According to cyber security firm F-Secure, India witnessed over 6.9 lakh cyber attacks between January to June 2018. As the usage and penetration of internet increases, this is only bound to rise. Digital revolution promises multidimensional metamorphosis in the way we perform transactions in almost all sectors of the economy. And cyberspace with its global domain of interdependent networks providing phenomenal computational capabilities and connectivity has also exposed inherent vulnerabilities. Today almost all the governance, business processes, health, IT, energy, and other infrastructures exist and operate within the cyberspace. As a result, cyber attacks can not only disrupt these infrastructures but can cripple the entire economy, also posing national security threat.
Broadly there are four types of threats to cyberspace - Cyber War, which is an unauthorized invasion by a government into the systems and networks of another-hence called as fifth domain of warfare- disrupting their critical systems; Cyber Espionage in which governments or hackers can invade into the systems of another to steal the sensitive information; Cyber Crime- although can have political and military ramifications- broadly includes everything that affects the lives of common individuals like- spamming, phishing, malvertising, identity-thefts, cyberstalking, spyware, Trojans, data manipulation and such things; and finally, Cyber Terrorism, which spread propaganda of extremism, recruit and radicalize the youth. (Tharoor, 2012). Evolution of technology has impacted the nature of conflict and war, characterized by no contact wars, where the enemy is unseen and the victim unsure of how and where to react (IDSA, 2012). Moreover, non-state actors (e.g. hackers, criminals, terrorist organizations etc.,) now have more muscular power than ever as they are characterized by anonymity, borderless nature and invisibility. In fact, the widely reported attacks on the websites of Estonia (2007) and of Georgia (2008) are believed to have been carried by non-state actors, backed by state-actors.
In more recent years, a massive 3 billion yahoo’s email addresses were compromised. The ransomware like WannaCry and Petya affected several hundred thousands of computers across 150 countries, including India. Even the US Presidential Elections are reported to have been influenced. In the Indian scenario, in 2016 as many as 32 lakh Indian debit cards were hacked amounting to a loss of Rs. 1.3 crore in fraudulent transactions as per the National Payments Corporation of India (NPCI). The hacker group who called themselves “Legion Crew” hacked into the accounts of lead public figures including Barkha Dutt, Rahul Gandhi and Ravish Kumar. More recently, Cosmos Bank lost 94 crores after a malware was installed on its ATM servers by the hackers.
Further, India is a net information exporter. There are also huge gaps in security and data protection in the affordable cellphones that are available in India. And India imports most of the digital equipments further adding to the security risks. At the business organizational levels, EY Global Information Security Survey (GISS) 2016-17 India Report noted that 75% of the CXOs admitted that they lacked confidence in their company’s cybersecurity processes. And EY GISS 2018-19 India edition reported that ‘careless and unaware employees’ (32%) as the leading cause of vulnerability for increased risk exposure of enterprises followed by outdated security controls (21%) and unauthorised access (19%). Further, cyber attacks have evolved from virus attacks, malware to more sophisticated Denial of Services. They also have increased penetration of attack by moving down the stack from Application, Operating System, Virtual Machine to the hardware levels. At the macro level, the government sector accounted for 27 to 29% of all the attacks. Banking, energy, telecom and defence continue to be high on the priority list of cybercriminals.
India has enacted the Information Technology Act, 2000 which was revised in 2008. It also has issued National Cyber Security Policy (NCSP) in 2013. As a result of the policy, India’s cybersecurity institutional capabilities consist of National Cybercrime Coordination Centre (NCCC), Indian Computer Emergency Response Team (CERT-In), National Critical Information Infrastructure Protection Centre (NCIIPC), Cyber Swacchta Kendra. The policy also aims to create a 500,000 strong cybersecurity workforce, provide fiscal benefits for the businesses for adopting cybersecurity practices, and aims to build public-private partnerships (PPP) for cooperative cybersecurity efforts.
NCCC scans the web traffic and is the first-layer to detect cybersecurity threats. CERT-In is the nodal agency to deal with cybersecurity threats. It collects, analyses, forecasts, issues guidelines and also coordinates cyber incident response activities. NCIIPC is the nodal agency for Critical Information Infrastructure- those computer resources, the destruction of which, shall have a debilitating impact on national security, economy, public health or safety. Broadly, NCIIPC has identified power and energy, banking and finance, telecom, transport, government, strategic and public enterprises as the critical information infrastructure. Cyber Swacchta Kendra is the Botnet cleaning and Analysis Centre of India, which enables cleaning and securing systems of end-users to prevent further infections.
There is also the National Technical Research Organization (NTRO), a technical intelligence agency which has been tasked to help in tackling cybersecurity threat in the country among the other things. In addition, Network Traffic Analysis System (NeTRA) is Defence Research and Development Organization initiative which intercepts and analyses internet traffic, including email transcripts, social media accounts, and voices. The country also unveiled CERT-Fin recently (2017), which will act as the umbrella CERT for the financial sector working closely with all financial sector regulators and stakeholders on the matters of cybersecurity. It also has put in place Crisis Management Plan for countering cyber attacks and cyber terrorism providing rapid identification, response and remedial actions.
As a result of steps taken by the government, India was ranked 23rd out of 165 nations in the Global Cybersecurity Index (GCI) 2017-released by United Nations International Telecommunication Union- which measures the commitment of the nations to cybersecurity and India was listed in the “maturing category”. Furthermore, India is aiming to be among the top ten nations on the GCI.
However, challenges exist. The NCSP is criticised on the lines that it basically serves to be a statement of principles rather than a comprehensive framework which should integrate how to operationalize cybersecurity ranging from training the personnel, developing PPP, and to accelerate civil-military partnerships. The NCSP should also include security risks arising from new technologies like cloud computing which it lacks currently. Additionally, the cyber policy outlines multiple stakeholders like the Ministry of Home Affairs, Ministry of Electronics & Information Technology, NCIIP, NCCC and so on. There would be ambiguity and indecisiveness as to whom to approach and thus there is a call towards providing a clear institutional arrangement for an effective response in case of threats. As India grows, it is vulnerable to cyber attacks due to strategic deficiencies, unpreparedness and ineffective implementation of policies. The ‘Strategy for New India @ 75' document released by the NITI Aayog recognized that the regulatory framework for cybersecurity as inadequate and advocated for a comprehensive cybersecurity framework.
NCSP envisions the creation of 500,000 cyber specialists. However, the number of skilled personnel trained was only 10% (Aman Thankkar, 2017). National Association of Softwares and Services Companies (NASSCOM) estimated that India will need 1 million cybersecurity professionals by 2020. Thus there is an extensive gap in the estimation as well as efforts. NASSCOM and Data Security Council of India (DSCI) have collaborated with ISACA (Information Systems Audit and Control Association) to address the cybersecurity skills shortage in India. This is a step in the right direction and the government should facilitate such co-operation further. Constructively, University Grants Commission also directed institutions to add Cyber Security and Information Security as subjects for higher studies. There are also institutes like Institute for Information Security and Indian School of Ethical Hacking offering these technical courses. India can even harness its highly skilled IT workforce to create cyber experts. Gulshan Rai- National Cyber Security Coordinator in the Prime Minister’s Office- mentioned that companies have increased spending on security by over 15-20% in recent years. These are encouraging trends.
India should not shy away from building offensive cyber potentialities which is indispensable if we are to ensure capability for self-defence granted under Article 51 of the UN Charter. There is also a need to foster more regular, more formalized and greater civil-military cooperation. Further, India should continue to pursue data localization policies against digital giants. Additionally, India should establish a Cyber Policy Research Centre- a think tank- in the domain of cybersecurity. Training a larger number cyber-specialized police force (also recognized by NITI Aayog document) and legal experts will strengthen the cybersecurity efforts.
The country also needs to establish National Cyber Security Commission on the lines of Space Commission or Atomic Energy Commission- which will have extensive powers in coordination, synergize efforts with various stakeholders and also play a vital role in the cyber warfare. India should also bring out a cyber doctrine. Further, it should proactively pursue indigenous Artificial Intelligence and Machine Learning that allow us to develop smart security solutions.
Lastly, India needs to collaborate with international organizations and other countries. It is currently an active participant with Tallinn Manual which is an academic, non-binding study on how international law applies to cyber conflicts and cyber warfare. It should also contemplate being a part of the Budapest convention- Convention on Cybercrime- international treaty addressing the issue of internet and cyber crimes. Additionally, it could endorse and also facilitate private entities to endorse the recent Paris Call for Trust and Security in Cyberspace which is involved in developing common principles for securing cyberspace. On the one hand, India should be cyber-prepared and on the other hand, it should cooperate and collaborate with stakeholders to provide for a safe cyberspace.
MEITy. (2013, July). National Cyber Security Policy-2013. Ministry of Electronics & Information Technology. New Delhi
Tomar, S (2013, Aug 26) National Cyber Security Policy 2013: An Assessment. IDSA [Comment]. Retrieved from: https://idsa.in/idsacomments/NationalCyberSecurityPolicy2013_stomar_260813
Davinder. (2017, October) India’s Cyber Security: Architecture and Imperatives. India Foundation Journal. Retrieved from: http://indiafoundation.in/indias-cyber-security-architecture-and-imperatives/
Sukumar, A.M (2016, March 9) Upgrading India’s cyber security architecture. The Hindu. Retrieved from: https://www.thehindu.com/opinion/columns/upgrading-indias-cyber-security-architecture/article8327987.ece
Thakker, Aman (2017, October 10) It's Time For India to Update Its Cybersecurity Policy. The Diplomat. Retrieved from: https://thediplomat.com/2017/10/its-time-for-india-to-update-its-cybersecurity-policy/
NITI Aayog (2018, November). Strategy for New India @ 75. Retrieved from: http://niti.gov.in/writereaddata/files/Strategy_for_New_India.pdf
Tharoor, S (2012, August 23). Living with the reality of virtual threats. The Hindu. Retrieved from: https://www.thehindu.com/opinion/lead/living-with-the-reality-of-virtual-threats/article3808398.ece
Saraswat VK. Cyber Security. NITI Aayog. Retrieved from: https://niti.gov.in/writereaddata/files/document_publication/CyberSecurityConclaveAtVigyanBhavanDelhi_1.pdf
IDSA Task Force Report (2012, March). India’s Cyber Security Challenge. IDSA. Retrieved from: https://idsa.in/system/files/book/book_indiacybersecurity.pdf
Press Trust of India. (2019, February 14). Careless, unaware employees top vulnerability for rising cyber risk exposure: EY. The Times of India. Retrieved from: https://timesofindia.indiatimes.com/business/india-business/careless-unaware-employees-top-vulnerability-for-rising-cyber-risk-exposure-ey/articleshow/67992276.cms
Image credits: managementevents.com
Subscribe to our weekly newsletters.
Get all our posts, blogs and video content via e-mail.