Cyber Security 2

Published on May 2016

Securing the Indian corporate

Cyber criminals use bypass methods to avoid traditional sandbox detection. Since more organizations are utilizing virtual machine defences to test for malware and threats, attackers are taking new steps to avoid detection by recognizing virtual machine environments. Organizations and security providers find that they need to evolve toward more proactive real-time defences that can stop advanced threats and data theft. ‘The existing combined strength of cyber security experts in all organizations in the government domain is 556, which is grossly inadequate to handle cyber security activities in a meaningful and effective manner,’ says a secret note prepared by the National Security Council Secretariat (NSCS), which is engaged in creating an elaborate cyber security architecture. Cyber security software firms in India have warned that the increasing use of mobile communication devices and an overlap of work-related and personal data will present a serious threat of data theft and other malware attacks in the coming years. Bangalore is the IT capital and the most networked city in India. These proud tags that the city wears perhaps make it an obvious choice for the dubious distinction of also topping the national charts when it comes to cyber crime. Despite the country’s reputation of being an IT and software powerhouse, India had reported 13,301 cyber security breaches in 2011. One of the biggest cyber attacks that the country faced occurred on 12 July 2012 when hackers penetrated the email accounts of 12,000 people, including high officials from the Defence Research and Development Organization (DRDO), the Indo-Tibetan Border Police (ITBP), the Ministry of Home Affairs, and the Ministry of External Affairs. India’s cyber security defences are not strong.
In January 2012, for instance, National Technical Research Organization officials alerted the Airports Authority of India (AAI) to serious vulnerabilities in its cargo management system at Chennai, Coimbatore, Kolkata, Amritsar, Lucknow and Guwahati airports. Weak passwords and outdated operating systems were the main problems. These six airports handled 311,000 metric tons of international cargo in 2010/11. A single day’s disruption would have sent 853 tons of cargo to the wrong destination. The economic impact would have been immense had the systems been penetrated by unscrupulous elements. Companies such as the Kolkata-based ITC have suffered cyber attacks. According to a July 2012 report by Bloomberg, Chinese hackers possibly had access to ITC’s network for a year. It also said cyber thieves hacked into the computer of ITC Chairman Y.C. Deveshwar’s personal assistant and stole several documents, including tax filings. A perusal of the Information Technology Act 2000 (see box) shows that it is not a data protection law; it is merely an e-commerce enabling law, which also addresses a couple of other issues. White collar crimes and financial frauds are on the increase in India. By their very nature these high profile crimes affect the corporate sector. Indian companies also face increased levels of corporate, financial and technological fraud. With a growing dependence on information and communication technology (ICT) for various corporate functions, corporate systems and corporate assets are exposed to diverse forms of cyber attacks. They face a growing threat from malware attacks, phishing attacks, ATM frauds, online banking threats, trading fraud, among others. Cyber crime is not defined in the Information Technology Act 2000, the IT Amendment Act 2008 or in any other legislation in India. 
Offence or crime has been dealt with elaborately, listing various acts and the punishment for each, under the Indian Penal Code, 1860 and quite a few other legislations too.

The Information Technology Act 2000 was made effective from 17 October 2000. The act essentially deals with the following issues: legal recognition of electronic documents; legal recognition of digital signatures; offenses and contraventions; justice dispensation systems for cyber crimes. Being the first legislation in the nation on technology, computers and e-commerce and e-communication, the act was the subject of extensive debate, elaborate review and detailed criticism, with one arm of the industry criticizing some sections of the act as draconian and the other stating it to be too diluted and lenient. Thus, in 2003-04, a need to amend it was expressed. The consolidated amendment called the Information Technology Amendment Act 2008 was placed in Parliament and passed without much debate towards the end of 2008 (by which time the Mumbai terrorist attack of 26 November 2008 had taken place). This amended act got the President’s assent on 5 February 2009 and was made effective from 27 October 2009. Some of the notable features of the ITAA are as follows: a focus on data privacy; a focus on information security; defining cyber café; making digital signature technology neutral; defining reasonable security practices to be followed by corporates; redefining the role of intermediaries; recognizing the role of the Indian Computer Emergency Response Team; inclusion of some additional cyber crimes like child pornography and cyber terrorism; and authorizing an inspector to investigate cyber offences (as against a Deputy Superintendent of Police earlier).

Case 5: Hospital fires business development manager for diverting customers to rivals. A reputed multi-speciality hospital in Gujarat was offering attractive packages to foreign patients. The main link was the hospital’s website, which generates a majority of the business as the hospital staff handle queries, offer and negotiate hospitalization expenses and also provide round-the-clock online services. One day the hospital authorities realized that the traffic to their site had suddenly dropped.
Apart from routine patients, others were just not turning up. This actually started happening after the hospital fired its business development manager. Apparently, he had access to emails from patients, and was diverting them to other hospitals. He even offered them competitive packages from these hospitals using the existing database of inquiries.

Data is a corporate asset. It is an important raw material for brick and mortar companies, BPOs, technology and IT companies. Data has also become an important tool and weapon for corporates to capture a larger market share. Due to the importance of data in this new era, its security has become a major issue with industry. The theft and piracy of data is a threat faced by IT players, who spend millions to compile or buy data from the market. Their profits depend on the security of their data.

The Reserve Bank of India (RBI) had earlier constituted a working group on information security. On its recommendations, RBI directed all banks to create a position of chief information officer (CIO) as well as steering committees on information security at the board level. But the recommendations of the RBI have still not been implemented and there is no sign that cyber security of banks has been streamlined. ATM fraud, credit card fraud, phishing frauds, and Internet banking frauds are increasing. In fact, the RBI ombudsman office is flooded with ATM fraud related complaints. Banks need to adopt techno-legal measures to prevent ATM and other similar frauds. Further, cyber due diligence training for bank employees would be beneficial. Mobile banking cyber security in India needs to be analyzed in depth. As of date we have no implementable mobile governance policy in India. India has embarked on a massive biometric identification project to provide people with access to services of the state.
But a major problem with Indian security initiatives is that India has launched various projects and initiatives without considering their cyber security aspect. This could turn out to be a bad policy decision.

Cloud adoption remains stifled by security concerns. Cloud computing uptake in the market increased 20.9 per cent from the 2011 figure to 33 per cent last year. But 50 per cent of companies not using cloud identified security as the main reason for their inaction. Businesses view cloud offerings as unsafe. Business leaders also have a culture of wanting to own their IT systems and not procuring from third-party vendors on demand, the survey noted.

Cyber criminals use thousands of networked computers (botnets) to ‘jam’ a website by directing excessive traffic to it, causing it to crash. Such attacks are often termed Distributed Denial of Service (DDoS). The expansion of cloud services and mobile networks could create additional targets for DDoS attacks. While firewalls, intrusion protection and other devices can mitigate low level attacks, large volumetric attacks can be an issue as these devices may not be able to separate legitimate from illegitimate traffic.

According to cyber law experts, it’s also important to look at data vis-à-vis the new era of cloud computing. Thanks to this new paradigm, data theft has added an international character. For example, systems may be accessed in USA, their data manipulated in China and consequences felt in India. The result of this ability is that different countries, jurisdictions, laws and rules will come into play, which becomes an issue in itself. Further, the collection of evidence in such circumstances becomes another issue as investigation will have to be conducted in three different countries, all of whom may not be on talking terms, and poor technical know-how of the cops will only add to the woes. Also, a lack of coordination amongst different investigating agencies and a not-so-sure extradition process would be another headache. However, the biggest of all these issues remains a lack of specific laws in the country dealing with this crime.
So even if the culprit is caught, he can easily get away by picking and choosing any of the various loopholes in our law.

According to some estimates, by 2015 India will require about 5,00,000 cyber security experts to cater to the growing need of securing cyberspace. While China is estimated to have 25 million cyber commandos, the number of cyber soldiers in North Korea is pegged at 15,000. India is said to be the eighth most vulnerable country in the world with regard to cyber crime. According to government data, in just the last five years, as many as 774 government websites were hacked. The attacks appeared to have emanated from Australia, Bahrain, Brazil, Egypt, Germany, Indonesia, Lebanon, Libya, Morocco, Pakistan, Saudi Arabia, among others. According to data available with the Indian Computer Emergency Response Team, the defacement of Indian websites has almost tripled compared to 2007. We need to understand the fact that the dependence of the economy and governance on e-banking, e-commerce, travel booking, electric transfers and payment systems is growing. The moment we talk about growth in these areas, our first concern is whether the transactions are secure. The trust level in these systems is critical and that can only come from enhanced security.

We need a techno-legal cyber security policy in India to tackle the challenges of present cyber attacks and cyber crimes. Such a cyber security policy must consider all the aspects mentioned above in detail and ensure both offensive and defensive cyber security capabilities for India. Although the constitution does not contain any explicit reference to a right to privacy, this right has been read in by the Supreme Court as a component of two fundamental rights: the right to freedom under Article 19, and the right to life and personal liberty under Article 21. India is taking its first steps towards privacy regulation through a draft law based on former Justice A.P.
Shah’s expert group report on privacy and data protection. What India needs is more collaboration between private companies and educational institutions to develop talent. We need more cyber warriors and better preparation for a cyber war. In a world where everyone from established behemoths to new start-ups is bubbling with plans to collect the most intimate data, cyber security may well be replaced by zero privacy. The law cannot keep pace with technology. Talented engineers will constantly be working to find new ways to scoop up massive amounts of information which companies may previously have regarded as private and confidential. The future policy and debate needs to be about how, and whether, the legal framework relates to technology; how authority is granted; who has access to material; and how scrutiny can be meaningful. It will also need to ask about the outsourcing of highly sensitive intelligence to corporations. There is much to discuss. The policy requires wisdom and a willingness to tread a unique Indian path.

Cyber insecurities in a developing society

While cyber crimes like bank frauds, identity theft, phishing, spoofing and hacking get central focus in a developing society like India, the real trouble, both in volume and in gravity, lies elsewhere. The number of mobile phones in India is 16 times the number of personal computers (919:57 million); 9.05 million of these mobile users use the Internet, whereas 13.81 million households have a broadband connection. Clearly, an increasing number of people prefer to use their mobile devices to connect to the Internet and this deserves a lot more attention. The wide use of pirated operating systems, software, and media creates inherent vulnerability. The awareness of people using computers is extremely low as hardly any cyber security issues are addressed in Hindi or other Indian languages. It can also be attributed to the fact that not many people use IT in a way that it becomes mission critical for them and are hence disinclined to invest in making themselves more secure.

Issue of SIM on fake IDs: A person wouldn’t commit a crime if he knew there was an outside chance of getting caught. The entire crime prevention effort is based on this premise.
In the business of mobile telephony, when a SIM card is bought the person has to submit proof of identity and address to the retailer who forwards it to the company, which after vetting the two documents activates the SIM. The company does a tele self-verification, a process in which a call is made to the new SIM and details mentioned in the application form are verbally verified. Because of this feeble process, it is easy to get possession of a SIM on a fake ID. Not all the people using such SIMs do so because they are terrorists or professional criminals. Many do so to hide their fat mobile bills from the taxman. Quite a lot of people choose to buy these ‘pre-activated’ SIMs simply to avoid the delay between the purchase and activation. According to the 2012 World Bank report, ‘Maximizing Mobile’, 96% of mobile subscribers in India use prepaid connections. The main reason is probably that India is a price sensitive market and prepaid connection users can easily hop from one provider to another if they find a more attractive tariff plan. But this reality and a weak verification process have led to a huge number of SIMs on fake IDs. While no official figures are available, police investigators say that virtually eight out of ten SIMs they come across during investigations are fake! The law provides that if a company is found to have issued a SIM on a fake ID, it is liable to pay a fine of Rs 50,000. However, because of poor or little enforcement, this is unheard of. The best way out is to make the process simpler. Immediate activation should be possible if a person applies with his Aadhar card. As the UID authority allows everyone to verify the Aadhar online, the retailer could do the entire process himself – take a finger print scan, make entries into a central software system and activate the SIM immediately. A pilot has been done in the state of Andhra Pradesh and the Department of Telecom is likely to formulate and announce a policy soon. 
A similar process could be adopted for persons holding a valid passport. This way a foreign visitor landing at an Indian airport could easily buy a SIM and start using it immediately. This process would also help save money otherwise spent on the verification process, which is anyway feeble.

Harassment – crank calls and blank calls: This is beyond doubt the most prevalent of all mobile crimes and also a stepping stone to further crimes. Calling numbers randomly to have some fun is a pastime for many aimless individuals and women are their preferred targets. The tenacity of such pesky callers can be estimated from the fact that nine out of ten calls on the police emergency helpline 100 are of this nature! Even radio jockeys do this routinely to turn someone into a ‘bakra’. This is quite similar to telemarketing calls, specifically known as unsolicited commercial calls. The good news is that a reasonable solution has been found for it. Through a system of registering telemarketers on one hand, and enabling subscribers on the other to register and block such communication, the menace has substantially reduced. A similar solution can be put together to end this problem. A mechanism for reporting such crimes and another for warning and then withdrawing services to that subscriber could be an effective and cost-effective solution. If the problem persists, legal action could be initiated. Until the recent amendments to the Indian Penal Code, a person making such pesky calls to a woman could be punished with one year’s imprisonment and a fine. But have you ever heard that happen? No. That’s why such crimes have soared. After the 2012 Delhi gang rape case, many amendments were made to the IPC, one of which is section 354 D that provides for a maximum punishment of three years, plus a fine, to a person found ‘stalking’ another.

Mobile theft, IMEI counterfeiting: Going by the conventional definition of crime, theft is on top of the list. Mobile phones are no exception to this. Industry experts say that mobiles worth more than Rs 500 crore are stolen each year. Stealing is an offence under the Indian Penal Code and an arrangement to prevent mobile theft through a number called IMEI is in place.
IMEI (International Mobile Equipment Identification) is a 14 or 15 digit identification number that uniquely identifies a mobile handset, similar to what a chassis number is to an automobile. When a mobile device tries to register into a network, its IMEI is recorded. It is possible to create a registry of blacklisted IMEIs and block them off the networks, thereby rendering theft of mobile phones a useless business proposition. Australia was the first country to implement this across its GSM networks in 2003. The United Kingdom has also done this effectively by creating a National Mobile Property Register. The registry will not work until change of IMEI is also made impossible. Presently, it is possible to change the IMEI of a device by using software that can be downloaded free. Legally, this act constitutes a serious crime of counterfeiting, which is punishable by up to seven years in prison. Some Chinese manufacturers make phones that don’t have any IMEI! The Government of India has prohibited the use of such phones, and the networks are now effectively complying with this directive. Manufacturers ought to devise a hardware solution that makes it impossible to change the IMEI number of a handset. Despite extensive research in this area, the money invested is a small fraction of that being lost. Until that happens, consumers should be encouraged to use software that helps track a phone. Available free of cost, it is an effective tool for investigating thefts. Widespread use of pirated software: For decades, users in India have managed with pirated software operating systems, applications and media. Initially, a lack of awareness and enforcement to prevent piracy led to widespread use of such software. For most people it was normal to buy hardware and request the vendor to load the software free of cost. Even some government offices did not buy official software! 
In those times, floppies and CDs constituted the main mode of viral injection, but with the progression of the Internet, computers have become far more vulnerable. Concomitantly, software manufacturers developed an arrangement of sending out regular updates to plug the security gaps and make other improvements. Here arises the problem in its present shape. Several users in India continue to use ‘not genuine’ software, which does not update itself while the threats and vulnerability around it grow and descend through the net. The situation can be ameliorated by putting in place policies that encourage the use of open source software. For a start, the government could make it mandatory for its own offices and their servers to use open source software. Brazil, for example, has promoted open source in a big way. It has even set up a portal to host open source software for municipal agencies, schools, retail outlets, libraries, accounting, and so on (www.softwarepublico.gov.br). Users in a region are encouraged to develop software best suited to their needs. The BRICS countries, which include India, have pledged their support in this transformation. Imagine how much money can be saved by the country if only there is a strategic large-scale recourse to software, as also years of manpower, currently wasted in securing cyber systems.

Inadequate awareness for security wares for smartphones: Though the mobile revolution has taken users by storm, the regulatory and security environment has been slow to react, and has been left far behind. While the issues of standards and interoperability have been addressed for personal computers, the case of mobiles still requires more effort. As smartphones replicate most functions of computers, the vulnerability to data theft goes up several fold, as people increasingly store and access critical information on smartphones, unfortunately without adequate attention to vulnerability. The sale of smartphone antivirus, as compared to that for personal computers, reveals an inverse equivalence to the number of smartphones and personal computers sold.

Language divide deepens the digital divide and cyber insecurity: Only three per cent of Indians have access to the Internet at home and only 21 per cent understand English, and a much smaller percentage, well.
A vast majority of people have no means of educating themselves about cyber threats. An occasional and superficial article in the Indian language newspapers is of little help. It is only recently that software was made available in the Indian languages, but the antivirus software by and large does not provide any support. If security related messages pop up in a foreign script, it is not easy to visualize their use. Cyber security in developing societies is a challenge that we have barely begun to address. It is exacerbated not just by the digital divide – a large population struggling with rising hardware and software expenses, the rise often having little relation to productivity – but also a huge language divide. What is more tragic is that our development leaders and policy makers are inadequately sensitive to this. While the Government of New Zealand portals have a Hindi section and the UK has information in several Indian languages, most Government of India portals have only dated and sketchy Hindi sections, and nothing in other Indian languages. The journey to a cyber secure environment is likely to be a long and testing one.

The legal dimensions

In the fast moving world of today, crime respects no jurisdictions – rather it enjoys unlimited geographical jurisdiction across the globe. Hence, we find crimes being committed even in space or through the Internet world across countries. It is, therefore, essential to understand cyber law. In general, cyber law is a generic term, which refers to all legal and regulatory aspects of the Internet and the world-wide web. Anything concerning or related to, or emanating from, any legal aspects, or issues, or any activity of Netizens and others in cyberspace comes within the ambit of cyber law. In other words, cyber law is a tool that provides legal recognition to electronic documents and a framework to support e-filing and e-commerce transactions. It also provides a legal framework to mitigate/check cyber crimes in a particular set-up.

The growth of electronic commerce has fuelled the need for vibrant and effective regulatory mechanisms, which would further strengthen the legal infrastructure, so crucial to the accomplishment of electronic commerce and to the control and regulation of cyber crime. All these regulatory mechanisms and legal infrastructure come within the domain of cyber law. It is critical to underscore that strong cyber laws, and their implementation and enforcement per se, are a dire need for which each and every government must play a significant role in managing the affairs of electronic commerce and controlling cyber crime. This is essential for countries across the world to retain faith in the legal enforcement agencies of each country. Like other legal systems, the law relating to cyber crime is an evolving and growing process, as newer challenges are continually surfacing in this field. Consequently, due to the fast growth of the Internet, various legal issues have arisen, more particularly in the area of cyber crime, such as domain name disputes, intellectual property rights disputes, electronic commerce issues, privacy, encryption, electronic contracts, spamming, banking crime and so on, which makes it essential for all governments to enact effective and strong regulations to control both offences and offenders.

Today, cyberspace touches practically everything and everyone. It provides a platform for innovation and prosperity and also the means to improve general welfare around the globe. But with the broad reach of a loose and lightly regulated digital infrastructure, great risks threaten nations, private enterprise, and individual rights. The government has a responsibility to address these strategic vulnerabilities to ensure the safety and security of all vital assets of a nation from mineral, agricultural, commercial, industrial, manpower and offshore at one end to the vital defence, nuclear, space and communications at the other.
Though the word crime carries the general meaning of a legal wrong that can be followed by criminal proceedings which may result in punishment, cyber crime refers to unlawful acts wherein the computer is either a tool or target or both. Indian cyber laws have been amended twice in view of fast changing developments in ICT (information communication technology) and usage of the Internet worldwide, as most work of all organizations, whether public or private, now takes place through networking across the world.

With cyber crime growing day by day, it is difficult to find a distinction between cyber crime and conventional crime. To achieve some clarity, cyber crime may be classified under different categories, which are as follows. Cyber crimes in the personal domain comprise harassment via email, cyber stalking, dissemination of obscene material, defamation, pornography (specially child pornography), hacking of passwords, email and SMS spoofing, cheating and fraud, among others. At present harassment is commonplace and on the increase in social sites such as Facebook and Twitter. A recent survey conducted by an international agency claims that more than 20% of total earnings through networks is coming from pornography websites, for which certain stringent regulations are the need of the hour. However, no country is taking a lead in this grey area. It is not uncommon to read reports about criminals having stolen individual identities, thereby living ‘legally’ in the name of an innocent person!

Besides crimes in the personal domain, there are crimes against a person’s property, cyber crimes against government, and cyber crimes against society at large. An unlawful act done with the intention of causing harm to cyberspace will affect a large number of persons. Some of these offences are cyber trafficking, online gambling, financial crimes, attack on individual privacy, and other crimes that take place through the Internet.
According to government figures, India was the 10th most intensely cyber attacked country in 2010-11. However, today it stands second only to the US. With Internet usage, including through mobile phones, rising dramatically – from 202 million users in March 2010 to 412 million in March 2011 and 485 million in March 2012 – India is now second only to China in the number of devices connected to the net. Therefore, the Indian government needs to be more scrupulous and prove its cyber security strength to the world to ensure confidence in the management of networking in the country, without any hesitation or reluctance.

According to Section 43 of the Information Technology Act, ‘Whoever does any act or destroys, deletes, alters and disrupts or causes disruption of any computer with the intention of damaging the whole data of the computer system without the permission of the owner of the computer, shall be liable to pay a fine up to one crore to the person so affected by way of remedy.’ Further, under its Section 43A, where a body corporate is maintaining and protecting the data of the persons as provided by the central government, if there is any negligent act or failure in protecting the data/information then a body corporate shall be liable to pay compensation to persons so affected. And Section 66 deals with ‘hacking with computer systems’ and provides for imprisonment up to three years or a fine, which may extend up to two years or both.

The following are some of the key parts of the act:

1. It provides for a regulatory regime to supervise the digital signature system, essential for carrying out financial transactions through the Internet and other electronic modes. It also provides for the appointment of a controller and other authorities for the purpose of the act.
2. To enable electronic governance, it provides for the use and acceptance of electronic records and agencies, making the interaction between citizen and government easy.
3. It creates civil and criminal liability for contravention of the act.
4. There is a provision to publish an electronic gazette or official gazette where all regulations, rules, orders, bylaws and notifications can be accessed over the Internet.
5. It makes illegal the tampering of computer documents and publishing obscene information in electronic form.
6. The act empowers the controller to decrypt any coded information and direct any agency to intercept any information transmitted through any computer network.
7. It provides for penalties.
Any person who, without permission of the owner or any other person who is in charge of a computer, computer system or computer network:

a) Accesses or secures access to such computer, computer system or computer network;
b) Downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network, including information or data held or stored in any removable storage medium;
c) Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
d) Damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programme residing in such computer, computer system or computer network;
e) Disrupts or causes disruption of any computer, computer system or computer network;
f) Denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
g) Provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this act, rules or regulations made thereunder;
h) Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. It also provides for penalty for failure to furnish information, return, etc. to the controller of the certifying authority.

8. It provides for the establishment of adjudicatory and appellate authorities.
9. It stipulates penalties for offences, e.g., tampering with computer source documents, hacking, etc., and for contraventions committed outside India but involving a computer or network located in India; it also provides that any police officer not below the rank of a deputy superintendent is empowered to search and arrest without warrant any person for violating the provisions of the act. It provides for confiscation of any computer system, floppies, compact disks, tape drives or any other accessories, etc.
10. It mandates the constitution of a cyber regulation advisory committee.
11. The act shall override earlier laws.

In the end, for India to maintain a leading edge in the information technology (IT) space, it must take a comprehensive view of cyber security. Not only are stringent laws with severe punishment required, but it is important to educate and create a judiciary with knowledge of cyberspace, IT and communications. Our strategic resources need to be guarded through competent, educated and knowledgeable cyber security professionals.
The corporate sector must be encouraged to proportionately contribute to R&D in cyber security programmes in view of the increasing public private partnership ventures. Every nation should come forward with a cyber security policy to check transborder cyber crimes and to bring offenders to justice.

Small businesses often use security devices and software security products such as a firewall device, anti-virus software and at times intrusion detection and prevention devices. They rely on the experience of their staff, local experts and the vendors to secure their machines. But they often lack routine security validation of their environment and of the effectiveness of their security solution. As a result, small businesses are not aware of the security weaknesses introduced in their environment over time. For example, they are not aware of new applications that have been installed with default or easily guessable passwords, whether the firewall rules are up to date and locked down, or whether undesired applications (such as P2P) have been installed, among other aspects. Large businesses, including government and academic institutions, usually implement good security solutions depending upon their business models/requirements, which may consist of firewalls, proxy servers, VPN, IDS/IPS etc. They generally incorporate the best industry practices and would have developed policies, standards, processes and procedures to address security within the organization. However, the security requirements are very diverse between large organizations mainly due to the nature of their business and the regulations that they need to fulfil. Often, security takes a back seat to business leads and deadlines because of a lack of understanding of security, and business decisions are made that introduce security weaknesses. Business accepts the risk to achieve deadlines, which introduces security holes that remain unaddressed over long periods. Some organizations continue to use an older technology with inherent security risks. Such technologies may coexist on the local network along with newer technologies, thereby increasing the risk. For example, a manufacturing company is likely to be more concerned about the availability of its robots for manufacturing and delivery of products than with upgrading the old operating system that is running the robot. Such business decisions, made by many large organizations, could result in a breach of security and damage their reputation. The above facts are based on common issues observed over the years and I plan to provide the metrics later.

In the early days, virus propagation was through floppies and the main characteristics of these viruses, among others, were to perform disruptive or destructive activities such as erasing the hard drive or making it unusable, and distorting or wiping away characters on the screen. These viruses then evolved from hiding in the hard drive boot sectors to infiltrating programmes and the operating system itself. The main characteristics of the viruses also changed from merely causing damage to gaining and retaining access to the computer. And with this came the objective of stealing information such as banking information, personal information, credit card numbers, passwords etc.
This access also enabled hackers to launch attacks and gain similar control over other computers. And as the number of infected computers increased, the hackers developed mechanisms to monitor, update and control them remotely. These types of viruses are termed bots, and they deploy various and perhaps all of the techniques of evasion from antivirus, operating system, users and processes etc., and are controlled through command and control (C&C) servers. Some of the bots, such as QAKBOT, were targeted at corporates and had built-in features to determine if the user was a corporate user, and if not, to simply exit.

Information security education

Advanced technologies/equipment/systems are rapidly penetrating the Indian market following the reform and liberalization policies being implemented as a priority by the present government. India has also seen the growth of better communication facilities and value added services as a part of the total information revolution in India. The impact of this technological revolution is far-reaching, forcing us to recognize information as a vital resource for management decision making in the country. Just as safeguarding and protection of physical and financial assets of the industry/corporate sector/government played an important role during the industrial revolution, protection of information resources as assets will equally be a major concern during the coming decades. The availability of consistent, integrated and timely information for management decision making at various levels is vital to improve production technology in the manufacturing sector, and to produce quality products at an optimal cost to gain a competitive advantage in international trade.

Information protection assumes a different dimension compared to physical assets protection. Unfortunately, this area has so far been neglected in the country. Professional organizations like the Computer Society of India, Bureau of Indian Standards and Institution of Electrical and Electronics Engineers have organized seminars and debates to make managers, professionals and workers aware of the threats facing the information industry. On the one hand, we want information to be shared between various organizations, persons and countries and, on the other, we need to protect sensitive and trade related information. Security is no longer a technology issue; it is considered to be a management issue. Depending upon the type and classification of information, protection measures are available at a cost. This requires a reclassification of information so that appropriate security measures can be devised for protecting classified information.

India in the global cyber security market

As noted before, by its very nature, the global cyberspace is borderless and cannot be isolated to national or regional boundaries. One of the fundamental concerns on cyber security arises from the fact that the core Internet protocols are insecure and the expansion of the Internet is taking place on the same insecure systems. The global explosion in mobile based Internet usage is increasing the vulnerability of the cyberspace. As the Internet has become central to the social, economic and political life of citizens and nations, countries are investing heavily in establishing information and communications technology (ICT) infrastructure to bring more and more citizens online. Thus, protection of the critical ICT infrastructure has emerged as another major challenge, in addition to securing the communications and transactions conducted over the Internet. The vulnerability of the cyberspace is already being exploited by both state and non-state actors.[5] The attacks in cyberspace can be mounted by potential adversaries intending to inflict damage on social, economic or commercial interests. They can also be targeted at achieving political or military objectives. They are often aimed at weakening or crippling the critical ICT infrastructure of the adversary to cause denial of access to information and networks or to render them non-functional. In 2007, there were massive cyber attacks on Estonia aimed at disabling the websites of government ministries, political parties, newspapers, banks, and companies. The attackers, suspected to be from a major country with involvement of state actors, employed sophisticated cyber warfare techniques to disable Estonia’s critical ICT networks and e-government infrastructure. The nature of cyberspace makes it difficult to identify the perpetrators of these attacks and makes it an attractive proposition for enemies who do not want to be engaged in conventional conflicts.
There is no contact or physical action across the border and the attacking party can completely deny any involvement. The attacked party may not even be sure as to when and how to react. Both the state and non-state actors have developed capabilities to engage in cyber attacks for prolonged periods without being identified. There are some additional features of critical ICT infrastructure and cyberspace that merit discussion here. Cyber infrastructure is largely owned and operated by the private sector. However, ensuring cyber security involves a multi-agency and multi-layered effort involving both state and private agencies. This poses a significant organizational and coordination challenge. At an organizational level, cyber security is not merely a technological issue, but a management one as well. This encompasses enterprise risk management and involves human, process reengineering, change management, legal, network and security aspects. While the private agencies are responsible for securing their individual pieces of infrastructure, the seamless flow and exchange of information and interlinkages amongst the networks make it essential to coordinate the entire effort through an integrated command and control entity that is accountable for cyber security. The roles and responsibilities of all the parties need to be clearly specified. There is a need for governments to establish appropriate policy mechanisms and legal structures. While security investments made by private industry take care of their individual corporate needs, they might fall short of the requirements to secure a national network-wide infrastructure. Thus, a pure market based approach to ensure cyber security may not work. A key challenge in this regard is to provide for the additional investments that might be required to secure the cyberspace and critical ICT infrastructure for the country. This might come from incentives provided to the industry to generate collective action in a well planned approach to secure the critical ICT infrastructure. A lack of capacity at the executive and policy making levels within organizations is another major challenge in ensuring cyber security. There is a need for a focused approach to build capacities to deal with security incidents, deploy latest technological solutions, provide adequate training to all the relevant levels of employees and deal with process transformation and change management required to achieve this goal.
Before we discuss the opportunities and challenges for India in the global cyber security market, it is relevant to discuss the cyber security scenario and the emerging opportunities and challenges within the country and how the government and industry can meet them and benefit from the opportunities. As India develops its ICT infrastructure in an effort to bring more of its citizens online through projects such as the National Optical Fibre Network (NOFN) and makes greater efforts to provide public services electronically through its e-governance projects, the risks for cyber security in the country are going to be much higher in future. It would also make the entire ICT infrastructure and cyber assets in the country far more vulnerable to cyber attacks from both state and non-state actors from countries inimical to India. Are we geared to meet these challenges? The government has recently taken several steps to ensure greater focus on these issues within the country. It has recently notified the National Cyber Security Policy 2013 [7] with the goal of addressing the cyber security domain comprehensively from a national perspective. The main goal of the policy is to make the cyberspace secure and resilient for citizens, businesses, and the government. The policy envisages the establishment of national and sectoral mechanisms to ensure cyber security through the creation of a National Critical Information Infrastructure Protection Centre (NCIIPC). Computer Emergency Response Team (CERT-In) shall act as the nodal agency for coordination of all cyber security and crisis management efforts. It will also act as the nodal organization for coordination and operationalization of sectoral CERTs in specific domains in the country. Though efforts are being made to create an effective policy framework to deal with cyber security in the country, there are areas where significant challenges lie. I would like to mention e-governance as a specific case in point.
The country has put in place a separate core ICT infrastructure for e-governance consisting of state-wide area networks (SWANs) and state data centres (SDCs) in each state and union territory. Common Service Centres (CSCs), run by private village level entrepreneurs (VLEs), act as the front end for delivery of these services in rural areas. Currently, over 100,000 CSCs are operational across the country. Recently, mobile governance has been implemented to bring all government services on the mobile platform. The National e-Governance Plan is the flagship programme in e-governance consisting of 31 Mission Mode Projects (MMPs) spanning across a large number of government ministries and departments both at the national and state levels. During the last seven years of its implementation, NeGP has achieved considerable success with 23 out of the 31 projects delivering services electronically to the citizens and businesses. Though NeGP has been a success, ensuring cyber security remains a big challenge as it involves protecting critical ICT infrastructure such as SWANs, SDCs and the applications of various departments running on them. Though scheme specific guidelines have been issued and several states have made significant efforts to protect their cyber assets, there is a need for a comprehensive policy on cyber security in e-governance and ensuring uniformity in its implementation across the country. Application level security is another important domain where greater effort is required.

The scenario discussed above presents big opportunities for the government and industry to address cyber security comprehensively. As the government moves forward to put a policy framework in place, the IT industry can develop appropriate technological solutions to address the cyber security requirements of the core ICT infrastructure and applications. Massive opportunities for the industry are also opening up in sectors such as defence and telecom where the need for cyber security is more critical. Protecting the cyberspace and critical ICT infrastructure has emerged as a major challenge globally due to the factors discussed above. The Internet has emerged as the central feature affecting the lives of billions globally through e-commerce, banking, travel, e-government, email, etc. With the emergence of smart technologies, a host of utility services such as water supply networks, electricity distribution, among others, are critically dependent on ICT networks. Electronic systems and communications play a key role in the operation of equipment in the defence sector. What are the opportunities and challenges that such a situation presents to nations like India? To analyse these aspects, it is important to understand the key trends in emerging technologies and how they impact the security scenario in cyber space. In the following paragraphs, I discuss seven such key trends and explain how they present challenges and opportunities for the Indian industry globally. The most important phenomenon that is driving the expansion in the usage of Internet worldwide is mobility. The advent of mobile devices has brought an unprecedented number of users online, and has consequently increased the risks associated with cyberspace as many of the mobile and tablet users may be first time users of Internet and may not be skilled enough to understand the risks. 
An expansion in the usage of smartphones and tablets has also brought into focus the security of the operating systems and applications that run on them. As the usage expands, so will the attempts by hackers to break into these devices and steal sensitive personal and corporate information. While this poses challenges for the device manufacturers and OS developers, it presents great opportunities for Indian firms working in the mobility domain. As India is known for its prowess in software development, developing security solutions and secure applications for the mobile world is an unprecedented opportunity globally that is just waiting to be grabbed. The second important technology trend that is driving the ICT industry is the emergence of the cloud platform. While this phenomenon emerged a few years ago, it is only now maturing and cloud based solutions are being deployed across a number of domains in business, industry and government. Ensuring proper security of applications and data on the cloud is a major challenge and its entire implications are still not clear. Even a few cloud failures can result in massive breaches in security and devastating loss of data for the users. As the cloud encompasses the entire gamut of infrastructure, platform, and software as services, developing security solutions for this platform presents the Indian industry with an outstanding opportunity globally. A related segment which also presents great opportunities is data centre operations and management. Another related phenomenon is the emergence of security as a service on the cloud. This is another space that offers good opportunities for Indian firms. The third important trend that has recently emerged is the use of multi-factor authentication to improve security. Just a simple password is not enough to ensure access to a host of applications and services in areas such as banking, insurance, financial transactions and government services. In India, an Aadhaar based biometric authentication has emerged as a new mechanism to authenticate the identity of users. This presents an excellent opportunity for Indian industry to develop applications in this domain and address security concerns.
The fourth trend impacting cyber security globally is the continuous morphing of hacker groups and individuals to maintain their anonymity. This poses serious challenges for organizations and government agencies trying to secure cyberspace as the attacks cannot be attributed to any specific entity. However, this situation also presents opportunities to continuously evolve technologies that can help in unmasking the identity of these anonymous attackers. Active cooperation amongst government agencies and organizations internationally is required to achieve the desired objectives in this area. Agencies such as the United Nations are active and the issue of global cyber security is likely to come up at the 68th session of the UN General Assembly in September 2013.[8] The fifth trend that is impacting the cyber security scenario is the increasing involvement of state actors in cyber war aimed at crippling the information and communication infrastructure of their targeted countries and crippling their social, economic, government and military activities. There is enough evidence of involvement of state actors in several recent incidents of cyber attacks.[9] Stuxnet is a case in point.[10] It presents a serious challenge for countries like India, surrounded by several inimical neighbours. However, this also presents the country with a big opportunity to develop solutions to secure its ICT infrastructure and cyber assets. The sixth emerging trend is the related issue of ensuring privacy and confidentiality of information pertaining to individuals and businesses. One of the motivations for cyber attacks is to gain access to or steal information that has commercial value or that helps the attackers to commit fraud with that information. To protect privacy, effective laws and regulations need to be put in place to ensure what data can be used and shared and for what purpose. It also has a bearing on where the data can be stored in servers.
This is already a major concern in some domains such as healthcare, where privacy and security concerns about hosting and sharing health data are significant. As India is the world leader in IT services outsourcing business, it offers a big opportunity for the Indian government to put in place effective policies to assure the international community that the country respects the concerns on privacy and confidentiality of data. Indian industry should exploit this opportunity to get a bigger share of the worldwide market in IT and IT enabled services. Lastly, there is a greater effort being made internationally at the multilateral level to address global concerns on cyber security. Recently, the international Group of Governmental Experts, representing 15 countries including India, has submitted a report to the United Nations secretary general on enhancing cyber security globally. International cooperation in cyber security presents great opportunities for India to spearhead and lead the efforts to build a global consensus around the approaches to address the issues. It would also open up tremendous opportunities for Indian industry to develop and showcase its capabilities to offer technical solutions to deal with the threats.

A global concern

‘This world – cyberspace – is a world that we depend on every single day... [it] has made us more interconnected than at any time in human history.’ The growth and dependence on ICT has given rise to new challenges. Consequently, today there is a trade-off in our global village between enjoying the conveniences offered by ICT and minimizing the opportunities its use presents to eavesdropping by nation states on one hand and criminals on the other. While the motives of the former are about power politics and hegemony, the latter are out to cheat gullible and ignorant individuals who are unable to estimate the reach of ICT into their private lives.
Criminals in cyberspace are today capable of spreading sophisticated threats through mobile devices and cloud applications, and have the ability to infiltrate high value targets. According to a 2011 Norton study, threats to cyberspace have increased dramatically in the past year afflicting 431 million adult victims globally – or 14 adult victims every second, one million cyber crime victims every day.[2] Cyber crime has now become a business which exceeds a trillion dollars a year in online fraud, identity theft and lost intellectual property, affecting millions of people around the world, as well as countless businesses and governments of every nation. The challenges faced by governments vis-à-vis cyber security issues are scary as there is no simple way to detect, identify and recover from attackers who cannot be seen or heard, leave behind no physical evidence, and hide their tracks through a complex web of compromised computers. As a result of integration of controls, processing and provision of services through ICT, the sophisticated attackers and/or hackers can disrupt the electronic controls of, for instance, our power grids, water treatment plants and telecommunications networks. They can interfere with the production and delivery of basic goods and services provided by our governments and the private sector. They can easily sabotage privacy by stealing our personal information.

Post the 2008 cyber attacks in Europe, many developed nations began to take note of the opportunities as well as the risks associated with cyberspace and ICT. For instance, the Government Accountability Office (GAO) in its July 2010 report to the Congressional Requesters appraised the enormity of the genie of cyberspace and need for cyber security. The US has an Internet Crime Complaint Center (IC3) which provides services to both the victims of online crimes and to law enforcement agencies. Its 2011 report reveals that for the third year in a row it received over 300,000 complaints, a 3.4% increase over the previous year. The adjusted dollar loss of complaints was $485.3 million.[3] The strategic guideline issued by the government stresses five basic principles viz.: upholding fundamental freedoms; respect for property; valuing privacy; protection from crime; and right of self-defence. The document explicitly spells out the role of the US regarding the future of cyberspace: enlarge the focus through diplomacy by strengthening partnerships at the global level; actively look after its defence through acts of dissuasion and deterrence with the ultimate aim of making progress on the development front which will ensure prosperity and security.
