
Protecting Indian Cyber Space

Muktesh Chander, IPS


Abstract
Increasing use of computers, computer networks and communication technology has resulted in a huge amount of vital information being exchanged, stored and processed on computers. This is not only true for individuals, various organisations and companies but also for governments and their institutions. The confidentiality, availability and security of this information are crucial for most organisations to effectively run their E-Commerce or E-Governance model. Cyber security breaches are resulting in huge losses globally.

The peculiar nature and global reach of cyber crimes have forced organisations to take steps towards managing Information Security issues in a planned manner with a holistic approach. It has been realized that Cyber Security is a complex and multidisciplinary subject and that simple, technological product driven, off the shelf solutions are of limited use. India has embraced ICT in a big way. Private companies, government institutes, organizations and citizens are using computers and computer networks like never before. We are fast moving towards a digital society and hence we need to secure our cyber space. Cyber security is now becoming a vital subset of national security, and guarding critical information infrastructures is of paramount importance to a nation like India, which has been fighting various forms of terrorism for the last several decades. Several advanced nations have realized the dangers to their cyber space and have taken steps to protect it. India needs to evolve its own strategy to protect her cyber space.

ICT Revolution and Indian Cyber Space

For the past two decades India has been witnessing a great digital revolution which has changed our society in an unprecedented way, affecting everyone's life. Enabled by technology mission, abundant software talent and global effect, India is now harnessing the benefits of ICT in a big way. The talent that made India the centre of global delivery in IT over the last 15 years has now developed the skills and experience it needs to apply these learnings at home (Nilekani, 2008). Internet backbones and country-wide fiber optic networks have been created, which has brought broadband within reach of the average Indian. Department of Telecommunication has a target of 20 million broadband subscribers by the year 2010. PC literacy in India has shown a steady growth since 2004. By Sept, 2007 there were 46 million Internet users in India, showing an increase of 40% over the previous year. There were 23.39 lakh broadband subscribers in India as on 31st March 2007 (TRAI, 2007).

Mobile subscriber base in India is also increasing very fast. In November 2008, there were 249 million users in India with about 7.6 million getting added every month (COAI, 2008). The figure is likely to cross 560 million by 2012. Call rates, SMS and MMS services offered by mobile phone companies are becoming cheap and therefore popular, particularly with the younger generation. Value added services like payment of bills, mobile banking, ticket reservation etc. have further added to its popularity. Mobile commerce, advanced E-Mail, mobile advertising, social networking, Internet surfing, and mobile gaming are likely to emerge as big markets. The market size of such value added services in India is expected to rise to Rs. 22,400 crores by 2011. The cellular companies are now heading towards rural areas with value-added services specially designed for rural population.

According to internetworldstas.com, India is third among 10 top Internet countries with 60 million users, figuring only below China and Japan. With the trends of increased Internet usage, internet advertising is projected to grow by 32% over next five years to reach an estimated Rs. 11 billions in 2021 (PriceWaterHouseCoopers, 2007). Indian netizens have emerged as third biggest online shoppers in the world using credit card (Nielson, 2008). Indian Railways Passenger Reservation System now caters to 5.5 lakh passenger reservations from more than 4000 terminals across the country. Even though it started late in India, now more than 80% of airline tickets are booked electronically. E-Retailing has emerged as a big market where everything from toys, books, home appliances, consumer electronic items, automobiles etc. is being traded. Service sector is also following similar trends. Online jobs, matrimonial services and other classified markets have mushroomed. Digital download of music and video is poised to increase its share in the E-Commerce market in India. With increase in GPRS enabled services and arrival of 3G services, mobile commerce and mobile value added service industry (MVAS) in India will see huge growth in coming years.

India is a favored destination for software development and outsourcing backend operations of multinational corporations all over the world. Government policies have also been a boosting factor for BPO and software industry. Number of persons employed in the BPO sector in India has more than doubled from 220,000 in 2003-2004 to 410,000 in 2005-06, with revenue growth from USD 3.1 billions to USD 6.3 billions (MIT, 2008). Revenue from BPO industry is expected to reach US $ 50 billions by 2012 (NASSCOM, 2008).

Government of India launched a National E-Governance Plan (NeGP) in 2006 comprising 27 Mission Mode Projects with 10 components, with a vision to make government services accessible to citizens in their locality through common service centers (CSC). The objectives are to ensure accessibility, transparency, efficiency and reliability in governance. NeGP envisages establishment of 1,00,000 CSCs in 6,00,000 villages of India which will act as the nodal centers for E-Governance delivery points in the locality of citizens. For the scheme an outlay of Rs. 5742 Crores has been earmarked. National portal of India now offers as many as 155 online services in 14 sectors and the list is increasing fast (National portal, 2008). It can be seen very clearly that Indian Cyber Space is growing exponentially and so is our digital dependence on it.

Cyber Crime in India

Like other developed and developing countries, India is also facing cyber crime challenge. Before IT Act was enacted, cyber crimes were booked under various sections of Indian Penal Code. Since 2000, Cyber crimes are registered under IPC as well as IT Act. Some of the cities where software industries are situated are showing sharp increase in cyber crime cases registered under IT Act, 2000 as can be seen in Table 1.

City          2003   2004   2005   2006   2007   Total
Delhi            4      4     10      5     10      33
Bangalore*       7     14     38     27     40     126
Gurgaon          1      -      4      2      5      12
Chennai          6     10     20      7      4      47
Pune             4      6      9     10     14      43
Hyderabad        3      -      -      -      2       5
Sub-Total       25     34     77     49     70     255
Total India     60     68    179    142    217     666

TABLE 1: CYBER CRIME STATISTICS OF SOME OF THE CITIES IN INDIA
*Bangalore Cyber Crime Police Station for Karnataka.

217 cases were registered under IT Act during the year 2007 as compared to 142 cases during the previous year, thereby reporting an increase of 52.8%. Out of these, 45.6% cases were related to cyber pornography and 35% cases were related to hacking (NCRB, 2007). Cyber crime is now being noticed in smaller towns in India. World-wide trends of cyber crime are alarming and in India we need to gear up for the challenges ahead (Muktesh1, 2009).

Vulnerability of Indian Cyber Space

Preparedness for cyber security of Indian organizations, both in public and private sectors, is far from satisfactory and some of the recent incidents are a pointer to the level of existing vulnerability and gaping holes in the Indian cyber security environment. Nearly one in three Indian organizations suffered some financial loss because of cyber attack (CIO, 2006). In 2007 a Swedish ethical hacker blogged details of email accounts and passwords of several Indian government institutions, including Defence Research and Development Organization, National Defence Academy and Indian embassies in several countries (DNA, 2007). In December 2009, all digital records of details pertaining to gate passes allotted to vehicles for the year 2007, which enabled them to enter UP assembly building, were lost following a virus infestation in the computer. The loss assumes significance in view of the parliament attack in 2001 and the recent terror attack in Mumbai (The Hindu, 2008). In October, 2008 five educated cyber criminals were arrested by Noida Police when they illegally transferred Rs. 1.66 crores from the bank account of a victim by hacking into his internet bank account (HT, 2008). A major Manesar based multinational IT company has reportedly decided to shift its $ 10 million R & D facility to Australia due to a recent incident of IPR data theft in electronic form which caused it an estimated loss of Rs. 754 crores (Expressindia, 2006). Kingfisher airline reportedly incurred a loss of Rs. 17 Crores and several other airline companies suffered similar losses due to fraudulent ticket purchases from their online booking systems. According to a survey conducted by Readiminds in India, 30% of banks reported to have been victims of identity theft/phishing during the last one year and over 57% of banks still do not have a dedicated budget for online security (Readiminds, 2008). 5475 Indian websites were defaced during 2008. 392 phishing incidents were reported to Computer Emergency Response Team of India (CERT-IN) in 2007 involving banks and financial institutions. Security incidents handled by CERT-IN in 2007 have gone up by 124% over the previous year. It tracked 146891 bot infected computers in the country (CERT-IN, 2008). Use of unsecured Wi-Fi networks to send terror email by Indian Mujahideen operatives after recent serial blasts in Delhi, Ahmedabad, Jaipur etc. has once again highlighted cyber vulnerability exploitation. These are only a few examples of cyber security breaches, a large number of which go unnoticed, undetected or unreported for various reasons. General awareness about cyber security amongst average Indian computer users is alarmingly low and so are the investigation and detection capabilities of cyber security breaches by police of most states except in metropolitan cities.

Indian Critical Information Infrastructure

Critical Information Infrastructure (C I I) is a subset of all vital installations. As more and more critical systems in vital sectors in India are getting computerized and linked to networks, their vulnerability is increasing. Some of them are:

1. Telecommunications and Internet backbones.
2. Electrical power generation & distribution systems including nuclear power stations.
3. Banking and financial systems including stock exchanges.
4. Transportation control systems (including mass rapid transports like metro rail, air traffic controls, rail and air passenger reservation systems).
5. Communication systems including satellite communication, cell phone communication, microwave links, GPS Navigation, Direct to Home broadcasts.
6. E-Governance and E-commerce.
7. Military & Defence installations including their C4I (Command, Control, Communication, Computers & Intelligence).
8. Emergency response systems like police, ambulance and fire brigade.

These sectors are crucial for national economy, national security and governance. These sectors are also highly interdependent in a complex way and their proper functioning is also important to many other infrastructures. In general, one of the remarkable features of modern, computer-based society is that a seemingly endless series of small details must function correctly and in cooperation in order to maintain the numerous processes that we take for granted. A single bug, the smallest aberration, so subtle as to be virtually impossible to foresee, can theoretically initiate a complex chain of events, the effects of which can become manifest at a national or even global level. Protecting these critical information infrastructures against disruption of any kind is increasingly crucial in maintaining both domestic stability and national security (C I I, 2006). While we are embracing Information Technology in a big way, we are realizing that without adequate security, all the new systems may actually create more problems than they solve (Sanghi, 2006). This was amply demonstrated when the submarine cable connection between India and the rest of the world was recently disrupted and when Estonia faced coordinated cyber attacks on its critical information infrastructure for three weeks in April, 2007, compelling NATO leaders to begin to address the need for a systematic strategy to deal with cyber attacks. In the recently notified Information Technology (Amendment) Act, 2008, Government of India has recognized the importance of C I I and has made provision for declaring any organization as the national nodal agency in respect of Critical Information Infrastructure Protection.

Cyber War and Cyber Terrorism

"Why to send a bullet where you can send a byte" is the new phrase in cyber space. Cyber weapons can create more havoc in a short time and on a wider target area than the conventional weapons. If used intelligently, on selected important target systems in unison, these cyber weapons act as what may be called Digital Intercontinental Ballistic Missiles (Muktesh2, 2003). For modern war, C4I (Command, Control, Communication, Computers and Intelligence) are the critical factors. Dayal (2005) suggested that tools of cyber terrorism are exceptional force multipliers when such tools are integrated with conventional weapons, causing large scale havoc and disruption. Cyber skirmishes have been noticed for a long time between groups of hackers of various countries such as Hezbollah and Hamas, Palestine and Israel, America and China, Russia and Georgia, India and Pakistan etc. Cyber Terrorism threats are being taken seriously and several nations have started gearing themselves for such an eventuality in the near future, and many have conducted mock exercises. Realising this danger, Indian legislature has defined and prescribed punishment for Cyber Terrorism in IT (Amendment) Act 2008, but we have to go a long way in this direction.

Cyber Security

Cyber security is a broad subject and various definitions are available. American National Standard Institute (ANSI, 2008) defines cyber security as the protection of any computer system, software program and/or data against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional. Information Technology (Amendment) Act, 2008 has defined cyber security as protecting information, equipment, devices, computer, computer resources, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. Cyber Security stands on a tripod of confidentiality, integrity and availability of data and services, commonly known as CIA triad, as shown in Picture 1.

Picture 1: CIA TRIAD (Confidentiality, Integrity and Availability of Data and Services)

(a) Confidentiality means ensuring that the information does not fall in the hands of unauthorized persons and is accessible only to authorized persons. It must also remain confidential while in transit.

(b) Integrity means that the information remains untampered while in transit or while kept stored. No unauthorized person must be able to alter the information. Integrity is often discussed as having two dimensions of data integrity and systematically.

(c) Availability means the information is accessible to authorized persons whenever required without diminishing its value.

Cyber security can not be ensured just by some software tools but has to be managed holistically.

National Cyber Space Protection Strategy

Several advanced nations have included protection of their cyber space as a part of their national security. USA had highlighted it in a document, National Strategy to Secure Cyberspace, as early as 2003 (President, 2003). Cyber Security Strategy of United Kingdom for safety, security and resilience in cyber space has just been released (UK, 2009). Learning lessons from cyber attacks in 2007, Estonian ministry of defence came up with their cyber security strategy (Estonia, 2008). India also needs to develop its own Cyber Security Strategy keeping in view the situation in its neighborhood. The following steps can be initiated immediately.

1. Formulate National Cyber Security Strategy.
2. Identify, categorize and prioritize national information systems and critical information infrastructures whether in private or government sector and make them resilient and secure. Mandatory certification of such infrastructure under ISO 27001:2005 should be undertaken in a time bound manner. We also need to develop our own information security standards and make them mandatory for critical sectors.
3. Establish National Critical Information Infrastructure Protection Authority.
4. Appoint an apex level agency to oversee country-wide implementation of the cyber security measures.
5. Allocate sufficient resources and funds for national cyber defence.
6. Strengthen legal framework with laws similar to US laws like Federal Information Security Management Act, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act etc.
7. Carry out nation wide mock cyber security exercises to test cyber preparedness and take corrective steps accordingly.
8. Increase cyber surveillance, investigation and detection skills and capabilities of Indian intelligence and police organizations (Muktesh3, 2003).
9. Introduce cyber security courses in higher education to build a cadre of information security specialists and cyber warriors to strengthen our cyber defence mechanism.
10. Strengthen inter-agency and inter-ministerial coordination on cyber security issues.
11. Increase information security awareness and education of computer users, public and all stakeholders. A nation-wide culture of cyber security needs to be introduced.
12. Promote use of encryption and digital signatures by departments dealing with sensitive information.
13. Promote inter-disciplinary research & development in cyber security.
14. Develop indigenous cyber forensics, diagnostics and security tools suitable for Indian conditions.
15. Secure participation of industry, academia and NGOs for a coordinated response to cyber threats.
16. Collaborate with other countries/regional and international bodies for tackling cyber crime & information security issues. International and regional treaties need to be signed in this regard.

Conclusions

As we protect our physical boundaries, in the information age we need to protect our cyber space from invisible enemies. Digital India needs a digital fortress with an aim of Information Assurance to all its netizens. Lessons learnt from cyber attacks on other nations and their cyber defence strategies could be of great help in preparing our own cyber defence mechanism in 21st century. We can not wait for a disaster to occur before we act.


REFERENCES

1. CERT-IN, 2008, Annual Report 2008, available at http://www.cert-in.org.in/defacementdetails08.htm
2. COAI, 2009, Subscriber figures for September 2009, available at http://www.coai.com/Sub%20Figs/GSM%202009/All%20India%20GSM%20sub%20figures%20-%20Sep'09.xls
3. CIIP, 2006, International CIIP Handbook 2006 Vol. I by Myriam Dunn and Victor Mauer (eds.), available at http://cipp.gmu.edu/archive/5_IntlCIIPHandbook_2006_Vol_I_Switz.pdf
4. CIO, 2006, The Global State of Information Security 2006, available at http://www.pwchk.com/webmedia/doc/632949485891990448_info_security_sep2006.pdf
5. Dayal, Denzyl P., 2005, Cyber Terrorism Hoaxes and Law Enforcement, New Delhi: Dominant Publishers and Distributors.
6. DNA, 2007, Daily News & Analysis, Can India survive a Chinese cyber attack, available at http://www.dnaindia.com/dnaprint.asp?newsid=1119824
7. Estonia, 2008, Cyber Security Strategy, 2008, available at http://www.mod.gov.ee/static/sisu/files/Estonian_Cyber_Security_Strategy.pdf
8. Expressindia, 2006, Data theft: Firm diverts $ 10 million, News item available at http://cities.expressindia.com/fullstory.php?newsid=205146
9. HT, 2008, Cyber thieves nabbed for Rs. 1.6 crores heist in Noida, News item available at www.hindustantimes.com/StoryPage/StoryPage.aspx?id=95a37bed-593a-43d9-a2ae-6a276f3090ba
10. http://www.iamai.in/upload/Research-summaryreport-final.pdf
11. MIT, 2008, available at http://www.mit.gov.in/default.aspxid+899
12. Muktesh1, 2009, Current threats and Trends in Cyber Crime, presentation at Conference on International Police Cooperation against Cyber Crime, available at http://cbi.nic.in/events/ppt/session1/Current%20threats%20and%20trends.ppt
13. Muktesh2, 2003, Cyber Terrorism: A Myth or Possibility, Indian Police Journal July-September 2003.
14. Muktesh3, 2003, E-surveillance, available at www.svpnpa.gov.in/Publication/julydec2003.pdf
15. NASSCOM Strategic Review, 2008, available at http://www.nasscom.in/upload/SR2008_Exec_%20Summary.PDF
16. National portal, 2008, available at http://india.gov.in/sector.php
17. NCRB, 2007, Crime in India 2007, available at http://ncrb.nic.in/cii2007/cii-2007/CHAP18.pdf
18. Nilekani, Nandan, 2008, Imagining India. Ideas for the New Century; New Delhi: Penguin India.
19. President, 2003, National Strategy to Secure Cyberspace, available at http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf
20. PriceWaterHouseCoopers, 2006, Information Security Breaches Survey 2006, available at http://www.enisa.europa.eu/doc/pdf/studies/dtiisbs2006.pdf
21. Readiminds, 2008, State of Online Security in Financial Institutions in India 2008, available at http://www.readiminds.com/pressrelease/news_indiastats.htm
22. Sanghi, Dheeraj, 2006, Network Security, CSI Communications, Volume 30, issue No. 8, November, 2006.
23. Telegraph, 2008, available at http://www.telegraph.co.uk/news/2605021/Britain-underconstant-attack-in-cyberwar.html
24. The Hindu, 2008, Digital records of UP Assembly car passes lost, News item of December 14, 2008, available at http://www.hindu.com/thehindu/holnus/004200812141080.htm
25. TRAI, 2007, Annual Report 2006-2007, available at http://www.trai.gov.in/annualreport/AReport2006-07English.pdf
26. UK, 2009, Cyber Security Strategy of the United Kingdom. Safety, security and resilience in cyber space, 2009, available at www.cabinetoffice.gov.uk/media/216620/css0906.pdf
27. Wilson, Clay, 2006, Terrorist Capabilities for Cyber Attack, International CIIP Handbook, Vol. II.
