10/12/13

GovernanceNow.com | India is victim to cyber espionage

Home

News

Views

PSUs

Banking

Bureaucracy

eGov

Login

Register

Home View s Interview India is victim to cyber espionage

India is victim to cyber espionage

In conversation, Muktesh Chander, centre director, national critical information infrastructure protection centre
PRA T A P V IKRA M SINGH | FEBRUA RY 0 8 2 0 1 3 View Im age

Author

Pratap Vikram Singh is Principal Correspondent with Gov ernance Now In Other Stories Sibal holds consultation on draft national ICT policy 2 01 1 Political will critical for ICT Child online protection is an im perativ e Com ing soon: Gov t's Hindi spin on the web - www. . Tim e for tim ely deliv ery of serv ices NOFN is okay but where is the content? Rs 3 5 lakh didn't repair this road... Bihar to m atch Gurgaon and Bangalore in IT : Nitish In a PPP, gov ernm ent m ust be m ore partner-sensitiv e e-District cuts through red tape in citizen serv ice deliv ery In This Section
Most Emailed Most Popular Most Commented

Mu k t esh Ch a n der , cen t r e dir ect or , n a t ion a l cr it ica l in for m a t ion in fr a st r u ct u r e pr ot ect ion cen t r e

A 1 988 batch Indian Police Serv ice (IPS) officer, Muktesh Chander has serv ed in Delhi Police for ov er 20 y ears and is known for deploy ing technology for better policing and traffic management. He is an electronics and telecommunication graduate from Delhi univ ersity and is currently pursuing his PhD in information security management from IIT-Delhi. As centre director of the national critical information infrastructure protection centre (NCIIPC), he is establishing an organisation that will deal 24x 7 with cy ber threats to national security . In an interaction with Pratap Vikram Singh, Chander discusses the emerging profile of newly formed organisation. Can y ou tell us the background of the national critical inform ation infrastructure protection centre (NCIIPC) form ation? Before the amendment of IT Act, 2000 in 2008, there was a prov ision of a protected sy stem under section 7 0. Any one who tampered or manipulated with the protected sy stem was sev erely punished. Later, the term cy ber terrorism was for the first introduced. Under the IT (Amendment) Act, 2008, critical information infrastructure (CII) was defined and an effort to tamper with it was to be considered as an act of cy ber terrorism. Normal cy ber security and critical sectors hav e to be dealt with separately . And a specialised agency has to do this. According to the legislation, the whole cy ber security regime was div ided into two sections: 7 0A and 7 0B for non-critical sectors. Section 7 0B mandates CERT-In as the nodal agency to look after non-critical sectors and section 7 0A was to be giv en to a specialised agency , which ev entually took the form of NCIIPC under the aegis of the national technical research organisation (NTRO). Because of technical ex pertise and v arious other reasons, NTRO got this job. What will be y our m andate? Will it also hav e offensiv e capabilities?

What if tom orrow nev er com es?... Right said Rangarajan... I just want to be a change agent Nilekani... e-Gov lessons from Estonia!...

governancenow.com/views/interview/india-victim-cyber-espionage

1/3

10/12/13

GovernanceNow.com | India is victim to cyber espionage

Protecting an infrastructure has certain steps early warning, prev ention, detection mitigation recov ery and response and business continuity . We will try and prev ent an occurrence (of cy ber attack). We will issue early warning. We will do training and awareness and frame guidelines. This is the mandate NCIIPC has. After taking all precautionary steps, if it still occurs, y ou need to detect it immediately and then take further steps. Many countries like the US and South Korea hav e this mandatory regime for cy ber security compliance, where priv ate organisations hav e to follow certain prov isions. In the same way , we will try and ev olv e similar prov isions. But as on date, we dont hav e such prov isions. On the offensiv e part, we nev er said we will be doing any such thing. To start with, we will ask each ministry and each gov ernment which has computers connected to critical operations to appoint a nodal officer as chief information security officer (CISO) who will ensure that all information security procedures are taken in place. This officer is supposed to interact with senior management like the chief secretary or the head of particular department or public sector undertakings. The CISO will then start the ex ercise of identify ing the lev el of automation and the critical infrastructure within the organisation. At NCIIPC, we will keep rev isiting these issues on periodic audit and v ulnerability testing. When is it being notified? We hav e sent papers to the department of electronics and information technology (DeitY ) and we are awaiting a formal notification as well as promulgation of rules. DeitY is the nodal agency for the implementation of the Act. Notwithstanding a formal promulgation, we are working towards a roadmap for protecting CII. What is the m agnitude of challenge we face in cy ber security ? To my knowledge, no detailed surv ey of CII has been done, so we cant precisely ascertain the magnitude. But NCIIPC will be doing all those required studies. Cy ber espionage of industrial, economic and political nature is one of many cy ber breaches which are taking place in the country . Last y ear, we had a m ajor power blackout across north India of course, due to ov erdrawing of power. But dont y ou agree power plants and power grids are v ulnerable to cy ber attacks? Y es, power plants are v ulnerable to cy ber attacks. The programmable logic controller (PLC) under SCADA sy stem a kind of industrial control sy stem decides the rev olution per minute (RPM) of a motor. If by cy ber manipulation the RPM is increased many times, the motors will burst and the power plant will come to a standstill. The same happened to nuclear centrifuges in Natanz in Iran, where the nuclear enrichment plant was infected by Stux net worm one of the most lethal cy ber weapons. As long as y ou hav e industrial control sy stems gov erned by computers, y ou will remain v ulnerable. What are the latest trends in cy ber threats? Spear-phishing is one. It is a well-crafted mail targeted for certain people (in the upper echelons of the gov ernment and the priv ate sector). Usually , the mail carries malware in the attachment. An innocent-looking PDF file can carry a malware. Malware can be designed for stealing, damaging a particular thing, disrupt or use a sy stem as the launching pad (for sending spam or spreading the infection further). Giv en the dy nam ic nature of threat, will y ou ov ersee the security on a real-tim e basis? Most countries hav e come up with sy stems and processes aiming to protect their v ital assets on a 24x 7 basis. As it ev olv es, NCIIPC will hav e a similar sy stem. The guideline for protecting CII is on the anv il. Training and awareness will be an important activ ity . As and when required, mandatory prov isions will be added so that the directions are complied by CII organisations. Howev er, it will be more of a mutually beneficial relationship between organisations and NCIIPC. We will hav e a cy ber operation centre which will be running 24x 7 for all stakeholders. It has to be a two-way process. Will y ou also m onitor the network? Ev ery thing coming in and going out of the network of a particular organisation is the responsibility of the organisation. Then only they can guard from any intrusion. Each one of them will be monitoring their own network. From theirs, we will also be taking a lot of information, collating and analy sing whether a particular v ector is try ing to target many such networks or not.

anna hazare Bihar BJP CBI

china

congress
India

corruption Delhi egovernance facebook Gujarat High jairam ramesh Kapil Sibal Karnataka Maharashtra
Court

Manmohan Singh
Mum bai Narendra Modi

parliament P Chidambaram
Pranab Mukherjee prime minister rajy a sabha RTI Sonia
Gandhi
UPA

supreme court
m ore tags

Uttar Pradesh

governancenow.com/views/interview/india-victim-cyber-espionage

2/3

10/12/13

GovernanceNow.com | India is victim to cyber espionage

Does that m ean y ou will hav e access control to the networks of all critical facilities? This is a technical question bey ond the scope of this conv ersation. What I can say is that each network must hav e its own intrusion detection and intrusion prev ention sy stems and certain ty pes of tools to monitor what is happening with their network. They are already doing it. But there are better and more secured way s of doing it. Can y ou elaborate on the NCIIPCs fiv e-y ear plan? It is a fiv e-y ear perspectiv e plan about how we are going to identify stakeholders, how we increase the manpower, how we spread training and awareness and how we install our sensors. Sensors will be implanted for detecting malware and threats. We hav e to get connected to stakeholders. Only then two-way information-sharing can take place. Hum an resource has been a challenge. How do y ou plan to address? Cy ber security is a new area and a combination of sev eral disciplines. There is a shortage of trained manpower. A lot of academic institutes and other organisations are working on it. We will also hav e a training div ision to equip all stakeholders. The human aspect of information security has just started gaining importance. The man behind the machine is equally important. Whatev er technology or tools he may use, intentionally or unintentionally , information security will be breached if not practised restraint. How big is y our team ? In the fiv e-y ear plan, we hav e indicated our requirement for HR. We ex pect to be a team of 200 to 300 people in day s to come. How m uch will be the annual spending? It will be too early to say . It could v ary from Rs 50 crore to Rs 200 crore.

Related stories

Stories you might like

Not all services available, CSCs under spotlight after 1st phase Cyber security policy: The missing 'H' PM asks DeitY to formulate NeGP 2.0 "With NII 2.0, w e w ant to change the game" "NeGP 2.0 should make use of social media"

More stories in this section

Striking at the root cause of crime Indian print media w ill become history in 3-5 years: Gerd Leonhard "We need to change our model of financing"

Comments

0 comments Leave a message...

Newest Community Share

No one has commented yet.

Su b s cri b e

Ad d D i s q u s to yo u r s i te
Copyright Info Disclaimer Privacy Policy Terms of Service Help Advertise w ith us Careers Contact Us Sitemap

Copyright 2010 Governance Now

governancenow.com/views/interview/india-victim-cyber-espionage

3/3