Indian Defence Review

Cyber Crime 

In the contemporary would, we are witnessing ever-increasing number of people hooked to online service, which provides a happy hunting ground for cyber criminals, with losses due to cyber crime being in billions of dollars worldwide. While other countries are reporting enormous losses to cyber crime, as well as threats to enterprises and critical information infrastructure (CII), there are hardly any such reports coming out of India other than those relating to cyber espionage. Though the report of the National Crime Records Bureau (NCRB) for 2010 reported an increase of 50 per cent in cyber crime over the previous year, the numbers were quite small in absolute terms. The total number of cases registered across various categories was 698; but these low numbers could be because cyber laws have proved ineffective in the face of the complex issues thrown up by Internet.

As a case in point, though the cyber crimes unit of the Bengaluru Police receives over 200 complaints every year, statistics show that only 10 per cent have been solved; a majority of these are yet to be even tried in the courts; and the cases that did reach the courts are yet to reach a verdict since the perpetrators usually reside in third countries. Even though the Information Technology Act (IT Act) 2000 confers extraterritorial jurisdiction on Indian courts and empowers them to take cognizance of offences committed outside India even by foreign nationals provided that such offence involves a computer, computer system or computer network located in India, this has so far existed only on paper. Similarly, there are relatively few reports of Indian companies suffering cyber security breaches of the sort reported elsewhere. Companies attribute this to the primacy placed on information assurance in the outsourcing business. Industry bodies such as the National Association of Software and Services Companies (NASSCOM) also attribute this to the fact that they have been at the forefront of spreading information security awareness amongst their constituents, with initiatives such as the establishment of the Data Security Council of India (DSCI) and the National Skills Registry.

The Indian government has also aided these initiatives in a variety of ways, including deputing a senior police officer to NASSCOM to work on cyber security issues, keeping the needs of the outsourcing industry in mind. That said, cyberspace is increasingly being used for various criminal activities and different types of cyber crimes, causing huge financial losses to both businesses and individuals. Organised crime mafia have been drawn to cyberspace, and this is being reflected in cyber crimes gradually shifting from random attacks to direct (targeted) attacks. A cyber underground economy is flourishing, based on an ecosystem facilitated by exploitation of zero-day vulnerabilities, attack tool kits and botnets.

The vast amounts of money lubricating this ecosystem is leading to increased sophistication of malicious codes such as worms and trojans. The creation of sophisticated information-stealing malware is facilitated by toolkits such as ZueS, which are sold on Internet for a few thousands of dollars. At the other extreme, components of critical infrastructure such as Programmable Logic Control (PLC) and Supervisory Control and Data Acquisition (SCADA) systems were targeted by the Stuxnet malware that attacked supposedly secure Iranian nuclear facilities. Stuxnet exploited five distinct zero-day vulnerabilities in desktop systems, apart from vulnerabilities in PLC systems, and exposed the grave threat to critical infrastructure such as nuclear plants and other critical infrastructure.

Cyber criminals are using innovative social engineering techniques through spam, phishing and social networking sites to steal sensitive user information to conduct various crimes, ranging from abuse to financial frauds to cyber espionage. While large enterprises are ploughing more resources into digital security, it is the small enterprises and individuals that are falling prey to cyber crime, as evinced by the increasing number of complaints on consumer complaint forums.

Cyber Espionage

The examples of cyber espionage are quite evident, with regular reports of thousands of megabytes of data and intellectual property worth millions being exfiltrated from the websites of both government and private enterprises. While government websites in India have been hacked, the private sector claims that it has not been similarly affected. It may also be that theft of intellectual property from private enterprises is not an issue here because R&D expenditure in India is only 0.7 per cent of GDP, with government expenditure accounting for 70 per cent of that figure. Companies are also reluctant to disclose any attacks and exfiltration of data, both because they could be held liable by their clients and also because they may suffer a resultant loss of confidence of the public.

As far as infiltration of government websites is concerned, cyber espionage has all but made the Official Secrets Act, 1923 redundant, with even the computers in the government’s sensitive departments being accessed, according to reports. The multiplicity of malevolent actors, ranging from state-sponsored to hactivists, makes attribution difficult. The government currently can only establish measures and protocols to ensure confidentiality, integrity and availability (CIA) of data. Law enforcement and intelligence agencies have asked their governments for legal and operational backing in their efforts to secure sensitive websites and to go on the offensive against cyber spies and cyber criminals who are often acting in tandem with each other.

In the current climate of elevated risk created by the vulnerabilities of and threats to the Nations IT infrastructure, cyber security is not just a paperwork drill. Adversaries are capable of launching harmful attacks on IT systems, networks, and information assets. Such attacks could damage both the IT infrastructure and other critical infrastructures. Cyber security is slowly gaining wider adoption in many consumer products for a variety of reasons, due to appreciation of consequences of insecurity, the need for developing secure products, performance and cost penalties, improved user convenience, need for implementing and consistently maintaining security practices, and importance of assessing the value of security improvements. But consumer and enterprise concerns have been heightened by increasingly sophisticated hacker attacks and identity thefts, warnings of a cyber terrorism, and the pervasiveness of IT uses. Consequently, many in the industry and critical infrastructure organizations have come to recognize that their continued ability to gain consumer confidence will depend on improved software development, systems engineering practices and the adoption of strengthened security models and best practices.

In order to highlight the growing threat to information security in India and focus related actions, Government had set up an Inter Departmental Information Security Task Force (ISTF) with National Security Council as the nodal agency. The Task Force studied and deliberated on the issues such as

• National Information Security Threat Perceptions.
• Critical Minimum Infrastructure to be protected.
• Ways and means of ensuring Information Security including identification of relevant technologies.
• Legal procedures required to ensure Information Security.
• Awareness, Training and Research in Information Security.

In line with the recommendations of the ISTF, the following initiatives have been taken by the Government:

• Indian Computer Emergency Response Team (CERT-In) has been established to respond to the cyber security incidents and take steps to prevent recurrence of the same
• PKI infrastructure has been set up to support implementation of Information Technology Act and promote use of Digital Signatures.
• Government has been supporting R&D activities through premier Academic and Public Sector Institutions in the country
• Information Security Policy Assurance Framework for the protection of Government cyberspace and critical infrastructure has been developed.
• The Government has mandated implementation of Security Policy in accordance with the Information Security Standard ISO 27001
• Currently in India 246 organisations have obtained certification against the Information Security Standard ISO 27001 as against total number of 2814 ISMS certificates issued worldwide. Majority of ISMS certificates issued in India belong to IT/ITES/BPO sectors.
• Security Auditors have been empanelled for auditing, including vulnerability assessment & penetration testing of computer systems & networks of various organizations of the government, critical infrastructure organizations and those in other sectors of the Indian economy. Nationwide Information Security Education and Awareness Program has been launched.

The IT infrastructures significance to the country has gained visibility in the recent years due to cyber attacks and rapid growth in identity theft and financial frauds. These events have made it increasingly clear that the security of the IT infrastructure has become a key strategic interest to the government. Although the industry now making investments in security-related infrastructure, their actions are directed primarily at short-term efforts driven by market demands to address immediate security problems. The government has a different but equally important role to play in cyber security assurance in the form of long-term strategies. In this direction, the deliberations of the National Information Board (NIB), National Security Council (NSC) have stressed the importance of a national strategy on cyber security, development of national capabilities for ensuring adequate protection of critical information infrastructures including rapid response and remediation to security incidents, long-term investments in infrastructure facilities, capacity building and R&D. Governments responsibilities in long-term investment and fundamental research will enable development of new concepts, technologies, infrastructure prototypes, and trained personnel needed to spur on next-generation security solutions.

Hence, the above points make it amply clear that we need to develop cyber infrastructures; the IT infrastructure enables large-scale processes throughout the economy, facilitating complex interactions among systems across global networks. Their interactions propel innovation in industrial design and manufacturing, e-commerce, e-governance, communications, and many other economic sectors. The IT infrastructure provides for the processing, transmission, and storage of vast amounts of vital information used in every domain of society, and it enables government agencies to rapidly interact with each other as well as with industry, citizens, state and local governments, and the governments of other nations.

Understanding the threat of cyber warfare and developing capacity for offensive actions in this domain is mandatory. Nations, non-state actors, terrorist groups and individuals pose a challenge to growth, which is increasingly going to be dependent on the cyber security. Cyber warfare will also be central to any hostile or conflict situation. Clearly defined objectives and national doctrine in this regard along with supporting structures and matching capabilities are thus inescapable.