Cyber Security Threats And Challenges


02 Nov 2017


Signature

Name: Anil Kumar Mor

Rank: Lt Col

DSSC, Wellington

Date: Feb 2013

COUNTERSIGNED

Signature of Supervisory DS

DSSC, Wellington

Date: Feb 2013

CONTENTS

Chapter 1. Introduction

Chapter 2. An Overview on Cyber Security Threats and Challenges

Chapter 3. Indian Cyberspace and Cyber Security Initiatives

Chapter 4. Establishment of Unified Cyber Command

Chapter 5. The Way Ahead

Chapter 6. Conclusion

Bibliography

CHAPTER I

INTRODUCTION

"One hundred victories in one hundred battles is not the most skillful. Seizing the enemy without fighting is the most skillful."

Sun Tzu, Sixth Century B.C.

1. The nature of conflict and war has been impacted by the evolution of technology. Modern-day conflict is "no contact war" (NCW) [1], with no "physical" or "kinetic" action across borders. Operations are conducted in a covert manner, using resources such as agents in the information domain to weaken or strike at an adversary in order to achieve political objectives. These operations are clouded in ambiguity and deniability. The enemy is unseen and the victim is unsure of how and where to react.

2. Cyber Warfare, a component of Information Warfare conducted in the cyber domain, is a new form of war. Today cyberspace is a national asset, which enables a host of business and government services to citizens. Critical infrastructure such as energy, telecommunication, banking and stock exchanges, and the economies of advanced nations, depend almost entirely upon technology in cyberspace. Businesses are leveraging technology to transform their business models. Defence and Police agencies are making strategic use of technology to modernize.

3. Social networking platforms have enabled people to come together and have changed the way they interact socially. They have not only initiated connections, but have managed to sustain the growing interconnect by engaging people in different interests of their choice. Currently Facebook has 1 billion users, and there are 1 billion tweets every week this year with a community of 225 million users. The Arab Spring, Jasmine Revolution, Occupy Wall Street etc. have exemplified that a growing community of hundreds of thousands of people can be mobilized for a cause through social media. In contrast, the London riots were supposedly fuelled by social media. Recently, the regular failure of the electricity grid in north India, the mass exodus of people all across the country to the North East, and the Assam riots are testimony to what the cyber domain can trigger and to its enormous power.

4. Given the kind of activities being carried out in cyberspace, cyberspace merges seamlessly with the physical world. But so do cybercrimes. Cyber attackers can disrupt critical infrastructures such as financial and air traffic control systems, producing effects that are similar to terrorist attacks in the physical space. They can also carry out identity theft and financial fraud, steal corporate information such as intellectual property, conduct espionage to steal state and military secrets, and recruit criminals and others to carry out physical terrorist activities. With this growing threat landscape, the cyber-readiness of security systems has been constantly put to the test. While security systems are increasingly expensive, launching cyber attacks is relatively economical. This growing imbalance is a game changer. It has established cyberspace as offense dominant, wherein defenders have to defend all the time at a heavy cost, while the attacker needs to succeed only once.

5. The damage inflicted by cyber attackers may not be easily recognizable and, in some cases, may even go unnoticed. Even if an attack is successfully defended, it is possible for the attacker to cover tracks, and thus attribution of a cyber attack, in some scenarios, becomes very difficult, if not impossible. Tracing a cyber attack is not easy, as the Internet has no geographical boundaries and cuts across jurisdictions. There are no international laws/agreements that could help in tracing cyber attacks. This makes it all the more difficult to fight back against cyber warfare.

6. Cyber security is a complex issue that cuts across multiple domains and calls for multi-dimensional, multi-layered initiatives and responses. It has proved a challenge for govt, and the task is made all the more difficult by the inchoate and diffuse nature of the threats and the inability to frame an adequate response in the absence of tangible perpetrators.

7. There is an urgent need to establish a National Structure for Cyber Security which clearly defines roles and responsibilities for every stakeholder, establishes coordination & information sharing mechanisms, focuses on building Public Private Partnership models and creates an environment for enhancing trust between industry and government. A fully empowered head for Cyber Security should be appointed, positioned at the highest level within the government. We also need to establish a Cyber Command within the defence forces to defend the Indian Cyberspace. The Cyber Command should be equipped with defensive and offensive cyber weapons, and manpower trained in cyber warfare.

METHODOLOGY

Statement of Problem

8. To study & analyse the need to establish a unified cyber command at national level, to include the Services, and to suggest its structure, envisaged role & capability in the Cyber Warfare domain against the ever increasing Cyber security threat, to safeguard national interests.

Hypothesis

9. The present & future will see an ever growing threat manifestation to national security from Cyber Space, which has become the fifth dimension of warfare. India, being a pioneer in the IT sector, can successfully secure itself from cyber threat under a unified cyber command. Thus there is an urgent need to establish a unified cyber command at national level in general & at Services level in particular to counter the ever increasing cyber threat.

Justification for the Study

10. Cyber has become a fifth dimension of warfare in recent years. Due to ever increasing dependence on information and communication technologies, especially the Internet, for delivery of services, one of the biggest challenges the world faces is that of cyber security. Governments around the world are formulating cyber security strategies and policies to effectively manage the risks, which are global in nature.

11. Cyber security is important because it is closely associated with national security. The security situation in 2020 is bound to be far more complex and dangerous. The future will see a wired society with e-governance, communication, power and transportation networks, financial transactions, health and medicine all dependent on the cyber domain. Alongside will be the aspect of increased transparency and instant dissemination or democratisation of information. All this will also create vulnerabilities and impact on security with disastrous consequences.

12. Today, a sophisticated set of nation states and non-state actors are increasingly making efforts to intrude into the networked domain of their adversaries. The known activity is a fraction of adversary exploitation, and there is routine exploitation of known vulnerabilities. The targets and intentions are clearly focused on gaining operational information and a foothold in the networked domain. Operating in a contested environment requires situational awareness and improved defence against cyber attacks.

13. There is an urgent need, felt at national level and also at Services level, to understand the nature of the threat from cyber warfare and also the defensive and offensive cyber warfare measures to be taken. The efforts in the cyber domain can only be organised and coordinated by establishing a unified cyber command at national level. Thus there is a need to study the structure, role and capabilities of a cyber command in detail.

Scope

14. This study concentrates on the threat posed by cyber warfare and on understanding the need to establish a unified cyber command to safeguard national interests. It proposes to suggest the structure, role and capabilities of a unified cyber command of India by carrying out an in-depth analysis of the cyber threat environment and studies of the cyber commands of developed countries.

Method of Data Collection

15. The major source of information for this study has been the internet. A few books and reference material that were available in the DSSC library have also been consulted. Besides this, interaction with a senior military officer on the subject has also contributed towards the study. The bibliography of the sources is appended at the end of the text.

Organisation of the Dissertation

16. It is proposed to study the subject in the following manner:-

(a) Chapter 1. Introduction.

(b) Chapter 2. An overview on cyber security threats and challenges.

(c) Chapter 3. Indian Cyber space and cyber security initiatives.

(d) Chapter 4. Establishment of Unified cyber command.

(e) Chapter 5. Recommendations.

(f) Chapter 6. Conclusion.

CHAPTER 2

AN OVERVIEW ON CYBER SECURITY THREATS AND CHALLENGES

Cyberspace and its Importance to Nations

1. Cyberspace has no boundaries; it is man-made and ever expanding. It comprises the IT domain, including computer networks, computer resources and all the fixed and mobile devices connected to the global Internet. In the evolutionary stage of the Internet, the key considerations were interoperability and availability. What started as a closed user group involving academics from a few universities was thrown open to the world and has grown exponentially ever since. The rapid development of information technology (IT) and the relative ease of using applications have commercialised the use of cyberspace and expanded it dramatically in its brief existence.

2. In today’s networked world, cyberspace is considered a national asset. It has enabled a host of business and government services to citizens, and the efficient operation of critical infrastructure depends on it. In fact, the economies of many nations across the globe depend almost entirely upon technology in cyberspace. It has become the lifeline of critical infrastructures such as energy, telecommunication, banking, stock exchanges, etc. Businesses are leveraging technology to transform their business models. Defence and Police agencies are making strategic use of technology to modernize.

3. Social networking has gripped the entire world and revolutionised the way people come together and interact socially. It has not only initiated connections, but has managed to sustain the growing interconnect by engaging people with different interests of their choice. Currently, Facebook has around 800 million users, which are expected to reach 1 billion by August 2012. Tweets on Twitter grew from 500 K in 2007 to more than 4 billion in Q1 of 2010, to over 1 billion tweets every week this year with a community of 225 million users.

The Arab Spring, Jasmine Revolution, Occupy Wall Street etc. have exemplified that the growing community of hundreds of thousands of people can be mobilized for a cause through social media. In contrast, London riots were supposedly fuelled by social media.

4. Activities carried out in the cyberspace domain have merged cyberspace seamlessly with the physical world. Cyberspace has provided a tool for globalisation, and also a tool for cyber attackers to disrupt critical infrastructures such as financial and air traffic control systems, producing effects that are similar to terrorist attacks in the physical space. Cyber attackers and cyber criminals can also carry out identity theft and financial fraud, conduct espionage to steal state and military secrets, and recruit criminals and others to carry out physical terrorist activities.

5. Nations across the world are facing an evolving array of cyber-based threats arising from a variety of sources in cyberspace. The cyber threats can be intentional or unintentional. Unintentional threats can be caused by software upgrades or defective equipment that inadvertently disrupt systems, and intentional threats can be both targeted and untargeted attacks from a variety of threat sources. Sources of threats include criminal groups, hackers, terrorists, organization insiders, and foreign nations engaged in crime, political activism, or espionage and information warfare. These threat sources vary in terms of the capabilities of the actors, their willingness to act, and their motives, which can include monetary gain or political advantage, among others. Moreover, potential threat actors have a variety of attack techniques at their disposal, which can adversely affect computers, software, a network, an organization’s operation, an industry, or the Internet itself. The nature of cyber attacks can vastly enhance their reach and impact due to the fact that attackers do not need to be physically close to their victims and can more easily remain anonymous, among other things. The magnitude of the threat is compounded by the ever-increasing sophistication of cyber attack techniques, such as attacks that may combine multiple techniques. Using these techniques, threat actors may target individuals, businesses, critical infrastructures, or government organizations.

6. Cyber security is a complex issue that cuts across multiple domains and calls for multi-dimensional, multi-layered initiatives and responses. It has proved a challenge for governments because different domains are typically administered through siloed ministries and departments. The task is made all the more difficult by the inchoate and diffuse nature of the threats and the inability to frame an adequate response in the absence of tangible perpetrators.

Array of Cyber Threats Faced by Nation

7. The security of cyberspace, systems and networks is essential for protecting national and economic security, national data, public health and safety, and the flow of commerce. Ineffective information security controls can result in significant risks to the security of the nation, which include the following:-

(a) Loss or theft of resources and critical data.

(b) Unauthorised access to and disclosure, modification, or destruction of sensitive information, such as national security information, personal taxpayer information and proprietary business information.

(c) Disruption of critical operations supporting critical infrastructure, national defense and emergency services.

(d) Undermining of agency missions and its credibility due to embarrassing incidents that erode the public’s confidence in government.

(e) Use of the cyber domain for unauthorized purposes or to launch attacks on other computer systems.

8. Cyber Threats. Cyber threats can be classified on the basis of the perpetrators and their motives, into four categories. These are:-

(a) Cyber espionage.

(b) Cyber warfare.

(c) Cyber terrorism.

(d) Cyber crime.

9. Cyber attackers use numerous vulnerabilities existing in cyberspace to pose cyber threats. They exploit the weaknesses in software and hardware design through the use of malware. DDoS (Distributed Denial of Service) attacks are used to overwhelm the targeted websites. Hacking is a most common practice of piercing the defences of protected computer systems and interfering with their functioning. Identity theft is also most common. The scope and nature of threats and vulnerabilities in the cyber domain are multiplying with every passing day.

10. Cyber Warfare. No agreed definition of cyber warfare exists, but many states are indulging in attacking the information systems of other countries for espionage and for disrupting their critical infrastructure. The attacks on the websites of Estonia in 2007 and of Georgia in 2008 have been widely reported in the past. Although there is no clinching evidence of the involvement of a state in these attacks, it is widely held that in these attacks, non-state actors (e.g. hackers) may have been used by state actors. Since these cyber attacks, the issue of cyber warfare has assumed urgency in the global media. Many countries have set up a cyber command to counter the threats and have accepted cyberspace as the fifth dimension of warfare.

11. Cyber Crime. The increasing online population has become a happy hunting ground for cyber criminals, with losses due to cybercrime estimated to be in billions of dollars worldwide. While countries across the globe are reporting enormous losses to cybercrime, as well as threats to enterprises and critical information infrastructure (CII), in India an insignificant number of cases has been reported, other than those relating to cyber espionage. However, the report of the National Crime Records Bureau (NCRB) for 2012 reported an increase of 50% in cybercrime over the previous year. Nationally, Andhra Pradesh (349) ranked first, followed by Maharashtra (306) and Kerala (227). In cities, Bangalore (117) reported the most incidents while Visakhapatnam (107) and Pune (83) ranked second and third. Nationally, most cases reported were about loss of computer resources and obscene publications online. All over the country 157 cases of hacking were reported and 65 persons were arrested for the offence. Other offences include misuse of digital signatures, forging digital documents, unauthorized access and breach of confidentiality [2]. The low number of cybercrime cases registered could be because cyber laws have proved ineffective in the face of the complex issues thrown up by the Internet.

12. Cyber Terrorism. Cyberspace has provided a potent and cheaper tool to non-state actors for planning terrorist attacks, for recruitment of sympathisers, or as a new arena for attacks in pursuit of the terrorists’ political and social objectives. Terrorists have used cyberspace for communication, command and control, propaganda, recruitment, training and funding purposes. From that perspective, the challenge of non-state actors to national security is extremely grave. The government has taken a number of measures to counter the use of cyberspace for terrorist-related activities, especially in the aftermath of the terrorist attack in Mumbai in November 2008. Parliament passed amendments to the IT Act, with added emphasis on cyber terrorism and cybercrime, with a number of amendments to existing sections and the addition of new sections, taking into account these threats.

Further actions include the passing of rules such as the Information Technology (Guidelines for Cyber Cafe) Rules, 2011 under the umbrella of the IT Act. In doing so, the government has had to walk a fine balance between the fundamental rights to privacy under the Indian Constitution and national security requirements. While cyber hacktivism cannot quite be placed in the same class, many of its characteristics place it squarely in the realm of cyber terrorism both in terms of methods and end goals [3].

13. Cyber Espionage. Instances of cyber espionage are on the rise, with financial losses worth millions being exfiltrated from the websites and networks of both government and private enterprises. The theft of intellectual property from private enterprises is not an issue because R&D expenditure in India is only 0.7% of GDP, with government expenditure accounting for 70% of that figure. Companies are also reluctant to disclose any attacks and exfiltration of data, both because they could be held liable by their clients and also because they may suffer a resultant loss of confidence of the public. As far as infiltration of government networks and computers is concerned, cyber espionage has all but made the Official Secrets Act, 1923 redundant, with even the computers in the Prime Minister’s Office being accessed, according to reports. Governments currently can only establish measures and protocols to ensure confidentiality, integrity and availability (CIA) of data. Law enforcement and intelligence agencies have asked their governments for legal and operational backing in their efforts to secure sensitive networks and undertake offensive action against cyber spies and cyber criminals, who are often acting in tandem with each other, and probably with state backing. Offence may not necessarily be the best form of defence in the case of cyber security, as seen in the continued instances of servers of the various government departments being hacked and documents exfiltrated.

Sources of Cyber Security Threats [4] 

14. Bot-Network Operators. Bot-net operators use a network, or bot-net, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of bot-networks are sometimes made available on underground markets (e.g. purchasing a denial-of-service attack or services to relay spam or phishing attacks).

15. Criminal Groups. Criminal groups seek to attack systems for financial gain. Specifically, organized criminal groups use spam, phishing, and spyware/malware to commit identity theft, online fraud and computer extortion. International corporate spies and criminal organizations also pose a threat to the nations through their ability to conduct industrial espionage, large-scale monetary theft and to hire or develop hacker talent.

16. Hackers. Hackers break into networks for varied reasons such as the thrill of the challenge, bragging rights in the hacker community, revenge, stalking, monetary gain and political activism. While gaining unauthorized access once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. With the advance of technology, attack tools have become more sophisticated and easier to use. The worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage.

17. Insiders. The disgruntled organization insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat includes contractors hired by the organization as well as careless or poorly trained employees who may inadvertently introduce malware into systems.

18. Nations. Nations use cyber tools as part of their information-gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications and economic infrastructures that support military power or impacts that could affect the daily lives of citizens across the country. Among state actors, China and Russia are of particular concern.

19. Phishers. Individuals or small groups execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware or malware to accomplish their objectives.

20. Spammers. Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware or malware or attack organizations (e.g., a denial of service).

21. Spyware and Malware Authors. Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware or malware. Several destructive computer viruses and worms have harmed files and hard drives. Some examples include the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer and Blaster.

22. Terrorists. Terrorists seek to destroy, incapacitate or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the economy, damage public morale and confidence. Terrorists may use phishing schemes or spyware/malware in order to generate funds or gather sensitive information.

Types of Cyber Exploits [5] 

23. Cross-Site Scripting. An attack that uses third-party web resources to run script within the victim’s web browser or scriptable application. This occurs when a browser visits a malicious website or clicks a malicious link. The most dangerous consequences occur when this method is used to exploit additional vulnerabilities that may permit an attacker to steal cookies (data exchanged between a web server and a browser), log key strokes, capture screen shots, discover and collect network information and remotely access and control the victim’s machine.

24. Denial of Service. An attack that prevents or impairs the authorized use of networks, systems or applications by exhausting resources.

25. Distributed Denial of Service. A variant of the denial-of-service attack that uses numerous hosts to perform the attack.

26. Logic Bomb. A piece of programming code intentionally inserted into a software system that will cause a malicious function to occur when one or more specified conditions are met.

27. Phishing. A digital form of social engineering that uses authentic looking, but fake, e-mails to request information from users or direct them to a fake website that requests information.

28. Passive Wiretapping. The monitoring or recording of data, such as passwords transmitted in clear text, while they are being transmitted over a communications link. This is done without altering or affecting the data.

29. Structured Query Language (SQL) Injection. An attack that involves the alteration of a database search in a web-based application, which can be used to obtain unauthorized access to sensitive information in a database.

30. Trojan Horse. A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, for example by masquerading as a useful program that a user would likely execute.

31. Virus. A computer program that can copy itself and infect a computer without the permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers or even erase everything on a hard disk. Unlike a computer worm, a virus requires human involvement (usually unwitting) to propagate.

32. War Driving. The method of driving through cities and neighborhoods with a wireless-equipped computer with a powerful antenna, searching for unsecured wireless networks.

33. Worm. A self-replicating, self-propagating, self-contained program that uses network mechanisms to spread itself. Unlike computer viruses, worms do not require human involvement to propagate.

34. Zero-Day Exploit. An exploit that takes advantage of a security vulnerability previously unknown to the general public. In many cases, the exploit code is written by the same person who discovered the vulnerability. By writing an exploit for the previously unknown vulnerability, the attacker creates a potent threat since the compressed timeframe between public discoveries of both makes it difficult to defend against.

Cyber Security Challenges

35. Cyberspace as described above, with its unique characteristics, poses numerous challenges in cyber security. The most critical challenge is that of coordination and cooperation between different stakeholders at national and international levels. A comprehensive framework is required to ensure a coordinated response, recovery, an intelligence and information sharing mechanism, and clarity in the roles & responsibilities of various agencies and governments. A specified role for industry in public private partnership models is also lacking at the national level. At the international level, the absence of globally accepted norms for cooperation across jurisdictions to track cyber criminals and extradite them is making it difficult for the law enforcing agencies to bring cyber criminals to justice. Law enforcing agencies and the judiciary in many countries also lack adequate knowledge and training for understanding cyber crimes and the relevance of evidence in the form of cyber forensics.

36. Protection of critical information infrastructure has emerged as a major challenge. National Security has traditionally (for air, land and sea) been the sole responsibility of the governments. The new responsibility of securing the critical information infrastructure against the rising number of cyber attacks has come within the ambit of national security. This new responsibility, however, does not lie solely with the government. Private sector has a major role to play, as majority of the critical information infrastructure is owned and operated by the private sector. However, private sector’s investment in security is driven by business requirements and not by national security concerns. So how can government intervene? By incentivizing or regulating the private sector? There is an ongoing debate on which direction the nations should take. Many believe that market forces cannot deliver the required investments and efforts for ensuring public safety and national security. Whereas some believe that too much of government intervention through regulations can undermine business innovation. No clear universal solution to this problem has emerged presently.

37. There is yet another area of global concern, namely the ICT global supply chain. Given the increased dependence on global ICT products, especially in operating critical sectors, and the growing realization of cyber risks, countries are doubting the integrity of these products, fearing that adversaries may introduce malicious codes / functions to do surreptitious surveillance, disrupt services, or at worst paralyze a nation. Alleviating such doubts and fears in order to continue benefitting from the global ICT supply chain is one of the biggest challenges the world faces in cyber security today. While some countries are trying to address this challenge by building global and national capabilities to address supply chain risks without undermining international competitiveness and legitimate trade flow, others are focusing on developing indigenous products to reduce the dependency on foreign players.

38. Another very important challenge requiring ongoing efforts is poor awareness and education about cyber security threats and the need to follow best practices, across different levels – ranging from school children to top government officials, and management in the corporate world. Adding to the problem is the non-serious and reactive approach towards security. Lack of knowledge and awareness among users increases the risk manifold. Because of poor awareness, we become vulnerable and easy victims of social engineering attacks, phishing sites, spurious email communications, etc. Many such cyber threats can be easily mitigated if individuals are aware and vigilant.

39. Other major difficulties in addressing problems related to cyber security at an organizational level include: lack of high quality software development; treatment of security function as a cost centre; compliance driven approach to security; lack of multi-departmental coordinated roadmap; treatment of security as merely a technology issue and not a management issue; and difficulty in calculating Return on Investment (RoI) for security investments.

CHAPTER 3

INDIAN CYBERSPACE AND CYBER SECURITY INITIATIVES

Indian Cyberspace

1. Indian cyberspace was born in 1975 with the establishment of the National Informatics Centre (NIC), with the aim of providing govt with IT solutions. Three networks (NWs) were set up between 1986 and 1988 to connect various agencies of govt. These NWs were INDONET, which connected the IBM mainframe installations that made up India’s computer infrastructure; NICNET (the NIC NW), a nationwide very small aperture terminal (VSAT) NW for public sector organisations as well as to connect the central govt with the state govts and district administrations; and ERNET (the Education and Research Network), set up to serve the academic and research communities.

The New Internet Policy of 1998 paved the way for services from multiple Internet service providers (ISPs) and gave a boost to the Internet user base, which grew from 1.4 million in 1999 to over 150 million by Dec 2012. The exponential growth rate is attributed to increasing Internet access through mobile phones and tablets. Govt is making a determined push to increase broadband penetration from its present level of about 6% [6]. The target for broadband is 160 million households by 2016 under the National Broadband Plan. An indication of the rapid pace of adaptation to the Internet in India is that India’s top e-commerce retailer, Indian Railways, saw its online sales go up from 19 million tickets in 2008 to 44 million in 2009, with a value of Rs. 3800 crore ($875 million) [7].

3. Even though the Indian govt took a while to convert to computerisation, there has been an increasing thrust on e-governance. The govt’s e-governance plan is seen as a cost-effective way of taking public services to the masses across the country. Critical sectors such as Finance, Energy, Space, Telecommunications, Defence, Transport, Land Records, Public Essential Services and Utilities, Law Enforcement and Security all increasingly depend on NWs to relay data for both communication purposes and commercial transactions. The National e-governance Program (NeGP) is one of the most ambitious in the world and seeks to provide more than 1200 govt services online.

Indian Economy Going the e-Way

4. Post liberalization in 1991, India witnessed steady economic growth, benefiting from globalization and the information revolution. The IT revolution has played a crucial role in transforming the country’s GDP growth rate. As per a recent Boston Consulting Group report [8], the Internet economy of India in 2010 amounted to USD 70 billion (4.1% of GDP) and is estimated to reach USD 242 billion (5.6% of GDP) in 2016. IT is contributing to India’s development in the following ways:-

(a) Development of Infrastructure. Airports, metros, highways and augmentation of existing infrastructure, which includes power generation, financial services, telecom, transportation, defence, etc. The nation’s critical infrastructure is driven and controlled by ICT and is getting increasingly dependent on IT; this includes power grids, air traffic control, industrial systems, stock exchanges, banking and telecom, among others.

(b) e-Governance. Govt is undertaking projects driven by IT to address social, economic and development challenges in the country. Using IT, the govt intends to improve governance by increasing transparency, curbing corruption, time bound delivery of govt services and ensuring financial inclusion. The National e-Governance Plan (NeGP) is designed to take a holistic view of e-Governance initiatives across the country. The purpose is to integrate the initiatives, into a collective vision for a shared cause of delivering benefits to citizens in the remotest parts of the country. The ultimate objective of NeGP is to bring public services closer to home to all citizens as given in the vision statement of NeGP [9] . The NeGP comprises 27 mission mode projects (MMPs) and 8 common core and support infrastructure including State Wide Area Networks and State Data Centres.

(c) Aadhaar. The Aadhaar number provides unique identity, which will become acceptable across India. The project promises to eliminate duplicate and fake identities through effective verification and authentication. Many of the govt’s social benefit programs are envisaged to be linked with the Aadhaar number.

(d) e-Commerce. The e-commerce industry is witnessing phenomenal growth and is expected to touch USD 10 billion, an increase of 47% from 2010 [10]. e-payments in India account for 35.3% of the total transactions in terms of volume and 88.3% in terms of value [11]; card circulation, both credit and debit, was around 200 million in 2010 [12]. E-commerce still has untapped potential, considering that Internet penetration [13] in India is only around 8% (rising exponentially) with around 120 million Internet users [14], and India is projected to become the third largest Internet user base by 2013 [15]. With around 894 million mobile subscribers [16] (as on December 2011), the m-commerce market is a big opportunity, especially as it promises to bring rural India into the realm of e-commerce.

(e) IT/BPO sector. India is emerging as the IT knowledge hub of the world with many global companies opening their R&D and innovation centres in India. The industry has provided job opportunities to over 10 million people and accounts for 6.4% of India’s GDP. It aims to grow revenues to USD 225 billion by 2020 [17], out of which USD 175 billion will be on account of export of software and services. Cloud Computing is a huge opportunity for India as the next wave of growth for the Indian IT industry.

(f) Modernization of Police and Defence. Defence forces & Police agencies are making strategic use of technology to modernize. Projects such as Crime and Criminal Tracking Network and Systems (CCTNS) and National Intelligence Grid (NATGRID) are flagship projects for modernization of police. CCTNS will connect 14,000 police stations and 6,000 police officers to a centralized database. The goal of CCTNS is to facilitate collection, storage, retrieval, analysis, transfer and sharing of data and information at the police station and between the police station and the State Headquarters and the Central Police Organizations. [18] Indian Army has also taken similar initiatives which include creation of an Army Wide Area Network (AWAN) designed to connect all Army formations, units, training establishments and logistic installations in the country for secure and direct information exchange [19]. Army also launched project ‘Shakti’, a fully digitized and integrated Artillery Combat Command and Control System (ACCCS), which is a network of military grade tactical computers automating and providing decision support for all operational aspects of Artillery functions from the corps down to a battery level. [20]

(g) Social Media. Social media is emerging as a very powerful phenomenon in Indian cyberspace with around 45 million [21] Indians using social media, and the number is increasing every day. It is revolutionizing the way society interacts. Personal information is becoming the economic commodity on which social networking is thriving. Businesses, Non-Governmental Organizations (NGOs) and even governments are using this platform for a variety of reasons which include communication, marketing, branding, awareness, etc. Social media has also caught the attention of governments and regulators worldwide (for wrong reasons), including the Indian govt, and there is an ongoing debate on regulating social media.

Threat Landscape

5. As a nation, it is important for us to continue leveraging technology for the overall development of the country & improving the lives of citizens. Thus, it is crucial to comprehensively understand the risks associated with the use of technology and operating in cyberspace. Cyberspace has become a new playing field for non-state actors & it is getting increasingly linked to national security. Cyberspace is being used by terrorists to spread their message, hire recruits, communicate in encrypted form, conduct surreptitious surveillance, launch cyber attacks on govt infrastructure, etc. The 26/11 Mumbai attackers made sophisticated use of technology, including Global Positioning System equipment, satellite phones, BlackBerrys, CDs holding high-resolution satellite images, multiple cellphones with switchable SIM cards, and e-mails routed through servers in different locations, which made it harder to trace them.

6. Cyber attacks targeted at critical information infrastructures (energy, telecom, financial services, defence, and transportation) have the potential of adversely impacting a nation’s economy, public safety and citizens’ lives. These critical infrastructures are mainly owned and operated by the private sector. For example, the telecom sector is mostly owned by private players, except Mahanagar Telephone Nigam Ltd. and Bharat Sanchar Nigam Ltd. Bombay Stock Exchange and National Stock Exchange are private players wherein most of the transactions are done through electronic medium. The airline industry is dominated by private players, with Air India being the only govt enterprise. In the Energy & Utility sector, though it is dominated by govt players, distribution is largely controlled by private partners. The banking sector has a large number of private banks. Business requirements and not national security concerns drive the investments made by these private players in securing the infrastructure. This may leave possible security loopholes. India recently witnessed a cyber attack on its state-of-the-art T3 terminal at New Delhi airport that made check-in counters of all airlines non-operational, causing public inconvenience. Stuxnet, the deadliest attack vector that has been designed so far & which destroyed a nuclear reactor in Iran, has reportedly infected systems in India [22].

7. As the dependency of critical information infrastructure on technology increases in future, and if such infrastructures remain vulnerable, it is possible that adversaries may use cyber attacks on critical information infrastructure to produce an impact similar to that of physical attacks / accidents. At worst this could lead to physical harm, like collision of aircraft because of manipulation of the Air Traffic Controlling system or train accidents due to signal malfunctioning, or could adversely affect the national economy through failure of telecommunication services, power grids, oil production and distribution, and breakdown of stock markets and banking infrastructure.

8. Given the increased usage of the Internet in the country, India is witnessing a sharp rise in cyber crimes. Data released by the National Crime Records Bureau (NCRB) in 2010 shows this trend. 966 cyber crime cases were registered in 2010 under the IT Act across India (an increase of around 128% over 2009 and 235% over 2008) and 799 persons were arrested in 2010 (an increase of around 177% over 2009 and around 349% over 2008) for cyber crimes that included hacking, obscene transmission, tampering, etc. Cyber attackers have also been repeatedly defacing Indian websites, especially government websites. In January 2012 alone, 1425 websites were defaced, with 834 target websites being hosted on the ‘.in’ domain [23]. Many high profile cyber espionage attacks targeting systems of senior Indian bureaucrats have been reported in the media [24].

India’s Cyber Security Initiative

9. Having visualised the cyber security threat & its impact on national security, Indian govt has taken many initiatives to protect the critical infrastructure driven by IT within Indian cyberspace domain. Some of the initiatives are as follows:-

(a) Legal Framework to include enactment of IT Act (Amendment) 2008.

(b) Policy Initiatives.

(c) Cyber Security Initiatives.

10. IT Act (Amendment) 2008. The Information Technology Act (IT Act) was enacted in year 2000 to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication. To establish a robust cyber security and data protection regime in the country, the IT Act was amended in year 2008. It provides a comprehensive definition of the computer system & tries to ascertain liability based on the type of cyber crime committed (hacking, spamming, tampering, identity theft, impersonation, cyber terrorism, pornography, child pornography). The Act introduces the concept of ‘sensitive personal information’ and fixes liability of the ‘body corporate’ to protect the same through implementation of ‘reasonable security practices’. In case a body corporate fails to do so, it can be fined up to Rs. 5 crore (approx. USD 1.2 million) by the Adjudicating Officer, and a civil court can impose a fine greater than Rs. 5 crore. The rules issued under the Act also require body corporates to follow privacy principles such as notice, choice & consent, access & correction, disclosure to third party, etc. The amended Act provides for legal action against a person for the breach of confidentiality and privacy under lawful contract. Critical systems can be declared as ‘protected systems’ under the Act. Security breaches of such systems attract higher prison sentences. The amended Act also enables setting up of a nodal agency for critical infrastructure protection and strengthens the role of CERT-In. This Act creates provision for the central government to define encryption policy for strengthening security of electronic communications. Presently, encryption of up to 40 bits is allowed under the telecom policy. The Cyber Appellate Tribunal, which is now operational, is expected to expedite legal proceedings in cyber crime cases.
Overall, the IT (Amendment) Act, 2008 is an omnibus and comprehensive legislation which includes provisions for digital signatures, e-governance, e-commerce, data protection, cyber offences, critical information infrastructure, interception & monitoring, blocking of websites and cyber terrorism [25] .

11. Policy Initiatives. The draft version of the National Cyber Security Policy was released by the DIT in March 2011 for public consultation. The draft policy is aimed at enabling a secure computing environment and adequate trust and confidence in electronic transactions. The draft policy tries to lay out the cyber security ecosystem for the country. It covers the following:-

(a) Based on the key policy considerations and threat landscape, the draft policy identifies priority areas for action.

(b) Identifies PPP as a key component.

(c) Identifies key actions to reduce security threats and vulnerabilities.

(d) Establishment of National Cyber Alert System for early watch and warning, information exchange, responding to national level cyber incidents and facilitating restoration.

(e) Defines role of sectorial CERTs and establishment of local incident response teams for each critical sector organization.

(f) Implementation of best practices in critical information and government infrastructure protection through creation, establishment and operation of Information Security Assurance Framework.

(g) Establishes framework for Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism.

(h) Identifies priorities for action for legal framework and law enforcement capability development.

(j) Defines priorities for international cooperation for information sharing.

(k) Identifies indigenous Research & Development as an essential component of cyber security and enlists thrust areas for R&D.

(l) Identifies major actions and initiatives for user awareness, education, and training (capacity building).

(m) Defines responsible actions for network service providers, large corporates and small/medium & home users to secure information and systems.

(n) Identifies various stakeholders (ministries and government departments only) in cyber security and their responsibilities.

12. The Ministry of Communications and Information Technology (MCIT), Govt of India, is formulating a combination of three interdependent and synergistic policies for IT, Telecom and Electronics "Triad of Policies to Drive a National Agenda for Information & Communications Technology and Electronics (ICTE)". The three policies are as below:

(a) National Policy on Electronics, 2011.

(b) National Policy on Information Technology, 2011.

(c) National Telecom Policy, 2011.

13. The integrated policy has twin goals:-

(a) To facilitate the application of new, technology-enabled approaches to overcome developmental challenges in education, health, skill development, employment generation, financial inclusion, governance etc and to enhance efficiency, convenience and access.

(b) To harness the power and capability of India in ICT to meet global demand.

14. Cyber Security Initiatives. Govt and IT industry have taken various initiatives in cyber security. However, much more needs to be done in this area. Major initiatives are summarized below:-

(a) CERT-In. In 2003, Govt set up the Indian Computer Emergency Response Team (CERT-In) under DIT, MCIT as a nodal agency for responding to cyber security incidents. The IT (Amendment) Act, 2008, recognizes CERT-In as a nodal agency for security incident management and provides it the authority to call for information on security incidents from organizations. The CERT-In charter involves collection, analysis and dissemination of information on cyber security incidents through a dedicated infrastructure. It monitors and investigates threats that affect computer systems, and forecasts and generates alerts for cyber security incidents. It collaborates internationally for incident response, tracks incidents affecting both public and private sector and issues security guidelines and advisories on vulnerabilities. It provides technical assistance to organizations in resolving security incidents. It has helped establish sectoral CERTs in defence and banking sectors. To test preparedness of organizations operating critical information infrastructure, CERT-In conducts cyber security drills in partnership with the public and private sector. To help law enforcing agencies (LEAs) solve cyber crimes, CERT-In has developed standard operating procedures for cyber crime investigations. It organizes regular trainings and funds research and other projects in security at academic institutes and in industry. It also engages with its counterparts in other countries for increased collaboration and information sharing. CERT-In has developed the 12th five year plan on cyber security.

(b) Information Security Education and Awareness. To make up the shortfall of cyber security professionals in the country, DIT initiated the Information Security Education Awareness (ISEA) program in 2005. To spread awareness on cyber security in the country, ISEA program aims at capacity building by introducing information security courses at graduate, post-graduate and doctoral levels, establishing education exchange programs, training system administrators and government officers.

(c) LEA Capacity Building Programs. To address the challenges that Indian LEAs face in handling cyber crimes, such as poor knowledge of technology and cyber crime investigation techniques/tools and cyber forensics, lack of state-of-the-art technical infrastructure, and insufficient training facilities & forensics labs in the country, Govt has taken some key initiatives. These initiatives are aimed at building the capacity of LEAs in cyber forensics and cyber crime investigation to curb rising cyber crimes and ensure speedier trials. Ministry of Home Affairs (MHA) will be launching the Cyber Crime Investigation Program (CCIP), which will establish a Cyber Crime Police Station and a Cyber Crime Investigation and Forensic Training Facility in each State and Union Territory and a central National Centre of Excellence for Cyber Forensics Services. The CCIP will create a network of cyber police stations across the country, equipped with state-of-the-art technology and well trained police officers, which can collaborate to benefit from each other’s experiences. The National Centre of Excellence will act as the guiding force, providing thought leadership to the Cyber Crime Police Stations and Cyber Crime Investigation and Forensic Training Facilities by conducting advanced research & development. Under the Directorate of Forensic Science, under MHA, three Central Forensic Labs (CFSLs) have developed capabilities in cyber forensics. Also, there are 28 State Forensic Labs (SFSLs) that are acquiring capabilities in cyber forensics techniques and skills. Resource Centre for Cyber Forensics (RCCF) at Thiruvananthapuram, Kerala under Centre for Development of Advanced Computing (CDAC) has been established to develop cyber forensic tools and to provide technical support and necessary training to LEAs in the country [26].

(d) Security in e-Governance projects. The National e-Governance Division (NeGD), under DIT, is the Program Management Office of NeGP. Among its various activities, including facilitating implementation of NeGP by various Ministries and State governments, the agency is also responsible for issuing cyber security and data security standards and guidelines for all the e-Governance projects under NeGP. For securing e-Governance projects, Standardization Testing and Quality Certification Directorate (STQC) has developed e-Governance Security Assurance Framework (e-SAFE), which provides list of security controls based on the risk categorization of particular assets.

(e) Common Criteria Certification Scheme. This scheme has been set up by DIT to evaluate and certify IT Security Products and Protection Profiles against the requirements of Common Criteria Standards ver 3.1 R2, at Evaluation Assurance Levels EAL 1 through 4. Presently, the scheme provides national certification. The scheme would also provide a framework for international certification through the National Mutual Recognition Arrangement with the other member countries of Common Criteria Recognition Arrangement (CCRA). Along with 24 other countries, India has already become a member of CCRA as a certificate consuming nation and soon will be recognized as a certificate producing nation. STQC is a certification body of the country with STQC IT, Kolkata centre as the Common Criteria Test Lab [27] .

(f) Sectoral Security. Critical sectors such as banking and telecommunication are strongly regulated through Reserve Bank of India (RBI) and Department of Telecommunications (DoT)/ Telecom Regulatory Authority of India (TRAI) respectively. The regulators keep issuing security guidelines, mandating the companies to implement the same. For example, RBI constituted a working group on ‘information security, electronic banking, technology risk management, and cyber frauds,’ which provided a set of guidelines to banks, covering areas such as IT governance, information security (including electronic banking channels like Internet banking, ATMs, cards), IT operations, IT services outsourcing, information system audit, cyber frauds, business continuity planning, customer education and legal issues. These guidelines serve as a common minimum standard for all banks to adopt. [28] DoT made amendments to the Unified Access Service License Agreement (UASL) in 2011, incorporating security related measures and made the Licensee (Telecom Service Providers) "completely and totally responsible for security."

CHAPTER 4

ESTABLISHMENT OF UNIFIED CYBER COMMAND

Cyber Commands Around The World

1. The cyber warfare threat has not been well appreciated or sufficiently understood. The term Cyber warfare has been loosely used to describe almost all events in cyberspace, irrespective of perpetrator, motive or scale. Cyber warfare forms a part of Information War (IW), which extends to every form of media and inter alia includes aspects of propaganda and perception management. Cyberspace has grown exponentially beyond internet usage and increasingly linked by convergence to every communication device. With increasing connectivity, this divide is narrowing and every citizen or aspect of life is vulnerable. It is also an important constituent of NCW. The scope for exploitation by inimical elements, ranging from mischievous hackers, to criminals, terrorists, non-state actors as also nation states, is thus unlimited. The damage could be immense and countries around the world are pressing ahead and taking steps to build capabilities and capacities for defending themselves, as also taking offensive action in cyberspace.

2. US was the first country to formally declare cyberspace as the fifth domain of warfare. It has also formally classified the use of cyberspace as a "force", a euphemism for offensive capability. In mid 1990s the Chinese adopted the concept of "informationalisation" and have relentlessly built up structures and operations in this domain. Consequent to the raising of the US Cyber Command (USCYBERCOM) [29] , South Korea followed with the creation of a Cyber Warfare Command in Dec 2009. This was also in response to North Korea’s creation of cyber warfare units. The British Government Communications Headquarters (GCHQ) has begun preparing a cyber force, as also France. The Russians have actively been pursuing cyber warfare. In 2010 China overtly introduced its first department dedicated to defensive cyber warfare and information security in response to the creation of USCYBERCOM. The race is thus on. India is a target. There have been numerous incidents of sensitive government and military computers being targeted.

Proposed Structure for Cyber and Information War (CIW) [30] 

3. The role of national controlling and coordinating agency for CIW should be delegated to NSA with the NSCS. An omnibus board could be created in the NSCS along with a CIW Executive Committee (CIWEC). These could be established by the NIB. The recommended composition and roles of these two bodies are as under:-

4. Composition of CIW Board. The suggested composition of CIW board is as under:-

(a) Chairman. NSA.

(b) Members Govt. Cabinet Secretary, DG RAW, Secy DIT, Representatives from MHA, MEA, I&B, Ministry of Power.

(c) Members MoD. CIDS(Or CDS when created) and DG DRDO.

(d) Private Sector. Chairman NASSCOM / DSCI.

(e) DG CIW.

(f) Member Secretary(Secy). Dy NSA.

5. Charter of CIW Board. The charter will include following tasks:-

(a) Overall review and formulation of policy for CIW.

(b) Formulation of strategy for meeting emerging threats.

(c) Ensure necessary coordination between all public and private agencies at the national level as also monitor implementation of all aspects of CIW.

(d) Ensuring all international treaties and agreements are vetted in keeping with needs of national security.

6. Composition of CIW Executive Committee (CIWEC). Dy NSA who is the Secy of the CIW board could chair the CIWEC, DG CIW will be the Secy with support from the NSCS. He will be responsible to ensure day to day coordination and follow up on all CIW issues and report to the apex body through Dy NSA. The composition of this CIWEC could include:-

(a) Members Public Agencies. Chairman NTRO, DG CERT, Reps from MHA, RAW, CSIR, DIT, Public IT related services, ie Finance, Railways, Telecom, Civil Aviation, Power, HR and I&B. Also a rep from MEA who is an expert on international agreements.

(b) Members MoD. Reps of Cyber Command & DRDO.

(c) Private Sector. Reps from NASSCOM / DSCI.

7. Charter of CIWEC. The charter will include issuing policy guidelines and monitoring all activities on a regular basis. It will look into specific aspects such as proactive defence or protection of critical infrastructure. The CIWEC will meet at least once a month to oversee and report progress on all issues which include:-

(a) International cooperation and all agreements on IT with respect to needs of national security.

(b) Technology development for protection of NWs and systems, as also proactive defence.

(c) Installation of systems, monitoring and response, especially for emergencies.

(d) Development of HR and public awareness. Recommendations for funding in this regard both in the public and private spheres.

(e) Standardization and certification. This will include creation of test beds.

8. Organisation & Functioning. CIWEC should be an empowered body. DG CIW should ensure executive action and compliance by agencies. All public agencies like the DRDO, HQ IDS, NTRO, DIT, National CERT, CSIR, NIC are represented and could constitute its executive arms. For necessary coordination and follow up, the office of DG CIW in NSCS must comprise of security, legal and technical experts. Policy and conduct of offensive cyber operations could also be coo


