Indian Cyberspace And Cyber Security Initiatives

Published Date: 02 Nov 2017

CHAPTER 3

Indian cyberspace was born in 1975 with the establishment of National Informatics Centre (NIC) with an aim to provide govt with IT solutions. Three networks (NWs) were set up between 1986 and 1988 to connect various agencies of govt. These NWs were, INDONET which connected the IBM mainframe installations that made up India’s computer infrastructure, NICNET (the NIC NW) a nationwide very small aperture terminal (VSAT) NW for public sector organisations as well as to connect the central govt with the state govts and district administrations, the third NW setup was ERNET (the Education and Research Network), to serve the academic and research communities.

New Internet Policy of 1998 paved the way for services from multiple Internet service providers (ISPs) and gave boost to the Internet user base grow from 1.4 million in 1999 to over 150 million by Dec 2012. Exponential growth rate is attributed to increasing Internet access through mobile phones and tablets. Govt is making a determined push to increase broadband penetration from its present level of about 6% [1] . The target for broadband is 160 million households by 2016 under the National Broadband Plan. An indication in support of the rapid pace of adaptation to the Internet in India is that, India’s top e-commerce retailer, Indian Railways, saw its online sales go up from 19 million tickets in 2008 to 44 million in 2009, with a value of Rs. 3800 crore ($875 million) [2] .

3. Even though the Indian govt took a while to convert to computerisation, there has been an increasing thrust on e-governance. The govts e-governance plan is seen as a cost-effective way of taking public services to the masses across the country. Critical sectors such as Finance, Energy, Space, Telecommunications, Defence, Transport, Land Records, Public Essential Services and Utilities, Law Enforcement and Security all increasingly depend on NWs to relay data for both communication purpose and commercial transactions. The National e-governance Program (NeGP) is one of the most ambitious in the world and seeks to provide more than 1200 govt services online.

Indian Economy Going the e-Way

4. Post liberalization in 1991, India witnessed steady economic growth, benefiting from globalization and information revolution. IT revolution has played a crucial role in transforming country’s GDP growth rate. As per recent Boston Consulting Group report [3] the Internet economy of India in 2010 amounted to USD 70 billion (4.1% of GDP) and is estimated to reach USD 242 billion (5.6% of GDP) in 2016. IT is contributing in India’s development in following ways:-

(a) Development of Infrastructure. Airports, metros, highways and augmentation of existing infrastructure which include power generation, financial services, telecom, transportation, defence, etc. Nation’s critical infrastructure are driven and controlled by ICT and it is getting increasingly dependent on IT this includes power grids, air traffic controller, industrial systems, stock exchanges, banking, telecom among others.

(b) e-Governance. Govt is undertaking projects driven by IT to address social, economic and development challenges in the country. Using IT, the govt intends to improve governance by increasing transparency, curbing corruption, time bound delivery of govt services and ensuring financial inclusion. The National e-Governance Plan (NeGP) is designed to take a holistic view of e-Governance initiatives across the country. The purpose is to integrate the initiatives, into a collective vision for a shared cause of delivering benefits to citizens in the remotest parts of the country. The ultimate objective of NeGP is to bring public services closer to home to all citizens as given in the vision statement of NeGP [4] . The NeGP comprises 27 mission mode projects (MMPs) and 8 common core and support infrastructure including State Wide Area Networks and State Data Centres.

(c) Aadhaar. The Aadhaar number provides unique identity, which will become acceptable across India. The project promises to eliminate duplicate and fake identities through effective verification and authentication. Many of the govt’s social benefit programs are envisaged to be linked with the Aadhaar number.

(d) e-Commerce. e-Commerce industry is witnessing phenomenal growth and expected to touch USD 10 billion, an increase of 47% from 2010 [5] . e-payments in India account for 35.3% of the total transactions in terms of volume and 88.3% in terms of value [6] , card circulation both credit and debit was around 200 million in 2010 [7] . The e-commerce is still an untapped potential considering the fact that the Internet penetration [8] in India is only around 8% (rising exponentially) with around 120 million Internet users [9] and India is projected to become the third largest Internet user base by 2013 [10] . With around 894 million mobile subscribers [11] (as on December 2011), m-commerce market is a big opportunity, especially as it promises to bring rural India into the realm of e-commerce.

( e) IT/BPO sector. India is emerging as the IT knowledge hub of the world with many global companies opening their R&D and innovation centres in India. The industry has provided job opportunities to over 10 million people and accounts for 6.4% of India’s GDP. It aims to grow revenues to USD 225 billion by 2020 [12] out of which USD 175 billion will be on account of export of software and services. Cloud Computing is a huge opportunity for India as the next wave of growth for the Indian IT industry.

(f) Modernization of Police and Defence. Defence forces & Police agencies are making strategic use of technology to modernize. Projects such as Crime and Criminal Tracking Network and Systems (CCTNS) and National Intelligence Grid (NATGRID) are flagship projects for modernization of police. CCTNS will connect 14,000 police stations and 6,000 police officers to a centralized database. The goal of CCTNS is to facilitate collection, storage, retrieval, analysis, transfer and sharing of data and information at the police station and between the police station and the State Headquarters and the Central Police Organizations.’ [13] Indian Army has also taken similar initiatives which include creation of an Army Wide Area Network (AWAN) designed to connect all Army formations, units, training establishments and logistic installations in the country for secure and direct information exchange [14] . Army also launched project ‘Shakti’ a fully digitized and integrated Artillery Combat Command and Control System (ACCCS), which is a network of military grade tactical computers automating and providing decision support for all operational aspects of Artillery functions from the corps down to a battery level. [15] 

(g) Social Media. Social media is emerging as a very powerful phenomenon in Indian cyberspace with around 45 million [16] Indians using the social media and the number is increasing every day. It is revolutionizing the way society interacts. Personal Information is becoming the economic commodity on which social networking is thriving. Businesses, Non-Governmental Organizations (NGOs) and even the governments are using this platform for variety of reasons which include communication, marketing, branding, awareness, etc. The social media has also caught the attention of the governments and the regulators worldwide (for wrong reasons) including the Indian govt and there is an on going debate on regulating the social media.

Threat Landscape

5. As nation it’s important for us to continue leveraging technology for overall development of the country & improving lives of the citizens. Thus, it is crucial to comprehensively understand the risks associated with the use of technology and operating in cyberspace. Cyberspace has become a new play field for non state actors & it is getting increasingly linked to national security. The cyberspace is being used by terrorists to spread their message, hire recruits, do encrypted communication, surreptitious surveillance, launch cyber attacks on govt infrastructure, etc. Sophisticated use of technology was made by 26/11 Mumbai attackers which included Global Positioning System equipment, satellite phones, BlackBerrys, CDs holding high-resolution satellite images, multiple cellphones with switchable SIM cards, e-mails routed through servers in different locations, which made it harder to trace them.

6. Cyber attacks targeted at critical information infrastructures (energy, telecom, financial services, defence, and transportation) have the potential of adversely impacting a nation’s economy, public safety and citizens’ lives. These critical infrastructures are mainly owned and operated by the private sector. For example, the telecom sector is mostly owned by the private players, except Mahanagar Telephone Nigam Ltd. and Bharat Sanchar Nigam Ltd. Bombay Stock Exchange and National Stock Exchange are private players wherein most of the transactions are done through electronic medium. Airline industry is dominated by private players with Air India being the only the govt enterprise, Energy & Utility sector though dominated by govt players, the distribution is largely controlled by private partners. The banking sector has large number of private banks. Business requirements and not national security concerns drive the investments made by these private players in securing the infrastructure. This may leave possible security loop holes. India recently witnessed a cyber attack on its state-of-the-art T3 terminal at New Delhi airport that made check-in counters of all airlines non-operational causing public inconvenience. Stuxnet - the deadliest attack vector that has been designed so far & which destroyed a nuclear reactor in Iran has reportedly infected systems in India [17] .

7. As the dependency of critical information infrastructure on technology increases in future and if such infrastructures remain vulnerable, it is possible that adversaries may use cyber attacks on critical information infrastructure to produce impact similar to that in physical attacks / accidents, at worst leading to physical harm like collision of aircrafts because of manipulation with Air Traffic Controlling system, train accidents due to signal malfunctioning or could adversely affect the national economy. Failure of telecommunication services, power grids, oil production and distribution, breakdown of stock markets and banking infrastructure.

8. Given the increased usage of Internet in the country, India is witnessing sharp rise in cyber crimes. Data released by National Crime Records Bureau (NCRB) in 2010 shows this trend. 966 cyber crimes cases were registered in 2010 under the IT Act across India (an increase of around 128% over 2009 and 235% over 2008) and 799 persons in 2010 were arrested (an increase of around 177% over 2009 and around 349% over 2008) for cyber crimes included hacking, obscene transmission, tampering, etc. Cyber attackers have also been repeatedly defacing Indian websites especially government websites. In January 2012 alone, 1425 websites were defaced, with 834 target websites being hosted on ‘.in’ domain [18] . Many high profile cyber espionage attacks targeting systems of senior Indian bureaucrats have been reported in the media [19] .

India’s Cyber Security Initiative

9. Having visualised the cyber security threat & its impact on national security, Indian govt has taken many initiatives to protect the critical infrastructure driven by IT within Indian cyberspace domain. Some of the initiatives are as follows:-

(a) Legal Framework to include enactment of IT Act (Amendment) 2008.

(b) Policy Initiatives.

(c) Cyber Security Initiatives.

10. IT Act (Amendment) 2008. Information Technology Act (IT Act) was enacted in year 2000 to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication. To establish a robust cyber security and data protection regime in the country, the IT Act was amended in year 2008. It provides a comprehensive definition of the computer system & tries to ascertain liability based on the type of cyber crime committed (Hacking, spamming, tampering, identity theft, impersonation, cyber terrorism, pornography, child pornography). The act introduces the concept of ‘sensitive personal information’ and fixes liability of the ‘body corporate’ to protect the same through implementation of ‘reasonable security practices’. In case a body corporate fails to do so, it can be fined upto Rs. 5 crore (approx. USD 1.2 million) by the Adjudicating Officer and civil court can fine amount greater than Rs. 5 crore. The rules issued under the Act, also require body corporates to follow privacy principles such as notice, choice & consent, access & correction, disclosure to third party, etc. The amended Act provides provision for legal action against a person for the breach of confidentiality and privacy, under lawful contract. Critical systems can be declared as ‘protected systems’ under the Act. Security breaches of such systems attract higher prison sentences. The amended Act also enables setting up of a nodal agency for critical infrastructure protection and strengthens the role of CERT-In. This Act creates provision for the central government to define encryption policy for strengthening security of electronic communications. Presently, encryption of upto 40 bits is allowed under the telecom policy. Cyber Appellate Tribunal, which is now operational, is expected to expedite legal proceeding of cyber crime cases. Overall, the IT (Amendment) Act, 2008 is an omnibus and comprehensive legislation which includes provisions for digital signatures, e-governance, e-commerce, data protection, cyber offences, critical information infrastructure, interception & monitoring, blocking of websites and cyber terrorism [20] .

11. Policy Initiatives. The draft version of National Cyber Security Policy was released by the DIT in March 2011 for public consultation. The draft policy has been aimed to enable secure computing environment and adequate trust and confidence in electronic transactions. The draft policy tries to layout the cyber security ecosystem for the country. It covers the following:-

(a) Based on the key policy considerations and threat landscape, the draft policy identifies priority areas for action.

(b) Identifies PPP as a key component.

(c) Identifies key actions to reduce security threats and vulnerabilities

(d) Establishment of National Cyber Alert System for early watch and warning, information exchange, responding to national level cyber incidents and facilitating restoration.

(e) Defines role of sectorial CERTs and establishment of local incident response teams for each critical sector organization.

(f) Implementation of best practices in critical information and government infrastructure protection through creation, establishment and operation of Information Security Assurance Framework.

(g) Establishes framework for Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism.

(h) Identifies priorities for action for legal framework and law enforcement capability development.

(j) Defines priorities for international cooperation for information sharing.

(k) Identifies indigenous Research & Development as an essential component of cyber security and enlists thrust areas for R&D.

(l) Identifies major actions and initiatives for user awareness, education, and training (capacity building).

(m) Defines responsible actions for network service providers, large corporates and small/medium & home users to secure information and systems.

(n) Identifies various stakeholders (ministries and government departments only) in cyber security and their responsibilities.

12. The Ministry of Communications and Information Technology (MCIT), Govt of India, is formulating a combination of three interdependent and synergistic policies for IT, Telecom and Electronics "Triad of Policies to Drive a National Agenda for Information & Communications Technology and Electronics (ICTE)". The three policies are as below:

(a) National Policy on Electronics, 2011.

(b) National Policy on Information Technology, 2011.

(c) National Telecom Policy, 2011.

13. The integrated policy has twin goals:-

(a) To facilitate the application of new, technology-enabled approaches to overcome developmental challenges in education, health, skill development, employment generation, financial inclusion, governance etc and to enhance efficiency, convenience and access.

(b) To harness the power and capability of India in ICT to meet global demand.

14. Cyber Security Initiatives. Govt and IT industry have taken various initiatives in cyber security. However, much more needs to be done in this area. Major initiatives are summarized below:-

(a) CERT-In. In 2003, Govt set up a the Indian Computer Emergency Response Team (CERT-In) under DIT, MCIT as a nodal agency for responding to cyber security incidents. The IT (Amendment) Act, 2008, recognizes CERT-In as a nodal agency for security incident management and provides it the authority to call for information on security incidents from organizations. CERT-In charter involves collection, analysis, dissemination of information on cyber security incidents through a dedicated infrastructure. It monitors and investigates threats that affect computer systems and forecasts and generates alerts for cyber security incidents. It collaborates internationally for the incident response, tracks incidents affecting both public and private sector and issues security guidelines and advisory on vulnerabilities. It provides technical assistance to organizations in resolving security incidents. It has helped establish sectoral CERTs in defence and banking sectors. To test preparedness of organizations operating critical information infrastructure, CERT-In conducts cyber security drills in partnership with the public and private sector. To help law enforcing agencies (LEAs) solve cyber crimes, CERT-In has developed standard operating procedures for cyber crime investigations. It organizes regular trainings and funds research and other projects in security to academic institutes and industry. It also engages with its counterparts in other countries for increased collaboration and information sharing. CERT-In has developed 12th five year plan on cyber security.

(b) Information Security Education and Awareness. To make up the shortfall of cyber security professionals in the country, DIT initiated the Information Security Education Awareness (ISEA) program in 2005. To spread awareness on cyber security in the country, ISEA program aims at capacity building by introducing information security courses at graduate, post-graduate and doctoral levels, establishing education exchange programs, training system administrators and government officers.

(c) LEA Capacity Building Programs. To address the challenges that Indian LEAs face in handling cyber crimes such as poor knowledge of technology and cyber crime investigation techniques/ tools and cyber forensics, lack of state-of-the-art technical infrastructure, insufficient training facilities & forensics labs in the country. Govt has taken some key initiatives. These initiatives are aimed at building the capacity of LEAs in cyber forensics and cyber crime investigation to curb rising cyber crimes and ensure speedier trials. Ministry of Home Affairs (MHA) will be launching the Cyber Crime Investigation Program (CCIP), which will establish a Cyber Crime Police Station and a Cyber Crime Investigation and Forensic Training Facility in each State and Union Territory and a central National Centre of Excellence for Cyber Forensics Services. The CCIP will create a network of cyber police stations across the country, equipped with state-of-the-art technology and well trained police officers, which can collaborate to benefit from each other’s experiences. The National Centre of Excellence will act as the guiding force, providing thought leadership to the Cyber Crime Police Stations and Cyber Crime Investigation and Forensic Training Facilities by conducting advanced research & development. Under the Directorate of Forensic Science, under MHA, three Central Forensic Labs (CFSLs) have developed capabilities in cyber forensics. Also, there are 28 State Forensic Labs (SFSLs) that are acquiring capabilities in cyber forensics techniques and skills. Resource Centre for Cyber Forensics (RCCF) at Thiruvananthapuram, Kerala under Centre for Development of Advanced Computing (CDAC) has been established to develop cyber forensic tools and to provide technical support and necessary training to LEAs in the country [21] .

(d) Security in e-Governance projects. The National e-Governance Division (NeGD), under DIT, is the Program Management Office of NeGP. Among its various activities, including facilitating implementation of NeGP by various Ministries and State governments, the agency is also responsible for issuing cyber security and data security standards and guidelines for all the e-Governance projects under NeGP. For securing e-Governance projects, Standardization Testing and Quality Certification Directorate (STQC) has developed e-Governance Security Assurance Framework (e-SAFE), which provides list of security controls based on the risk categorization of particular assets.

(e) Common Criteria Certification Scheme. This scheme has been set up by DIT to evaluate and certify IT Security Products and Protection Profiles against the requirements of Common Criteria Standards ver 3.1 R2, at Evaluation Assurance Levels EAL 1 through 4. Presently, the scheme provides national certification. The scheme would also provide a framework for international certification through the National Mutual Recognition Arrangement with the other member countries of Common Criteria Recognition Arrangement (CCRA). Along with 24 other countries, India has already become a member of CCRA as a certificate consuming nation and soon will be recognized as a certificate producing nation. STQC is a certification body of the country with STQC IT, Kolkata centre as the Common Criteria Test Lab [22] .

(f) Sectoral Security. Critical sectors such as banking and telecommunication are strongly regulated through Reserve Bank of India (RBI) and Department of Telecommunications (DoT)/ Telecom Regulatory Authority of India (TRAI) respectively. The regulators keep issuing security guidelines, mandating the companies to implement the same. For example, RBI constituted a working group on ‘information security, electronic banking, technology risk management, and cyber frauds,’ which provided a set of guidelines to banks, covering areas such as IT governance, information security (including electronic banking channels like Internet banking, ATMs, cards), IT operations, IT services outsourcing, information system audit, cyber frauds, business continuity planning, customer education and legal issues. These guidelines serve as a common minimum standard for all banks to adopt. [23] DoT made amendments to the Unified Access Service License Agreement (UASL) in 2011, incorporating security related measures and made the Licensee (Telecom Service Providers) "completely and totally responsible for security."

CHAPTER 4

ESTABLISHMENT OF UNIFIED CYBER COMMAND

Cyber Commands Around The World

1. The cyber warfare threat has not been well appreciated or sufficiently understood. The term Cyber warfare has been loosely used to describe almost all events in cyberspace, irrespective of perpetrator, motive or scale. Cyber warfare forms a part of Information War (IW), which extends to every form of media and inter alia includes aspects of propaganda and perception management. Cyberspace has grown exponentially beyond internet usage and increasingly linked by convergence to every communication device. With increasing connectivity, this divide is narrowing and every citizen or aspect of life is vulnerable. It is also an important constituent of NCW. The scope for exploitation by inimical elements, ranging from mischievous hackers, to criminals, terrorists, non-state actors as also nation states, is thus unlimited. The damage could be immense and countries around the world are pressing ahead and taking steps to build capabilities and capacities for defending themselves, as also taking offensive action in cyberspace.

2. US was the first country to formally declare cyberspace as the fifth domain of warfare. It has also formally classified the use of cyberspace as a "force", a euphemism for offensive capability. In mid 1990s the Chinese adopted the concept of "informationalisation" and have relentlessly built up structures and operations in this domain. Consequent to the raising of the US Cyber Command (USCYBERCOM) [24] , South Korea followed with the creation of a Cyber Warfare Command in Dec 2009. This was also in response to North Korea’s creation of cyber warfare units. The British Government Communications Headquarters (GCHQ) has begun preparing a cyber force, as also France. The Russians have actively been pursuing cyber warfare. In 2010 China overtly introduced its first department dedicated to defensive cyber warfare and information security in response to the creation of USCYBERCOM. The race is thus on. India is a target. There have been numerous incidents of sensitive government and military computers being targeted.

Proposed Structure for Cyber and Information War (CIW) [25] 

3. The national controlling and coordinating agency for CIW should be delegated to NSA with the NSCS . An omnibus board could be created in the NSCS along with a CIW Executive Committee(CIWEC). These could be established by the NIB. Recommended composition and roles of these two bodies is as under:-

4. Composition of CIW Board. The suggested composition of CIW board is as under:-

(a) Chairman. NSA.

(b) Members Govt. Cabinet Secretary, DG RAW, Secy DIT, Representatives from MHA, MEA, I&B, Ministry of Power.

(c) Members MoD. CIDS(Or CDS when created) and DG DRDO.

(d) Private Sector. Chairman NASSCOM / DSCI.

(e) DG CIW.

(f) Member Secretary(Secy). Dy NSA.

5. Charter of CIW Board. The charter will include following tasks:-

(a) Overall review and formulation of policy for CIW.

(b) Formulation of strategy for meeting emerging threats.

(c) Ensure necessary coordination between all public and private agencies at the national level as also monitor implementation of all aspects of CIW.

(d) Enuring all international treaties and agreements are vetted in keeping with needs of national security.

6. Composition of CIW Executive Committee (CIWEC). Dy NSA who is the Secy of the CIW board could chair the CIWEC, DG CIW will be the Secy with support from the NSCS. He will be responsible to ensure day to day coordination and follow up on all CIW issues and report to the apex body through Dy NSA. The composition of this CIWEC could include:-

(a) Members Public Agencies. Chairman NTRO, DG CERT, Reps from MHA, RAW, CSIR, DIT, Public IT related services, ie Finance, Railways, Telecom, Civil Aviation, Power, HR and I&B. Also reps from Rep from MEA who is an expert on international agreements.

(b) Members MoD. Reps of Cyber Command & DRDO.

(c) Private Sector. Reps from NASSCOM / DSCI.

7. Charter of CIWEC. The charter will include issueing policy guidelines and monitoring all activities on a regular basis. It will look into specific aspects such as proactive defence or protection of critical infrastructure. The CSIWEC will meet at least once a month to oversee and report progress on all issues which include:-

(a) International cooperation and all agreements on IT with respect to needs of national security.

(b) Technology development for protection of NWs and systems, as

also proactive defence.

(c) Installation of systems, monitoring and response, especially for emergencies.

(d) Development of HR and public awareness. Recommendations for funding in this regard both in the public and private spheres.

(e) Standardization and certification. This will include creation of test beds.

8. Organisation & Functioning. CIWEC should be an empowered body. DG CIW should ensure executive action and compliance by agencies. All public agencies like the DRDO, HQ IDS, NTRO, DIT, National CERT, CSIR, NIC are represented and could constitute its executive arms. For necessary coordination and follow up, the office of DG CIW in NSCS must comprise of security, legal and technical experts. Policy and conduct of offensive cyber operations could also be coordinated in consultation with unified cyber command.

Proposed Structure Unified Cyber Command.

9. While cyber warfare is on going activity during peacetime, however it will form an essential part of preparation of the battlefield in any future conflict. Thus there is a dire need to develop this capacity for a warlike situation. Cyber warfare in a manner is NCW and cyber attacks may also precede the kinetic war. Building this capability will take time and must remain covert and ambiguous. This should be the responsibility of the Armed Forces (HQ IDS) along with the DRDO and other experts. Detailed discussions and consultations in this regard need to be initiated. India must raise a Unified Cyber Command [26] . This will comprise not only the three services but personnel from the DRDO, scientific and technological community. It could work with the space command because many aspects overlap and would economise on resources. It will oversee all activities undertaken during peacetime, as also plan for offensive cyber operations as required, to include preparation of the battlefield. It must work in close concert with the NTRO.

10. To determine the structure it would be prudent to study the mission and objectives of USCYBERCOM as a guide. USCYBERCOM mission is to plan, coordinate, integrate, synchronise and conduct activities to "direct the operations and defense of specified Department of Defense information NWs and prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries." The Command is charged with pulling together existing cyberspace resources, creating synergy and synchronising war-fighting effects to defend the information security environment. It comes under the Strategic Command, which also has the Space Command as a constituent. A similar structure for India could be considered, especially as the US has evolved its structure based on experience and also because it functions as an open democracy. India already has the Strategic Forces Command, which could be augmented with both Space and Cyberspace Wings. These may be of smaller size to start with and will develop in accordance with threats and needs. Each service has its own requirements. The structure therefore has to be need-based and flexible.

11. Mission of Unified Cyber Command. To plan, coordinate, integrate, synchronize, direct and conduct network operations and defense of all defense forces networks. When directed, conduct cyberspace operations in support of Unified Land Operations to ensure freedom of action in cyberspace and to deny the same to our adversaries.

12. Tasks of Unified Cyber Command. Based on the mission, the tasks of unified cyber command will be as under:-

(a) Conduct Cyberspace Operations (CO).

(i) Defensive Cyberspace Operations (DCO).

(ii) Offensive Cyberspace Operations (OCO).

(b) Conduct Information Operations (IO).

(i) Provide IO support to defence forces.

(ii) Provide trained & ready IO capability.

(iii) Provide IO reach back support for planning and analysis.

(iv) Provide operational IO training standards to recruit IO forces.

(c) Cyberspace Force Modernisation Proponent. Capabilities development.

13. Role of Various Components of Unified Cyber Command. The envisaged role of various components of is as follows:-

(a) Armed Forces CERTs. These would monitor traffic, disseminate information, ensure remedial measures to ensure ongoing security to NWs and systems. They would also in a manner be charged with protection of critical infrastructure of each service, i.e. communication backbone, power systems, high-priority NWs. The structure thus envisages a Defence CERT which works in concert with each service CERT.

(b) DIA. Defence Intelligence Agency exists under HQ IDS. Its cyber and information operations elements could work with this command. Intelligence gathering is an accepted reality and cyberspace possibly provides the best scope for this as also information operations.

(c) DRDO. DRDO should conduct specialised research for the armed forces to provide necessary military hardware for conduct of offensive cyber operations and also hardware immune to hostile cyber attacks, which is more relevant due to embedded hardware supplied by our adversaries.

(d) DIARA. Each service has its special requirements and own communication directorates. Joint operations, strategic communications as also high-security NWs need to be coordinated under HQ IDS and the proposed Cyber Command. Cyber operations which are required for preparation of the battlefield. This again would be a tri-service organisation, with additional experts from the DRDO or any other such institution. This would facilitate information assurance & conduct R&D to ensure safety of communication NWs.

(e) Territorial Army (TA). Battalions for Cyber Warfare While cyber warfare is ongoing, there are periods of heightened threat. A recent example was the Commonwealth Games, when NWs were subjected to attacks. There is therefore need to create and maintain a "surge capacity" for crisis or warlike situations. Young IT professionals constitute a vast resource base and a large number would be willing to loyally serve the nation when required. This resource must be capitalised by raising of cyber warfare TA battalions similar to those for Railways and ONGC, which could be embodied when required. In addition to purely "defence" requirements these could also provide for protection of critical infrastructure.

14. Envisaged Capabilities of Unified Cyber Command. The unified cyber command is envisaged to have following capabilities when fully operational:-

(a) Capability to protect all defence assets integrated through ICT.

(b) Capability to undertake offensive cyber warfare in NCW environment.

(c) Capability to integrate various service components for effective cyber deterrence to our adversaries.

(d) Significant contribution to operational cyber planning.

(e) Integrate cyberspace operations in major military exercises.

(f) Collaboration with civilian institutions to develop best cyber practices.

(g) Work with vendors on specific requirements of defence forces in cyber domain.

15. Establishment of unified cyber command within the defence forces with cyber warfare capabilities is must in the interest of national security within cyber domain.

Appreciating that cyberspace is offense dominant, the Cyber Command should be equipped with defensive and offensive cyber weapons and manpower trained in cyber warfare. The command needs to build capabilities in countering cyber espionage and deny the enemy any benefits if it succeeds in breaking defences.

16. The govt needs to provide funds and resources to establish the unified cyber command at the earliest as such a capacity may not be available at present with the defence forces. The industry should provide the govt with expertise on a long term basis to help in establishment of unified cyber command and also training the defence forces personnel in cyber warfare.

CHAPTER 5

THE WAY AHEAD

General Recommendations

1. The rapidity & scale of cyber security threats is likely to grow manifold. This threat will pose a challenge to national security. Thus there is urgent need for the government to adopt a cyber security policy & create a organisation specifically to look into the cyber security of the nation. The govt should immediately adopt such a policy so that urgent actions in a coordinated fashion can be taken to defend India’s economy and society against cyber attacks.

2. Cyber security should be regarded as an integral component of national security. Urgent attention should be given to the issues of cyber crime, cyber terrorism, cyber warfare and CII protection.

3. Establishing National Structure for Cyber Security. The Indian govt need to lay down a well structured and positioned organization for designing, implementing, driving, monitoring and coordinating cyber security initiatives in the country. The envisaged structure should enable effective and efficient decision making which involves consultation across multiple stakeholders – policy makers, various ministries, state governments, defence, intelligence, LEAs, private sector among others. The roles and responsibilities for every stakeholder needs to be defined and should clearly establish coordination and information sharing mechanisms, focus on building PPP models and create environment for enhancing trust between the industry and government. The increasing linkage between cyber security and national security and the involvement of multiple stakeholders, it is very crucial that the cyber security in India is positioned at the highest level within the govt. This will give cyber security the much needed impetus and will help address inter-agency concerns and improve coordination.

4. The NSA, through NIB, should be made in charge of formulating and overseeing the implementation of the country’s cyber security policy within the ambit of a larger national security policy. This body should be serviced by the NSCS for policy measures and DIT and other departments (e.g. Telecom, space, etc.) for operational measures.

5. Establishing of Cyber Coordination Centre. Cyber coordination centre at the operational level, should be staffed by personnel from the relevant operational agencies. This centre would serve as a clearing-house, assessing information arriving in real time and assigning responsibilities to the agencies concerned.

(a) Nodal Agency for Cyber Terrorism and Cyber Crime. MHA should be the nodal agency for handling cyber terrorism as well as cyber crime. To handle cyber terrorism need to implement measures ranging from monitoring and surveillance, investigation, prosecution, etc. Cyber terrorism should be part of the nation’s overall counter terrorism capabilities. The National Counter Terrorism Centre being set up should have a strong cyber component. NIB, with MHA as the nodal agency, should be tasked with the responsibility of formulating and implementing a policy to deal with cyber terrorism. The issues of ethical hacking and immunity for defence and intelligence officers should be considered. In dealing with cyber crime, some of the measures needed will overlap with those required to deal with cyber terrorism but extra effort will be required to ensure greater awareness, strengthening of the legal framework, law enforcement, prosecution, etc. Particular focus to be placed on awareness and enforcement MHA.

(b) Nodal Agency for Cyber Warfare. Headquarters IDS should be the nodal agency for preparing the country for cyber warfare in all its dimensions. Unified cyber command should be created in a time-bound manner with both offensive and defensive components. Since cyberspace remains integral, there should be an appropriate interface between defence and civilian departments.

(c) Cyber Security Education, R&D and Training. It should form an integral part of the national cyber security strategy. The govt should set up a well-equipped National Cyber Security R&D Centre to do cutting edge cyber security R&D. This could be a PPP endeavour. Cyber security research should also be encouraged in public and private universities and institutions. DIT should formulate a roadmap for cyber security research in the country. The country’s strengths in ICT should be leveraged. DRDO should conduct specialised research for the armed forces and NTRO should do so for the country’s intelligence agencies.

(d) CERT for Cyberspace Situational Awareness. DIT’s CERT should be the nodal agency to create and share cyberspace situational awareness in the country. DIT should make public awareness of risks, threats and vulnerabilities in cyberspace and measures to mitigate it. Disaster management and recovery must be an integral part of any national cyber security strategy. The DIT should coordinate its efforts with NDMA and also other govt departments as well as private bodies.

Specific Recommendations

6. Building Technical and Hardware Capability. Adequate emphasis on building adequate technical capabilities in cryptology, digital signatures, testing for malware in embedded systems, operating systems, fabrication of specialised chips for defence and intelligence functions, search engines, artificial intelligence, routers, new materials, SCADA systems, etc. Cyber security should be mandatory in computer science curriculum and even separate programmes on cyber security should be contemplated.

7. Best Practices and Cyber Audit. Emphasis need to be placed on developing and implementing standards and best practices in govt as well as private sector functioning. Cyber security audits should be made compulsory for networked organisations. The standards should be enforced through a combination of regulation and incentives to industry.

8. National Mission in Cyber Forensics. The govt should launch a National Mission in Cyber Forensics to facilitate prosecution of cyber criminals and cyber terrorists.

9. International Cooperation. International cooperation is crucial

to handle cyber crime, cyber terrorism and in managing risks in cyberspace.

It is necessary to participate in multilateral discussions on rules of behaviour in cyberspace. The govt should also consider joining the European Convention on Cyber crime. A 24x7 nodal point for international cooperation with cyber authorities of other countries should be set up. The Indian agencies should also participate in regional fora on cyber security. Engagement of Indian cyber authorities with internationally renowned cyber professional bodies should be encouraged.

10. Understanding Arena of Social Networking. The impact of the emergence of new social networking media, and convergence of technologies on society including business, economy, national security should be studied with the help of relevant experts, including political scientists, sociologists, anthropologists, psychologists, and law enforcement experts. It should be ensured that the issues of privacy and human rights are not lost sight of and a proper balance between national security imperatives and human rights and privacy is maintained.

11. Cyber Warfare Doctrine. There is urgent need to enunciate India’s cyber warfare doctrine which defines objectives and cyber warfare policy. Some of the relevant policy matters should include following in cyber warfare doctrine:-

(a) Formulation of proactive cyber defence policy with emphasis on actions taken in anticipation to prevent an attack against computers and NWs.

(b) Raise a Cyber Command and build up offensive capabilities.

(c) Create a pool of trained people such as Cyber TA Battalions to provide "surge capacity" to bolster the country’s resources during critical periods or in the event of hostilities

(d) Need to critically analyse the impact of social NWs with respect to national security and perception management, especially during crisis.

12. Critical Infrastructure. Govt should initiate and create critical infrastructure to ensure implementation of practices and provide necessary budgetary support for the same. Some of the steps to strengthen the infrastructure should include following:-

(a) Develop security expertise for protection of CII by providing hands on training to professionals, especially from the govt sector.

(b) Establish a mechanism for measuring preparedness of critical sectors such as security index, which captures preparedness of the sector and assigns value to it. Operationalise the mechanism for routinely monitoring preparedness.

(c) Govt should incorporate IT Supply Chain Security as an important element of e-security plan to address security issues.

(d) Govt should promote R&D in private industry through active govt support for industry-led research projects in the areas of security. Establish enabling mechanisms to facilitate this.

(e) Govt need to focus on creating a workforce of security professionals in the country keeping in view the requirements of the future.

(f) PPP model should be explored for taking security to the regions and industry sectors.

(g) Strengthening telecom security is the key pillars of cyber security, especially through development of standards and establishment of testing labs for telecom infrastructure (equipment, hardware).

(h) Capacity building in the area of cyber crime and cyber forensics in terms of infrastructure, expertise and availability of HR and cooperation between industry, LEAs and judiciary.

13. Legal. Legal framework with regards cyber aspects in the country needs to be strengthened and awareness with regards to cyber laws needs to be created. The following actions will strengthen the legal aspects in cyberspace:-

(a) Need for trained and qualified experts to deal with the highly specialised field of cyber security. Awareness with regard to the threat to ICT infrastructure needs to be created and the necessary legal provisions to ensure cyber safety must be developed.

(b) Substantive laws dealing with illegal access, illegal interception, data interference, misuse of devices, computer-related forgery, child pornography, etc. must be implemented.

(c) Procedural laws need to be in place to achieve cooperation and coordination of international organisations and govts to investigate and prosecute cyber criminals.

(d) The police must work closely with both govt and non-govt agencies, Interpol and the public at large to develop a comprehensive strategy to address the problems.

(e) Lobbying at an international level for the harmonisation of existing national legislation to ensure that such laws provide a fair measure of deterrence to cyber criminals and cyber terrorists, thereby making cyberspace a safer place for national and international transactions.

(f) Government must put in place necessary amendments in existing laws or enact a new legislation like a Data Protection/Privacy Act so as to safeguard against the misuse of personal information by various govt agencies and protect individual privacy.

14. Miscellaneous. The following miscellaneous recommendations also need to be studied and analysed thoroughly to ensure full proof cyber security at national level:-

(a) Examine the impact of cloud computing and wireless technologies and formulate appropriate policies.

(b) Make it a mandatory requirement for all govt organisations and private enterprises to have a designated Chief Information Security Officer (CISO) who would be responsible for cyber security.

(c) Establishment of a cyber range to test cyber readiness.

(d) More powers to sectoral CERTs.

(e) Establish an online mechanism for cyber crime-related complaints to be recorded.

CHAPTER 6

CONCLUSION

1. Cyber security, today forms integral part of national security and will continue to be on the govt’s policy agenda. As the threat scenario evolves and the fifth dimension is becoming a complex gambit, there is need for critical information infrastructure protection, government services delivery, public sector services along with industry and national defence will have to respond with appropriate cyber security policies that will involve implementation and testing of security practices.

2. Cyberspace being the fifth common space, it is imperative that there be coordination, cooperation and uniformity of legal measures among all nations with respect to cyberspace. The exponential growth of cyberspace is possibly the greatest development of the current century. Unfortunately, this development has also led to the near-simultaneous growth of the misuse of cyberspace by cyber criminals and in recent times. Cyberspace has been vulnerable to a large number of attacks on crucial information infrastructure by cyber terrorists.

3. LEAs will require upgradation of training and cyber forensics tools; R&D in cutting edge security technology will be essential. All of these and many other projects of national importance will be conceptualised and implemented in PPP. The policy scenario will evolve too. This calls for a vibrant relationship between the government and the industry. To protect own cyberspace and create vulnerabilities for the hostile nations, it will be a vital step to establish unified cyber command at national level. Various models already exist and stood tests of time, thus we need to understand the urgent requirement of creating a structure to pose a credible minimum deterrence as far as cyberspace is concerned. Though establishment of cyber command only, is not going to solve the problem, but a wholesome approach will be required at national level to include all stake holders in curbing cyber crime and cyber terrorism. To meet this end, it is the need of the hour that nations of the world cooperate and make constructive efforts to reduce vulnerabilities, threats and risks to manageable levels

4. It is time that the countries of the world, including India, realise that a well protected cyberspace would only be an asset to developing and developed nations alike. With regard to the present legal situation in India, certain commendable advances have taken place that have placed India in a relatively strong position. However, there are still gaping loopholes not only in legislation but also investigation and enforcement that have allowed India to become prey to cyber crime.