Need of Strengthening Cyber Resilience of Civilian infrastructure
- Cyber, which is regarded as the fifth dimension of warfare, is now largely being employed against civilian targets.
- For instance, several high-profile cyberattacks were reported from the United States during the past several months.
- These attacks were all primarily on civilian targets that were of critical importance.
- Hence, there is a need to defending civilian targets, and more so critical infrastructure, against cyberattacks such as ransomware, phishing, spear phishing, Zero-day software, etc.,
Recent cyberattacks on Civilian infrastructure reported from the United States
- SolarWinds: It was believed to be sponsored by Russia. It involved data breaches across several wings of the U.S. government, including defence, energy, and state.
- Hafnium: Aggressive cyberattack, by a Chinese group. It exploited serious flaws in Microsoft’s software.
- DarkSide: Ransomware attack by Russia/East Europe-based cybercriminals. Attacked the Colonial Pipeline, the main supplier of oil to the U.S. East Coast, compelling the company to temporarily shut down operations.
- Nobellium: Russia-backed group. A phishing attack on 3,000 e-mail accounts, targeting USAID and several other organisations.
Possible motives behind Cyberattacks
Data has become the world’s most precious commodity and reportedly, we create more than three quintillion bytes of data every day. With the growth in the digital world, attacks on data and data systems are bound to intensify for various following reasons,
- One, for nation-states involved in Cyber-attacks, their primary aim is to transform the existing Geopolitical situation in their favor.
- Two, for cybercriminals and for terror groups, the motive is to earn increased profits.
- Three, some companies encounter ‘insider threats’ due to discontent with the management or for personal reasons.
Why the cyber resilience of Civilian infrastructure needs to be strengthened?
Nations around the globe are concentrating on cyber defences to protect military and strategic targets, whereas the priority to protect civilian infrastructure is being overlooked. This needs to be changed for the following reasons.
- One, the use of ‘Zero-day software’ that earlier existed only for the military domain now exists outside the military domain too.
- A zero-day attack (also referred to as Day Zero) is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of.
- It has the capability to cripple a system and could lie undetected for a long time. The most infamous Zero-day software is Stuxnet. It almost crippled Iran’s uranium enrichment Programme.
- Two, the distinction between military and civilian targets is increasingly getting erased. For instance, the 2012 cyberattack on Aramco, employing the Shamoon virus, had wiped out the memories of 30,000 computers of the Saudi Aramco Oil Corporation.
- Three, cyberattacks on unconventional sectors have increased. For instance, Banking and financial services were most prone to ransomware attacks, but oil, electricity grids, and lately, health care, have begun to figure prominently.
- Four, the number of cyberattacks on healthcare systems is increasing. Compromised ‘health information’ is proving to be a vital commodity for use by cybercriminals. The available data aggravates the risk not only to the individual but also to entire communities.
What needs to be done?
Already, Cyber professionals are now engaged in building a ‘Zero Trust-Based Environment’ by employing software-defined solutions. However, much needed to be done
Read Also :-Cyber Attacks on critical Infrastructure
- One needs to build deep technology in cyberspace. New technologies such as artificial intelligence, Machine learning, and quantum computing, presents new opportunities in this regard.
- Two, officials in the public domain and company boards should carry out regular vulnerability assessments and create necessary awareness of the growing cyber threat.
Source: The Hindu
More Related Articles :
|Energy flow in ecosystem||Amrabad tiger reserve||Red tapism|
|Indigo cultivation||Financial year india rbi||ken betwa link project|
Need of Global Rules to protect the Cyberspace
The 21st century is going to be an era of data revolution wherein almost all the activities would be carried on in cyberspace. This calls for creating some global rules to protect cyberspace as their absence has failed to prevent cyberattacks even on powerful countries like the U.S.
- The US created cyberspace as a free, open, decentralized, distributed, and self-governing platform.
- In the current scenario, the domain has gained utmost importance as our critical systems like power, financial or military etc. are connected to it through data.
- Further, the introduction of 5G technology and the Internet of Things would turn everything into a networked object. It would lead to an exponential expansion of data.
- This high usage of data would ease the governance process but would also make the system more prone to cyber-attacks.
Reasons behind Cyberattacks:
- Economic Benefits: A cyberattack gives a hacker access to critical economic data that can be sold for millions in the grey market.
- For instance, a Chinese attack on the weapon design system of the US allows it to develop a competitive advanced defence system. It enables the country to save millions of dollars and years of research and development.
- Ideological Conflict: The free and decentralised structure of cyberspace goes against the ideology of authoritarian countries like Russia and China. This induces them to launch attacks on democratic countries like U.S and India. They have also built firewalls to protect their societies from freedom.
- Geopolitical Interest: One country attacks another country’s data to serve its geopolitical interest in the region. The attack is aimed to cripple the governance structure in another country and induce it to act in a favourable way.
- For instance, IP theft costs the US economy hundreds of billions of dollars annually and reduces US companies’ R&D investment and innovation. The reduced investment and rising losses diminish its geopolitical position.
Factors fueling Cyberattacks:
- No Global Order: Countries have domestic laws and agencies to punish cyber offenders. However, it is difficult to punish if the attacker is located in another country as there are no global rules on cyberspace.
- Low Entrance Threshold: It enables a curious person to learn and become a hacker. This allows him/her to get into infrastructure, financial or military systems without leaving a trace.
- Synergy between State and Non-State Actors: Rogue states and well-organised digital terrorist groups use footloose hackers to invade diplomatic and strategic plans.
- For instance, the October 2020 cyberattack shut down the electrical grid of Mumbai. The New York Times claimed this to be an attack carried out by China with the support of non-state actors.
- Traceability: The advancement in technology has made the traceability of hackers very difficult.
- For instance, the hacking group demanded ransom in bitcoins in the May 7 ransomware attack on Colonial Pipeline, one of America’s largest fuel suppliers. However, the countries can’t trace transactions in cryptocurrency.
- The countries should realise the inefficiencies of domestic laws and institutions in combating cyber attacks.
- For instance, the US has a National Security Agency that conducts surveillance under the authority of the Foreign Intelligence Surveillance Act.
- Similarly, it has a dedicated Cyber Command but still, it was unable to prevent the May 7 ransomware attack on the colonial pipeline.
Thus, the countries must work together to develop global law and technology to implement more aggressive measures against cyberattacks. The focus should be on developing foolproof encryption to protect the nation’s data.
Source: Click Here
“Cybercrime Volunteer Programme” – No Centralised list of Volunteers Maintained
What is the News?
Union Home Ministry has said that it does not maintain a centralised list of volunteers enrolled under the cybercrime volunteer programme. The ministry also said that it is because the police is a “State subject” under the 7th Schedule of the Constitution.
What is the issue?
- A Right to Information Act(RTI) application was filed to know the total number of volunteers applied under the Cybercrime Volunteer Programme.
- But the Union Home Ministry replied to claim for such information directly to the respective States and Union Territories. As it does not maintain a centralised list of volunteers enrolled under the cybercrime volunteer programme.
- Further, the Ministry said that “police” and “public order” were State subjects in the Seventh Schedule of the Constitution. Hence, the States were primarily responsible for the prevention, detection and investigation of crimes through their law enforcement agencies(LEAs).
About Cybercrime Volunteer Programme:
- Firstly, the Ministry of Home Affairs launched the Cybercrime Volunteer programme.
- Secondly, the programme aims to bring together citizens to contribute to the fight against cybercrime in the country. The scheme also aims to assist State/UT in their endeavour to curb cybercrimes.
- Thirdly, under the programme, citizens can register themselves as Cyber Crime volunteers. They will help the law enforcement agencies in identifying, reporting and removing illegal/unlawful online content.
- Fourthly, the program is a constituent of the National Cybercrime Ecosystem Management Unit. This unit is in turn a part of the Indian Cyber Crime Coordination Centre(I4C) scheme.
Concerns against the Programme:
- Culture of Surveillance: Internet Freedom Foundation(IFF), a digital rights group has said that the programme enables a culture of surveillance. The IFF also mentions that the programme could create a potential social distrust by encouraging civilians to report the online activities of other citizens.
- Chances of Misuse: There is no information available on how the Ministry will ensure that the program is not misused to extract misguided personal or political vendettas.
Source: The Hindu
“Paris Call for Trust and Security in Cyberspace” – Microsoft Urges India to Join in
What is the News?
The Microsoft president urged India and the U.S. to join the Paris Call for Trust and Security in Cyberspace. The Paris call for Trust and Security now has 75 countries on board. It deals with the new cybersecurity threats faced in the world.
About Paris Call for Trust and Security in Cyberspace:
- The Paris Call for Trust and Security in Cyberspace was announced in 2018 by the French President. It was announced during the Internet Governance Forum held at UNESCO and the Paris Peace Forum.
- Purpose: It is a non-binding declaration. It calls states, private sector and civil society organizations to work together to promote security in cyberspace, counter disinformation. Also, it aims to address new cyber threats endangering citizens and infrastructure.
Nine Principles: The Paris Call is based on nine common principles. Such as:
- Firstly, Protect Individuals and Infrastructure: Prevent and recover from malicious cyber and digital activities. As it threatens or causes significant, indiscriminate or systemic harm to individuals and critical infrastructure.
- Secondly, Protect the Internet: Prevent activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet.
- Thirdly, Defend Electoral Processes: Strengthen capacity to prevent interferences by foreign actors. Especially those aimed at undermining electoral processes through malicious cyber activities and disinformation.
- Fourthly, Defend Intellectual Property: Prevent information and communications technology-enabled theft of intellectual property. Such as trade secrets or other confidential business information. It provides a competitive advantage to info. Holder.
- Fifthly, Non-Proliferation: Develop ways to prevent the proliferation of malicious software and practices intended to cause harm.
- Sixthly, Lifecycle Security: Strengthen the security of digital processes, products, and services, throughout the lifecycle and supply chain.
- Seventhly, Cyber Hygiene: Support efforts to strengthen advanced cyber hygiene for all actors.
- Eighthly, No Private Hack Back: Take steps to prevent non-State actors, including the private sector, from hacking back for their own purposes.
- Hacking back: It means giving corporations and other hack victims, the permission to counter-attack cyber-threats. The Hacking back can be more aggressive against perpetrators as it is a retaliatory attack.
- Ninthly, International Norms: Promote the widespread acceptance and implementation of international norms of responsible behavior. It also aims to generate confidence-building measures in cyberspace.
Source: The Hindu
Increasing cyber threat and need for Cyber strategy
Synopsis: As per the reports, China is increasing cyber-attacks. India needs to prepare a cyber strategy to tackle cyber warfare effectively.
- Recently, the Recorded Future (a U.S.-based cybersecurity firm) revealed an increase in suspected targeted intrusions against India from Chinese state-sponsored groups.
- Also, according to State authorities in Maharashtra, the October 2020 blackout in Mumbai was directly linked to Chinese cyber-attack.
- Indian cyber agencies such as the National Critical Information Infrastructure Protection Centre (NCIIPC) and the Indian Computer Emergency Response Team (CERT-In) may have information on China’s aggressive cyber campaign.
- Thus, India needs to adopt comprehensive measures to guard its critical infrastructure from the cyber threat posed by China.
What are the revelations made by the Recorded Future?
- One, at least 10 Indian power sector organisations have been targeted, in addition to two Indian ports.
- Two, they have also identified the network infrastructure viz., AXIOMATICASYMPTOTE used for this purpose. Servers of AXIOMATICASYMPTOTE are known to be used by RedEcho. It is a China-linked activity group, that targets India’s power sector, and facilitates the employment of a malware known as Shadowpad.
- ShadowPad is a network intrusion malware that creates a secret path from a targeted system to a command-and-control server to extract information.
- ShadowPad is affiliated with both the Chinese Ministry of State Security and the People’s Liberation Army
What are the recent infamous cyber espionages at the global level?
- Chinese hackers are suspected for the development of a global ‘spearphishing campaign’. It targeted organizations responsible for vaccine storage and transportation. Its objectives are to;
- target vaccine research
- gain future access to corporate networks
- collect sensitive information relating to COVID-19 vaccine distribution.
- Also, recently in 2021, several thousands of U.S. organizations were hacked in by Chinese espionage campaign. The Chinese group, Hafnium, was identified as responsible for this breach. They exploited a series of flaws in the Microsoft software, that enabled them to gain total remote control over affected systems.
- Russia has been accused of cyber interference in the U.S. presidential elections in 2016.
- Also, Russia is currently the prime suspect in one of the greatest data breaches concerning the U.S. Federal government.
- Headlined SolarWinds, cyber-attack in 2020 is a prime example of the damage that can be caused by a cyber-attack.
How other countries are preparing to deter cyber warfare?
- First, the US, to improve its readiness and resilience in cyberspace, made a budgetary allocation of over $10 billion for cybersecurity in his COVID-19 Relief Bill.
- Second, China’s 2021 Defence Budget ($209 billion) gives special weightage to the Strategic Support Force (SSF), which embraces cyber warfare.
The Ukraine example (cyber-attack on the Power grid in 2016) should be a wake-up call for India and the world. It reminds us of the availability of advanced malware to carry out sophisticated cyber-attacks. Hence, preparing a comprehensive cyber strategy, that fully acknowledges the extent of the cyber threat from China and other countries, should be recognised as an immediate necessity.
Sources: The Hindu
Cyber attacks on critical Infrastructure
Synopsis: At present Critical infrastructure of India is vulnerable to cyberattacks. The government have to strengthen its cybersecurity initiatives.
Recently Massachusetts-based firm Recorded Future released a study. It mentioned that Mumbai power outages can be a cyber attack aimed at critical infrastructure. The report also mentioned few important things such as,
- The Cyberattack was carried out by the state-sponsored group Red Echo.
- The Red Echo has close ties to the People’s Liberation Army (PLA) and has also behind many recent cyberattacks by China.
- So the cyberattacks probably carry a message from China.
- Chinese cyberattacks in the past focussed on stealing critical information and not on projecting their cyber potential. But their Cyberattack on India might be different.
What is the critical infrastructure?
These are the physical and cyber systems that are so vital to any country. Any attack on these infrastructures will weaken the economic security or public health or national security of a country.
In general 16 sectors are identified as a critical infrastructure of any country. This includes sectors such as the Defence sector, Energy sector, Emergency services, Nuclear reactors and their materials, etc.
What was India’s response to the cyber attack on critical infrastructure?
- The power minister denied the reports. Further, he mentioned cyberattack was not the reason behind power failure in Mumbai.
- But, the power minister of Maharashtra on the same day mentioned that the Mumbai Cyber Police investigation had suggested a possible cyberattack on critical infrastructure. The cyberattack aimed with the intent to disrupt the power supply.
- National Critical Information Infrastructure Protection Centre (NCIIPC) has also reported cyberattacks by Red Echo to hack the critical grid network.
Government initiatives to protect critical infrastructure from cyberattacks:
- Indian government for the past few decades interested in critical information infrastructure protection (CIIP). So, In 2014 the government made NCIIPC as a national nodal agency for CIIP.
- In 2019, the government also announced a National Mission on Interdisciplinary Cyber-Physical Systems (NM-ICPS). The mission allotted a budget of Rs 3,660 crore for five years, to strengthen the Cyber-Physical Systems(CPS).
- The Bureau of Indian Standards (BIS) also launched the Industrial Cybersecurity Standards (IEC62443). This standard aimed to address and mitigate current and future cybersecurity challenges. Especially in industrial automation and control systems. But the government is yet to adopt the standards.
Vulnerability of Critical Infrastructures:
Critical infrastructure has become increasingly vulnerable to cyber-attacks. The power grid ecosystem is a major target of such cyberattacks.
Critical infrastructures always focused on productivity and reliability during their construction and planning. Further, many of these critical infrastructures were never designed to protect against cyberattacks. This is the main reason for their vulnerability to cyber-attacks.
Suggestions to protect critical infrastructure:
The government has to adopt the BIS Industrial Cybersecurity Standards. This will strengthen cybersecurity.
Apart from that, Ministries and Departments need better budgetary allocations for cybersecurity. The government also need a robust infrastructure, processes and audit system to strengthen cybersecurity.
To strengthen the power sector India needs strong regulation. India can take examples from the North American Electric Reliability Critical Infrastructure Protection (NERC) policy. The policy could serve as a guide to the power sector companies and help in securing their operational technology (OT) networks.
India so far has protected the critical networks like the sensitive Aadhaar ecosystem, the core banking systems etc. To strengthen it further, India can release a new cybersecurity policy addressing wider challenges.
Source: The Indian Express
“Cyber Volunteer programme” for Citizens
What is News?
The Ministry of Home Affairs(MHA) informs the Lok Sabha that a “Cyber Volunteer programme” has been rolled out. The Ministry also informed that the services of Cyber volunteers will be utilized by the State police as per requirement.
About Cyber Crime Volunteers Program:
- Launched by: Indian Cyber Crime Coordination Centre (I4C)
- Aim of Cyber Volunteer programme: To make citizens contribute to the fight against cybercrime in the country. Further, assisting the State/UT Law enforcement agencies in their endeavour to curb cyber crimes.
- Features: Under the Cyber Volunteer programme, citizens can register themselves as Cyber Crime volunteers. They will help the law enforcement agencies in identifying, reporting and removing illegal/unlawful online content.
What is Unlawful Content? The unlawful content has been categorised as the following:
- Contents against sovereignty and integrity of India.
- Any digital contents Against defence of India, Security of the State etc.
- Contents affecting friendly relations with foreign States.
- Content aimed at disturbing Public Order and disturbing communal harmony.
- Any Child Sex Abuse materials.
Terms and Conditions: Cyber Volunteer programme has certain terms and conditions for citizen enrolment as a cyber volunteer. They are:
- The Cyber volunteer is strictly prohibited from certain things. Such as,
- creating social media accounts in the name of this programme
- Issue any statement or express opinions on public platforms on behalf of the Cyber Volunteer programme.
- Cyber Volunteers have to maintain strict confidentiality of tasks assigned or carried out by him/her.
- Volunteers shall be de-registered in case of any violation or breach of the conditions.
- Further, the State nodal officers reserve the right to take legal action.
About Indian Cyber Crime Coordination Centre(I4C):
- Nodal Ministry: It was established in 2018 under the Ministry of Home Affairs(MHA).
- Purpose: I4C act as a nodal point at the National level in the fight against cybercrime.
- Components: I4C has seven key components. They are,
- National Cybercrime Threat Analytics Unit(TAU)
- National Cybercrime Reporting
- Platform for Joint Cybercrime Investigation Team
- National Cybercrime Forensic Laboratory(NCFL) Ecosystem
- National Cybercrime Training Centre(NCTC)
- Cybercrime Ecosystem Management Unit
- National Cyber Crime Research and Innovation Centre.
- Location: New Delhi
About National Cyber Crime Reporting Portal:
- It was launched in 2019. The portal provides a centralized mechanism to the citizens. Using this portal the citizens can report all types of cybercrime incidents with a special focus on cyber crimes against women and children.
Source: The Hindu
Rise of Lateral Surveillance in India
Synopsis: The notification on the IT rules 2021 promotes lateral surveillance. It has given a new meaning to ‘Citizen watch’.
The Indian Cyber Crime Coordination Centre (I4C), under the Ministry of Home Affairs (MHA), launched the Cyber Crime Volunteers Program. It aims to allow citizens to register themselves as “Cyber Crime Volunteers’’ in the role of “Unlawful Content Flaggers”.
- The programme will help law enforcement agencies in identifying, reporting and removal of illegal/unlawful online content.
- The programme will be launched all over the country. It is going to have its test run in Jammu and Kashmir and Tripura.
What is lateral surveillance?
- The surveillance in which citizens watch over one another is called lateral surveillance.
- Main Features of lateral surveillance:
- It is different from typical surveillance. In the typical surveillance, there is a vertical relationship between those being watched(citizenry) and those who are watching(the state).
- The lateral surveillance specifically ensures that the imbalance of power no longer exists.
- It is a form of community policing.
- The United States had the neighbourhood watch scheme. It increased community policing in the 1970s. With the introduction of technology and the development of applications such as Citizen and Next door, monitoring of people and their behaviour has become easier.
What is the extent of lateral surveillance in India, and what are its impacts?
The state-sponsored lateral surveillance has been implemented in India earlier as well. For example, the C-Plan App in Uttar Pradesh launched for keeping a tab on anti-social elements. It is designed to receive inputs from certain identified individuals in villages across the State.
- Firstly, these individuals have been given the responsibility to solve local problems such as providing information about boiling communal tensions or land disputes taking place in their own villages through the mobile application.
- Secondly, the scope of lateral surveillance expanded during the pandemic lockdown. For instance, the Karnataka government released a PDF with the names and addresses of around 19,000 international passengers who were quarantined in Bengaluru.
- Thirdly, lateral surveillance may create a situation where privacy could get weakened for the betterment of the community.
- Fourthly, It can act as a tool for social exclusion. Lateral surveillance makes it easier to discriminate between those who do not conform to the social norms of the majority.
- For example, the LGBT community in South Korea faced harsh comments from the homophobic majority when coronavirus cases were reported from the area where they resided.
- Fifthly, it is harmful because it creates an environment of hate, fear and constant suspicion. This method gives people a duty of keeping an eye out for their own safety which results in an increase in fear of crime in society.
- Sixthly, these threats will increase intolerance, prejudice, racism and casteism in our society. It will also violate the fundamental right to privacy right of free speech.
What will be the outcome of the policy?
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 also promotes lateral surveillance.
- For example, there is a provision relating to the user-directed removal of non-consensual sexually explicit content. It will enable mediators to remove or disable access to the information within a short period of time of being notified by users.
- This may result in taking down content and sharing user data without sufficient due process safeguards, violating the fundamental right to privacy and freedom of expression.
Cyber Attacks in India and Institutional arrangements for Cybersecurity
Synopsis: India’s Critical Infrastructure is vulnerable to Cyberattacks from foreign countries. India needs to upgrade its Institutional arrangements for Cybersecurity.
- Recently, The New York Times reported that China is threatening India through Cyber-attacks.
- It raised the possibility that the power outage in Mumbai (on October 13 2020) could have been an attack by a Chinese state-sponsored group.
- In the same direction, Maharashtra’s Home Minister acknowledged a report by the Maharashtra Cyber Cell. The report showed that the grid failure was potentially the result of “cyber sabotage”.
- However, Power ministry contended that the grid failure was not linked to any cybersecurity incident.
Has India been affected by Chinese state-sponsored Cyber security attacks in the past?
India has been attacked by suspected Chinese state-sponsored groups multiple times in the past. For example,
- In 2009, GhostNet (cyber-espionage network) extensively targeted Indian entities. These entities included military establishments, news publications, and even the National Security Council Secretariat.
- After the attack, the Shadow Network investigation by researchers found clear evidence that confidential documents accessed by the attackers.
- Suckfly attack, targeted government and private entities including a firm that provided tech support to the National Stock Exchange.
- Dtrack attack in2019, it first targeted Indian banks, and later the Kudankulam nuclear power plant (Tamil Nadu).
- India also faced an attack from Stuxnet, which had hampered the functioning of nuclear reactors in Iran.
- Apart from state-sponsored Cyber-attacks, there are enough evidence to show that the Chinese are also helping them to dismantle the infrastructure behind some of these attacks.
- More fearfully, WikiLeaks has shown that groups such as the Central Intelligence Agency’s UMBRAGE project have advanced capabilities of ‘false flag attacks. (ability to make other nations responsible for cybersecurity attacks with false proofs)
What are the Institutional arrangements in India related to cybersecurity?
Over the past two decades, India has made a significant effort for providing cyber security, some of them are
- One, Cyber security is given high priority by including cyber portfolios in PMO (Prime Minister’s Office). For example, the National Security Council, chaired by the National Security Adviser.
- The NSA also chairs the National Information Board, the apex body for cross-ministry coordination on cybersecurity policymaking.
- Two, Establishment of National Critical Information Infrastructure Protection Centre under the NTRO. It protects critical information infrastructure,
- Three, in 2015, the Prime Minister established the office of the National Cyber Security Coordinator. It advises the Prime Minister on strategic cybersecurity issues.
- Four, the Computer Emergency Response Team (CERT-In), is the nodal agency. It responds to various cybersecurity threats to non-critical infrastructure.
- Five, The Ministry of Defence has recently upgraded the Defence Information Assurance and Research Agency.
- It aims to establish the Defence Cyber Agency, a tri-service command of the Indian armed forces to coordinate and control joint cyber operations and craft India’s cyber doctrine.
- Six, the Ministry of Home Affairs oversees “coordination centres”. It focuses on law enforcement efforts to address cybercrime, espionage and terrorism.
- Finally, the Ministry of External Affairs coordinates India’s cyber diplomacy with other countries and at international fora like the United Nations.
What are the issues in India’s cybersecurity framework?
- First, the institutional framework for cybersecurity has the following concerns.
- Lack of effective coordination.
- Overlapping responsibilities
- Lack of clear institutional boundaries and accountability.
- Two, India is yet to prepare a Cyber doctrine that defines the limits for offensive cyber operations, or the scope of countermeasures against cyber-attacks.
What is the way forward?
- First, a clear-cut cyber doctrine similar to Nuclear doctrine is needed for protecting cyber spaces. For example, the ‘No First Use’ nuclear posture was critical in preventing a nuclear war despite rising tensions.
- The absence of a credible cyber deterrence strategy allows states and non-state actors to conduct cyberattacks on critical information infrastructure.
- Second, India should push for the debate on global governance architecture regarding Cyber space in international fora based on India’s strategic interests and capabilities.
- It should also push for making binding rules that makes cyberspace-attacks on critical infrastructure illegitimate. (health-care systems, electricity grids, water supply, and financial systems)
- Third, need for improved coordination between the government and the private sector at the national and State levels. It will effectively counter threats from both state actors and their proxies.
- Four, need to publish cyber-attack information in Public domain for enabling meaningful public discussions on future Cyber policies.
Cyber attacks and Cyber Security in India – Explained Pointwise
Recently there were many instances of Chinese led cyber-attacks on Indians and India based companies. A US-based cyber group has informed about Chinese hackers targeting Indian companies that developed Covid-19 vaccines (Covaxin and Covishield). Similarly, another US report informed about a Chinese firm (Red Echo) that was using malware called ShadowPad to target India’s power sector.
There were also evidences that some of these Chinese led cyber-attacks were backed by the Chinese government. Apart from China, India has also faced cyber-attacks from Russia, North Korea and other countries. These examples highlighted the need to strengthen India’s cyber security infrastructure.
What is Cyber Security?
- It is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks.
- There are 4 main types of threat to cyber security:
- Cyber espionage: It is an Intelligence gathering and data theft activity. The data theft will occur without the user’s permission/knowledge.
- Cyber warfare: It refers to the use of digital attacks (like computer viruses and hacking) by one country to disrupt the computers or information networks of another country.
- Cyber terrorism: It refers to the convergence of terrorism and cyberspace. In this, the terrorists will use the internet to conduct violent activities such as threats, loss of life etc. Terrorists will use cyberspace to achieve their political and ideological gains.
- Cyber crime: It is any criminal activity that involves a computer, networked device or a computer network.
Few recent examples of cyber attacks in India
Global Cyber Security Index 2018 positioned India at 23rd place globally. The report mentioned India’s vulnerability to cyber-attacks. Some of the examples of cyber attacks are:
- A Goldman Sachs backed firm Cyfirma has reported that Chinese hacker group APT 10 (also known as Stone Panda) had allegedly attacked the Covid-19 vaccine manufacturers in India. Cyfirma has also mentioned that there were links between the Chinese government and Stone Panda.
- In November 2020 Microsoft detected cyber attacks from Russia and North Korea. Microsoft mentioned that these attacks were targeting the Covid-19 vaccine companies in India, France, Canada, South Korea and the United States.
- Similarly, in February 2021, a US-based cyber company had mentioned about the Chinese group called Red Echo. They cautioned that Red Echo was using malware called ShadowPad to target India’s power sector.
Government initiatives to strengthen Cyber Security in India
The Indian government have taken many steps to strengthen cyber security. They are,
- Information Technology Act (IT) 2000 – It is the primary law for dealing with cyber-crime and digital commerce in India.
- The act covers a broad range of offences including child pornography, cyber terrorism etc.
- Section 75 of the Act empowers the government to punish people located outside India who is accused of the offence.
- National Cyber Security Policy, 2013: The policy provides the vision and strategic direction to protect the national cyberspace. Some objectives of the policy are:
- To create a secure and robust cyber-ecosystem and building adequate trust and confidence in electronic transactions.
- The policy aims to guide stakeholder’s (users) actions for ensuring protection in cyberspace.
- To strengthen the regulatory framework in India for ensuring secure cyber ecosystem.
- To develop suitable indigenous technologies in the ICT sector.
- National Critical Information Infrastructure Protection Centre (NCIIPC):
- The NCIIPC was created by Section 70A of the IT Act.
- It is designated as a national nodal agency in respect of critical information infrastructure protection.
- It aims to protect and safeguard critical information infrastructure (CII) against cyberterrorism, cyberwarfare and other threats.
- CERT-In (Cyber Emergency Response Team – India) – It was created by Section 70B of the IT Act. It is the national nodal agency to respond against computer security threats as and when required.
- National Cyber Security Coordination Centre (NCCC): The NCCC is mandated to perform real-time threat assessment. Further, they also create situational awareness of potential cyber threats to the country. It was made operational in 2017.
- Cyber Swachhta Kendra: It is a platform for users to analyse and clean their systems by removing various viruses, bots/ malware, Trojans, etc. It was launched in 2017.
- Cyber Surakshit Bharat Initiative: It was launched in 2018. The initiative aims to spread awareness about cybercrime. The initiative also focuse on the capacity building of Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
- Sandes Platform:
- It is an instant messaging platform like WhatsApp. It was previously named as Government Instant Messaging System(GIMS).
- The platform can be used for all kinds of communications by anyone with a mobile number or email id. The platform will ensure secure communication between users.
- It was launched in 2020 for State and Central government employees, now the scope has been extended to every citizen.
Challenges in tackling cyber offences
- Poor cyber security infrastructure: Very few cities in India have cyber crime cells and the establishment of dedicated cyber courts is also very less in India.
- Awareness issue: People don’t report cyber crimes either due to low awareness or fear of harassment.
- There are many data-related problems in ensuring cyber security. Such as,
- The majority of Indian data is stored in data centres located outside India. So, the data storing companies not report cyberattacks to India.
- Growing online transactions have generated bigger incentives for cybercriminals. A recent cyberattack on Zomato(food delivery app) is an example of that.
- Capacity deficit of officials: The law enforcement agencies who are required to conduct cyber investigation often lack the requisite cyber skills and training.
- Anonymity: Cyberspace allows individuals to hide or misrepresent one’s profile using encrypting tools. This creates a larger challenge during the investigation.
- Jurisdictional concern: In cyber offences, an individual can conduct a crime from sitting in a remote location of anywhere in the globe. A recent Wannacry malware attack is a perfect example of that. Even if the person gets identified it requires global cooperation to bring the person and conduct a trial in court.
Suggestions to improve cyber security
- Coordination Enhancement: There is a need to improve coordination at international, national, state and local levels. An important step in this regard could be the signing of the Budapest Convention on Cyber-crime by the Indian government.Budapest Convention on Cyber-crime: It is the first international treaty attempting to address cybercrime. The convention addresses cybercrime by steps such as harmonizing national laws, increasing cooperation among nations and improving investigative techniques in cybercrime.
- Robust Training of law enforcement agencies is the need of the hour. The government will have to provide continuous, robust and effective training to law enforcement agencies and individuals with a special focus on cyber security and safe internet handling techniques.
- Infrastructure Development: This would involve creating more cyber cells, cyber courts and cyber forensic labs so that the violators are duly punished.
- Inculcating Digital Literacy: This can be done by addressing the vulnerabilities of the masses towards cyber offences.
- Responsibility on Service providers: Website owners must be made more cautious towards traffic on their sites and report any irregularity. This will ensure large scale data collection on cyber attacks. These data can be used to create a new cyber security strategy in future.
- Amending of the Information Technology Act: There is a need to put a legal responsibility on companies to conduct regular cyber security audits. For that, the IT Act can be amended to include mandatory cyber security audit by independent agencies.
The recent pandemic has once again shown the importance of cyberspace for mankind. Considering the need for cyber security the government needs to fast pace the National Cyber Security Strategy 2020 and its implementation.
Possible evidence of China’s “Cyber Warfare” against India
What is the News?
A recent report has claimed that Chinese hackers had targeted Indians and Indian based companies. These cyber-attacks have raised concerns over whether China is engaged in cyber warfare with India.
What is Cyber Warfare?
Cyber Warfare refers to the use of digital attacks (like computer viruses and hacking) by one country to disrupt the computers or information networks of another country.
Possible evidences of China’s cyber warfare:
- Surveillance of Indian Individuals:
- A China-based technology company, Zhenhua Data Information Technology was monitoring over 10,000 Indian individuals. These individuals include politicians, judges, industrialists, bureaucrats among others.
- Its aim was to collect information about relevant people and track research papers, articles, patents, and their recruitment positions.
- ShadowPad Malware:
- In February 2021, a US-based cyber company had published a report about the Chinese group called Red Echo. The report mentioned that Red Echo was using malware called ShadowPad to target India’s power sector.
- The Ministry of Power has also confirmed the attempts of this ShadowPad malware in the power sector.
- However, there was no data breach/data loss had been detected so far. Further, the government has also taken action against the threats observed.
- Stone Panda:
- A US-based cyber group has informed about a Chinese hacking group Stone Panda. They informed that the Stone Panda is targeting the IT infrastructure of Bharat Biotech and the Serum Institute of India(SII).
- These companies have developed Covaxin and Covishield. These vaccines are currently being used in the national vaccination campaign against COVID-19.
Reasons for cyber-attacks:
All these surveillance and hacking attempts could be happening for several reasons. Such as,
- Border clashes between India and China: As bilateral tensions continue to rise, cyber-attacks are expected to increase in India.
- Long Term Strategy of China: These cyber-attacks could also be an attempt by China to test and lay the grounds for further operations in future. Sometimes these offensive operations are carried out to distract India and China might be focussing on other cyber activities.
- Competition: The motivation behind Stone Panda’s attack was to extract the companies intellectual property. Further by extracting them, China can gain a competitive advantage over Indian pharmaceutical companies.
Source: The Indian Express
“Cyber security” training to Railway staffs.
What is the News?
To provide Cyber security training to staffs Ministry of Railways has joined hands with the Centre for Development of Advanced Computing (C-DAC). The training will educate its officials on Internet ethics, cyber hygiene and best practices in the use of IT equipment, including mobile phones.
This is a part of C-DAC’s National Cyber Security Strategy. The training was decided based on the recent cyberattacks across the railway network during the ongoing pandemic.
Use of IT infrastructure in Railways:
- The Indian Railways uses IT infrastructure for the Passenger Reservation System (PRS). PRS is the nationwide online passenger reservation and ticketing system for railways.
- E-payment is also provided as part of the Freight Operations Information System(FOIS).
Why cyber security training is needed?
- The PRS includes passengers identities, proof of address, passenger mobile number and net banking/card payment details. So any cyber breach will endanger the sensitive data of the passengers.
- Indian Railways has seen a number of cyber breaches in various IT applications of railways. For example, illegal applications were used to book tickets, bypassing the railway firewall.
- These incidents occurred due to improper handling of the IT assets by the personnel.
- Further, these breaches increased after the lockdown due to an increase in electronic modes of communication in official working. So cyber security training is much needed.
- Hence, it was necessary that all railway officials took responsibility and follow adequate procedures when using IT infrastructure. This is important for ensuring confidentiality, privacy in dealing with official information.
Source: The Hindu
Threat of Deepfakes in India
Synopsis: Deepfakes are becoming a huge threat. This AI-based technology has been used to incite violence and disrepute people. Recently, it was used allegedly used to incite violence in the US.
What are Deepfakes?
- Deepfakes are modified images, text, audio, and video or synthetic media, created with the help of Artificial Intelligence.
- It generates a fake version from an original or real audio-visual content by superimposing new audio or image on an existing media file.
- For example; with the use of AI, the face of a person in an original video can be replaced with the face of another person (Morphing). Now the modified face will mimic the head movements, vocal patterns, and facial expressions of the original one.
- Media is manipulated with such sharpness that it becomes almost impossible to identify the difference between fake and real media. It can only be identified by using AI tools.
Threats of Deep Fakes
- Deep fakes can be used to disrupt the democratic processes like elections in any country.
- It is believed that Capitol Hill violence was incited by using deep fake media which caused misinformation and disinformation.
- Deep Fakes are used to stain the reputations of individuals and spread propaganda against them.
- According to a deep fake tracking research organization, in the month of October alone, over 100,000 fake nude images of women were circulating online.
- Real images for that purpose were acquired through social media accounts.
- The existence of deep fakes causes that much distrust among the public that any true evidence of a crime can easily be dismissed as fake.
- These technologies can be used by terrorist organizations and insurgents to further their agenda of destabilizing state governments. They can spread false information about institutions, public policy, and politicians for this purpose.
- The existing legal framework of many countries including India does not criminalize deep fakes.
Regulations of Deep fakes
In US: As per US law, Social Media Companies cannot be held responsible for the posts on their platforms.
In India: Some provisions in the Indian Penal Code (IPC) and Information Technology Act, 2000 criminalize a few related cybercrimes. But there is no specific law as of now to deal with deep fakes.
Issues in India’s legal system
- Sections 66E, 67, 67A, and 72 of the IT act deal with the violation of privacy and publishing or transmitting obscene material in electronic form.
- But these provisions can also result in penal consequences for the victim, for voluntarily producing such material.
- The Information Technology Intermediary Guidelines (Amendment) Rules, 2018 are insufficient to tackle content manipulation on digital platforms.
- Guidelines require that intermediate companies take necessary steps for the removal of illegal content.
- During the 2019 general election of India, the election commission gave out instructions on the use of social media for election campaigns. Social media companies also agreed to take action to prevent any violations.
- However, it has been reported that social media platforms like WhatsApp were used for spreading misinformation and propaganda during the election.
What are the steps to be taken?
Existing laws are not enough to protect individuals against deep fakes. Only AI-generated tools can be effective in detection.
- AI-based detection tools with the capability to detect deep fakes must be invented as soon as possible.
- In 2020, the University of Washington and Microsoft arranged a workshop with experts to discuss how to avoid deep fake technology from harmfully affecting the 2020 U.S. presidential election. The workshop concluded with the following suggestions:
- Deep Fakes must be included under hateful manipulated media, propaganda, and disinformation campaigns.
- Journalists should be provided with tools to examine the authenticity of images, video, and audio recordings. For that, they require proper training and resources.
- Policymakers need to understand how deep fakes can threaten polity, society, economy, culture, individuals, and communities.
The best way to deal with this menace is AI-backed technological tools to detect and prevent deep fakes. These tools must be invented by the countries in cooperation as soon as possible. If steps are not taken immediately, these technologies are even capable of invoking wars among countries, in this information age.
Issue of privacy and Personal Data Protection Bill 2019
Synopsis– Present data-based technological development and Personal Data Protection Bill 2019 presents a unique challenge to the privacy of individuals.
Introduction Personal Data Protection Bill 2019 –
By Puttaswamy v India (2017) case, privacy was established as a fundamental right. In other cases, MP Sharma v. Satish Chandra (1954) and Kharak Singh v. Uttar Pradesh (1962), as well, Privacy rights were upheld by SC.
However, the development of global technology and implementation of the Aadhaar biometric programme in India have diluted the effect of these rulings. Now there is an urgent need to take a new look at the legal position of privacy in India.
As depicted by Aadhaar based technology and global social media platforms, data has become a new oil i.e., it has become a tool for economic and political gain. It created a stream of data protection legislations, globally. India is also trying to join the league by Personal Data Protection Bill 2019 (DPB).
In India, the Personal Data Protection Bill 2019 (DPB) is currently under consideration by a parliamentary committee. There are various issues in this bill that go against the privacy rights of individuals.
Commercial and Political consequences of the Data Protection Bill (DPB):
Data Collection related issues
- First- Bill will negatively impact the emerging technologies market of India dealing in creation, use, and sale of data that is valued at $1 trillion by 2025.
- Second- The bill requires digital firms who want to operate in India to obtain permission from users before collecting their data.
- Third– Bill also declares that users who provide data are, in effect, the owners of their own data and may control its usage or request firms to delete it.
- European internet-users are able to exercise a “right to be forgotten” and have evidence of their online presence removed.
- Fourth– The bill allows the government to use “critical” or “sensitive” personal data, related to information such as religion, to protect national interest.
- Fifth– Open-ended access to government could lead to misuse of data. Mr. B N Srikrishna, the chairmen of the drafting committee of the original bill, warned that government-access exemptions risk creating an “Orwellian state”.
Issues related to Establishment of Data Protection Authority (DPA)
- Bill aims to establish a Data Protection Authority (DPA), which will be charged with managing data collected by the Aadhaar programme.
- Authority will consist of chairperson and six committee members,
- Members will be appointed by the central government on the recommendation of a selection committee.
- Members will be selected from senior civil servants, including the Cabinet Secretary.
- The government’s power to appoint and remove members at its discretion provides it an ability to influence the independence of agency.
- Unlike similar institutions, such as the Reserve Bank of India or the Securities and Exchange Board, the DPA will not have an independent expert or member of the judiciary on its governing committee.
- The UIDAI, for its part, has a chairperson appointed by the central government and reporting directly to the Centre.
Issues related to government use of data for surveillance
There are instances that suggest, India is acquiring some features of a surveillance state.
- As stated by the Union Home minister recently, police used facial recognition technology to identify people after the anti-CAA protests and the Delhi riots.
- There is a high possibility that police was matching the video offstage with the database of Election Commission and e-Vahan, a pan-India database of vehicle registration.
Issue related to safety of data
There are instances of controversy where government has shown casual approach towards data safety and privacy of its citizens:
- First, Safety concerns were raised during aadhaar data collection, which stores biometric data in the form of iris and fingerprints which is a violation of right to privacy.
- Second instance was of Aarogya Setu contact-tracing app which was allegedly not able to protect the data provided by citizens.
- The Data Protection Bill is a unique opportunity for India, a country with some 740 million internet users. It would be a standard setter for privacy of individuals.
- Inclusive debate needs to take place in the Joint Parliament Committee and then in Parliament to examine the Data Protection Bill and promote transparency.
What is Solar Winds Hack?
News: The ‘Solar Winds hack’, a cyberattack discovered in the United States, has emerged as one of the biggest ever targeted against the US government.In fact, it is likely a global cyberattack.
- SolarWinds Hack also called the Supply Chain attack is a cyberattack discovered in the United States.
- Instead of directly attacking the federal government or a private organisation’s network, the hackers target a third-party vendor which supplies software to them.
- Cyberattack: It is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization.
- Common types of cyber attacks
- Malware: Malware (malicious software) refers to any kind of software that is designed to cause damage to a single computer, server or computer network.
- Phishing: It is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email.The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine.
- Zero-day exploit: A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time.
- Man-in-the-middle (MitM) attacks also known as eavesdropping attacks occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can filter and steal data.
Draft Data Centre Policy,2020
News: Ministry of Electronics & Information Technology (MeitY) has released the Draft Data Centre Policy,2020.
- Aim: Making India a Global Data Centre hub, promote investment in the sector, propel digital economy growth, enable provisioning of trusted hosting infrastructure to fulfil the growing demand of the country and facilitate state of the art service delivery to citizens.
Key Features of the Policy:
- Infrastructure Status: Provide Infrastructure Status to the Data Centre Sector at par with other sectors like Railways, Roadways and Power.
- Single Window Clearance: A single-window, time-bound clearance system for all the approvals required to set up a data-centre park.
- Incentivization Scheme: Formulation of Data Centre Incentivization Scheme (DCIS) which will specify the intended beneficiaries, applicability criteria and fiscal and non-fiscal incentives for the sector.
- Essential Service: Data centres will be declared as an Essential Service under “The Essential Services Maintenance Act, 1968 (ESMA)” which means that there would be a continuity of services even during times of calamities or crisis.
- Inter-Ministerial Empowered Committee(IMEC): It would be set up under the Chairmanship of Secretary, MeitY with participation from various Central Ministries and State Governments to facilitate the implementation of various measures in the sector.
- Data Centre Industry Council(DCIC): An independent Data Centre Industry Council(DCIC) is proposed to be set up which would act as an interface between the sector and the Government.
- Training: Collaboration with the Ministry of Skills Development and Entrepreneurship(MSDE) and leading academic institutes to impart training to workforce on Data Centre, Digital and Cloud technologies, and facilitate sector linkages for such trained workforce.
- Data Centre: It is a dedicated secure space within a building where computing and networking equipment is concentrated for the purpose of collecting, storing, processing, distributing or allowing access to large amounts of data.
- Data Centre Parks: These are specialized secure Data Zone located with the most conducive non-IT and IT infrastructure and regulatory environment for housing mix of small scale / large scale / clusters of Data Centres to serve the high needs of compute, storage, networking and provision of a wide range of data-related services.