The post originally appeared on the Hindu on 23rd June 2015.
By Saikat Datta
Without a single shot fired or a drop of blood spilled, an entire country can be crippled. That is cyber warfare, and the government must start working right away to combat the new enemy
In late 2006, the U.S Department of Defence detected a major breach in their computer systems leading them to believe that their $337 billion F-35 Joint Strike Fighter (JSF) programme had been compromised. Investigations that started at Pentagon, the department headquarters, revealed that the breach had taken place far away from HQ.
The JSF programme, claimed to be producing one the world’s most advanced combat aircraft, was primarily being developed by the private defence contractor Lockheed Martin, along with many sub-contractors. While the companies were busy meeting deadlines, no one had noticed a deliberate Computer Network Exploitation (CNE) attack that had taken place on their premises.
Unlike the spies of the Cold War era, when collaborators would provide access to secret documents to physically copy and photograph documents, the new age spies didn’t need any physical access. Working over the Internet thousands of miles away, they sucked out thousands of secret documents, jeopardising one of the most secret programmes under development by the U.S military.
Clearly, the nature of the new threat had established that the boundaries that needed to be defended were no longer housed within the walls of a seemingly secure government facility. Instead, they were now far beyond the government’s secure facilities and at places where such an attack was least expected.
In 2007, Estonia, a tiny former Soviet republic, faced one of the most debilitating attacks in modern times. No shots were fired and no tanks rolled across its border. Instead, anonymous hackers, suspected to be operating from Russia, launched a massive cyber-attack on its information systems and brought critical infrastructure sectors such as banking and power to a grinding halt. For three days, the country faced chaos. Systems refused to re-start and ATMs refused to dispense cash, as the financial architecture, based on millions of lines of code, had crashed. The attack, known as a Deliberate Denial of Service (DDoS), had proved what modern warfare could achieve without any blood being spilled.
The attack on Lockheed Martin and Estonia revealed the extent of vulnerability of the systems that operated some of the most critical sectors in a country. From defence to energy, power, aviation and law enforcement, every sector that depended on computer networks was suddenly left extremely vulnerable. This realisation led to the identification of several areas to be designated as “Critical Information Infrastructure” (CII) that would need a slew of measures to be strengthened against future threats.
India’s slow response
The last decade has witnessed a slow but steady realisation within the Indian government that the threats of the future will come from cyberspace. Unfortunately, while the realisation exists, the Indian security establishment has not been jolted into action in the manner in which the Kargil war or the 26/11 terrorist attack on Mumbai galvanised the nation to adopt a series of corrective measures. In 2008, when the Information Technology Act 2000 was amended, the introduction of Section 70A and 70B went largely unnoticed in policy circles.
Article 70A mandated the need for a special agency that would look at designated CIIs and evolve practices, policies and procedures to protect them from a cyber attack. But the then United Progressive Alliance government took another six years to create such an agency. On January 16, 2014, the Department of Information Technology (DIT) issued a notification announcing the creation of a specialised body to protect India’s CIIs. The National Critical Information Infrastructure Protection Centre (NCIIPC) was created and placed under the technical intelligence agency, the National Technical Research Organisation, to roll out counter-measures in cooperation with other security agencies and private corporate entities that man these critical sectors.
Unfortunately, since 2014, there seem to have been few moves to establish the mandate of the government’s 2014 notification. A “critical sector” has been defined under the notification as “sectors that are critical to the nation and whose incapacitation or destruction will have debilitating impact on national security, economy, public health or safety”.
The government has identified 12 sectors that fit the bill and can be covered under the NCIIPC project as mandated by Section 70A of the amended IT Act. These range from energy to power, law enforcement, aviation, banking, critical manufacturing, defence and space. While several of them are housed within the government, sectors such as energy and power are manned by the private sector. While the overarching guidelines for the protection of CIIs were issued by the government in May 2012, the sectors still lack specific guidelines that will address their peculiar challenges in cyberspace.
A joint responsibility
When the U.S government was grappling with its cyber security challenges, there was a clear realisation that it did not have the wherewithal or the scope to protect all the critical sectors. It realised that it needed to work closely with the private sector manning these sectors to establish a foolproof defence system. That was only possible if both sectors — government and private — agreed to come together and establish joint mechanisms to ward off future attacks. This was possible in principle, but in reality, it was a bigger challenge than what most people had anticipated.
The biggest issue on both sides was the lack of trust. The government was essentially a regulator, while the private companies sought as little control as possible. It took several years for both sides to evolve before they could work together, building trust and joint mechanisms to protect each other.
In India, there should be a proliferation of similar efforts at every level led by the NCIIPC. It needs to take the lead, as mandated by the DIT notification to assist in the “…development of appropriate plans, adoption of standards, sharing best practices, and refinement of procurement processes in respect of protection of Critical Information Infrastructure”. This will mean sitting together to conduct joint exercises, map vulnerabilities, build counter-measures and achieve a synergy that it is currently lacking. For a nation that seeks to achieve Prime Minister Narendra Modi’s vision of ‘Digital India’ and ‘Make in India’, the clock is already ticking away. Any delay now will only lead to disastrous consequences.
(Saikat Datta is a Senior Fellow at the Centre)