Cyber Security – CERTs, Policy, etc

The National Security Council Secretariat (NSCS) has formulated a draft National Cyber Security Strategy, which holistically looks at addressing the issue of security of national cyberspace, the government informed the Lok Sabha.

What is the National Cyber Security Strategy?

Conceptualised by the Data Security Council of India (DSCI), the report focuses on 21 areas to ensure a safe, secure, trusted, resilient, and vibrant cyberspace for India.

The main sectors of focus of the report are:

• Large scale digitisation of public services: There needs to be a focus on security in the early stages of design in all digitisation initiatives and for developing institutional capability for assessment, evaluation, certification, and rating of core devices.
• Supply chain security: There should be robust monitoring and mapping of the supply chain of the Integrated circuits (ICT) and electronics products. Product testing and certification needs to be scaled up, and the country’s semiconductor design capabilities must be leveraged globally.
• Critical information infrastructure protection: The supervisory control and data acquisition (SCADA) security should be integrated with enterprise security. A repository of vulnerabilities should also be maintained.
• Digital payments: There should be mapping and modelling of devices and platform deployed, transacting entities, payment flows, interfaces and data exchange as well as threat research and sharing of threat intelligence.
• State-level cyber security: State-level cybersecurity policies and guidelines for security architecture, operations, and governance need to be developed.

What steps does the report suggest?

To implement cybersecurity in the above-listed focus areas, the report lists the following recommendations:

• Budgetary provisions: A minimum allocation of 0.25% of the annual budget, which can be raised up to 1% has been recommended to be set aside for cyber security.
• Ministry-wise allocation: In terms of separate ministries and agencies, 15-20% of the IT/technology expenditure should be earmarked for cybersecurity.
• Setting up a Fund of Funds: The report also suggests setting up a Fund of Funds for cybersecurity and to provide central funding to States to build capabilities in the same field.
• R&D, skill-building and technology development: The report suggests investing in modernisation and digitisation of ICTs, setting up a short and long term agenda for cyber security via outcome-based programs and providing investments in deep-tech cyber security innovation.
• National framework for certifications: Furthermore, a national framework should be devised in collaboration with institutions like the National Skill Development Corporation (NSDC) and ISEA (Information Security Education and Awareness) to provide global professional certifications in security.
• Creating a ‘cyber security services’: The DSCI further recommends creating a ‘cyber security services’ with cadre chosen from the Indian Engineering Services.
• Crisis management: For adequate preparation to handle crisis, the DSCI recommends holding cybersecurity drills which include real-life scenarios with their ramifications. In critical sectors, simulation exercises for cross-border scenarios must be held on an inter-country basis.
• Cyber insurance: Cyber insurance being a yet to be researched field, must have an actuarial science to address cybersecurity risks in business and technology scenarios as well as calculate threat exposures.
• Cyber diplomacy: Cyber diplomacy plays a huge role in shaping India’s global relations. To further better diplomacy, the government should promote brand India as a responsible player in cyber security and also create ‘cyber envoys’ for the key countries/regions.
• Cybercrime investigation: It also suggests charting a five-year roadmap factoring possible technology transformation, setting up exclusive courts to deal with cybercrimes and remove backlog of cybercrimes by increasing centres providing opinion related to digital evidence under section 79A of the IT act.
• Advanced forensic training: Moreover, the DSCI suggests advanced forensic training for agencies to keep up in the age of AI/ML, blockchain, IoT, cloud, automation.
• Cooperation among agencies: Law enforcement and other agencies should partner with their counterparts abroad to seek information of service providers overseas.

What next?

• India has to contend with the importance and necessity of cyber offences as much as cyber defence.
• As of today, India’s primary or possibly only response measures appear to be defensive.
• India has to also invest in more offensive cyber means as a response.

Click and get your FREE Copy of CURRENT AFFAIRS Micro Notes

(Click) FREE 1-to-1 on-call Mentorship by IAS-IPS officers | Discuss doubts, strategy, sources, and more

On April 28, Computer Emergency Response Team (CERT-In) passed a rule mandating VPN (virtual private network) providers to record and keep their customers’ logs for 180 days.

What is VPN?

• VPN describes the opportunity to establish a protected network connection when using public networks.
• It encrypts internet traffic and disguise a user’s online identity.
• This makes it more difficult for third parties to track your activities online and steal data.
• The encryption takes place in real time.

How does a VPN work?

• A VPN hides your IP address by letting the network redirect it through a specially configured remote server run by a VPN host.
• This means that if you surf online with a VPN, the VPN server becomes the source of your data.
• This means your Internet Service Provider (ISP) and other third parties cannot see which websites you visit or what data you send and receive online.
• A VPN works like a filter that turns all your data into “gibberish”. Even if someone were to get their hands on your data, it would be useless.

Why do people use VPN?

• Secure encryption: A VPN connection disguises your data traffic online and protects it from external access. Unencrypted data can be viewed by anyone who has network access and wants to see it. With a VPN, hackers and cyber criminals can’t decipher this data.
• Disguising whereabouts: VPN servers essentially act as your proxies on the internet. Because the demographic location data comes from a server in another country, your actual location cannot be determined.
• Data privacy is held: Most VPN services do not store logs of your activities. Some providers, on the other hand, record your behaviour, but do not pass this information on to third parties. This means that any potential record of your user behaviour remains permanently hidden.
• Access to regional content: Regional web content is not always accessible from everywhere. Services and websites often contain content that can only be accessed from certain parts of the world.
• Secure data transfer: If you work remotely, you may need to access important files on your company’s network. For security reasons, this kind of information requires a secure connection. To gain access to the network, a VPN connection is often required.

What does the new CERT-IN directive say?

• VPN providers will need to store validated customer names, their physical addresses, email ids, phone numbers, and the reason they are using the service, along with the dates they use it and their “ownership pattern”.
• In addition, Cert is also asking VPN providers to keep a record of the IP and email addresses that the customer uses to register the service, along with the timestamp of registration.
• Most importantly, however, VPN providers will have to store all IP addresses issued to a customer and a list of IP addresses that its customers generally use.

What does this mean for VPN providers?

• VPN services are in violation of Cert’s rules by simply operating in India.
• That said, it is worth noting that ‘no logs’ does not mean zero logs.
• VPN services still need to maintain some logs to run their service efficiently.

Does this mean VPNs will become useless?

• The Indian government has not banned VPNs yet, so they can still be used to access content that is blocked in an area, which is the most common usage of these services.
• However, journalists, activists, and others who use such services to hide their internet footprint will have to think twice about them.

Why such move?

• Crime control: For law enforcement agencies, a move like this will make it easier to track criminals who use VPNs to hide their internet footprint.
• Curbing dark-net activities: Users these days are shifting towards the dark and deep web, which are much tougher to police than VPN services.

Back2Basics: Indian Computer Emergency Response Team (CERT-IN)

• CERT-IN is an office within the Ministry of Electronics and Information Technology.
• It is the nodal agency to deal with cyber security threats like hacking and phishing. It strengthens the security-related defense of the Indian Internet domain.
• It was formed in 2004 by the Government of India under the Information Technology Act, 2000 Section (70B) under the Ministry of Communications and Information Technology.

UPSC 2023 countdown has begun! Get your personal guidance plan now! (Click here)

The Union Ministry of Electronics and IT (MeitY) has declared IT resources of ICICI Bank, HDFC Bank and UPI managing entity NPCI as ‘critical information infrastructure’.

Try this PYQ:

In India, the term “Public Key Infrastructure” is used in the context of

(a) Digital security infrastructure

(b) Food security infrastructure

(c) Health care and education infrastructure

(d) Telecommunication and transportation infrastructure

 

Post your answers here.

8

Please leave a feedback on thisx

What is Critical Information Infrastructure (CIC)?

• The Information Technology Act, 2000 explicitly gives definition of CIC.
• It defines CIC as a computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety.
• It basically aims to protect the digital assets.
• The government, under the Act, has the power to declare any data, database, IT network or communications infrastructure as CII.
• Any person who secures access or attempts to secure access to a protected system in violation of the law can be punished with a jail term of up to 10 years.

Why is CII classification and protection necessary?

• IT resources form the backbone of countless critical operations in a country’s infrastructure.
• Given their interconnectedness, disruptions can have a cascading effect across sectors.

What led to the classification of CICs?

• In 2007, a wave of denial-of-service attacks, allegedly from Russian IP addresses, hit major Estonian banks, government bodies – ministries and parliament, and media outlets.
• It was cyber aggression of the kind that the world had not seen before.
• The attacks played havoc in one of the most networked countries in the world for almost three weeks.

Recent incidents of CIC incapacitation

• In October, 2020 as India battled the pandemic, the electric grid supply to Mumbai suddenly stopped.
• It hit the mega city’s hospitals, trains and businesses.
• Later, a study by a US firm claimed that this power outage could have been a cyber-attack, allegedly from a China-linked group.
• The government, however, was quick to deny any cyber-attack in Mumbai. But prospects cannot be denied.
• The incident underlined the possibility of hostile state and non-state actors probing internet-dependent critical systems in other countries, and the necessity to fortify such assets.

How are CIIs protected in India?

• Created in January 2014, the National Critical Information Infrastructure Protection Centre (NCIIPC) is the nodal agency.
• It takes all measures to protect the nation’s critical information infrastructure.
• It is mandated to guard CIIs from “unauthorized access, modification, use, disclosure, disruption, incapacitation or distraction”.
• NCIIPC monitors and forecasts national-level threats to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts.

UPSC 2023 countdown has begun! Get your personal guidance plan now! (Click here)

Context

After 100 days of Ukraine crisis, Russia is yet to achieve what can be termed as a decisive victory in any sector of the current conflict.

Reasons for the lacklustre performance of Russia

• Several reasons have been adduced by experts in the West for the lacklustre performance of the Russian army.
• Lack of motivation: There is a lack of motivation and the poor morale of the Russian forces sent to Ukraine.
• Outdated weaponry: Russian weaponry being outdated and ineffective to fight an informationalised war under modern conditions.
• Leadership issue: Russian commanders have also proved inept in devising plans and taking appropriate decisions in battlefield conditions against a determined enemy.

Important role of cyber warfare

• Given that cyber is often touted as the Fifth Dimension of warfare, it may be worthwhile to examine whether this indeed is the first major conflict in which ‘cyber’ is playing a crucial role, allowing a weaker nation with cyber capabilities to use it to its advantage.
• A former Chief of the National Security Agency of the U.S., in his memoirs had said that although cyberspace is a man-made domain, it had become critical to military operations on land, sea, air and in space.
• A former U.S. Secretary of Defence a few years ago,, even talked of a possible ‘cyber Pearl Harbour to paralyze nations and create a profound sense of vulnerability’.
• The Russian military oligarchy is indeed among the world leaders in digital disruption and cyber-methodology.
• One could have reasonably presumed that even before the conflict commenced, Russia would have swamped Ukraine with an avalanche of digital attacks.
• Ukraine, for its part, has its own digital army, including a corps of digital weapons.

Limits of cyber warfare

• There are several publicised instances earlier, of alleged Russian operatives waging a cyberwar against Ukraine.
• Both sides now possess and use malware such as data-wipers which have proved highly effective.
• On the day the Russian invasion of Ukraine began, Russian cyber units are believed to have successfully deployed destructive malware against several Ukrainian military targets.
•  A series of distributed denial-of-service (DDoS) attacks against Ukrainian banking and defence websites occurred simultaneously.
• As far as the conduct of the war is concerned, the string of small-scale cyberattacks cannot be said to have had any material impact on the conduct or outcome of the conflict.
• Hence, the cardinal question is why given that Ukraine has put up such a heroic defence — and to a considerable extent stalled the Russian offensive — Russia has not embarked on a massive all-out cyber-offensive.
• If that be the case, then much of the speculation that cyberattacks in the event of a war provide a perpetrator the capability to enact another ‘Pearl Harbour’ seems highly unrealistic.

Conclusion

It is very likely, and possibly a fact, that there are major difficulties in planning and executing massive cyberattacks on a short timeline to ensure higher efficacy of kinetic attacks.

UPSC 2023 countdown has begun! Get your personal guidance plan now! (Click here)

The Supreme Court has said its technical committee had so far received and tested 29 mobile devices suspected to be infected by Pegasus malware.

Why in news?

• It was alleged that the government used the Israel-based spyware to snoop on journalists, parliamentarians, prominent citizens and even court staff.

What is Pegasus?

• Pegasus is a spyware developed by NSO Group, an Israeli surveillance firm that helps spies hack into phones.
• In 2019, when WhatsApp sued the firm in a U.S. court, the matter came to light.
• In July 2021, Amnesty International, along with 13 media outlets across the globe released a report on how the spyware was used to snoop hundreds of individuals, including Indians.
• While the NSO claims its spyware is sold only to governments, none of the nations have come forward to accept the claims.

Threats created by Pegasus

• What makes Pegasus really dangerous is that it spares no aspect of a person’s identity.
• It makes older techniques of spying seem relatively harmless.
• It can intercept every call and SMS, read every email and monitor each messaging app.
• Pegasus can also control the phone’s camera and microphone and has access to the device’s location data.
• The app advertises that it can carry out “file retrieval”, which means it could access any document that a target might have stored on their phone.

Dysfunctions created

• Privacy breach: The very existence of a surveillance system, whether under a provision of law or without it, impacts the right to privacy under Article 21 and the exercise of free speech under Article 19.
• Curbing Dissent: It reflects a disturbing trend with regard to the use of hacking software against dissidents and adversaries. In 2019 also, Pegasus software was used to hack into HR & Dalit activists.
• Individual safety: In the absence of privacy, the safety of journalists, especially those whose work criticizes the government, and the personal safety of their sources is jeopardised.
• Self-Censorship: Consistent fear over espionage may grapple individuals. This may impact their ability to express, receive and discuss such ideas.
• State-sponsored mass surveillance: The spyware coupled with AI can manipulate digital content in users’ smartphones. This in turn can polarize their opinion by the distant controllers.
• National security: The potential misuse or proliferation has the same, if not more, ramifications as advanced nuclear technology falling into the wrong hands.

Snooping in India:  A Legality check

For Pegasus-like spyware to be used lawfully, the government would have to invoke both the IT Act and the Telegraph Act. Communication surveillance in India takes place primarily under two laws:

1. Telegraph Act, 1885: It deals with interception of calls.
2. Information Technology Act, 2000: It was enacted to deal with surveillance of all electronic communication, following the Supreme Court’s intervention in 1996.

Cyber security safeguards in India

• National Cyber Security Policy: The policy was developed in 2013 to build secure and resilient cyberspace for India’s citizens and businesses.
• Indian Computer Emergency Response Team (CERT-In): The CERT-In is responsible for incident responses including analysis, forecasts, and alerts on cybersecurity issues and breaches.
• Indian Cyber Crime Coordination Centre (I4C): The Central Government has rolled out a scheme for the establishment of the I4C to handle issues related to cybercrime in the country in a comprehensive and coordinated manner.
• Budapest Convention: There also exists Budapest Convention on Cybercrime. However, India is not a signatory to this convention.

Issues over government involvement

• It is worth asking why the government would need to hack phones and install spyware when existing laws already offer impunity for surveillance.
• In the absence of parliamentary or judicial oversight, electronic surveillance gives the executive the power to influence both the subject of surveillance and all classes of individuals, resulting in a chilling effect on free speech.

Way forward

• The security of a device becomes one of the fundamental bedrock of maintaining user trust as society becomes more and more digitized.
• Constituting an independent high-level inquiry with credible members and experts that can restore confidence and conduct its proceedings transparently.
• The need for judicial oversight over surveillance systems in general, and judicial investigation into the Pegasus hacking, in particular, is very essential.

Conclusion

• We must recognize that national security starts with securing the smartphones of every single Indian by embracing technologies such as encryption rather than deploying spyware.
• This is a core part of our fundamental right to privacy.
• This intrusion by spyware is not merely an infringement of the rights of the citizens of the country but also a worrying development for India’s national security apparatus.

UPSC 2023 countdown has begun! Get your personal guidance plan now! (Click here)

Recently, Chinese state-sponsored hackers targeted Indian electricity distribution centres near Ladakh.

Amid a surge in cyberattacks on India’s networks, the Centre is yet to implement the National Cyber Security Strategy which has been in the works since 2020.

Recent trends of Cyber-attacks in India

• As per American cybersecurity firm Palo Alto Networks’ 2021 report, Maharashtra was the most targeted State in India — facing 42% of all ransomware attacks.
• India is among the more economically profitable regions for hacker groups and hence these hackers ask Indian firms to pay a ransom, usually using cryptocurrencies, in order to regain access to the data.
• One in four Indian organisations suffered a ransomware attack in 2021.
• Indian organisations witnessed a 218% increase in ransomware — higher than the global average of 21%.
• Software and services (26%), capital goods (14%) and the public sector (9%) were among the most targeted sectors.

Increase in such attacks has brought to light the urgent need for strengthening India’s cybersecurity.

What is the National Cyber Security Strategy?

Conceptualised by the Data Security Council of India (DSCI), the report focuses on 21 areas to ensure a safe, secure, trusted, resilient, and vibrant cyberspace for India.

The main sectors of focus of the report are:

• Large scale digitisation of public services: There needs to be a focus on security in the early stages of design in all digitisation initiatives and for developing institutional capability for assessment, evaluation, certification, and rating of core devices.
• Supply chain security: There should be robust monitoring and mapping of the supply chain of the Integrated circuits (ICT) and electronics products. Product testing and certification needs to be scaled up, and the country’s semiconductor design capabilities must be leveraged globally.
• Critical information infrastructure protection: The supervisory control and data acquisition (SCADA) security should be integrated with enterprise security. A repository of vulnerabilities should also be maintained.
• Digital payments: There should be mapping and modelling of devices and platform deployed, transacting entities, payment flows, interfaces and data exchange as well as threat research and sharing of threat intelligence.
• State-level cyber security: State-level cybersecurity policies and guidelines for security architecture, operations, and governance need to be developed.

What steps does the report suggest?

To implement cybersecurity in the above-listed focus areas, the report lists the following recommendations:

• Budgetary provisions: A minimum allocation of 0.25% of the annual budget, which can be raised up to 1% has been recommended to be set aside for cyber security.
• Ministry-wise allocation: In terms of separate ministries and agencies, 15-20% of the IT/technology expenditure should be earmarked for cybersecurity.
• Setting up a Fund of Funds: The report also suggests setting up a Fund of Funds for cybersecurity and to provide central funding to States to build capabilities in the same field.
• R&D, skill-building and technology development: The report suggests investing in modernisation and digitisation of ICTs, setting up a short and long term agenda for cyber security via outcome-based programs and providing investments in deep-tech cyber security innovation.
• National framework for certifications: Furthermore, a national framework should be devised in collaboration with institutions like the National Skill Development Corporation (NSDC) and ISEA (Information Security Education and Awareness) to provide global professional certifications in security.
• Creating a ‘cyber security services’: The DSCI further recommends creating a ‘cyber security services’ with cadre chosen from the Indian Engineering Services.
• Crisis management: For adequate preparation to handle crisis, the DSCI recommends holding cybersecurity drills which include real-life scenarios with their ramifications. In critical sectors, simulation exercises for cross-border scenarios must be held on an inter-country basis.
• Cyber insurance: Cyber insurance being a yet to be researched field, must have an actuarial science to address cybersecurity risks in business and technology scenarios as well as calculate threat exposures.
• Cyber diplomacy: Cyber diplomacy plays a huge role in shaping India’s global relations. To further better diplomacy, the government should promote brand India as a responsible player in cyber security and also create ‘cyber envoys’ for the key countries/regions.
• Cybercrime investigation: It also suggests charting a five-year roadmap factoring possible technology transformation, setting up exclusive courts to deal with cybercrimes and remove backlog of cybercrimes by increasing centres providing opinion related to digital evidence under section 79A of the IT act.
• Advanced forensic training: Moreover, the DSCI suggests advanced forensic training for agencies to keep up in the age of AI/ML, blockchain, IoT, cloud, automation.
• Cooperation among agencies: Law enforcement and other agencies should partner with their counterparts abroad to seek information of service providers overseas.

Progress in its implementation

• The Centre has formulated a draft National Cyber Security Strategy 2021 which holistically looks at addressing the issues of security of national cyberspace.
• Without mentioning a deadline for its implementation, the Centre added that it had no plans as of yet to coordinate with other countries to develop a global legal framework on cyber terrorism.

Way forward

• India has to contend with the importance and necessity of cyber offence as much as cyber defence.
• As of today, India’s primary or possibly only response measures appear to be defensive.
• India has to also invest in more offensive cyber means as a response.

UPSC 2022 countdown has begun! Get your personal guidance plan now! (Click here)

Context

The Ministry of Electronics and Information Technology is likely to come out with new cyber security regulations which will put the onus on organisations to report any cybercrime that may have happened against them, including data leaks.

Damages inflicted by the cyber crimes

• Apart from private firms, government services, especially critical utilities, are prone to cyber attacks and breach incidents.
• The ransomware attack against the nationwide gas pipeline in 2021 in the U.S. virtually brought down the transportation of about 45% of all petrol and diesel consumed on the east coast.
• If it were measured as a country, then cyber crime — which is predicted to inflict damages totalling $6 trillion globally in 2021 — would be the world’s third-largest economy after the U.S. and China.

Provision for reporting the cybercrime

• Clause 25 in the Data Protection Bill 2021 says that data fiduciaries should report any personal and non-personal data breach incident within 72 hours of becoming aware of a breach.
• Clause in EU GDPR: Even the golden standard for data protection, namely the European Union General Data Protection Regulation (EU GDPR), has a clause for reporting data breach incidents within a stringent timeline.
•  This, in principle, is likely to improve cyber security and reduce attacks and breaches.

Why reporting cybercrime is important

• Alerting other organisations: If incidences are reported, the Indian Computer Emergency Response Team and others can alert organisations about the associated security vulnerabilities.
• Precautionary measures: Firms not yet affected can also take precautionary measures such as deploying security patches and improving their cyber security infrastructure.
• Why firms are reluctant to notify the crime? Any security or privacy breach has a negative impact on the reputation of the associated firms.
• An empirical study by Comparitech indicates that the share prices for firms generally fall around 3.5% on average over three months following the breach.
• So, firms weigh the penalties they face for not disclosing the incidents versus the potential reputational harm due to disclosure, and decide accordingly.

Possible solutions

• Periodic cyber security audits:  How will the regulator come to know when a firm does not disclose a security breach?
• It can be done only through periodic cyber security audits.
•  Unfortunately, the regulators in most countries including India do not have such capacity to conduct security audits frequently and completely.
• Empanel third-party auditors: The government can empanel third party cyber security auditors for the conduct of periodical cyber security impact assessments, primarily amongst all the government departments, both at the national and State level, so that security threats and incidents can be detected proactively and incidents averted.
• Evaluation and Certification of cyber security: The Ministry, as part of cyber security assurance initiatives of the Government of India, to evaluate and certify IT security products and protection profiles, has set up Common Criteria Testing Laboratories and certification bodies across the country.
• These schemes can be extended towards cyber security audits and assessments as well.
• Security command centre:  Much like IBM, which set up a large cyber security command centre in Bengaluru, other large firms can also be encouraged to set up such centres for protection of their firms’ assets.

Consider the question “Reporting cyber security breaches is important. Yet, firms are reluctant to report the breaches. Examine the reasons for reluctance on part of the firms and suggest the way forward.”

Conclusion

Such measures will also pass the muster of the EU GDPR, thereby moving India closer to the set of countries that have the same level of cyber security and data protection as that of EU, for seamless cross-border data flow.

UPSC 2022 countdown has begun! Get your personal guidance plan now! (Click here)

The Ministry of Home Affairs has recommended a ban on 54 Chinese mobile applications that pose a threat to the country’s security.

Legal basis of app ban

• The ban has been enforced under Section 69A of the Information Technology Act, 2000.
• This act empowers to issue directions for blocking for public access of any information through any computer resource.
• This is done in the interest of –
  1. sovereignty and integrity of India
  2. defense of India, security of the State
  3. friendly relations with foreign states
  4. public order (or)
  5. for preventing incitement to the commission of any cognizable offense relating to above

Why MHA has put such a ban?

• Most of these apps were operating as clones or shadow apps of the apps that had earlier been banned by the government.
• There was stealing and secretly transmitting users’ data in an unauthorized manner to servers that have locations outside India.
• These apps largely impact the psychosocial abilities of the users.
• The immediate decision has been taken in a specific strategic and national security

Implications of the ban

• India’s offensive: The move comes as an exercise of coercive diplomacy with China amid the heated exchange of words during the diplomatic boycott on the winter Olympics.
• Hurting china’s ambitions: The ban may affect one of China’s most ambitious goals, namely to become the digital superpower of the 21st century.
• Data nationalization: The ban is also based on the recognition that data streams and digital technology are a new currency of global power.

Issues with the ban

• Not only China: Data privacy and data security concerns are not limited only to Chinese apps.
• Harm already caused: The apps that were banned were very popular in India and the move to block them comes after these apps had already amassed hundreds of millions of users in India.
• Further dependency on China: The ban on Chinese mobile apps is a relatively soft target, as India remains reliant on Chinese products in several critical and strategically sensitive sectors.

Way Forward

• There is a strong case to revise the key legislations and sync them to change the digital environment.
• Data privacy and security remain to be major challenges emanating from the ongoing digital revolution.
• Thus, a data protection law is long overdue.
• India must speed up indigenization, research, and development, and frame up a regulatory architecture to claim data sovereignty.

UPSC 2022 countdown has begun! Get your personal guidance plan now! (Click here)

Context

Cyber-attacks may be a relatively new phenomenon, but in a short timeframe have come to be assessed as dangerous as terrorism.

A cyber attack is a type of attack that targets computer systems, infrastructures, networks, or personal computer devices using various methods at hand. India is ranked 10th (among 194 countries) in the Global Cybersecurity Index (GCI) 2020 ahead of China and
Pakistan.

The increasing threat of cyber attacks

• Stuxnet Worm in 2010: Resulted in large-scale damage to Iran’s centrifuge capabilities.
• Natanz nuclear facility (Iran) in 2021: Targeted the industrial control systems and destroyed the power supply to centrifuges used to create enriched uranium
• Chinese cyberattack on the power system in Mumbai brought the entire city to a halt.
• Ransomware as a Service (RaaS) — a business model for ransomware developers — is no mere idle threat.
• Advanced Persistent Threats (APT) attacks are set to increase, with criminal networks working overtime and the Dark web allowing criminals to access even sensitive corporate networks.

Tools of Cyberattacks

• Malware: Malicious software to disrupt computers. It can include Viruses, Spyware, Trojans, etc.
• Phishing: It is the method of trying to gather personal information using deceptive e-mails and websites.
• Denial of Service attacks: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
• Hacktivism:  Misusing a computer system or network for a socially or politically motivated reason. For example, hacktivists can block access to Government’s website, deface the government’s website or unblock the sites which have been blocked by the Government.
• Social Engineering: Entice users to provide confidential information. For example, these days u must have come across some of the fake Facebook accounts which are opened in the name of your close friends. First, the cyber attackers send you the friend request in the name of your close friend. Once u accept it, they will ask to request you to transfer some money.

Consequences of Cyberattacks

• Impact on data: Confidentiality, Integrity and Availability of information.
• Impact on Critical Information Infrastructure: Presently, most of the sectors are critically dependent on the use of ICT to carry on their operations. These sectors are Banking and Finance, Power systems, Transport sector, Telecommunication, etc. Cyber attacks on these critical information infrastructures can bring the entire country to a grinding halt. For example, the recent Chinese cyber attack on the power system in Mumbai brought the entire city to a halt.
• Creates Distrust: A cyber-attack on a specific component exposes vulnerabilities in the entire system which may negatively impact relations with allies and adversaries and questions our nuclear reliability.
• Financial loss: Estimates of the cost to the world in 2021 from cyberattacks are still being computed, but if the cost of cybercrimes in 2020 (believed to be more than $1 trillion) is any guide, it is likely to range between $3trillion-$4 trillion.
• Threat to National Security and peace and stability in a country.

Steps taken by India to improve Cyber Security

• Section 66F of ITA: Specific provision dealing with the issue of cyber terrorism that covers denial of access, unauthorized access, introduction of computer contaminant leading to harm to persons, property, critical infrastructure, disruption of supplies, ‘sensitive data’ thefts. Provides for punishment which may extend to life imprisonment.
• National Cyber Security Policy 2013: Policy document drafted by the Department of Electronics and Information Technology. Established National Critical Information Infrastructure Protection Centre (NCIIPC) to improve the protection and resilience of the country’s critical infrastructure information; Create a workforce of 5 lakh professionals skilled in cybersecurity in the next 5 years.
• National Critical Information Infrastructure Protection Centre (NCIIPC): It has been setup to enhance the protection and resilience of Nation’s Critical information infrastructure. It functions under the National Technical Research Organization (NTRO).
• CERT-IN: Organization under the Ministry of Electronics and Information Technology with an objective of securing Indian cyberspace. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities, and promote effective IT security practices throughout the country. According to the provisions of the Information Technology Amendment Act 2008, CERT-In is responsible for overseeing the administration of the Act.
• Cyber Surakshit Bharat Initiative: It was launched in 2018 with an aim to spread awareness about cybercrime and build capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
• Cyber Crisis Management Plan (CCMP): It aims at countering cyber threats and cyber-terrorism.
• National Cyber Coordination Centre (NCCC): It seeks to generate necessary situational awareness of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual entities.
• National Cyber Security Coordinator (NCSC) under National Security Council Secretariat (NSCS) coordinates with different agencies at the national level for cyber security matters.
• Cyber Swachhta Kendra: This platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.
• Information Security Education and Awareness Project (ISEA): Training of personnel to raise awareness and to provide research, education, and training in the field of Information Security.

Challenges

• Structural:
  a)Absence of any geographical constraints.
  b)Lack of uniformity in devices used for internet access.
• Administrative:
  a) Lack of national-level architecture for cybersecurity
  b) Security audit does not occur periodically, nor does it adhere to the international standards.
  c) The appointment of the National Cyber Security Coordinator in 2014 has not been supplemented by creating liaison officers in states.
• Procedural
  a) Lack of awareness in local police of various provisions of IT Act, 2000, and also of IPSC related to cybercrime.
  b) Lack of data protection regime.
• Human Resource Related
  a) Inadequate awareness among people about the security of devices and online transactions.

Way forward

• International Convention: Presently, Budapest Convention is the first international treaty that promotes greater cooperation between countries in fighting cybercrimes. India should accede to Budapest Convention at the earliest. It would reduce India’s capacity to combat cybercrimes at a global level.
• PPP Framework for Cyber Security: Presently, most of the cyber security operations are carried out by the Government agencies such as CERT-In. Given the fast-changing nature and intensity of cyber threats, there is a need to leverage private sector expertise in combating cyber crimes through the PPP framework.
• Capacity building and skill development- Recently, according to a report published by NASSCOM, India needs around 10 lakh, cyber security experts. However, presently there are only around 64,000 professionals. One of the main reasons for the lower number of cyber security professionals is due to lack of an adequate number of specialized courses in cyber security, poor training Infrastructure, lack of availability of trainers, etc. Hence, accordingly, the Government has to recognize the lacunae and increase the number of Skilled professionals.
• Promoting Startups in the field of Cybersecurity.
• Investment in R&D to improve Cyber Security- Big data, AI
• Learning from best practices such as the Tallinn manual of the US.

Conclusion

Failure to build resilience — at both the ‘technical and human level — will mean that the cycle of cyber attacks and the distrust they give rise to will continue to threaten the foundations of a democratic society. Preventing erosion of trust is critical in this day and age.

UPSC 2022 countdown has begun! Get your personal guidance plan now! (Click here)

A New York Times report has claimed that the Indian government had bought the Pegasus Spyware in 2017.

What is Pegasus?

• Pegasus is a spyware developed by NSO Group, an Israeli surveillance firm that helps spies hack into phones.
• In 2019, when WhatsApp sued the firm in a U.S. court, the matter came to light.
• In July 2021, Amnesty International, along with 13 media outlets across the globe released a report on how the spyware was used to snoop hundreds of individuals, including Indians.
• While the NSO claims its spyware is sold only to governments, none of the nations have come forward to accept the claims.

Why is Pegasus so lethal?

• What makes Pegasus really dangerous is that it spares no aspect of a person’s identity.
• It makes older techniques of spying seem relatively harmless.
• It can intercept every call and SMS, read every email and monitor each messaging app.
• Pegasus can also control the phone’s camera and microphone and has access to the device’s location data.
• The app advertises that it can carry out “file retrieval”, which means it could access any document that a target might have stored on their phone.

Dysfunctions created by Pegasus

• Privacy breach: The very existence of a surveillance system, whether under a provision of law or without it, impacts the right to privacy under Article 21 and the exercise of free speech under Article 19.
• Curbing Dissent: It reflects a disturbing trend with regard to the use of hacking software against dissidents and adversaries. In 2019 also, Pegasus software was used to hack into HR & Dalit activists.
• Individual safety: In the absence of privacy, the safety of journalists, especially those whose work criticizes the government, and the personal safety of their sources is jeopardised.
• Self-Censorship: Consistent fear over espionage may grapple individuals. This may impact their ability to express, receive and discuss such ideas.
• State-sponsored mass surveillance: The spyware coupled with AI can manipulate digital content in users’ smartphones. This in turn can polarize their opinion by the distant controllers.
• National security: The potential misuse or proliferation has the same, if not more, ramifications as advanced nuclear technology falling into the wrong hands.

Snooping in India:  A Legality check

For Pegasus-like spyware to be used lawfully, the government would have to invoke both the IT Act and the Telegraph Act. Communication surveillance in India takes place primarily under two laws:

1. Telegraph Act, 1885: It deals with interception of calls.
2. Information Technology Act, 2000: It was enacted to deal with surveillance of all electronic communication, following the Supreme Court’s intervention in 1996.

Cyber security safeguards in India

• National Cyber Security Policy: The policy was developed in 2013 to build secure and resilient cyberspace for India’s citizens and businesses.
• Indian Computer Emergency Response Team (CERT-In): The CERT-In is responsible for incident responses including analysis, forecasts, and alerts on cybersecurity issues and breaches.
• Indian Cyber Crime Coordination Centre (I4C): The Central Government has rolled out a scheme for the establishment of the I4C to handle issues related to cybercrime in the country in a comprehensive and coordinated manner.
• Budapest Convention: There also exists Budapest Convention on Cybercrime. However, India is not a signatory to this convention.

Issues over government involvement

• It is worth asking why the government would need to hack phones and install spyware when existing laws already offer impunity for surveillance.
• In the absence of parliamentary or judicial oversight, electronic surveillance gives the executive the power to influence both the subject of surveillance and all classes of individuals, resulting in a chilling effect on free speech.

Way forward

• The security of a device becomes one of the fundamental bedrock of maintaining user trust as society becomes more and more digitized.
• Constituting an independent high-level inquiry with credible members and experts that can restore confidence and conduct its proceedings transparently.
• The need for judicial oversight over surveillance systems in general, and judicial investigation into the Pegasus hacking, in particular, is very essential.

Conclusion

• We must recognize that national security starts with securing the smartphones of every single Indian by embracing technologies such as encryption rather than deploying spyware.
• This is a core part of our fundamental right to privacy.
• This intrusion by spyware is not merely an infringement of the rights of the citizens of the country but also a worrying development for India’s national security apparatus.

UPSC 2022 countdown has begun! Get your personal guidance plan now! (Click here)

The article underscores the threat of cyberattacks on the critical infrastructure and also suggests the steps to be taken to secure these infrastructures.

Cyberattack on the power grid

• On October 12 last year, Mumbai plunged into darkness as the electric grid supply to the city failed.
• Recently, a study by Massachusetts-based Recorded Future,  said that the Mumbai power outage could have been a cyberattack aimed at critical infrastructure.
• It was carried out by the state-sponsored group Red Echo.
• As recently as in February, the Centre’s nodal agency National Critical Information Infrastructure Protection Centre (NCIIPC) had reported concerted attempts by Red Echo to hack the critical grid network.
• CERT-In, is reported to have detected the ShadowPad malware in one of the largest supply chain attacks a month after the Mumbai outage.
• Many of the suspected IP addresses identified by NCIIPC and CERT-In were the same and most have been blocked in time.
• The Chinese focus in the past was stealing information and not projecting power, but the situation with India might be different.

Why critical infrastructures are so vulnerable

• As many of these critical infrastructures were never designed keeping security in mind and always focused on productivity and reliability, their vulnerability is more evident today.
• With devices getting more interconnected and dependent on the internet facilitating remote access during a pandemic, the security of cyber-physical systems has, indeed, become a major challenge for utility companies.

Critical information infrastructure protection

• For more than a decade, there have been concerns about critical information infrastructure protection (CIIP).
• In January 2014, the NCIIPC was notified to be the national nodal agency for CIIP and over these years has been working closely with the various agencies.
• In January 2019, the government also announced a National Mission on Interdisciplinary Cyber-Physical Systems (NM-ICPS), with a budget of Rs 3,660 crore for the next five years, to strengthen the sector.

Way forward

• Most ministries and departments need better budget allocations for cybersecurity as well as a more robust infrastructure, processes and audit system.
• The Industrial Cybersecurity Standards (IEC62443) launched by the Bureau of Indian Standards (BIS), has to be adopted soon.
• For the power sector, a strong regulation on the lines of the North American Electric Reliability Critical Infrastructure Protection (NERC) policy could serve as a guide.

Consider the question “Discuss the importance of critical information infrastructure protection (CIIP)? Also mention the steps taken by the government in this regard.” 

Conclusion

Clearly, the incident is a wake-up call for better preparedness in terms of a more robust cyber security ecosystem in place. The new cyber security policy awaiting imminent announcement will hopefully cater to that.

Amid souring relations between India and China last year, evidence has emerged that a Chinese government-linked company’s attempt led to a power outage in Mumbai yesterday and now in Telangana today.

Q.The use of cyber offensive tools and espionage is a fairly active element of the People’s Republic of China. Discuss in light of recent incidences of cyber attack in India.

Red Echo & ShadowPad

• On February 28, a Massachusetts-based firm published a report saying it had observed a steep rise in the use of resources like malware by a Chinese group called Red Echo.
• It aimed to target “a large swathe” of India’s power sector.
• It said 10 distinct Indian power sector organisations were targeted, including four Regional Load Despatch Centres (RLDCs) that are responsible for the smooth operation of the country’s power grid by balancing the supply and demand of electricity.
• Red Echo used malware called ShadowPad, which involves the use of a backdoor to access servers.

India confirms cyber attack

• The Ministry of Power has confirmed these attempts, stating it had been informed in November 2020 about the ShadowPad malware at some control centres.
• The Ministry said it was informed of Red Echo’s attempts to target the country’s load despatch centres in February.
• It had said “no data breach/data loss” had been detected due to the incidents.

What does it imply?

• This is clearly something that is linked to China’s geopolitical interests.
• It is established very clearly that the use of cyber offensive tools and espionage is a fairly active element of what the People’s Republic of China seems to be adopting and encouraging.
• Even when they are not directly in charge of an offensive operation, they seem to be consistently encouraging actors to develop this capability.

PRC’s long term strategy

• These cyber-attacks are seen as an attempt to test and lay the grounds for further operations in the future.
• We need to remember that sometimes these offensive operations are carried out to distract people from other places that they might be targeting or other activities that might be occurring.
• There was an increase in cyber offensive operations and incidents around the world in the second half of 2020 especially targeting the healthcare and vaccine space.
• When vaccine companies are targeted, the motive could be competition.
• The motivation behind Stone Panda’s attack against SII and Bharat Biotech’s IT systems was to extract the companies’ intellectual property and gain a competitive advantage.

Other such attacks: Stone Panda & vaccines

• A Chinese hacker group known as Stone Panda had identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India.
• These companies have developed Covaxin and Covishield, which are currently being used in the national vaccination campaign.
• They are also in the process of testing additional Covid-19 vaccines that could add value to efforts around the world.

The ‘SolarWinds hack’, a cyberattack recently discovered in the US, has emerged as one of the biggest ever targeted against the US government, its agencies and several other private companies.

Do you know about the ‘Five Eyes’ group of nations?

Solar-Winds Hack

• It was first discovered by US cybersecurity company FireEye, and since then more developments continue to come to light each day.
• The US termed it as a highly sophisticated threat actor calling it a state-sponsored attack, although it did not name Russia.
• It said the attack was carried out by a nation with top-tier offensive capabilities and the attacker primarily sought information related to certain government customers.

How dangerous is the attack?

• This is being called a ‘Supply Chain’ attack.
• Instead of directly attacking the federal government or a private organization’s network, the hackers target a third-party vendor, which supplies software to them.
• Once installed, the malware gave a backdoor entry to the hackers to the systems and networks of SolarWinds’ customers.
• More importantly, the malware was also able to thwart tools such as anti-virus that could detect it.

The deadliest cyber-attack ever in the US

• The US Energy department which is responsible for managing America’s nuclear weapons is the latest agency to confirm that it has been breached in the SolarWinds cyber attack.