India Cyber Security: Need for More Robust Approach
Even as, “cyber wars,” have become a reality across the globe, India’s security czars have issued a report on Recommendations of the Joint Working Group (JWG) on Engagement with Private Sector on Cyber Security. The pork barreled Report which appears to be designed to benefit the large Information Technology sector in the country has a narrow focus that of convergence in public and private sector on cyber security. The motive is laudable yet the proposals appear to be too infirm to facilitate development of capabilities in meeting the challenges in the cyber domain in real time. Some issues which need consideration are outlined as per succeeding paragraphs.
Given the express task to the National Security Adviser (NSA) Mr Shiv Shanker Menon by the Prime Minister Dr Man Mohan Singh, the National Security Council Secretariat (NSCS) has been seized with this challenge for some time now. In response to a question by a media person on his return from the Non Aligned Meet (NAM) in Tehran the Prime Minister indicated, "I have been asking my NSA to zero in the gaps to find a viable policy to tackle the menace of cyber terrorism threat." Possibly the ambit includes all facets of threats emanating from the cyber domain and not just cyber terrorism.
Ms Vijay Latha Reddy the Deputy National Security Adviser is the point person for cyber security in the NSCS and has been the steering force behind the JWG. While the NSCS is an ideal medium for deliberations on important issues of national security, there are challenges it is likely to face in implementing proposals which essentially fall in the ambit of various ministries. The NSCS can at best push the envelope (files) for implementation yet it being a deliberative body has limitations in execution of the policy or even recommendations of its own report.
Thus there are serious concerns on this front and like many documents hitherto fore the JWG should not remain, “on paper”. Perhaps the issues which involve interests of private sector may get implemented given the vigor in this dimension, whereas when government institutions are involved ground for skepticism does exist.
The recommendations of the JWG Report are based on two seminal studies one by the Institute for Defence Studies and Analyses (IDSA) and a second one by the industry bodies NASSCOM and Data Security Council of India (DSCI). Both these studies released in March 2012, have highlighted some of the key challenges faced by India in the cyber domain and recommended institutional and other mechanisms to overcome the same.
The pace at which changes take place today may have rendered assessment of threats by these reports somewhat dated. Evidence denotes a full fledged cyber war being waged between Iran on one hand and United States and Israel on the other. Attacks on Iranian nuclear and energy infrastructure by the now famous Stuxnet worm have been followed by Duqu, Flame and mini Flame. These have been allegedly carried out by state parties implying US and Israel. On the other hand Iran is being accused of targeting US banking infrastructure and oil companies in the Gulf. Some of these attacks were fairly common denial of service attacks; others have affected the infrastructure for days.
Will the JWG Report prepare us for these scenarios referred to by some as a, “cyber Pearl Harbour,” the answer is clearly no; neither the report is proposed to be so. May be there is a more expansive document in the government domain which will cater for all cyber threats, cyber war, crime, terrorism, espionage and privacy violations. A holistic assessment of threats and strategy to meet these challenges is necessary if we want to realistically face the cyber challenge.
More over a central coordinating agency for cyber security does not exist and but for the NSCS which as has been highlighted is not an executive body the diffused approach split in many ministries, with Information and Communication, Home Affairs and Defence being the principal ones is unlikely to produce quick results.
The differences as well as linkages between cyber and information and communication security have also to be highlighted. These are different domains and have to be addressed separately as well as holistically. The dimension of information threats to societal security spread through the cyber and communication networks is a different ball game altogether and actions in the computer security domain are not likely to prove of help in meeting such challenges.
One common factor in the two reports by IDSA and NASSCOM- DSCI was identification of the need for Cyber Command in the armed forces with defensive and offensive capabilities. Present capability for offensive cyber attacks is likely to be in the National Technical Research Organisation as per some reports. The effectiveness of these is not clear even as some countries ranging from the United States, Russia, China, Iran and Israel are already fielding offensive cyber forces. Raising such units with calibrated capabilities is hopefully under consideration though this may not be reflected in the open domain.
Suffice to say, the JWG Report is hopefully the first step in India’s cyber capability accretion and a concerted campaign to meet this ever expanding challenge has to be undertaken under a nodal executive agency at the earliest.