Revelations by Canadian investigators that a cyber spy ring based in China specifically targeted India’s defence establishment are expected to set off a major cyber security overhaul by New Delhi.
Privileged information suggests the Indian government could seriously consider creating the position of a cyber security czar whose mandate would be to fundamentally overhaul cyber security and bring the currently fragmented networks under a clearly defined structure.
The overhaul will demand a whole new approach outside bureaucratic confines, since it necessarily requires tapping a cyber security community largely made up of young professionals in their 20s and 30s. Because this community is used to working in a highly non-hierarchical environment with a great deal of personal freedom, the government will have to use the office of the cyber security czar as its interface with these young professionals.
Although cyber security had already been a government focus for some time, a 10-month-long investigation by the University of Toronto’s Munk Centre for International Studies, Canadian security firm SecDev Group and US-based cyber sleuthing organisation Shadowserver Foundation has added extra urgency to the task. The investigators have issued a report titled “Shadows in the Cloud: An investigation into cyber espionage 2.0”, which highlights how India’s defence establishment was seriously penetrated by cyber attackers based in Chengdu, the capital of Sichuan province in southwest China.
The report exposes widespread penetration of computer systems at the National Security Council Secretariat (NSCS), which is part of the Prime Minister’s Office, Indian diplomatic missions in Kabul, Moscow, Dubai and Abuja, Military Engineer Services, Military Educational Institutions, the Institute of Defence Studies and Analyses, the National Maritime Foundation and some corporations. It is hard to quantify the damage the information obtained by the hackers can cause, but it could be potentially significant.
The report has served to highlight serious flaws and vulnerabilities in India’s official information networks. Those who know how the systems work point to a “lack of discipline” in even seemingly trivial details, such as senior government officials in sensitive positions still using email addresses on Yahoo, Hotmail and Gmail. They say that while no email system can be made foolproof, these free accounts are even less so. Even the use of social networking sites such as Facebook and Twitter is known to be prone to systematic attacks.
Apart from the inherent interest in India’s defence and other establishments because of its rise as a major power, there is also another reason why the country has emerged as an important target. Its position as home to large IT companies which are in turn repositories of vast global information also makes India particularly attractive to hackers. In a sense hacking India could lead to a great deal of diverse economic, financial, health and other forms of valuable intelligence.
One of the primary mandates of any future cyber security czar would be to create a multi-layered security system around India’s national assets, so that no single successful penetration would yield a treasure trove of information in one place. The cyber security czar could also be mandated to lay down standards and a code of conduct for those in the government who handle data of a sensitive nature. Informed sources say the czar would report to the National Security Advisor and would often end up operating outside the traditional command and control structure of the Indian bureaucracy because of the kind of monitoring the office would be expected to do.
One specific approach that the Indian government might have to consider adopting relates to what in industry parlance are known as defensive and offensive hackers. While the former’s job would be to ensure strong defences against all attacks, the latter’s would be to take an active part in the worldwide hacker community that produces and spreads malware, the malicious software used to infiltrate large systems. Such participation is seen as crucial to pre-empting attacks. It is in this context that the Canadian investigation makes an interesting point.
Under the section “Patriotic Hacking” the report says, “The PRC (People’s Republic of China) has a vibrant hacker community that has been tied to targeted attacks in the past and has been linked through informal channels to elements of the Chinese state, although the nature and extent of the connections remain unclear. One common theme regarding attribution relating to attacks emerging from the PRC concerns variations of privateering model in which the state authorizes private persons to perform attacks against enemies of the state.”
Unlike China, which has developed a sizable community of defensive as well as offensive hackers, India has not even begun to evolve a cohesive approach to what cyber security experts regard as a decisive aspect of the information technology-driven world. Since the government cannot officially or even unofficially recruit these hackers, it will have to find creative ways to utilize their services and create enough indirect protections in the event some of them run afoul of law-enforcement agencies which may not know about their existence.
This is clearly a grey area which many cyber security experts say is a necessary evil. It is conceivable that India may have to create its own version of “patriotic hackers” if it has to effectively thwart hacking attacks.