
Introduction

The nature of war does not alter, but its character does. Several seminal events and technological innovations were responsible for these alterations. War has expanded from the land and sea domain to air and space with the advent of the modern air force and space orbiters. In the last two decades, warfare discovered yet another powerful medium offered by ubiquitous digital networks, thus establishing the fifth dimension: ‘Cyberspace’.

Background: Reality of Cyber Vulnerabilities

Cyberspace vulnerabilities are evident from the annual global statistics of cyber attacks suffered by a majority of nations. The 2012 Cyber Crime report of 24 leading countries by Norton indicated 556 million victims with an estimated loss of $110 million, as shown in Figure. Therefore, it cannot be denied that a cyber attack is not an end in itself, but a powerful means to a wide variety of ends, from propaganda to espionage and Denial of Service (DoS) to destruction of critical infrastructure.

Global Flavor of Cyber Warfare

The scope and dimensions of the lethality of cyber attacks were evident when the Syrian air defense was reportedly disabled in October 2007 by the Israeli Air Force. In another instance, Russia accrued significant benefits as it tightly integrated cyber operations with kinetic, diplomatic and strategic communication operations during the 2008 Georgia conflict. In 2009, the reach and range of cyber espionage were also demonstrated by the ‘GhostNet’ program devised by China to snoop on 103 countries. The fundamental methodology practiced by individuals with malicious intent was to inject malicious software, universally known as malware. Malware such as Titan Rain in 2004, Stuxnet in 2010, Duqu in 2011, Flamer and Disttrack (Shamoon) in 2012 and Red October in 2013 demonstrated ever-increasing levels of sophistication and lethality. The escalating trend in the number of malware recorded up to mid-2013

Indian Cyber Space Perspective

The annual cyber crime statistics released by Norton reported that India suffered losses worth $8 billion in 2011. The annual average number of cyber crimes was estimated to be 42 million on a pan-India basis. Similarly, in another report, Indian Computer Emergency and Response Team (CERT-In) registered a total of 22060 attacks in the year 2012. The trends, as shown in Table 1, indicate a staggering 9,58,130% increase since 2004.

Evidence of Cyber Attacks

The most compelling evidence of cyber attacks was the hacking of the Prime Minister’s Office in 2011 and the breach of 12,000 sensitive email accounts in 2012, including those of officials from the Ministry of External Affairs (MEA), Ministry of Home Affairs (MHA), Defense Research and Development Organization (DRDO) and the Indo-Tibetan Border Police (ITBP). Such intrusions also permeated into the Indian Armed Forces domain, though with limited success. Overseas cyber attacks were also reported from the Indian Embassies at Kabul and Moscow, the Consulate General at Dubai and the High Commission at Abuja, Nigeria.

Indian Countermeasure Framework

India’s response to cyber threats so far has been reactive and piecemeal. Over the last two decades, India has relied either on the formation of a new agency or a coordination committee after every major cyber attack or intelligence failure. Complementing these actions, India’s Department of Electronics and Information Technology (DEITY), under the aegis of Ministry of Communication and Information Technology (MCIT), released the country’s maiden National Cyber Security Policy (NCSP) on 02 Jul 2013. The policy document was considered a step in the right direction by the Data Security Council of India (DSCI) and Institute for Defense Studies and Analysis (IDSA). However, it is opined by the author that the policy still overlooks several cyber issues and fails to incorporate lessons learnt by cyber mature nations. Comparatively, in the last three decades the US, UK, Europe/North Atlantic Treaty Organization (NATO) and China have crossed the Rubicon in cyberspace security and warfare. The essence of their policy, concept and organization are discussed in succeeding paragraphs.

Multiple Cyber Agencies

Over the last two decades, the responsibility of cyberspace security has been fragmented among several ministries, agencies, departments and even non-government organizations (NGO), thereby making coherent and consistent government-wide action a challenge. Table 2 is a depiction of all the recognized agencies involved in cyber security.

 

Table 2: India’s Cyber Organisation

PM Office/Cabinet Secy (PMO/Cab Sec) | Ministry of Home Affairs (MHA) | Ministry of External Affairs (MEA) | Ministry of Defence (MOD) | Ministry of Communication and Info Technology (MCIT) | Non Govt Organisation (NGO)
National Security Council (NSC) | National Cyber Coordn Centre (NCCC) | Country Ministers and Ambassador | Tri Service Cyber Command – Pending Operationalisation | Department of Information Technology (DIT) | Cyber Security and Anti hacking Organisation (CSAHO)
National Technical Research Orgn (NTRO) | Directorate of Forensic Science (DFS) | Defence Attaches | Army (MI) | Department of Telecommn (DoT) | Cyber Society of India (CySI)
National Critical Info Infrastructure Protection Centre (NCIIPC) | National Disaster Mgt Authority (NDMA) | Joint Secretary (IT) | Navy (DNI) | Indian Computer Emergency Response Team CERT-IN | Centre of Excellence for Cyber Security Research & Development in India (CECSRDI)
Joint Intelligence Group (JIG) | Central Forensic Science Lab (CFSLs) | Air Force (AFI) | Education Research Network (ERNET) | Cyber Security of India (CSI)
National Crisis Management Committee (NCMC) | Intelligence Bureau (IB) | Def Info Assurance & Research Agency (DIARA) | Informatics Center (NIC) | National Cyber Security of India (NCS)
Research and Analysis Wing (RAW) | Defence Intelligence Agency (DIA) | Centre for Development of Advanced Computing C-DAC | Cyber Attacks Crisis Management Plan of India (CACMP)
Multi Agency Center (MAC) | Defence Research Dev Authority (DRDO) | Standardisation, Testing and Quality Certification (STQC)
National Information Board (NIB)

Prognosis.

It can be easily concluded that no single official or entity oversees implementation of cyber security policy across the nation, and no single agency has the responsibility or authority to match the scope and scale of the cyber challenge, thereby eluding unity of command in the country. This hypothesis is supported by the following arguments:

Multiple Apex Agencies.

To start with, the apex level itself has as many as six agencies (appended below), which are involved in cyber security management. [42] Over and above, the NCSP-13 has prescribed the formation of yet another apex level agency namely, ‘National Cyber Coordination Centre’ (NCCC), [43] thus adding to the confusion.

  • National Information Board (NIB) [44]
  • National Security Council (NSC) / National Security Council Secretariat (NSCS) [45]
  • National Crisis Management Committee (NCMC) [46]
  • National Disaster Management Authority (NDMA) [47]
  • National Cyber Response Center (NCRC) [48]
  • National Technical Research Organization (NTRO)

 

  • Nebulous Second Tier. The onus at the next level is spread across the Ministry of Communication and Information Technology (MCIT), Ministry of Defense (MoD), Ministry of Home Affairs (MHA) and Ministry of External Affairs (MEA), thereby diluting accountability and clear lines of reporting.

 

  • Overlapping Responsibilities. Often, agencies have been assigned overlapping responsibilities. For instance, CERT-IN, formed in 2004 vide GoI IT Act of 2000 (70B) under MCIT, was mandated to ensure cyber security of Critical Infrastructure, [49] which was later limited to only non-critical structures. Four years later, the National Critical Information Infrastructure Protection Centre (NCIIPC), formed under the NTRO vide GOI under IT (Amendment) Act, 2008, 70A, [50] was mandated with the protection of critical infrastructure, directly under the Prime Minister’s Office (PMO). At the same time, the National Disaster Management Authority (NDMA), which is under MHA, was also assigned responsibility for protection of cyber critical infrastructure. It can now be seen that three different agencies under three different ministries are operating towards the singular objective of securing critical/non-critical infrastructure.

 

  • In the past, although the lead was taken by DEITY/MCIT in formulating national policy, this ministry does not have jurisdiction over influential ministries/departments like the MoD, MHA and NSCS/NTRO.

 

  • Though the National Security Council/National Information Board (NSC/NIB) is the sole authority to formulate and promulgate national policies, NCSP-13 was released by DEITY, which operates under another ministry, i.e. MCIT.

 

  • NIB has become too unwieldy with 21 secretary-level [51] members drawn from the entire spectrum of Indian ministry and bureaucracy who usually double-hat as NIB members. There are two impediments here: firstly, it takes enormous effort to assemble all NIB members together, and secondly, it leads to decision paralysis and protracted

 

  • CERT-IN is designated as a nodal cyber incident referral agency which is under MCIT but does not have any law enforcement capability/ responsibility which is currently assigned to

 

  • MEA Entry into Cyberspace. MEA too has nudged into cyberspace as another coordinating agency. It has coordinated bilateral agreements on Cyber Security between CERT-In (under another ministry, MCIT) and USA, [52] Korea [53] and UK. [54] This is another classic example of wires being crossed between two ministries.

  • Furthermore, the MoD has mandated the Defence Information Assurance and Research Agency (DIARA) and the DRDO as the nodal cyber security agency for the armed forces. The NCSP-13 has not brought out clearly whether their role would be in tandem or in isolation in the event of a national cyber crisis.

 

RECOMMENDATIONS

 

Cyber Policy

 Formulation of National Security Policy.

India must formulate an all-encompassing National Security Policy (NSP) by the Cabinet Council on Security (CCS) and NSC, duly endorsed by the PMO. The National Cyber Security Policy should be a subset of this policy. Thereafter, a National Cyber Doctrine can be formulated by NSC/NIB, and a Cyber Security Strategy by respective ministries. This would introduce tier-based ‘policy-doctrine-strategy’ formulation and ensure a ‘whole-of-nation’ approach in cyber security. The policy document must adequately articulate the role of the armed forces and the review cycle.

 

Cyber Organization

 

Revamp Apex Organization.

In sum, there are six apex bodies, five ministries, almost 30 agencies and five coordinating agencies that make up the cyber organization. Needless to say, it requires serious introspection to make the entire structure conducive to effective command and control. It is recommended that GoI reconfigure apex bodies to create a single empowered authority to resolve the predicament of multiplicity at the top level. It is proposed that an exclusive ‘Cyber Security Center (CSC)’ be formed under the National Security Council (NSC), which would be singularly responsible for policy formulation, budget allocation and nationwide implementation. The CSC team should be constituted from personnel who have served in the field of cyber security at MCIT/MoD/MHA/NSCS in the past for a minimum period of five years. The existing and proposed structures are as follows.

[Figure: Present Organizational Structure]

[Figure: Proposed Function-based Hierarchical Structure]

A Leaner NIB.

Although NIB saddled with 21 members has overarching control, it is ineffective and too unwieldy. It ought to be reduced to five to six members as the core, and the remaining members associated as subordinate members. It is recommended that at an opportune time NIB be merged with the aforesaid CSC.

 

Remodel Cyber Security Structure.

It can be seen that due to progressive proliferation of multiple agencies, no organization can claim primacy in the Indian cyber security landscape. The overall structure too does not follow any classical configuration, thereby having multiple reporting lines and blurred accountability. It is recommended that the cyber organization be remodeled based on functionality and integrated collaborative structure. One such proposal is summarized in Table 3.

 

  • As CERT-In does not have powers for law enforcement in the cyber domain, it is recommended that this agency be shifted under MHA from This would not only simplify lines of reporting, but also ensure single-point responsibility and accountability of vulnerability assessment and law enforcement.

 

  • The facility at DRDO, which is also foraying into the cyber security domain, must restrict itself to the Armed Forces. The onus of design and development of software for cyber security must remain with MCIT as the facility already exists with Centre of Development for Advance Computing (CDAC).

 

  • As a short-term goal, MCIT needs to develop basic software on the lines of ‘WhatsApp’ or ‘Facebook’ for India, including the Armed Forces, and as a long-term goal it must aim to develop our own browser and Operating System (OS).

 

Agencies: CCS/NSC | Indian CSC* | NTRO/NCCC | MCIT | MHA | MOD | Pvt Players | NGO/Academic
Function: Apex | Internat’l Coopn | Ext Security | S/W and H/W/Network | Int Secy | Cyber W/F

National Secy Policy: ü
National Cyber Security Policy (NCSP): ü þ
National Cyber Doctrine: ü
Cyber Security Strategy: ü ü ü ü þ
Cyber W/F / Offense: ü
Cyber Secy: ü þ
Cyber Crime / Terrorism: ü þ þ
Critical Infrastructure: ü ü þ
Development of S/W / Net Technologies: ü ü þ
Interagency Coordination: ü
Interface with Pvt Players to Develop H/W: ü ü þ
International Treaties & bilateral MoU: ü
HR Development: ü þ
Overall Fiscal Management: ü ü

Table 3: Proposed Function-based Cyber Organization. ü indicates direct responsibility for the function and þ indicates a supporting role by external agencies.

* Proposed apex agency with sole responsibility of national cyber security

CONCLUSION

 

Given the ubiquitous and dynamic characteristics of cyber power laced with the connotation of transgression at the national and global level, there are several issues that would require governmental consideration. India’s inaugural National Cyber Security Policy (NCSP) is, on the whole, a step in the right direction. The policy hints at organizational mapping with references to CERT-IN and the NCIIPC, but the roles and responsibilities of the armed forces, other government agencies as well as the private sector are not clearly articulated, thereby making the nation vulnerable to cyber attacks. India has been acknowledged as the information backyard of the world; however, the government’s efforts to address cyber security over the last two decades have only been reactive and piecemeal. Unless the stated policy lacunae and organizational structure are adapted along the proposed lines, India will continue to remain vulnerable to marauding cyber attacks.


About Post Author

Indian Cyber Troops
