Opinion » Lead

Updated: May 19, 2012 00:45 IST

Keeping India safe in cyberspace

Shivshankar Menon
Comment (13)   ·   print   ·   T  T  
The Hindu

There is need to find indigenous technologies and equipment to deal with this constant and undeclared threat

There is increasing concern in the strategic community and the general public about cyber security and we are in the final stages of preparing a whole-of-government cyber security architecture.

Our increasing dependence on cyberspace and the internet is evident. We had over 100 million internet users in India over two years ago. Add to this the 381 million mobile phone subscriptions with internet connectivity and the increasing seamlessness with which all sorts of devices connect to the internet. There are well over 2 billion internet users in the world — a number that doubled in the five years between 2005 and 2010. These figures are growing exponentially. Most of us in one way or the other use and depend on cyber space in the performance of our work and daily life.

Fear of the unknown

Public concern about cyber security is rising, partly because of the weight of anecdotal evidence that is building up about cyber war and attacks. Stuxnet and Ghostnet, for instance, appear to most of us as unseen forces having apparently magical effects in the real world. It is also fear of the unknown, because most persons lack a conceptual framework or understanding that would enable them to deal with the issue.

The other reason for public concern and anxiety is the anarchic nature of the domain of cyberspace, glimpses of which naturally cause alarm. When this is combined with the potential effects of malicious attacks and disruptions in the cyber world upon such basic social necessities as power supplies, banking, railways, air traffic control, etc., it is only natural that people should worry about cyber security.

Nor do the experts help to allay concerns in their choice of the terms they use. We speak of cyber crime, when these acts are not a traditional law and order problem and cannot be dealt with as such, thanks to problems of attribution and punishment and lack of legal frameworks.

We also speak of cyber war, even though conflict or attacks in the cyber world do not follow the rules or logic of war as understood so far in other domains. In this new domain of contention war, espionage, surveillance, control and the traditional security functions, activities and crimes occur but differ from those in traditional domains. Here we have to unlearn some of the lessons we learnt from earlier revolutions. Traditional deterrence hardly works in a battle-space like the cyber world where the speed of operations and attack is almost that of light. At these speeds there is a premium on attacking first, or offence.

The effect of ICT on warfare is evident in command and control, in the new surveillance and communication technologies and in cyber operations which have kinetic effects in the real world. We have seen a new way of warfare, a true RMA, since the early 1990s, enabled by ICT.

Non-state actors

The ICT revolution has also brought power to non-state actors and individuals, to small groups such as terrorists. It has given small groups and individuals the means to threaten and act against much larger, more complex and powerful groups. Since the technology is now available or accessible widely, and is mostly held in private hands, ICT has redistributed power within states.

We see the practical effects of these changes all around us. Look at the social and political effects of new technologies in the turmoil in West Asia. The cocktail of social media, 24-hour television, NGOs and Special Forces create a virtual reality which soon has effects in the real world.

These are not just law and order problems, and they are not amenable to the traditional responses that states are accustomed to. We have seen technology place increasingly lethal power in the hands of non-state actors. The effects can range from the benign to the dangerous, though the technology itself is value neutral. In West Asia today, we see its use by popular movements to mobilise people and influence opinion against regimes across the Arab world. Autocratic regimes across the world now take the power of ICT very seriously.

Equally, intelligence and espionage increasingly rely on what are euphemistically called national technical means, namely cyber penetration and surveillance. The same technologies also empower the state in terms of its capacity for internal surveillance, interception and so on. Their power and reach raise fundamental issues about the lines that a democratic society must draw between the collective right to security and the individual's right to privacy. What makes this more complicated is the fact that these technologies are not just available to the state, where laws and policies can control and limit their use. They are widely available in the public domain, where commercial and individual motives can easily lead to misuse that is not so easily regulated unless we rethink and update our legal and other approaches.

Between states, information technologies and their effects have made asymmetric strategies much more effective and attractive. In situations of conventional imbalance between states we see that asymmetric strategies are increasingly common. Cyber war and anti-satellite capabilities are uses of technology by a weaker state to neutralise or raise the cost and deter the use of its military strength by a stronger country.

In the name of defence all the major powers are developing offensive cyber capabilities as well as using cyber espionage. So are smaller powers who see ICT as an equaliser. One estimate speaks of about 120 countries developing the capacity for cyber warfare. But by its nature, as WikiLeaks showed, the threats in this domain are not just from states. These technologies have also enabled individuals and small groups to use cyberspace for their own ends. We in India are subject to unwelcome attention from many of them.

The government is in the process of putting in place the capabilities and the systems that will enable us to deal with this anarchic new world of constant and undeclared cyber threat, attack, counter-attack and defence. We need to prepare to deal with both threats to cyberspace and risks arising through cyberspace.

While the NTRO is tasked to deal with the protection of our critical security cyber infrastructure, institutions like CERT-IN have proved their worth during events like the Commonwealth Games in defending our open civil systems. We are making a beginning in putting in place a system of certification and responsibility for telecommunication equipment and are working on procedures and protocols which will rationalise communication interception and monitoring. We need to harden our networks. And we will develop metrics to certify and assure that our critical cyber networks, equipment and infrastructure are secure. We need also to create a climate and environment within which security is built into our cyber and communications working methods. And, most important, we must find ways to indigenously generate the manpower, technologies and equipment that we require for our cyber security.

Proactive policy

There is only one part of the IDSA Task Force's recommendations with which I have a difference of emphasis. It speaks about “proactive diplomatic policy” on cyber security, and suggests that multilateral efforts for international internet governance are useful. The Report itself recognises that most proposals for international internet governance are thinly masked efforts to control or shape the internet, and that some are ideologically driven. Inter-governmental rules of the road are certainly desirable. No one can argue against them. But we must be clear that they will not have practical effect or be followed unless they are in the clear self-interest of those who should be following them. Let us, therefore, concentrate on putting our own cyber security house in order. That should be our first priority.

(Shivshankar Menon is the National Security Adviser. This is an edited version of his May 16 speech at the launch of the Institute for Defence Studies and Analyses Task Force report on India's Cyber Security Challenges.)

More In: Lead | Opinion

I was astonished by Mr. Shivsankar Menon's opinion in 'Keeping India
Safe in Cyberspace' (The Hindu, 18 May, 2012) that WikiLeaks'
revelations amount to a threat, in the class of cyber crimes. Threat
they may be to those whose thoughts were out in the open, but for many
others, they are a valuable insight into the hypocritical core that
most governments have within them.

Is Mr. Menon's opinion not a convenient avoidance of the context and
circumstance of those revelations, at the expense of Bradley Manning's
committed effort to compile the vast cache of correspondence, memos,
reports and documents and to hand it over to WikiLeaks for publishing?

That act was just a replication of the age-old art of pilfering and
eavesdropping. Cyber space and means were just the medium and tools to
do the job. In the subject case, that was not very sinister because,
many others had similar access to those materials.

from:  Devraj Sambasivan
Posted on: May 21, 2012 at 04:16 IST

Till I read the last para I thought Mr. Menon would suggest that the
solution of the problem would lie in an inclusive and consultative pan
universe approach rather than exclusive country centered approach. But
he has the reverse ideas. Nobody can deny that cyber waves penetrate
and defies all geographical boundaries and demographic limitations.
With such a sharp power to penetrate isn't it somewhat naive to think
that let India erects it's own cyber security and China will not be
able to develop the counter. If this happens then all the rival
countries would build their cyber capacity to destroy their anti cyber
security. There will arrive a stage when the will be facing
"existential threats" through cyber deterrent as today it's facing due
to nuclear deterrence. So instead of taking singular steps an inclusive
step seeking the consent and inputs from all the nations would be more
effective and truly serve the purpose.

from:  Ajeet Tiwari
Posted on: May 18, 2012 at 23:53 IST

India is one of the largest user of Internet in the world. Along with the technological growth, people are getting more dependent on the Internet. Cyber Crime is one of the heinous crime whose effects are dreadful. The cyber security in India was ignored in the past and now initiatives are undertaken. Along with the Cyber security, Cyber forensics should also be given importence. The cyber security secures the e-governance & ICT (information and communication technology) where as Cyber Forensics secures the base by identifying the loopholes. People who are using internet for private use must use original Anti-virus and update it when required, to protect their personal datas.

from:  Ankita Goswami
Posted on: May 18, 2012 at 21:51 IST

Author narrated a vivid story on Security concern in cyberspace. I
foresee Cyberspace hacking mayhem to the society, if not properly
handled. I think to conquer this menace we must draw few lines to curb
as taking finger prints of user, use protocols for data flows, high
profile software to get trace the end user, by restricting access to few
people to confidential government network, and strong forensic experts
.This story hit the bulls eye by making alert to hoi polloi, social
organization as well as government body.

from:  Prasannajeet Mohanty
Posted on: May 18, 2012 at 18:56 IST

Which is the first constant and undeclared threat? Is he talking about the Government Corrupt Officials and Parties? Why the mainline News Papers like The Hindu always present the views of Establishment(ex or present)without a contrasting views from Industry Professionals, I dont understand. The Governments world over can never understand IT and how it freed the people.The Big Spending Governments are the major threat to IT, not the Terrorists.

from:  Raj Subramanian
Posted on: May 18, 2012 at 17:58 IST

Forget about the stuxnet and other infrastructure. Countries need to fix brains off
moron internet users who put their private lives on internet and expect "Privacy" :)

from:  Steve
Posted on: May 18, 2012 at 15:46 IST

"There is need to find indigenous technologies and equipment to deal with this
constant and undeclared threat"

Well, who is going to find it? Some foreigners? In this society of cyber collies and
back offices (called BPOs and software development), and a large majority of
young (and even old) people running after cricket and bollywood, how can the
youth even imagine finding basics of indigenous education, food, security and
social life?

this is not going to happen anytime soon. Young and old are all drowning in
following somebody (whether local or international)

from:  venkat
Posted on: May 18, 2012 at 15:42 IST

I've loved the freedom that internet has given me and the country. Didn't internet catch the government off guard by allowing movements like IAC headed by Anna Hazare? Would that have been possible without internet? While security is a concern, we must adapt security in an individual level than have our internet lives controlled by government. Freedom first!

from:  Anand I
Posted on: May 18, 2012 at 12:56 IST

This article is typical example of how old world bureacrats view the internet - as a mire of anarchy and militant tendencies. Most of the text of this speech is clear hyperbole and the rest is uninformed conjecture. Multiple studies (google them, if you know how to) have shown that the threat of so-called cyber terrorism is grossly inflated and is fueled mostly by rhetoric by people like Menon.

Just because some group on the internet defaced a couple of sites yesterday, does not mean everything from IB's secrets to our nuclear launch codes are now at the disposal of nerdy terrorists. Bureacrats have taken a page out of politicians' books by going on a diatribe about "the cyber threat" at every such opportunity without understanding what a DDoS attack is or how our most secure networks are not even connected to the internet.

I implore these ignorami to please secure our borders, trains, buses and public places rather than fretting about imaginary threats.

from:  Ameya
Posted on: May 18, 2012 at 11:54 IST

The author and the Indian Government seem to have a problem with freedom. The Internet gives people freedom and the Indian Government doesn't like it.
The Indian public are not concerned with the likes of STUXNET to their public utilities when a rain shower can cause a power cut. The only problem for individuals is identity theft when thieves using other people's identities to obtain goods and services.
Other countries in Asia use and embrace the internet. In India there is fear.

from:  john
Posted on: May 18, 2012 at 06:28 IST

Yes, but first let us make the real space safe. We should worry about
imaginary stuxnets attacking our installations after sorting out real threats of a mundane kind that take aim at our country: poverty, tiny mean microbes, and above all, real education in its true sense. If we work on this, the youngsters of today who are now coding their youth away for money, will take care of stuxnets and bigger threats, and not let graying men in suits worry about them.

from:  Hemachander
Posted on: May 18, 2012 at 05:24 IST

Cyber security is a “Cat and Mouse” game, the IT admin managing a
network or server has to keep himself updated and the computers. Same
goes for the people working in that office or home. But most IT admins
in Govt. sector are Govt. employees and hired on basis other than the
qualification. These then do what all the govt. employees do best.
Instead this should be outsourced to some private Indian company.
Second, any security company will tell you this, if there is a
confidential data then do-not-connect that Machine to internet, period.
But in a large organization where office are far away and need to
access the data, then allow only that which is required, and that too
over secure layer and encrypted files.
One thing that is important is educate them. Also understand that a determined attacked (say Govt. funded) will be able to break in.

from:  vignesh
Posted on: May 18, 2012 at 02:41 IST

A viable approach would be to tax IT companies/services profit and
earmark an amount for the creation of a National Institute of
Communications Research that will attract and retain the best talent
from around the world and will be managed on a pay for performance
basis. Such an initiative can give back to the industry it taxes
through innovations that can be commecialized. With Indian IT industry
being very short term profit focused, it is unlikely that some major
effort will emerge without government coordinating it.

Posted on: May 18, 2012 at 00:52 IST
Show all comments
This article is closed for comments.
Please Email the Editor



Recent Article in Lead

Delhi Chief Minister Arvind Kejriwal shakes hand with Lt. Governor Najeeb Jung, after taking oath of office as new Chief Minister. File Photo: R.V. Moorthy

More constitutional than political

A reasonable case can be made that the Delhi Lieutenant Governor’s discretionary powers do not extend to the appointment of the Chief Secretary without the ‘aid and advice’ of the Chief Minister and his Council of Ministers »