India today is the target of various state and non-state actors who are eager to wage a cyber war. Noted lawyer and cyber law and security expert Advocate Prashant Mali, who has done comprehensive research on cyber warfare, shares with Dataquest his views on India’s readiness for cyber warfare and the steps India must take to get an edge in the borderless cyberspace. With more than 20 years of experience, Advocate Prashant Mali is considered to be one of the foremost experts in cyber law in India, and has authored six books on cyber crime.
Some edited excerpts:
1. What is India’s readiness for cyber warfare?
Ans: India has the required infrastructure in place to deal with peacetime covert cyber warfare, which includes offensive and defensive capabilities. These are the Department of Electronics and Information Technology (DEITy), which includes the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC); the Department of Telecom (DoT); the National Technical Research Organization (NTRO); the Ministry of Defence; the Intelligence Bureau (IB); and the Defence Research and Development Organization (DRDO).
India has its own ‘cyber security architecture’ that comprises the National Cyber Coordination Centre (NCCC) for threat assessment and information sharing among stakeholders, the Cyber Operation Centre that will be jointly run by the NTRO and the armed forces for threat management and mitigation for identified critical sectors and defence, and the National Critical Information Infrastructure Protection Centre (NCIIPC) under the NTRO for providing cover to ‘critical information infrastructure’. The Indian Army’s Directorate of Signals and the CERTs of the Army, Navy and Air Force also play an important role.
India now has the first national cyber security coordinator (NCSC), a position being created to coordinate among all cyber agencies in the country. Young minds are recruited in R&D for cyber security. I feel India also needs a network of patriotic and mercenary hackers that allows the state to deny responsibility. India does have some assets like what I have stated, but they need to be more organized and looked after; using them and throwing them away when not required, or recruiting such hackers without any checks and control, can be self-disastrous.
The IITs have been there since the 60s in India. Still India has not become technologically advanced in anything. The US has benefited more from IITs than India. This should change now; the new Government has to stop this brain drain from India, which happens at the expense of Indian taxpayers. I envisage IITs to become forts for Indian cyber defense which could then be ably supported by their alumni across the globe.
2. Can you throw some light on cyber weapons?
I have almost completed writing a paper defining a cyber weapon, but the world has not yet accepted the definition of a cyber weapon. I can tell you with full authority that a cyber weapon is an Intellectual Property (IP) which can be used in peacetime and during wartime. These weapons largely depend upon Zero Day exploits and vulnerabilities, and have limited shelf life.
3. Is there any International Law or treaty governing incidents of cyber warfare?
In the second week of July 2015, a United Nations body agreed for the first time that there are rules of the road in cyberspace that all nations should respect, even during peacetime. The norms agreed by the U.N.’s Group of Governmental Experts include an understanding that nations should not intentionally damage each other’s critical infrastructure with cyber attacks; they should not target each other’s cyber emergency responders; and should assist other nations investigating cyber attacks and cyber crime launched from their territories.
The next U.N. General Assembly must adopt the norms before they’re binding on nations, which looks doubtful. Still, it’s more likely that they will be adopted by other international organizations or individual nations. The group of governmental experts from 20 nations produced a consensus document. The document says the right of self defense applies and you have to observe principles of [the Law of Armed Conflict] in doing it. It is like thinking of ways to say Article 51 without saying it, which authorizes the use of force in self defense against an “armed attack” and would add legitimacy to a military response to a cyber attack that caused death and destruction.
4. Are cyber attacks on Indian infrastructure rising?
Ans: Yes, cyber attacks on India increased from about 13,000 in 2011 to 62,000 till mid-2014, with most originating from cyber space of a number of countries including the US, Europe, Brazil, Turkey, China, Pakistan, Bangladesh, Algeria and the UAE, as per a report by the Computer Emergency Response Team-India (CERT-In).
One of the main reasons being attributed to such attacks is the non-adherence to basic cyber security policy and the extant guidelines by the departments due to which prophylactic measures to prevent the pilferage of data could not be put in place. Nearly a third of Indian organizations do not possess the knowledge to prevent cyber attacks even as the information technology world is turning increasingly vulnerable, according to a recent study by EY’s global information security survey.
India ranks 2nd in social media scams; India ranked 3rd in Asia for ransomware attacks; India is the 6th most bot-infected country; about 65% of bot infections reported in metros; 34% of cyber attacks in India were targeted at small businesses; India saw seven ransomware attacks per hour, 170 per day, about 60,000 in 2014.
5. How viable is the PPP model in managing cyber threats? What are the challenges?
This model has two sides. If not effectively controlled and managed, national security can be compromised in the hands of private players. If implemented with properly monitored SOP, the PPP model could increase our threat mitigation capabilities. Now, we have a full-time director Alok Vijyant for PPP in cyber security, who sits out of Delhi.
PPP has yet to find its feet in the cyber security domain. Cyber security and cyber warfare have so far been under the aegis of the government with private sector participation limited to providing the hardware and technologies needed by the government agencies. A joint working group has met six to seven times to finalize the PPP model. That said, in order to strengthen cyber security, the right public-private partnership model has to be adopted.
7. How are countries aligned to fight cyber attacks across the globe?
Cyber warfare doesn’t just involve nation-states, but also other organizations, such as terrorist groups, companies, political or ideological extremist groups, hacktivists and transnational criminal organizations. It has also been referred to as a type of fourth-generation warfare. The annual report of the Internet security company McAfee back in 2007 said that approximately 120 countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities. China, Russia & Iran are the major players in the cyber warfare space, but the feasibility of offensive cyber warfare capability of the weaker states against states with stronger kinetic warfare capability grants them a strategic advantage and enables them to change the balance of power to their advantage.
8. What are some of the key takeaways of the 7th International Conference on Cyber Conflict, which was held in Tallinn, Estonia by NATO which you were invited for recently?
CyCon is the annual NATO Cooperative Cyber Defence Centre of Excellence conference where topics vary from technical to legal, strategy and policy. The pre-conference workshop day, 26 May 2015, featured a variety of talks and hands-on training. The 7th International Conference on Cyber Conflict (CyCon 2015) held on 27-29 May 2015 in Tallinn, Estonia, focused on the construction of the Internet and its potential future development. This year’s topic – “Architectures in Cyberspace” asked what cyberspace is and will be in the coming years as well as what are its characteristics relevant for cyber security.
Admiral Rogers of the United States Cyber Command (USCYBERCOM) said, “I hope we do not find a world in which the Internet becomes something that fractures and where the ability to move information freely is controlled.” He emphasized that as no one entity controls cyberspace, cooperation partnerships are foundational for the future.
“The seas around the world are, much like the cyber domain, not governed by one single nation. We have created maritime norms and have to do the same in the cyber space to ensure a flow of information and ideas.” The Internet cannot be controlled by one single entity, he highlighted. Creating something equivalent to the maritime world that enables us to move ideas, goods and information freely around the globe, the Admiral said. I met and discussed my ideas of cyber warfare and international law with Michael Schmitt, the author of the Tallinn Manual. As I was the only person from India, I was humbled to sit and share my thoughts with more than 500 delegates, which included heads of cyber commands and cyber security heads from various countries.
9. Which country can be an immediate threat to India in cyber space?
I feel Iran has ulterior motives and the other threat that looms large is from Pakistan. If China is managed, I don’t perceive China as a threat as they are a data hungry state and net IPR infringers. Russia is the leader here and an eminent threat to everyone on the globe. They have mass production of ancillary items required for cyber warfare in place.
10. What should be the mantra to get an edge in this boundaryless cyber space for India?
Some advice which I have is:
1. India must have a National Defence Academy for cyberwarfare, where cadets can be trained and groomed for cyber warfare.
2. A solid database of all ethical and non-ethical Hackers with their cyber security credentials must be available at the Central Government’s disposal with definite registration with checks and controls.
3. Complete indigenization of the Operating System (OS) used for defence and Governmental working purposes.
4. Cyber war games must be conducted between Governmental and private organizations. To make this happen, the government must initially invest to create a robust infrastructure.
5. India should have some policy for the ownership of cyber security companies which are incubated and harnessed in India.
6. Cyber security must become a way of life in India. The topic in small doses should be taught from schools in all languages.
7. Cyber command should be an individual command.