By Indrani Bagchi and Vishwa Mohan | TOI
ON THE WEB, 16 October 2012
Recognizing the threat of cyber attacks from a host of hostile entities — ranging from domestic saboteurs to foreign rivals — a new initiative intends to train five lakh cyber warriors in the next five years to meet a critical gap in India’s defences.
A government-private sector plan will look at beefing up India’s cyber security capabilities in the light of a group of experts reckoning that India faces a 4.7-lakh shortfall of such experts despite the country’s reputation of being an IT and software powerhouse.
Efforts to draw up a strategic plan for India, being overseen by National Security Advisor (NSA) Shivshankar Menon, may need to be speeded up as India lacks the research and planning that leading western and Asian nations have already undertaken.
Cyber warfare has emerged as a top threat to national security, with India’s systems subjected to an increasing number of cyber attacks that are also more sophisticated. India faced a severe test during the 2010 Commonwealth Games when cyber attacks from Pakistan and China sought to damage information systems.
Most of the attacks India deals with originate from countries like the US, China, Russia, a few east European countries and Iran. Chinese hackers have targeted a large number of institutions, even stealing data from schools run by the armed forces.
A Canadian investigation in 2010 revealed that Chinese hackers had reached Indian missions at Kabul, Moscow, Dubai, Abuja, the US, Serbia, Belgium, Germany, Cyprus, the UK and Zimbabwe. A machine at the National Security Council secretariat was tapped, as were computers at military engineering services (MES).
Computers linked to the 21 Mountain Artillery Brigade, the Air Force Station at Race Course Road opposite the PM’s residence, the Army Institute of Technology at Pune and Military College of Electronics and Mechanical Engineering at Secunderabad were also compromised.
Capacity building was the core message of the cyber security recommendations unveiled by Menon on Monday. The report — “Engagement with Private Sector on Cyber Security” — said the government would introduce specialized “cyber security related curriculum” in engineering and management courses and establish a multi-disciplinary centre of excellence.
The Centre plans to establish an autonomous institution, the Institute of Cyber Security Professionals of India, along the lines of the Institute of Chartered Accountants of India (ICAI), and to make “cyber security audits” mandatory for companies by amending the Companies Act.
A recent report by Bloomberg said a “trove” of confidential data had been mined from the computer of Y C Deveshwar, CEO of ITC, for over a year before the company was alerted. In the public sector, less than 20% of the cyber attacks on national security systems are even reported. Bloomberg quoted security experts to say “networks of major oil companies have been harvested for seismic maps charting oil reserves; patent law firms for their clients’ trade secrets; and investment banks for market analysis that might impact the global ventures of state-owned companies.”
The report identifies four pilot projects including setting up pilot testing labs, conducting a test audit, studying sample Critical Information Infrastructure and establishing a multi-disciplinary Centre of Excellence.
India is only following the lead of countries like the US, where secretary of defense Leon Panetta said the US needed to work on new laws. Panetta warned of conventional attacks combining with cyber strikes.
“This kind of phenomenon is something we need to learn to deal with. This is something new. The important thing for a democratic society like us is how do we do it while maintaining democratic freedoms,” Menon said.
- Creation of Information Sharing & Analysis Centres (ISACs) in various industry verticals by the private sector that should coordinate with sectoral CERTs and CERT-In.
- Provide training to law enforcement agencies (LEAs) in cyber-crime investigation and cyber forensics by establishing training facilities and developing training materials & investigation manuals.
- Promotion and dissemination of cyber security awareness among general public through mutual collaboration.
- Establishment of an “Institute of Cyber Security Professionals of India” for capacity building in security testing and auditing.