|
|
Meeting the Chinese Cyber Insurgency Threat
The recent news reports about the Chinese hackers invading the Indian cyber space has opened up the debate on "Cyber Wars" yet again. Naavi.org has been advocating a National Cyber Security Agency for a long time to address this issue. While USA is already the global leader in military warfare and has also formally structured a presence in Cyber Warfare through the formation of a Cyber Command, China appears to be challenging USA in Cyber warfare.
When Pakistan terrorists were considered a threat to Indian Cyber space and undertook mass defacement of Indian Government websites, there was a private group in Bangalore which had tried to develop counter attacks. This "Private Cyber Army" concept appears to have fizzled out since there was an element of illegality associated with such an operation and it was necessary and a wise move to discontinue this outfit.
However as we have always been advocating, India does need a "Cyber Army" but under the command of the National Security forces. However, there has been no credible move in this regard and unless the Indian army has some secret projects going on, it appears that we are seriously behind the world in this space. Now Chinese appear to be using India as a practice ground for their US warfare against USA and the urgency has increased.
When the Dan Egersted incident revealed that the communication channels of many of our diplomats have been compromised, the only reaction of the Government was to advise its officers not to use e-Mails for critical communication. Now after the recent incidents of reported Chinese Cyber insurgency, Government has come up with another formula viz "Let all officials use two computers one for keeping secret information and the other for normal work". While the logic for such a move is understandable, it is a move which has little practical utility since it may introduce a complacency which is detrimental to the security of information without breaking the possibility of introduction of Trojans and viruses.
It must also be remembered that IBM computers are now being manufactured under the Chinese control and we donot know if the lenovo computers come with an embedded trap door that can enable Chinese authorities to snoop into the contents.
China has also successfully persuaded Microsoft to lodge a copy of the source code of Windows with the authorities to ensure that it is not possessing any software trap doors. But India has failed to do the same despite some noises having been made in the past. China has therefore acquired a defense capability of protecting its computers from software and hardware related trapdoors and India on the other hand has kept both these possibilities open.
Excepting Tamil Nadu, every other State in the Country is Microsoft driven in the e-Governance operations and we never know if our critical Government information is not amenable to snooping.
Before it is too late, we need to find solutions to all these problems.
Last year when Digital Society Day was celebrated by Naavi's Digital Society Foundation, an attempt was made to draw the attention f CERT as well as the then President of India, Dr Abdul Kalam to this burning National Security Issue. However Dr Kalam was on his way out from the office of President and CERT was in the midst of a reorganization attempt following the proposed amendments to ITA-2000 and hence sufficient follow up action did not ensue.
Now after a lapse of nearly 9 months, it is necessary to once again draw the attention of the Indian Public and the Government that a specific action plan is required to set up a "Indian National Cyber Security Force" which should become the focal point of all Cyber Security measures.
One of the problems in India is that different Ministries such as IT /Home/Defense Ministries in the Central Government as well as each of the State Governments will not work in unison and this creates a huge problem in security management scenario. IT ministry has already stated that NIC is responsible for the security of e-Governance operations but NIC may not be equipped to take up this responsibility against a Cyber War from a big force like China or USA.
It is therefore imperative to accept that the solution to National Cyber Security hinges on a finding a "Central Unified Command". This is not so critical in physical space where Army can take care of national security and Police can take care of internal security though even here co-operation becomes vital when dealing with foreign soldiers sneaking into the country and committing local crimes as it happens in terrorist attacks. In the Cyber Space where there are no international borders, it becomes essential that there is one single command that controls both external and internal cyber threats.
It is also necessary to realize that each corporate network connected to Internet itself can be used as a "Trapdoor" for international security agencies to sneak into the trusted Indian networks and hence "Security of Corporate Cyber Space" is also a concern for "National Security".
Keeping all these into consideration, Naavi proposes the following suggestions for national debate and wish this is taken up seriously by the persons concerned with National Security.
Components of the Security Plan
We need to develop an Indian National Cyber Security Policy document in which the following different segments need to be addressed.
- Security of the Critical IT Infrastructure of the Government
- Security of e-Governance infrastructure
- Security against Cyber Crimes
- Security of Information in the industry infrastructure
- Security of Individual desktops/electronic devices
While different agencies present and to be formed , in public and private sector can be assigned the role of securing these individual segments, the Policy should ensure that there is a "Unified Command " and a "Collaborative Structure" with appropriate "Incentives" for the users.
This UCI model of National Cyber Security is further explained below.
1. The Unified Command should be new Defense command on par with Army, Navy and Airforce. (This is in tune with the approach of USA)
2.There should be a National Cyber Security Advisory Board consisting of eminent persons from the public and private sector to provide the overall guidance to the scheme. This advisory Board will provide inputs to the Cyber Command.
3.Security of Critical IT Infrastructure of the Government may be coordinated by CERT reporting to the Cyber Command.
.4. Security of e-Governance Infrastructure may be coordinated by NIC reporting to the Cyber Command
5. Security against Cyber Crimes may be coordinated by a "Indian National Cyber Police Force" to be formed as a pan Indian force. All State Cyber Crime police outfits would be integrated with this All India Cyber Police force with unified command within this outfit. The role which CBI plays in interacting with Interpol will also be handled by this Central Cyber Police force in respect of International Cyber Crimes.
6. Security of Indian Industry infrastructure has to be coordinated by a new Voluntary body to be led by the Insurance Industry promoting "Cyber Crime Insurance". It may be called "Cyber Crime Insurance Society" to which Insurance companies can become members. This body will develop norms for Cyber Crime Insurance and inter-alia introduce standards of security that encompasses all aspects of Information Security known today in the form of ISO 27001, Legal Compliance, Audit Compliance etc. Additionally different industries such as Banking, Software Development, Hardware Development, Automobile etc can form industry level Cyber Security advisory bodies which can focus on the issues of each of these sub segments.
7. The individual Desktop , Laptop security and Mobile security may be coordinated again by the Insurance industry with incentives built into the following of best security practices both at the user end as well as the ISP/MSP/Device Manufacturer end. NGO s can also assist in developing a "Security Culture" with appropriate educational programmes aimed at Schools, Colleges etc.
There is definitely a big challenge ahead of us and it will take a lot of time and effort to achieve this. But let's remember the old truth "Little Drops Make an Ocean". It is time that we start collecting these little drops and hope that in due course the ocean will form.
Suggestions are welcome
Naavi
May 06, 2008
Related Articles:
Indian National Cyber Security...Challenges
Reorienting Information Security Infrastructure
Searching for Solutions to the Threat of Cyber Crime
BPO for BPOs, A Security Solution
Cyber Space Security..You Have a Role in it Too?
Cyber Space Security..Whose Responsibility is It?
Shared Information Security Infrastructure
Indian National Security on the Cyber Space Needs Attention
International Cyber Crime Conference ignores derangedsecurity.com
Cyber Terrorism Should be Recognized as an offence under ITA 2000