Writing 2,500 years ago, Sun Tzu declared in his military treatise The Art of War: “Supreme excellence consists of breaking the enemy’s resistance without fighting”. It is a tribute to the Chinese military strategist’s genius that his dictum holds good even today after a couple of millennia, guiding nations, organisations and individuals in gaining control of their adversaries by using the tools of cyber warfare rather than physical engagement. In a world that is increasingly being driven by computer networks, there has been an alarming rise in the volume and sophistication of cyber attacks in the last few years. The most worrying aspect, however, is the shifting target profile of the attacks, whereby even the critical infrastructure of nations, viz. government services, telecom networks, stock exchanges, power distribution networks, ATCs etc, is no longer immune to sophisticated cyber attacks.
In the realm of cyber attacks on critical infrastructure, the world has come a long way from the days when this theme was a favourite of Hollywood directors. Jumping straight from ‘reel’ life to the real one, it was an incident in July 2010 that stunned the world into disbelief and brought out the frightening capabilities of cyber strikes, when centrifuges enriching uranium in a nuclear plant at Natanz in Iran were made to come to a grinding halt, reportedly by a world superpower, not by any physical intervention, but by infecting the Programmable Logic Controllers of the centrifuges using the superworm Stuxnet. The fact that a highly secure nuclear plant could be penetrated and controlled from a remote country by using nothing more than computer malware sent shivers down the spine of strategic communities. Bracing for the impact of increasingly sophisticated cyber attacks, most countries have embarked upon strategic techno-legal initiatives to thwart them, punish the perpetrators and recover quickly. In the US, the initiatives include, inter alia, adoption of a nation-wide secure network called ‘Trusted Internet Connections’ (TIC) that provides a secure network to conduct the business of the federal government by implementing state-of-the-art security protocols and by limiting external connections and internet points of presence. The US became the first country to fully recognise the strategic importance of cyber capabilities by adding Cyber Command to its military infrastructure.
There has been a steep rise in the number of cyber attacks in India. The pecuniary loss suffered by individuals and corporations due to such attacks has been rising. However, the most crucial question is whether our critical infrastructure is robust enough to fend off concerted, sophisticated cyber attacks from terror groups or nations inimical to our strategic and economic interests. In April this year, US-based cyber security firm FireEye Inc claimed that a Chinese group code-named APT30, whose interests are reportedly aligned with those of the Chinese government, regularly conducts cyber reconnaissance of critical infrastructure of India. Today, most of our critical infrastructure is network-driven, which facilitates efficient operations but at the same time leaves much of it vulnerable to sophisticated cyber attacks that can cripple these facilities and their critical services. The fact is that the legacy Supervisory Control and Data Acquisition systems used to control and coordinate activities in critical sectors like aviation, banking, telecom, stock exchanges etc are obsolete and were not designed to withstand a sophisticated attack.
The launch of the ‘Digital India’ project by the Indian government is a major milestone in our IT history. The initiative, once implemented, will mark a paradigm shift in the way citizens interact with the government and vice versa. A lot has been done in the country to make our cyberspace as impregnable as possible against cyber threats of various hues. The Information Technology Act enacted in 2000 was amended thoroughly in 2008. However, such is the nature of the cyber threat that even after the comprehensive overhaul, the Act has almost slipped into the realm of obsolescence and chinks in our legislative armour against cyber attacks stand exposed. The Act no longer sufficiently addresses the techno-legal aspects of the burgeoning e-Commerce and m-Commerce sectors. In fact, the requisite techno-legal framework is still evolving in the country for emerging areas like Cyber Forensics, e-Discovery, Encryption, Cyber Insurance, Cyber Privacy and Data Protection etc, which can benefit from a well thought out strategic initiative focusing on the required legislative and administrative interventions.
The unveiling of the National Cyber Security Policy in 2013 was a welcome step in our march towards a secure cyberspace. However, the policy suffers from several shortcomings. For example, the need to have a countrywide secure network for transacting government business has not been emphasised. Similarly, the strategic response to deal with the risk arising from the adoption of cloud computing has not been delineated properly. The establishment of CERT-IN has gone a long way in not only responding to cyber emergencies but also in continually evaluating cyber threats and responding to them on a real-time basis. However, sectoral expansion of CERT-IN is long overdue. Thankfully, a ‘Critical Information Infrastructure Protection Agency’ has come up, almost a decade after the same was envisaged under section 70(A) of the IT Act. Missing in action is a Cyber Command in the defence forces to harness defensive and offensive cyber capabilities for national security. The appointment of a ‘Chief Information Security Officer’ in the rank of Special Secretary, who will function from the PMO, is a welcome move.
Ongoing efforts to establish a ‘National Cyber Coordination Centre’ will certainly bring about better coordination and synergy in the efforts being made by government and private organisations.
Even with the techno-legal measures in place, the scourge of the cyber threat cannot be mitigated unless there is widespread awareness amongst the general public of the need to adopt secure cyber practices in their professional and personal work spheres. Many commendable campaigns have been launched by governments and organisations like NASSCOM and DSCI. Indeed, the time has come to make cyber security an integral part of the school curriculum. Similarly, there is a dire need to augment the skills of police officials, prosecutors and the magistracy to effectively deal with the perpetrators of cyber crimes. Tamil Nadu Police Academy has been at the forefront in developing the skills of police officers in investigating cyber crimes. The Academy has trained more than a thousand police officers in the advanced skills needed for the investigation of cyber crimes.
The lethality and the sophistication of the cyber threats continue to grow at a menacing speed with every passing day. It is, therefore, imperative to keep pace with the ever-changing threat scenario by continually updating the techno-legal framework and our skill-set, almost on a real-time basis.