Cyber Security Threat

Cyber security threat is an emerging concern for India’s National Security.

India has been victim to the Cyber-attacks number of times in the recent past:

2017: WannaCry and Petya Ransomware
2018: Aadhaar Software hacked and Aadhaar details of the people leaked online
2021: Pegasus issue

India is the third most vulnerable country to Cyber-attacks according to Symantec.

Basics of Cyber Security

Based upon the motive, Cyber threats can be of 4 types:

Cyber Espionage: The act or practice of obtaining secret information i.e., personal, sensitive, classified nature from individuals, competitors or governments using malicious software such as Trojan horses and spyware. Motive is to obtain secret information which could go against our national security.
Cyber Attack: Targets computer information systems, infrastructures, computer networks. Motive is to damage or destroy targeted computer network or system. Impact: Destruction of Communication network.
Cyber Terrorism: Convergence of terrorism and cyber space. Cyberspace has been used the by terrorists for number of purposes such as Planning terrorist attacks, recruitment of sympathisers, spreading propaganda to radicalise people, to raise funding etc.
Cyber warfare: Warfare conducted by a country or its proxies to attack the computer systems in other countries. Can Include- Theft, Vandalism (Defacing Web Pages), Destruction of Critical information infrastructure.

Types of Cyber Security threats

Pegasus

Pegasus is a surveillance spyware that enables the remote surveillance of mobile phones. It has been created by the Israeli tech company NSO.
NSO provides this product to governments and their agencies to boost their national security by tracking the communication of terrorists and criminals. This suggests if the list is real these people were under surveillance by governments.
Pegasus is so powerful as a cyber surveillance tool that it is classified as a weapon goes through export clearances as a lethal weapon would from Israel.Once it infects a phone it can read every message and call, it can turn on the phone remotely to record every conversation made near the device, without the target’s knowledge.However, controversy has started because of its illegal use by the governments to track and put on surveillance of their political opponents.
This has brought to light the surveillance laws that exist in India and how they stand the scrutiny of Right to Privacy recognised by the Puttaswamy Judgement.

Malware

Malware, or malicious software, is any program or file that is harmful to a computer user.
Malware includes computer viruses, worms, Trojan horses and spyware.
Malwares can perform a variety of functions, including stealing, encrypting or deleting sensitive data, altering or hijacking core computing functions and monitoring users’ computer activity without their permission.

Types of Malwares

Virus: Most common type of malware. It can execute itself and spread by infecting other programs or files. Ex. Stuxnet: Malware that targeted Iranian nuclear enrichment facilities.
Worm – It is a type of malware that can self- replicate without a host program. Worms typically spread without any human interaction or directives from the malware authors.
Trojan – It is a malicious program that is designed to appear as a legitimate program. Once activated following installation, Trojans can execute their malicious functions.
Xafecopy
A Trojan Malware.
It is disguised as useful apps and operates normally.Malware uses technology to bypass ‘captcha’ systems designed to protect users by confirming the action is being performed by a human.
Spyware – It is a kind of malware that is designed to collect information and data on users and observe their activity without users’ knowledge.
Pegasus: A spyware developed by Israeli cyber arms firm NSO Group Technologies. Mainly uses exploit links, clicking on which installs Pegasus on the target’s phone.

Distributed Denial of Service

Denials of service (DoS) is a malware attack that prevents or impairs the authorized use of information system resources.
Working: The malware first creates a number of botnets. These botnets then ping a single server all at the same time. As the number of pings are far beyond the capacity of target server, the server crashes and denies service to genuine users and hence the name.
Distributed denial-of-service –is a variant of the denial-of-service attack that uses a coordinated attack from a distributed system of computers rather than a single source.
Unlike other kinds of Cyberattack, DoS assaults don’t attempt to breach the security perimeter. Rather, they aim to make the website and servers unavailable to legitimate users.

Buffer overflow

It is a bug in a computer program that can lead to a security vulnerability. A buffer is a part of the physical memory storage that is temporarily used to store data. Buffer overflows occur when a program or process tries to write or read more data from a buffer than the buffer can hold.
It can give an attacker access to different parts of the internal memory and eventually control the program execution, introducing risks in confidentiality, integrity and availability. Only native code programs are vulnerable to buffer overflows.

BOT

Bot is software that can compromise the victims’ machine and using it for further malicious activities. Bot’s command and control server could direct the activities.

Ransomware

It is malicious software that is injected into the computer to limit the access of the system to the user and encrypt the data.
Cyber criminals demand money in lieu of encryption key (that would unlock all the data and restore the access to the system).
Nowadays, ransom is demanded in terms of Bitcoins.
Examples – WannaCry Ransomware, Locky Ransomware etc.

Man-in-the-middle (MitM) attacks

Occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems.
A MitM attack exploits the real-time processing of transactions, conversations or transfer of other data.

Phishing

It is a form or e-mail spam where a perpetrator sends an official looking fraudulent e-mail message to obtain the victim’s personal and financial information.
In the recent days, zombie computers or botnets are increasingly used for launching phishing attacks.

Spear Phishing

In the recent times IT and ITES companies have increasingly become victims of phishing attacks.
Attackers disguise themselves as business related accounts like vendors, auditors etc to launch attacks on business groups.
Once the business accounts are hacked, they are used a jump-off point to launch attacks on customers.
This type of phishing attacks where the attackers disguise as legitimate accounts to attack a business group or its customers is called spear phishing.

Web Crawler

Also known as a web spider, it is a program or automated script which browses the World Wide Web in a systematic manner.
Web crawlers are mainly used to create a copy of all the visited pages for later processing by a search engine.
Crawlers can also be used for automating maintenance tasks on a Web site, such as checking links or validating HTML code.

Crypto Jacking

Cryptocurrencies are created through a process called mining. To mine digital coins, miners need to use high-end processors that will consume a lot of electricity.Crypto jacking is what some digital coin miners do to illegally gain access to many computers. The miners stealthily drop malware in an unsuspecting user’s computer. These malware runs surreptitiously and turns devices into cryptocurrency-mining botnets.

Unlike most other types of malwares, crypto-jacking scripts do not use the victim’s data. But they drain the CPU’s resources, which slows down the system, increases electricity usage, and causes irreparable damage to the hardware.

Hacktivism

Misusing a computer system or network for a socially or politically motivated reason. For example, the hacktivists can block access to Government’s website, deface government’s website or unblock the sites which have been blocked by the Government.

Social Engineering

Entice users to provide confidential information. Ex., these days you must have come across some fake Facebook accounts which are opened in the name of your close friends. First, cyber attackers send you friend request in the name of your close friend. Once u accept it, they will ask to request you to transfer some money.

Advanced Persistent Threat

It is a type of cyber-attack in which an unauthorised user gains access to a system or network and remains there for an extended period without being detected. They generally do not cause damage to company networks or hardware. Instead, they are focussed on stealing data.

DARKNET

The dark web is part of the internet that is not visible to search engines and requires the use of an anonymising browser called Tor to be accessed.

Deep Web vs. Dark Web: What’s the difference?

The terms “deep web” and “dark web” are sometimes used interchangeably, but they are not the same.

Deep web refers to anything on the internet that is not indexed by and, therefore, accessible via a search engine like Google. Deep web content includes anything behind a paywall or requires sign-in credentials. It also includes any content that its owners have blocked web crawlers from indexing. Medical records, fee-based content, membership websites, and confidential corporate web pages are just a few examples of what makes up the deep web. Estimates place the size of the deep web at between 96% and 99% of the internet. Only a tiny portion of the internet is accessible through a standard web browser—generally known as the “clear web.”

Dark web is a subset of the deep web that is intentionally hidden, requiring a specific browser—Tor—to access, as explained below. No one really knows the size of the dark web, but most estimates put it at around 5% of the total internet. The dark net is most often used for illegal activities such as black markets, illegal file sharing, and the exchanging of illegal goods or services (including stolen financial and private data), and the anonymity of the dark net attracts drug-dealers, hackers, and child pornography peddlers.

IMPACT OF CYBER ATTACKS

Loss of Integrity: Unauthorized changes made to data or IT system can result in inaccuracy, fraud or erroneous decisions that bring integrity of the system under suspicion.
Loss of Availability: An attack on a mission-critical IT system makes it unavailable to the end users.
Loss of Confidentiality: Consequence of unauthorised disclosure of information ranges from loss of public confidence to national security threats.
Physical Destruction: Ability to create actual physical harm or destruction using IT systems.Impact on data: Confidentiality, Integrity & Availability of information
Impact on Critical Information Infrastructure: Presently, most of sectors are critically dependent on use of ICT to carry on their operations. Cyber-attacks on these critical information infrastructures can bring the entire country to a grinding halt. For example, the recent Chinese cyber-attack on the power system in Mumbai brought the entire city to a halt. The local trains, which are considered as Mumbai’s lifeline stopped functioning and people got stranded. Similarly, Stuxnet worm attack on Iranian Nuclear facilities led to destruction of equipment which were controlled by the computers.
Financial loss: According to Data Security Council of India, India has been the second most cyber-attacks affected country between 2016 to 2018.
Affects National Security and peace and stability in a country.

CYBER SECURITY PREPAREDNESS

ITU released Global Cyber Security Index. This index measures the performance of the countries in terms of policies taken by them to improve cyber security. India was placed at 23rd rank among 165 countries. The relatively higher ranking of India shows that India has taken adequate measures for the protection of cyber space.

Section 66F of ITA: Specific provision dealing with the issue of cyber terrorism that covers denial of access, unauthorized access, introduction of computer contaminant leading to harm to persons, property, critical infrastructure, disruption of supplies, ‘sensitive data’ thefts. Provides for punishment which may extend to lifetime imprisonment.
National Cyber Security Policy 2013: Policy document drafted by the Department of Electronics and Information Technology. Established National Critical Information Infrastructure Protection Centre (NCIIPC) to improve the protection and resilience of the country’s critical infrastructure information; Create a workforce of 5 lakh professionals skilled in cybersecurity in the next 5 years.
National Critical Information Infrastructure Protection Centre (NCIIPC): Established under Information Technology Act, 2000 to secure India’s critical information infrastructure. It is designated as the National Nodal Agency in respect of Critical Information Infrastructure Protection. It has been setup to enhance the protection and resilience of Nation’s Critical information infrastructure. It functions under the National Technical Research Organization (NTRO).
CERT-IN: Organization under the Ministry of Electronics and Information Technology with an objective of securing Indian cyberspace. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country. According to the provisions of the Information Technology Amendment Act 2008, CERT-In is responsible for overseeing administration of the Act. Sectoral CERT-Ins for dedicated sectors have also been mandated. For ex for finance, power sector etc.
Cyber Surakshit Bharat Initiative: It was launched in 2018 with an aim to spread awareness about cybercrime and building capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
Cyber Crisis Management Plan (CCMP): It aims at countering cyber threats and cyber terrorism
National Cyber Coordination Centre (NCCC): It seeks to generate necessary situational awareness of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual entities.
National Cyber Security Coordinator (NCSC) under National Security Council Secretariat (NSCS) coordinates with different agencies at the national level for cyber security matters.
Cyber Swachhta Kendra: This platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.It is Botnet Cleaning and Malware Analysis Centre.It is a part of the Digital India initiative under the Ministry of Electronics and Information Technology (MeitY).It has been set up in accordance with the objectives of the National Cyber Security Policy.This center is being operated by the Indian Computer Emergency Response Team (CERT-In) under the provisions of IT Act, 2000.
Information Security Education and Awareness Project (ISEA): Training of personnel to raise awareness and to provide research, education and training in the field of Information Security.

S3WAAS

Secure, Scalable and Sugamya Website as a Service
It is a website generating and deployment product hosted on the National Cloud of NIC.
It leverages technology to generate secure websites using GIGW compliant templates which are highly customisable and can seamlessly be deployed on a scalable software defined infrastructure.

TECHSAGAR

An online portal launched by National Cyber Security Coordinator’s office in partnership with the Data Security Council of India (DSCI).
It provides actionable insights about capabilities of the Indian Industry, academia and research across 25 technology areas like Internet of Things (IoT), Artificial Intelligence (AI), etc.

Data Security Council of India

It is a not-for-profit premier industry body on data protection in India.
It has been setup by NASSCOM.

CHALLENGES IN INDIA’S CYBER SECURITY

International Convention: Presently, Budapest Convention is the first international treaty seeking to address Internet and computer crime by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. This convention promotes greater cooperation between countries in fighting cybercrimes.
However, India has not joined this convention. This is because the convention allows for cross border access to data to conduct investigation and India believes that such cross-border access to data can infringe on National Sovereignty.

However, some cyber experts have pointed out that, given threats faced by us, India should accede to Budapest Convention at the earliest.

PPP Framework for Cyber Security: Presently, most of the cyber security operations are conducted by the Government agencies such as CERT-In. Given the fast-changing nature and intensity of cyber threats, there is a need to leverage private sector expertise in combating cybercrimes through PPP framework.
Shortage of Skilled Professionals
Strengthen IT act and National Cyber Security Policy 2013: Some of the experts have pointed out that the present legal and facilitative framework to fight cybercrimes i.e., IT Act and NCSP, 2013 are outdated and not well-equipped enough to handle technologically advanced cybercrimes. Prime Minister has said that the Government is working on new Cyber security Policy 2020.

SECURING SECURE CYBER ECOSYSTEM

Appointment of Chief Information Security Officer in all the Organisations.
Earmark funds towards enhancing cyber security
Provide tax incentives to companies to upgrade information infrastructure
Investment in R&D to improve Cyber Security- Big data, AI
Enhancing Awareness among the people through the awareness campaigns
Stricter regulatory compliance and increased self-reporting of security incidents and breaches – The Reserve Bank of India, as part of its circular on Cyber Security Framework in Banks, has made it mandatory to report data breach incidents to the regulator within two to six hours. Regulatory watchdogs such as the Indian Computer Emergency Response Team (CERT-In) have also directed companies, service providers and intermediaries to disclose the quantum of data exposed and intimate employees and customers.
Surge in cyber insurance to protect critical assets – As per the Data Security Council of India, the global cyber insurance market is expected to grow at a CAGR of 27% from US$4.2 billion in 2017 to US$22.8 billion in 2024.
Crimeware or ransomware as a service is transitioning into a highly profitable industry – Cybercriminals often get generously compensated for delivering or spreading malware and may even get a percentage of the extorted ransom paid per infected device. The global economic downturn caused by the spiralling pandemic has created an ideal situation for both experienced and novice cybercriminals to conduct sophisticated attacks easily.
Updating outdated and open-source software – Cybercriminals these days are continuously on a look out for outdated web software. There is an urgent need for upgrading the software to meet the latest cyber challenges.

CYBER FRAUDS

The COVID-19 outbreak presents a global challenge not just for the medical fraternity and society, but for law enforcement agencies also. Cybercrime, like a pandemic, knows no state borders. A few people are attempting novel ways of defrauding innocents using information and technology. Money is being siphoned off using fake accounts and exploiting vulnerabilities of various applications.

Cases of Cyber frauds in recent times: The Delhi police Cyber Crime, alerted citizens about a fake UPI (Unified Payments Interface) ID of the PM CARES Fund. Cases of fake Facebook accounts are being reported where money has been fraudulently asked for the treatment of alleged patients by hacking their accounts.

The popular video conferencing app Zoom, which can add up to 100 participants in a call, has come across as vulnerable. (‘Zoom raiding’ or ‘Zoom bombing’ can be started, in which hate speech, pornography or other content is suddenly flashed by disrupting a video call on Zoom.)

Safeguards against cyber frauds

Related to Payments

Verifying the destination UPI ID from authentic sources before making any transaction.
If a mobile phone with a UPI-enabled app is stolen, it must be blocked and the bank intimated before it could be misused.
Banks also must adhere to the KYC guidelines issued by the RBI, so that the address of each customer is checked physically.

Related to social media

By keeping the privacy settings at ‘Only me’ or ‘Friends’ and not to share sensitive information on social media.
Privacy settings should be changed for every post and photo.

Interpol’s Advisory

In guidelines for law-enforcement agencies, Interpol warned about the emerging trend of false or misleading advertisements about medical products, setting up of fraudulent e-commerce platforms, phishing etc. during the pandemic. It has recommended to: –

Avoid opening suspicious emails and clicking links in unrecognized emails and attachments.
Have back up files regularly.
Use strong passwords.Keep software updated.
Manage social media settings and review privacy/security settings.

Cyber experts also recommend the use of ‘https’ protocol for secure financial transactions.

A victim of cybercrime should report it to the police immediately. Computer-related wrongs are covered under the Information Technology Act (IT Act), 2000 and wrongdoers are liable for penalty, compensation and criminal liability in appropriate cases.

NATGRID

National Intelligence Grid has signed a MOU with National Crime Records Bureau (NCRB) to access centralised online database on FIRs and stolen vehicles.

National Intelligence Grid (NATGRID) is an integrated intelligence master database structure for counter-terrorism purpose. It seeks to act as a “secured platform” for at least 10 Central security and intelligence agencies like IB, R&AW to have access to databases from 21 providing organisations.

The project aims to allow investigation and law enforcement agencies to access real-time information from data stored with agencies such as the Income Tax Department, banks, insurance companies, Indian Railways, credit card transactions, and more.

NATGRID, like other government initiatives like (UIDAI), is being established through governmental notifications rather than legislation passed in Parliament.

NATGRID as a one-stop solution

Safeguarding from leaks: Secure centralized database to stream sensitive information from various sources without any leaks.
Technology-intensive solutions: Plans to make use of advancement in technology such as big data analysis for generating alerts.
Lower chances of misuse as it involves no human interface.Reduced use of harsh and coercive means to extract information.
Helps in keeping a tab on persons with suspicious backgrounds.

Issues with NATGRID

Widespread misuse of state surveillance capabilities and breach of privacy.
Efficacy in preventing terror has been questioned as police force does not have access to this database.
Lack of legal validity of the project. Presently, certain departmental agencies maintain databases of personal information which helps them provide essential services or maintain law and order. So, the power of maintaining legal databases is implicit because of the nature of functions these agencies perform.

However, there is no implicit or explicit authorization to the convergence of these independent databases. One may argue that the government is not legally prevented from interlinking databases.

Further, it is held that with strong information protection technology, strict authentication norms, external audits and a privacy law, NATGRID is set to become India’s one-stop destination for security and intelligence needs.

National Cyber Security Policy

Cyber Security Policy 2013

National Cyber Security Policy is a policy framework by Department of Electronics and Information Technology (DeitY). It aims at protecting the public and private infrastructure from cyber-attacks.

The policy also intends to safeguard “information, such as personal information (of web users), financial and banking information and sovereign data”.

Ministry of Communications and Information Technology (India) defines Cyberspace as a complex environment consisting of interactions between people, software services supported by worldwide distribution of information and communication technology.

Objective

Ministry of Communications and Information Technology (India) define objectives as follows:

To create a secure cyber ecosystem in the country, generate adequate trust and confidence in IT system and transactions in cyberspace. Thus, enhance adoption of IT in all sectors of the economy.
Create an assurance framework for design of security policies and enabling actions for compliance to global security standards by way of conformity assessment (Product, process, technology & people).
Strengthen Regulatory Framework for ensuring a SECURE CYBERSPACE ECOSYSTEM.
Enhance and create National and Sectoral level 24×7 mechanism for obtaining strategic information regarding threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective predictive, preventive, protective response and recovery actions.
Improve visibility of integrity of ICT products and services by establishing infrastructure for testing & validation of security of such product.
Create workforce for 500,000 professionals skilled in next 5 years through capacity building skill development and training.
Provide fiscal benefit to businesses for adoption of standard security practices and processes.
Enable Protection of information while in process, handling, storage & transit to safeguard privacy of citizen’s data and reducing economic losses due to cyber-crime or data theft.
Enable effective prevention, investigation and prosecution of cybercrime and enhancement of law enforcement capabilities through appropriate legislative intervention.

Strategies

Creating a secured Ecosystem.
Creating an assurance framework.
Encouraging Open Standards.
Strengthening The regulatory Framework.
Creating mechanism for Security Threats Early Warning, Vulnerability management and response to security threat.
Securing E-Governance services.
Protection and resilience of Critical Information Infrastructure.
Promotion of Research and Development in cyber security.
Reducing supply chain risks
Human Resource Development (fostering education and training programs both in formal and informal sectors to support Nation’s cyber security needs and build capacity.
Creating cyber security awareness.
Developing effective Public Private Partnership.
To develop bilateral and multilateral relationship in cyber security with other country. (Information sharing and cooperation)
Prioritised approach for implementation.

Salient Features

A National and sectoral 24X7 mechanism has been envisaged to deal with cyber threats through National Critical Information Infrastructure Protection Centre (NCIIPC).
CERT-In has been designated to act as a nodal agency for coordination of crisis management efforts. It will also act as umbrella organization for coordination actions and operationalisation of sectoral CERTs
A mechanism is proposed to be evolved for obtaining strategic information regarding threats to information and communication technology (ICT) infrastructure, creating scenarios of response, resolution, and crisis management through effective predictive, prevention, response and recovery action.
Effective public-private partnership and collaborative engagements through technical and operational cooperation.
R&D of trustworthy systems and their testing, collaboration with industry and academia, setting up of ‘Centre of Excellence’ in areas of strategic importance from the point of view of cyber and R&D on cutting edge security technologies, are the hallmarks of this strategy laid down in the policy.
Developing human resource through education and training programmes, establishing cyber security training infrastructure through public private partnership and to establish institutional mechanisms for capacity building for law enforcement agencies.
Encouraging all organizations whether public or private to designate a person to serve as Chief Information Security Officer (CISO) who will be responsible for cyber security initiatives.
Provisions of fiscal schemes and incentives have been incorporated in the policy to encourage entities to install trustworthy ICT products and continuously upgrade information infrastructure with respect to cyber security.

Issues with the Policy

The provisions to take care security risks emanating due to use of new technologies e.g., Cloud Computing, has not been addressed.
Tackling risks arising due to increased use of social networking sites by criminals and anti-national elements.
Need to incorporate cybercrime tracking, cyber forensic capacity building and creation of a platform for sharing and analysis of information between public and private sectors on continuous basis.
Indigenous development of cyber security solutions as enumerated in the policy is laudable, but these solutions may not completely tide over the supply chain risks and would also require building testing infrastructure and facilities of global standards for evaluation.

Global debate on national security versus right to privacy & civil liberties is going on for long. Objectives of this policy are safeguarding privacy of citizen data; however, no specific strategy has been outlined to achieve this objective

Need for Review of Cyber Security Policy

It was created in the wake Surveillance scandal of the American National Security Agency leaks by Edward Snowdown back in 2013. Since then, new challenges have emerged which need to be addressed.
India is among top 10 countries facing cyber-attacks.
Cyber landscape has witnessed growing digitization as part of the Government’s Digital India push, as well as more sophisticated cyber threats, particularly the WannaCrypt and Petya ransomware attacks.
Government must proactively address India’s ability to respond effectively to cyber threats by outlining an institutional framework ensure the country’s digital safety.
Need for mechanisms for coordination between multiple agencies responsible for cyber security.Crunch of cyber security professionals needs to be addressed.
Little progress in PPP mechanisms for cybersecurity.
Fostering greater civil-military cooperation on cyber security.

Way Forward

Action plan to deal with state-sponsored attacks. In such attacks, government infrastructure, private sector and citizens’ personal details are hacked.
An SOS lockdown policy must be in place to completely take nuclear grids, power grids, financial institutions, and satellite communication off internet immediately, in case of any national security attack.
There must be provisions for or nationwide cybersecurity training of the common mass if the country aims to take its finance and healthcare online.
The security standards should not only be defined for government organizations but also be enforced on private companies with a checklist of requirements.