An extract from Maj. Gen. P.K. Mallick’s essay on Cyber and Space Strategy for India
Indian Cyber Space
The most significant events were the introduction of the Information Technology (IT) Act as early as 2000 and the promulgation of the National Cyber Security Policy by the Ministry of Communications and Information Technology in 2013. The Indian Computer Emergency Response Team (CERT-In) was established in 2004 and continues to function. India has undertaken several steps for the protection, detection and containment of potentially disruptive attacks against the nation's networks. Initiatives such as Digital India and Smart City, and the increasing involvement of the private sector in nation-building endeavours, are progressive steps that are also increasing the scope and complexity of cyber security efforts.
The national cyber security policy lacked the following key elements:
- Milestones and performance measures.
- Cost and resources.
- Roles and responsibilities.
- Linkage with other key strategy documents.
India has taken several steps in the recent past to strengthen its cyber defence capabilities. It is time now to enunciate the National Cyber Security Strategy.
Critical Issues to be Addressed in the Indian Context
Command and Control Set-Up: There should be no ambiguity in the responsibility of organizations for cyber security. In the USA, the National Security Agency and Cyber Command come under the Department of Defense. In the UK, GCHQ reports to the Foreign Secretary. In Israel, the National Cyber Bureau, directly under the Prime Minister, regulates activity in cyber space. In our context, NTRO has been entrusted with this responsibility; it does not come under any ministry and operates directly under the Prime Minister's Office (PMO). The interplay between the Ministry of Defence (MoD) and the armed forces, the Ministry of Home Affairs (MHA) and the intelligence agencies, both internal and external, needs to be clearly demarcated. Who will carry out offensive cyber operations in a conflict scenario: can an intelligence agency do it, keeping in mind the rules of engagement and the laws of armed conflict?
National Critical Information Infrastructure: The National Critical Information Infrastructure Protection Centre (NCIIPC) was formed under the National Technical Research Organisation (NTRO). For selected critical infrastructure sectors, NCIIPC takes the lead role; for other, non-critical systems, the responsibility lies with CERT-In. The National Disaster Management Authority (NDMA) under the MHA also has responsibility for the protection of critical information infrastructure, though it has done very little on this issue. CERT-In is an advisory body and not an implementation agency. Responsibility and authority for all the sub-sectors of the critical information infrastructure should be clearly demarcated and made accountable.
The lead agency for formulating the national cyber security policy is the Ministry of Electronics and Information Technology (MeitY). This ministry does not have control over powerful ministries and departments like the MoD, MHA and NTRO. The way our ministries work, in stovepipe systems, the sharing of information, the earmarking of specific roles and the assignment of responsibility all suffer.
We generally follow the US model. The appointment of the National Cyber Security Coordinator directly under the PMO is seen as a positive development, and a lot of good work has been done by the National Cyber Security Coordinator. However, he does not have any executive power since he is not under any ministry. He is not in the loop for operations undertaken by the intelligence agencies. The staff of the National Cyber Security Coordinator is meagre for a country as huge and diverse as India. In the US, the post of the National Cyber Security Coordinator was abolished in 2018, on the grounds that it had become an extra-constitutional authority and was interfering with the routine functioning of the respective departments responsible for cyber security tasks.
Organisations like NTRO and the National Cyber Security Coordinator are happy to function under the PMO. There is no ministry or legislative control over their functioning. The PMO as such does not have much domain expertise in these niche technology areas. These organizations are protected from routine interference; they have virtual independence. In a way, it is good that they can get things done at a fast pace, but there is always a danger of their going overboard and taking unnecessary risks, with grave consequences, when there is no control over them.
Standards and Protocols: We need to have uniform standards, protocols and norms across the country in the cyber domain. The agencies involved are MeitY, the Indian Standards Institution (ISI)/Bureau of Indian Standards (BIS) and NCIIPC. Is there a need for a central agency like the National Institute of Standards and Technology (NIST) of the USA, which functions under the Department of Commerce?
The Indian IT industry is worth USD 150 billion. It has some well-established cyber security procedures. What is the process for exchanging best practices between this civil sector and the government sector?
There is a serious mismatch of understanding between the civil sector and the government agencies on cyber security. The government agencies feel that the private sector is only interested in grabbing orders but is not serious about developing Indian solutions, does not put adequate effort into R&D and is not willing to invest in the country's cyber security infrastructure. On the other hand, private industry feels that there is very little understanding of cyber security in the top echelons of the government agencies, that the procedures are too bureaucratic, rigid, long and time consuming, and that vendors are usually treated shabbily. It feels that since it provides cyber security solutions across the globe, it has the expertise, and that the government should approach private industry and not the other way around, quoting the recent example of the US Secretary of Defense visiting Silicon Valley and interacting with the technology giants to obtain support for Department of Defense cyber activities. Surely there has to be a middle ground where these sharply divergent views can meet.
Private industry is very sensitive about any cyber breach in its organizations. It always carries out damage control first and does not like to share the information, for commercial reasons. What can NCIIPC and CERT-In do to develop mutual trust and make sure that this information is shared immediately, so that mitigation action across sectors can be initiated?
In a scenario where a big Indian IT company has been compromised and data has been stolen, and the affected company is reasonably certain about where the attack came from and carries out a hack-back against that party, what should be the role of the government agencies? Though private industry is duty bound to report any breach of cyber security to the government agencies, a very large number of such incidents go unreported. What is the mechanism by which punitive action is taken against defaulters?
Regulatory bodies for each sub-sector of the critical infrastructure must be identified and made responsible and accountable for their respective sub-sectors. For example, if a serious breach in a nuclear power plant takes place, with the potential for great loss of life and property, who should be held accountable? The introduction of private players into the nuclear power sector will make the issue more complicated. Similarly, who is responsible for the cyber security of the huge defence industrial base, the Defence Public Sector Undertakings (DPSUs) and the factories under the Ordnance Factories Board (OFB)? With the recent participation of private industry, the cyber security aspects will acquire more relevance. Who is responsible for the cyber security of the private players in the defence industry?
India does not have any credible code-breaking capability. The introduction of 128- or 256-bit keys has made brute-force code breaking computationally infeasible, so whatever capability exists rests on cryptanalysis of weak algorithms, flawed implementations, poor key management and access to endpoints rather than on raw computing power. This capability exists in the NSA of the USA and the Government Communications Headquarters (GCHQ) of the UK, and probably with Russia and China. If we do not have this capability, then we must make efforts to develop it. Academia, industry and expertise from countries like Ukraine, Belarus and other East European countries, and South Africa, can be explored.
Delay in Implementation of Projects: After the 26/11 attacks on Mumbai, two very important projects were initiated by the central government on a fast track. Both projects, the National Intelligence Grid (NATGRID) and the Central Monitoring System (CMS), have cost and time overruns and are still not complete. NATGRID does not have linkage to the armed forces.
The National Cyber Security Centre (NCSC) is an organization of the United Kingdom Government that provides advice and support to the public and private sectors on how to avoid computer security threats. It became operational in October 2016, about one year after the announcement of its establishment. In India, in-principle approval for the National Cyber Coordination Centre (NCCC) was accorded in May 2013, with an initial budget allotment of Rs 800 crore. On August 8, 2017, Parliament was informed that only Phase I of the NCCC had been made operational. When the country has adequate funds and expertise, this type of bureaucratic delay is not acceptable for projects of national security.
R&D in the Cyber Security Field
We have no choice but to have our own software and hardware in niche technology areas, as no country shares these. WikiLeaks and Edward Snowden have already revealed the capabilities that the USA has. As an initial effort, Indian researchers should be tasked to develop the same kind of capabilities.
We should take a policy decision to use Indian-made switching equipment in our selected critical infrastructure. Indian manufacturers like Tejas Networks should be encouraged. The human resource development policies must be suitably modified to attract the right kind of talent and to train and nurture them. In spite of its huge budget, the NSA is most vulnerable to the insider threat; Chelsea Manning (a US Army analyst) and Edward Snowden (an NSA contractor) are the prime examples. The most secret cyber weapons developed by the NSA have been put on the internet and can be used by anybody in the world for cyber operations. What is the policy to thwart the insider threat in our cyber security organizations?
In September 2015, the Indian government released a draft National Encryption Policy that sought to set encryption standards and lay down conditions for the decryption of information for lawful investigation. It was hastily withdrawn under pressure from the media. It is time now to take the bull by the horns. The national security interest must be supreme.
Armed Forces Domain
The cyber security of the three Services is not audited by any outside agency, including NCIIPC. The three Services do not even audit each other; each Service certifies itself as cyber secure. This is not acceptable. The cyber security of the IT networks of the three Services must be audited by some external agency. In the USA, vetted security researchers are invited under a bug bounty programme (Hack the Pentagon) to find vulnerabilities in DoD public-facing systems and are paid for valid findings. This is one way the DoD discovers vulnerabilities in its networks. The Indian armed forces must also do something like this.
Within the US DoD, there is an organization called the Defense Information Systems Agency (DISA), which provides, operates and assures command and control and information-sharing capabilities in direct support of joint war-fighters, national-level leaders and other missions across the full spectrum of military operations. It works under the DoD's Chief Information Officer (CIO). In India, neither the three Services nor the MoD have CIOs. Should we have an organization like DISA in the MoD as a separate organization, and designate its head as the CIO of the MoD?
There should be clarity as to what constitutes an act of war in the cyber domain. Factors like loss of life and property, economic impact, and diplomatic and political effects can be considered in terming such an attack one of significant consequence.
Who will give permission for offensive cyber operations? What are the rules of engagement?
India procures a huge amount of defence equipment from foreign countries. What is the mechanism to check whether there is any malware in these increasingly sophisticated technology areas? No country shares its source code. What is the mechanism in the equipment procurement procedure and the supply chain management system to ensure that backdoors or implants are not present in the delivered hardware, firmware and software?
The human resource development policies for the armed forces in the cyber domain will require drastic changes to attract and retain talent in such niche technology areas. The present policies are inadequate.
Military Strategy for India in the 21st Century
Edited by Lt Gen. A.K. Singh and Lt Gen. B.S. Nagal
KW Publishers, Pages 345, Price Rs. 1280