The government is planning to designate the Defence Intelligence Agency (DIA) and National Technical Research Organisation (NTRO) as the agencies for carrying out offensive cyber operations, says a report in the Times of India.
The need for an offensive posture in cyberspace has also been highlighted in the recent report of DSCI-Nasscom, “Securing our Cyber Frontiers”. It has recommended, among other things, establishing a cyber command within the defence forces which should be equipped with defensive and offensive cyber weapons and manpower trained in cyber warfare.
Now, all that is perfectly alright these days, we must become capable of launching cyber offensives when the US and China are making strident moves in that direction, but firstly are we capable of defending our cyber infrastructure? What do we make of the recent attacks on government websites? The hackers belonging to the Anonymous group have highlighted India’s preparedness – or lack of it – for a cyber war.
And who were the victims? Ironically, the very agencies that are supposed to make our cyberspace secure. The Indian Computer Emergency Response Team (CERT-In) is the national nodal agency for responding to computer security incidents. It is responsible for coordination of cyber incident response activities and handles emergency measures for cyber security measures. But it was surprising that CERT-In’s own website (http://cert-in.org.in) was brought down on Saturday due to a ‘distributed denial of service’ (DDoS) attack by Anonymous.
If the nodal agency could not prevent cyber attacks on itself, it is an open question if it will be able to defend other government websites and critical cyber infrastructure.
Last week the website of the directorate of Standardisation Testing and Quality Certification (STQC) under the department of electronics and information technology (DietY) was attacked and brought down. The website was unavailable for the whole day on Sunday. The irony is STQC is responsible for providing assurance services in the area of e-governance, IT and cyber security. Thus, the attached office under DietY failed to carry assurance testing for its own website.
The hackers group has hacked the websites to protest against the IT rules which facilitate censorship of internet in the country. A tweet by Anonymous after hacking of the CERT-In website categorically mentioned, “This is your response team #india! They can't even protect themselves. How will they protect others?”
And this is the key question: When CERT-In could not protect itself, is it capable of protecting attacks on others and, more importantly, launch a cyber offensive?