Is India prepared for the new theatre of war? When our cyber security strategy is being revamped, it is time to rise to basic challenges: improve cyber defence, empower agencies and get professionals on board
Pratap Vikram Singh | March 21, 2013
Around 8.30 am on December 17, 2012, a group of senior bureaucrats, defence personnel, intelligence officials and information security managers of a few selected government agencies gathered at the Manekshaw Centre in the Delhi cantonment. They were to spend a whole day deliberating on the cyber security of critical information infrastructure (sectors such as telecom, finance, banking, nuclear plants, power, transport and space). As soon as the first session got over, a top official from the national security council secretariat (NSCS) was speaking to journalists outside the plenary hall.
Seeing this rare opportunity, I asked the official whether the whole buzz around cyber warfare held any element of truth. The official, speaking on condition of anonymity, replied: “What happened to Iran in 2010 post cyber attack on its nuclear enrichment plant? It was closed down for just a couple of weeks. We (India) are a very resilient country. We can survive an eight-hour blackout. So in the worst case, things will just go down for a few days.”
His views on cyber security, marked by indifference, are not an exception but the norm among the top brass in the government, leaving many security experts worried. Contrast this attitude with the decision of the US to treat cyberspace as the fifth domain of warfare, on par with land, sea, air and space.
While the NSCS is working on restructuring cyber security governance, experts believe that the government’s efforts are too little, too late. Decision-makers in the government and the private sector have grown complacent even as the same organisations are attacked again and again. They appear to have little situational awareness of cyber security matters, and the initiatives taken in the aftermath of incidents show an entirely ad hoc approach, lacking vision and mission, the experts say.
The government believes cyber security can be overseen merely by issuing guidelines and advisories, which is essentially what the Indian Computer Emergency Response Team (CERT-In) and the newly formed National Critical Information Infrastructure Protection Centre (NCIIPC) are doing. “The country is running on guidelines. We are living in a compliance regime,” says Dinesh Pillai, chief executive officer, Mahindra Special Services Group.
The art and science of breaching a computer system or a network lie in finding and exploiting vulnerabilities in software, somewhat like finding a way to break into a locked house. Attackers have a structural edge here: they need to find only one usable flaw, while the defender has to close every one. Newly found vulnerabilities are sold in the cyber underworld for thousands of dollars. Through the opening such a flaw provides, criminals then introduce malware, which is itself developed and sold by specialist programmers, to perform a particular task on the compromised machine.
To prevent a cyber attack, one has to find the vulnerability and patch it before it is used; where no patch exists yet, the exposed component has to be isolated or the exploit path blocked. Failing to do so puts people, organisations and the country as a whole at risk. A series of cyber incidents in the country has shown as much.
The prime minister’s office (PMO) has been attacked in each of the last three years. In a couple of cases, the hackers used ‘spear-phishing’ (a targeted email carrying a malicious attachment or link, crafted to look plausible to its particular recipient) to infect computers. The offices of the national security advisor and the armed forces have also been attacked twice. In the private sector, chairmen and chief executive officers of tobacco, oil and gas and IT companies have suffered cyber espionage. Every time something of this sort happens, the media is handed a standard line: “Nothing classified has gone out.” The affected computers are scanned, an advisory is issued, and things continue as before.
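Spear-phishing works because the lure looks plausible and the attachment runs code when opened. The script below is an added example, not code from the article or from any agency it names; it shows the first-pass triage an analyst would run on such a mail. It parses a constructed sample message (the addresses, subject and attachments are all made up here) and flags the usual tell-tales: a PDF carrying /Launch or /OpenAction, an executable hiding behind a document-style double extension, and a PE header under a harmless extension. The extension and keyword lists are assumptions to be tuned per environment.

```python
"""Spear-phishing attachment triage (added example; not from the article).

Parses an RFC 5322 message and reports the indicators an analyst checks
first: executables disguised with a document-style double extension,
PE files under a harmless extension, macro-enabled Office formats, and PDF
action keys (/Launch, /JavaScript, /OpenAction ...) that run code on open.
The sample message is constructed here; nothing is taken from a real case.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists; tune them for the environment being protected.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}
MACRO_EXT = {"docm", "xlsm", "pptm"}
# PDF dictionary keys that trigger actions when the document is opened.
PDF_ACTION_KEYS = (b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")


def _extensions(filename):
    """All dot-separated suffixes, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    return filename.lower().split(".")[1:]


def inspect_attachment(filename, data):
    """Return a list of human-readable findings for one attachment (empty if clean)."""
    findings = []
    exts = _extensions(filename)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXT:
        findings.append(f"executable extension .{last}")
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXT:
            findings.append("double extension disguises executable as document")
    if last in MACRO_EXT:
        findings.append(f"macro-enabled document .{last}")
    if data.startswith(b"MZ") and last not in EXECUTABLE_EXT:
        findings.append("PE header under a non-executable name")
    if data.startswith(b"%PDF") or last == "pdf":
        # Match the key as a whole token so /JS does not fire on /JSomething.
        hits = [k.decode() for k in PDF_ACTION_KEYS
                if re.search(re.escape(k) + rb"(?![A-Za-z0-9])", data)]
        if hits:
            findings.append("PDF action keys: " + ", ".join(hits))
    return findings


def triage_message(raw):
    """Parse a raw message and return one record per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):          # text/* parts come back as str
            data = data.encode("utf-8", "replace")
        report.append({"filename": name,
                       "content_type": part.get_content_type(),
                       "findings": inspect_attachment(name, data)})
    return report


def build_sample_message():
    """Constructed lure: a 'meeting minutes' mail with two hostile attachments."""
    msg = EmailMessage()
    msg["From"] = "staff@example.invalid"
    msg["To"] = "flag-officer@example.invalid"
    msg["Subject"] = "Minutes of commanders' conference"
    msg.set_content("Please find the minutes attached.")
    # Minimal PDF whose OpenAction launches a program when the file is opened.
    fake_pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog "
                b"/OpenAction << /S /Launch /F (cmd.exe) >> >>\nendobj\n%%EOF\n")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="minutes.pdf")
    # A PE stub named to look like a PDF.
    fake_exe = b"MZ" + b"\x90" * 62
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="minutes.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for rec in triage_message(build_sample_message()):
        status = "SUSPICIOUS" if rec["findings"] else "clean"
        print(f"{rec['filename']} ({rec['content_type']}): {status}")
        for finding in rec["findings"]:
            print("  -", finding)
```

The PDF check is deliberately a byte-level scan rather than a full parse: object streams and filters can hide these keys, so a clean result here means only that the cheap check passed, and a real pipeline would detonate the file in a sandbox next.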
In January last year, India’s military intelligence (MI) became a victim of cyber espionage. The hacker group that snooped into MI’s systems got hold of top-classified documents of its communications with the handset makers Nokia and Apple and BlackBerry maker Research In Motion, seeking help in spying on the US-China Economic and Security Review Commission (USCC). According to an independent expert who works closely with security and intelligence organisations, the incident could have been avoided had agencies done a detailed investigation of a similar intrusion into the PMO and other government offices in November 2010.
“While analysing the documents at the dump location [Pastebin.com where documents stolen from MI were posted] we came across the same two documents ‘G20 Services.xls’ and encrypted files that were stolen (in 2010). Had agencies pursued the case more seriously, it could have been easy to anticipate further attacks. Or we would have tracked ‘Lords of Dharmaraja’— the group behind the MI leak,” says Rohit Srivastawa, founder, ClubHack, a group of information security professionals.
In spite of the rise in cyber attacks, the government has yet to learn its lessons. “Iran was hit by Stuxnet (a malware, reportedly developed by the US and Israel; it caused the shutting down of centrifuges at the Natanz nuclear enrichment plant) in 2010. Iran took its lesson in just 12 months. This was evident when Iran promptly figured out the Flame (the most sophisticated malware ever designed for espionage) attack on many of its government facilities in 2011-12. It retaliated and attacked the Saudi oil firm Aramco, which wiped data from 30,000 of its computers and affected its production capacity,” says Dinesh Bareja, cyber security advisor to Jharkhand police.

Finally waking up to the looming dangers, and to protect critical information infrastructure, the government has decided to create an agency, NCIIPC, under the aegis of the National Technical Research Organisation (NTRO), which was set up in 2004 on the recommendations of a group of ministers after Kargil. Before NCIIPC, NTRO itself held the mandate for the cyber security of critical sectors. However, according to the experts, the agency has yet to prove its credentials. Meanwhile, the exposure has grown with the increase in automation across all sectors.
Most nuclear and power plants run on industrial control systems, which can be attacked by manipulating the programmable logic controller (PLC), a digital system that controls machinery, including the speed of motors. When the Iranian nuclear facility was targeted by the Stuxnet worm in 2010, the worm reached the PLCs through the Windows engineering workstations used to program them and altered the controller logic driving the centrifuges. If something similar happens in India, the plants, whether for nuclear enrichment or power production, will be down. In principle, hackers sitting abroad could shut down whole power grids in the country, leading to a blackout like the one of July 30-31 last year. According to Dr Gulshan Rai, director general, CERT-In, whose team carried out an inspection of the power grid in the capital, that blackout was not caused by malware (see interview).
An NTRO official says that though the 2012 blackout was not caused by malware, such an attack is technically possible. “While inspecting the national load despatch centre (NLDC), which monitors electricity being drawn from different power grids by different states, we found that the load despatch at the centre was computer controlled. There is a possibility that this could be exploited as well,” the official says.
“A power blackout in the UK in 2004 happened because of a cyber attack on information systems of British Telecom,” says a former intelligence bureau (IB) sleuth. He claims that the threat came from Chinese hackers, though he refuses to speak about the Indian context.
Equally critical is the transport sector. Flight navigation, radar processing and flight data processing systems are the most critical, and the Airports Authority of India (AAI) keeps them standalone, on separate secured networks.
Of AAI’s 19,000 employees, 3,000 work on the air traffic system and 2,800 handle communication, navigation and surveillance (CNS). Through this critical information infrastructure, these 6,800 employees manage 1,100 to 1,200 airborne flights on a daily basis.
Fortunately, no malware attack has happened so far on these critical networks, which, if compromised, could lead to one of the biggest disasters in history. According to PK Kapoor, executive director (IT), AAI, a malware attack is not possible because all critical networks are air-gapped. “It is just a figment of imagination,” says Kapoor, denying any such possibility.
Nevertheless, the authority has no strict protocol in place to stop employees from using USB devices such as pen drives at their workstations. AAI, Kapoor says, has issued “strict guidelines” advising all employees not to carry USB devices to their workstations. Asked whether there is a routine security check, he says, “No, we don’t have. But we trust our employees.” An air gap is only as strong as the controls on the removable media that cross it; Stuxnet, cited above, entered the isolated Natanz network on exactly this kind of USB device.
According to a former NSCS official, an attempt to hack the passenger information system was made in 2006. It was aborted thanks to some patriotic Indian hackers, who informed authorities in time. The attacks originated from Iran, he adds.
An attempt to shut down the check-in counters at Terminal III of the Delhi international airport was made in 2011.
Fear of the dragon
The government must secure the cyber infrastructure also because the country has been a target of Chinese hacker groups since the early 2000s. A group called ‘Comment’ (the Comment Crew), alleged to have conducted cyber espionage against people and organisations in the US and Europe, has been linked to the people’s liberation army (PLA) of China.
Officials from India and other countries have said that Chinese hackers are harvesting information around the world, and that the information and intelligence thus gathered is put to use in one sector or another. Americans accuse Chinese hackers of stealing intellectual property, commercial intelligence from oil and gas exploration and services companies, and military intelligence through cyber espionage.
An NTRO official, on condition of anonymity, told Governance Now that the state-run Oil and Natural Gas Corporation (ONGC) and a leading private company in the same sector are among the latest victims of cyber espionage over the past couple of years. Three officials we spoke with, however, were not sure of the extent of the damage or the nature of the stolen data. When contacted, ONGC denied having been a victim of cyber espionage.
“During one of our operations we found that the corporation’s information system was hacked by a group,” says the NTRO sleuth. He said the hacker group was working for an Israeli client. ONGC’s international arm, ONGC Videsh Limited (OVL), has operations in 16 countries. Seismic maps, gravity and magnetic data showing probable oil reserves are part of critical data which hackers look out for.
Speaking about the possible impact of cyber espionage on a company like ONGC, an energy expert working with Chevron, the US-based petroleum company, says, “Operating companies share only very limited data with their shareholders, government and partners, while keeping long-term business plans to themselves. Any compromise of this kind of data may affect the company’s future acquisitions and bidding, its stock market price and its relations with its partners.”
One of the forensic experts who inspected ONGC’s computer security claims that even basic protections such as an intrusion detection system were not in place. “During a review, we found that a basic security system like an intrusion detection system (IDS), which is a software tool to monitor the network, was not in use,” he says, referring to the naive approach of the multi-billion dollar corporation towards cyber security.
Cyber espionage against service and operator companies in the oil and gas sector has become a global phenomenon. Many US-based oil and gas corporations have been victims of malware-laden emails, resulting in troves of data leaking to command-and-control servers in China.
“China is sucking information from many countries including India through cyber espionage. The information thus gathered through espionage is exploited for its commercial and strategic value,” says the former NSCS official, who also held the post of national information security coordinator.
Indian armed forces have been victims of Chinese hacker groups for many years. In 2004, a naval admiral got an email purporting to give the minutes of a meeting of Pakistani naval commanders. The mail had a PDF attachment, which he opened, only to find later that it carried malware with instructions to collect all files with the word ‘secret’ in the filename into one location and send them to a command and control centre in China.
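The 2004 implant described above has a simple behavioural signature: one process opens many files whose names match a keyword, then talks to a host outside the organisation. The script below is an added example, not code from the article or from any of the agencies it describes. It runs that detection over a constructed, Sysmon-style endpoint log (the line format, process names, paths and addresses are all assumptions for the example) and exercises the two cases that must not fire: reads too old to be linked to the connection, and a connection that stays inside the internal address ranges.

```python
"""Collect-then-exfiltrate detection (added example; not from the article).

The implant described above gathered every file with 'secret' in its name
and posted the lot to a command-and-control host.  On an endpoint that logs
file reads and outbound connections per process, that shows up as a burst
of keyword-matching reads followed, within minutes, by a connection to an
address outside the organisation.  The log format and all sample lines
below are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed one-event-per-line format: "<iso-time> pid=<n> proc=<name> event=<type> <key>=<value>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) event=(?P<event>\w+) (?P<rest>.+)$")
# Filename keywords worth counting; tune per environment.
KEYWORDS = ("secret", "confidential", "classified")
# Ranges treated as internal (RFC 1918 plus loopback); everything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    key, _, value = ev.pop("rest").partition("=")   # path=... (may contain spaces) or dest=...
    ev[key] = value
    return ev


def sensitive_name(path):
    """True if the file's base name contains one of the keywords (case-insensitive)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(k in name for k in KEYWORDS)


def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines, min_files=5, window=timedelta(minutes=5)):
    """Alert on a process that reads >= min_files sensitive files within `window`
    and then connects to a host outside the internal ranges."""
    reads = defaultdict(list)          # pid -> [(timestamp, path), ...]
    alerts = []
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    for ev in events:
        if ev["event"] == "file_read" and sensitive_name(ev["path"]):
            reads[ev["pid"]].append((ev["ts"], ev["path"]))
        elif ev["event"] == "net_connect":
            host = ev["dest"].rsplit(":", 1)[0]
            if is_internal(host):
                continue
            recent = [p for t, p in reads[ev["pid"]] if ev["ts"] - t <= window]
            if len(recent) >= min_files:
                alerts.append({"pid": ev["pid"], "proc": ev["proc"],
                               "dest": ev["dest"], "files": recent})
    return alerts


# Constructed sample.  203.0.113.0/24 is a documentation range (RFC 5737), used
# here to stand in for an external C2 address.
SAMPLE_LOG = r"""
2004-03-02T10:15:01 pid=4120 proc=acrord32.exe event=file_read path=C:\Users\flag\Desktop\minutes.pdf
2004-03-02T10:15:02 pid=4120 proc=acrord32.exe event=file_read path=C:\Users\flag\Documents\Secret_Deployment_Plan.doc
2004-03-02T10:15:03 pid=4120 proc=acrord32.exe event=file_read path=C:\Users\flag\Documents\secret-signals.xls
2004-03-02T10:15:04 pid=4120 proc=acrord32.exe event=file_read path=C:\Users\flag\Documents\Top Secret Fleet Orders.pdf
2004-03-02T10:15:05 pid=4120 proc=acrord32.exe event=file_read path=C:\Users\flag\Documents\SECRET_memo.txt
2004-03-02T10:15:06 pid=4120 proc=acrord32.exe event=file_read path=C:\Users\flag\Documents\secret_codebook.doc
2004-03-02T10:15:09 pid=4120 proc=acrord32.exe event=net_connect dest=203.0.113.5:443
2004-03-02T09:00:00 pid=2210 proc=winword.exe event=file_read path=C:\Share\secret_budget_1.xls
2004-03-02T09:00:01 pid=2210 proc=winword.exe event=file_read path=C:\Share\secret_budget_2.xls
2004-03-02T09:00:02 pid=2210 proc=winword.exe event=file_read path=C:\Share\secret_budget_3.xls
2004-03-02T09:00:03 pid=2210 proc=winword.exe event=file_read path=C:\Share\secret_budget_4.xls
2004-03-02T09:00:04 pid=2210 proc=winword.exe event=file_read path=C:\Share\secret_budget_5.xls
2004-03-02T10:30:00 pid=2210 proc=winword.exe event=net_connect dest=203.0.113.9:443
2004-03-02T10:40:00 pid=3300 proc=outlook.exe event=file_read path=C:\Share\confidential_roster.xls
2004-03-02T10:40:02 pid=3300 proc=outlook.exe event=net_connect dest=10.0.0.12:445
""".strip().splitlines()


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT pid={a['pid']} {a['proc']} -> {a['dest']}: "
              f"{len(a['files'])} sensitive files read")
```

Only the PDF reader's burst trips the rule: winword's five reads are ninety minutes older than its outbound connection, and outlook's connection goes to an internal file server. The thresholds are deliberately crude; in practice the keyword list, the window and the internal ranges are the three knobs to tune against a baseline of normal activity.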
Over the years the tools used to steal information have grown more sophisticated and complex. In November 2011, the Chinese succeeded in bugging the eastern naval command headquarters at Visakhapatnam. This time an infected USB device was used in place of spear-phishing.
Besides, the hackers are getting smarter and expanding their target base. “They have started targeting small and medium businesses in tier 2 and tier 3 cities like Chandigarh. Earlier, the phishing mails were targeted to the senior people. Now mails are sent to human resource managers. The attackers are targeting the weakest point,” says Shantanu Ghosh, managing director, Symantec India.
While there can be no foolproof guard against cyber attacks, they can certainly be prevented to an extent. But any effort in that direction would involve governance- and process-related issues that need immediate resolution.
One of the primary issues in dealing with cyber security is the lack of focus on defence and the obsession with offence. Multiple organisations are known to be conducting offensive cyber operations, including the research and analysis wing (RAW), NTRO, IB, the defence intelligence agency (DIA) and the information warfare cells of the three defence services, though only two agencies have an offensive charter: NTRO and DIARA, a joint organisation of the three defence forces.
But on the defence side, there is hardly any organisation that proactively prevents and responds to cyber attacks. CERT-In is the one organisation that deals with cyber security cases. However, it is a passive organisation: it acts when organisations approach it for help after an attack. CERT-In has a team of 90 information security professionals. Experts say that CERT-In has a lackadaisical approach to issuing timely notifications of the latest vulnerabilities. “A Java 7 vulnerability which came on January 9-10 was notified on CERT-In’s website only on January 14,” says the former NSCS official.
NCIIPC was formed recently to safeguard critical information infrastructure, but the government doesn’t have a digital inventory of such infrastructure, says Kamlesh Bajaj, CEO, Data Security Council of India. So its first task will be to map the critical assets. Putting in place stringent guidelines and regulations, and ensuring compliance, will be the key to a cyber defence strategy. But as of now, NCIIPC has no regulatory powers: it will issue guidelines, but it will not have the power to enforce them.
Experts also point to the lack of investment in the security of information systems in the government and private sector. In government, says Loknath Behera, the tech-savvy inspector general of police with the National Investigation Agency, current investment in security solutions is quite ad hoc. Behera says the government should increase spending on computer and network security. According to Bareja, as the government spends billions of dollars on defence, it should also give the much-needed priority to cyber security.
Experts also say that the cyber divisions of organisations like NTRO and IB are headed by people who lack hands-on experience with cyber technology. NTRO is a case in point. “Dr MS Vijayaraghavan, a scientist from the defence research and development organisation (DRDO), is heading the cyber wing of NTRO. He doesn’t have any specialisation in electronic and cyber warfare. There are close to 100 people who report to Vijayaraghavan,” says a former NTRO official who has worked with Vijayaraghavan. IB is also said to have a complete lack of understanding of technology. While the agency is good at human intelligence gathering, experts say, it doesn’t have enough technical experts to handle cyber security.
Besides, organisations don’t have specialised teams for handling cyber security. In most organisations, public or private, cyber security is handled by IT administrators, who lack the skills required for dealing with cyber attacks.
“We require a very different set of people with special skills, who can think from a hacker’s perspective. People who can try and find the vulnerabilities through cyber attacking the information systems of the organisation and then certify it accordingly,” says Pillai of Mahindra Special Services Group.
The experts also say that the official appointed chief information security officer (CISO) in organisations lacks executive powers. So even if the CISO tries to do something, she or he is never appreciated or supported by the top management.
Additionally, unlike the US and France, which have a proactive culture of reporting cyber breach incidents, the public and private sectors in the country practise secrecy. Large sections of the bureaucracy prefer to let sleeping dogs lie. No thorough inquiry is conducted. As a result, the attackers are encouraged to repeat their success.
Dr Rai of CERT-In admits that the secrecy culture has to change, which may improve the reporting of cyber incidents. He says the idea of making reporting mandatory is being considered within the government.
Organisations hate auditing. If it is done, it is never sudden, but scheduled. “A couple of days before the auditing, the records are cooked up. The passwords are changed and made eight characters long,” says Pillai. According to Pillai, there is a need to change the way auditing is conducted in organisations. Currently, it is more like a checklist of dos and don’ts ticked off on a piece of paper.
An expert from McAfee India says auditing should be frequent. Microsoft releases its security patches on the second Tuesday of every month (‘Patch Tuesday’), but there are always zero-day vulnerabilities (flaws the attackers find and exploit before the software vendor has a fix), and an audit that only checks for missing patches says nothing about those. “Now if auditing is done once a year or even six months, how can you be sure of security,” the expert asks. “The auditing has to be real-time.”
(The article was published in February 1-15, 2013 issue of Governance Now.)