North Korea has declared that it is at war with South Korea. As per news reports its nuclear missiles are being positioned to target the US as well as South Korea. In response, the US flew stealth bombers close to the North Korean territory.  This reaction could appear drastic but considering the capabilities of North Korea this is not surprising. Besides its nuclear capabilities, North Korea over the years has built an army of as many as 30,000 cyber warfare specialists which over the years have been trained in various aspects of cyber warfare. This indeed is a serious concern and there is a reason too behind it. While there may be stealth bombers, which have been tried and tested to overcome normal combat, measures to control and combat cyber war are in a fledgling state.

With manifold increase in internet applications using computer networks, development of measures to secure these network and applications has been lagging behind. The malware side of software was not anticipated when the applications were developed. Malware which earlier was at best a nuisance has slowly transformed into ransomware where money is being demanded for undoing the damage caused and of late has taken the shape of actual weaponry targeting national networks, for example, the 2007 cyber attack on Estonia in which the entire nation’s computer network was crippled in cyber attacks. Unleashing of Stuxnet, allegedly to impede Iranian nuclear facilities, showed not only sophistication but also use of cyber capabilities to meet political ends.

India, on its part, too has been facing its share of cyber attacks. Most of these attacks have been related to defacement of websites and collection of information from government networks. These trends are worrisome. Countries, across the world, are scrambling for options to prepare against such attacks.

Most options being tried today are in the area of launching counter offensives in case of a cyber attack and also surveillance options to collect information from rival networks. Ghostnet, allegedly developed by China, has almost engulfed computer networks of entire countries and has been secretly scurrying data from their networks. Alongside surveillance, cyber weapons of different types have been developed. Some of these collect information, others make systems dysfunctional (Wiper) and yet others aim at sabotaging critical national infrastructure (Stuxnet).

In this scenario, it is imperative to build a model which will attempt to make these attacks ineffective. With approximately 12 million internet connection and increase in e-commerce transactions in India, development of this model is a need which can’t remain just a thought process anymore.

One of the first steps towards building this model is to promote and develop research capabilities in the area of internet technologies. This includes issues like crypto analysis, surveillance and interception techniques. These topics need to be part of the curriculum of technological institutions in the country. Attempts of research at IITs/IISc and Indian Standard Institution (ISI) will need to be broad-based so that this encompasses and encourages a much larger section of Indian students.

Apart from education and research, another growing need is to develop and enforce standards for computer hardware and applications. Stories of how hardware manufactured allegedly in China being used for espionage abound on the internet. India should be worried about forays of certain technology firms in India which have otherwise found themselves unwelcome elsewhere in the world. The entry of IT-related companies, particularly those dealing with products need to undergo greater scrutiny to ensure safety and security of Indian data. While ISI does provide standards for most items of day-to-day use, computer software and hardware being sold in India should be certified prior to its sale and use in the country. Development and enforcement of standards like Federal Information Processing Standards (FIPS) and expected assurance level (EAL) ratings which are common in the western world need to be considered, if we need to develop an effective preventive model to combat cyber menace in future.

Alongside these measures it is mandatory that laws dealing with the internet use and application are developed and enforced in the country. Limitations on import and export of software at best are loosely defined and need to be more specific and detailed focusing on confidentiality and integrity of data that they are intended to handle. Controls need to exist to prevent people working on connected leased lines developing software for international markets doing illegal work and illegally colluding in future. Development of privacy laws and restrictions as imposed by green harbour principles of Europe are needed to effectively arm this model. Amendments to the IT Act 2000, which was to enforce digital signature regime, fall short of addressing the scale and nature of these attacks.

Lastly, it is required that the entire area of computer research, development and deployment comes under a regulated purview of an independent entity on the lines of Securities Exchange Board of India (Sebi), which should monitor and direct development of right educational requirements, research initiatives, standards and adjudicate on any disputes. This proposition is not without any parallel. In fact, National Institute of Standards and Technology (NIST) in the US does just this and is supported by National Security Agency (NSA) in its efforts. Attempts by private associations and bodies promoted through private initiatives may be good to initiate the process, but have nowhere been able to match up to national needs. These efforts have to be promoted and nurtured by the government, maybe with private support but by private entities alone.

We may not have stealth bombers to terrorise, but we do have world-class talent in computer software. This talent with proper infrastructural support can build and execute protective cyber shield which will safeguard our critical infrastructure in times of need in future.
 

These are the author's personal views.