“Govt thinking about mandatory reporting of cyber attacks”

In conversation, Gulshan Rai, director general, Indian Computer Emergency Response Team (CERT-In)


Pratap Vikram Singh | February 5, 2013



Gulshan Rai has over 25 years of experience in the area of cyber security, e-governance and legal framework on IT. He has drafted the IT Act, 2000 and IT (Amendment) Act, 2008. Currently, he is director general of the Indian Computer Emergency Response Team (CERT-In) under the department of electronics and information technology (DeitY) that is the only government agency tasked to respond to cyber incidents in the non-critical sectors. In an interview with Pratap Vikram Singh, Rai speaks about the cyber security challenges.

Do you think the intervention of nation-states in cyberspace has aggravated threats to national security?
It is true that this technology has a potential to create a greater havoc. IT is a dual-use technology. You can make use of it and it can be used by someone else against you. It has a potential and this has been recognised by countries. This technology has three characteristics – virtual, boundary-less and anonymous.

Without being recognised, I can create advantage, disadvantage, from any to many locations and from many to many locations. I can create spoofing, spam. This is the potential which state actors have realised and made use of it.

Does CERT-In have the capability to deal with advanced persistent threats (APTs) like Stuxnet (a sophisticated software or malware widely categorised as a cyber weapon) and other malware?
We have the capability but we need to enhance it. You need to scale up the facility. A system has been put in place. We are scaling it; currently we are running on a 24x7 basis.

Security experts say India is the third most affected country by Stuxnet.

Initially, 60,000 computers were Stuxnet-affected. Stuxnet starts affecting the moment it comes in contact with programmable logic controller (PLC). It gets activated then. This has been prepared in such a manner. Fortunately, there was no PLC which was affected. Only standalone personal computers (PCs) were infected. These PCs were largely in the private sector and a few in the government. Another characteristic of Stuxnet is that it can be passed only through a USB device.

In a span of three months, we removed infections from 30,000 computers in 2011. The first infection we detected was in July 2010. And in a matter of ten months, we removed most of the infections. We have been working quite closely with Symantec and Trend Micro on this. We wrote to all the government agencies to scan for Stuxnet infection.

There are multiple organisations like national technical research organisation (NTRO), research and analysis wing (R&AW), intelligence bureau and defence intelligence agency working in the cyber security domain. A recent architecture prepared by the national security council secretariat (NSCS) will delineate roles and responsibilities. How beneficial will this be for CERT-In?
There are a number of agencies, which are operating in the area of cyber security. The whole action needs to be coordinated to have an effective force because this is a very technology intensive area – every day you have new incidences, software, hardware, vulnerabilities coming up. So it is better to pool in and coordinate the expertise available in different places. The challenge is so complex that you need convergence among agencies. Many times miscreants don’t attack you directly. They use your servers for launching an attack somewhere else. Like in the case of Estonia, some Indian servers were used to launch attacks. It keeps happening. There are about 50 command and control servers in India. These 50 are not permanent, they keep changing. It is a large population and you can't secure every system. Even if I install an anti-virus, the moment I don't update it, it gets compromised. So given the complexity, you require institutions to coordinate. 

What will be the key highlights of the upcoming, revised policy on cyber security?
We have made a policy, which addresses all public concerns. There are five components we have addressed. We have research and development, best practices, testing of the products, national watch and warning system, international cooperation, capacity development, supply chain management and legal framework. The focus is to have a public-private partnership and international cooperation. The policy will primarily enable investment from industry and there will be more cooperation among different agencies. 

Can you block the posting of manipulated content over social media – an issue that came up in the wake of Assam violence last year?
That is what I am working on. But social media companies are not ready to cooperate. In case of Honey Singh [the singer in controversy for his allegedly misogynist songs], I wrote to Google. But they wrote back saying this is not a violation of their community guidelines.

Our biggest challenge is we don’t get to know who has posted that data. Until we know that, it makes our job difficult. More than 500 million people are using social media sites. Sooner or later the social media companies will have to work with the government to see that the medium is used more positively, constructively and not for posting abuses.

During the Commonwealth Games we had 8,000 cyber attacks on the Games network. Can you tell us whether such attacks have been repeated on any other critical facility?
Earlier, you could ascertain who had attacked. Today the attacks are done using hidden tools and so you can't ascertain the identity of the perpetrator. They are using the virtual private networks (VPN), where you hide your identity. Its source disguises its location. Different locations are being used. Tracking is becoming more and more difficult because of end-to-end encryption.

Today, we are in a state of conflict. The VPN circuits are given for data protection. But today the perpetrators buy this from telecom service providers (TSP) and use it for malicious purposes. And then privacy law comes into the picture. The TSPs don’t reveal customers’ details. So the rules or the law made by the governments are coming in the way of handling those cases because of the nature of technology – virtual, anonymous and boundary-less.

What is the way out?
We are facing this challenge on a routine basis. Technology of decryption is not advancing as much as technology for encryption is. People are using 2,000 bit symmetric technology for encryption, even though the limit is 40 bit. It is a challenge. It is being developed for gainful purposes. But people are also using it for destructive purposes.

What are the challenges you face while dealing with cyber security?
The availability of technology is a challenge. Things are becoming more and more global, technology is moving at a very fast pace. If you don’t have the skill, no one is willing to share the know-how. Technology, the know-how to use it and availability of manpower are major challenges. iPhone 5 was launched recently and Samsung S3 was launched a year back or so. We have challenges in terms of getting forensic data from such devices. 

You need to create lot more expertise in different agencies. We spend a lot of money in training people. We send them to institutions abroad to gain more knowledge there. We spend almost Rs 2 crore on training people. We have arrangements with Microsoft and Cisco for training our people.

For every incident reported, many go unreported. Don’t you think under-reporting should be dealt with through regulation and mandatory compliance?
Reporting of incidents has improved over years. We need to have a trustful relationship with people and organisations – that once reported, the information about an incident will not be disclosed. Any organisation, be it public or private, wants to maintain secrecy on incidents. There are some cultural factors which come into play. The maturity level of society will change.

As we are exposed to new ideas and processes (in cyber security), the perception (about reporting incidents) will improve. The idea of bringing regulations and making incident reporting mandatory is in the thinking process. A year or two down the line we might come up with such a concept.

And as we bring this culture, we will have to be prepared at the backend. Currently, we are a team of 90 members. But in another year, we will scale it up to 250. Cyber security is now being perceived more seriously in the upper hierarchy in the government and private sectors.
