A 1988 batch Indian Police Service (IPS) officer, Muktesh Chander has served in Delhi Police for over 20 years and is known for deploying technology for better policing and traffic management. He is an electronics and telecommunication graduate from Delhi university and is currently pursuing his PhD in information security management from IIT-Delhi. As centre director of the national critical information infrastructure protection centre (NCIIPC), he is establishing an organisation that will deal 24x7 with cyber threats to national security. In an interaction with Pratap Vikram Singh, Chander discusses the emerging profile of newly formed organisation.

Can you tell us the background of the national critical information infrastructure protection centre (NCIIPC) formation?
Before the amendment of IT Act, 2000 in 2008, there was a provision of a protected system under section 70. Anyone who tampered or manipulated with the protected system was severely punished. Later, the term ‘cyber terrorism’ was for the first introduced. Under the IT (Amendment) Act, 2008, critical information infrastructure (CII) was defined and an effort to tamper with it was to be considered as an act of cyber terrorism. Normal cyber security and critical sectors have to be dealt with separately. And a specialised agency has to do this.

According to the legislation, the whole cyber security regime was divided into two sections: 70A and 70B for non-critical sectors. Section 70B mandates CERT-In as the nodal agency to look after non-critical sectors and section 70A was to be given to a specialised agency, which eventually took the form of NCIIPC under the aegis of the national technical research organisation (NTRO). Because of technical expertise and various other reasons, NTRO got this job.

What will be your mandate? Will it also have offensive capabilities?
Protecting an infrastructure has certain steps – early warning, prevention, detection mitigation recovery and response and business continuity. We will try and prevent an occurrence (of cyber attack). We will issue early warning. We will do training and awareness and frame guidelines. This is the mandate NCIIPC has. After taking all precautionary steps, if it still occurs, you need to detect it immediately and then take further steps.

Many countries like the US and South Korea have this mandatory regime for cyber security compliance, where private organisations have to follow certain provisions. In the same way, we will try and evolve similar provisions. But as on date, we don’t have such provisions. On the offensive part, we never said we will be doing any such thing.

To start with, we will ask each ministry and each government which has computers connected to critical operations to appoint a nodal officer as chief information security officer (CISO) who will ensure that all information security procedures are taken in place. This officer is supposed to interact with senior management like the chief secretary or the head of particular department or public sector undertakings.

The CISO will then start the exercise of identifying the level of automation and the critical infrastructure within the organisation. At NCIIPC, we will keep revisiting these issues on periodic audit and vulnerability testing. 

When is it being notified?
We have sent papers to the department of electronics and information technology (DeitY) and we are awaiting a formal notification as well as promulgation of rules. DeitY is the nodal agency for the implementation of the Act. Notwithstanding a formal promulgation, we are working towards a roadmap for protecting CII.

What is the magnitude of challenge we face in cyber security?
To my knowledge, no detailed survey of CII has been done, so we can’t precisely ascertain the magnitude. But NCIIPC will be doing all those required studies. Cyber espionage of industrial, economic and political nature is one of many cyber breaches which are taking place in the country.

Last year, we had a major power blackout across north India – of course, due to overdrawing of power. But don’t you agree power plants and power grids are vulnerable to cyber attacks?
Yes, power plants are vulnerable to cyber attacks. The programmable logic controller (PLC) under SCADA system – a kind of industrial control system – decides the revolution per minute (RPM) of a motor. If by cyber manipulation the RPM is increased many times, the motors will burst and the power plant will come to a standstill. The same happened to nuclear centrifuges in Natanz in Iran, where the nuclear enrichment plant was infected by Stuxnet worm – one of the most lethal cyber weapons. As long as you have industrial control systems governed by computers, you will remain vulnerable.

What are the latest trends in cyber threats?
Spear-phishing is one. It is a well-crafted mail targeted for certain people (in the upper echelons of the government and the private sector). Usually, the mail carries malware in the attachment. An innocent-looking PDF file can carry a malware. Malware can be designed for stealing, damaging a particular thing, disrupt or use a system as the launching pad (for sending spam or spreading the infection further).

Given the dynamic nature of threat, will you oversee the security on a real-time basis?
Most countries have come up with systems and processes aiming to protect their vital assets on a 24x7 basis. As it evolves, NCIIPC will have a similar system. The guideline for protecting CII is on the anvil. Training and awareness will be an important activity. As and when required, mandatory provisions will be added so that the directions are complied by CII organisations. However, it will be more of a mutually beneficial relationship between organisations and NCIIPC. We will have a cyber operation centre which will be running 24x7 for all stakeholders. It has to be a two-way process.

Will you also monitor the network?
Everything coming in and going out of the network of a particular organisation is the responsibility of the organisation. Then only they can guard from any intrusion. Each one of them will be monitoring their own network. From theirs, we will also be taking a lot of information, collating and analysing whether a particular vector is trying to target many such networks or not.

Does that mean you will have access control to the networks of all critical facilities?
This is a technical question beyond the scope of this conversation. What I can say is that each network must have its own intrusion detection and intrusion prevention systems and certain types of tools to monitor what is happening with their network. They are already doing it. But there are better and more secured ways of doing it.

Can you elaborate on the NCIIPC’s five-year plan?
It is a five-year perspective plan about how we are going to identify stakeholders, how we increase the manpower, how we spread training and awareness and how we install our sensors.  Sensors will be implanted for detecting malware and threats. We have to get connected to stakeholders. Only then two-way information-sharing can take place.

Human resource has been a challenge. How do you plan to address?
Cyber security is a new area and a combination of several disciplines. There is a shortage of trained manpower. A lot of academic institutes and other organisations are working on it. We will also have a training division to equip all stakeholders. The human aspect of information security has just started gaining importance. The man behind the machine is equally important. Whatever technology or tools he may use, intentionally or unintentionally, information security will be breached if not practised restraint.

How big is your team?
In the five-year plan, we have indicated our requirement for HR. We expect to be a team of 200 to 300 people in days to come.

How much will be the annual spending?
It will be too early to say. It could vary from Rs 50 crore to Rs 200 crore.