“We have a multi-pronged approach to fighting cyber crimes”: Dr Ajay Kumar
Dr Ajay Kumar, Additional Secretary, Ministry of Electronics and Information Technology, speaks to Executive Editor Ullekh NP about the steps the government of India is taking to enhance the country's cyber security prowess
What are the steps the government is expected to take to enhance cyber security in the face of rising attacks?
In tune with the dynamic nature of Information Technology, continuous efforts are being made to prevent and recover from cyber attacks. As such, the protection of India’s Information Technology infrastructure in general and critical information infrastructure in particular is a dynamic activity and continuing process.
Government is aware of the nature of the threats in Cyber Space. Cyber attacks are being observed from time to time on networks operating in Government, public and private sector. These attacks are observed from the IP addressesof number of countries including USA and China. In the cyber attacks, positive attribution is a challenge, since the attackers are compromising computer systems located in different parts of the world and use masquerading techniques to hide the identity of actual system from which the attacks are being launched.
In order to enhance the cyber security posture of Indian cyber space, Government is following an integrated approach with a series of legal, technical and administrative steps to ensure that necessary systems are in place to address the growing threat of cyber attacks in the country.
Key actions being pursued in this regard are:
• Implementation of National Cyber Security Policy and framework
• Capacity building and training of manpower engaged in operation of critical networks to protect their systems and networks;
• Creation of mechanisms to generate situational awareness about cyber attacks in near real time
• Implementation of cyber assurance mechanisms in the form of security audits, creation of panel of cyber security auditors and conducting mock cyber security drills to assess and improve security posture of organizations.
• Information security education and awareness programs for citizens
• Enhancing international cooperation through bilateral and multilateral dialogues
Are you looking at hiring ethical hackers or teenagers (or young adults) the way US, Israel, Russia and others (and also North Korea) have done to help with combating cyber crime?
Creation of skilled cyber security manpower is an important task to ensure overall security of cyber space. Government is implementing programs to create capacity through formal and informal education programs in collaboration with academic institutes and industry associations. (NASSCOM, DSCI, CII).
Skilled people trained in security aspects of different platforms, software and computer networks are to be used in a meaningful manner to assess the security posture of organisations, business, services and associated systems. As such people with skill set in vulnerability assessment and Penetration Testing are to be used in professional manner and are required by the organizations in Government, Public and private sector to conduct cyber security audits and assessments. Government is empanelling cyber security auditing companies after testing their capabilities in terms of technical skills and certified manpower.
How do you plan to enlist the support of the private sector in this effort?
Government is collaborating with Industry associations to evolve policies, and capacity building initiatives. Programs are devised to create facility for training of Law Enforcement Agencies in cyber forensics, collaborating with academia for information security education and awareness campaigns.
A recent survey by Assocham and PwC on Cybercrime in India found the number of Cyber-crime amplified by a high rate of 350% from 2011 to 2014. How do you react to this shocking report?
As per the latest cyber crime data made available by NCRB, a total of 2876, 4356 and 7201 Cyber Crime cases were registered under Information Technology Act 2000 (IT Act 2000) during 2012, 2013 and 2014 respectively. A total of 601, 1337 and 2272 cases were registered under Cyber Crime related Sections of Indian Penal Code (IPC) during 2012, 2013 and 2014 respectively.
As per the information reported to and tracked by CERT-In, a total no. of 41319, 44679 and 49455 cyber security incidents including phishing, scanning, malicious code, website intrusion, Denial of Service etc., were reported during the year 2013, 2014 and 2015 respectively.
The Information Technology based services and usage of IT and cyber space for businesses are growing exponentially. Internet users in India have grown from 302 million in March 2015 to 380 million in January 2016 and estimate to touch 462 million by June 2016. As such, focus of adversaries is increasing on online systems and stealing of data and credentials to conduct financial frauds.
Enhancing security of cyber space and Information Technology infrastructure is a continuous activity.
• In order to enhance overall trust in IT and online systems, Government is focusing on promotion of best practices and mandating periodic audits of IT infrastructure of key organizations in critical sectors such as Banking & Finance, Defence, Telecom etc.
• National Critical Information Infrastructure Protection Centre (NCIIPC) has been established, as per the provisions of Section 70A of the Information Technology Act 2000, for protection of Critical Information Infrastructure in the country.
• The Indian Computer Emergency Response Team (CERT-In) issues alerts and advisories regarding latest cyber threats and countermeasures on regular basis. CERT-In is working with key organizations and is enabling implementation of cyber crisis management plan. CERT-In is conducting mock drills to enhance cyber security posture of organizations. CERT-In is conducting cyber security trainings for IT / cyber security professionals of Government and critical sector organisations. During the year 2015-16, 24 training programs were conducted covering 960 participants.
• Ministry of Electronics & Information Technology (MeitY) is implementing the project ‘Information Security Education and Awareness (ISEA) Project with an objective of capacity building in the area of Information Security, training of Government personnel and creation of mass Information Security awareness.
Are you taking stock of latest developments in the world of cyber crime? What are the key trends? What are the worries for India? What are our strengths and weaknesses on the cyber security front?
Cyber security incidents observed in the country include phishing and identify theft targeting individuals, Denial of Service attacks on business networks, website intrusions, propagation of malware such as Bots and Ransomware and Spam.
Cyber crimes such as unauthorised access, cyber frauds and social media abuse are also on the rise.
In order to curb cyber crimes the following actions being pursued:
i. The Information Technology Act, 2000 provides a comprehensive legal framework to address the issues connected with cyber crime, cyber attacks and security breaches of information technology infrastructure.
ii. Cyber Crime Cells have been set up in all States and Union Territories for reporting and investigation of Cyber Crime cases.
iii. Government has set up cyber forensic training and investigation labs in CBI Academy Ghaziabad, north-eastern States, Kerala, Jammu & Kashmir and Uttarakhand for training of Law Enforcement officers and Judiciary in these States.
iv. Industry associations such as Data Security Council of India (DSCI), NASSCOM, to setup Cyber Forensic Training Labs in metro cities such as Mumbai, Pune, Bangalore and Kolkata, have taken up tasks of awareness creation and training programmes on Cyber Crime investigation.
v. Academia like National Law School, Bangalore and NALSAR University of Law, Hyderabad are also engaged in conducting several awareness and training programmes on Cyber Laws and Cyber crimes for judicial officers.
vi. Number of Cyber forensics tools for collection, analysis, presentation of the digital evidence have been developed indigenously and such tools are being used by Law Enforcement Agencies.
vii. Indian Computer Emergency Response Team (CERT-In) and Centre for Development of Advanced Computing (CDAC) are involved in providing basic and advanced training to Law Enforcement Agencies, Forensic labs and judiciary on the procedures and methodology of collecting, analysing and presenting digital evidence.
viii. Government has formulated a set of investigation manuals with procedures for Search, Seizure Analysis and Presentation of digital evidence in courts. The manuals have been circulated to Law Enforcement Agencies in all States.
ix. Reserve Bank of India (RBI) issues Circulars/advisories to all Banks on cyber attacks and preventive / detective measures to tackle the same
x. Ministry of Electronics & Information Technology (MeitY) is conducting programs to generate information security awareness. Specific books, videos and online materials are developed for children, parents and general users about information security which are disseminated through Portals like “www.infosecawareness.in”, “www.secureelectronics.in” and “www.cert-in.org.in”.
How good are India’s cyber offensive capabilities?
In tune with the dynamic nature of Information Technology, continuous efforts are required to be made to prevent and recover from cyber attacks. As such, like elsewhere in the world, the protection of India’s Information Technology infrastructure in general and critical information infrastructure in particular is a dynamic activity and continuing process. Government is engaging in various international forums to evolve global cyber norms and responsible online behaviour.