- November 17, 2020
- Posted by: admin1
- Category: MMN
Cyberspace and Cybersecurity
According to Defence White Paper 2009, Cyberspace is a virtual domain, different, to the physical domains of air, sea, land and space. Cyberspace refers to the virtual computer world, and more specifically, an electronic medium that is used to facilitate online communication. Cyberspace typically involves a large computer network made up of many worldwide computer subnetworks that employ TCP/IP protocol to aid in communication and data exchange activities.
- Cyberspace’s core feature is an interactive and virtual environment for a broad range of participants. They can also manipulate electrical, magnetic, and optical impulses to perform complex arithmetic, memory, and logical functions.
- .Cyberspace is the dynamic and virtual space that such networks of machine-clones create. In other words, cyberspace is the web of consumer electronics, computers, and communications network which interconnect the world.
Cyber situation in India –NITI AAYOG
India ranks 3rd in terms of the highest number of internet users in the world after USA and China, the number has grown 6-fold between 2012-2017 with a compound annual growth rate of 44%. • India secures a spot amongst the top 10 spam-sending countries in the world alongside USA • India was ranked among the top five countries to be affected by cybercrime, according to a 22 October report by online security firm ”Symantec Corp”.
SOURCE : NITI AAYOG
STRUCTURE OF CYBER SPACE
Cyberspace has four distinct components—Information, Physical Systems, Cognitive Actions, and People. It simply represents the interconnected space between computers, systems, and other networks. The creation, capture, storage and processing of information is central to the domain.
It exists in the form of bits and bytes – zeroes and ones (0’s and 1’s). In fact, the entire cyberspace is a dynamic environment of 0’s and 1’s which changes every second. These are simply electronic impulses. Also, it is an imaginary location where the words of two parties meet in conversation.
Cyberspace vs. Physical World
|Static, well-defined, and incremental||Dynamic, undefined, and exponential|
|Has fixed contours||Is as vast as the human imagination and has no fixed shape|
Firstly, cyberspace is a digital medium and not a physical space. It is an interactive world and is not a copy of the physical world. Here are some differences between cyberspace and the physical world:
THE IMPORTANCE OF CYBERSPACE TO NATION SECURITY
The control of cyberspace is important not only because of the actions of individual participants but because the infrastructure of cyberspace is now fundamental to the functioning of national and international security systems, trade networks, emergency services, basic communications, and other public and private activities. Because national governments see potential threats to the security of their citizens and to the stability of their regimes arising within cyberspace, they act to control both access and content.
- 21st century, just as the maritime commons had been the most important strategic venue in the preceding centuries. He notes the importance of the cyberspace commons to trade and communication.
- Cyberspace’s information layer is a social construct. Much of the value in cyberspace is stored not only in the code on servers, but also in the various patterns of interaction that take place via the exchange of code between servers.
- Cyberspace is a human-made domain, subject to quick and constant reorganization and reconstruction. This is true of both the physical layer, which is comprised of terminal appliances, fiber-optic cables and radio frequency spectrum, as well of the information layer. 17
- Cyberspace is a venue for military activity. This includes a spectrum of activities across the political, strategic, and tactical levels—from the formation of alliances, to competition for superiority, to low-intensity conflict, espionage and surveillance to complete warfare
- National defense is no longer ensured only through maintaining the sanctity of one’s borders, but is also highly dependent upon the ability to navigate safely, not only through the global commons but also through cyberspace, to ensure that the economic interests of the nation is looked after.
SOURCE: NITI AAYOG
A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general.
Cybercrime is a crime that involves a computer and a network. The computer may have been used to commit the crime and in many cases, it is also the target. Cybercrime may threaten a person or a nation’s security and financial health.
- Identity theft – Identity theft is defined as theft of personnel information of an individual to avail financial services or steal the financial assets themselves.
- Cyberterrorism – Cyberterrorism is committed with the purpose of causing grievous harm or extortion of any kind subjected towards a person, groups of individuals, or governments.
- Cyberbullying – Cyberbullying is the act of intimidating, harassment, defaming, or any other form of mental degradation through the use of electronic means or modes such as social media.
- Hacking – Access of information through fraudulent or unethical means is known as hacking. This is the most common form of cybercrime know to the general public.
- Defamation – While every individual has his or her right to speech on internet platforms as well, but if their statements cross a line and harm the reputation of any individual or organization, then they can be charged with the Defamation Law.
- Trade Secrets – Internet organization spends a lot of their time and money in developing software, applications, and tools and rely on Cyber Laws to protect their data and trade secrets against theft; doing which is a punishable offense.
- Freedom of Speech – When it comes to the internet, there is a very thin line between freedom of speech and being a cyber-offender. As freedom of speech enables individuals to speak their mind, cyber law refrains obscenity and crassness over the web.
- Harassment and Stalking – Harassment and stalking are prohibited over internet platforms as well. Cyber laws protect the victims and prosecute the offender against this offense.
Why is cybercrime increasing?
- Information theft is the most expensive and fastest growing segment of cybercrime. Largely driven by the increasing exposure of identity information to the web via cloud services. But it is not the only target. Industrial controls that manage power grids and other infrastructure can be disrupted or destroyed. And identity theft isn’t the only goal, cyber-attacks may aim to compromise data integrity (destroy or change data) to breed distrust in an organization or government.
- Cybercriminals are becoming more sophisticated, changing what they target, how they affect organizations and their methods of attack for different security systems.
- Social engineering remains the easiest form of cyber attack with ransomware, phishing, and spyware being the easiest form of entry. Third-party and fourth-party vendors who process your data and have poor cybersecurity practices are another common attack vector, making vendor risk management and third-party risk management all the more important.
- According to the Ninth Annual Cost of Cybercrime Study from Accenture and the Ponemon Institute, the average cost of cybercrime for an organization has increased by $1.4 million over the last year to $13.0 million and the average number of data breaches rose by 11 percent to 145. Information risk management has never been more important.
- Data breaches can involve financial information like credit card numbers or bank account details, protected health information (PHI), personally identifiable information (PII), trade secrets, intellectual property and other targets of industrial espionage. Other terms for data breaches include unintentional information disclosure, data leak, cloud leak, information leakage or a data spill.
Other factors driving the growth in cybercrime include:
- The distributed nature of the Internet
- The ability for cybercriminals to attack targets outside their jurisdiction making policing extremely difficult
- Increasing profitability and ease of commerce on the dark web
- The proliferation of mobile devices and the Internet of Things.
What is the impact of cybercrime?
A lack of focus on cybersecurity can damage your business in range of ways including:
- Economic costs: Theft of intellectual property, corporate information, disruption in trading and the cost of repairing damaged systems
- Reputational costs: Loss of consumer trust, loss of current and future customers to competitors and poor media coverage
- Regulatory costs: GDPR and other data breach laws mean that your organization could suffer from regulatory fines or sanctions as a result of cybercrimes
All businesses, regardless of the size, must ensure all staff understand cybersecurity threats and how to mitigate them. This should include regular training and a framework to work with to that aims to reduce the risk of data leaks or data breaches.
Given the nature of cybercrime and how difficult it can be to detect, it is difficult to understand the direct and indirect costs of many security breaches. This doesn’t mean the reputational damage of even a small data breach or other security event is not large. If anything, consumers expect increasingly sophisticated cybersecurity measures as time goes on.
How to protect organization against cybercrime (general suggestions to private and public organization)
There are three simple steps you can take you increase security and reduce risk of cybercrime:
- Educate all levels of your organization about the risks of social engineering and common social engineering scams like phishing emails and typosquatting
- Invest in tools that limit information loss, monitor your third-party risk and fourth-party vendor risk and continuously scan for data exposure and leak credentials
- Use technology to reduce costs like automatically sending out vendor assessment questionnaires as part of an overall cyber security risk assessment strategy
Companies should no longer be asking why is cybersecurity important, but how can I ensure my organization’s cybersecurity practices are sufficient to comply with GDPR and other regulation and to protect my business against sophisticated cyber-attacks.
The term cyberterrorism refers to the use of the Internet in order to perform violent actions that either threaten or result in serious bodily harm or even loss of life. Cyberterrorism acts often aim to achieve political or ideological advantages by means of intimidation, fear and threat.
Sometimes, the definition of cyberterrorism expands to cover the terrorist activities like intentional disruption of computer networks through using various tools like worms, viruses, phishing activities and various other malicious software and programming scripts.
Cyberwarfare encompasses all the actions and processes that aim to attack a nation in order to cause harm that is comparable to the traditional warfare. Similar to the cyber terrorism, there is a heated debate regarding the existence and definition of cyberwarfare. Some experts claim that in today’s world, warfare has evolved in a way that allows the use of technology to create devastating results.
- The U.S. Defence Science Board, in a recent report had cautioned that the U.S. cyber defence capabilities were not up to the mark. It additionally noted that the next decade is bound to witness massive additional deployment of cyber offence capabilities by many nations.
- Significantly, India is consciously and speedily making a serious foray into digital space. India’s vulnerabilities are only bound to grow exponentially. A 2017 study found that India ranked 4th in online security breaches. India also accounted for over 5% of global threat detections.
Cyber spying is the act of engaging in an attack or series of attacks that let an unauthorized user or users view classified material. These attacks are often subtle, amounting to nothing more than an unnoticed bit of code or process running in the background of a mainframe or personal workstation, and the target is usually a corporate or government entity.
The goal is typically to acquire intellectual property or government secrets. Attacks can be motivated by greed or profit, and can be used in conjunction with a military operation or as an act of terrorism
Recent case study
The Indian Express’s ‘China is Watching‘ investigation has spotlighted an elaborate operation by a Shenzen-based technology company with links to the government in Beijing and the Chinese Communist Party, to keep tabs on a very large number of individuals and entities in India.The company, Zhenhua Data Information Technology Co. Limited, calls itself a pioneer in using big data for “hybrid warfare” and the “great rejuvenation of the Chinese nation”
What are the various cyber threats?
1.Cyber threats can manifest in many ways.
- The most visible are cybercrimes, cyber theft, cyber espionage, cyber intrusions etc.
- These are relatively low-end threats.
- Criminal hackers can certainly cause data breaches and even financial loss.
- Countering such large scale threats is important.
- The real danger lies in targeted cyber-attacks coming from adversarial nation states that carry out strategically planned and sophisticated cyber-attacks.
- “Stuxnet Attack”, which damaged the Iranian nuclear centrifuge facility, is thought to be a cooridated operation of the governments of U.S. and Israel.
- Cyber tools are slowly becoming a regular part of the arsenal of nations.
2.What are the challenges?
- Nuclear deterrence works because there is clarity on the destructive potential.
- But this is not the case with cyber warfare.
- Notably, cyber capabilities of an adversary is not all that apparent.
- This is because unlike nuclear arsenal, there are no missiles to be counted.
- Besides these, identifying the time of the start of the attack and tracking the origins of the attack are also complex tasks.
- For these reasons, deterrence in cyber domain cannot operate in isolation.
- It thus needs the support of economic and diplomatic domains as well.
What is required?
The three main components of any national strategy to counter cyber threats are defence, deterrence and exploitation.
- Defence – For the defence of critical cyber infrastructure, National Critical Information Infrastructure Protection Centre (NCIIPC) was established. While this is a positive, it now needs to partner individual ministries and private companies.
- It should put procedures in place to honestly report breaches.
- However, there are limits to defensive strategies in the cyber domain as the field is highly conducive for offensive capabilities.
- Therefore, cyber deterrence and exploitation have become important, although they are complex and not completely understood now. What are the structures that need to be created?
- Militaristic View – The most serious cyber-attacks are when an external state threatens the national security of India by exploiting the cyberspace.
- The danger cannot be countered by an intelligence agency like the NTRO or a research organisation like the DRDO.
- The lead agency to deal with this will have to be the defence services.
- This has to gather intelligence, evaluate targets and prepare cyber-attack plans.
- Also, cyber operations cannot be a standalone activity.
- It has to be integrated with land, sea and air operations, as a part of information warfare.
- Defence Cyber Agency – India is one of the few countries which still do not have a dedicated cyber Command in its military.
- While the setting up of a Defence Cyber Agency has been announced, the effort looks lacklustre and half hearted.
- It is important for a dedicated cyber agency to have significant autonomy.
- It should have an expanded mandate on its own to erect a strong cyber arsenal.
National Cyber Security Policy (NCSP), 2013: Creating a framework for cyber security
The need of NCSP was felt in context of dynamic growth in cyberspace and need to create a safety framework to prevent its misuse. It was felt even more so because of Edward Snowden-led leak which highlighted snooping by USA, which even included Indians.
Vision and objectives of NCSP.2013:
- Secure and resilient cyberspace for citizens, government and businesses.
- Protecting information and National Critical information infrastructure, building capability to prevent and respond to cyber threats, reduce vulnerabilities and damages from various cyber threats.
- Strengthening regulatory structure for secure cyberspace.
- Conformity compliance for global security standards and best practices.
- 500000 skilled professionals in cyber security and research in security technology to align national cyber security with the indigenous technology.
- Effective prevention, investigation and prosecution of cybercrime and enhancement of capabilities through legislative intervention
Features or strategies of NCSP,2013:
- Creating a secure cyber ecosystem: This will start with a national nodal agency to coordinate all cyber security related aspects in country and include all organisations (private and public) for appointing a Chief security officer, earmarking fund for cyber security, adopting trustworthy and safe indigenous technology to protect information.
- Creating an assurance framework: Adopting global best practices for cyber security and compliance with global standards (Ex- ISO 27001 ISMS certification, Vulnerability assessment etc) and identify information infrastructure at each level with risk assessment followed by periodic tests.
- Encouraging Open standards to facilitate interoperability and data exchange among products and services.
- Strong Regulatory framework: Legal standards to regulate technological developments and challenges coming from newer technologies like cloud computing, social media, encryption etc with periodic audit of information infrastructures.
- Creating mechanisms for security threat early warning, vulnerability management and: A 24×7 National Level Computer Emergency Response Team (CERT-In) for all sectors and develop a Cyber Crisis Management plan for response.
- Securing e–Governance services and critical information infrastructures: Promote global best practices and Public Key Infrastructure (PKI) within government for secure communication. Operate a 24×7 National Critical Information Infrastructure Protection Centre as nodal body for protection and protection of such infrastructure to be made part of business plan.
- Promote research and development (Centres of excellence in strategic areas)reducing Supply Chain risks through testing infrastructure, trusted relations with vendor etc.
- Promoting skill development and creating awareness about cyber threats and steps for prevention, while seeking PPP model to achieve cyber security in country and seeking bilateral or multilateral cooperation through information exchange.
Analysing the NCSP,2013: Positives
- Mix of market-driven and regulatory approach: Many like USA went for market-driven approach. It was seen businesses were not forthcoming as it will raise cost. NCSP,2013 takes a balanced approach. Ex- Mandatory audit of information infrastructure (Regulatory) and incentives for adopting good practices, creating security framework.
- CERT-In as nodal agency for coordination on cyber security matters and National Critical Information Infrastructure Protection Centre (NCIIPC) for protection of National Critical Information structure has been strengthening India’s cyberspace.
- PPP model envisaged for cyber security has started and this will help build a better and all-encompassing cyber ecosystem.
- Security implicit in economic growth: The policy highlights role of Information technology in making India IT hub. By incentivising businesses to make security part of business plan it seeks to achieve both.
- Created necessary initial framework for cyber security: From CERT-in to audit machinery, Cyber forensic infrastructure in states, Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) to make security accessible to all, the policy has been instrumental in driving efforts towards it.
Concerns with NCSP,2013:
- Snooping and privacy concern: Policy seeks to secure the transactions of citizens, companies and public services on the web. While it is commendable, yet, experts argue in absence of Data Protection laws this may lead to government snooping or leakage of data. Ex- Leakage of Aadhar data from government’s site last year
- Concentration of power in few central bodies: Policy talks of National level nodal agencies, but does not mention state level agencies (Ex- State CERT-In) or role of civil society groups or technology experts from outside.
- Regulatory concerns: It has potential to prohibit innovation in times when disruptive technologies are a reality. New start-ups, social media are worried about government sanctions under IT act.
- Double challenge of terrorism and environmental threat overwhelming India’s cyber security policy: The malware attacks at the Kundankulam Nuclear Power Plant and the Indian Space Research Organization (ISRO)Honey trapping of an Indian Air Force Officer in 2018 highlighted shortcomings in protection of critical infrastructure as well as leakage of secret information.
- ‘Critical’ in protection of Critical Information infrastructure is ambiguous and includes many things, which denies aim of protecting these by making task huge.
- Weak cyber offensive and defensive framework: India amidst Chinese aggressiveness on border is aware of threats like Stuxnet malware, a U.S.-Israel joint operation to target Iran’s nuclear enrichment plant in Natanz. But, the NCSP,2013 falls short on that aspect.
- Not in sync with the time: The NCSP,2013 was prepared when cloud computing, social media were seen as newer technology. But, disruptive nature of technology has seen AI, 5G, Internet of Things etc. overwhelming preparedness.
- Multiplicity of agencies with overlapping functions: National Technical Research Organisation (the nodal agency for cybersecurity under National Security Advisor) and the Ministry of Communications and Information Technology impede cooperation lacks cooperation and differs on each other’s jurisdiction.
- Increased cyber threats post-Covid19 led digitation: According to the Ministryof electronics and Information Technology, the number of incidents tripled in July and August this year.
National Cyber Security Strategy (NCSS) 2020
India amidst rising digitisation and cyber threats is seeking to create a secure cyberspace in India. It envisions safe, secure, resilient, trusted and vibrant cyberspace for India’s prosperity. It seeks to fill the gap between emerging needs of cyberspace and the National Cyber Security Policy,2013 (Ex- new technology challenges like AI, 5G,IoT etc).
It seeks to create a separate cadre of cyber security specialists from IT personnel because those who roll out IT infrastructure are generally unable to detect the flaws. It is particularly important when India under BharatNet programme seeks to connect all panchayats through optical fibre network.
It also seeks to bolster Decision support system particularly for defence, intelligence and security purposes.
Pillars of NCSS,2020
- Secure: It envisions securing the cyberspace. Under this strategy has to be made for securing large scale digitisation of public services (increased post Covid19), supply chain security (Both procurement and deployment from global supply chain and also indigenous supply chain), protect Critical Information Infrastructure against state and non-state threats, digital payment (mapping and modelling transactions and third-party security assurance mechanism) and state level cyber security through capacity building and investment.
- Structure, institution and governance by making national cyber emergency bodies accountable and global security norms compliance.
- Budgetary provision to provide for a separate demand for cyber security.
- Research, Innovation and technological development (Ex- A Fund for Fund for cybersecurity R&D)
- Capacity and skill building through national level overarching frameworks under NSDC.
- Audit and assurance to keep pace with the recent digital footprints.
- Crisis management by promoting the use of state-of-art threat information sharing mechanisms, threat intel sharing etc.
- Data security and governance through a data centric approach.
- Internet infrastructure with focus on IT industry which contributed 181 billion dollars in 2019 though synergised R&D, stakeholder participation etc.
- Standard development and creating awareness regarding same
- Cyber Insurance for cyber risk management. Global cyber insurance market is set to reach 22.4 billion dollars by 2024.
- Brand India to seek benefit out of India’s IT capacity.
- Cyber diplomacy to strengthen information sharing and exchange technology
Covid19 has accelerated digitisation in all spheres. But India still suffers huge digital divide (rural vs urban, male vs female etc). Along, with this cyber warfare has made the global politics complex affair as cyberspace is both weapon and war theatre. Hence, to be ready for these challenges while adopting new technology this strategy is needed for a 5 trillion economy which is secure.
National Cyber Security Architecture
Any all-encompassing cyber security architecture in a state needs security of individuals, organisations and government. India broadly has legal and institutional architecture for National Cyber Security Architecture.
Legal and policy regulation of cyber security in India:
- Information Technology, Act 2000 (Amended in 2008): It is the primary law dealing with the cyber crime and electronic commerce in India.
Amendment in 2008 was focussed on cyber security (2000 act was more to regulate e-commerce). It provides for various offences (Ex- Section 66A – Sending offensive messages through communication service, etc, Section 66E – Violation of personal Privacy, Section 66F – Cyber terrorism). It included Data protection (Section 43) and Privacy (section 72), Information Security, Digital Signature, the role of CERT-In etc.
- National Cyber Security Policy, 2013 and now National Cyber Security Strategy, 2020 to gibe direction and strategic inputs with a broad framework for cyber security.
- The personal Data Protection Bill, 2019 for protection of individual’s data on the recommendation of B N Srikrishna committee.
- Cyber Crisis Management Plan (CCMP) for countering cyber threats and cyber terrorism
- National Cyber Security Coordination Centre (NCCC): For situational awareness of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual entities.
- Cyber Emergency Response Team – India (CERT-In) for responding to computer security incident involving all sectors.
- National Critical Information Infrastructure Protection Centre (NCIIPC) for protection and resilience of India’s critical information infrastructure.
- National Technical Research Organisation (NTRO) a national intelligence gathering agency under National Security Advisor.
- Indian Cyber Crime Coordination Centre (I4C): It is the nodal point in the fight against cybercrime under Ministry of Home Affairs. It seeks to prevent misuse of cyberspace against extremist and terror groups.
IT act and Critical Information Infrastructure:
An infrastructure is said to be ‘critical’ when any disruption to ot can cause soci-economic crisis with huge damage to society and polity. Critical information infrastructure seeks to secure such infrastructure which if falls in wrong hand can create havoc (Ex- leakage of 2 lakh debit card info before few years or aadhar data leakage or Power grid based on smart architechture).
- Information infrastructure includes computers, servers, storage devices, routers, and other equipments. They are always threatened today for breach and cyber attacks by state and non-state actors.
- Section 70 of the IT Act defines “critical information infrastructure (CII)” to be “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.
- The Central government is vested with the authority to declare information security and associated practices under the IT act. Ex- It delcared UIDAI Central Identities Repository facility as protected.
- Under the IT Act, the government created National Critical Information Infrastructure Protection Centre (NCIIPC), an organization under the National Technical Research Organization (NTRO) to ensure protection of CII.
- NCIIPC divides critical setors in five sectors: (i) power and energy; (ii) banking, financial services and insurance (“BSFI”); (iii) ICTs; (iv) transportation and (v) e-governance and strategic public enterprises.
Thus, India has started good to protect its CII. Yet, few concerns remain:
- Diluting of ‘Critical’ information infrastructure: Ex- Chattisgarh government few years back even included all government department website which didn’t even had critical impact on society. Such actions weaken the whole framework.
- Lacks all stakeholder approach: NCIIPC under NTRO an intelligence agency leads to inter-departmental coordination issues.
- Absence of sector specific guidelines and Standard Operting Procedures in case of cyber attack.
Way ahead for overall cyber security framework for India:
- Establishing state CERT-Ins to coordinate with the central CERT-In.
- Budapest convention: First international treaty addressing internet and computers by harmonising countries laws. India needs to start process to be a part of it in a gradual process to ensure global cooperation and learn from lesson learnt.
- Data security: By passing Data protection bill and focusing on sovereignty of data (India is a net exporter of data), localisation of data storage, filtering out risky apps and websites (Ex- Recent ban on Chinese apps on these grounds).
- Awareness and addressing digital divide due to digital illiteracy by adherence to Paris Call (Regularly changing passwords, updating software and hardware, use licensed software etc.)
- Building India’s offensive as well as defensive capability in cyberspace by investing in R&D.
- Cyber security professionals from IT industry to be trained and build India’s capacity.