India and Cyber Security
In order to highlight the growing threat to information security in India and focus related actions, the Government had set up an Inter Departmental Information Security Task Force (ISTF) with the National Security Council as the nodal agency. The Task Force studied and deliberated on issues such as:
- National Information Security Threat Perceptions
- Critical Minimum Infrastructure to be protected
- Ways and means of ensuring Information Security including identification of relevant technologies
- Legal procedures required to ensure Information Security
- Awareness, Training and Research in Information Security
In line with the recommendations of the ISTF, the following major initiatives have been taken by the Government:
- Computer Emergency Response Team (CERT-In) to respond to cyber attacks
- Public Key Infrastructure (PKI) to support implementation of IT Act and promote use of Digital Signatures
- Critical Infrastructure
- R&D via support to premier Academic and Public Sector Institutions
- Mandatory compliance with ISO 27001
- National Cyber Security Policy 2013
- Empanelment of Security Auditors.
- Nationwide Information Security Education and Awareness Programs
Indian Computer Emergency Response Team (CERT-In)
To enhance the security of India’s Communications and Information Infrastructure through proactive action and effective collaboration, the Indian Computer Emergency Response Team (CERT-In) was established in January 2004. The main function of CERT-In is to provide early security warning and effective incident response. It operates on a 24 x 7 basis and actively engages its users with early warning alerts and advisories. It is aimed at catering to the needs of critical sectors, law enforcement and judiciary, and e-governance project owners. Special training programmes are being conducted for judicial officers and law enforcement agencies. About a hundred personnel from various Government agencies have been trained at the Carnegie Mellon University, USA as Master trainers who can train many more in the country. In the Information Technology (Amendment) Act 2008, CERT-In has been designated to serve as the national agency to perform the following functions in the area of cyber security:
- Collection, analysis and dissemination of information on cyber incidents
- Forecast and alerts of cyber security incidents
- Emergency measures for handling cyber security incidents
- Coordination of cyber incident response activities
- Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
CERT-In has taken steps to implement the National Information Security Assurance Programme (NISAP) to create awareness in government and critical sector organizations and to develop and implement information security policy and information security best practices based on ISO/IEC 27001 for protection of their infrastructure. CERT-In has established a Computer Forensics facility for the investigation of cyber crimes and to provide hands-on training to law enforcement agencies and the judiciary. This infrastructure is being augmented to include a network forensics and mobile forensics investigation facility. CERT-In is cooperating with defence, banks, the judiciary and law enforcement agencies in training their officials as well as extending support in the investigation of cyber crimes. The NCSP 2013 had envisaged creation of a National Critical Information Infrastructure Protection Centre (NCIIPC) to act as a 24×7 centre to battle cyber security threats in strategic areas such as air control, nuclear and space. The NCIIPC was created and placed under the National Technical Research Organisation to roll out counter-measures in cooperation with other security agencies and private corporate entities that man these critical sectors.
Cyber Security R&D
Research & development activities are promoted under this programme through grant-in-aid support to recognized autonomous R&D organizations and academic institutions proposing to undertake time-bound projects related to the following areas:
- Cryptography and Cryptanalysis
- Network and Systems Security
- Security Architectures
- Vulnerability Detection and Analysis
- Assurance Technologies
- Monitoring, Surveillance and Forensics
Information Technology (IT) Act 2000
The Government of India enacted the Information Technology Act, 2000 (IT Act 2000) on 9th June, 2000. It provided a legal framework for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with Government agencies. Over the years, with several new forms of computer crime, misuse and fraud taking place, a need was felt to strengthen legislation pertaining to information security. Accordingly, the IT Act 2000 was amended and the Information Technology (Amendment) Act, 2008 was enacted on 5th February 2009 in order to instil confidence in the users and investors in the area of Information Technology in the country. This Act added provisions to the existing Information Technology Act, 2000 to deal with new forms of cyber crime such as publicizing sexually explicit material in electronic form, video voyeurism, cyber terrorism, breach of confidentiality and leakage of data by intermediaries, and e-commerce frauds.
Controller of Certifying Authorities
The Information Technology Act, 2000 provides the required legal sanctity to digital signatures based on asymmetric cryptosystems. Digital signatures are now accepted at par with handwritten signatures, and electronic documents that have been digitally signed are treated at par with paper documents. The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users. The CCA certifies the public keys of CAs using its own private key, which enables users in cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose, it operates the Root Certifying Authority of India (RCAI). The CCA also maintains the National Repository of Digital Certificates (NRDC), which contains all the certificates issued by all the CAs in the country.
Cyber Appellate Tribunal
The Cyber Appellate Tribunal has been established under the Information Technology Act under the aegis of the Controller of Certifying Authorities (C.C.A.). The first and the only Cyber Appellate Tribunal in the country has been established by the Central Government in accordance with the provisions contained under Section 48(1) of the Information Technology Act, 2000. The Tribunal, initially known as the Cyber Regulations Appellate Tribunal (C.R.A.T.), started functioning from October, 2006.
NASSCOM, as part of its initiatives towards creating more awareness of cyber crimes, has planned to introduce advanced training programmes with due stress on recent trends in the use of cyber forensic tools and methodologies at its Cyber Labs. Cyber Labs, set up and managed on a public-private partnership model, can register and investigate cyber crimes with the help of the police department and provide training to police officers, prosecutors, military police officers, bank officials and others on cyber crimes. The labs have trained over 3,000 investigators at multiple locations. These law enforcement officials will be able to carry out various activities like analysing and scrutinizing data on hard disks, email tracking, extracting evidence using Internet and mobile phones and on cyber crime-related legislation.
The media has become an important tool in the modern era. It is the ‘fourth estate’ which helps to further the interests, objectives and goals of the state. But regardless of the degree of independence and impartiality available to the media, in matters of national security and interests, media follows the nationalistic lines. Yet the rapid expansion and development of social media is a threat to national security and can be used to cause problems by propagating certain ideologies, mobilising and organising people.
National Cyber Security Policy 2013
In July 2013, the government of India announced a National Cyber Security Policy 2013 which aims to address the threats emanating from the cyber world. The Policy proposes to:
- Set up different bodies to tackle various levels of threats, along with a national nodal agency, to coordinate all matters related to cyber security.
- Create a National Critical Information Infrastructure Protection Centre (NCIIPC), which will act as a 24×7 centre to battle cyber security threats in strategic areas such as air control, nuclear and space. It will function under the National Technical Research Organisation (NTRO), a technical intelligence gathering agency controlled directly by the National Security Adviser in the Prime Minister’s Office.
- The current agency, Computer Emergency Response Team (CERT-In), will deal with all public and private infrastructures.
- Create a workforce of around 500,000 trained in cyber security.
- Provide fiscal benefits to businesses to adopt best security practices.
- Set up testing labs to regularly check the safety of equipment being used in the country.
- Create a cyber ecosystem in the country, developing effective public-private partnerships and collaborative engagements through technical and operational cooperation.
- Build indigenous security technologies through research.
Digital Army Programme
In a bid to digitize and automate processes, procedures and services for the Indian Army, the Union government launched a dedicated cloud and digital lockers for defence personnel under its “Digital Army” programme as a part of Digital India in November 2015.
- The army cloud infrastructure includes two data centres, both located in Delhi, and a disaster recovery site for replication of critical data using virtualized servers and storage in a secure facility.
- This is similar to Meghraj, the national cloud initiative which provides a secure and unified cyberspace for shared government services and infrastructure, provides IT resources on demand, and optimizes utilization of IT infrastructure and resources for government departments.
- The army cloud will provide IT infrastructure including servers for computing, storage, network and network security equipment centrally, for the automation of the Indian Army, the defence ministry said in a Press Information Bureau statement.
- The central data centre will be a software-defined data centre (SDDC)—a data centre that is automated by intelligent software systems. These are more secure and normally deployed for mission-critical enterprise workloads.