4

India’s Cybersecurity – The Landscape

Cyberspace presents all the conditions for a perfect storm; it is open, global but insecure. Usage is at an all time high with users ranging from individuals to corporations to governments, all using the same pipes for the transmission of some or all of their data and communications, and equally subject to the inherent vulnerabilities in cyberspace. Governance is at a nascent stage, with negotiations in different fora proceeding at an excruciatingly slow pace as differences arising from a number of different perspectives have to be resolved. At the same time, the number of attacks with politico-military objectives is on the rise, leading to a steady militarization of cyberspace with many countries forming Cyber Commands to undertake offensive actions in and through cyberspace.

While India was among the first countries to have an Information Technology Act, and to set up a Computer Emergency Response Team (CERT), and even to locate responsibility for cybersecurity within the National Security Council, it has subsequently lagged behind other countries in responding to cybersecurity threats.

India has been at the receiving end of various forms of cyber threats; from attacks on critical infrastructure, to cybercrime, to the latest manifestation of the misuse of social media. Responses at the official level have been marked by several mis-steps. Till recently, there was an inadequate appreciation of the cybersecurity threats at the official level, though that is no longer the case. However, the responses to the threats, as well as the effort to shape cyberspace policy at the domestic level, and the contribution to discussions at the international level, still leave much to be desired.

4.1. A snapshot of Asian cyberspace

According to the latest statistics, 44 percent of all Internet users, amounting to nearly a billion people, are in Asia. At the same time, Internet penetration in Asia was at 26.2 percent compared to the global average of 32.7 percent1. Within Asia, China stood first with an online population of 513 million, followed by India with 121 million and Japan with 101 million. The developed regions of North America, Europe and Oceania were nearly saturated with a penetration rate of 70%. Online population rates are increasingly translating into offline clout, with a resultant say in everything from the development of standards and technologies, to the success or failure of e-commerce undertakings.

Other characteristics of Asian cyberspace include the following:

– the top 5 countries in terms of average broadband speeds are in Asia, led by Hong Kong. According to the latest Akamai State of the Internet Report, Hong Kong secured the top spot with an average peak connection speed of 49.2 Mbps; South Korea had 47.8 Mbps and Japan claimed third place with 39.5 Mbps2.

– China is the hardware factory of the world with economies of scale and government policies ensuring that “Made-in-China” products beat their competitors hollow. This has strategic implications, especially in the cyber arena, because of fears that such products, especially in sensitive areas such as networking, might be compromised.

– India is a leader in IT services and software development, while other countries like the Philippines and Malaysia are also seeking to increase their global share in these sectors.

– According to a McKinsey report, cyberspace contributed 3.5 percent to the economies of 13 countries surveyed in 2011, including India and China.3 As Internet penetration increases, this would be expected to go up proportionately.

– Many countries in Asia are also heavy users of e-governance, with the government of India alone expected to spend about $33 billion on its flagship Unique Identification program by the time it is completed.

– Asia is also home to some of the larger cyberpowers. Cyberpower is, at present, a generic term referring to actual or potential cyber capabilities based on various indices. These include population and the state of technological development.

While threats have existed right from the early days of cyberspace, the sporadic patterns of such attacks and their targets suggested them to be largely the handiwork of hackers and low level criminal elements. The major delivery vehicles were spam mails which contained viruses and malware. The problem was manageable and up-to-date antivirus programs and firewalls were deemed to be sufficient to keep such risks at bay. Subsequently, new forms of malware such as Worms and Trojans, which exploited the vulnerabilities in buggy software, also began to make their appearance. Phishing and denial of service (DoS) attacks also entered the lexicon. All these threats4 took advantage of existing vulnerabilities5, whether it be in software, networks or security architecture.

While governments and government agencies, from the military to the intelligence community, have always had the ability to carry out disruptive activities in cyberspace, the absence of such activities, other than the attacks out of Russia on Estonia and Georgia in 2007, was attributed to forbearance, keeping in mind the cascading effects of such actions.6 But as larger numbers of actors have entered the domain, attacks are becoming more and more disruptive and even destructive in nature. Many perceived red lines have been crossed; it was believed that attacks on critical infrastructure would only take place in conjunction with a kinetic war, that countries would disconnect from the global information grid only with peril to their economies and societies, and that countries with roughly symmetrical capabilities and capacities for cyberwarfare would refrain from attacking each other, but all these have already taken place.

The attractiveness of using cyber as a means of bloodless attacks has led to powers both within and outside the region using these means to achieve politico-military objectives, which is leading to an ongoing cycle of retaliation and counter-retaliation. Thus, a combination of existing fault lines and the easy access to cyberspace as a new means of perpetrating conflict is one of the reasons leading to cyberconflict.

Faced with this developing reality, countries of the Asian region have been at the forefront of reshaping cyberspace according to their perceptions and in some cases, strategic priorities. While a country like North Korea has completely cut itself off from cyberspace, Iran is also on the way to having a separate countrywide intranet which is separate from the Internet. While Saudi Arabia has only one gateway into the country where all data is filtered, China has the great firewall which also performs a similar function. Such restrictions serve a dual purpose of being virtual borders while also allowing for content monitoring under the guise of national security.

While Indian policy makers are aware of the issues and have responded with policies, legislation, organizations and mechanisms that have been put in place over a period of time, the assessment from security analysts is that this is still inadequate to meet the challenges. This is because, as in the real world, India is in a rough cyber neighborhood. It has to balance its commitments to an open, secure and global cyberspace and at the same time surmount the threats thrown up by the vulnerabilities in and through cyberspace to its national security.

4.1.1. Aspects of cyberconflict in Asia

Cyberspace has become a natural adjunct to many of the ongoing conflicts in Asia. The severity and escalation of cyberconflicts in this region is directly proportional to the hostilities offline. Current cyber flashpoints can be located throughout the length and breadth of Asia, ranging from attacks in West Asia, East Asia and, to a lesser extent South Asia. It may be seen that the attacks are carried out through the available infrastructure without respect to geographic boundaries.

4.1.2. West Asia

A combination of the volatility of West Asia and the involvement of technologically advanced powers from both within and without the region in the hostilities there have made this region a frontline of cyberconflict, as well as an indicator of emerging trends in cyberconflict.

The Stuxnet malware in 2010 was the first “cyber-weapon” and its success in disabling Iranian centrifuges brought the issue of cybersecurity to center stage. Stuxnet was directed against the Iranian nuclear program, and suspicions of US and Israeli involvement were confirmed by subsequent reports. These suspicions arose in the first place because of the sophistication of the malware, which, experts declared, could only be engineered through the resources available to a nation state. It was the first large-scale attack on critical infrastructure that ran on SCADA systems.7 While there have always been concerns about supply chain integrity, Stuxnet showed how even normal vulnerabilities can be utilized in cyber-attacks. The national origin of companies assumes even more significance in this regard.

Offshoots of Stuxnet have been discovered with regularity since then: the Duqu worm was discovered in September 2011, followed in quick succession by the Mahdi, Gauss and Flame malware. While Flame, Duqu and Gauss were said to share similar digital DNA with Stuxnet, being spread predominantly via USB sticks, their primary purpose seemed to be espionage, with their targets ranging from banking, governmental to energy networks. Flame, in particular, was noted for its modular nature, and its size, averaging 20 MB. Its capabilities ranged from recording Skype conversations and downloading information from smart phones to more mundane activities such as recording audio, screenshots, keystroke and network traffic recording. The Mahdi Trojan seemed to have different godfathers and was spread via phishing emails even though its purpose was also apparently espionage. Infections were reported from Iran, Israel, Afghanistan, the United Arab Emirates, Saudi Arabia, Syria, Lebanon and Egypt.8

In April 2012, there were reports of a new virus, Wiper, which was much more malicious, and wiped off the data on all computers that it infected. This virus largely affected networks in Iran. Four months later, the Shamoon virus is reported to have wiped off the data from 30,000 computers of the Saudi Arabian State oil company, Aramco, followed a week later by a similar episode on the networks of the second largest LNG company in the world, Ras Gas of Qatar.

In what has become the norm for such cyber-attacks, despite intense investigations by anti-virus companies, the origins of the malware have remained largely in the realm of speculation and inference. While ownership of the Stuxnet (and by inference, its cousins Duqu, Flame and Gauss) malware was claimed by the Obama Administration for electoral purposes, the Shamoon virus was speculated to be a reverse-engineered version of the Wiper virus unleashed by hackers loyal to the Iranian regime.9 Each successive attack represents a relentless and rapid escalation in capabilities and intent on the part of the perpetrators. The increasing use of drones in West Asian conflicts and repeated occurrences of hacking into drones has raised the possibility that such hijacked drones could be turned against their controllers.10

Iran has shown how rapidly cyber capabilities can be acquired; from having virtually no capabilities before 2009, it has now acquired significant expertise, and is using it. This is what the United States is finding out to its cost as US banks are subject to a sustained volley of DDOS attacks by a hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters, but believed to be Iran retaliating for cyber-attacks on its infrastructure.11 While the United States has begun to raise cybersecurity related issues with China in its strategic dialogues, no such scope exists in the case of Iran, which, like the United States, sees advantages in the plausible deniability accorded by cyberspace. In other words, this is the online version of a low-intensity conflict, continuing endlessly till one or the other side ratchets up through retaliation. The end result might very well be different if such a scenario is played out elsewhere since the absence of collateral damage in this case is largely afforded by the technical capabilities of the US.

According to James Lewis, Iran’s expanding cyber capabilities have the potential to change the balance of power.12 As a guarantor of security in the Persian region, the United States has provided assistance to its allies in the area but the majority of countries are making use of private contractors.13

4.1.3. East Asia

Hostilities between countries in East Asia are also mirrored in cyberspace and China is a common factor in many of these conflicts. There have been DDOS attacks emanating from China into the Philippines, Vietnam and Japan, and vice versa. The dispute over Scarborough Shoal/Huangyan Island saw cyber-attacks between China and the Philippines in April/May followed by a similar showdown between Chinese and Vietnamese hackers in May 2012 following an incident, and attacks by Chinese hackers on Japanese websites following the territorial dispute over the Diaoyu/Senkaku Islands in September 2012.14

Among the various protagonists in East Asia, North Korea has carried out an aggressive campaign against South Korea using every weapon in its arsenal and inflicting some real damage in the process. South Korea presents an easy target, being one of the most wired countries in the world, while North Korea does not even present itself as a target, having no networks worth speaking of. While not much information is available about the size of North Korea’s cyber corps, South Korean estimates are that it has doubled in the last few years and now numbers around 3,000.15

China ranks far ahead of the other powers in Asia in terms of both capabilities and potential, according to Western and some Indian analysts. According to Western reports, the PLA has integrated cyberwarfare units since 2003 and has built up a huge cyber military edifice. The Third and Fourth Departments of the PLA, responsible for military intelligence, have been described in reports as among the most powerful bureaucracies in not just the military but in China today with their access to every bit of information that criss-crosses China.16

Other countries of the region are far behind the Chinese in incorporating cyberwarfare into general war fighting doctrines and building up capabilities. South Korea published a national cybersecurity strategy where it declared cyberspace to be an operational domain that needed a state level defense system. The National Intelligence Center was tasked with coordinating cybersecurity along with the Korea Communications Commission (KCC). The KCC has focused on a defensive role, detecting, preventing and “responding to cyber assaults”.17 As with other US allies in the region, South Korea also places a lot of emphasis on extending its relationship to cover cyberspace.

In the case of Japan, in its Annual White Paper, the Japanese Ministry of Defense listed “responding to cyber-attacks” as one of its priority areas. The self defense force (SDF) was tasked with defending not only its own networks but also with “accumulating advanced expertise and skills needed to tackle cyber-attacks” so as to contribute to the government-wide response to cyber-attacks.18 In addition to the cyber vandalism, intellectual property from Japanese companies has also been the target of hackers with the notable incident being the August 2011 hacking of Mitsubishi Heavy Industries as well as other technology firms.19 In the same month, 480 members of the Japanese Diet had their email accounts compromised and their machines hijacked, with the hijacked machines apparently communicating with a server in China.20

In September 2012, the Japanese Ministry of Defense announced that it would act on the recommendations of a panel constituted to examine threats in cyberspace and would constitute a 100-strong cyber unit with a budget of ¥21.2 billion (US$270 million).21 The panel made a number of conceptual definitions, calling cyberspace a domain like air, sea, land and space. It was an essential infrastructure for the SDF to carry out their activities, and it was, therefore, their responsibility to secure it. They would have to co-operate with a number of partners both domestically and internationally, and these partners could also be in the private sector.22 Cyber-attacks would be considered on a case-by-case basis, but if carried out as part of a military attack, it would respond in self-defense.23

Japan and the United States agreed in 2013 to increase “cyberdefense cooperation with the improvement of individual cyber capabilities and interoperability between the [Japan] Self-Defense forces and U.S. forces, which will also contribute to whole-of-government cybersecurity efforts”24. Taking a leaf out of the US playbook, Japan has also begun to use private contractors to develop cyberweapons.25

While most of the US allies are looking towards close cooperation with the United States, it has entered into a cyberwarfare cooperation program only with Australia, the only one outside of its program with NATO.26 In October 2013, the two countries announced that they were setting up a joint Cyberdefense Policy Working Group to foster “increased cyberdefense cooperation with the improvement of individual cyber capabilities and interoperability between the [Japan] Self-Defense forces and U.S. forces, which will also contribute to whole-of-government cybersecurity efforts”.27

4.2. The Indian cyber landscape

Many commentaries refer to India as a cyberpower,28 something that might appear to be at odds with the reports regarding the vulnerabilities in India’s cybersecurity that appear in the newspapers day after day. The Indian government itself estimates that there are only 556 cybersecurity experts in the country.29

Relatively low levels of computer security largely due to pirated software and the presence of patriotic hackers in the countries of the region have made the region a hotbed of low level hacking and website defacement. The so-called “cyberwars” that break out every now and then are a numbers game, and a hidden hand of the intelligence agencies can also be vaguely discerned. This is also probably why such attacks have not crossed any red lines, despite threats to bring down the financial systems and so on. The near equivalence of hackers in the countries of South Asia would point to a low level form of deterrence in existence. Nearly all upswings in defacements and hacking, which normally follow a tit-for-tat pattern, have ended in truces being called by the hackers on various sides. Though these defacements are not more than the equivalent of digital graffiti, they show that more grievous damage could be easily inflicted.

Figure 4.1. Cybersecurity incidents reported to CERT-IN 2004-2012.


While these occurrences grab the newspaper headlines, the more serious threats are elsewhere. Cyber-espionage and threats to critical information infrastructure are a clear and present, but invisible threat to national security. In the case of the former, given India’s rising power status, sensitive networks and systems are subject to constant attempts at penetration. While some of these intrusions have been discovered by domestic agencies, many others have been discovered by external agencies, pointing to the long distance to be covered in securing Indian networks. With regard to the latter, critical information infrastructure protection is complicated by the fact that much of the infrastructure rests in private hands. This creates problems, not only in co-ordinating cyber-security efforts but also for gauging the extent of the problem, since private companies are reluctant to acknowledge that they have been attacked and more often than not do not report such attacks.30 A second order of threats emanates from the global supply chain in IT products that has been created, which creates ample opportunities for backdoors and vulnerabilities to be inserted into hardware, and increasingly, software.

There is also the overt militarization of cyberspace to be taken into account as more and more countries set up Cyber Commands. There has been no official role for the military in cybersecurity, other than that of protecting its own networks that have been reportedly penetrated on and off.31 This, despite the Minister of Defence referring to cyber threats as a major threat to the nation in virtually every speech made to the apex military gathering, the Combined Commanders Conference over the past three years.32 With the cyber arena now recognised as a new domain of war, setting up a force competent to achieve the dual objectives of defending the country from cyber-attacks in war and securing the military’s network operations in peace is one that requires considerable thought.

4.3. The China challenge: a case study

While a combination of these threats could be followed through by any of the countries having advanced cyber capabilities, China is particularly unique in having the means and the motivation, as well as the opportunity, to borrow a formulation from criminal law. China and India have a history of hostilities, especially regarding contested borders, which continues to this day. At the same time, China is among the largest producers and providers of both consumer as well as capital goods in the information technology and other infrastructure spaces.

Reports of Chinese infiltration of sensitive networks are nothing new; in 2007, for instance, US officials were reported as saying that Chinese attacks against the Department of Defense (DoD) had reached the level of a “campaign-style, force-on-force engagement” with actions running the “gamut of technology theft, intelligence gathering, exfiltration, research on DOD operations and the creation of dormant presences in DOD networks for future action.”33 In that same year, and subsequently, the governments of the United Kingdom34, France35, Belgium,36 Germany37 and India38 also publicly stated that their systems and networks had been infiltrated and attacked by entities that had been traced back to China.

The first known cases of cyber-espionage were targeted at Tibetan organizations based in India. The organized nature of this infiltration was brought to light by a number of reports, beginning with the Shadows in the Cloud Report in 2010, followed by Operation Shady Rat in 2011 and Operation Red October in 2013. While the needle of suspicion points to foreign intelligence agencies, and many of the attacks have been traced to China, conclusive proof is difficult to come by because of the ease with which such attacks can be spoofed in cyberspace. There had been earlier suspicions that probing and espionage efforts might also be coming from a third country and spoofed to make it seem that it was emanating from China.39

There is a considerable amount of Western literature pointing to the fact that the cyber-espionage activities are of a piece with Chinese formulations on asymmetric warfare. The earliest elaboration of the Chinese perspective was in the appropriately named treatise on warfare entitled “Unrestricted Warfare” by two colonels of the People’s Liberation Army in 1999. The authors observed:

Does a single “hacker” attack count as a hostile act or not? Can using financial instruments to destroy a country’s economy be seen as a battle?...Obviously, proceeding with the traditional definition of war in mind, there is no longer any way to answer the above questions. When we suddenly realize that all these non-war actions may be the new factors constituting future warfare, we have to come up with a new name for this new form of war: Warfare which transcends all boundaries and limits, in short: unrestricted warfare.

If this name becomes established, this kind of war means that all means will be in readiness, that information will be omnipresent, and the battlefield will be everywhere. It also means that many of the current principles of combat will be modified, and even that the rules of war may need to be rewritten.

It would seem that the rules of war have indeed been re-written with People’s Liberation Army units actively involved in cyber-espionage activities not just in wartime, but in peacetime as well.

According to Dean Cheng, PLA thinking on future wars is marked by the 3 nons – non-contact, non-linear and non-symmetric.40 Non-contact would include computer network operations “that will effectively nullify an opponent’s forces without having to directly confront or engage them”.41 Following on from that, non-linear and non-symmetric war would take place in many dimensions, both physical and temporal, and not necessarily within a set battlefield or theatre.

Non-symmetric envelops the previously mentioned strategic objectives of securing advantage over other countries even during peacetime through use of its cyber prowess in every spectrum from political, economic, scientific, and diplomatic and cultural arenas. To the PLA, non-symmetric war justifies the use of methods such as hacking and expropriating intellectual property 1) as a tool for getting access to and parity with the advanced technologies of the West and 2) as part of psychological warfare (through visibly penetrating networks in other countries and raising the spectre of cyber instability).

All of the above has to be juxtaposed against the fact that China is a major supplier to India of infrastructure equipment in areas from power to transport, and crucially to telecom hardware. India bought over $12 billion worth of mobiles, and $8 billion worth of computers and peripherals, making up nearly 23% of total imports.42

Chinese companies are able to beat other companies, both Indian and foreign, by bidding at the lowest possible prices and providing quality products. Indian intelligence agencies have noted similar tactics in neighboring countries as well.43

Chinese manufacturers have about 20% of the Indian telecom market while Indian telecom manufacturers have only 3% of the market. In some sectors such as 3G networks, this can go up to 60%. The Indian government asked a number of its agencies to analyze the risks involved and they reported back, highlighting various issues. One report said Chinese vendors were “supplanting and not supplementing” indigenous players in India’s telecom equipment manufacturing sector. Another report highlighted vendors’ reluctance to share technical information and system keys of their products with Indian operators. (A subsequent report noted that these keys have been supplied to Indian companies.)44 There have been a few instances of contracts being cancelled, but only with state-run telecom companies.

4.4. Responses

4.4.1. Implementing a national cybersecurity policy

Cybersecurity has been within the purview of the National Security Council since 2002 with the National Security Council Secretariat taking many cybersecurity initiatives and participating in international dialogues. The role of the National Security Council Secretariat as the locus of any discussions on cybersecurity and for bringing together the various stakeholders has been honed to perfection. But it has been less successful in the natural corollary of co-ordinating the actions required to translate talk into action. While the need for a cybersecurity co-ordinator at the National Security Council Secretariat has been highlighted in successive reports, it is yet to be translated into action.

The government has been engaged in an intensive exercise to strengthen the country’s cybersecurity, embarking on a multi-pronged strategy, first engaging closely with the private sector, as well as with international partners. However, regular revelations of such attacks by relevant agencies have had the effect of alerting the highest levels of government about the potential threats to critical infrastructure by such easy penetration of networks. A National Cybersecurity Policy that has a carrot and stick approach was released in July 2013 and since then has been proceeding in fits and starts. Despite the long gestation process, the policy was pilloried for falling short of spelling out concrete policies as well as for certain glaring omissions, such as the absence of a specific role for the armed services for ensuring India’s cybersecurity.45 In their defense, the National Security Council that has brought out the Policy has made the point that the NSCP is only one part of a 3-part framework including a National Cybersecurity Architecture and a National Cybersecurity Strategy. Even as the other two legs are awaited, the policy itself has been fleshed out through the promulgation of guidelines, beginning with the Guidelines for Protection of National Critical Information Infrastructure with guidelines for other sectors under production.

A national cybersecurity strategy would perforce fill in the many existing lacunae and gaps in thinking on cybersecurity within the country. Even if it does not resolve the tensions between the various interests and priorities of different groups, be it the private sector, law enforcement, or national security agencies, or even infosec professionals, it would try to balance all these requirements to arrive at a consensus that is palatable to all stakeholders. Secondly, it would also give a sense and direction on the overall vision which is lacking at present.

4.5. Creating an institutional framework

An overarching framework is being created with various agencies apportioned different responsibilities. The agencies created include a National Cyber Coordination Center (NCCC), being set up for threat assessment and information sharing among stakeholders; a Cyber Operation Center, to be jointly run by the civilian authorities and the armed forces for threat management and mitigation for identified critical sectors and defense; and a National Critical Information Infrastructure Protection Center (NCIIPC). In addition, the military has also been proactive in creating a Cyber Command along the lines of those created in other countries, though there has been little discussion on the contours and responsibilities of such a Command.

The Computer Emergency Response Team-India (CERT-IN) began operations in 2004 with a mandate to “create a safe and secure cyber environment through appropriate policies and legal frameworks”. Specific tasks included creating appropriate cybersecurity standards/guidelines, auditing, networking and points of contact, conducting cybersecurity drills, devising and deploying Crisis Management Plans and Cyber Alert systems, and interfacing with Sectoral CERTS, and Foreign CERTS. The Mumbai Attacks of 1998 which were considerably cyber-enabled from conception to implementation prompted the Government to amend the IT Act in that year itself.46 The Information Technology Amendment Act, 2008 provided for a national nodal agency for critical information infrastructure protection which was set up after it was decided to make the NTRO the nodal agency for critical infrastructure.47 Section 70 of the IT Act, 2000 defines critical information infrastructure as “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”. The National Critical Information Infrastructure Protection Center (NCIIPC) was established under the National Technical Research Organization in 2013, almost five years after being incorporated in the IT Amendment Act, 2008. The increasing instances of state sponsored malicious activities would have been a factor in the creation of this organization and situating it within the NTRO.

The organization’s official mandate is to “Protect critical infrastructure against cyber terrorism, cyberwarfare and other threats”. In pursuit of this mandate, it has been given all powers necessary including interception powers. Oversight is provided by an Advisory Council of 17 representatives from different agencies. Among the sectors identified as critical by it are civil aviation, shipping, railways, power, nuclear, oil and gas, finance, banking, communication, information technology, law enforcement, intelligence agencies, space, and government networks.

There are a number of potential obstacles to the effective working of the NCIIPC. Compared to CERT-In, it is much less public-facing, which can prove to be a problem in an environment where much of the infrastructure rests in private hands.

4.5.1. Ensuring supply chain integrity

In this unfolding situation that is marred by distrust, supply chain integrity has become paramount, with the needle of suspicion pointing towards the hardware and software that make up the brains and body of cyberspace. While much of the equipment used in global networks is supplied by China, the storage and data storage networks are largely the domain of first-mover companies that are based in the United States but are also dispersed across other developed countries. Many countries rely on trade control mechanisms, but such measures have fallen foul of trade treaties as well as the competitive prices offered by, particularly, the Chinese manufacturers.

The government has tried to use prescriptive policy measures to get companies to go down the preferred path. In the National Telecom Policy of 2012, the government set a target for domestic production of telecom equipment to meet Indian telecom sector demands to the extent of 60-80 percent by 2020. The Ministry of Communications and Information Technology has repeatedly urged telecom companies to take note of vulnerabilities in their equipment and told them they would be held responsible and subject to penalties if the vulnerabilities are not addressed. Ironically enough, Huawei was the only company to come forward when the government invited companies to collaborate with the Indian Institute of Science in Bangalore to develop a testing lab to check telecom equipment for malware.48 The issue is not so much about hidden backdoors and kill switches, as widely reported in the press, as the fact that network equipment providers get access to sensitive information in the course of providing after-sales support. When the government tried to implement a Preferential Market Access Policy for telecom products, it was the western companies that protested through their governments and forced the government to roll back the policy.49

The government is also promoting the establishment of fab manufacturing facilities within the country to the extent of providing seed money and facilitating strategic partnerships with global players.50 In addition to reducing the dependence on imports, it is believed that having fab manufacturing facilities within the country would enhance the security of IT products since embedded vulnerabilities are virtually impossible to locate. Other lacunae that have been identified and are being progressively addressed include setting up a Center for Cryptology,51 and further securing sensitive governmental networks.

4.6. Takeaways

Thinking on the strategic aspects of cybersecurity is still in its infancy in India, partly because of the complex nature of the medium as well as the fact that there have not been any major known attacks through cyberspace. Policy makers have largely concentrated on securing Indian cyberspace through a combination of policies; the National Cybersecurity Policy along with the National Telecom Policy and the National Policy on Electronics as well as subsidiary policies such as the National Telecom Infrastructure Policy all contain prescriptions for securing cyberspace. Implementation of these policies has proved to be a hurdle, evident in the fact that many of these policies are more than a few years old, and implementation has progressed in a sporadic manner. In addition to the complacency brought about by the fact that there have been no major known attacks, the lack of urgency can also be attributed to the conflict between economic and security imperatives. This is best exemplified in the case study of China where the burgeoning needs of the Indian economy have nullified the warnings by the security and intelligence agencies of the inherent dangers in sourcing sensitive items from China. In point of fact, it is the recent revelations made by Snowden that have had a larger impact on Indian cybersecurity policy.

While the United States has been using those revelations to create the conditions for cyber deterrence with China, there is no indication yet that China is ready to play ball.52 The jury is also still out on whether deterrence is a viable concept in the context of cyberspace till such a time that both offensive and defensive capabilities have developed to the extent that they are an existential threat to states.

Chapter written by Cherian SAMUEL. The views expressed are personal and do not reflect the views of the IDSA or the Government of India.

1 Internet World Stats, http://www.internetworldstats.com/stats3.htm.

2 Akamai State of the Internet. 1 Aug. 2012. Akamai. Accessed on 21 Sept. 2012. http://www.akamai.com/stateoftheinternet/.

3 Manyika, James et al., (ed.), Internet Matters: The Net's Sweeping Impact on Growth, Jobs, and Prosperity. Rep. McKinsey Global Institute, May 2011. Web. Accessed on 15 Sept. 2012. http://www.mckinsey.com/Insights/MGI/Research/Technology_and_Innovation/Internet_matters.

4 A threat was defined by the Computer Emergency Response Team (CERT) in 1993 as “Any circumstances or event that has the potential to cause harm to a system or network. That means, that even the existence of a(n unknown) vulnerability implies a threat by definition”.

5 Vulnerabilities are defined as a) a feature or bug in a system or program which enables an attacker to bypass security measures; b) an aspect of a system or network that leaves it open to attack, and c) the absence or weakness of a risk-reducing safeguard which had the potential to allow a threat to occur with greater frequency, greater impact or both. Anil Sagar, An Overview to Information Security and Security Initiatives in India, Powerpoint Presentation, 18 January 2008. Available online at www.elitex.in/paper2008/anilsagar.ppt.

6 In 2003, the US intelligence agencies drew up plans for a cyber-attack designed to freeze Iraq’s financial system but the Bush administration, concerned about the possibility of a ripple effect leading to worldwide financial havoc, refused to give the go-ahead. The New York Times, Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk, 1 August 2009. Available online at http://www.nytimes.com/2009/08/02/us/politics/02cyber.html.

7 According to one estimate, it took the equivalent of 6 man years and around 1.5 million dollars to develop.

8 Guardian. Cyberwar on Iran more widespread than first thought, say researchers. (2012, September 21). Retrieved from http://www.guardian.co.uk/technology/2012/sep/21/cyberwar-iran-more-sophisticated.

9 However, as David Betz notes, anonymity is as much a problem for the aggressor as it is for the target. Clues have been left in malware software both to misguide and to claim ownership. Betz, D. (2012, June). Cyberpower and International Security [PDF]. Retrieved from http://www.fpri.org/enotes/2012/201206.betz.cyberpower-international-security.pdf.

10 Washington Post. “Remote U.S. base at core of secret operations.” October 26, 2012. Accessed October 30, 2012. http://www.washingtonpost.com/world/national-security/remote-us-base-at-core-of-secret-operations/2012/10/25/a26a9392-197a-11e2-bd10-5ff056538b7c_story.html.

11 New York Times, Bank Hacking Was the Work of Iranians, Officials Say, 8 January 2013. Available online at http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html.

12 Lewis, James A. Cybersecurity and Stability in the Gulf. Issue brief. 6 January 2014. CSIS. Available online at http://csis.org/publication/cybersecurity-and-stability-gulf. Accessed on 6 February 2014, p. 1.

13 Ibid. p. 4.

14 Japan Times (Tokyo). “Japanese websites come under attack as Senkaku squabble continues”. September 20, 2012. Accessed September 25, 2012. http://www.japantimes.co.jp/text/nn20120920b7.html.

15 N. Korea commands 3,000-strong cyber warfare unit: defector. (2011, June 1). Yonhap. Retrieved from http://english.yonhapnews.co.kr/northkorea/2011/06/01/46/0401000000AEN20110601004200315F.HTML.

16 Stokes, M., and Jenny Lin. The Chinese People’s Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure. Project 2049 Institute, 2011.

17 “S. Korea charts out national cybersecurity strategy.” Yonhap news Agency. Last modified August 8, 2011. Accessed October 30, 2012. http://english.yonhapnews.co.kr/techscience/2011/08/08/45/0601000000AEN20110808006500320F.HTML.

18 Annual White paper 2012. Report. Tokyo, Japan: Ministry of Defense, 2012. Accessed September 26, 2012. http://www.mod.go.jp/e/publ/w_paper/2012.html.

19 BBC Online. Japan defence firm Mitsubishi Heavy in cyber-attack. BBC. Last modified September 20, 2011. Accessed September 25, 2012. http://www.bbc.co.uk/news/world-asia-pacific-14982906.

20 “Upper House computers also hacked.” Asahi Shimbun. Last modified November 3, 2011. Accessed September 25, 2012. http://ajw.asahi.com/article/behind_news/social_affairs/AJ2011110316472.

21 “Japanese defense panel: Cyber-attacks can be basis for military self defense.” Computerworld. Last modified September 9, 2012. Accessed September 26, 2012. http://news.idg.no/cw/art.cfm?id=409AA657-DC59-0780-FF139675AC1AAE62. This is out of a defense budget of ¥4.7 trillion.

22 Ministry of Defense Panel on Cybersecurity. Toward Stable and Effective Use of Cyberspace. Tokyo, Japan: n.p., 2012. Accessed September 26, 2012. http://www.mod.go.jp/e/d_act/others/pdf/stable_and_effective_use_cyberspace.pdf.

23 Alabaster, Jay. “Japanese defense panel: cyber-attacks can be basis for military self defense.” CIO. 07 Sept. 2012. Accessed on 23 March 2013. Available online at http://www.cio.com/article/715628/Japanese_Defense_Panel_Cyber_Attacks_Can_Be_Basis_for_Military_Self_Defense?

24 “Joint Statement of the Security Consultative Committee: Toward a More Robust Alliance and Greater Shared Responsibilities.” U.S. Department of State, 03 October 2013. Accessed on 22 November 2013. Available online at http://www.state.gov/r/pa/prs/ps/2013/10/215070.htm.

25 “Japan Developing Cyber Weapon: Report.” The Australian, 2 January 2012. Accessed on 5 September 2013. Available online at www.theaustralian.com.au/technology/japan-developing-cyber-weapon-report/story-e6frgakx-1226234630603.

26 Baldor, Lolita. “Cyber cooperation added to US-Australia treaty.” Businessweek, September 15, 2012. Accessed September 27, 2012. http://www.businessweek.com/ap/financialnews/D9POVN5G0.htm.

27 “U.S.-Japan Set Road Map for Next 20 Years Amid Asian Threats.” Bloomberg.com. Bloomberg, 03 October 2013. Accessed on 08 Jan 2014. Available online at http://www.bloomberg.com/news/2013-10-03/u-s-japan-to-expand-military-ties-for-first-time-in-16-years.html.

28 For instance, see Interview with John Mroz, President, East-West Institute, India: An Emerging Cyber power. East West Institute, 24 September 2012. Available online at http://www.ewi.info/idea/india-emerging-cyber-power Accessed on 18 December 2012.

29 “An IT superpower, India has just 556 cybersecurity experts”, The Hindu, 19 June 2013. Available online at http://www.thehindu.com/news/national/an-it-superpower-india-has-just-556-cyber-security-experts/article4827644.ece Accessed on 20 June 2013.

30 News of most attacks and incidents of cyber-espionage, whether it be on Reliance, ONGC or ITC have invariably been reported by third parties. The companies concerned have not confirmed such attacks, and in some cases have denied these attacks ever occurred.

31 That has not stopped the Corps of Signals from describing itself as “the lead agency and nodal center for information and cybersecurity both within the Defence Services and at the National level” on the Indian Army’s website. See online at http://indianarmy.nic.in/Default3.aspx?MenuId=Qd7lMkEdWdEACCESSEDON?

32 “Antony Asks Army to Build Cybersecurity Capabilities.” The New Indian Express. 22 Apr. 2014. Accessed on 13 May 2014. Available online at http://www.newindianexpress.com/nation/Antony-Asks-Army-to-Build-Cyber-Security-Capabilities/2014/04/22/article2182471.ece.

33 Federal Computer Weekly, Cyber officials: Chinese hackers attack “anything and everything”, 13 February 2007. Available online at http://www.fcw.com/online/news/97658-1.html#.

34 The Times reported that the Director General of MI5 had sent a letter to 300 chief executives and security chiefs highlighting “concerns about the possible damage to UK business resulting from electronic attack sponsored by Chinese state organizations, and the fact that the attacks are designed to defeat best-practice IT security systems.” The Times, Secrets of Shell and Rolls-Royce come under attack from China’s spies, 3 December 2007. Also see China ‘top list’ of cyber-hackers seeking UK government secrets, Times of London, 6 September 2007. Available online at http://www.timesonline.co.uk/tol/news/world/asia/article2393979.ece.

35 AFP, La France victime de cyber-attaques avec "passage" par la Chine, 8 September 2007. Available online at http://afp.google.com/article/ALeqM5i6dSqt39zfQcKG-I-HZUTRaN3Zvw.

36 vnunet.com, Belgium accuses China of cyber-crimes, Available online at http://in.ibtimes.com/articles/20080520/china-hacking-computer-hacker.htm

37 London Times, China accused of hacking into heart of Merkel administration, 27 August 2007. Available online at http://www.timesonline.co.uk/tol/news/world/europe/article2332130.ece

38 DNA India, Chinese hackers penetrate crucial MEA network, 10 April 2008. Available online at http://www.dnaindia.com/report.asp?NewsID=1159279 Also see DNA India, Cyber-attack on 10 govt websites, 7 June 2008. Available online at http://www.dnaindia.com/report.asp?newsid=1169339

39 Datta, Saikat. “‘DNA’ Investigation: PMO Fights Largest Cyber-attack.” DNA [Mumbai] 22 Aug. 2011. Accessed on 22 March 2012. Available online at http://www.dnaindia.com/india/report-dna-investigation-pmo-fights-largest-cyber-attack-1578348.

40 Dean Cheng, The Chinese People’s Liberation Army and Special Operations, Special Warfare, vol.25, issue 3, July-September 2012. Available online at http://www.soc.mil/swcs/SWmag/archive/SW2503/SW2503TheChinesePeoplesLiberationArmy.html.

41 Ibid.

42 These figures have been culled from Zauba.com, a website that provides data on Indian exports and imports.

43 Joji Thomas Philip, Intelligence agencies fear China is trying to encircle India via tech deals with neighboring nations, Economic Times, 23 January 2013. Available online at http://articles.economictimes.indiatimes.com/2013-01-23/news/36505479_1_huawei-and-zte-nepal-telecom-telecom-and-internet-communication.

44 Anupam Dasgupta, “Dragon in your dongle”, The Week, 1 September 2012.

45 See Bhairav Acharya “The National Cybersecurity Policy: Not a Real Policy” ORF Cyber Monitor, vol. 1, no. 1, August 2013. Available online at http://orfonline.org/cms/sites/orfonline/html/cyber/cybsec1.html. Accessed on 23 September 2013.

46 Investigations revealed that the terrorists had used Google Earth for training and VOIP to communicate with their handlers; Garmin GPS units and satellite phones were also found in their possession.

47 “Five-year plan in the works to revamp cybersecurity”, Times of India, 18 December, 2012.

48 Bharti Jain, Home ministry may seek review of IISc-Huawei Pact to set up telecom lab, The Economic Times, 28 June 2011. Available online at http://articles.economictimes.indiatimes.com/2011-06-28/news/29722347_1_telecom-gear-chinese-telecom-telecom-equipment. Other companies did not come forward because of worries over intellectual property rights.

49 “PMO Defers Extension of Policy of ‘preferential Market Access’ to Private Telecom Operators.” The Economic Times. 6 July 2013. Accessed on 18 November 2013. Available online at http://articles.economictimes.indiatimes.com/2013-07-06/news/40407662_1_new-telecom-policy-pma-provisions-digital-europe.

50 “India Setting up Cybersecurity Architecture: National Security Advisor.” IBNLive. 22 January 2013. Accessed on 18 May 2013. Available at http://ibnlive.in.com/news/india-setting-up-cyber-security-architecture-national-security-advisor/317028-3.html.

51 “Government Announces Setting up of R C Bose Center for Cryptology–The Economic Times.” The Economic Times 4 March 2014. Accessed on 4 May 2014. Available at http://economictimes.indiatimes.com/industry/et-cetera/government-announces-setting-up-of-r-c-bose-center-for-cryptology/articleshow/31421710.cms.

52 Farrell, Henry. “The Political Science of Cybersecurity IV: How Edward Snowden Helps U.S. Deterrence.” Washington Post. The Washington Post, 12 March 2014. Accessed on 16 May 2014. Available online at http://www.washingtonpost.com/blogs/monkey-cage/wp/2014/03/12/the-political-science-of-cybersecurity-iv-how-edward-snowden-helps-u-s-deterrence/.
