National cyber security: Real threat, confused state

Recent cyber attacks by the Chinese on India's sensitive IT infrastructure have exposed the loopholes in national cyber security.

Cyber security, a vital subject and a matter of national concern, usually finds a presence only in quotes, presentations and speeches. It becomes alarming only when our own security establishments and facilities become victims of cyber attacks. A recent example is the attack(s) on our Prime Minister's Office IT infrastructure, which exposes the current state of our national cyber security. Clearly, the traditional methods of fighting a war with guns, ships and aircraft have been replaced with computers, bots, viruses and Trojans. The systems designed to keep our infrastructure secure are now being used against our own defenses.

One of the things to remember is that our vital infrastructure is becoming increasingly dependent on information technology and communication systems. While the continuous advancement in technology is helping India to gain a strategic edge, it's also making our critical infrastructure more vulnerable to cyber threats. Our national cyber security is weak, and unfortunately has not been given the kind of serious attention it deserves. Every recent terrorist act involved technology in some form or other, and proved the weaknesses of our defense mechanisms. Be it a traditional method of terrorism or the use of technology for cyberterrorism, India has failed to deal with it. In addition, an ineffective cyber law and a missing legal framework to deal with cyber terrorism make it easier for terrorists and cyber criminals to succeed in their malicious actions.

Cyber terrorism is a reality of our times, and can't be ignored. This has caused the international community to look at its cyber security initiatives very seriously and build intelligence capabilities in cyberspace. However, in the Indian context, the issue itself is missing from the priority list.

An increasing number of cyber attacks that target sensitive critical infrastructure originate from India's neighbors, especially China.

Commenting on the state of our national cyber security and its impact on India's growth, Bithal Bhardwaj, the advisor of OWASP India, says, "India is rapidly becoming an easy target for cyber attacks, and this situation poses great threats—not just to our critical infrastructure, but also to our growing IT sector. The emerging threat from cyber attacks has raised concerns among international businesses regarding their outsourced IT operations and investment in India's growing software market." The response is understandable, considering that India earns billions of dollars in software export revenues from abroad.

The unease was also highlighted by a recent study authored by the Center for Strategic and International Studies that was released during the World Economic Forum's 2010 annual meeting. According to the study, "the risk of cyber attacks is rising, and there is growing concern among IT executives (37%) that the vulnerability of their sector had increased over the past 12 months. Two-fifths expect a major security incident in their sector within the next year. Only 20% think their sector is safe from serious cyber attacks over the next five years."

An independent study, 'On the State of Enterprise Security,' conducted in January 2010, revealed that Indian enterprises suffered an average revenue loss of Rs 5.8 million due to cyber attacks by elusive hackers in 2009. "Each attack had a financial impact on enterprises, besides loss of customer trust and damage to reputation. About 90% of enterprises face a cost to prevent such attacks and comply with regulations, because financial loss in productivity was on the average Rs 8.4 million in 2009."

The recently-held India Technology Leadership Summit 2009, organized by Securitybyte and OWASP, also highlighted the apprehensions about information security in outsourcing. A panel consisting of outsourcers, service providers and regulators, which was moderated by Prof Howard Schmidt, special advisor on cyberspace security to the White House, debated the information security challenges faced by Indian organizations. While our law and policy makers are yet to get out of their state of confusion regarding national cyber security challenges and the legal framework to deal with them, the DSCI (Data Security Council of India—a self-regulated body of Nasscom), OWASP India and Securitybyte have already come forward to help India strengthen its national cyber security capabilities by organizing effective awareness and training programs around real-world cyber security challenges.

The fact that India is not prepared to handle national cyber security incidents is well-known, and the issue has often been raised by both technology and legal experts. There are various government agencies working on national cyber security initiatives, but the problem is that they all operate in silos. Though most of these agencies share a common mission, they don't talk to each other or share information. This leads to redundant efforts, and an ineffective use of budgets. To top it, there are political and bureaucratic hurdles which make these initiatives unproductive. "As the world gets closer and critical infrastructure gets connected to the Internet, the threat from cyberspace increases, making our infrastructure more vulnerable to cyber attacks. This poses a great challenge for India which has the lowest rate of preparedness in national cyber security measures for its infrastructure, both from the countering and disaster management perspective," says Nish Bhalla, partner, Securitybyte, and director, OWASP Toronto, Canada chapter.

One of the biggest reasons why India needs to be more prepared is the increasing number of cyber attacks originating from its neighbors, especially China, targeted at India's sensitive critical infrastructure. Security researchers from around the world have often mentioned India as being the most vulnerable in the region, maybe because its growing economic strength is being seen as a threat by some countries. Says Greg Walton, one of the researchers at The Citizen Lab, University of Toronto, "If you look at the statistics of the institutions or the targets that were attacked by GhostNet when it attacked global systems, India was by far the hardest hit. India is a software superpower, yet for some reason the country can't seem to get its national cyber security act together."

Enhancing our national cyber security is imperative for the growth, continuity and protection of our businesses, government and citizens. Unless the Indian government takes it seriously, initiatives in this space will never find their way to success. Security is a need, not an expense, and needs to be treated accordingly.

There can be no control or enforcement without an effective governance framework, and the creation of one is crucial in today's scenario. This framework should define the private-public partnership, their roles and responsibilities relating to national cyber security, and the interaction between them. Most of India's IT expertise lies in the private sector, hence a collaborative approach can help to achieve the desired state of enhanced national cyber security capabilities.

About the author: Puneet Mehta is the co-chair of OWASP India, as well as the co-founder and director of OWASP's Delhi Chapter. Mehta is a frequent contributor to TechTarget. He has authored many articles and has been quoted in national and international media. Mehta's focus areas include information security, risk management and vulnerability research.
