Syed Nazakat in New Delhi
The numbers tell the story: 9,01,19,369 Indian websites were hacked worldwide in the last three years. Of these, 544 were government sites, including those of the defence wings, ministries and diplomatic missions. In the first quarter of this year, 133 government websites were hacked. Officials do not know exactly what information was stolen, but they confirm that power, aviation, banking and defence communication sectors are the main targets.
Not surprisingly, a recent survey by McAfee, the internet security giant, named India among the nations least able to defend themselves against cyber attacks. Others on the list include Brazil, Romania and Mexico.
Key websites hacked into include that of the Prime Minister’s Office, the National Security Adviser’s office, the defence ministry, air cargo customs (Mumbai), ministry of railways, National Institute of Social Defence, Bharat Sanchar Nigam Ltd, Telecom Regulatory Authority of India and the Central Bureau of Investigation. Most of these attacks originated from China and Pakistan.
Microsoft India’s retail website, http://www.microsoftstore.co.in, was hacked on February 13 by an allegedly China-based group called the Evil Shadow Team. The same group is suspected of hacking into over 600 computers at the ministry of external affairs earlier.
They are also suspects in the 2011 hacker attack on the Indian diplomatic mission in Paris. Hackers accessed the servers of the embassy and copied classified documents including a file on the high power committee on national civil aircraft development, led by G. Madhavan Nair. And, last week, unknown hackers breached the websites of the Supreme Court of India and the Congress party. In another attack, hackers sent a fake email to many journalists, in the name of the Army Headquarters. The mail had an attachment titled, ‘China’s Tibet strategy’.
“Hackers managed to penetrate even those computer systems which were not connected to the internet,” said a senior MEA official. “The sensitive and classified information was stolen and is out there in public domain. It was frustrating.”
National Security Adviser Shivshankar Menon agreed that the security establishment was worried about the attacks on power, banking, railways and air traffic control segments. “Traditional deterrence hardly works in a battle-space like the cyber world, where operations and attacks occur almost at the speed of light,” Menon said at the release of the Institute for Defence Studies and Analyses’s report on cyber security challenges in Delhi last week. “At these speeds there is a premium on attacking first.”
Hackers are, indeed, becoming more audacious and dangerous. Stuxnet, the malware once known to target only Siemens systems, is suspected to have infected India’s nuclear programme network. Officials are investigating whether India’s lone uranium enrichment facility, the Rare Materials Plant at Rattehalli, Karnataka, was infected with Stuxnet in November 2011. The RMP’s computers had malfunctioned at that time, but a senior government official who is aware of the incident told THE WEEK that the operating system at the plant was clean.
The Indian security establishment is now confused because the recent attacks have come from all over the world. Over the last three years, attacks were made from the US, Mexico, Spain, Brazil, Lebanon, Peru, Morocco, Japan, Korea, Saudi Arabia, Algeria, Nigeria, Turkey, Iran, Pakistan and China.
Officials familiar with several such investigations say the actual attacker is rarely identified or traced because hackers use third-party protocols as fronts to launch an attack. They direct the information stored on the victim’s computer towards a secret website that serves as a drop box, from where the information can be recovered.
Hackers scour the web studying public documents, chatrooms and blogs to build digital dossiers about the jobs, responsibilities and personal networks of targets. Once a target has been chosen, the hackers will then start the process of breaking in and gaining control. The email address is made to look like it comes from a logical sender.
For example, a few days after North Korean leader Kim Jong-Il died, hackers sent out mails with a malicious attachment named ‘brief_introduction_of_kim_jong_III_pdf.pdf’. Had the host computers opened the attachment or clicked on the link, the malware would have stolen passwords and sent the data to a foreign server.
The most common cyber attack in India is made through bots, short for robots, which are autonomous programmes that can interact with computer systems or users. Bots let the hacker take control of computers and steal information. Bots also route unnecessary traffic to the victim computer, overloading it and causing it to crash, in what is known as a “denial of service” attack.
The Computer Emergency Response Team-India (CERT-IN), an apex government agency handling cyber security concerns, traced over 68 lakh bot-affected computers in the country in 2010. “The nightmarish scenario for us is that hackers could disrupt or shut down critical infrastructure like aviation,” said an official at CERT-IN. “A cyber attack on essential sectors could easily push the country to the brink.”
Home Minister P. Chidambaram told reporters in Delhi last week that no one was immune to cyber crimes and attacks. “I think all that we have done to protect the infrastructure in the physical space seems to be a lighter task than when we face threats that have been outlined in the cyber space,” he said. To combat cyber attacks, the government is working on a comprehensive plan.
At the National Security Council Secretariat (NSCS), which is headed by the NSA, security and intelligence officials and cyber experts are reviewing India’s strategy for dealing with cyber threats. Menon said the plan was to prepare a cyber security architecture wholly controlled by the government. He said, “The government is in the process of putting in place the capabilities and the systems in India that will enable us to deal with this anarchic new world of constant and undeclared cyber threat, attack, counter-attack and defence.”
The aim of the new plan is to establish a National Cyber Coordination Centre (NCCC), a single window to deal with cyber attacks. Under it, a National Threat Intelligence Centre with multi-stakeholder, real-time, command-and-control centres countrywide will monitor critical infrastructure. “It [NCCC] would scan cyber traffic within the country, flowing at the point of entry and exit, including international gateways,” said a top official of the NSCS. “This will mark India’s first major effort to arm itself in the war against cyber attacks.”
On top of the NCCC, there is a clear delineation of responsibilities of CERT-IN, National Technical Research Organisation (NTRO), Intelligence Bureau, Military Intelligence and other agencies that have a role in fighting cyber intrusions. Officials say that even where there are overlaps, protocol will be laid out to effectively deal with the cyber threat.
The proposed cyber security plan will also bring in expertise from the departments of telecom and information technology and National Informatics Centre (NIC). The NIC, which provides cyber security related services to ministries, and CERT-IN are strengthening their capability, too. “We are building a system to identify threats and vulnerable targets. This is a massive task,” said a CERT-IN official. “Our responsibility lies between proactive and reactive roles.”
The establishment of the proposed NCCC and a greater role for NIC and CERT-IN will fill a wide gap in the cyber security system. At present, there is no centralised protocol to deal with cyber threats and attacks. Though the government has formulated a Crisis Management Plan for countering cyber attacks and cyber terrorism, it is in a mess.
Under the CMP, each state is responsible for its own cyber security. But states like Haryana, Bihar, Jammu & Kashmir, Jharkhand, Mizoram, Nagaland, Sikkim and Tripura do not have a protocol to register cyber attacks, let alone counter them.
At the Centre, too, there is no data available about the number of hacking attempts made on the government websites in the last decade. Officials in the cyber security establishment also point out that despite India being an IT hub, more than 50 per cent of hardware is imported.
“We are vulnerable today because in the case of all our electronic infrastructure, whether it is the internet, local net, military communication systems or radars, 90 per cent of it is imported components,” said V.K. Saraswat, chief of Defence Research and Development Organisation. “Even the internet network works on imported servers and routers. There is a chance of these devices being provided with bugs and malware. At any point these bugs can be activated.”
The DRDO has appointed a team of scientists and cyber experts to identify the critical infrastructure sites and networks prone to cyber attacks. It is also planning to develop indigenous servers, routers and operating systems. Saraswat said the DRDO’s challenge was first to secure its own operating system and communication functions. “We built our own network [Drona]. There has not been a single attack on Drona, [but] if people do not exercise discipline and, for example, use pen drives [between the systems], then they are making the whole system vulnerable.”
Under the present protocol, exclusive national servers like military networks must be physically, electrically, and electromagnetically isolated from insecure networks like those connected to the internet. The challenge is not limited to safe technology. The lack of trained manpower is a big constraint, too.
In India, while more and more people use the internet and the government machinery adopts the concept of e-governance, there are very few people to protect the networks. For example, at the NIC, which maintains the backbone of the government’s IT platform, there are only two persons per district and 15 to 20 persons per state, to fight cyber attacks. The manpower was sanctioned during the 1980s as per the IT requirement at that time. Since then, there has been no increase in manpower, despite the IT boom. No wonder that, at times, the NIC is even unable to protect its own system from hackers. Recently, a whole subdomain, http://www.indexnews.indmin.net, created under the NIC was found to be fake.
Nuclear power plants: No confirmed attacks, but highly prone to hacking. Suspected attack on Rare Materials Plant at Rattehalli, Karnataka, in November 2011.
Air-traffic control systems: Air cargo customs (Mumbai) website was hacked and data stolen.
Banking: More than money, hackers are looking for sensitive financial information.
Telecom: Communication networks faced a couple of cyber threats in 2011, though these were limited to defacing of BSNL and TRAI websites. Smartphones and wifi networks are most vulnerable.
Power: Malware can tweak the network to cause blackouts, and can overload lines, eventually frying them.
Diplomacy: There have been a series of attacks on the external affairs ministry network. In 2009, more than 600 computers at the ministry were hacked into. Last year the Paris embassy was attacked.
Military: Armed forces are not immune, since their command, control, supplies and even some weapons systems rely on digital systems. Periodic cyber-security audits are conducted by the Army cyber security establishment.
(August, 2012, THE WEEK)