
securing our cyber frontiers

PROMOTING DATA PROTECTION

NASSCOM-DSCI CYBER SECURITY ADVISORY GROUP REPORT

NASSCOM®


For more information on this report, contact:

DATA SECURITY COUNCIL OF INDIA
Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi-110057, India
Phone: +91-26155070, Fax: +91-26155072
Email: [email protected]

Published in March 2012

Copyright © 2012 NASSCOM and DSCI. All rights reserved.

Designed & Printed by Swati Communications, +91 11 41659877, +91 9213132174

Disclaimer

This document contains information that is Intellectual Property of NASSCOM and DSCI. NASSCOM and DSCI expressly disclaim to the maximum limit permissible by law, all warranties, express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose and non-infringement. NASSCOM and DSCI disclaim responsibility for any loss, injury, liability or damage of any kind resulting from and arising out of use of this material/information or part thereof. Views expressed herein are views of NASSCOM and DSCI and/or their respective authors and should not be construed as legal advice or legal opinion. Further, the general availability of information or part thereof does not intend to constitute legal advice or to create a Lawyer/Attorney-Client relationship, in any manner whatsoever.

About NASSCOM

NASSCOM® is the premier body and the chamber of commerce of the IT-BPO industries in India. NASSCOM is a global trade body with more than 1200 members which include both Indian and multinational companies that have a presence in India. NASSCOM's member and associate member companies are broadly in the business of software development, software services, software products, consulting services, BPO services, e-commerce & web services, engineering services offshoring and animation and gaming and constitute over 95% of the industry revenues in India and employ over 2.24 million professionals. NASSCOM's Vision is to maintain India's leadership position in the global sourcing IT industry, to grow the market by enabling industry to tap into emerging opportunity areas and to strengthen the domestic market in India. NASSCOM aims to drive the overall growth of the global offshoring market and maintain India's leadership position, by taking up the role of a strategic advisor to the industry.

About DSCI

DSCI is a focal body on data protection in India, set up as an independent Self-Regulatory Organization (SRO) by NASSCOM®, to promote data protection, develop security and privacy best practices & standards and encourage the Indian industries to implement the same.

DSCI is engaged with the Indian IT/BPO industry, their clients worldwide, Banking and Telecom sectors, industry associations, data protection authorities and other government agencies in different countries. It conducts industry-wide surveys and publishes reports, organizes data protection awareness seminars, workshops, projects, interactions and other necessary initiatives for outreach and public advocacy. DSCI is focused on capacity building of Law Enforcement Agencies for combating cyber crimes in the country and, towards this, it operates several Cyber labs across India to train police officers, prosecutors and judicial officers in cyber forensics.

Public Advocacy, Thought Leadership, Awareness and Outreach and Capacity Building are the key words with which DSCI continues to promote and enhance trust in India as a secure global sourcing hub, and promotes data protection in the country.


Foreword

The whole world suddenly appears to be waking up to the cyber security challenge. Countries are framing policies at the national level; there are several international initiatives for global cooperation to meet this challenge. Why are we all so concerned about the cyberspace? This is because our dependence on cyberspace is expanding, while cyber attacks on critical infrastructure are increasing, and threat landscape is getting worse. Whether it is connecting with suppliers, ordering goods, floating e-procurement tenders, making payments to employees and vendors, communicating within and outside of organizations, it is the cyberspace that is used to connect, do business, and reach out to the public. Even military establishments have to use private and public networks for their interactions with suppliers, payment systems, and other organizations in the public and private sectors, although they may use intranets for secure internal communications.

India is no exception - our dependence on technology as a nation is increasing – the Indian economy is going the e-way - growth in e-commerce, e-payments, card circulation, domestic IT market spending, internet user base – are the leading indicators. Government is relying on technology to solve governance problems whether it is service delivery or financial inclusion. Technology has become the lifeline of critical infrastructures such as energy, telecommunication, banking, stock exchanges, etc. Businesses are leveraging technology to transform their business models. Defence and Police agencies are making strategic use of technology to modernize. As a nation we’re as much the victim of cyber attacks as any other country. The attackers are both local, and global – driven by passion for crimes such as financial frauds or terrorism; crime syndicates; nation-states attacking directly or using non-state actors for economic and political espionage. Attacks on critical infrastructure can have crippling effects on civilians, with outcomes similar to those achieved by traditional war. Several recent examples testify to this. Cyber security is clearly important for national security.

In such a scenario, it is essential for us as a country to comprehensively understand the threats associated with the use of technology and operating in cyberspace - which has emerged as the fifth domain after land, sea, air and space; it has no geographical boundaries and cuts across jurisdictions. Public-Private Partnership is the key to enhance cyber security, as more and more critical infrastructure is owned and operated by the private sector. The government has a larger role to lead such initiatives from the front since national security is involved. The policy challenges to incentivize the private sector to spend more on security than what the business case would justify, have to be addressed. On the other hand, the industry needs to be more proactive on engaging with the government on cyber policy issues. It has to take security seriously by raising it to the Board level and giving security leaders more authority and support.

The IT-BPO industry has witnessed phenomenal growth over the years - it has grown from a USD 100 million industry to USD 100 billion this year over a period of 12 years; it accounts for 6.4% of India’s GDP and succeeded in positioning India as the global hub of IT and BPO services. In this journey it has overcome several challenges, specifically the data protection related concerns of clients and regulators abroad. The industry, through NASSCOM, has taken proactive steps such as the establishment of Data Security Council of India (DSCI) as a self-regulatory organization to create and promote best practices frameworks for data security and privacy protection, keeping in view the target of achieving the industry revenue projection of USD 225 billion by 2020. Given its international experience of managing security and technology expertise, the IT/BPO industry is uniquely positioned to contribute in the cyber security initiatives of the country, specifically through public-private partnerships.

NASSCOM and DSCI established Cyber Security Advisory Group (CSAG) to bring public and private sector together to deliberate on cyberspace issues, understand the steps taken by other countries, and to identify priority areas for action. The key recommendations made by the group identify ten such areas along with the role of government and the industry for each area. These recommendations have been developed after taking into consideration the ongoing global cyber security efforts and developments while keeping the Indian environment in context. I strongly believe that the government will find the CSAG Report thought provoking and useful in creating appropriate policy instruments for enhancing cyber security in the country.

I would like to thank all the CSAG members for actively participating in this initiative and making valuable contributions. My special thanks to Dr. Kamlesh Bajaj, CEO, DSCI for steering this Group and leading the DSCI team in preparing this Report. Under his leadership DSCI has helped bring cyber security into focus among the industry and other stakeholders in the country and is emerging as a think tank in data protection and cyber security. On behalf of the Group, I extend my thanks to the DSCI team for driving the overall process in an efficient, effective and collaborative manner.

Rajendra Pawar

Chairman, CSAG

Chairman, Executive Council, NASSCOM

Chairman & Co-founder, NIIT Group

22 March, 2012


Executive Summary

Cyberspace is emerging as a game changer in the information age. Developed and developing countries are exploiting cyberspace to leap ahead in the future – development and augmentation of critical infrastructure, electronic delivery of government & business services, increasing productivity, new business models, etc. However, the same cyberspace is being equally exploited by terrorists, criminals and even adversary nation-states for disrupting critical infrastructures, stealing secrets, carrying out financial frauds, recruiting criminals, etc. What makes cyberspace even more attractive to criminals is that attribution in cyberspace is difficult, especially given that cyberspace is borderless and cuts across jurisdictions. It allows criminals to launch attacks remotely from anywhere in the world. Cyberspace is changing the power equations – a bunch of cyber criminals can now take on powerful nations. What’s even worse is that the effects of cyber attacks can be similar to physical attacks. National security is getting increasingly linked to cyber security.

A nation’s cyberspace is part of the global cyberspace and no nation can protect its cyberspace in isolation. Cyber security is a global problem requiring mobilization of action both at national and international levels. Nations are at a crossroads and there are a lot of cyber security policy related discussions and debates taking place around the world. Nations have made significant efforts to secure their cyberspace and yet they have been repeatedly attacked.

India is leveraging the power of technology to address its social, economic and development challenges. However, if cyber threats are not addressed through appropriate policy measures, they can disrupt the country’s economic development. Though several initiatives have been taken by the government and industry, these efforts need to be further augmented, given the gravity of the problem. NASSCOM and DSCI created the Cyber Security Advisory Group (CSAG), having representation from public and private sectors, to recommend the priority policy action items for the government based on the global developments and learning.

The key recommendations of the CSAG are listed below:

1. Create a National Structure for Cyber Security which clearly defines roles and responsibilities for every stakeholder, establishes coordination & information sharing mechanisms, focuses on building Public Private Partnership models and creates environment for enhancing trust between the industry and government. A fully empowered head for Cyber Security should be appointed, positioned at the highest level within the government.

2. Design and Implement a Competency Framework for building a competent and adequate Cyber Security Workforce. The Competency Framework should assess the security skills requirements, identify existing gaps & challenges, define competency areas across different security roles and devise strategies and programs for building the required capacity.

3. Create and maintain an Inventory of Critical Information Infrastructure in the country to provide the required visibility over the critical information infrastructure and help prioritize deployment and monitoring of the protection measures.

4. Establish a Centre of Excellence for Best Practices in Cyber Security to institutionalize the development, sharing, collation, distribution and implementation of best practices in the country.

5. Establish a National Threat Intelligence Centre which should integrate all the existing information sources such as sectoral CERTs, intelligence bodies, security alerts issued by security vendors, threats seen by critical sectors and industry to enable cross-domain awareness and a comprehensive view of cyber threats at a national level.


6. Build Capacity of the Law Enforcement Agencies in Cyber Crime Investigations and Cyber Forensics by establishing training facilities in every state and union territory.

7. Build Lawful Interception Capabilities for balancing national security and economic growth by establishing a national centre for performing research in encryption and cryptanalysis.

8. Establish a Centre of Excellence for Cyber Security Research to develop solutions that will protect country’s information infrastructure in the future by defining and executing a research roadmap developed based on country’s research needs.

9. Set up Testing Labs for accreditation of ICT products to mitigate security risks arising from procurement of ICT products especially from foreign vendors and yet take full benefits from the global supply chain that includes access to world class products, services and expertise at competitive prices.

10. Establish a Cyber Command within the defence forces to defend the Indian Cyberspace. The Cyber Command should be equipped with defensive and offensive cyber weapons, and manpower trained in cyber warfare.

The government should implement the above recommendations in parallel through effective public-private partnerships. The industry should actively support the government in the implementation of these recommendations. Government and industry cannot overcome the cyber security challenge in isolation; the imperative is to work together in a trusted and collaborative environment, leveraging each other’s strengths to strengthen the cyber security posture of the country and take lead in global cyber security efforts.


Contents

1. Background

2. Cyber Security – A Global Issue
    2.1 Cyberspace – A Game Changer
    2.2 Cyber Threats
    2.3 Cyber Security Challenges
    2.4 The Imperatives

3. Indian Cyberspace and Cyber Security Initiatives
    3.1 Indian economy going the e-Way
    3.2 The Threat Landscape
    3.3 Legal Framework – Information Technology (Amendment) Act, 2008
    3.4 Policy Initiatives
        3.4.1 Draft National Cyber Security Policy
        3.4.2 Triad of Policies to drive a National Agenda for ICTE
    3.5 Cyber Security Initiatives
        3.5.1 Government Initiatives
        3.5.2 NASSCOM and DSCI Initiatives

4. Key Learning and Imperatives for India
    4.1 Key Learning for India
        4.1.1 Cyber Security – A Top Government Priority
        4.1.2 Critical Information Infrastructure Protection – Regulate versus Incentivize
        4.1.3 ICT Supply Chain Risks – Foreign versus Indigenous
        4.1.4 Encryption – National Security versus Economic Growth
    4.2 Imperatives for India

5. CSAG Recommendations
    5.1 Key CSAG Recommendations
    5.2 Additional CSAG Recommendations

6. Public-Private Partnerships in Cyber Security and Role of DSCI

Epilogue

Appendix
    I. Proposed National Cyber Security Structure
    II. Global Cyber Security Initiatives
        United States of America
        United Kingdom
        Australia
        Japan


1. Background

Over the years NASSCOM has played a vital role in the area of public policy through advocacy in India. It works with the Indian government on a variety of initiatives and issues affecting not only the IT/BPO industry but also infrastructure, education and manpower development; employment generation through skill development in the country at large. DSCI, a not-for-profit company set up by NASSCOM, has also been closely working with the government on a number of initiatives and issues pertaining to data security, data privacy and cyber security.

Today, given the increasing dependence on information and communication technologies (ICT), especially the Internet, for delivery of services, one of the biggest challenges the world faces is that of cyber security. Governments around the world are formulating cyber security strategies and policies to effectively manage the risks, which are global in nature. Department of Information Technology (DIT), Government of India has launched a number of initiatives over the last few years, to enhance cyber security; it has also released a draft national cyber security policy for public consultation. It highlighted Public-Private Partnership (PPP) as a key component as more and more Critical Information Infrastructure is owned and operated by the private sector.

Given the importance of cyber security, which is closely associated with national security, and the role of the private sector, NASSCOM and DSCI constituted the Cyber Security Advisory Group (CSAG) with representation of various stakeholders - both from the public and private sectors - to provide recommendations to the government on PPP in capacity building and policy making. The CSAG was chaired by the Chairman of NASSCOM Executive Council, with the CEO of DSCI acting as Member Secretary.

The first meeting of the CSAG was held on 4th October, 2011 at DSCI office. As a result of the discussions held, NASSCOM – DSCI formed 7 sub-groups, namely: Critical Infrastructure Protection, Best Practices for Cyber Security, Early Watch and Warning System, Education & Awareness, Law Enforcement Capability Development, Assurance in ICT Supply Chain, and Cyber Warfare. Members in these sub-groups were requested to deliberate on the threats in their respective areas, study emerging trends and policy evolution and the experience of implementing them in other countries, and evolve policies of relevance to the Indian context.

DSCI consolidated the preliminary recommendations provided by the CSAG members and also conducted an extensive study of the policies and initiatives of these countries [1] and of India’s initiatives to develop its own recommendations. The consolidated preliminary recommendations were brainstormed in the second meeting of the CSAG held on 6th February, 2012 at NASSCOM office. In this meeting, it emerged that the CSAG group should prioritize the existing recommendations to provide the government key priority areas for action, detailing the role of the industry in each such area. As a result, the CSAG group has come out with ten key pragmatic and actionable recommendations which also detail the role of the government and industry. Other recommendations are also detailed for completeness of the CSAG Report.

[1] The detailed study of cyber security initiatives of US, UK, Australia and Japan has been presented in the Appendix of this report.


2. Cyber Security – A Global Issue

2.1 Cyberspace – A Game Changer

Cyberspace is a global commons, albeit of a new kind, since it is man-made and ever expanding. It comprises IT networks, computer resources, and all the fixed and mobile devices connected to the global Internet. During the evolutionary stage of the global digital Internet, the key considerations were interoperability and availability. Moreover, it was a closed user group involving academics from a few universities. Suddenly, it was thrown open to the world and has grown exponentially ever since.

Cyberspace is a national asset too, since it enables a host of business and government services to citizens; critical infrastructure depends on it for its efficient operations. In fact, economies of advanced nations almost entirely depend upon technology in cyberspace. It has become the lifeline of critical infrastructures such as energy, telecommunication, banking, stock exchanges, etc. Businesses are leveraging technology to transform their business models; Defence and Police agencies are making strategic use of technology to modernize.

Social networking platforms – a phenomenon that has gripped the entire world - have enabled people to come together and change the way they interact socially. It has not only initiated connections, but has managed to sustain the growing interconnect by engaging people in different interests of their choice. Currently, Facebook has around 800 million users, which are expected to reach 1 billion by August 2012. Tweets on Twitter grew from 500 K in 2007 to more than 4 billion in Q1 of 2010, to over 1 billion tweets every week this year with a community of 225 million users. The Arab Spring, Jasmine Revolution in China, Occupy Wall Street etc. have exemplified that the growing community of hundreds of thousands of people can be mobilized for a cause through social media. In contrast, London riots were supposedly fuelled by social media.

Given the kind of activities being carried out in the cyberspace, cyberspace merges seamlessly with the physical world. But so do cyber crimes. Cyber attackers can disrupt critical infrastructures such as financial and air traffic control systems, producing effects that are similar to terrorist attacks in the physical space. They can also carry out identity theft and financial fraud; steal corporate information such as intellectual property; conduct espionage to steal state and military secrets; and recruit criminals and others to carry out physical terrorist activities. With this growing threat landscape, cyber-readiness of the security systems has been constantly put to the test. While security systems are increasingly expensive, launching cyber attacks is relatively much more economical. This growing imbalance is a game changer. It has established cyberspace as offense-dominant, wherein defenders have to defend all the time at a heavy cost, while the attacker needs to succeed only once.

Threats and attack vectors have also been on the rise because most of the vulnerabilities and malicious codes are easily available on the Internet and provide attackers an easy pathway to operate. Without solving security and vulnerabilities issues in existing platforms, we have moved to another level - porting of applications to emerging mobile platforms such as smartphones and tablets, with known vulnerabilities. This has provided cyber criminals a wide field in which to operate. The damage inflicted by cyber attackers may not be easily recognizable and in some cases, may even go unnoticed. Even if an attack is successfully defended, it is possible to cover tracks and thus attribution of a cyber attack, in some scenarios, becomes very difficult, if not impossible. Tracing a cyber attack is not easy as the Internet has no geographical boundaries and cuts across jurisdictions. There are no international laws/agreements that could help in tracing cyber attacks. This makes it all the more difficult for the Law Enforcement Agencies (LEAs) to bring cyber criminals to justice.


On the one hand, cyberspace has evolved from a totally unregulated techies’ domain, where innovation, new technologies, new services were the only drivers. Indeed, it is innovations in cyberspace that have led to economic growth and globalization. On the other hand, cyber attacks are on the rise, cyber crimes have been fructifying, cyber espionage is gaining traction and cyber warfare is touted as the realm of the next world war.

2.2 Cyber Threats

Security was, and continues to be, a ‘bolted on’ rather than ‘built in’ feature. This approach has caused a rapid increase in the vulnerabilities in different platforms, applications, software etc. which are easily exploited by cyber attackers. Innovative applications are developed without factoring security in. It becomes too late when weaknesses in operating systems, network stacks, database management systems, web browsers, web apps are discovered.

Traditional viruses, that were meant to change attributes of a file by modifying registry, have come of age. Nowadays, what we see is a much bigger and more complex threat landscape. Worms, rootkits, botnets, trojans and other highly complex malware are orchestrated to cause irreparable damage to the critical infrastructure.

Cyber threats and attacks typically emanate from a broad range of adversaries, including both state and non-state actors. These can arise from international syndicates, terrorists, rogue nation states, competitors or disgruntled insiders.

Millions of devices connected to the Internet, ever increasing bandwidths enabled by broadband, social networking uses, in particular, have made cyber crimes possible from the hinterland in every country. The long list of cyber crimes includes identity theft, hacking, financial frauds, child pornography, pornography, data theft, corporate espionage, defamation, etc. The criminals can be young individuals who do cyber crimes just to hone their ‘hacking’ skills, organized national and international gangs who are motivated by easy money, disgruntled employees/insiders who want to take revenge on their employers. Non-tech savvy criminals are also entering the realm of cyber crimes because of easy availability of tools and techniques such as malicious software, malware, botnets, hacking services, etc. in a hidden marketplace operated by syndicates and sophisticated cyber criminals. With access being so easy, there is no bar to entry to the world of cyber crime because such crimes can be committed from afar, in perfect anonymity, without fear of being caught by law. Thus it becomes an attractive option for modern criminals.

Cyber criminals are not operating in isolation. They are collaborating from different geographies and regions. Rise of communities such as “Anonymous” or “Lulzsec” are few examples. What brings them together? Common objectives – earning profit or creating havoc – unite them. Given their large funding streams and cross-border free flow of information, existing laws are not able to restrain their growing network community. Unlike criminals, the lawful agencies require frameworks to operate, and trust in one another, which is relatively difficult.

From a national security perspective, security of critical information infrastructure is becoming a top priority. Over the years, targeted attacks on critical information infrastructures of nations meant to disrupt and impact normal functioning with wide economic consequences have been observed. Attacks on power grids, oil rigs and other critical infrastructures causing heavy outage have made digital nations realize the significance of securing their critical assets due to their increasing interdependency in digital arena. Be it cyber attack on Iran’s nuclear reactor by use of specially crafted ‘Stuxnet’ or attacks on Georgia and Estonia, these attacks have impacted severely and got the nation’s think tanks to re-strategize their policies. Possible scenarios that experts are considering as a result of cyber attacks include: mid air collisions of airplanes, trains bumping into each other due to signal malfunctioning, nuclear reactors and power plants becoming un-operational, breakdown of stock markets impacting millions of traders and investors, banking infrastructure coming to a grinding halt, water grids being operated by cyber attackers, unavailability of telecom services etc. Only an armed attack could have led to such disasters before the Internet. No wonder cyber security is getting increasingly linked with national security.

In banking and financial sector, most of the operations are now done online. This sector is arguably the most targeted as the returns are much higher. Millions and billions of dollars, as direct cash cost, have been lost on account of attacks on financial infrastructure. Stealing financial information, credit card details, financial frauds etc. has been on the rise. The fact that more and more personal information is crossing the borders in trans-border data flows means that data breaches often affect people in multiple countries, and may result in financial frauds – as in TJX case, a retailer in the United States. Nearly 100 million credit and debit cards belonging to people from various regions were exposed when hackers broke into its computer systems and converted some of these into ready-to-use bank cards. Hackers sold the stolen credit card information to people in the United States of America (US) and Europe via the Internet.

National ICT assets are attacked from cyberspace commons without the fear of being identified. Even though most of the assets are owned privately, individual countries are finding it difficult to handle the criminals, since the origin of cyber attack can be camouflaged. Growing instances of cyber espionage for stealing critical information and intellectual property have been witnessed. Researchers are of the opinion that some of these high profile attacks may have been carried out by nation-states directly or through non-state actors or working under the direction and control of the former. Corporates are interested in confidential information such as business plans of their competitors and nation-states are interested in the military secrets and strategic plans of other nations. In May 2009, President Obama cited one estimate that a trillion dollars worth of intellectual property is stolen worldwide every year.

In March 2011, hackers penetrated French[3] government computer networks in search of sensitive information on upcoming G-20 meetings. Also in that month, hackers used phishing techniques to obtain data that compromised RSA’s SecurID authentication technology; the data acquired was then used to penetrate Lockheed Martin’s networks. Google reported a phishing effort to compromise hundreds of Gmail passwords for accounts of prominent people, including senior US officials. Approximately 24,000 files were reported to be stolen from Pentagon in a major cyber attack. In the year 2011 alone, National Aeronautics and Space Administration (NASA) witnessed thirteen major breaches, which NASA said could compromise US national security.[4]

To stay ahead of the curve, many nation-states are reportedly developing offensive cyber weapons and are even known to have raised army of cyber attackers. They engage ‘patriotic geeks’ and provide them with a career path in security operations at an early age. On lines of nuclear weapons, an arms race is slowly picking up among nations in cyberspace. This has been one of the reasons for growing disharmony among nations.

[2] www.washingtontimes.com/news/2011/sep/29/pentagon-seeks-probe-of-the-cost-of-hacking/

[3] List of Cyber Incidents: http://csis.org/files/publication/120313_Significant_Cyber_Incidents_Since_2006.pdf

[4] Source - Reuters


2.3 Cyber Security Challenges

Given unique characteristics of cyberspace as described above, there are numerous challenges in cyber security. One of the most important challenges is of coordination and cooperation between different stakeholders - at both national and international levels. Comprehensive framework to ensure coordinated response and recovery, intelligence and information sharing mechanism, clarity in roles & responsibilities of involved agencies and government units, and specified role of industry in PPP models is lacking at the national level. At the international level, absence of globally accepted norms featuring cooperation across jurisdictions to track cyber criminals and their extradition is making it difficult for the LEAs to bring cyber criminals to justice. There is also lack of adequate training and knowledge available to LEAs and judiciary in many countries for understanding cyber crimes and relevance of evidence in the form of cyber forensics.

Protection of critical information infrastructure has emerged as a major challenge. National Security has traditionally (for air, land and sea) been the sole responsibility of the governments. The new responsibility of securing the critical information infrastructure against the rising number of cyber attacks has come within the ambit of national security. This new responsibility, however, does not lie solely with the government; private sector has a major role to play, as the majority of the critical information infrastructure is owned and operated by the private sector. However, private sector’s investment in security is driven by business requirements and not by national security concerns. So how can government intervene? By incentivizing or regulating the private sector? There is an ongoing debate on which direction the nations should take. Many believe that market forces cannot deliver the required investments and efforts for ensuring public safety and national security, whereas some believe that too much of government intervention through regulations can undermine business innovation. No clear universal solution to this problem has emerged presently.

There is yet another area of global concern, namely the ICT global supply chain. Given the increased dependence on global ICT products, especially in operating critical sectors and growing realization of cyber risks, countries are doubting the integrity of these products, fearing that adversaries may introduce malicious codes / functions to do surreptitious surveillance, disrupt services, or at worst paralyze a nation. Alleviating such doubts and fears to continue benefitting from global ICT supply chain is one of the biggest challenges the world faces in cyber security today. While some countries are trying to address this challenge by building global and national capabilities to address supply chain risks without undermining the international competitiveness and legitimate trade flow, others are focusing on developing indigenous products to reduce the dependency on foreign players.

Another very important challenge requiring ongoing efforts is poor awareness and education about cyber security threats and the need to follow best practices, across different levels – ranging from school children to top government officials, and management in the corporate world. Adding to the problem is the non-serious and reactive approach towards security. Lack of knowledge and awareness among users increases the risk manifold. Because of poor awareness, we become vulnerable and easy victims of social engineering attacks, phishing sites, spurious email communications, etc. Many such cyber threats can be easily mitigated if individuals are aware and vigilant.

Other major difficulties in addressing problems related to cyber security at an organizational level include: lack of high quality software development; treatment of security function as a cost centre; compliance driven approach to security; lack of multi-departmental coordinated roadmap; treatment of security as merely a technology issue and not a management issue; and difficulty in calculating Return on Investment (RoI) for security investments.


2.4 The Imperatives

Cyber security is a global problem that has to be addressed globally by all governments jointly. No government can fight cybercrime or secure its cyberspace in isolation. Cyber security is not a technology problem that can be ‘solved’; it is a risk to be managed by a combination of defensive technology, astute analysis and information warfare, and traditional diplomacy[5]. International community should come forward and initiate discussions that will encourage nations to create PPP models for cyber security. There is an urgent need to have internationally acceptable legal norms regarding territorial jurisdiction, sovereign responsibility, and use of force, investigation and prosecution of cyber crimes, data preservation, etc. for dealing with cyber crimes. Globally acceptable norms for dealing with cyber crimes, and trans-national efforts for effective information sharing will help to secure cyberspace. World bodies such as United Nations (UN) and North Atlantic Treaty Organization (NATO) should take the lead in this regard.

Critical infrastructure protection should be top most national priority and for this, private players also have a major role to play. It needs to be more proactive on engaging with the government on cyber policy issues through PPP. It has to take security seriously by raising it to the Board level and giving security leaders more authority and support.

Development of industry standards and sharing of best practices will better equip organizations to respond to evolving and perennial threats. It will help organizations align their security initiatives to the security technology and services market evolution and benchmark against peers. Organizations should be forthcoming to share cyber incidents so that it helps peers deal with similar situations. Emphasis also needs to be given on developing secure products and services. Security must be prioritized as an embedded function in every development. Focus should also be given on end user training and awareness. Cyberspace cannot remain safe unless its users are aware and vigilant.

Specifically, international cooperation is required at following levels[6]:

National nodal centres on information infrastructure, based on PPP, to cooperate

Global service providers such as Google, Microsoft, Twitter, Yahoo, and Facebook to cooperate with LEAs in all countries and respond to their requests for investigations

Computer Emergency Response Teams (CERTs) to exchange threats and vulnerabilities data in an open way to build an early watch and warning system

Incident management and sharing of information with a view to building an international incident response system

Critical-infrastructure protection: Establishment of an international clearing house for critical-infrastructure protection to share threats, vulnerabilities, and attack vectors

Sharing and deployment of best practices for cyber security

Creation of continued awareness on cyber threats, and international coordination as part of early-watch-and-warning system

Acceptable legal norms for dealing with cyber crimes regarding territorial jurisdiction, sovereign responsibility, and use of force to reconcile differing national laws concerning the investigation and prosecution of cyber crimes, data preservation, protection, and privacy. Address the problem of existing cyber laws that do not carry enforcement provisions.

Incident response; and transnational cooperation, including establishment of appropriate mechanisms for cooperation. Such measures must include provisions to respond to counter cyber terrorism, including acts of sabotage of critical infrastructure and cyber espionage through information warfare.

Law Enforcement Agencies to investigate cases, collect forensic evidence at the behest of other countries, and prosecute cyber criminals to bring them to justice.

[5], [6] The Cybersecurity Agenda, Mobilizing for International Action - Dr. Kamlesh Bajaj


In the information age, Internet is the engine for global economic growth and the cyber security initiatives of any country should not impede it; instead, these initiatives should create enablers for growth of the Internet and other technology innovations. The world has to find a way to cooperate so that the cyberspace – the biggest global commons – remains a driver of economic prosperity of nations and a cloud where people from all countries can safely interact and exchange goods and services.


3. Indian Cyberspace and Cyber Security Initiatives

3.1 Indian economy going the e-Way

Since liberalization in 1991, India has witnessed steady economic growth, benefiting from globalization and information revolution. Country’s Gross Domestic Product (GDP) growth rate is expected to touch double digits mark in coming years. Technology is playing a crucial role in this transformation. As per a recent Boston Consulting Group report[7], the Internet economy of India in 2010 was USD 70 billion (4.1% of GDP) and is estimated to reach USD 242 billion (5.6% of GDP) in 2016. Technology is contributing in India’s development in following ways:

Development of new infrastructure - airports, metros, highways, etc. and augmentation of existing infrastructure - power generation, financial services, telecom, transportation, defence, etc. Nation’s critical infrastructure is getting increasingly dependent on technology – power grids, air traffic controller, industrial systems, stock exchanges, banking, telecom among others are driven and controlled by ICT.

e-Governance - Government is framing policies that intend to leverage power of technology to address social, economic and development challenges in the country. Government is envisaging making the Internet available to every household in India through availability of low cost devices to enable every citizen to participate in the web economy. Using technology, the government intends to improve governance by increasing transparency, curbing corruption, time bound delivery of government services and ensuring financial inclusion. Government is investing more than USD 10 billion on e-Governance through many projects that would transform government functioning. The National e-Governance Plan (NeGP) takes a holistic view of e-Governance initiatives across the country. It integrates the initiatives, whether at the Centre or in States, into a collective vision for a shared cause of delivering benefits to citizens in the remotest parts of the country. A massive countrywide infrastructure reaching out to the remotest of villages is evolving, and large-scale digitization of records is taking place to enable easy, reliable access over the Internet. The ultimate objective is to bring public services closer home to citizens, as articulated in the vision statement of NeGP[8]. The NeGP comprises 27 mission mode projects (MMPs) and 8 common core and support infrastructure including State Wide Area Networks and State Data Centres.

[7] Boston Consulting Report 2012: The Connected World - The Internet Economy in G-20

‘Aadhaar’ is one of the most ambitious projects of the Indian government which is issuing 12-digit unique number to Indian residents. The number will be stored in a centralized database and linked to the basic demographics and biometric information – photograph, ten fingerprints and iris – of each enrolled resident. The Aadhaar number provides unique identity, which will become acceptable across India. The project promises that this identity will be robust enough to eliminate duplicate and fake identities through effective verification and authentication. Many of the government’s social benefit programs are envisaged to be linked with the Aadhaar number. The disbursements of government entitlements like Mahatma Gandhi National Rural Employment Guarantee scheme, social security pension, handicapped old age pension, etc. are expected to be made through Aadhaar-Enabled Payment Systems (AEPS), using Aadhaar number and associated personal information for authentication. The Aadhaar initiative is also expected to give a boost to government’s efforts for financial inclusion by providing the means for delivery of banking services through Business Correspondents (appointed by Banks) in rural areas.

e-Commerce – this industry is witnessing phenomenal growth; B2C e-commerce is expected to touch USD 10 billion – a growth of 47% from 2010[9]. e-payments in India account for 35.3% of the total transactions in terms of volume and 88.3% in terms of value[10], card circulation - both credit and debit - was around 200 million in 2010[11]. The e-commerce is still an untapped potential – given that the Internet penetration[12] in India is only around 8% (rising exponentially) with around 120 million Internet users[13] and India is projected to become the third largest Internet user base by 2013[14]. With around 894 million mobile subscribers[15] (as on December 2011), m-commerce market is a big opportunity, especially as it promises to bring rural India into the realm of e-commerce.

IT/BPO sector – India is the preferred global supplier for IT software and services and is emerging as the knowledge hub of the world with many global companies opening their R&D and innovation centres in India. The industry has provided job opportunities to over 10 million people through direct and indirect employment and accounts for 6.4% of India’s GDP. It aims to grow revenues to USD 225 billion by 2020[16] out of which USD 175 billion will be on account of export of software and services. Domestic IT market, including telecommunications services and equipment, is expected to touch USD 110 billion by 2012. Cloud Computing is a huge opportunity for India - next wave of growth for the Indian IT industry – as worldwide cloud services revenue are expected to reach around USD 150 billion in 2014[17]. The Indian cloud computing market opportunity is expected to reach USD 16 billion by 2020[18]. Data protection (security and privacy) is perceived to be one of the major challenges in adoption of the cloud.

Modernization of Police and Defence – Police agencies and Defence are making strategic use of technology to modernize. Projects such as Crime and Criminal Tracking Network and Systems (CCTNS) and National Intelligence Grid (NATGRID) are flagship projects for modernization of police. CCTNS will connect 14,000 police stations and 6,000 police officers to a centralized database. The goal of CCTNS is ‘to facilitate collection, storage, retrieval, analysis, transfer and sharing of data and information at the police station and between the police station and the State Headquarters and the Central Police Organizations.’[19] NATGRID, in its first phase, ‘will network 21 sets of data sources to provide quick and secure access to information required by 10 intelligence and law enforcement agencies as part of the counter terror-related investigative processes.’[20]

[8] www.mit.gov.in/content/national-e-governance-plan

[9] Internet and Mobile Association Of India

[10] Reserve Bank of India

[11] Payments in India is going e-way, Celnet report

[12] Google India

[13] http://timesofindia.indiatimes.com/tech/news/internet/121m-internet-users-in-India-by-2011-end-Report/articleshow/10641973.cms

[14] Forrester

[15] TRAI

[16] NASSCOM-Mckinsey Study: Perspective 2020

[17] Gartner

[18] NASSCOM – Deloitte Study – ‘Deconstructing the “CLOUD”: The New Growth Frontier for Indian IT-BPO Sector’

Defence has also taken similar initiatives – most notably the creation of an Army Wide Area Network (AWAN) designed to connect all Army formations, units, training establishments and logistic installations in the country for secure and direct information exchange.[21] Army also launched project ‘Shakti’ – a fully digitized and integrated Artillery Combat Command and Control System, which is a network of military grade tactical computers automating and providing decision support for all operational aspects of Artillery functions from the corps down to a battery level.[22]

Social Media – With around 45 million[23] Indians using the social media, and the number increasing every day, social media is emerging as a very powerful phenomenon in Indian cyberspace. It is revolutionizing the way society interacts. It is growing rapidly and becoming addictive especially for young Indians who love to connect with one another, make friends, chat, and publish photographs of family and friends. Personal Information is becoming the economic commodity on which social networking is thriving. Businesses, Non-Governmental Organizations (NGOs) and even the governments are using this platform for variety of reasons – communication, marketing, branding, awareness, etc. Whole new communities that encourage people to discuss important issues and come up with innovative solutions to local problems are emerging. The social media has also caught the attention of the governments and the regulators worldwide (for wrong reasons) including the Indian government and there is an ongoing debate on regulating the social media.

[19] http://ncrb.nic.in/cctns.htm

[20] http://blogs.wsj.com/indiarealtime/2011/06/29/qa-natgrid-chief-raghu-raman/

[21] http://www.defenceindustrydaily.com/indias-army-launches-awan-network-02014/

[22] http://pib.nic.in/newsite/erelease.aspx?relid=49161

[23] http://www.watconsult.com/2011/05/45-million-indians-on-social-media-by-2012-are-you-on-it-yet/

3.2. The Threat Landscape

It is extremely important for us as a nation to continue leveraging technology for overall development of the country and improving lives of the citizens. For this, it is crucial to comprehensively understand the risks associated with the use of technology and operating in cyberspace.

Cyber security is getting increasingly linked to national security - the cyberspace is being used by terrorists to spread their message, hire recruits, do encrypted communication, surreptitious surveillance, launch cyber attacks on government infrastructure, etc. Sophisticated use of technology was made by 26/11 Mumbai attackers - Global Positioning System equipment, satellite phones, BlackBerrys, CDs holding high-resolution satellite images, multiple cellphones with switchable SIM cards, e-mails routed through servers in different locations, which made it harder to trace them.

Cyber attacks targeted at critical information infrastructures (energy, telecom, financial services, defence, and transportation) have the potential of adversely impacting a nation’s economy and public safety, and citizens’ lives. These critical infrastructures are mainly owned and operated by the private sector. For example, the telecom sector is mostly owned by the private players, except Mahanagar Telephone Nigam Ltd. and Bharat Sanchar Nigam Ltd.; major stock exchanges - Bombay Stock Exchange and National Stock Exchange - are private players wherein most of the transactions are done through electronic medium; airline industry is dominated by private players with Air India being the only government enterprise; in the Energy & Utility sector, though dominated by government players, the distribution is largely controlled by private partners; the banking sector has large number of private banks. The investments made by these private players in securing the infrastructure are driven by business requirements and not national security concerns. This may leave possible security loopholes. India recently witnessed a cyber attack on its critical information infrastructure - cyber attack on state-of-the-art T3 terminal at New Delhi airport that made check-in counters of all airlines non-operational causing public inconvenience. Stuxnet - the deadliest attack vector that has been designed so far – which destroyed a nuclear reactor in Iran has reportedly infected systems in India.[24]

As the dependency of critical information infrastructure on technology increases in future and if such infrastructures remain vulnerable, it is possible that adversaries may use cyber attacks on critical information infrastructure to produce impact similar to that in physical attacks / accidents, at worst leading to physical harm – collision of aircrafts because of manipulation with Air Traffic Controlling system, train accidents due to signal malfunctioning; or could adversely affect the national economy – failure of telecommunication services, power grids, oil production and distribution, breakdown of stock markets and banking infrastructure.

Given the increased usage of Internet in the country, India is witnessing sharp rise in cyber crimes. Data released by National Crime Records Bureau (NCRB) in 2010 shows this trend - 966 cyber crimes cases were registered in 2010 under the IT Act across India (an increase of around 128% over 2009 and 235% over 2008) and 799 persons in 2010 were arrested (an increase of around 177% over 2009 and around 349% over 2008) for cyber crimes, which included hacking, obscene transmission, tampering, etc.

Cyber attackers have also been repeatedly defacing Indian websites especially government websites. In January 2012 alone, 1425 websites were defaced, with 834 target websites being hosted on ‘.in’ domain[25]. Many high profile cyber espionage attacks targeting systems of senior Indian bureaucrats have been reported in the media.[26]

[24] http://www.tehelka.com/story_main51.asp?filename=Ne261111India.asp

[25] http://www.cert-in.org.in/

[26] http://articles.timesofindia.indiatimes.com/2010-01-16/india/28147357_1_cyber-criminals-pmo-standalone-computers


3.3. Legal Framework – Information Technology (Amendment) Act, 2008

Information Technology Act (IT Act) was enacted in year 2000 to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication. The IT Act was amended in year 2008, resulting in establishment of a robust cyber security and data protection regime in the country. The IT (Amendment) Act, 2008 provides a comprehensive definition of the computer system, and tries to ascertain liability based on the type of cyber crime committed – hacking, spamming, tampering, identity theft, impersonation, cyber terrorism, pornography, child pornography, etc. It introduces the concept of ‘sensitive personal information’, and fixes liability of the ‘body corporate’ to protect the same through implementation of ‘reasonable security practices’. In case a body corporate fails to do so, it can be fined up to Rs. 5 crore (approx. USD 1.2 million) by the Adjudicating Officer. Fines greater than Rs. 5 crore can be imposed by the civil court. The rules issued under the Act also require body corporates to follow privacy principles such as notice, choice & consent, access & correction, disclosure to third party, etc. On the other hand, the amended Act provides provision for legal action against a person for the breach of confidentiality and privacy, under lawful contract. Critical systems can be declared as ‘protected systems’ under the Act; security breaches of such systems attract higher prison sentences.

The amended Act also enables setting up of a nodal agency for critical infrastructure protection, and strengthens the role of CERT-In. This Act creates provision for the central government to define encryption policy for strengthening security of electronic communications. Presently, encryption of up to 40 bits is allowed under the telecom policy. Cyber Appellate Tribunal, which is now operational, is expected to expedite legal proceeding of cyber crime cases. The cyber security and data protection provisions in IT (Amendment) Act, 2008 are also supported by various other enactments, namely, (i) The Indian Telegraph Act, 1885, (ii) The Indian Contract Act, 1872, (iii) The Specific Relief Act, 1963, (iv) The Public Financial Institutions Act, 1983, (v) The Consumer Protection Act, 1986 and (vi) The Credit Information Companies (Regulations) Act, 2005. Overall, the IT (Amendment) Act, 2008 is an omnibus and comprehensive legislation which includes provisions for digital signatures, e-governance, e-commerce, data protection, cyber offences, critical information infrastructure, interception & monitoring, blocking of websites and cyber terrorism.[27]

[27] http://www.dsci.in/sites/default/files/India-Building%20an%20New%20Ecosystem_Vinayak%20v4.pdf

3.4. Policy Initiatives

3.4.1. Draft National Cyber Security Policy

The draft version of National Cyber Security Policy was released by the DIT in March 2011 for public consultation. The draft policy has been aimed to enable secure computing environment and adequate trust and confidence in electronic transactions. The draft policy tries to lay out the cyber security ecosystem for the country. It covers the following:

Based on the key policy considerations and threat landscape, the draft policy identifies priority areas for action

Identifies PPP as a key component

Identifies key actions to reduce security threats and vulnerabilities

Establishment of a National Cyber Alert System for early watch and warning, information exchange, responding to national level cyber incidents and facilitating restoration

Defines role of sectoral CERTs and establishment of local incident response teams for each critical sector organization

Implementation of best practices in critical information and government infrastructure protection through creation, establishment and operation of Information Security Assurance Framework

Establishes framework for Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism

Identifies priorities for action for legal framework and law enforcement capability development

Defines priorities for international cooperation for information sharing

Identifies indigenous Research & Development as an essential component of cyber security and enlists thrust areas for R&D

Identifies major actions and initiatives for user awareness, education, and training (capacity building)

Defines responsible actions for network service providers, large corporates and small/medium & home users to secure information and systems

Identifies various stakeholders (ministries and government departments only) in cyber security and their responsibilities

The final version of the National Cyber Security Policy, post public consultation, is yet to be announced by the government.

3.4.2 Triad of Policies to drive a National Agenda for ICTE

The Ministry of Communications and Information Technology (MCIT), Government of India, is formulating a combination of three interdependent and synergistic policies for IT, Telecom and Electronics - “Triad of Policies to Drive a National Agenda for Information & Communications Technology and Electronics (ICTE)”. The three policies are as below:

National Policy on Electronics, 2011

National Policy on Information Technology, 2011

National Telecom Policy, 2011

The integrated policy has twin goals:

To facilitate the application of new, technology-enabled approaches to overcome developmental challenges in education, health, skill development, employment generation, financial inclusion, governance etc. and to enhance efficiency, convenience and access; and

To harness the power and capability of India in ICT to meet global demand

All the three draft policies address cyber security, in line with the draft National Cyber Security policy. From a cyber security perspective, the focus of the triad policies is on indigenous development of ICT products, services and techniques to reduce dependence on imports of such products for national security reasons. These draft policies include the following policy items on cyber security:

National Policy on Information Technology, 2011

Compliance to international security best practices and conformity assessment (products, processes, technology and people) and creation of incentives for the same

Indigenous development of suitable security techniques & technology

Creation of a culture of cyber security

To create, establish and operate an ‘Information Security Assurance Framework’

National Telecom Policy, 2011

Regulate telecom service providers to take adequate security measures by adopting contemporary security standards

Provide communication assistance to LEAs. Develop and deploy a state of the art system for providing assistance to LEAs

Create an institutional framework to ensure that safe-to-connect devices are inducted into the telecom network

Build national capacity in all areas including security standards, security testing, interception and monitoring capabilities and manufacturing of critical telecom equipment

Provide preferential market access for domestically manufactured products to address the security needs of the country

Undertake a comprehensive review of critical issues such as encryption, security, privacy, interconnection, etc. keeping in view emerging technologies and unique needs of the sector

Adopt best practices to address the issues related to cloud services and Machine-to-Machine (M2M), for example privacy, network security, law enforcement assistance, inter-operability, preservation of cross-border data flows to promote a global market for India

Mandate testing and certification of all telecom products for conformance, performance, interoperability, health, safety, security

Indigenously manufactured multi-functional SIM cards with indigenously designed chips incorporating specific laid down standards are considered critical

Promote creation of robust, reliable and resilient communication networks

Develop a rational criterion for sharing of costs beyond a threshold limit between government and the service providers in implementing security measures

National Policy on Electronics, 2011

The priorities for action are design and develop indigenous appropriate products through frontier technology/product oriented research, testing & validation of security of products

Provide preferential market access for domestically manufactured/designed electronic products to address the security needs of the country


3.5. Cyber Security Initiatives

Government and industry have taken various initiatives in cyber security. However, much more needs to be done in this area. Major initiatives are summarized below:

3.5.1. Government Initiatives

CERT-In

The Government set up the Indian Computer Emergency Response Team (CERT-In) under DIT, MCIT in 2003 as a nodal agency for responding to cyber security incidents. The IT (Amendment) Act, 2008, recognizes CERT-In as a nodal agency for security incident management and provides it the authority to call for information on security incidents from organizations. CERT-In, through a dedicated infrastructure, collects, analyzes and disseminates information on cyber security incidents. It monitors and investigates threats that affect computer systems and forecasts and generates alerts for cyber security incidents. It collaborates internationally for the incident response, tracks incidents affecting both public and private sector and issues security guidelines and advisories on vulnerabilities. It provides technical assistance to organizations in resolving security incidents. It has helped establish sectoral CERTs in defence and banking sectors. To test preparedness of organizations operating critical information infrastructure, CERT-In conducts cyber security drills in partnership with the public and private sector. To help LEAs solve cyber crimes, CERT-In has developed standard operating procedures for cyber crime investigations. It organizes regular trainings and funds research and other projects in security to academic institutes and industry. It also engages with its counterparts in other countries for increased collaboration and information sharing. CERT-In has developed the 12th five year plan on cyber security. Following figure summarizes the responsibilities of CERT-In:

Information Security Education and Awareness

To address the shortfall of cyber security professionals in the country, DIT initiated the Information Security Education Awareness (ISEA) program in 2005. This program aims at building the capacity by introducing information security courses at graduate, post-graduate and doctoral levels, establishing education exchange programs, training system administrators and government officers and spreading awareness on cyber security in the country. The current status of this program can be found at ISEA’s website.28

LEA Capacity Building Programs

To address the challenges that Indian LEAs face in handling cyber crimes such as poor knowledge of technology and cyber crime investigation techniques/tools and cyber forensics, lack of state-of-the-art technical infrastructure, insufficient training facilities & forensics labs in the country, government has taken some key initiatives. These initiatives are aimed at building the capacity of LEAs in cyber forensics and cyber crime investigation to curb rising cyber crimes and ensure speedier trials. Ministry of Home Affairs (MHA) will be launching the Cyber Crime Investigation Program (CCIP), which will establish a Cyber Crime Police Station and a Cyber Crime Investigation and Forensic Training Facility in each State and Union Territory, and a central National Centre of Excellence for Cyber Forensics Services. The CCIP has been conceptualized based on the detailed project proposal submitted by DSCI. The program will create a network of cyber police stations across the country, equipped with state-of-the-art technology and well trained police officers, which can collaborate to benefit from each other’s experiences. The National Centre of Excellence will act as the guiding force, providing thought leadership to the Cyber Crime Police Stations and Cyber Crime Investigation and Forensic Training Facilities by conducting advanced research & development. This initiative will have active support of the industry through DSCI and NASSCOM-DSCI will act as the knowledge partner of MHA for this program.

Under the Directorate of Forensic Science, under MHA, three Central Forensic Labs (CFSLs) have developed capabilities in cyber forensics. Also, there are 28 State Forensic Labs (SFSLs) that are acquiring capabilities in cyber forensics techniques and skills. Resource Centre for Cyber Forensics (RCCF) at Thiruvananthapuram, Kerala under Centre for Development of Advanced Computing (CDAC) has been established to develop cyber forensic tools and to provide technical support and necessary training to LEAs in the country.29

Security in e-Governance projects

The National e-Governance Division (NeGD), under DIT, is the Program Management Office of NeGP. Among its various activities, including facilitating implementation of NeGP by various Ministries and State governments, the agency is also responsible for issuing cyber security and data security standards and guidelines for all the e-Governance projects under NeGP. For securing e-Governance projects, Standardization Testing and Quality Certification Directorate (STQC) has developed e-Governance Security Assurance Framework (e-SAFE), which provides list of security controls based on the risk categorization of particular assets.

Common Criteria Certification Scheme

This scheme has been set up by DIT to evaluate and certify IT Security Products and Protection Profiles against the requirements of Common Criteria Standards ver 3.1 R2, at Evaluation Assurance Levels EAL 1 through 4. Presently, the scheme provides national certification. The scheme would also provide a framework for international certification through the National Mutual Recognition Arrangement with the other member countries of Common Criteria Recognition Arrangement (CCRA). Along with 24 other countries, India has already become a member of CCRA as a certificate consuming nation and soon will be recognized as a certificate producing nation. STQC is a certification body of the country with STQC IT, Kolkata centre as the Common Criteria Test Lab.30

Sectoral Security

Critical sectors such as banking and telecommunication are strongly regulated through Reserve Bank of India (RBI) and Department of Telecommunications (DoT)/Telecom Regulatory Authority of India (TRAI) respectively. The regulators keep issuing security guidelines, mandating the companies to implement the same. For example, RBI constituted a working group on ‘information security, electronic banking, technology risk management, and cyber frauds,’ which provided a set of guidelines to banks, covering areas such as IT governance, information security (including electronic banking channels like Internet banking, ATMs, cards), IT operations, IT services outsourcing, information system audit, cyber frauds, business continuity planning, customer education and legal issues. These guidelines serve as a common minimum standard for all banks to adopt.31 DoT made amendments to the Unified Access Service License Agreement (UASL) in 2011, incorporating security related measures and made the Licensee (Telecom Service Providers) “completely and totally responsible for security.”

28 http://www.isea.gov.in/isea/isea/currentstatus.jsp

29 http://www.dsci.in/sites/default/files/India-Building%20an%20New%20Ecosystem_Vinayak%20v4.pdf

30 http://www.commoncriteria-india.gov.in/Pages/CCSOverview.aspx

3.5.2. NASSCOM and DSCI Initiatives

NASSCOM Trusted Sourcing Initiative

To promote India as a trusted outsourcing destination, NASSCOM initiated a 4E initiative for outsourcing industry for promotion and enforcement of security. It relies on Engagement with all stakeholders involved, Education of service providers, Enactment to create a policy environment, Enforcement of standards and constant checks. This initiative resulted in establishment of:

DSCI as a Self-Regulatory Organization with a vision to harness data protection as a lever for economic development of India through global integration of practices and standards conforming to various legal regimes. To achieve this vision, DSCI works closely with the Indian government, foreign governments, regulators, industry, clients, LEAs, think tanks and academic institutes in the areas of public advocacy, thought leadership, capacity building, cyber crime investigations and dispute resolution.

Cyber Labs Program under which Cyber Labs were established in four major cities to build capacity of LEAs by training police officers in cyber crime investigations and cyber forensics.

National Skills Registry (NSR) to build a robust and credible information repository on the knowledge professionals in the IT/BPO sector via background checks and verification

Worldwide Cyber Security Summit

NASSCOM and DSCI have partnered with EastWest Institute (EWI) - a global think-and-do tank to host the 3rd Worldwide Cyber Security Summit in New Delhi on October 30-31, 2012. It will be India’s first major international summit of cyber security experts from government, business, technology and civil society from around the world. The summit process will comprise forming three high-level working groups of Indian and international experts, each taking on a crucial cyber security issue. One group will develop ways to secure the global ICT supply chain. Another will focus on agreements, standards, policy and regulations to secure the increasing share of our digital world powered by cloud computing. The third will focus on payload security. The first two working groups will be led by NASSCOM and DSCI.

31 http://www.rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=23789


DSCI Initiatives

Since its inception, DSCI has developed strong linkages with the Indian government, industry and global think tanks and provided platforms to bring all the stakeholders in cyber security together for discussing cyber security issues and solutions. It has emerged as a thought leader in cyber security – DSCI has developed best practices in data security and data privacy, published studies and surveys, contributed in development of global standards/ frameworks, represented India at various international forums, trained Indian LEAs and provided advisory/ policy inputs to government/ industry. It has strengthened the government-industry interactions and has developed the operational capability to deliver cyber security projects in PPP mode. Following are some of the major initiatives undertaken by DSCI:

DSCI Security Framework: To overcome the checklist based and compliance based approach to security which fails to address the evolving threats, DSCI has developed DSCI Security Framework (DSF) which focuses on bringing dynamism in security. It is an improvement over existing security standards and frameworks as it enables an organization to focus on real threats in its environment, without worrying about compliance. It enables assessment of organization’s maturity in implementing security in different areas with a view to continually improve the same. Such an assessment further helps organization draw a strategic plan based on evolution of different disciplines of security, and their interdependencies, with continuous focus on protecting data. DSCI is promoting the implementation of DSF in the industry. DSCI has also developed DSCI Privacy Framework (DPF) which helps organizations design, implement and monitor privacy program.

LEA Capacity Building Programs: Augmenting NASSCOM’s efforts to build the capacity of LEAs in India, DSCI has expanded the Cyber Labs program. Presently, 4 out of 8 cyber labs have been funded jointly by DIT, respective state and DSCI. Through these labs over 9,000 police officers and other officials in the LEAs, including judiciary and public prosecutors for investigation and prosecution of cyber crimes, are being trained annually. The knowledge developed, over a period of time, has been systematized in the Cyber Crime Investigation Manual and distributed to police stations across India. Based on its experience of running cyber labs, DSCI submitted a detailed project report to the MHA, which has been accepted by the ministry and the program will be extended to the entire country in the form of CCIP. This initiative will have active support of the industry through DSCI and NASSCOM. The DSCI core team on cyber forensics will liaise with the National Centre of Excellence (CoE), and contribute knowledge inputs to all their areas of work; it will mentor and guide the State agencies to operationalize the cyber crime police stations and training centres. DSCI will track cyber crimes, cyber forensic tools, emerging curricula, conferences and other developments to continuously develop the training material and update the content.

DSCI Excellence Awards: To reward organizations and individuals who have shown a high level of preparedness and have excelled in the area of information security, DSCI has institutionalized the DSCI Excellence Awards. Among various categories, it also has the India Cyber Cop Award category to recognize, reward and honour a police officer who has done the most outstanding investigation in solving a cyber crime, to encourage the police officers who have put in extra efforts to learn cyber forensics to solve cyber crimes.

DSCI Chapters: To create a network of security professionals in the country, DSCI has established ‘DSCI Chapters’ across major cities in India. Presently, over 1200 security professionals are connected together through these chapters. The chapters provide a platform to security professionals in India to collaborate and share best practices. It also provides a mechanism for DSCI to engage with the security experts in the country.

Cyber Security Awareness Program: Under the DIT-NASSCOM funded Cyber Security Awareness Program (Nov’08 – Dec’10), DSCI conducted Cyber Security Awareness Campaigns across the country, published Security Surveys and Publication, conducted Training for over 700 government officials, developed Computer based Trainings, developed a national security portal, among other activities.


4. Key Learning and Imperatives for India

Cyber security is a global problem, requiring mobilization of action both at national and international levels. Study of cyber security initiatives of different countries, especially the US, reveals how nations are grappling with the challenges of cyber security. Though the cyber security problem is a common thread, the approaches taken by nations to address this problem may vary depending on various factors including national priorities, level of dependency of nation’s critical infrastructure on technology, penetration of technology in citizens’ daily lives, number of major cyber related incidents in the past, etc. And yet there are some common trends in cyber security which are emerging worldwide, especially in democratic and progressive countries. Nations such as the US have been spearheading cyber security efforts for a fairly long time and the lessons learnt by such nations provide valuable inputs to other nations such as India, which are starting to ramp up their cyber security initiatives. But even today, nations like the US are not fully secured. They are getting repeatedly attacked. In the year 2011 alone, NASA witnessed 13 major breaches, which NASA said could compromise US national security.32 This shows the seriousness and magnitude of the cyber security problem, which is difficult to contain despite phenomenal efforts and investments, as made by the US.

Nations are at a crossroads and there are a lot of cyber security policy related discussions and debates taking place around the world, and India, in its own context, can learn from these when finalizing its national cyber security policy. This report tries to capture such global developments and through its recommendations, presents the priority policy action items for the government.

4.1 Key Learning for India

4.1.1 Cyber Security – A Top Government Priority

There is a growing realization that cyber security is getting increasingly linked to national security and therefore nations are treating cyber security as a national priority. Consequently, the positioning of the cyber security office/function is being done at the highest level within the government to give cyber security initiatives the required impetus and help to address inter-agency concerns to improve coordination, given the multi-stakeholder involvement required to address cyber security. Internationally, cyber security has been designated as one of the US President’s key management priorities and a cyber security coordinator has been appointed in the White House; in the United Kingdom, the Office of Cyber Security and Information Assurance reports to the Cabinet; in Australia, the lead agency for cyber security reports to the Prime Minister’s Office.

4.1.2 Critical Information Infrastructure Protection – Regulate versus Incentivize

From a national security perspective, security of critical information infrastructure is a top priority of the governments. Government of India too has identified such critical information infrastructure, namely Defence, Finance, Energy, Transportation and Telecommunications. National Security has traditionally (for air, land and sea) been the sole responsibility of the governments. But as the world has moved into the information age, with increased dependence on information infrastructure for production and delivery of products & services, the new responsibility of securing the critical information infrastructure against the rising number of cyber attacks has come within the ambit of national security. This new responsibility, however, does not lie solely with the government; private sector has a major role to play since more than 80% of the critical information infrastructure is owned and operated by the private sector. However, private sector’s investment in security is driven by business requirements and not by national security concerns. So how can government intervene? By incentivizing or regulating the private sector? Though strong and effective PPPs are obviously essential, such questions need to be debated and discussed in detail.

32 Source- Reuters

US policy focus since the Clinton Administration (1998) has been on voluntary PPP and information sharing, with a market driven approach to address the problem of critical infrastructure protection. The policy has emphasized assessing available alternatives to direct regulation, including providing economic incentives to encourage the desired behaviour, and regulating only in case of market failure. However, this US policy approach has been criticized primarily for the following three main reasons:33

underestimating antitrust, liability and competition related issues in information sharing by private organizations;

undermining issues in sharing of classified information by the government with the private sector; and

wrongly assuming that organizations will take action if they are made aware of the threats.

The existing policy approach, advocates believe, fails to understand that the market forces cannot deliver the required investments and efforts for ensuring public safety and national security – voluntary efforts will always be inadequate. To this extent, the cyber security legislation proposal released by the US government last year focuses on improving cyber security for the citizens, critical infrastructure, and the Federal government’s own networks and computers. For critical information infrastructure protection the proposal aims at establishing a regulatory framework to enhance cyber security of critical infrastructure which includes: owners and operators of critical infrastructure to develop cyber security plans; third party audit of the cyber security plans and reporting to Security & Exchange Commission of the US. Also, to improve voluntary information sharing, it provides industry, state and local governments the required immunity to share cyber security related information with the Department of Homeland Security.

So which approach should India take? Regulate or incentivize the private sector? Though regulations are necessary they should not add to cost without necessarily improving security of critical information infrastructure. Too much of government intervention through regulations can also undermine business innovation; it can make it uncompetitive. The better approach would be to incentivize the private sector to invest in security beyond what is required by business requirements through appropriate instruments such as the government funding, tax reliefs, awards & recognition, liability protection, cyber insurance, etc. Only when such market driven approach fails, should the government think of bringing light weight legislation for critical information infrastructure protection that is developed in partnership with the industry.

4.1.3 ICT Supply Chain Risks – Foreign versus Indigenous

There is a growing trust deficit in the global ICT supply chain. Countries fear that their adversaries could plant attack vectors in the imported ICT products and services which could be used against them. Many countries, including India, are responding to this threat by emphasizing development of indigenous ICT products and services especially for critical sectors and government departments, even though the Internet technology and services are the result of global innovation, and the laissez faire spirit is spawning new products, services and companies – which is required for continued growth of economies. The Indian draft National Telecommunication Policy reflects India’s approach to the ICT supply chain problem - “To provide preferential market access for domestically manufactured products with special emphasis on Indian products for which IPRs reside in India to adequately address the strategic and security needs of the country consistent with international commitments.” The US policy, on the other hand, emphasises building global and national capabilities to address supply chain risks without undermining the international competitiveness and legitimate trade flow:

Understand threats, vulnerabilities, and consequences associated with acquisition decisions

Develop and employ tools to technically and operationally mitigate risk across the lifecycle of products

Develop new acquisition policies and practices that reflect the complex global market place

Develop partnership with industry to develop and adopt supply chain and risk management standards and best practices

33 Cybersecurity Two Years Later: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency

India should be able to mitigate security risks arising from procurement of ICT products especially from foreign vendors and yet take full benefits from the global supply chain that includes access to world class products, services and expertise at competitive prices. Giving preference to domestic vendors for national security reasons may not be the right policy direction, primarily for two reasons. Firstly, deploying domestically developed products may not necessarily reduce the supply chain risks, since these need to be tested globally in real life environment. Secondly, if other countries take such an approach to this problem, it will adversely impact India’s outsourcing industry, which will be set to lose out to domestic companies in such countries. Therefore, to effectively address such risks without affecting business competitiveness and country’s image as a promoter of global trade & market, India should build its capacity to mitigate ICT supply chain risks.

4.1.4 Encryption – National Security versus Economic Growth

Use of strong encryption is a must for fostering trust in electronic transactions and to ensure continued growth of e-Commerce, e-Governance, etc. However, India’s telecom policy allows only 40 bit encryption, primarily because the Indian LEAs have the capability to ‘break’ such level of encryption strength. Though section 84A of the IT (Amendment) Act, 2008 has the provision to prescribe encryption strength - “The Central government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption”, the same has not been notified. Lawful interception is a genuine national security requirement, given the increased usage of technology by criminals and terrorists. At the same time, encrypted communication is a must for economic growth of India. Not allowing strong encryption usage in the country in the interest of national security (terrorists are using strong encryption anyway, since products are freely available online) does not enhance security; it only hampers the growth and progress of the country. Other countries are responding to this challenge by building lawful interception capabilities, without restricting use of strong encryption for legitimate purposes. In the United Kingdom, for example, a ‘National Technical Assistance Centre’ has been established to perform research in encryption and cryptanalysis to build interception capabilities. A ‘Cryptologic Support Group’ exists within the National Security Agency in the US. Recently, the NSA opened a new ‘Cryptologic Centre’ in Georgia, US which will “provide cryptologic professionals with the latest state-of-the-art tools to conduct signals intelligence operations, train the cryptologic workforce, and enable global communications.”34 A similar centre needs to be established in India to cater to national security requirements without hindering economic growth. To facilitate technology enabled economic growth by building similar lawful interception capabilities without putting restrictions on use of strong encryption is the way ahead for India.

34 http://www.nsa.gov/public_info/press_room/2012/new_facility_georgia.shtml

4.2. Imperatives for India

Cyber security is a complex global issue and requires collaboration at all ends. Indian government and organizations need to take global leadership in cyber security as there is a lot at stake for us as a nation. We need to have a robust cyber space - our government, businesses, LEAs, residents, etc., must build capabilities to address the challenges of cyber security through development & implementation of robust security practices, establishing an efficient & effective national model for coordination & intelligence sharing, leveraging the strengths of public and private sectors through PPP initiatives, building capacity of LEAs and judiciary in cyber crimes & forensics, strengthening international linkages, conducting path breaking research in cyber security, imbibing the culture of security in our daily lives through continuous education and awareness and creating world class security workforce. Detailed recommendations around each of the areas identified in the figure below have been provided in the next section of this report.

5. CSAG Recommendations

5.1. Key Recommendations

1. Create a National Structure for Cyber Security35

The Indian government should lay down a well structured and positioned organization for designing, implementing, driving, monitoring and coordinating cyber security initiatives in the country. The structure should enable effective and efficient decision making which involves consultation across multiple stakeholders – policy makers, various ministries, state governments, defence, intelligence, LEAs, private sector among others. The structure should clearly define roles and responsibilities for every stakeholder, establish coordination and information sharing mechanisms, focus on building PPP models and create environment for enhancing trust between the industry and government.

Given the increasing linkage between cyber security and national security and the involvement of multiple stakeholders, it is very crucial that the cyber security in India is positioned at the highest level within the government. This will give cyber security the much needed impetus and will help address inter-agency concerns and improve coordination.

2. Design and Implement a Competency Framework for building a competent and adequate Cyber Security Workforce

India has a dearth of cyber security manpower required to defend corporate and government ICT infrastructure and this shortage is expected to grow in future as the digitization of processes increases, resulting in increased number of cyber attacks and crimes. To prepare for the future, a competent cyber security workforce needs to be created. To start with, a Competency Framework should be created and implemented that assesses the security skills requirements, identifies existing gaps & challenges, defines competency areas across different security roles (leaders, auditors, managers, administrators, developers, etc.) and devises strategies and programs for building the capacity such as security certifications, cyber security courses and specialization in schools, graduate and post graduate programs, career path in government, etc.

35 A proposed National Structure for Cyber Security has been detailed in the Appendix of this document

3. Create and Maintain an Inventory of Critical Information Infrastructure

An inventory of Critical Information Infrastructures in the country should be created and maintained. The inventory could capture various characteristics of the critical information infrastructure such as sector mapping, location, make & model, hardware & software details, owner, custodian, interdependencies, Internet exposure, etc. Such an inventory will provide the required visibility over the critical information infrastructure in the country and will help prioritize deployment and monitoring of the protection measures. In case of a cyber attack/ crisis, such an inventory will prove instrumental in determining its possible impact and relevance on different information infrastructures and containing the attack. However, maintaining (keeping it up-to-date) such an inventory at the national level is a herculean task, and therefore the process of collation and maintenance needs to be automated through an efficient system, which can be accessed over a secure network.

In addition to building the critical information infrastructure inventory, a Digital Architecture for each critical sector should be created and analyzed. This digital architecture of each critical sector will help develop a Sector Profile from a security perspective that can provide a ‘top level’ view of a sector and thus enable government / regulator/ industry to understand the sector specific security issues and take appropriate measures for addressing such issues.

4. Establish a Centre of Excellence for Best Practices in Cyber Security

“Compliance with particular standards or guidelines does not demonstrate that a company’s security practices are adequate across the board. While voluntary adoption of best practices would not supplant existing regulatory enforcement regimes, greater adoption of best practices would likely significantly improve security beyond the baseline required by existing law.”36

The statement above very appropriately highlights the importance of development, collation, sharing and implementation of security best practices in organizations especially those owning and operating critical information infrastructure.37 Though standards and regulatory prescriptions are definitely required, the problem arises when organizations start channelizing investments and resources to demonstrate compliance to standards and regulations instead of addressing the real risks. Taking the best practices approach better equips organizations to respond to evolving & perennial threats. It helps organizations align their security initiatives to the security technology and services market evolution and benchmark against peers.

The best practices enable organizations:

- to focus on real threats in their environment instead of creating extensive documentation
- to assess organization’s maturity in implementing security in different areas with a view to continually improve the same
- draw a strategic plan based on evolution of different disciplines of security, and their interdependencies, with continuous focus on protecting data

To institutionalize the development, sharing, collation, distribution and implementation of best practices, a Centre of Excellence for Cyber Security should be established. This centre will build a national knowledge repository on cyber security. The best practices could be specific to a sector (e.g. energy, transport), technology/ system (e.g. Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controller (PLC)), process (e.g. patch management), discipline (e.g. application security), etc.

36 Cybersecurity, Innovation and the Internet Economy, The Department of Commerce, Internet Policy Task Force

37 PricewaterhouseCoopers, The Global State of Information Security, found that ‘organizations that followed best practices had zero downtime and zero financial impact, despite being targeted more often by malicious actors.’

5. Establish a National Threat Intelligence Centre for Early Watch and Warning

Information sharing on cyber threats, vulnerabilities, cyber incidents / attacks is one of the most critical elements of cyber security. To facilitate information sharing and situational awareness across different stakeholders – industry to industry, government to government, government to industry, intelligence-government, intelligence-industry, intelligence-LEAs, etc., an Information sharing environment should be created by establishing a National Threat Intelligence Centre (NTIC), enabled by a real time 365X24X7 network, wherein different stakeholders can access the information through a secure connection, based on the authorization granted. The NTIC should integrate all the existing information sources such as sectoral CERTs, intelligence bodies, security alerts issued by security vendors, threats seen by critical sectors and industry to enable cross-domain awareness and a comprehensive view of cyber threats at a national level. NTIC may also be given the responsibility of closing botnets, phishing sites, etc. through a lawful process.

6. Build Capacity of the Law Enforcement Agencies in Cyber Crime Investigations and Cyber Forensics

To curb the increasing number of cyber crimes and ensure speedier trial of cyber crimes, LEAs need to build their capacity in cyber crime investigation and cyber forensics. Presently, Indian LEAs face the following challenges in handling cyber crimes:

- Poor knowledge and awareness of technology
- Poor knowledge of cyber crime investigation techniques / tools and cyber forensics
- Insufficient training facilities in the country
- Insufficient cyber forensic labs in the country
- Poor awareness of IT (Amendment) Act, 2008
- Lack of state-of-the-art technical infrastructure
- Lack of a national LEA network for collaboration in solving / preventing cyber crimes

To overcome the above challenges, the LEAs and the industry need to collaborate and invest in establishing training centres across the country. NASSCOM and DSCI with the help of the government have established such facilities in eight major cities in the country through the Cyber Labs program. Such initiatives need to be further augmented with active participation from government, industry and the LEAs.

7. Build Lawful Interception Capabilities for Balancing National Security and Economic Growth

The Indian Law Enforcement and Intelligence Agencies should build lawful interception capabilities to monitor electronic communications including encrypted communications in real time. Lawful interception is a genuine national security requirement, given the increased usage of technology by criminals and terrorists. At the same time, encrypted communication is a must for economic growth of India as it fosters trust in electronic transactions including e-commerce, e-governance, online banking, etc. Not allowing strong encryption usage in the country to fulfill national security concerns will hamper the growth and progress of the country. Instead, the Indian Law Enforcement and Intelligence Agencies should build capabilities in cryptanalysis & encryption technologies. For this purpose, a National Centre for performing research in encryption and cryptanalysis to build interception capabilities should be established in India. Such a centre will help to cater to national security requirements without hindering economic growth.

8. Establish a Centre of Excellence for Cyber Security Research

A Centre of Excellence for Cyber Security Research should be established to develop solutions that will protect country’s information infrastructure in the future. This centre will work closely with the government, industry and academia to (not limited to):

- Identify critical research needs
- Identify gaps in present research initiatives
- Align existing research initiatives
- Define the research roadmap / agenda for near, medium and long term
- Allocate research work to various interested agencies based on their capabilities
- Allocate funds and resources
- Monitor progress
- Ensure application of research in real world scenario (market driven research)
- Promote development of indigenous security products and services for the global market
- Coordinate between government, industry and academia

9. Set up Testing Labs for Accreditation of ICT Products to Manage ICT Supply Chain Risks

Testing Labs for accreditation of ICT products that are to be deployed in critical sectors should be established across India. Through these labs, the country should be able to mitigate security risks arising from procurement of ICT products especially from foreign vendors and yet take full benefits from the global supply chain that includes access to world class products, services and expertise at competitive prices. Giving preference to domestic vendors for national security reasons may not be the right policy direction, primarily for two reasons – Firstly, deploying domestically developed products may not necessarily reduce the supply chain risks, since these need to be tested globally in real life environment. Secondly, if other countries take such an approach to this problem, it will adversely impact India’s outsourcing industry, which will be set to lose out to domestic companies in such countries. Therefore, to effectively address such risks without affecting business competitiveness and country’s image as a promoter of global trade & market, India should build its capacity to test ICT products through testing labs. Also, active participation should be taken in the ongoing global efforts for mitigation of ICT supply chain risks.

10. Establish a Cyber Command to defend the Indian Cyberspace

India should recognize cyberspace as the fifth domain after land, sea, air and space that the country needs to defend. For this purpose, a Cyber Command38 within the defence forces with cyber warfare capabilities should be established. Appreciating that cyberspace is offense dominant, the Cyber Command should be equipped with defensive and offensive cyber weapons, and manpower trained in cyber warfare. The command needs to build capabilities in countering cyber espionage, and deny the enemy any benefits if it succeeds in breaking defences.

38 Some countries around the world including US, South Korea have already established and others are in the process of establishing such command centres.

5.2. Additional Recommendations

Critical Information Infrastructure Protection

1. Each critical sector, through appropriate PPP, should develop and implement a Sectoral Critical Information Infrastructure Protection Plan which should include Risk Management Framework, Mitigation Plan, Incident Response, Crisis Management, Education & Awareness, etc. along with clearly defined responsibilities and implementation deadlines. These sectoral plans should be based on a National Critical Information Infrastructure Protection Framework, which aligns different sectoral plans to meet cyber security requirements of the country. Through sectoral specific plan, it will be possible to address the sector security requirements, nature and complexity of operations, security maturity, challenges, technology adoption, applicable laws and regulations, past incidents and trends, etc.

2. A zero tolerance audit process should be established for critical information infrastructure, to ensure that no risks are accepted in critical sectors, as even a single vulnerability, if left unaddressed, can be exploited by adversaries. Critical information infrastructures such as SCADA and PLC systems should be tested regularly to find vulnerabilities in such systems.

3. Consolidate government networks for better security by deploying common robust security solutions, facilitating the reduction of external access points, establishing baseline security capabilities and centralized monitoring.

4. Government should subject its infrastructure to independent third party security audits and testing regularly, given the rising number of cyber attacks against government infrastructure. This will help in the early identification of vulnerabilities and taking corrective actions well in time. It is important to realize that the national infrastructure including government infrastructure is exposed in cyber space and it is better to get audited by a competent external agency, howsoever damaging the findings may be, than being easily attacked by cyber criminals or non-state actors.

Best Practices

5. Promote adoption of security automation protocols to enable efficient and accurate collection, correlation, and sharing of security relevant information including software vulnerabilities, system configurations and network events across disparate systems including government, industry, critical sectors, etc.

Early Watch and Warning System

6. Develop and implement a regularly tested National Cyber Incident Response Plan that establishes a strategic framework for institutional roles & responsibilities, and actions to prepare for, assess, respond to and coordinate recovery from a cyber incident. Such a plan will ensure a unified and well coordinated response to a cyber incident.

7. Create a National Vulnerability Database and a National Cyber Threat Database and correlate them to provide effective guidance to critical sectors on cyber risks at a national level. Such a mechanism will optimize organizational efforts on risk management and more importantly provide the much needed risk intelligence from a central authentic source.

8. Authorize an agency for monitoring critical information infrastructure networks through Intrusion Detection & Prevention Systems or other mechanisms to enable proactive defence and collation of threat related data across networks to generate threat intelligence. However, adequate steps should be taken to ensure that privacy and civil liberties are not compromised in such surveillance.

9. Consolidate Internet gateways for better monitoring including identification and curbing of malicious activities at the gateway level to enable proactive defence and optimization of security efforts.

10. Promote security testers community to share existing vulnerabilities in critical information infrastructure. There are a lot of youngsters, known as ethical hackers, in the country who have passion for security and want to contribute in country’s cyber security initiative. It is in the interest of the country to tap this talent pool by offering them incentives and legal protection.

Education & Awareness

11. Celebrate National Cyber Security Week for increasing public awareness on cyber security through radio, print, TV, social media, conferences, etc. Given the increasing importance and dependency on technology esp. the Internet on citizens’ daily lives, ongoing education and awareness through various media is a must.

12. Fund / Incentivize not-for-profit organizations / NGOs running cyber security awareness campaigns. Through such NGOs a national network for spreading cyber security awareness can be created, to ensure better public outreach and awareness. Some of them could be used as the extended arms of the government through institutionalized arrangements.

13. Create National Centres of Excellence in cyber security education & research in leading universities in India to promote graduate and post graduate level research and development in cyber security and to address evolving cyber security problems / needs of the government and industry.

Legal Capability Development

14. Establish a separate cadre in LEAs for cyber crime investigations, as such investigations require a specific set of skills and orientation. Aspirants only from technical background such as engineering should be made eligible for joining this cadre. In the defence forces, for example, technical arms such as Signals only recruit aspirants from technical background.

15. Develop a platform such as a cyber cop portal for real time collaboration and coordination between LEAs across the country. Such a portal could be made accessible through a secured connection. Through such a platform, LEAs across India could share best practices, post queries and problems, share latest techniques and tools, share information about cyber criminals and crimes, etc. Such a portal can augment the efforts for building the capacity of LEAs through efficient and effective information sharing.

16. Compile and share cyber crime cases and judgments across the globe and in India within the Indian LEA and judiciary community for better understanding on global practices and procedures, laws & regulations, investigation techniques, nature, characteristics & handling of cyber crimes, etc.

17. Take effective steps to efficiently operationalize Mutual Legal Assistance Treaty (MLAT) with maximum possible number of countries. This will help in expediting the prosecution of cyber criminals, by increasing collaboration and information sharing with LEAs of other countries and reducing the legal and procedural delays in cyber crime investigations.

18. Actively participate in international efforts on framing conventions, agreements, laws and collaboration mechanisms on curbing cyber crimes. Given the global nature of cyber crimes, it is impossible for any particular country alone to curb cyber crimes. India, having a huge stake in cyber space, needs to ensure that its interests are represented at such international forums.

19. Establish Memorandum of Understanding (MoU) with the LEAs of other countries to learn global best practices. LEAs of many advanced countries have made significant progress in handling cyber crimes. India has started to develop its capabilities and can immensely benefit from the practices followed by LEAs and learning of other such countries.

Assurance in ICT Supply Chain

20. Establish a National Strategy for managing the ICT Supply Chain risks, which should focus on streamlining/ standardizing security related aspects of the procurement processes in government and critical sectors, integrated risk management approach, international collaboration, coordination & collaboration within government and between buyers and suppliers among other factors.

21. Encourage development of secure products and services through government procurement policy. Given the amount of investment expected to be made on ICT Infrastructure in e-Governance projects in India (around USD 10 billion), the government should lay emphasis on robust security design, security features, etc. in the products and services it plans to procure. This will incentivize the industry to invest in security by creating security as a differentiator in project bids.

22. Create an Information Assurance Analysis Centre with the help of private sector to study information assurance issues in existing and emerging technologies. Given the ever evolving technology landscape, such a centre will help proactively identify the underlying security and privacy risks and how these risks can impact the critical information infrastructure of the country.

23. Establish a Software Assurance Program to reduce software vulnerabilities by encouraging software developers to raise the standard on software quality and security. The emphasis should be on conceptualizing, planning and embedding security in the product / service design phase itself, as presently security, in most cases, is an afterthought. If this proactive approach is adopted, it will considerably reduce the number of vulnerabilities in ICT products and services, making it difficult for cyber criminals to launch cyber attacks, conduct cyber frauds, etc.

24. Improve and augment security assurance by working with the private sector through mechanisms such as establishing a rating framework against which security products and services can be rated on various maturity levels of security. This approach will help make security a market driven phenomenon by creating distinction between various products from security perspective.

25. Participate actively in international efforts to mitigate global supply chain risks such as Common Criteria Recognition Arrangement (India is already a member). Such efforts are aimed at establishing increased level of assurance in ICT products and services, which can be accepted internationally and opposing creation of non-tariff barriers by making it difficult for foreign companies to access domestic markets. India has a huge stake in such initiatives because of its booming outsourcing industry which serves the global market and the domestic industry which leverages global ICT products and services for increased digitization.

Cyber Warfare

26. Define cyber warfare policy, objectives, doctrines, rules, etc. that lay down offensive and defensive contexts and actions, capability development, roles and responsibilities of different agencies, coordination and collaboration mechanisms, etc.

27. Expand cyberspace cooperation with allies and partners to increase collective security - participate actively in international efforts for establishing global watch and warning system and mechanism for sharing cyber threat intelligence. Also, build and enhance existing military alliances to confront potential threats in cyberspace.

28. Create and implement standards and best practices to secure military networks in partnership with the private sector, which has developed the required expertise and capability by managing majority of the critical information infrastructure over the years. Also, establish ‘.mil’ domain, and operate it professionally for email, and hosting of military server.

6. Public-Private Partnerships in Cyber Security and Role of DSCI

Building successful PPPs in cyber security is critical for India to ensure a secure cyberspace. Majority of the recommendations identified in this report can be effectively implemented only through such PPPs. To enable the partnerships, an interfacing agency which brings the government and industry together through an institutionalized framework is required. DSCI, which has worked very closely with the government and the industry since its inception, can play a pivotal role in cyber security initiatives of the country including implementation of the CSAG recommendations by facilitating PPPs. The following credentials validate DSCI’s interfacing role:

Thought Leadership - DSCI is a not for profit company, working specifically in the area of cyber security, data security and data privacy. It has created best practices in security and privacy through DSF and DPF and has published various study and survey reports in data protection. It is engaged with global think tanks and institutions through various programs.

Industry Linkage - DSCI is an industry body having representation across sectors – IT/BPO, Banking, Financial Services & Insurance, Telecommunication, Energy, etc. It has around 600 corporate members and is connected to over 1200 security and privacy professionals across 10 cities in India.

Government Linkage - DSCI works with different government agencies - DIT, MHA, Ministry of External Affairs, Department of Commerce, Department of Personnel & Training, and Planning Commission on data protection initiatives undertaken by these ministries / departments.

Experience in PPP projects – DSCI has rich experience of executing PPPs in cyber security. It successfully delivered DIT-NASSCOM Cyber Security Awareness Program and is running the DSCI Cyber Labs program for training LEAs through establishment of cyber labs, jointly funded by DIT, respective State and DSCI.

DSCI can leverage the above credentials to deliver the following services (not limited to) to enhance cyber security in the country and specifically with respect to the implementation of the CSAG recommendations:

Advisory and Consultation – DSCI can provide strategy, policy and program related inputs to the government after consulting the industry on specific subjects.

Define Partnership Models – For implementing specific cyber security initiative or program in PPP mode, DSCI can consult both the government and the industry and recommend best possible partnership model that is capable of meeting the strategic goals of such a project / initiative. As a section 25 not-for-profit company, it can develop an approach for executing projects with government funding, through industry, that is acceptable to the government.

Program Management and Execution – For a particular PPP project, DSCI can provide the program management services – defining governance mechanisms, monitoring performance and completion, managing budgets & resources, communication, etc. DSCI can also be appointed as the agency for end to end project execution – requirement definition & consensus, deployment of in-house resources or sourcing, procurement of infrastructure (IT & non-IT), development of content, distribution, etc.

Knowledge Partner - DSCI can act as a knowledge partner in PPP projects to provide the required expertise during conceptualization and implementation.

Create Platforms – DSCI can create platforms for bringing together the government and industry for discussions on specific issues and concerns.

Establish Centres of Excellence – DSCI can build and operate Centres of Excellence (CoE) on different subjects that are of mutual interest to the government and the industry. Such CoEs can be established for creation, sharing, compilation and dissemination of Best Practices in security, Research in cyber security, Technology trends, among others.

Trainings – DSCI can conduct ongoing trainings for identified set of audiences in government and / or industry by arranging relevant experts in security and establishing the required training environment, which can be repeatedly used for conducting training sessions.

Outreach – To increase education and awareness level within the country, DSCI can conduct cyber security campaigns across the country bringing together government, industry, LEAs, academia, school children, home users, etc.

Information Sharing Environment – Being a third party, DSCI can act as an ‘Information Clearing House’ for enabling information exchange within industry and between industry and government.

Based on the activities identified above, DSCI will act as ‘Single Point of Contact’ for both the government and industry in PPP, helping government and industry save efforts to identify right people, institutions, expertise, channels, etc. The knowledge and learning of running PPP projects will get consolidated at DSCI and can be leveraged to design and run PPP projects in future. Also, a common infrastructure (IT & non-IT) can be created through DSCI, which may be reused for PPP projects, resulting in cost and resource optimization. Very importantly, DSCI, as an interfacing agency, can solve the ‘who will do what’ problem which is very common in a multi-stakeholder environment and more so when government and industry both cannot afford to allocate resources on full time basis for executing projects.

Epilogue

Cyber security, as part of national security, is, and will continue to be on the government’s policy agenda. As the threat scenario evolves, critical information infrastructure protection, government services delivery, public sector services along with industry and national defence will have to respond with appropriate cyber security policies that will involve implementation, and testing of security practices. LEAs will require upgradation of training and cyber forensics tools; R&D in cutting edge security technology will be essential. All of these and many other projects of national importance will be conceptualised and implemented in PPP. The policy scenario will evolve too. This calls for a vibrant relationship between the government and the industry.

To address this challenge, it is proposed to convert the CSAG to DSCI Cyber Security Policy Forum (CSPF), which will act as a standing committee of PPP. It will institutionalise the cyber security initiative of the industry and its engagement with the government. As the focal agency for data protection and cyber security, DSCI will anchor and spearhead CSPF.

Appendix

I Proposed National Cyber Security Structure

II Global Cyber Security Initiatives#

United States of America

“Cybersecurity threats represent one of the most serious national security, public safety, and economic challenges we face as a nation.” – US National Security Strategy 2010

The CSAG studied the cyber security journey of the US over three administrations – Clinton Administration, Bush Administration and Obama Administration, as depicted in the figure below:

Clinton Administration

The starting point of the major US cyber security initiatives dates back to 1996, when the President’s Commission on Critical Infrastructure Protection (CIP) was set up under the administration of President Bill Clinton. The Commission released its report to President Clinton in October 1997, making the following key recommendations:39

facilitate greater cooperation and communication between the private sector and appropriate government agencies by: setting a top level policy-making office in the White House; establishing a council that includes corporate executives, state and local government officials, and cabinet secretaries; and setting up information clearinghouses;

develop a real-time capability of attack warning

establish and promote a comprehensive awareness and education program

streamline and clarify elements of the legal structure to support assurance measures (including clearing jurisdictional barriers to pursuing hackers electronically); and

expand research and development in technologies and techniques, especially technologies that allow for greater detection of intrusions

Subsequent to the Commission’s Report, Presidential Decision Directive No. 63 (PDD-63) was released in 1998, with a national goal to build the national capability to defend nation’s critical infrastructure from intentional physical and cyber attacks in five years. To achieve this goal PDD-63 established the necessary structure and programs, based on the recommendations of the President’s Commission on CIP. The Directive40 focused on the following policy items, reflecting the policy direction taken by the country in cyber security:

Genuine, mutual and cooperative public-private partnerships

Voluntary participation of the private sector

Market driven approach to address the problem of critical infrastructure protection; regulation to be used only in case of market failure

Identifying and assessing available alternatives to direct regulation including providing economic incentives to encourage the desired behavior

Government to act as a role model for private sector

# A detailed study of cyber security initiatives of US, UK, Australia and Japan was conducted by the CSAG, based on the publicly available resources. NASSCOM and DSCI do not guarantee, and accept no legal liability whatsoever arising from or connected to, the accuracy, reliability, relevance or completeness of any content presented in this study.

39 Congressional Research Service - Critical Infrastructures: Background, Policy and Implementation

Based on the above policy items, following structure and programs were created by PDD-63:

Assignment of duties to National Coordinator for Security, Infrastructure Protection and Counter-Terrorism with reporting to the President through the Assistant to the President for National Security Affairs, including responsibility for implementation of PDD-63, interagency coordination for policy development and implementation, review crisis activities among others.

Assignment of a Lead Agency (government department) for each critical sector for sector liaison. Each lead agency was directed to appoint a Sector Liaison Official to coordinate with appropriate private sector organizations, through Sector Coordinator.

Creation of National Infrastructure Assurance Council comprising major infrastructure providers and state and local government officials to enhance the partnership of the public and private sectors in protecting critical infrastructures.

40 http://www.fas.org/irp/offdocs/pdd/pdd-63.htm

Creation of Critical Infrastructure Coordination Group comprising senior representatives from Lead Agencies, as well as representatives from other relevant departments and agencies, for interagency coordination for implementation of PDD-63.

Sector Liaison Official and Sector Coordinators to work together to create a Sectoral National Infrastructure Assurance Plan.

Establishment of Critical Infrastructure Assurance Office to integrate sectoral plans to develop National Infrastructure Assurance Plan which covers vulnerability assessment, remedial plans to reduce vulnerabilities, warning requirements and procedures, response strategies, reconstitution of minimum required capabilities, education and awareness programs, research and development needs, intelligence gathering and sharing, needs and opportunities for international cooperation and legislative and budgetary requirements.

Appointment of Critical Infrastructure Assurance Officer in each federal agency with the responsibility of securing agency’s critical infrastructure.

Establishment of National Infrastructure Protection Center (NIPC) to be the focal point for federal threat assessment, vulnerability analysis, early warning capability, law enforcement investigations, and response coordination.

Creation of ISACs (by encouraging the private sector to establish the same) for gathering, analyzing, appropriately sanitizing and disseminating private sector information to both industry and the NIPC.

Through the establishment of above identified structures, institutions, councils, plans, etc., the PDD-63 laid the foundational framework for cyber security in the US. The following governments built on this framework to further augment the country’s cyber security initiatives.

Bush Administration

Policy direction and approach of the Bush Administration for critical infrastructure protection was evolutionary expansion of the previous administration. The primary effort was directed at working collaboratively and voluntarily with the private sector. However, the focus of Bush Administration’s efforts was more oriented towards physical threats, especially post 9/11 terrorist attacks, whereas the focus of PDD-63 was more towards cyber threats.

Organizationally, following changes were made during the Bush Administration:

Department of Homeland Security (DHS) was established post 9/11 attacks with a mission of preventing terrorist attacks, reducing the vulnerability of the nation to such attacks, and responding rapidly should such an attack occur. Its responsibilities include safeguarding and securing country’s cyberspace - securing civilian government computer systems, and work with industry and state, local, tribal and territorial governments to secure critical infrastructure and information systems.41 Since its creation, DHS has played much more active role in identifying critical assets, assessing vulnerabilities, and recommending and supporting protective measures. Also, the manpower and resources devoted to these activities have greatly increased.

The Sector Liaison and Sector Coordinator model of PDD-63 was expanded into Government Coordinating Councils and Sector Coordinating Councils for each critical sector, as depicted below, for increased representation within all the sectors.

41 http://www.dhs.gov/xabout/gc_1240609042614.shtm

Homeland Security Council, supported by the Critical Infrastructure Protection Policy Coordinating Committee acting as an Interagency coordination group.

National Infrastructure Advisory Council comprising private sector executives, academia, state & local governments to advise the President on enhancing PPP, monitoring development of ISACs and encouraging private sector to perform vulnerability assessments of critical systems.

Appointment and then abolishment of Special Advisor to the President for Cyberspace Security and President’s Critical Infrastructure Protection Board (consisting of federal officials to recommend policies and coordinate programs for protecting information systems for critical infrastructure).

Operational units created by PDD-63, such as Critical Infrastructure Assurance Office and National Infrastructure Protection Centre were moved and restructured within DHS.

In addition to the above identified organizational changes, following major developments took place during Bush Administration:

Development of National Infrastructure Protection Plan (NIPP) covering (a) strategy to identify, prioritize & coordinate critical infrastructure protection (b) activities to achieve strategy (c) initiatives for information sharing (d) coordination with other federal emergency management agencies.42

Creation of Sector Specific Plans, utilizing processes outlined in NIPP.43

Enactment of Federal Information Security Management Act (FISMA) in 2002 which requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.44

Release of National Strategy to Secure Cyberspace in 2003, which outlined an ‘initial framework (as depicted in the figure below) for both organizing and prioritizing cybersecurity efforts. It provided direction to the federal government departments and agencies that have roles in cyberspace security. It also identified steps that state and local governments, private companies and organizations, and citizens could take to improve nation’s collective cybersecurity.’45

42 Final version of NIPP was approved in 2006. It was revised in early 2009.

43 Sector Specific Plans for all the identified critical sectors were developed and reviewed in 2006-2007

44 http://csrc.nist.gov/groups/SMA/fisma/overview.html

45 The National Strategy to Secure Cyberspace, February 2003

Release of ‘Comprehensive National Cybersecurity Initiative’ (CNCI), which ‘formalized a series of continuous efforts designed to further safeguard Federal government systems and reduce potential vulnerabilities, protect against intrusion attempts, and better anticipate future threats.’46 It describes twelve initiatives, which have been summarized47 below:

46 http://www.dhs.gov/xnews/releases/pr_1207684277498.shtm

47 The Comprehensive National Cybersecurity Initiative

Creation of National Asset Database which contained the list of critical infrastructure across the country. This database has now been automated by DHS through web-enabled Automated Critical Asset Management System (ACAMS).

Creation of Homeland Security Information Network (HSIN) – ‘a national secure and trusted web-based portal for information sharing and collaboration between federal, state, local, tribal, territorial, private sector, and international partners. It comprises Communities of Interest, which are organized by state organizations, federal organizations, or mission areas such as emergency management, law enforcement, critical sectors, and intelligence. Users can securely share within their communities or reach out to other communities as needed. HSIN provides secure, real-time collaboration tools, including a virtual meeting space, instant messaging and document sharing. HSIN allows partners to work together instantly, regardless of their location, to communicate, collaborate, and coordinate.’48

48 http://www.dhs.gov/files/programs/gc_1156888108137.shtm

Obama Administration

Digital infrastructure to be treated as a strategic national asset; Protecting this infrastructure will be a national security priority; America’s economic prosperity in the 21st century will depend on cybersecurity.

Remarks by President Obama on Securing America’s Cyber Infrastructure

Obama Administration retained the policy and organization of the preceding administration, but directed a comprehensive, “clean-slate” review to assess US policies and structures for cybersecurity, soon after President Obama assumed office (in Feb’09). Based on the recommendations of the policy review, the following actions have been taken:49

Appointment of Cybersecurity Coordinator in the White House.

Cybersecurity designated as one of the President’s key management priorities and establishment of performance metrics through CyberStats program.50

Updation of metrics for FISMA which is used for grading federal agencies on cybersecurity. Shifting the Federal approach from a static, paper-based certification to a dynamic, relevant process based on continuous monitoring and risk assessment.

Privacy and civil liberties official designated to the National Security Council cybersecurity directorate to ensure privacy of citizens is duly considered during development and implementation of cyber security initiatives.

Development of a formal interagency process that clarifies roles, responsibilities, and application of authorities across the federal government and identified additional authorities required by the government to fulfil its mission.

Creation of National Initiative for Cybersecurity Education (NICE) for cyber-savvy citizens and building cyber-capable workforce. The draft NICE strategic plan released in Aug’11 defines strategic goals and objectives, identifies partners, defines cybersecurity knowledge stages and a cybersecurity workforce capability & development model, communication & outreach activities, among other things to achieve NICE mission. The strategic outcomes of this initiative have been depicted in the figure below:

49 FACT SHEET: The Administration’s Cybersecurity Accomplishments

50 Details of CyberStats program are not available publicly

Release of International Strategy for Cyberspace, which provides a unified foundation for America’s international engagement on cyberspace issues. The policy priorities laid down by this strategy have been summarized51 below:

51 International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (May 2011)

Release of Cyber Research and Development Framework – ‘Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program’ to replace the piecemeal approaches to research with a set of coordinated research priorities. It provides for “a framework for prioritizing cybersecurity R&D in a way that concentrates research efforts on limiting current cyberspace deficiencies, precluding future problems, and expediting the infusion of research accomplishments into the marketplace.”52 The framework also defines the national structure for cybersecurity R&D coordination.

Release of National Strategy for Trusted Identities in Cyberspace which envisions establishing a national level ‘Identity Ecosystem’ – “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices.”53 This ecosystem is an attempt to overcome the existing shortcomings in the online authentication of individuals and devices that make identity theft and online fraud easier. The strategy emphasizes collaboration between public and private sectors for creating such an ecosystem.

Release of Cybersecurity Legislation Proposal54 focused on improving cybersecurity for the citizens, critical infrastructure, and the Federal government’s own networks and computers by:

Establishing regulatory framework to enhance cybersecurity of critical infrastructure which includes: owners and operators of critical infrastructure to develop cyber security plans; third party audit of the cybersecurity plans and reporting to Security and Exchange Commission.

Simplifying and standardizing the existing patchwork of 47 data breach notification state laws

Synchronizing penalties for computer related crimes with other crimes

Enabling DHS to quickly help organizations (private-sector company, state, or local government) when they solicit help and also defining the type of assistance that can be provided by DHS

Providing industry, state and local governments the required immunity to share cybersecurity related information with DHS.

Updating FISMA to shift focus from a static, paper-based certification to a dynamic, relevant process

Giving DHS more flexibility in hiring highly qualified cybersecurity professional and permitting the government and private industry to temporarily exchange experts, so that both can learn from each others’ expertise

Creating a new framework of privacy and civil liberties protection designed expressly to address the challenges of cybersecurity

Development of an interim National Cyber Incident Response Plan which has been tested during CyberStormIII (national cyber exercise). It defines organizational roles and responsibilities for cyber incidents, incident response cycle, national cyber risk alert levels, coordination & collaboration mechanisms among other elements required for preparing, responding and recovering from a cyber incident.

The following figure depicts the coordination of cyber incident management:

52 Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program, December 2011

53 National Strategy for Trusted Identities in Cyberspace, April 2011

54 http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal

In addition to implementing the recommendations of the policy review, following major developments have been made / are in the pipeline:

Release of Department of Defense Strategy for Operating in Cyberspace which lays down following five strategic initiatives55 for enabling the defence to operate in cyberspace:

Treat cyberspace as an operational domain to organize, train, and equip to take full advantage of cyberspace’s potential

Employ new defence operating concepts to protect defence networks and systems

Partner with other US government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy

Build robust relationships with US allies and international partners to strengthen collective cybersecurity

Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation

To effectively operate within cyberspace, through an appropriate organizational structure, a US Cyber Command has been created. It is a single four-star command which consolidates defense’s cyber organizations and operations – “A single chain of command runs from the head of Cyber Command to individual units around the world, enabling the command to oversee all cyber operations and to direct the training and equipping of our force.”56

Release of National Strategy for Global Supply Chain Security to achieve following two goals57:

Promote efficient and secure movement of goods by resolving threats early, improving verification and detection capabilities, enhancing security of infrastructure and maximizing the flow of legitimate trade

Foster a resilient supply chain by mitigating systemic vulnerabilities and promoting trade resumption policies & practices

Establishment of National Cybersecurity and Communications Integration Centre (NCCIC) – a national Early Watch and Warning Centre which works closely with the government at all levels and with the private sector to coordinate the integrated and unified response to cyber and communications incidents affecting homeland security. It integrates DHS, Department of Defence, Intelligence Community, Law Enforcement and Private sector and non-governmental partners. It is a 24x7 operations centre that provides both situational awareness and analysis, and significant cyber incident response capabilities.58

Introduction of Cybersecurity Enhancement Act (yet to become a law) which would allocate USD 396 million for cybersecurity research and USD 94 million for providing scholarships to students pursuing cybersecurity studies, over a period of four years. The Act also focuses on increasing public awareness through various campaigns.59

Policy Issues and Criticisms

During three administrations discussed above, the policy focus (till date) has been on – voluntary public-private partnership and information sharing. However, this approach has been criticized primarily for following three main reasons60 – (a) underestimating antitrust, liability and competition related issues in information sharing by private organizations (b) undermining issues in sharing of classified information by the government with the private sector; and (c) wrongly assuming that organizations will take action if they are made aware of the threats. The existing policy approach, advocates believe, fails to understand that the market forces cannot deliver the required investments and efforts for ensuring public safety and national security – voluntary efforts will always be inadequate. To overcome this, Center for Strategic and International Studies (CSIS) advocates creation of a light weight regulatory framework, developed in partnership with the industry.

55 Department of Defense Strategy for Operating in Cyberspace, July 2011

56 Speech by Deputy Secretary of Defense William J. Lynn, III, Council on Foreign Relations, New York City, Thursday, September 30, 2010 - http://www.defense.gov/speeches/speech.aspx?speechid=1509

57 National Strategy for Global Supply Chain Security, Jan’12

58 http://www.dhs.gov/xabout/structure/gc_1306334251555.shtm

59 http://www.scmagazine.com/cybersecurity-enhancement-act-passed-by-us-house/article/163176/

60 Cybersecurity Two Years Later: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency

61 Cyberspace Policy Review

62 Cybersecurity Two Years Later: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency

63 http://www.whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure

64 http://blogs.wsj.com/washwire/2010/09/21/former-nsc-official-criticizes-cyber-security-policies/

65 Congressional Research Service - Critical Infrastructures: Background, Policy, and Implementation, July 2011

Other main criticisms of the policy include:

Outdated and incoherent legal framework, given the advancements in technology. To overcome this, the policy review recommended development of “a new legislative framework to rationalize the patchwork of overlapping laws that apply to information, telecommunications, networks, and technologies, or the application of new interpretations of existing laws in ways to meet technological evolution and policy goals, consistent with U.S. Constitutional principles.”61

Lack of integrated cybersecurity strategy which aligns priorities, programs, actions, etc. across agencies and stakeholders for well coordinated, unified response to cyber threats.

DHS defends the government systems and DoD defends military and intelligence networks, however, there is no particular agency for defending private networks. The policy relies on voluntary efforts and market forces for defending private networks, which has been inadequate.62

More focus has wrongly been placed on preventing physical damage though the main motive of cyber attacks has been to steal intellectual property and secrets. It's been estimated that in year 2008 alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.63

Former Special Advisor to the President Bush for Cyberspace Security, who was also the National Coordinator to President Clinton - Mr. Richard Clarke, has also criticized the Obama Administration’s cybersecurity policies. As per Mr. Clarke, “the Obama administration so far has failed to do the necessary with regard to cyberwar”; DHS cybersecurity programs are underfunded and the department has “done nothing” about cyber threats to critical infrastructure such as the electric grid; and the Administration has failed to engage public on cybersecurity matters.64

Policy Implementation Issues and Challenges

The policies and programs designed during the three administrations faced following implementation challenges:65

Government – Sector coordination – The PDD-63 called for appointment of a Lead Agency represented by a Sector Liaison Officer to work with the respective private sector, which was encouraged to appoint a Sector Coordinator for this purpose. However, during implementation it took time to identify Sector Coordinators, though the Sector Liaison Officers were readily identified. Then there were coordination issues pertaining to the diversity of sectors – some sectors were more organized than others and had more experience of working with the government (through other regulatory frameworks). Also, since some of the sectors such as transportation included different diverse industries such as rail, highways, airlines, waterways, ensuring that all the relevant players were represented was a challenge. This challenge, however, was addressed by the Bush Administration by expanding the Sector Liaison Officer and Coordinator model to government coordination and sector coordination councils.

Internal Agency plans for protection of federal systems were too general and lacked understanding of what constitutes ‘critical asset’ and their interdependencies. To overcome this issue, a new program called ‘Project Matrix’ was launched, which provided the required guidance to the federal agencies to identify critical assets, identify their interdependencies and prioritize.

There were communication gaps leading to confusion over applicability of the PDD 63 directive. Many agencies believed that they were not covered under the PDD 63 directive and hence were not required to develop internal agency plans. These issues were later clarified.

There were enforcement issues as many internal agency plans developed by federal agencies were found to be incomplete – many did not identify critical assets and their interdependencies and had not conducted vulnerability assessments; Homeland Security Presidential Directive (HSPD 7) and FISMA helped overcome such enforcement issues.

The Sector Specific Plans created utilizing the processes outlined in the NIPP were inconsistent – some were more developed and comprehensive than others.

FISMA implementation laid too much focus on documentation, which wrongly channelized the efforts of the federal agencies towards complying with FISMA by creating documentation rather than addressing the real risks.

While creating the National Asset Database for critical infrastructure, there were many infrastructures included that were claimed to be of local importance rather than national importance. There was confusion on what this database should contain – an inventory of assets from which the list of critical assets could be derived or an inventory containing only the prioritized assets.

There were issues when it came to information sharing between different agencies, including private and government, because of bureaucratic reluctance, legal restraints, lack of trust and confidence, fears of information misuse, and technological difficulties, among others.

United Kingdom

Digital Britain, a policy document published in 2009 by the UK government, described the potential of cyberspace: “Only a Digital Britain will secure the wonders of an information revolution that could transform every part of our lives.”66 To achieve the full potential of cyberspace, the UK recognizes the importance of securing it. Announcing the UK’s first cyber security strategy, alongside updates on national security strategy, UK Prime Minister David Cameron said, “Just as in the nineteenth century we had to secure the seas for our national safety and prosperity, and in the twentieth century we had to secure the air, in the twenty first century we also have to secure our position in cyberspace in order to give people and businesses the confidence they need to operate safely there.”67

The first Cyber Security Strategy, launched in 2009, highlighted the need for government, organizations across all sectors, international partners and the public to work together to meet strategic cyber security objectives by:68

Reducing risk from the UK’s use of cyberspace

Reduce the threat of cyber operations by reducing an adversary’s motivation and capability;

Reduce the vulnerability of UK interests to cyber operations;

Reduce the impact of cyber operations on UK interests;

Exploiting opportunities in cyberspace

Gather intelligence on threat actors;

Promote support for UK policies; and

Intervene against adversaries;

Improving knowledge, capabilities and decision-making

Improve knowledge and awareness;

Develop doctrine and policy;

Develop governance and decision making;

Enhance technical and human capabilities.

The UK Cyber Security Strategy was republished by the government in 2011 with a broader perspective and coverage, formulating many new initiatives and collaboration mechanisms and creating new institutions / groups, along with the operationalization of tasks identified in the first strategy document. This strategy was framed to address the cyber security challenges and risks by:

Enhancing the level of knowledge and awareness of the field of cyber security

Developing a set of guidelines, policies, doctrines for legal & regulatory issues

Developing & defining governance model, roles & responsibilities

Encouraging knowledge & skills development at technological & personal front

Promoting innovation in the field of cyber security with additional funding

Establish a cross-government program

Safe, secure & resilient systems

Exploitation of cyberspace for creating opportunities

Encouraging international engagement

Work closely with the wider public sector, industry, civil liberties groups, the public and with international partners

66 http://www.official-documents.gov.uk/document/cm76/7650/7650.pdf
67 http://c4i-technology-news.blogspot.in/2011/11/uk-cyber-security-strategy.html
68 http://www.official-documents.gov.uk/document/cm76/7642/7642.pdf

To operationalize the strategy, the government established an Office of Cyber Security (OCS) under the Cabinet Office, with the primary task of providing strategic leadership and maintaining coherence across the government with respect to cyber security. OCS became the Office of Cyber Security and Information Assurance (OCSIA) in 2010 and coordinates cyber security programs run by the UK government. Under the oversight of the Minister for the Cabinet Office, OCSIA looks after fund allocation for the National Cyber Security Program (NCSP).69

The NCSP identifies the following key action points:70

Enhance the skill levels of information assurance and cyber security professionals by establishing programs for certified specialist training by the first quarter of 2012.

Continue to support the Cyber Security Challenge, which organizes competitions for a diverse range of entrants to help identify talented individuals, for addressing the shortage of cyber security experts.

Strengthen postgraduate education to expand the pool of experts having in-depth knowledge of cyberspace.

Strengthen UK’s academic base by developing a coherent cross-sector research agenda on cyber security, building on work done by the Government Office for Science. Also, establish a research institute in cyber security.

Commissioning research to clarify the extent, pattern and nature of the demand for cyber security skills across the private sector.

NCSP is also looking after the investments to ensure a more proactive approach for tackling cyber threats. Together with NATO allies, UK is establishing a common understanding on how best to defend itself against cyber attack, and the role of NATO in the collective defence.

When the OCS was created, a Cyber Security Operations Center (CSOC) was also established to keep an eye on the strength of national cyber security, coordinate incident response, inform industry about the risks associated with cyberspace, and provide analysis and overarching situational awareness of cyber threats. CSOC is positioned in the Government Communications Headquarters (GCHQ). GCHQ is a part of the National Intelligence Machinery and works closely with the Security Service and the Secret Intelligence Service for protecting UK’s national security interests. It also includes the Communications Electronics Security Group (CESG), which provides advice on information security and supports government, defence and key infrastructure clients with a range of information assurance services.71

To reduce the risks to the national infrastructure, an interdepartmental organization, the Centre for the Protection of the National Infrastructure (CPNI), has been established. It engages with CESG, the Security Service, police, business/organization security specialists, international partners and the respective departments (Communication, Energy, Finance, Transport, Emergency Services, Health, Food, and Water) responsible for national infrastructure sectors, taking an integrated approach to the security of national infrastructure. The CPNI delivers advice that aims to reduce the vulnerability in the national infrastructure. It has built up strong partnerships with private sector organizations owning and operating national infrastructure, creating a trusted environment where information can be shared for mutual benefit. For identifying and managing threats by sharing information with a wider group, a new operational partnership in the form of a joint public-private sector Cyber Security Hub is being established. It will pool the government and private threat information and pass that out to ‘nodes’ in key business sectors, helping them identify what needs to be done and providing a framework for sharing best practice.

69 http://www.cabinetoffice.gov.uk/content/office-cyber-security-and-information-assurance-ocsia
70 UK cyber security strategy 2011
71 www.gchq.gov.uk/

To make security a market differentiator and thereby incentivize industry to develop standards and provide guidance to customers when they buy products, the Department for Business, Innovation and Skills (BIS) is working with the users, industry and appropriate standards organizations (domestic, European and international) to develop security ‘kitemarks’. The kitemarks will ensure that customers are able to differentiate various products based on security.

Government is developing a community of ‘ethical hackers’ to minimize the existing vulnerabilities that could be exploited to perform cyber crimes and to ensure that UK’s infrastructure is robustly protected. Supported by GCHQ and Scotland Yard’s e-crime unit, UK organizes exercises - the Cyber Security Challenge – with intent to help bridge the talent gap in cyber security. The exercise draws thousands of participants who spend weeks shoring up vulnerable home networks, cracking weak codes and combing through corrupted hard drives in a series of tests.72 The government is also planning to develop cyber specialists by setting up a cyber crime unit within the National Crime Agency.73

This will help police departments across the country in tackling cyber crimes and will also support cyber crime investigations. Given the global nature of cyber crimes, UK is encouraging adoption of the international convention on cyber crimes and the creation and implementation of compatible frameworks of law that enable effective cross-border law enforcement. It also denies safe havens to cyber criminals and encourages other countries to join the ‘24/7 Network’ for cross-border law enforcement that ensures availability of urgent assistance when required.74 UK has established a twenty-four hour centre called the National Technical Assistance Centre (NTAC), which is under the control of the Home Office,75 to address the problem of usage of encryption by criminals and terrorists. NTAC assists LEAs in complex processing of encrypted material derived from lawfully intercepted computer communications.

To ensure proactive defence against cyber attacks and securing military networks, a new UK Joint Forces Command is envisaged from April 2012 which will develop and integrate defence cyber capabilities. As a part of this initiative, UK is setting up a new Defence Cyber Operations Group to bring together cyber capabilities from across defence services. This group will include a Joint Cyber Unit, hosted by GCHQ, to develop new tactics, techniques and plans to deliver military effects, including enhanced security, through operations in cyberspace. To have a focused system of cyber defence for the armed forces, a new Global Operations and Security Control Centre has been recently started by UK. There is another Joint Cyber Unit embedded within this centre with the primary purpose of developing and using a range of new techniques, including proactive measures, to disrupt threats to UK’s information security.

While it is important to build capability to defend and protect the country from cyber attacks, it is equally important to keep an eye on emerging threats. With this in view, the government is monitoring the most significant emergencies that UK and its citizens could face over the next five years, and has published them in the form of the National Risk Register (NRR).76 For the identified frauds there is an Action Fraud tool that helps people report them online. This online tool is also going through various improvements to its functionality and accessibility. To raise awareness of online security among the general public and small businesses, a joint public-private sector campaign, Get Safe Online, has been launched. It is sponsored by government and private companies. It works with a range of community groups and aims to give people the confidence and know-how to use the Internet securely. It combines marketing and PR activities with a comprehensive website (www.getsafeonline.org) giving up-to-date advice, tools and guidance on cyber good practice. It includes advice on topics such as online shopping, social networking sites, data theft and identity fraud.77

72 http://timesofindia.indiatimes.com/home/science/Amateurs-roped-in-to-fight-malware-hackers/articleshow/12241559.cms
73 http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf
74 http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf
75 http://www.cyber-rights.org/documents/ntac.htm
76 www.cabinetoffice.gov.uk/resource-library/national-risk-register
77 UK cyber security strategy 2011

UK’s vision for 2015 is to help shape an open, stable and vibrant cyberspace which the UK public can use safely and which supports open societies, with the crosscutting knowledge, skills and capability it needs to underpin all the cyber security objectives. UK is planning to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where actions, guided by its core values of liberty, fairness, transparency and the rule of law, enhance prosperity and national security and help build a strong society.

Australia

The Australian Prime Minister has indicated in a statement that cyber security is a top-tier national priority. To tackle cyber crimes and related issues, the Australian government has taken several initiatives. As a major step, the Australian Cyber Security Strategy was released in 2009. It aims to create a safe and secure digital space for government and private networks. The strategy document has identified seven strategic priorities, namely: developing threat awareness and response, changing civilian security culture, promoting public–private partnerships, securing government systems, pursuing international engagement, creating an effective legal framework and building a skilled cyber workforce. Emphasis was also placed on international collaboration and focused efforts for development of global standards, expansion of the international legal system’s capacity to combat cyber crime, engagement in bilateral or multilateral agreements to strengthen cooperation on cyber security and active participation in regional forums such as the UN, International Telecommunication Union (ITU), Asia-Pacific Economic Cooperation (APEC) etc.; and international working groups such as the Forum of Incident Response and Security Teams (FIRST) and the International Watch and Warning Network (IWWN).

Below is the description of Australian cyber space and security structure. It discusses the responsible departments & agencies, Australian government’s initiatives in efforts to secure cyber space, special attention to critical infrastructure protection, existing legal framework and other important parameters.

Attorney-General’s Department (AGD)78 is the lead agency for cyber security policy and chairs the Cyber Security Policy and Coordination (CSPC) Committee. It is responsible for providing government wide coordination on cyber security policy, including crisis management and international collaboration, and providing cyber security guidance to owners and operators of critical infrastructure.

The CSPC79 Committee is the Australian government interdepartmental committee that coordinates the development of cyber security policy for the Australian government. The CSPC Committee:

provides whole of government strategic leadership on cyber security

determines priorities for the Australian government

coordinates the response to cyber security events, noting that its coordination and policy functions do not extend to the oversight of operations, and

coordinates Australian government’s cyber security policy internationally.

Australian Communications and Media Authority (ACMA) is responsible for the regulation of broadcasting, the Internet, radio and telecom. It gathers evidence and assists in computer fraud and identity theft cases. It also ensures that ISPs and Telecom Service Providers are meeting their regulatory obligations regarding misuse and illegal content. It has also encouraged and played a vital role in the development of a cyber security Code of Practice, known as iCode, which provides a consistent approach for Australian ISPs to help inform, educate and protect their clients in relation to cyber security issues. It works with ISPs for the identification of compromised computers and investigates & acts against those involved in the distribution of spam.

The Australian Internet Security Initiative (AISI) collects data from various sources on computers exhibiting ‘bot’ like behaviour on the Australian Internet space. Using this data, ACMA provides daily reports to participating ISPs, who in turn inform their customers that their computer appears to be compromised and provide advice on how they can fix it.

Australian Federal Police (AFP) enforces criminal law and ensures its enactment. In relation to cyber security, the AFP provides a specialized investigative capacity to support investigation and prosecution of complex technology enabled crime offences. It actively engages in the implementation of crime prevention strategies and cooperates with international agencies to solve cyber crime.

78 http://www.ag.gov.au/Cybersecurity/Pages/default.aspx
79 http://www.ema.gov.au/www/agd/agd.nsf/Page/OrganizationalStructure_E-SecurityPolicyandCoordinationBranch

Australian Security Intelligence Organization (ASIO)80 has the responsibility of investigating electronic attacks conducted for the purpose of espionage, sabotage, terrorism or other forms of politically motivated violence, or attacks on the defence system. It collects intelligence both domestically and internationally. It produces threat assessments and protective security advice for government and critical infrastructure.

According to media reports, a new cyber espionage watchdog has been created within the ASIO. The reason cited for its setup is to monitor espionage attempts against Australian critical infrastructure assets and release alerts to agencies and critical infrastructure owners in a manner similar to the Computer Emergency Response Team (CERT) Australia. ASIO has reportedly also established a specialist cyber investigations unit to investigate and provide advice on state-sponsored cyber attacks against, or involving, Australian interests. The unit operates under the supervision of the First Assistant Director-General for Counter-Espionage and Interference.

CERT Australia81 was established in January 2010 and is the national coordination point within the government for the provision of cyber security information. It assists the owners and operators of critical infrastructure and systems of national interest. CERT Australia is also Australia’s official point of contact in the global community of CERTs to support international collaborations.

Defence Signals Directorate (DSD) is the national authority responsible for the security of ICT across government. It ensures that sensitive government electronic information systems are not susceptible to unauthorized access, compromise or disruption. DSD’s functions and responsibilities include:

providing material, advice and other assistance to State authorities on security issues

providing assistance in relation to cryptography and communications technologies, and

through the Cyber Security Operations Centre (CSOC), it is responsible for maintaining a comprehensive national picture of cyber security threats, through monitoring and analysis of all information sources, and rapidly responding to cyber attacks. It provides a central point for sharing information across government and coordinates with other agencies on response activities to enhance Australian government’s ability to prevent cyber attacks. The CSOC provides cyber situational awareness and an enhanced ability to facilitate coordinated responses to, and management of, cyber security events of national importance.

Joint Operating arrangements (JOA) were established by the Australian government whereby operational cyber security agencies (DSD, AFP and ASIO) identify, analyze and respond to cyber events of serious national consequence. The JOA agencies determine which agency has primary carriage of a security event response on the basis of the nature of the event and individual agency responsibilities.

Department of Broadband, Communications and the Digital Economy (DBCDE) has responsibility of working with the ACMA and Internet industry and collaborating internationally ensuring that its international activities align with whole of government objectives.

Australian Government Information Management Office (AGIMO) works with government agencies to ensure that Australian government ICT proposals have adequately considered cyber security risks. It advocates adoption of a government wide approach to the management of common assets and data sharing. It also promotes security and resilience as essential requirements of e-Government initiatives. One of the major tasks carried out by AGIMO is to develop government strategies to help meet the increasing demand for skilled cyber security practitioners. Also, it coordinates a strategy with ACMA for managing Internet gateways for the Australian government agencies.

80 http://www.asio.gov.au/
81 http://www.cert.gov.au/
82 http://www.minister.dbcde.gov.au/media/media_releases/2009/022

OnSecure is a cooperative project between DSD and AGIMO with the aim of improving the collection of information security event reports in the government and improving the analysis capabilities of such events. Important information on potential threats, vulnerabilities and mitigation derived from the analysis is then disseminated via OnSecure to all government agencies. OnSecure is the central Australian government Internet site for information security material provided by DSD.

Other than the above mentioned agencies and initiatives, Department of Prime Minister & Cabinet has set up National Security and International Policy Group Executive which is supported by various functions such as:

National Security Advisor (NSA) provides a high level of leadership, direction and coordination amongst national security and intelligence agencies. The NSA is the principal source of advice to the Secretary of the Prime Minister and Cabinet on all policy matters relating to the security of the nation and oversees the implementation of all national security policy. The Deputy NSA supports the function of the NSA.

National Security Chief Information Officer (NSCIO) provides strategic direction and coordination for information sharing across the national security community. This includes harmonizing the broad policy, governance and legislative arrangements currently in place so as to improve interoperability and collaboration, and provide oversight of the national security information management environment.

Cyber Policy Coordinator (CPC) coordinates the whole-of-government approach to cyber policies and activities. The CPC provides strategic leadership and coordination on matters of cyber policy and strategies across the entire cyber ‘spectrum’, from online consumer protection to cyber defence.

In the context of Australian cyberspace, a total of 17 sectors have been labeled as critical infrastructure sectors. CIP is a top priority for Australian government. Since the creation of the Program in 2003, its primary focus has been to share information & best practices with the owners and operators of critical infrastructure and to strengthen & improve their security measures and to help prioritize their risk management. Under this program, they have also developed resilience strategy to protect critical infrastructure. As part of strategy, they have:

Trusted Information Sharing Network (TISN) comprising 7 critical infrastructure Sector Groups (SGs), 2 Expert Advisory Groups (EAGs), Communities of Interest (CoI) and the Critical Infrastructure Advisory Council (CIAC). TISN members include owners and operators of critical infrastructure, government agency representatives and peak national bodies. The TISN, through its SGs and EAGs, seeks to promote the need for investment in resilient, reliable infrastructure with market regulators. It also builds up a risk management framework for infrastructure such as SCADA and prepares protective security risk reviews for critical infrastructure.

Critical Infrastructure Program for Modelling and Analysis (CIPMa) is a computer modelling program that uses a vast array of data and information from a range of sources (including the owners and operators of critical infrastructure) to model and determine the consequences of different disasters and threats (human and natural) to critical infrastructure. CIPMa also helps government shape policies on national security and critical infrastructure resilience.

The Australian government has established a new company to build and operate a National Broadband Network (NBN)82 to deliver superfast broadband access for all Australians. In the 2007–08 Budget, the Australian government allocated funds over four years to implement a range of initiatives (listed below) designed to enhance the protection of home users and small businesses from electronic attacks and fraud. A few of these are:

National Cyber Security Awareness Week is organized each year in partnership with industry, community organizations and all levels of government. The Awareness Week aims to educate users on the simple steps they can take to protect their personal and financial information online.

Cyber security website named ‘Stay Smart Online’ provides information for Australian internet users on cyber security issues and necessary measures. It offers information on a wide variety of topics including securing computers, tips to safely bank & shop online and links to resources for parents and teachers to help them protect their children online. Users can also subscribe to free alerts via e-mail, SMS and RSS feeds about the latest cyber security threats & vulnerabilities and possible solutions to address them.

Budd:e cyber security education package is a key component of the Australian Government’s commitment to raising the cyber security awareness among school going children. These modules are interactive and self learning and are designed to help students adopt secure online practices and behaviours in a fun way. Cyber security topics covered in the modules include malicious software, securing personal information online and social networking.

National Identity Security Strategy aims to combat the misuse of stolen/assumed identities and fight identity crime. Measures adopted include a new system for the electronic verification of documents used as evidence of identity, thereby improving registration and enrolment procedures; enhanced security features and strong authentication standards; ensuring accuracy in the identity information held by government agencies; and biometric interoperability, to confirm the identity of individuals.

Cyber White Paper: A cross-agency team will develop a Cyber White Paper which will bring together and describe the important relationships in the cyber environment between social well-being, economic prosperity and broader national interests. It will provide a framework for interaction across intra government agencies & departments and between government and industry. The first version will be released sometime around June 2012.

Other than the above mentioned programs/initiatives, one of the major initiatives taken by the government is for engaging resources capable of undertaking security practice from an early age. A multi-level executable career path is designed to cater to national security requirements and retain skilled professionals for the protection of national assets. The Australian Qualifications Framework is the national policy for regulated qualifications in Australian education and training. Specially tailored security training programs contribute to a number of career pathways such as protective security, security risk management, government investigation and specialist security practitioners, including physical security and ICT security.

Australia has a comprehensive cyber security legal framework, comprising Commonwealth and State legislation. At the Commonwealth level, the key elements of this framework include Australian Security Intelligence Organization Act 1979, Telecommunications (Interception and Access) Act 1979, Criminal Code Act 1995 (as amended by the Cybercrime Act 2001), Telecommunications Act 1997, Intelligence Services Act 2001, Spam Act 2003 and Surveillance Devices Act 2004.

Australia has partnered with allies under Cyber Storm with US, UK, Canada and New Zealand (Five Eye Countries) in cyber storm initiative, to conduct cyber security mock drill exercises for both public and private sector organization that helps them assess their security preparedness simulating crisis as would occur under cyber attack on national critical infrastructure. Cyber storm also conducts regular online war games with organizations and shares online defence and critical information across designated agencies within the DSD and the AG’s Department. It is in news that US and Australian offi cials have decided to include cooperation on cyber security as part of their defence treaty.

From the analysis above, it can be clearly seen that significant steps have been taken by the Australian government to secure its digital ecosystem. Departments and offices have well defined functions and roles to play with respect to cyber security.


Japan

Japan was one of the first countries to formulate a national cyber security strategy. The Government of Japan started to address IT security issues in 1999. Prior to this, Security Measures for Computer Networks in Large Industrial Facilities and Countermeasures against Cyber Terrorism & Cracking was released in March 1998.

It was followed by the Action Plan for Building Foundations of Information Systems Protection from Hackers and Other Cyber threats, which was adopted by the Interagency Director-Generals’ Meeting on IT Security on 21 January, 2000. This plan highlighted the need for a governmental structure to respond to cyber threats. It established the need for a national IT security policy. Developing cyber-terrorism countermeasures to protect critical infrastructures and putting the government in line with the transition to an e-government were also prioritized. Raising private sector awareness and enhancing international cooperation were also stressed. Based on this plan, the Cabinet Secretariat came up with Guidelines for IT Security in July, 2000 and Special Action Plan on Countermeasures to Cyber terrorism of Critical Infrastructure in December, 2000.

The Cabinet Secretariat IT Security Office was established in February, 2000. Following that, in April, 2000, Branch for IT Security was established in Cabinet Office for National Security Affairs and Crisis Management in order to better coordinate the policy and measures among ministries and agencies. The branch is composed of experts from ministries, agencies concerned and from private sector. It proposed the following administrative structures for strengthening IT security:83

Inter-ministerial Coordination Body

Established by the Prime Minister's Decision on February 29, 2000 under the auspices of the Advanced Information and Telecommunication Society Promotion Headquarters.

Composed of Director General level officers

Wisemen Committee for IT Security

Composed of academia, experts and representatives of the private critical infrastructure

2 Working Groups were created under this committee - IT security & Cyber terrorism

In March 2001, IT Strategy Headquarters established e-Japan Priority Policy Program. As a result of this program, an action plan to secure IT infrastructure of the government was created which included establishment of Government - Private Sector Partnerships and National Incident Response Team.

In 2005, as a major step, National Information Security Centre and Information Security Policy Council were set up to strengthen the cyber security posture in Japan. Following that, the first National Strategy on Information Security (NSIS) was published in 2006.

Next to follow were the annual plans, focusing on specific themes:

Secure Japan 2006 – First step toward a trustworthy society

Secure Japan 2007 - Upgrading of information security measures for safe and secure cyberspace

Secure Japan 2008 - Intensive efforts for enhancing information security infrastructure

Secure Japan 2009 - All entities should assume they may be subject to accidents

Information Security Strategy for Protecting the Nation (May 2010)

Information Security Research and Development Strategy (July 2011)

83 http://www.kantei.go.jp/foreign/it/security/2000/0519taisei.html


In February 2009, the Japanese government adopted the second NSIS for the years 2009 through 2011. The three-year plan includes four subjects: central and local governments, critical infrastructure, business entities, and individuals. As part of the NSIS process, the Japanese government adopted “Secure Japan 2009.” During this period, large-scale cyber attacks in the US and South Korea particularly alerted Japan. On 11th May 2010, Information Security Policy Council came up with Information Security Strategy for Protecting the Nation. This Strategy is a comprehensive approach that includes the 2nd NSIS and applies for four years (FY2010 to FY2013). Based on this strategy, two annual plans for information security have been devised - 2010 & 2011.


Responsible Ministries and Agencies

List of Ministries responsible for Cyber security in Japan:

Ministry of Internal Affairs and Communications (MIC)

Ministry of Economy, Trade, and Industry (METI)

Ministry of Defence (MOD)

Other than the above-mentioned ministries, a few important agencies that have been tasked to handle cyberspace are listed below:

National Police Agency (NPA) is an agency administered by the National Public Safety Commission of the Cabinet Office in the cabinet of Japan, and is the central coordinating agency of the Japanese police system. It has the task of regulating cyber security strategy and provides investigation support in this matter.

National Information Security Center (NISC) was set up in Cabinet Secretariat in April 2005. The head of the NISC is one of three Assistant Chief Cabinet Secretaries. This official has dual responsibilities for national security and emergency response systems, including physical security and cyber security. The main ministries that serve under the NISC are the MIC, METI, NPA and MOD.

Information Security Policy Council (ISPC) was formed under IT strategic headquarters in May, 2005. It is chaired by a Chief Cabinet Secretary. Under the ISPC’s formal direction and in cooperation with the NISC, policies are carried out by the ministries and agencies.

Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)84 is the first CSIRT (Computer Security Incident Response Team) established in Japan. The organization coordinates with network service providers, security vendors, government agencies, as well as the industry associations. Its activities include incident response and analysis, generating security alerts via a weekly report containing potential threats and advisory messages, coordination and collaboration with other CSIRTs, and vendor coordination.

Information Technology Promotion Agency (IPA)85 has the responsibility to solve diverse IT issues and create an IT-based society where people can live their lives feeling secure. IPA is an independent administrative agency promoting Japan’s IT strategies through improving the quality of software development and nurturing IT human resources. Three missions of IPA are:

Assuring the security & reliability of IT in Social Infrastructure

Strengthening international competitiveness

Cultivate highly skilled world class IT human resource

The Information Technology Security Center (ISEC) is the leading unit for promoting Japanese IT security countermeasures, including raising security awareness among Japanese citizens, providing alert information on the latest security vulnerabilities and publishing security guidelines for enterprises and home users.

National Incident Response Team (NIRT)86 is a sub-agency of Japan’s Cabinet Secretariat; NIRT is responsible for protecting the civilian computer networks from attack and intrusion, primarily at the Cabinet level of the Japanese government.

84 About JPCERT/CC : http://www.jpcert.or.jp/english/about/

85 http://www.ipa.go.jp/english/pdf/OrganizationProfile2011.pdf

86 http://www.ists.dartmouth.edu/projects/archives/japanese-cybersecurity-training.html


87 http://www.jnsa.org/en/aboutus/index.html

88 http://www.jnsa.org/isog-j/e/about_overview.html

89 http://www.nca.gr.jp/jws2008/WS6-07-isepa.pdf

90 http://www.nict.go.jp/about/charter-e.html

91 http://www.jasa.jp/

92 http://www.iajapan.org/

93 http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/presentation/pdf/070522_1.pdf

Japan Network Security Association (JNSA)87 aims to promote standardization related to network security, and to contribute to greater technological standards in the field, enhancing the public welfare through awareness, education, research and information-dissemination activities related to network security.

Information Security Operation providers Group Japan (ISOG-J)88 has been established to encourage familiarizing the security operation services to improve their service-level through improvement of security operation technologies, training organizations, to contribute to the realization of the IT environment which is safe and can be used with ease.

Information Security Education Providers Association (ISEPA)89 coordinates with NISC, METI & MIC on various education and awareness initiatives. Its activities include information sharing with multiple agencies, providing consultancy and advisory services to organizations and governments, promoting information security as a concept, career map development program, training content development among others. Members include Japan Information Security Audit Association, JNSA, CompTIA, Information Systems Audit and Control Association (ISACA) Tokyo Chapter, International Information Systems Security Certification Consortium (ISC)2, SysAdmin, Audit, Network, Security (SANS) etc.

National Institute of Information and Communications Technology (NICT)90 is the sole national research institute in the information and communications field. It works for advancement of national technologies, contributes to national policies and promotes research and development by cooperating with and supporting outside parties.

Japan Information Security Audit Association (JASA) 91 was established to maintain the prevalence and penetration of the Information Security Audit based on the Authorized Information Security Audit System.

Internet Association Japan (IAJapan)92 is a non-profit and industry-based organization which was established by the consolidation of Internet Association of Japan and Electronic Network Consortium and was legally permitted by Ministry of Internal Affairs and Communications (MIC) and METI. It provides leadership in promoting advanced systems of the Internet and in solving problems which ISPs encounter when they operate services.

Government Security Operations Centre (GSOC) was established in April 2008 and has the responsibility of monitoring and responding to attacks on government and critical infrastructure.

In total, 10 sectors have been identified as critical based on the first national strategy on information security namely: Telecom, Finance, Civil aviation, Railways, Electricity, Gas, Administrative Services, Medical Services, Water works, Logistics.

Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR)93 was created in each of the 10 critical infrastructure fields. CEPTOAR is “the function for sharing and analyzing information” to improve the ability to maintain and recover services of critical infrastructures. Critical infrastructure companies communicate and share information provided from governments for prevention of IT-malfunctions, prevention of expansion of suffering, rapid resumption from suffering and prevention of recurrence.


All these agencies collaborate and coordinate by sharing information based on the following structure:


Public Sector

Mr. Anil Kumar

Mr. M. D. Agrawal

Mr. M.M. Oberai

Mr. R. K. Sharma

Mr. S.P. Mukhopadhyay

Mr. Rajendra Pawar

Dr. Kamlesh Bajaj

Chairman, Executive Council, NASSCOM; Chairman & Co-founder, NIIT Group

Chair

Chief Executive Officer, DSCI

Member Secretary

Chief Information Security Officer, Oil & Natural Gas Corporation Limited

Head- IT, Refinery Division, Bharat Petroleum Corporation Limited

Deputy Inspector General of Police, Central Bureau of Investigation, Economic Offences

General Manager-IT, Bharat Sanchar Nigam Limited

Chief Information Security Officer, State Bank of India

Private Sector

Mr. Adapa Raja Vijay Kumar

Mr. Ameet Nivsarkar

Mr. Arijit Sengupta

Col. Arun Kumar Anand

Mr. Felix Mohan

Mr. Mukesh Aghi

Mr. Murali Krishna

Ms. Nandita Jain Mahajan

Mr. Pankaj Agrawal

Mr. Pazhamalai Jayaraman

Mr. Rajesh Dalal

Mr. Rohan Mitra

Col. Sameer Anukul

Mr. Sanjay Bahl

Mr. Suhaan Mukerji

Mr. Vishal Salvi

Mr. Yazad Patel

Vice President & Global Information Security Leader, Genpact

Vice President, NASSCOM

Chief Executive Officer, BeyondCore

Vice President & Chief Information Security Officer, NIIT Technologies

Senior Vice President & Global Chief Information Security Officer, Bharti Airtel

Senior Vice President and Head of Global IT, Infosys

Chief Privacy Officer and Director, IBM Global Process Services

Chief Information Security Officer & Head IT Governance, Aircel

Chief Information Security Officer & General Manager - Information Risk Management & Policy Compliance, Wipro

Director- Risk Prevention, Carrefour

Chief Information Security Officer, Microsoft India

Chief Information Security Officer, HDFC Bank

Managing Director & Head - IT, Deutsche Bank

Chairman & Chief Executive Officer, Steria India

Vice President - Technology, MakeMyTrip India Private Limited

Manager -Corporate Affairs, Yahoo India Private Limited

Partner, Amarchand Mangaldas

DSCI Team

Mr. Vinayak Godse

Mr. Rahul Jain

Mr. Vikram Asnani

Mr. Mayank Lau

Mr. Rahul Sharma

Mr. Atul Kumar

Director-Data protection

Senior Consultant -Security Practices : Principal Author

Senior Consultant - Security Practices

Consultant- Security Practices

Consultant- Security Practices

Security Analyst

Members (Listed in alphabetical order)

Cyber Security Advisory Group


L: Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi - 110057, India

P: +91-11-26155071 | F: +91-11-26155070 | E: [email protected] | W: www.dsci.in

DATA SECURITY COUNCIL OF INDIA®

A NASSCOM Initiative