Battleground Cyberspace

Close on the heels of the new Homeland Security Department taking charge of all cyber security functions in the US, India is also positionin...

Close on the heels of the new Homeland Security Department taking charge of all cyber security functions in the US, India is also positioning its cyber security plans in an organised form. The Information Technology Act 2000 (IT Act) set the tone for such activities and also provided the legal focus to cyber security efforts, albeit in a very small way. The September 11 attacks in the US and accompanying fears across the globe have provoked governments and corporations to think that cyber protection should be an integral part of all security measures. For the first time, there is an understanding that cyber security is a capital investment, not an ancillary affair.

In India cyber security is being addressed at various levels. The setting up of the high-powered National Information Board (NIB) under the chairmanship of the national security adviser is a major initiative. Recently, the report of the working group on information technology for the 10th Five Year Plan in India positions cyber security as a major focus area. It mentions that Indian corporations and government agencies need to be trained in IT security and specialised institutions need to be developed for the same. At the same time, research in cryptography needs to be given a thrust. There is need to devise a national strategy to counter cyber attacks and an efficient and prompt emergency response structure is call-ed for.

In this context, the concept of critical infrastructure protection (CIP) becomes a fundamental concern. The need to identify critical infrastructures and then define the critical functions is already an important agenda for many nations now. We in India also need to immediately define the same. Already the government has set up an inter-ministerial working group on CIP for this purpose. The goal of the Indian CIP initiative, as envisioned in this working group’s agenda, is to assure the continuity and viability of critical infrastructure and at the same time also ensure RAS (reliability, availability and survivability) of systems. Some references to the CIP policies of nations like the US, Canada, Germany, Switzerland is in order. Most of these nations now have experience in handling their critical functions under their CIP policy and their experience would stand us in good stead. The Chinese CIP strategy could be of relevance, although also of concern to us is China’s simultaneous pursuit of a pro-active information warfare strategy.

There must be a clear agenda for understanding all the issues concerning the Indian CIP. Some issues that crop up immediately are to do with the poor security infrastructure and a careless culture. There is a lack of urgency among senior government functionaries and senior management of corporations to prioritise security. There is almost no security education and awareness among stakeholders. There is also a serious lack of trust between government functionaries and private corporations. This is coming in the way of a teamwork culture that is prevalent in many other countries.

Lack of awareness of the effective use of the existing legal framework and a mechanism to adjust the legal framework to suit the dynamic nature of cyberspace is another important point. Another serious issue of concern is the multiplicity of agencies and the command structure for CIP. In case of a complicated terrorist attack, how to segregate the cyber elements from the general attack and then have a response in no time?

For now the working group will deliberate on two areas — the Critical Information Infrastructure Assurance Protection Plan (CIIAPP) and liaison activity pertaining to threat assessment and sectoral initiatives. In the former, key security organs of the government including the Ministry of Home Affairs (MHA), Defence, Intelligence Bureau (IB), Research and Analysis Wing (RAW), Central Bureau of Investigation (CBI) and National Informatics Centre (NIC) will work out the modalities for CIP including the funding pattern for critical functions. In the latter, individual sectors will have their own committees to study their vulnerabilities and threats. Presently, the definition of critical infrastructure in the Indian context is most important. We need to move fast. Else, the cyber attackers will be here.