Cyber Security – CERTs, Policy, etc
What are the Digital Arrest Scams?
From UPSC perspective, the following things are important:
Prelims level: Digital Arrest Scams
Why in the News?
The Prime Minister in his recent broadcast of “Mann Ki Baat” warned about the ‘Digital Arrest’ scams in India.
What is Digital Arrest?
| Aspect | Details |
|---|---|
| What are they? | A fraudulent scheme where scammers impersonate law enforcement officials to extort money from victims under the false pretence of an arrest. |
| Modus Operandi | • Scammers use audio or video calls to intimidate victims. • Claim involvement in illegal activities (e.g., drugs, contraband). • Victims are kept under constant visual surveillance until demands are met. |
| Common Tactics | • Use of deepfake videos and fake arrest warrants. • Threats regarding family members being involved in crimes. • Fake claims about parcels containing illegal goods. |
| Victim Impact | Victims may face significant financial losses, emotional distress, and a sense of vulnerability due to the intimidation tactics employed by scammers. |
| Recent Trends | • Increase in reported cases; over 11 lakh complaints of financial cyber fraud in 2023. • Rising incidents attributed to the expansion of internet users. |
| Prevention Measures | • Awareness of scams and verification of callers’ identities. • Immediate disconnection of suspicious calls. • Reporting incidents to local police and cybercrime helplines. |
| Legal Framework | • Governed by the Information Technology Act, 2000. • Reports can be filed through the National Cyber Crime Reporting Portal (www.cybercrime.gov.in). |

PYQ [2017]: In India, it is legally mandatory for which of the following to report on cyber security incidents?
1. Service providers
2. Data centres
3. Body corporate
Select the correct answer using the codes given below:
(a) 1 only (b) 1 and 2 only (c) 3 only (d) 1, 2 and 3
Global Cybersecurity Index, 2024
From UPSC perspective, the following things are important:
Prelims level: Global Cybersecurity Index, 2024
Why in the News?
- India has achieved Tier 1 status in the Global Cybersecurity Index (GCI) 2024, published by the International Telecommunication Union (ITU).
- With a score of 98.49 out of 100, India is now among the top nations demonstrating role-model cybersecurity practices.
About Global Cybersecurity Index (GCI):
| Aspect | Details |
|---|---|
| Launch | 2015, by the International Telecommunication Union (ITU) |
| Objective | • Measures the commitment of countries to cybersecurity based on five pillars. • Helps identify areas for improvement and encourages capacity and capability building. |
| Five Pillars | • Legal: Laws and regulations on cybercrime and cybersecurity • Technical: Implementation of technical capabilities via national and sector-specific agencies • Organizational: National strategies and organizations implementing cybersecurity • Capacity Development: Awareness, training, education, and incentives for cybersecurity • Cooperation: Partnerships between agencies, firms, and countries |
| Strengths and Weaknesses | • Most countries are strongest in the Legal pillar. • The Capacity Development and Technical pillars are where most countries are weakest. |
| GCI 2024 Five-Tier Analysis | • Tier 1 (Role-modelling): Score of 95-100 • Tier 2 (Advancing): Score of 85-95 • Tier 3 (Establishing): Score of 55-85 • Tier 4 (Evolving): |
PYQ [2020]: In India, under cyber insurance for individuals, which of the following benefits are generally covered, in addition to payment for the loss of funds and other benefits?
1. Cost of restoration of the computer system in case of malware disrupting access to one’s computer
2. Cost of a new computer if some miscreant willfully damages it, if proved so
3. Cost of hiring a specialized consultant to minimize the loss in case of cyber extortion
4. Cost of defence in the Court of Law if any third party files a suit
Select the correct answer using the code given below:
(a) 1, 2 and 4 only (b) 1, 3 and 4 only (c) 2 and 4 only (d) 1, 2, 3 and 4
Southeast Asia origin of at least 45% cyber frauds targeting Indians
From UPSC perspective, the following things are important:
Prelims level: Budapest Convention
Mains level: Internal and External Security; Challenges of Cybersecurity in India
Why in the News?
Over 5,000 Indians, both unemployed and employed, are reportedly trapped in Cambodia and forced to work in cyber fraud operations, resulting in an estimated Rs 500 crore loss in India over six months.
Present Cybersecurity Status of India:
What is the Budapest Convention? Is India a party to it?
Indian Nationals vs. Organised Crimes in the South Asian Region:
- Most of the web applications used to carry out the financial fraud are in Chinese, which does not rule out a Chinese connection.
- Financial crimes such as digital arrest, stock market scams, investment scams, and romance or dating scams account for a loss of over ₹1,776 crore in 89,054 cases in the first four months of the year, reflecting a spurt in organized crime from Southeast Asia.
- Numerous Indian nationals employed within a suspected fraudulent operation based in Sihanouk City, Cambodia, have voiced their grievances against their employers.
What are the causes of the increase in Organized Financial Fraud?
- Weak Prevention Measures: Online platforms in India currently account for 89% of all fraud incidents, with 40% of companies losing over $1 million.
- Rapid Digitization and Payment Systems: After the pandemic there was a massive shift, with the average Indian company now operating more than two online platforms in the normal course of business.
- This has made it easier for fraudsters to operate anonymously and target a large number of victims.
- Informal Investigation and Prosecution: India lacks a standardized data-format protocol from the core banking systems themselves, which makes it difficult to trace devices and creates jurisdictional issues in interstate cases.
- Lack of Deterrence: With only 26% of victims able to recover lost funds, fraudsters are encouraged to target individuals and organizations. The total value of frauds reported in 2021-22 was a staggering ₹60,414 crore.
- Lack of Awareness: Sharing sensitive financial details with others, or storing them insecurely, makes ordinary people vulnerable to fraud.
What are the Initiatives taken by the government to tackle cyber crimes in India?
- National Cyber Security Strategy 2020: Currently being formulated to enhance cyber awareness and strengthen cybersecurity through more rigorous audits.
- Draft Personal Data Protection Bill, 2018: Based on the recommendations of the Justice BN Srikrishna Committee, this bill aims to secure citizens’ data.
- Indian Cyber Crime Coordination Centre (I4C): Approved in October 2018, this initiative addresses all types of cybercrimes in a comprehensive and coordinated manner.
- National Computer Emergency Response Team (CERT-In): Functions as the nodal agency for coordinating all cybersecurity efforts, emergency responses, and crisis management.
- National Critical Information Infrastructure Protection Centre (NCIIPC): Established to protect and ensure the resilience of critical information infrastructure.
Way Forward:
- Update and Enforce Laws: Regularly update the Information Technology Act and other relevant laws to address emerging cyber threats and ensure strict enforcement.
- Upgrade Cyber Defense Systems: Invest in advanced cybersecurity technologies and infrastructure to protect critical information systems.
- Training Law Enforcement: Provide specialized training for law enforcement agencies to equip them with the skills needed to investigate and prosecute cybercrimes.
- Collaborate with Industry: Foster partnerships between the government and private sector to share threat intelligence and best practices.
Mains question for practice:
Q Discuss the current challenges of cybersecurity in India, citing examples of recent trends in cybercrime. What measures have been taken by the Indian government to address these challenges? 15M
Mains PYQ
Q What are the different elements of cyber security? Keeping in view the challenges in cyber security, examine the extent to which India has successfully developed a comprehensive National Cyber Security Strategy. (UPSC IAS/2022)
What is Doxxing and what can you do if it happens to you?
From UPSC perspective, the following things are important:
Prelims level: Doxxing
Mains level: NA
Why in the news?
In mid-February, a woman reported an incident of doxxing to Mumbai Police after a man shared a video of her dancing and subjected her to harassment online.
What is Doxxing?
- Doxxing involves publicly disclosing an individual’s private information without consent, including personal details like addresses, phone numbers, and more.
- It can lead to severe consequences, including physical, digital, and emotional harm, such as stalking, threats, and loss of privacy.
Legality and Intentions
- While sharing public content may be legal, the intentions behind sharing such content can be malicious and harmful.
- Social media platforms like X take action against users who share information with abusive intent or to harass others.
Consequences of Doxxing
- Victims of doxxing may face numerous challenges, including securing their physical location, clarifying situations with employers, and dealing with a barrage of threats.
- Security measures such as changing passwords, enabling two-factor authentication, and reporting incidents to social media platforms are crucial for safeguarding against doxxing.
Legal Remedy Against Doxxing
- Victims of doxxing can report incidents through the National Cyber Crime Reporting Portal and file FIRs with law enforcement authorities.
- Social media companies like Meta and Google have tools and mechanisms in place to assist individuals who have been doxxed.
PYQ [2020]: In India, under cyber insurance for individuals, which of the following benefits are generally covered, in addition to payment for the loss of funds and other benefits?
1. Cost of restoration of the computer system in case of malware disrupting access to one’s computer
2. Cost of a new computer if some miscreant willfully damages it, if proved so
3. Cost of hiring a specialized consultant to minimize the loss in case of cyber extortion
4. Cost of defence in the Court of Law if any third party files a suit
Select the correct answer using the code given below:
(a) 1, 2 and 4 only (b) 1, 3 and 4 only (c) 2 and 4 only (d) 1, 2, 3 and 4
India ranks number 10 in World Cybercrime Index
From UPSC perspective, the following things are important:
Prelims level: World Cybercrime Index, India's position
Mains level: NA
Why in the news?
A new research effort, the ‘World Cybercrime Index,’ sheds light on the global cybercrime scenario, ranking India in the 10th position worldwide.
About the World Cybercrime Index
- The World Cybercrime Index has been developed as a joint partnership between the University of Oxford and University of New South Wales, Sydney.
- It has been funded by CRIMGOV, a European Union-supported project.
- The index was developed to identify major cybercrime hotspots globally by ranking countries based on the significant sources of cybercrime at a national level.
- The study ‘Mapping the global geography of cybercrime with the World Cybercrime Index’ has been published in the journal PLOS ONE.
The five major categories of cybercrime assessed by the study were:
- Technical products/services (e.g. malware coding, botnet access, access to compromised systems, tool production).
- Attacks and extortion (e.g. denial-of-service attacks, ransomware).
- Data/identity theft (e.g. hacking, phishing, account compromises, credit card compromises).
- Scams (e.g. advance fee fraud, business email compromise, online auction fraud).
- Cashing out/money laundering (e.g. credit card fraud, money mules, illicit virtual currency platforms).
Key Findings of the Report
- India occupies the 10th position in the cybercrime rankings, with scams involving advance fee payments being the most prevalent type.
- Russia leads the index, followed by Ukraine, China, the US, Nigeria, and Romania, with North Korea, the UK, and Brazil rounding out the top positions.
- Russia and Ukraine emerged as highly technical cybercrime hubs, while Nigerian cybercriminals primarily engaged in less technical forms of cybercrime.
PYQ [2018]: The terms ‘Wanna Cry, Petya and Eternal Blue’ sometimes mentioned in the news recently are related to:
(a) Exo-planets (b) Crypto-currency (c) Cyber attacks (d) Mini-satellites
Downloading child pornography is an offence
From UPSC perspective, the following things are important:
Prelims level: POCSO Act
Mains level: Child pornography
What is End-to-End Encryption? How does it Secure Information?
From UPSC perspective, the following things are important:
Prelims level: Encryption
Mains level: Not Much
Introduction
- In today’s digital age, information is invaluable, and encryption serves as a crucial means to protect it.
- Specifically, end-to-end (E2E) encryption has transformed how human rights organizations, law enforcement, and technology companies handle sensitive information.
What is Encryption?
- Encryption Definition: Encryption transforms readable information into an unreadable form according to specific rules. Different encryption methods exist, providing varying levels of security.
- Example of DES: The Data Encryption Standard (DES) encrypts text like “ice cream” to a garbled form with a specified key, such as “kite” or “motorcycle.”
- Key Importance: A key serves as the means to unlock (decrypt) encrypted text, ensuring that only authorized individuals can access the original information.
What is End-to-End Encryption (E2E)?
- E2E Encryption Defined: E2E encryption is defined by the points along the path at which information is protected. In a messaging app, for instance, E2E encryption ensures that messages remain encrypted both during transmission and in storage, and are decrypted only on the intended recipient’s device.
- Protection in Transit and at Rest: E2E encryption safeguards information during transmission and while stored on servers, providing comprehensive protection.
Mechanisms of Information Encryption
(A) Symmetric vs. Asymmetric Encryption:
- Symmetric Encryption: The same key is used for both encryption and decryption. Examples include DES and Advanced Encryption Standard (AES).
- Asymmetric Encryption: Different keys are used for encryption and decryption. Public and private key pairs, such as Curve25519, exemplify asymmetric encryption.
(B) Hash Functions:
- Hash Function Properties: Hash functions map messages to digests with properties like non-reversibility, fixed-length output, and uniqueness for unique inputs.
- Example of DES: DES uses a complex process, including S-boxes, to encrypt messages.
Can E2E Encryption Be ‘Cracked’?
- MITM Attacks: A man-in-the-middle (MITM) attack intercepts messages by obtaining the encryption keys, typically by inserting the attacker into the key exchange. The countermeasure is comparing key fingerprints out of band to detect tampering.
- Complacency Risks: Users may become complacent, assuming total security. However, malware and backdoors can compromise device security, allowing unauthorized access.
- Metadata Surveillance: While E2E encryption secures message content, surveillance can occur through metadata analysis, revealing information about message timing, recipients, and locations.
- Backdoor Risks: Companies implementing E2E encryption may install backdoors, enabling access for legal or illicit purposes. Examples, like the Snowden affair, highlight potential misuse.
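The key-exchange and fingerprint check described above, as an added illustration that is not code from the original article: two parties derive a shared symmetric key from an asymmetric exchange relayed through the server, and an out-of-band fingerprint comparison reveals a relay that swapped the keys. The Diffie-Hellman group, the `toy-e2e-v1` label and the party names are constructed for the demo; the group is far too small to be secure.

```python
"""Toy end-to-end key exchange with fingerprint verification.

Added illustration; not code from the original article. The group is
deliberately tiny and insecure (a real app would use Curve25519 and a
proper KDF). The point is how comparing key fingerprints out of band
exposes a man-in-the-middle who substituted the public keys.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Toy group parameters (constructed for the demo; never use in practice).
P = (1 << 127) - 1   # a Mersenne prime
G = 3


@dataclass
class Party:
    name: str
    priv: int
    pub: int
    peer_pub: int = 0   # the public key this party received for its peer


def keygen(name: str) -> Party:
    """Asymmetric key pair: the private exponent never leaves the device,
    only the public value is sent through the server."""
    priv = secrets.randbelow(P - 2) + 1
    return Party(name, priv, pow(G, priv, P))


def fingerprint(pub: int) -> str:
    """Short, human-comparable digest of a public key (what apps display as a
    'safety number'). Same key -> same fingerprint; the hash is one-way."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def derive(secret: int) -> bytes:
    """Symmetric key derived from the shared secret; used for the messages."""
    return hashlib.sha256(b"toy-e2e-v1" + secret.to_bytes(16, "big")).digest()


def session_key(party: Party) -> bytes:
    return derive(pow(party.peer_pub, party.priv, P))


def relay(pub: int, attacker: Optional[Party]) -> int:
    """The messaging server forwarding public keys. An honest relay passes
    them through; a compromised one substitutes the attacker's own key."""
    return pub if attacker is None else attacker.pub


def run_exchange(tampered: bool) -> dict:
    alice, bob = keygen("alice"), keygen("bob")
    mallory = keygen("mallory") if tampered else None

    # Public keys travel through the server in both directions.
    bob.peer_pub = relay(alice.pub, mallory)
    alice.peer_pub = relay(bob.pub, mallory)

    # Out-of-band check: Alice compares the fingerprint her app shows for Bob
    # with the one Bob reads off his own device, and vice versa.
    fingerprints_match = (
        fingerprint(alice.peer_pub) == fingerprint(bob.pub)
        and fingerprint(bob.peer_pub) == fingerprint(alice.pub)
    )
    # Does the relay hold a key that decrypts Alice's traffic? Only after a swap.
    attacker_has_alice_key = (
        mallory is not None
        and derive(pow(alice.pub, mallory.priv, P)) == session_key(alice)
    )
    return {
        "fingerprints_match": fingerprints_match,
        "alice_bob_same_key": session_key(alice) == session_key(bob),
        "attacker_has_alice_key": attacker_has_alice_key,
    }


if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered" if tampered else "honest", run_exchange(tampered))
```

A mismatched fingerprint is the only signal the users get: the app keeps working, but the key on each side is shared with the relay rather than with the peer.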
Chameleon Trojan: Compromising Biometric Security on Android Devices
From UPSC perspective, the following things are important:
Prelims level: Chameleon Trojan
Mains level: Not Much
Central Idea
- Security researchers have identified an updated version of the ‘Chameleon Trojan’ malware, capable of disabling biometric authentication methods.
Chameleon Trojan
- The malware’s primary objective is to steal the phone’s PIN by bypassing fingerprint and face unlock security features.
- This trojan attaches itself to legitimate Android applications, such as Google Chrome, to evade detection.
- It operates in the background and is reportedly undetectable during runtime, bypassing Google Play Protect alerts and other security software.
- It exploits the Accessibility service on Android 12 and earlier versions, while on newer versions, it circumvents Google’s security restrictions through different methods.
Modus Operandi of Chameleon Trojan
- To bypass new restrictions, the malware displays an HTML page instructing users to enable the Accessibility service for the app, compromising device security.
- Once active, it captures on-screen content, navigates using gestures, and steals PINs and passwords, subsequently accessing more sensitive data like credit card details and login credentials.
- The malware also tracks app usage habits to time its attacks when the device is least likely to be in use.
Protection against Chameleon Trojan
- Users are advised to avoid installing Android apps from unofficial sources to reduce the risk of malware infection.
- Be wary of enabling the Accessibility service for apps that are not well-known or trusted.
- Conducting regular security scans on the device can help in identifying and mitigating threats.
- Ensuring that Google Play Protect is enabled at all times is recommended for continuous monitoring and protection against malware.
We want a Digital India. Just not the one we are living in
From UPSC perspective, the following things are important:
Prelims level: Dark web
Mains level: cybersecurity
Central idea
The increasing frequency of data breaches in India, exemplified by the recent dark web sale of sensitive personal information of 815 million citizens, underscores a pressing cybersecurity challenge. India’s inadequate incident response strategies, lack of transparency, and failure to prioritize cybersecurity pose risks to individuals and national security. A comprehensive approach, focusing on prevention, detection, and transparency, is imperative for building a resilient and secure digital infrastructure in India.
Key Highlights:
- Resecurity, a US company, revealed the sale of sensitive personal data of around 815 million Indians on the dark web.
- The data included Aadhaar numbers, passport information, and addresses, posing a significant threat to individuals.
- Previous instances of data leaks in India, such as the CoWin website breach and AIIMS ransomware attack, highlight a recurring issue.
Key Challenges:
- India faces a rising trend of data breaches, with the potential for severe consequences like identity theft and financial scams.
- Lack of effective incident response strategies in India compared to countries like the US, where cybersecurity standards are being strengthened.
Key Terms:
- Dark web, Aadhaar, Passport number, Ransomware, Cybersecurity, Data breach, Incident response.
Key Phrases:
- “Leaking of sensitive information poses a severe threat to individuals’ financial well-being.”
- “India’s mobile phone usage, enhanced banking access, and growing market size make it an attractive target for bad actors.”
Key Quotes:
- “The constant flow of news about data breaches is normalizing massive losses of personal data.”
- “India’s response to data breaches is criticized for its lack of transparency, accountability, and effective incident response.”
Key Statements:
- “Data breaches are at an all-time high globally, and India is particularly vulnerable due to its economic growth and large population.”
- “Incident response strategies in India are characterized by denials and lack of transparent communication with affected citizens.”
Key Examples and References:
- Resecurity’s revelation of the sale of Indians’ personal data on the dark web.
- Previous data breaches in India, including the CoWin website leak and the AIIMS ransomware attack.
Key Facts:
- The data set on the dark web contained personally identifiable information of approximately 815 million Indian citizens.
- India lacks a long-term cybersecurity strategy, leading to inadequate handling of data breaches.
Key Data:
- The sensitive personal data of 815 million Indians was available on the dark web for a price of $80,000.
Critical Analysis:
- India’s response to data breaches is criticized for its lack of transparency, accountability, and effective incident response.
- The Data Protection Act in India is deemed insufficient, especially in addressing sensitive health information.
Way Forward:
- Prioritize the prevention, detection, assessment, and remediation of cyber incidents in India.
- Establish a cybersecurity board with government and private sector participation for concrete recommendations.
- Adopt a zero-trust architecture and mandate a standardized playbook for responding to cybersecurity vulnerabilities.
- Inform and empower citizens immediately, taking responsibility for their protection and remediation in the aftermath of cyber incidents.
What is Zero Trust Authentication (ZTA)?
From UPSC perspective, the following things are important:
Prelims level: Zero Trust Authentication (ZTA)
Mains level: Read the attached story
Central Idea
- In response to rising cyberattacks, the Centre has established a secure e-mail system for 10,000 users across critical ministries and departments.
- The National Informatics Centre (NIC) has designed this system, incorporating Zero Trust Authentication (ZTA).
What is Zero Trust Authentication (ZTA)?
- ZTA is a security concept and framework that operates on the principle of “never trust, always verify.”
- This approach to cybersecurity is a significant shift from traditional security models that operated under the assumption that everything inside an organization’s network should be trusted.
- In contrast, Zero Trust assumes that trust is never granted implicitly but must be continually evaluated and authenticated, regardless of the user’s location or the network’s perimeter.
Key Principles of ZTA
- Least Privilege Access: Users are granted only the minimum level of access needed to perform their job functions. This limits the potential damage in case of a security breach.
- Strict User Verification: Every user, whether inside or outside the organization’s network, must be authenticated, authorized, and continuously validated for security configuration and posture before being granted access to applications and data.
- Micro-segmentation: The network is divided into small zones to maintain separate access for separate parts of the network. If one segment is breached, the others remain secure.
- Multi-Factor Authentication (MFA): ZTA often requires multiple pieces of evidence to authenticate a user’s identity. This could include something the user knows (password), something the user has (security token), and something the user is (biometric verification).
- Continuous Monitoring and Validation: The system continuously monitors and validates that the traffic and data are secure and that the user’s behaviour aligns with the expected patterns.
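The five principles above, worked into a single access decision as an added example (not code from the NIC system the article describes): every request is checked for identity, two distinct MFA factor kinds, device posture, session freshness and behaviour, then for least privilege and segment reachability, and every decision is logged. The users, roles, segments and the 15-minute re-validation window are constructed assumptions.

```python
"""Toy zero-trust access decision for one request.

Added illustration of the ZTA principles; not code from the NIC e-mail
system. Users, roles, segments and timings are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Least privilege: each role lists only the actions its job needs.
ROLE_ACTIONS = {
    "mail-user": {"mail:read", "mail:send"},
    "mail-admin": {"mail:read", "mail:send", "mail:admin"},
}
# Micro-segmentation: each resource lives in one segment; a user may only
# reach the segments assigned to them, whatever their role allows elsewhere.
RESOURCE_SEGMENT = {
    "mailbox/finance": "finance",
    "mailbox/hr": "hr",
    "mail-server/config": "it",
}
USERS = {
    "asha": {"role": "mail-user", "segments": {"finance"}},
    "ravi": {"role": "mail-admin", "segments": {"it"}},
}
# MFA: factors grouped by what the user knows / has / is.
FACTOR_KIND = {"password": "knows", "pin": "knows", "token": "has",
               "certificate": "has", "fingerprint": "is", "face": "is"}
MAX_SESSION_AGE_S = 15 * 60   # continuous validation: re-verify after this


@dataclass
class Request:
    user: str
    action: str
    resource: str
    factors: Set[str]
    device_compliant: bool      # endpoint posture reported by device management
    session_age_s: int
    behaviour_anomalous: bool   # e.g. impossible travel, unusual volume
    inside_network: bool = False  # logged, but never grants trust by itself


@dataclass
class PolicyEngine:
    audit_log: List[dict] = field(default_factory=list)

    def decide(self, req: Request) -> Tuple[bool, str]:
        allowed, reason = self._evaluate(req)
        # Compliance: every decision, allowed or denied, is logged with its reason.
        self.audit_log.append({
            "user": req.user, "action": req.action, "resource": req.resource,
            "allowed": allowed, "reason": reason,
            "inside_network": req.inside_network,
        })
        return allowed, reason

    def _evaluate(self, req: Request) -> Tuple[bool, str]:
        user = USERS.get(req.user)
        if user is None:
            return False, "unknown identity"
        # Strict verification + MFA: two distinct factor kinds are required
        # regardless of whether the request originates inside the network.
        kinds = {FACTOR_KIND[f] for f in req.factors if f in FACTOR_KIND}
        if len(kinds) < 2:
            return False, "mfa: need two distinct factor kinds"
        if not req.device_compliant:
            return False, "device posture non-compliant"
        # Continuous validation: stale sessions and odd behaviour are re-challenged.
        if req.session_age_s > MAX_SESSION_AGE_S:
            return False, "session stale: re-authenticate"
        if req.behaviour_anomalous:
            return False, "behaviour outside expected pattern"
        # Least privilege: the action must be in the role's minimal set.
        if req.action not in ROLE_ACTIONS[user["role"]]:
            return False, f"action {req.action} not granted to role {user['role']}"
        # Micro-segmentation: the resource's segment must be reachable by the user.
        segment = RESOURCE_SEGMENT.get(req.resource)
        if segment is None:
            return False, "unknown resource"
        if segment not in user["segments"]:
            return False, f"segment {segment} not reachable by {req.user}"
        return True, "verified"


if __name__ == "__main__":
    engine = PolicyEngine()
    print(engine.decide(Request("asha", "mail:read", "mailbox/finance",
                                {"password", "token"}, True, 60, False)))
    print(engine.decide(Request("asha", "mail:read", "mailbox/hr",
                                {"password", "token"}, True, 60, False)))
    for entry in engine.audit_log:
        print(entry)
```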
Implementation of Zero Trust Authentication
- Technology: Implementation of Zero Trust requires technologies like identity and access management (IAM), data encryption, endpoint security, and network segmentation tools.
- Policy and Governance: Organizations need to establish comprehensive security policies that enforce Zero Trust principles, including how data is accessed and protected.
- User Education and Awareness: Training users on the importance of cybersecurity and the role they play in maintaining it is crucial.
Benefits of Zero Trust Authentication
- Enhanced Security Posture: By verifying every user and device, Zero Trust reduces the attack surface and mitigates the risk of internal threats.
- Data Protection: Sensitive data is better protected through stringent access controls and encryption.
- Compliance: Helps in meeting regulatory requirements by providing detailed logs and reports on user activities and data access.
- Adaptability: Zero Trust is adaptable to a variety of IT environments, including cloud and hybrid systems.
In cyber attacks, terror has found a new face
From UPSC perspective, the following things are important:
Prelims level: cyber attacks
Mains level: evolving landscape of terrorism emphasizes the shift to cyberspace
Central idea
The article underscores the transformation of terrorism into cyberspace, emphasizing the significance of robust cybersecurity measures in the face of escalating state-sponsored cyberattacks.
Key Highlights:
- Mumbai holds the unfortunate title of the most terror-attacked city globally.
- The November 26, 2008 (26/11) attacks were the most audacious, lasting three days.
- Intelligence was available before 26/11 attacks, but preventive measures failed.
- Post-attack, significant changes were made in the police department and security apparatus.
Key Challenges:
- Despite reforms, the landscape of terror warfare has shifted to cyberspace.
- The Russia–Ukraine and Israel–Hamas conflicts demonstrate the growing threat of cyber warfare.
- State-sponsored cyberattacks against India increased by 278% between March 2021 and September 2023.
Key Terms and Phrases:
- 26/11 terror attacks, cyberspace, cyber warfare, state-sponsored cyberattacks.
Key Examples and References:
- November 26, 2008, terror attacks in Mumbai.
- Israel-Hamas conflict and the failure of the Iron Dome against cyber threats.
- 2023 India Threat Landscape Report by Cyfirma.
Key Facts and Data:
- State-sponsored cyberattacks on India increased by 278% from March 2021 to September 2023.
- India faced 13.7% of all global cyberattacks.
- 13.91 lakh cybersecurity incidents in India in 2022.
Critical Analysis:
- Cybersecurity is of paramount importance in a highly digitized world.
- Recent incidents, including Apple’s warning, highlight the urgency for robust cybersecurity measures.
- The need for nationwide education and training on cyber threats is crucial.
Way Forward:
- Urgent investment in robust cybersecurity measures across government, private sector, and individual citizens.
- Comprehensive education programs, starting in schools, to raise awareness about cyber threats.
- Adequate training and financial support for government agencies to strengthen cybersecurity.
In conclusion, the evolving landscape of terrorism emphasizes the shift to cyberspace, demanding urgent and comprehensive cybersecurity measures, education, and training to safeguard against potential online threats like a “cyber 26/11.”
CERT-In exempted from RTI Ambit
From UPSC perspective, the following things are important:
Prelims level: CERT-In, RTI
Mains level: NA
Central Idea
- The Centre has included the Computer Emergency Response Team (CERT-In) in the list of organizations exempted from the Right to Information Act (RTI), 2005.
- There are 26 other intelligence and security organisations established by the Central government, such as the Intelligence Bureau, Research and Analysis Wing, Directorate of Enforcement, and National Technical Research Organisation, that are exempt under RTI.
About Indian Computer Emergency Response Team (CERT-In)
| Aspect | Details |
|---|---|
| Nodal Agency | Part of India’s Ministry of Electronics and Information Technology |
| Establishment | Formed in 2004 under Section 70B of the Information Technology Act, 2000 |
| Inter-agency Coordination | Works with NCIIPC (under NTRO and PMO) and NDMA (under Ministry of Home Affairs) |
| Functions | Monitors cyber-attacks, issues security guidelines, liaises with national cybersecurity bodies |
| Recent Activities | Hosted ‘Synergy’ exercise in 2022 with international participation |
| International Agreements | MoUs with UK, Korea, Canada, Australia, Malaysia, Singapore, Japan, Uzbekistan; cooperation with Shanghai Cooperation Organisation |
| Notable Incidents | Reported Android Jelly Bean flaw (2014), Chrome vulnerabilities (2020), WhatsApp vulnerability (2021); investigated AIIMS cyber-attack (2022) |
| Cyberattack Statistics (2021) | Faced 11.5 million cyberattack incidents including attacks on infrastructure and government |
Back2Basics: Right to Information (RTI) Act
| Aspect | Details |
|---|---|
| Enactment | June 15, 2005 |
| Objective | Promote transparency and accountability |
| Applicability | All public authorities at central, state, local levels |
| Scope | Access to information on matters of public interest, government policies, budgets, etc. |
| RTI Application | Filed in writing with the concerned public authority |
| Response Time | Within 30 days (48 hours for life or liberty issues) |
| Exemptions | Some information is exempted to protect national security, privacy, the judiciary, etc. |
| Fees | Nominal fee varies based on state and information requested |
| First Appellate Authority | Filed if dissatisfied with the response |
| Second Appeal | Filed with the relevant Information Commission |
| Whistleblower Protection | Safeguards against victimization for exposing corruption |
| Impact | Promotes transparency, accountability, and good governance |
Pegasus Spyware Saga: Unveiling the Expert Committee’s Findings
From UPSC perspective, the following things are important:
Prelims level: Pegasus Spyware
Mains level: Whatsapp snooping and related issues
Central Idea
- Several prominent opposition leaders recently reported receiving “threat notifications” from Apple regarding a potential state-sponsored spyware attack on their iPhones.
- This incident has drawn parallels with the Pegasus Spyware Case, which targeted individuals globally, including in India.
About Pegasus Spyware
- Functionality: As its name suggests, Pegasus is spyware designed to surveil individuals through their smartphones.
- Covert Installation: It infiltrates a target’s device by enticing them to click on an exploit link, installing the malware without their knowledge or consent.
- Comprehensive Access: Once installed, Pegasus grants the attacker complete control over the victim’s phone, enabling eavesdropping, data retrieval, and even activation of the camera and microphone.
What is the Pegasus Spyware Case?
- Global Revelation: In July 2021, a collaborative global investigative project uncovered the use of Pegasus spyware, developed by NSO Group, an Israeli cybersecurity company, to target mobile phones worldwide, including India.
- Government Denials: The Indian government denied the allegations and accused the opposition of undermining national security but did not explicitly deny using Pegasus.
- Supreme Court’s Involvement: On October 27, 2021, the Supreme Court appointed an Expert Committee headed by Justice R V Raveendran to investigate the allegations, considering their public importance and potential violation of citizens’ fundamental rights.
- Cyber Terrorism: This intrusion constitutes a cyber-terrorism attempt and calls for the application of Section 66(F) of the Information Technology Act 2008 (IT Act) to deal with the perpetrators.
Expert Committee’s Mandate
- Terms of Reference: The committee had seven terms of reference, including determining the entity that procured Pegasus, verifying if petitioners were targeted, and assessing the legal basis for using spyware like Pegasus on Indian citizens.
- Policy Recommendations: It was also tasked with making recommendations on a legal and policy framework for cybersecurity to protect citizens’ privacy.
- Technical Expertise: The committee comprised technical experts from various fields, including cybersecurity and forensic sciences.
Key Findings
- Lack of Conclusive Evidence: On August 25, 2022, the Supreme Court revealed that the expert committee did not find conclusive evidence of Pegasus use in the 29 phones it examined.
- Government Non-Cooperation: The Centre did not cooperate with the committee, as observed by the panel itself.
- Malware Discovery: While malware was found in five phones, it could not be definitively linked to Pegasus.
- Inconclusive Determination: The committee concluded that the limited data available made it inconclusive to determine Pegasus use.
- National Security Concerns: The committee’s report contained information about malware that could pose threats to national security and private confidential information.
Implications and Urgent Action
- Fundamental Right to Privacy: Protecting citizens’ smartphones through technologies like encryption is crucial for national security.
- Need for Inquiry: Establishing an independent high-level inquiry with credible members and experts can restore confidence and ensure transparency.
- Global Cooperation: Given the multinational impact of such attacks, coordinated global cooperation is essential for a thorough investigation.
- Data Sovereignty and Privacy: Citizens’ data sovereignty should encompass their right to privacy, with stringent punishments for privacy violations.
Conclusion
- The Pegasus spyware case, which raised significant concerns about citizen privacy and national security, prompted a comprehensive investigation by the Supreme Court-appointed Expert Committee.
- While the committee did not find conclusive evidence of Pegasus use, it emphasized the potential risks associated with malware and cybersecurity.
- The case remains open, and further developments may shed light on the extent of surveillance and privacy infringements.
What is the ‘SIM Swap Scam’ — and how can you protect yourself?
From UPSC perspective, the following things are important:
Prelims level: SIM Swap Scam
Mains level: Phishing and other financial crimes
Central Idea
- In recent years, the SIM swap scam has emerged as a significant threat to individuals’ financial security.
- This fraudulent scheme exploits the link between physical SIM cards and banking applications, allowing scammers to gain access to victims’ bank accounts and personal information.
SIM Swap Scam: An Overview
- Exploiting Technological Advances: The SIM swap scam capitalizes on the integration of banking applications with phone numbers, enabling the generation of OTPs (One-Time Passwords) and the receipt of critical bank-related messages.
- Acquiring Personal Data: Scammers begin by collecting victims’ personal details, including phone numbers, bank account information, and addresses, often through phishing or vishing (voice phishing) techniques. Phishing involves sending malware-laden links through emails or messages to steal personal data.
- Forging Victim Identity: Armed with the stolen data, fraudsters visit a mobile operator’s retail outlet, impersonating the victim with forged ID proof. They falsely report the theft of the victim’s SIM card and/or mobile phone. As a result, they obtain a duplicate SIM card. Notably, fraudsters can secure a duplicate SIM even if the original is still functional. All activation messages and information are directed to the scammer rather than the victim.
Why do victims receive Missed Calls?
- Strategic Communication: In contrast to typical scams that involve tricking individuals into divulging OTPs and private data during phone calls, the SIM swap scam operates differently.
- Distraction Tactic: Fraudsters initiate missed calls to their targets, prompting victims to check their phones and potentially ignore network connectivity issues.
- SIM Exchange Execution: Perpetrators use these missed calls as a diversion while they execute the SIM swap. Once the SIM is swapped, fraudsters gain control over all calls and messages through the victim’s SIM, allowing them to initiate transactions unnoticed.
How do scammers withdraw money?
- Phishing Information: After acquiring personal data through phishing attacks, scammers use this information to access bank portals and generate OTPs required for fund withdrawal.
- OTP Access: Having control over the victim’s SIM card, fraudsters receive all OTPs, enabling them to authenticate transactions and steal money.
- Data Sources: Accused individuals purchase data from hackers involved in data breaches or from online portals. Data breaches often involve private companies losing vast amounts of customer data.
- Example: In April, Rentomojo, an electronics and furniture rental company, reported a data breach, acknowledging unauthorized access to customer data due to a cloud misconfiguration.
Arrests and Challenges
- Absence of Arrests: Delhi Police has not made any arrests related to the SIM swap scam. The accused effectively evaded capture by discarding duplicate SIMs and operating from multiple locations.
- Cryptocurrency Conversion: Stolen funds are often converted into cryptocurrency, making tracking Bitcoin or other cryptocurrency transactions impossible due to encryption.
Protecting Yourself from SIM Swap Fraud
- Stay Vigilant: Be cautious of vishing or phishing attacks and avoid clicking on suspicious links or sharing sensitive information.
- Don’t Ignore Missed Calls: Don’t ignore missed calls or switch off your phone, especially if you receive multiple missed calls. Contact your mobile operator immediately if such activity occurs.
- Regularly Update Passwords: Change bank account passwords regularly for added security.
- Set Up Alerts: Register for regular SMS and email alerts for banking transactions to stay informed.
- Report Fraud: In case of fraud, promptly contact your bank authorities to block your account and prevent further fraud.
Dawn of Passkeys: A Password-Free Future
From UPSC perspective, the following things are important:
Prelims level: Passkeys, Password
Mains level: Not Much
Central Idea
- In 1961, MIT computer science professor Fernando Corbato introduced the world to digital passwords, an innovation designed for research purposes. Little did he know the profound societal impact his creation would eventually wield.
Why discuss this?
- Passwords have become nearly synonymous with cybersecurity in the 21st century, albeit with an unsavory connotation.
- Despite efforts to promote robust password practices, “password” and “123456” continue to dominate the list of common passwords, underscoring the pervasive vulnerability of most accounts.
Passkeys: Need for Change
- Ineffectiveness of Passwords: The prevailing authentication method, based on passwords, falls short in ensuring adequate security.
- Big Tech Solution: In response to this predicament, major tech companies propose a solution – passkeys.
Understanding Passkeys
- Web Authentication Standard: Passkeys are a security feature built on the Web Authentication (WebAuthn) standard.
- Public-Key Cryptography: Passkeys employ public-key cryptography, a key pair in which the public key is held by the server and the private key stays on the user’s device.
- Authentication Process: When users log in, the server sends a random challenge to their device, which signs it with the private key and returns the response. The server then verifies the response with the public key; since the server holds only the public key, it stores no secret that could be stolen and reused, which is what makes the scheme more secure than passwords.
Getting Started with Passkeys
- Wide Compatibility: Leading tech companies, including Microsoft, Google, and Apple, have collaborated to make passkeys accessible to most recent phones and PCs.
- Operating Systems: Passkeys are available on iOS 16+, iPadOS 16+, macOS Ventura, Android 9+, Windows 10, and Windows 11.
- Web Browsers: Passkeys are supported on popular browsers like Chrome, Edge, Safari, and Firefox.
Creating and Using Passkeys
- Account Requirement: Users need an account with a provider supporting passkeys, such as Microsoft, Google, or Apple.
- Activation Process: To enable passkeys, sign in to a compatible app or website, activate the passkey option, and obtain a unique passkey linked to your account and device.
- Usage: Passkeys can be used with biometrics (e.g., Touch ID, Face ID), QR codes, or device verification.
Future of Passwords
- Inevitable Evolution: While passkeys offer notable advantages over traditional passwords in terms of security and user-friendliness, they still face challenges related to compatibility and user adoption.
- Industry Push: Notably, Google, Apple, and Microsoft are driving the passkey agenda strongly, suggesting that passwords may eventually become obsolete.
Conclusion
- A Security Evolution: The emergence of passkeys as an alternative to traditional passwords marks a significant shift in the realm of cybersecurity.
- Ongoing Transition: As passkeys gain momentum and garner support from tech giants, they may gradually pave the way for a password-free future, promising enhanced security and user convenience in the digital realm.
Inside the Digital World of Cookies
From UPSC perspective, the following things are important:
Prelims level: Cookies and Digital Privacy
Mains level: Read the attached story
Central Idea
- In the online world, digital cookies hold a significant role, contributing to personalization and user convenience.
- These unobtrusive lines of code, quietly stored on devices during website visits, shape the online experiences we encounter.
Understanding How Cookies Work
- Cookies as Digital Keys: Think of cookies as keys to an exclusive club. Just as a club bouncer recognizes regular patrons, cookies remember your login details on websites, eliminating the need for constant re-authentication.
- Enhanced Online Shopping: Websites like Amazon leverage cookies to remember your past interactions, offering tailored product recommendations and an intimate shopping experience.
- Persistent Shopping Carts: Online shopping carts, fueled by cookies, ensure your selections remain intact even after you leave the site, simplifying the checkout process.
- Personalized Advertising: Platforms like Facebook and Google utilize cookies to track online behaviour, serving ads aligned with your preferences.
Types of Cookies
- Session Cookies: Session cookies are temporary; they function as post-it notes for websites, existing only in your computer’s memory for the duration of your browsing session.
- Persistent Cookies: Comparable to bookmarks, persistent cookies remain on your device after your browsing session, retaining login information and preferences.
- Secure Cookies: Secure cookies are sent only over encrypted (HTTPS) connections and are employed for sensitive data like login credentials.
- Third-Party Cookies: Originating from domains other than the visited site, third-party cookies serve tracking and advertising functions, offering both benefits and potential intrusiveness.
Multifaceted Uses of Cookies
- Digital ID Cards: Cookies facilitate user authentication, allowing websites to recognize and keep you logged in.
- Personalization: They remember your preferences, such as language choices and website themes.
- Persistent Shopping Carts: Items added online remain accessible upon your return.
- Analytics Data: Cookies enable website owners to gather valuable data about user interactions for improvements and customization.
- Targeted Advertising: Advertisers employ cookies to display ads aligning with your interests, enhancing online shopping experiences.
Challenges Associated with Cookies
- Privacy Concerns: Cookies can track online behaviour, occasionally infringing upon digital privacy.
- Security Risks: Inadequately secured cookies may expose personal information to cybercriminals.
- User Consent Era: Privacy regulations require websites to seek user consent before deploying specific cookie types, resulting in pop-ups and prompts.
- Third-Party Cookie Debates: Concerns about third-party cookies have led web browsers to limit their usage for user privacy protection.
- Data Deluge: The multitude of cookies can potentially overwhelm your browser, causing a sluggish web experience.
Conclusion
- Complex yet Sweet: Cookies enhance online experiences but also bring privacy and security challenges. As the digital landscape evolves, so will the use and regulation of cookies.
- Analogous to Real Cookies: Just like warm, gooey chocolate chip cookies, digital cookies add a personalized touch to your online adventures, even if they occasionally leave behind a few crumbs.
Draft UN Cyber Crime Convention
From UPSC perspective, the following things are important:
Prelims level: UN Cybercrime Convention , Budapest Convention
Mains level: Not Much
Central Idea
- The Union Home Ministry recently reviewed the draft of the UN Cyber Crime Convention.
- The purpose of this review was to assess the necessary changes in India’s existing systems if the convention is signed and ratified by the country.
UN Cybercrime Convention (Draft) | |
Background | |
Timeline | |
Content of Zero Draft | |
Focus Areas of Concern | • Scope of Cybercrimes: The draft narrows the list of cybercrimes but leaves room for expanding the scope through references to other international conventions. • Speech-Related Offenses: While removing certain content-related offenses, it reintroduces them by applying the convention to crimes established under other international conventions. • Surveillance Powers: The draft retains surveillance powers, raising concerns about the lack of consensus on legal safeguards. • Use of Budapest Convention Language: Some provisions in Chapter IV are based on the 2001 Budapest Convention but with weakened safeguards. |
Recommendations | |
Why discuss this?
- India enacted the Digital Personal Data Protection Act in August, ushering in a framework for personal data protection within the country.
- This legislation allows personal data to be processed in the interest of India’s sovereignty, integrity, and state security while fulfilling legal obligations.
- Notably, it also mandates that firms disclose to users the identity of other firms entrusted with their data for processing.
- However, the Act explicitly exempts firms from disclosing or sharing data in the case of lawful interception of data.
India’s position on the Convention
India put forth several key positions:
- Deleting Data Transfer Clause: India advocated for the deletion of a clause that encourages state parties to “establish bilateral or multilateral arrangements” to facilitate the transfer of personal data. This underscores India’s emphasis on the sovereignty of its data and its desire to maintain control over cross-border data transfers.
- Authorization for Data Transfer: India expressed its agreement with the clause stating that state parties may transfer personal data to a third country or an international organization only with the prior written authorization of the original transferring state party, subject to effective and appropriate safeguards. This reflects India’s commitment to ensuring data security and responsible handling.
- Designation of Points of Contact: The draft convention outlines that each state party should designate a point of contact available 24/7 to provide immediate assistance for investigations, prosecutions, or judicial proceedings related to cyber criminal offenses. This demonstrates India’s commitment to effective cooperation in addressing cybercrimes.
Maya OS: Everything you need to know
From UPSC perspective, the following things are important:
Prelims level: Maya OS
Mains level: Secured cyber infrastructure
Central Idea
- The Defence Ministry is taking a significant stride towards bolstering its cybersecurity by introducing an indigenous operating system named Maya OS.
- This move aims to replace Microsoft’s Windows OS on all ministry computers, ensuring enhanced protection against cyberattacks.
Understanding Maya OS
- Origin and Purpose: Maya OS is a homegrown operating system developed by the Union Ministry of Defence.
- Name’s Significance: Maya OS draws its name from the ancient Indian concept of illusion, signifying the deceptive appearance of reality.
- Open-Source Framework: Maya OS leverages the Ubuntu platform, embracing open-source principles by utilizing free and publicly available software. This approach enhances transparency, community collaboration, and customization possibilities.
- Chakravyuh Feature: Maya OS introduces the Chakravyuh feature, an endpoint anti-malware and antivirus software. It acts as a protective layer between users and the internet, thwarting unauthorized access attempts and safeguarding sensitive data.
User Interface and Features
- Familiar Interface: Maya OS offers a user-friendly interface, mirroring the familiar look and feel of Windows, thereby ensuring a comfortable user experience.
- Application Compatibility: The OS supports commonly used software like Microsoft Office, Adobe Photoshop, AutoCAD, and more, enabling a seamless transition for users.
- Enhanced Security: Maya OS incorporates features such as cloud storage, encryption, digital signatures, and biometric authentication to fortify security measures.
Development Journey
- Initiation in Response to Threats: The development of this OS commenced in 2021, prompted by the rise in cyberattacks targeting India’s critical infrastructure and defence systems.
- Collaborative Efforts: A collaborative effort involving experts from various government agencies like DRDO, C-DAC, and NIC, along with Indian software companies and academic institutions, contributed to the development of Maya OS.
- Swift Progress: The development of Maya OS was accomplished within 6 months, reflecting the dedication and expertise of the collaborative teams.
Cybersecurity threats from online gaming
From UPSC perspective, the following things are important:
Prelims level: NA
Mains level: Online gaming Industry and Cybersecurity threats
What’s the news?
- The video gaming industry has come a long way from Pong in 1972 to the release of Hogwarts Legacy in 2023. The recent surge has been a result of COVID-19, when the market expanded by about 26 percent between 2019 and 2021. However, this popular form of recreation has also imperiled cybersecurity.
Central idea
- The video gaming industry has experienced tremendous growth, transforming from a niche form of entertainment to a multi-billion-dollar global phenomenon. With over US$227 billion in revenue in 2022 and an expected 3.32 billion gamers by 2024, the industry’s popularity is unprecedented. However, this remarkable expansion has also led to a surge in cyberattacks, imperiling cybersecurity.
A Surge in Cyberattacks
- The gaming sector has become a prime target for cybercriminals, experiencing a staggering 167 percent increase in web application attacks in 2021 alone.
- In 2022, the industry witnessed an unprecedented wave of Distributed Denial of Service (DDoS) attacks, with gaming platforms accounting for approximately 37 percent of all such attacks.
- These cyber threats have put gamers at risk, with account takeovers, cheating mods, credit card theft, and fraud becoming disturbingly common.
The Pentagon Leak Case
- One of the most alarming cyber incidents occurred in April 2023, when a Discord server centered around the popular video game Minecraft became the source of the worst Pentagon leak in years.
- Classified documents, some marked Top Secret, were exposed, containing sensitive information about the ongoing Ukraine-Russia conflict, potential issues with Ukrainian ammunition supplies, and intelligence regarding the Russian military.
- Shockingly, the documents also hinted at US surveillance of its allies, specifically Israel and South Korea.
The virtual economy of video games
- The monetization of video games through in-game currencies and microtransactions has given rise to virtual economies.
- While developers offer players the ability to purchase virtual items using real money, the practice has come under scrutiny due to its perceived predatory nature, particularly concerning minors.
- Some countries have outright banned such practices, deeming them a form of online gambling. For example, Belgium banned the purchase of FIFA points, an in-game currency, in the famous football franchise FIFA.
- In February 2023, Austria followed suit, declaring FIFA packs illegal gambling.
The current policy framework around online gaming
- As of April 2023, the Ministry of Electronics and Information Technology (MeitY) in India has implemented new rules to regulate the online gaming industry.
- The current policy framework divides online games into two categories:
- Online real money games: Games that involve real money and are registered with Self-Regulatory Organizations (SROs). These games are subject to specific regulations and oversight.
- Games that do not involve real money: Games that do not have any monetary transactions or betting and wagering involved.
The key provisions of the current policy framework
- Ban on online games involving betting and wagering: The new rules explicitly ban online games that have elements of betting and wagering. This move aims to curb illegal gambling activities within the gaming space.
- Obligations for online gaming intermediaries: The rules define the responsibilities and obligations of online gaming intermediaries. These intermediaries are required to follow certain norms, including Know Your Customer (KYC) norms, parental consent, and grievance redressal mechanisms. The objective is to enhance transparency and accountability in the sector.
- Establishment of Self-Regulatory Organizations (SROs): The policy requires the appointment of three SROs, consisting of industry representatives, educationists, and other experts. These SROs play a crucial role in determining which online games are permissible under the regulations.
Limitations of the current policy framework
- Narrow focus: The rules primarily target online games that involve real money transactions and betting. They do not comprehensively address other potential threats like microtransactions, loot boxes, and money laundering using virtual currencies.
- Loopholes: Many online games can bypass the regulations by offering rewards and prizes in virtual currency instead of real money. This allows certain gaming practices, resembling gambling, to continue unchecked.
- Ignoring loot boxes: The rules do not specifically address the issue of loot boxes, which have been controversial and deemed potential forms of gambling in many countries.
- Lack of collaboration: The current policy framework appears to be a unilateral effort by the Indian government without substantial consultation with relevant stakeholders, including industry experts and gamers.
Way Forward
- Strengthen the Regulatory Framework: Expand and make the current policy framework more comprehensive, including microtransactions and loot boxes, to tackle potential gambling-related issues.
- Collaborate with Industry Experts: Engage with gaming companies, cybersecurity experts, and gamers to gain insights into specific cybersecurity threats and devise effective regulations.
- Raise Awareness among Gamers: Educate users about cybersecurity threats, secure practices, and reporting mechanisms for suspicious activities.
- Invest in Robust Cybersecurity: Prioritize cybersecurity by investing in encryption, secure authentication, and regular security audits.
- Develop Reporting Mechanisms: Implement efficient reporting systems within gaming platforms to address cyber threats promptly.
- International Cooperation: Collaborate globally to share intelligence and best practices in combating cybercrime.
- Ethical Game Design: Encourage ethical practices that prioritize player well-being over excessive monetization.
Conclusion
- Online gaming is one of the fastest-growing sectors in the global entertainment and media industry and provides a powerful new platform to unite people from all around the world. Consequently, we need to ensure that the industry continues to grow in a safe and responsible manner, and that bad actors looking to tarnish the experience for others are dealt with accordingly.
IoT & SMART technology threats from China: Pathways for India’s military
From UPSC perspective, the following things are important:
Prelims level: SMART Tech applications
Mains level: SMART Technology, significance, challenges and security threats
What’s the news?
- Chinese software technologies and applications that were once widespread are now facing bans and restrictions worldwide due to data leaks, vulnerabilities, and national security risks.
Central Idea
- While many countries have taken action against Chinese applications, there still exists a concerning lack of clarity on the security risks posed by SMART products with Chinese data sensors, components, and modules. In the context of India’s military establishment, these risks can have significant ramifications.
What is SMART technology?
- SMART technology is a term used to describe devices and systems that have advanced capabilities, connectivity, and the ability to gather and analyze data to make intelligent decisions or respond to user commands.
- SMART technology is an integral part of the broader concept of the Internet of Things (IoT), where everyday objects and devices are connected to the internet and can communicate with each other and with users.
- SMART technology enhances convenience, efficiency, and automation in various aspects of daily life.
Common examples of SMART technology
- SMART Home Devices: Devices like SMART thermostats, SMART lighting systems, SMART speakers (e.g., Amazon Echo, Google Home), and SMART security cameras that can be controlled remotely via a smartphone or voice commands.
- SMART Wearables: Fitness trackers, SMART watches, and other wearable devices that monitor health metrics and activities and sync the data with smartphones or computers.
- SMART Appliances: SMART refrigerators, washing machines, and ovens that can be controlled and monitored through apps on smartphones.
- SMART Cars: Automobiles equipped with advanced sensors and connectivity that can provide real-time navigation, diagnostics, and safety features.
Growing Adoption of SMART Technology
- Increasing Popularity: SMART technology is gaining popularity in various residential and office spaces in India.
- Diverse SMART Products: SMART CCTVs, air conditioners, refrigerators, coffee machines, printers, bulbs, and more are among the diverse SMART products being adopted.
- Remote Operation: These SMART devices offer remote operation and adaptability to user preferences.
- IoT Sector Growth: The IoT sector in India is projected to reach a turnover of US$1.1 billion by 2023, with significant growth observed in the market for IoT products (264 percent increase in Q2 2022).
Security Concerns with SMART Technology
- Ambiguity in Bans: Despite bans on Chinese applications and technology in various countries (UK, US, New Zealand, India), concerns persist regarding SMART products with Chinese data sensors, components, and modules.
- Dependency on Chinese Components: Even SMART products manufactured in the West rely on China for critical data sensors, modules, and transmitters.
- Backend Dependency: Chinese servers often handle data storage and software upgrades for SMART products, creating potential security vulnerabilities.
- Data Transmission Risks: SMART devices could be susceptible to data transmission back to China through embedded backdoors and listening channels.
- UK Report Findings: A report in the UK raised alarms about the potential use of Chinese SMART components to track officials, stifle industrial activity, and harvest sensitive military information.
Addressing Security Concerns in India’s Military Establishments
- Formalizing Security Plans: India’s military needs to formalize strategies to address security concerns related to SMART technologies.
- Categorizing Vulnerable Devices: Analyzing and categorizing SMART products used in non-technical, non-operational military spaces for potential bans on devices relaying information to China.
- Thorough Vetting for New Implementations: Any new software or technologies implemented in military areas must undergo strict vetting for links with China, irrespective of their origin.
- Coherent and Institutionalized Approach: Adopting a coherent and institutionalized approach will enable proactive prevention of data leaks and breaches through SMART technologies and IoT with Chinese linkages, ensuring the safeguarding of sensitive military information.
Conclusion
- India’s military must adopt a coherent and institutionalized approach to prevent data leaks and breaches. Ignoring this reality could leave the country’s military vulnerable to significant security threats. By addressing the risks and establishing robust security measures, India can safeguard its national security and protect sensitive military information from falling into the wrong hands.
CERT-IN warns against Akira Ransomware
From UPSC perspective, the following things are important:
Prelims level: Akira Ransomware
Mains level: Not Much
Central Idea
- The Computer Emergency Response Team of India (CERT-In) issued a warning about the Akira ransomware, a highly dangerous cyber threat that has been wreaking havoc on corporate networks worldwide.
What is the Akira Ransomware?
- Encryption and Data Theft: Akira ransomware encrypts sensitive data on targeted devices and appends the “akira” extension to filenames, making the files inaccessible to users.
- Shadow Volume Deletion: The ransomware deletes Windows Shadow Volume copies, hindering data recovery options for affected organizations.
- Ransom Demands: The ransomware operators extort victims with a double ransom, demanding payment for decryption and recovery and threatening to leak the stolen sensitive data on their dark web blog if payment is not made.
Infection and Working Mechanism
- Spread Methods: Akira ransomware is primarily distributed through spear-phishing emails with malicious attachments, drive-by downloads, and specially crafted web links. It also exploits insecure Remote Desktop connections to infiltrate systems.
- Selective Encryption: The ransomware avoids encrypting specific system folders to maintain system stability.
- Negotiation Process: Each victim is given a unique negotiation password to communicate with the ransomware gang via the threat actor’s Tor site.
Major targets
- Corporate Networks: Akira ransomware targets corporate networks across various sectors, including education, finance, real estate, manufacturing, and consulting.
- Data Exfiltration: In addition to encryption, the threat actors steal sensitive corporate data, using it as leverage in their extortion attempts.
Protective Measures against Akira Ransomware
- Regular Backups: Maintain up-to-date offline backups to ensure data recovery in case of an attack.
- System Updates: Regularly update operating systems and networks, and implement virtual patching for legacy systems.
- Email Authentication: Establish Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) to prevent email spoofing and spam.
- Strong Authentication: Enforce strong password policies and multi-factor authentication (MFA) to secure user accounts.
- Data Encryption: Implement data-at-rest and data-in-transit encryption to protect sensitive information.
- Attachment Blocking: Block suspicious attachment file types like .exe, .pif, or .url to prevent malicious downloads.
- Security Audits: Conduct regular security audits, especially for critical networks and database servers, to identify vulnerabilities.
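Two of the measures above (email authentication and attachment blocking) can be checked mechanically. The following is an added example, not code from CERT-In or the page: a script that extracts attachment filenames from a message and rejects the blocked types, and that parses a domain's DMARC TXT record to confirm the policy actually enforces. The sample message and DNS records are constructed; the extra extensions beyond `.exe`, `.pif` and `.url` are an assumption, not the advisory's list.

```python
"""Added example (not from CERT-In or the page): mail-gateway style checks
for the advisory's attachment-blocking and DMARC measures. The sample
message and DMARC records below are constructed, not captured."""
import email
from email import policy

# The advisory names .exe, .pif and .url; the remaining entries are an
# assumption covering other directly executable types.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".url", ".scr", ".com", ".bat", ".js", ".vbs", ".hta"}


def attachment_names(raw_message: bytes):
    """Return the filenames of all attachments in an RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def blocked_attachments(raw_message: bytes):
    """Return attachment names whose final extension is on the block list.
    Double extensions such as 'invoice.pdf.exe' are judged by the last one."""
    hits = []
    for name in attachment_names(raw_message):
        lower = name.lower().strip()
        if any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def parse_dmarc(txt_record: str):
    """Parse a DMARC TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for item in txt_record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_is_enforcing(txt_record: str) -> bool:
    """True only for a valid DMARC record whose policy is quarantine or reject
    applied to 100% of mail; p=none or pct<100 leaves spoofed mail deliverable."""
    tags = parse_dmarc(txt_record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return False
    try:
        return int(tags.get("pct", "100")) == 100
    except ValueError:
        return False


# Constructed sample message carrying a double-extension attachment.
SAMPLE_MESSAGE = b"""From: accounts@example.invalid
To: staff@example.invalid
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed DMARC records: monitoring-only versus enforcing.
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
DMARC_ENFORCING = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"

if __name__ == "__main__":
    print("blocked:", blocked_attachments(SAMPLE_MESSAGE))
    for rec in (DMARC_MONITOR_ONLY, DMARC_ENFORCING):
        print(rec, "->", "enforcing" if dmarc_is_enforcing(rec) else "NOT enforcing")
```

A DMARC record with `p=none` satisfies a checklist but rejects nothing; the check above treats it as not deployed, which is the reading a gateway operator needs.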
Cyberattacks: India’s Opportunity To Conceptualize Global Cyber Security Framework
From UPSC perspective, the following things are important:
Prelims level: Ransomware, Recent events of Cyberattacks and malwares
Mains level: Cyberattacks, cyber security infrastructure. Read the attached article
Central Idea
- The past few weeks have highlighted the soft underbelly of our fast-expanding digital networks. Ransomware has emerged as the most predominant form of malicious cyberattack: the perpetrators demand hefty payments for the release of withheld data. Data show that over 75% of Indian organisations have faced such attacks, with each breach costing an average of ₹35 crore in damage.
Two recent ransomware attacks
- Ransomware attack on AIIMS: The first was the ransomware attack on the servers of India’s premier institute, the All-India Institute of Medical Sciences. Nearly 40 million health records were compromised and it took over two weeks for the systems to be brought back online.
- BlackCat breached Solar Industries Ltd.: Soon afterwards, a ransomware gang, BlackCat, breached the parent company of Solar Industries Limited, one of the Ministry of Defence’s ammunition and explosives manufacturers, and extracted over 2 terabytes of data.
What is meant by cyber-attack?
- Cyberattacks are unwelcome attempts to steal, expose, alter, disable or destroy information through unauthorized access to computer systems.
- These attacks can target various entities such as governments, businesses, organizations, or individuals, and can have serious consequences such as theft of sensitive information, financial loss, reputational damage, or disruption of critical services.
Who is behind cyberattacks?
- Criminal organizations, state actors and private persons can launch cyberattacks against enterprises. One way to classify cyberattack risks is by outsider versus insider threats.
- Outsider threats: External cyber threats include organized criminals or criminal groups; professional hackers, such as state-sponsored actors; and amateur hackers, such as hacktivists.
- Insider threats: Insider threats are users who have authorized and legitimate access to a company’s assets and abuse them either deliberately or accidentally. They include employees careless of security policies and procedures; disgruntled current or former employees; and business partners, clients, contractors or suppliers with system access.
Growing vulnerability
- There is malware that can infect all kinds of computer systems: With the lines between the physical and digital realms blurring rapidly, every critical infrastructure, from transportation and power to banking systems, would become extremely vulnerable to assaults from hostile state and non-state actors.
- For instance, cyber capabilities are also playing a pivotal role: As seen in the ongoing conflict in Ukraine, where electronic systems in warheads, radars and communication devices have reportedly been rendered ineffective using hacking and GPS jamming.
- Cyber security breaches would only increase: With the introduction of 5G and the arrival of quantum computing, the potency of malicious software, and the avenues for digital security breaches, would only increase.
- For instance, this year cybercrimes are expected to cause damage worth an estimated $8 trillion worldwide.
India’s cybersecurity architecture
- CERT-In: In 2022, the Indian Computer Emergency Response Team (CERT-In), which is India’s cybersecurity agency, introduced a set of guidelines for organisations to comply with when connected to the digital realm. This included the mandatory obligation to report cyberattack incidents within hours of identifying them, and designating a pointsperson with domain knowledge to interact with CERT-In.
- Draft Digital Personal Protection Bill, 2022: India’s draft Digital Personal Protection Bill 2022 proposes a penalty of up to ₹500 crore for data breaches.
- Defence Cyber Agency (DCyA): Recently, India’s armed forces created a Defence Cyber Agency, capable of offensive and defensive manoeuvres. All Indian States have their own cyber command and control centres.
- Cybercrime Co-ordination centre: The Indian Cybercrime Co-ordination Centre (I4C) established by the Ministry of Home Affairs, acts as a nodal point in the response against cybercrime by coordinating with state police forces across the country. It also co-ordinates the implementation of mutual legal assistance treaties (MLAT) with other countries.
Have you heard about “Bluebugging”?
- It is a form of hacking that lets attackers access a device through its discoverable Bluetooth connection.
- Once a device or phone is blue-bugged, a hacker can listen to the calls, read and send messages and steal and modify contacts.
- It started out as a threat for laptops with Bluetooth capability. Later hackers used the technique to target mobile phones and other devices.
Limitations In India’s cybersecurity infrastructure
- Lack of tools to identify: Most organisations lack the tools to identify cyberattacks, let alone prevent them.
- Scarcity of cybersecurity professionals: India also faces an acute scarcity of cybersecurity professionals. India is projected to have a total workforce of around 3,00,000 people in this sector, in contrast to the 1.2 million people in the United States.
- Private sector participation is limited: Most of our organizations are in the private sector, and their participation remains limited in India’s cybersecurity structures.
Global understanding is essential
- International cooperation is critical: With most cyberattacks originating from beyond our borders, international cooperation would be critical to keep our digital space secure. It would also be a cause which would find resonance abroad.
- Cybersecurity treaties: India has already signed cybersecurity treaties with countries including the United States, Russia, the United Kingdom, South Korea and the European Union.
- Multinational frameworks are there but there is no truly global framework: Even in multinational frameworks such as the Quad and the I2U2 (which India is a member of) there are efforts to enhance cooperation in cyber incident responses, technology collaboration, capacity building, and in the improvement of cyber resilience. Yet, there is no truly global framework, with many operating in silos.
- UNGA established two processes on ICT: The United Nations General Assembly established two processes on the issues of security in the information and communication technologies (ICT) environment.
- The Open-ended Working Group (OEWG), comprising the entire UN membership, established through a resolution by Russia.
- The other is the resolution by the U.S., on the continuation of the Group of Governmental Experts (GGE), comprising 25 countries from all the major regions.
- Differ vastly on many aspects of Internet: The two antagonistic permanent members of the UN Security Council, counted among India’s most important strategic partners, differ vastly on many aspects of the Internet, including openness, restrictions on data flow, and digital sovereignty. Amidst the turbulent current world events, these UN groups would struggle to have effective dialogues.
Conclusion
- The G-20 summit this year in India, which will see participation by all the stakeholders driving the global levers of power, is a rare opportunity to bring together domestic and international engagement groups across the spectrum, and steer the direction of these consultations. India could make an effort to conceptualize a global framework of common minimum acceptance for cybersecurity. This would be one of the most significant contributions made by any nation towards collective security in modern times.
The world of Cyberspace and Cyber sovereignty
From UPSC perspective, the following things are important:
Prelims level: NA
Mains level: Cyber space, cyber sovereignty and its implications
Context
- A state’s desire to control ‘cyberspace’ within its borders is achieved by exercising what is called ‘cyber sovereignty’. While some countries such as the United States (US) support the free flow of information, others like China, by default, restrict the flow for its citizens, leading to the fragmentation of the internet.
What is meant by cyber threat?
- A cyber threat or cyber security threat is defined as a malicious act intended to steal or damage data or disrupt the digital wellbeing and stability of an enterprise.
- Cyber threats include a wide range of attacks ranging from data breaches, computer viruses, denial of service, and numerous other attack vectors.
What is cyberspace?
- Defined by Cyber security expert Daniel Kuehl: cyberspace is a global domain within the information system whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange, and exploit information via independent and interconnected networks using information-communication technologies.
- Traditionally three layers of cyberspace: Traditionally, cyberspace was understood only in three layers: the physical/hardware, neural/software, and data.
- Fourth layer of social interaction and sovereignty: Alexander Klimburg, in his book The Darkening Web, introduced a fourth layer that deals with the social interaction among the three layers: “If cyberspace can be said to have a soul or mind, this is where it is.” Establishing control over all the layers is necessary to build sovereignty in cyberspace.
What is Cyber sovereignty?
- Term coined by Bruce Schneier: One of the leading voices in internet governance, Bruce Schneier, has coined the term for the attempt of governments to take control over sections of the internet within their borders.
- It is about Internet governance: The term cyber sovereignty stems from internet governance and usually means the ability to create and implement rules in cyberspace through state governance.
- Cyber sovereignty does not necessarily mean governance by a state: Cyber sovereignty does not necessarily have to mean governance by a state. It first and foremost refers to the ability to create and implement rules in cyberspace. Alternatively, one could say it refers to the authority to speak the law, i.e., having jurisdiction, in cyberspace.
- Technology that drives policy decisions: In contrast to other technologies whose development is driven by policy, here it is technology which drives policy decisions. These characteristics make cyberspace governance complex and lead to confrontations among states and other stakeholders.
Whether states should be held accountable for cyber-attacks emanating from their territory?
- Sovereignty as defined by ICJ: The International Court of Justice (ICJ) defines sovereignty as that which confers rights upon states and imposes obligations on them. This implies that states must control their cyber infrastructure and prevent it from being knowingly or unknowingly used to harm other states and non-state actors.
- Who comes under the cyber sovereignty ambit: The state, or the citizens of the state, if involved in attacking other states or non-state actors’ cyber facilities, also come under the ambit of cyber sovereignty.
Implications of Cyber sovereignty
- Cyber sovereignty restricts the free flow of information: The internet was created to promote the free flow of information, but cyber sovereignty works the other way around. Restricting the flow of information can also put global businesses at risk due to the lack of interoperability it leads to.
- It may lead to data imperialism: Control over the data could lead to new forms of colonialism and imperialism, commonly referred to as ‘data colonisation’ and ‘data imperialism’ in the digital era. States and private players can overreach their powers and violate human rights through cyberspace surveillance, controlling information flow, and enforcing internet shutdowns.
- Implications from the fragmentation of the internet to violation of human rights: The implications are broad, impinging on citizens’ rights such as privacy, freedom of expression, access to information, press freedom, freedom of belief, non-discrimination and equality, freedom of assembly, freedom of association, due process and personal security.
- For instance: Access to geolocation data can give insights into people who participated in a protest. Further, based on a user’s online behaviour, it is possible to determine a person’s sexual orientation, political affiliation and religious beliefs.
Example to understand the Implication of cyber sovereignty
- In 2009, seeking justice for their co-workers whom the Han Chinese killed in a doll factory, Uighurs, a Muslim minority community in China, organised a protest using Facebook and Uighur-language blogs.
- Following this incident, Facebook and Twitter were blocked across the country, and the internet was shut down for ten months in the region.
- Following the incident, the Chinese government, with the help of the private sector, developed AI-enabled applications like the Integrated Joint Operations Platform (IJOP) to monitor the daily activities of Uighur Muslims. This app obtains information like skin colour, facial features, properties owned, payments, and personal relationships, and reports any suspicious activity. An investigation is initiated if the system flags a person. Data is gathered 24/7 to carry out mass surveillance.
Value addition notes: Consider these for Essays
- Unlike other spaces such as land, sea, air, and outer space, cyberspace was created by humans; therefore, complete control can be established over it.
- Countries have tried to frame policies and rules to regulate cyberspace by building the necessary infrastructure.
- This can be seen as either a defensive mechanism that states use to protect their own critical infrastructure or a framework adopted to exploit other states’ resources.
- It has led to a security dilemma and added fuel to the fire of great-power politics.
- Realising its importance, states have started to see cyberspace as equivalent to physical territory, and are building virtual walls to protect their ‘cyber territory’ with the help of various technologies.
Conclusion
- It is often said that information is wealth; competition has developed between states, and between state and non-state actors, to control and access this wealth. The dichotomy of states trying to protect the data generated in their territory by introducing data protection laws while simultaneously wanting to exploit other states’ data is adding to the complexity.
Mains question
Q. Technological advancements have made cyberspace an integral part of human lives. In this context, what do you understand by cyber sovereignty? Discuss the implications of cyber sovereignty.
Draft cybersecurity strategy has been formulated: Centre
From UPSC perspective, the following things are important:
Prelims level: NA
Mains level: National cybersecurity strategy
The National Security Council Secretariat (NSCS) has formulated a draft National Cyber Security Strategy, which holistically looks at addressing the issue of security of national cyberspace, the government informed the Lok Sabha.
What is the National Cyber Security Strategy?
Conceptualised by the Data Security Council of India (DSCI), the report focuses on 21 areas to ensure a safe, secure, trusted, resilient, and vibrant cyberspace for India.
The main sectors of focus of the report are:
- Large-scale digitisation of public services: There needs to be a focus on security in the early stages of design in all digitisation initiatives, and on developing institutional capability for assessment, evaluation, certification, and rating of core devices.
- Supply chain security: There should be robust monitoring and mapping of the supply chain of information and communication technology (ICT) and electronics products. Product testing and certification need to be scaled up, and the country’s semiconductor design capabilities must be leveraged globally.
- Critical information infrastructure protection: The supervisory control and data acquisition (SCADA) security should be integrated with enterprise security. A repository of vulnerabilities should also be maintained.
- Digital payments: There should be mapping and modelling of the devices and platforms deployed, transacting entities, payment flows, interfaces and data exchange, as well as threat research and sharing of threat intelligence.
- State-level cyber security: State-level cybersecurity policies and guidelines for security architecture, operations, and governance need to be developed.
What steps does the report suggest?
To implement cybersecurity in the above-listed focus areas, the report lists the following recommendations:
- Budgetary provisions: A minimum allocation of 0.25% of the annual budget, which can be raised up to 1%, has been recommended to be set aside for cyber security.
- Ministry-wise allocation: In terms of separate ministries and agencies, 15-20% of the IT/technology expenditure should be earmarked for cybersecurity.
- Setting up a Fund of Funds: The report also suggests setting up a Fund of Funds for cybersecurity and to provide central funding to States to build capabilities in the same field.
- R&D, skill-building and technology development: The report suggests investing in modernisation and digitisation of ICTs, setting up a short and long term agenda for cyber security via outcome-based programs and providing investments in deep-tech cyber security innovation.
- National framework for certifications: Furthermore, a national framework should be devised in collaboration with institutions like the National Skill Development Corporation (NSDC) and ISEA (Information Security Education and Awareness) to provide global professional certifications in security.
- Creating a ‘cyber security services’: The DSCI further recommends creating a ‘cyber security services’ with cadre chosen from the Indian Engineering Services.
- Crisis management: For adequate preparation to handle crisis, the DSCI recommends holding cybersecurity drills which include real-life scenarios with their ramifications. In critical sectors, simulation exercises for cross-border scenarios must be held on an inter-country basis.
- Cyber insurance: Cyber insurance, being a field yet to be researched, must be given an actuarial science to address cybersecurity risks in business and technology scenarios and to calculate threat exposures.
- Cyber diplomacy: Cyber diplomacy plays a huge role in shaping India’s global relations. To further better diplomacy, the government should promote brand India as a responsible player in cyber security and also create ‘cyber envoys’ for the key countries/regions.
- Cybercrime investigation: It also suggests charting a five-year roadmap factoring in possible technology transformation, setting up exclusive courts to deal with cybercrimes, and removing the backlog of cybercrime cases by increasing the number of centres providing opinions on digital evidence under section 79A of the IT Act.
- Advanced forensic training: Moreover, the DSCI suggests advanced forensic training for agencies to keep up in the age of AI/ML, blockchain, IoT, cloud, automation.
- Cooperation among agencies: Law enforcement and other agencies should partner with their counterparts abroad to seek information from service providers overseas.
What next?
- India has to contend with the importance and necessity of cyber offences as much as cyber defence.
- As of today, India’s primary or possibly only response measures appear to be defensive.
- India has to also invest in more offensive cyber means as a response.
What is Bluebugging?
From UPSC perspective, the following things are important:
Prelims level: Bluebugging
Mains level: Cyber security challenges
Cybersecurity experts note that apps that let users connect smartphones or laptops to wireless earbuds can record conversations, and are vulnerable to hacks through a process called Bluebugging.
What is Bluebugging?
- It is a form of hacking that lets attackers access a device through its discoverable Bluetooth connection.
- Once a device or phone is blue-bugged, a hacker can listen to the calls, read and send messages and steal and modify contacts.
- It started out as a threat for laptops with Bluetooth capability. Later hackers used the technique to target mobile phones and other devices.
- Independent security researcher Martin Herfurt blogged about the threat of bluebugging as early as 2004.
- He noted that the bug exploited a loophole in Bluetooth protocol, enabling it to download phone books and call lists from the attacked user’s phone.
How does bluebugging hack devices?
- Bluebugging attacks work by exploiting Bluetooth-enabled devices.
- The device’s Bluetooth must be in discoverable mode, which is the default setting on most devices.
- The hacker then tries to pair with the device via Bluetooth. Once a connection is established, hackers can use brute force attacks to bypass authentication.
- They can install malware in the compromised device to gain unauthorised access to it.
- Bluebugging can happen whenever a Bluetooth-enabled device is within a 10-metre radius of the hacker.
- However, according to a blog by VPN service provider NordVPN, hackers can use booster antennas to widen the attack range.
Why is it a big threat?
- Even the most secure smartphones like iPhones are vulnerable to such attacks.
- Any app with access to Bluetooth can record users’ conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets, some app developers say.
- Through Bluebugging, a hacker can gain unauthorised access to these apps and devices and control them as per their wish.
How can one prevent bluebugging?
Here are some of the ways to prevent bluebugging:
- Turning off Bluetooth and disconnecting paired Bluetooth devices when not in use,
- Updating the device’s system software to the latest version,
- Limiting the use of public Wi-Fi, and
- Using VPN as an additional security measure
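The first prevention item above rests on a precondition the article states: the adapter must be in discoverable mode. The following is an added example, not code from the article or any vendor: a host audit that parses the text printed by the Linux BlueZ tool `bluetoothctl show` and grades the adapter's exposure (discoverable with no timeout is worst, discoverable with a timeout is next, hidden but pairable is low). The sample output is constructed to have the shape of that command's output; the risk labels and the decision to treat a zero `DiscoverableTimeout` as permanent visibility are assumptions of this example.

```python
"""Added example (not from the article or any vendor): a check for the
precondition bluebugging relies on, a Bluetooth adapter left discoverable
(and pairable) to anyone in range. Parses `bluetoothctl show` output from
Linux BlueZ; the sample text below is constructed, not captured."""
import re
import subprocess


def parse_bluetoothctl_show(text: str) -> dict:
    """Turn the 'Key: value' lines of `bluetoothctl show` into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def bluetooth_exposure(text: str) -> dict:
    """Classify adapter exposure from parsed settings (risk labels are this
    example's own scale, not a standard)."""
    s = parse_bluetoothctl_show(text)
    powered = s.get("Powered", "no") == "yes"
    discoverable = s.get("Discoverable", "no") == "yes"
    pairable = s.get("Pairable", "no") == "yes"
    timeout_raw = s.get("DiscoverableTimeout", "0")
    # BlueZ prints the timeout in hex (0x...); accept decimal too.
    timeout = int(timeout_raw, 16) if timeout_raw.startswith("0x") else int(timeout_raw)
    if not powered:
        risk = "none"
    elif discoverable and timeout == 0:
        risk = "high"     # permanently visible to anyone in range
    elif discoverable:
        risk = "medium"   # visible until the timeout expires
    elif pairable:
        risk = "low"      # hidden, but still accepts pairing requests
    else:
        risk = "none"
    return {"powered": powered, "discoverable": discoverable, "pairable": pairable,
            "discoverable_timeout": timeout, "risk": risk}


def check_local_adapter() -> dict:
    """Run the real command on a Linux host with BlueZ installed."""
    out = subprocess.run(["bluetoothctl", "show"], capture_output=True,
                         text=True, check=True).stdout
    return bluetooth_exposure(out)


# Constructed samples in the shape of bluetoothctl output (not from a real device).
SAMPLE_EXPOSED = """Controller AA:BB:CC:DD:EE:FF (public)
    Name: laptop
    Alias: laptop
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
    Pairable: yes
"""
SAMPLE_HARDENED = """Controller AA:BB:CC:DD:EE:FF (public)
    Name: laptop
    Powered: yes
    Discoverable: no
    DiscoverableTimeout: 0x000000b4
    Pairable: no
"""

if __name__ == "__main__":
    for label, sample in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(label, bluetooth_exposure(sample))
```

On a fleet, `check_local_adapter()` is the kind of probe an endpoint-compliance job would run; anything graded above “none” maps directly to the first two prevention items in the list.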
Online Women safety
From UPSC perspective, the following things are important:
Prelims level: NA
Mains level: Cyber crimes and online safety of Women
Context
- India has one of the youngest youth demographics in the world and among the most active online. As online interactions increase, more content is created and shared among people, helping them form new and wonderful connections. Sometimes, however, these interactions also make them vulnerable to harm.
What constitutes online harassment of women?
- Sharing embarrassing and cruel content about a person, and impersonation
- Stalking and electronic surveillance
- Non-consensual use of photography
- Violent threats and hate speech
- Defamation
- Flaming: the use of vitriolic and hostile messages, including threats and insults
- Trolling
- The online harassment of women, sometimes called Cyber-sexism or cyber-misogyny, is specifically gendered abuse targeted at women and girls online.
- It incorporates sexism, racism and religious prejudice.
How are women disproportionately affected?
- Often women are blamed: Often, crimes that disproportionately impact women devolve into mass panic and lead to an all too predictable top-down discourse around the need to protect our sisters and daughters.
- Curbing the freedom of Women: The reaction, however well intentioned, will end up denying women their freedom and agency by their so-called protectors, many of whom are simply telling women to go offline, to be ashamed of expressing themselves, to stay in their lane.
What is the role of intermediaries in preventing such abuse?
- Making intermediary liable: As of now, the intermediaries are not liable for any third-party data or communication link hosted or stored by them.
- Mandatory Data retention by intermediaries: They are required to retain the requisite data for duration as prescribed by the Government and supply the same to the authorities concerned, as and when sought.
- Punishment for non-compliance: Any contravention attracts punishment as prescribed under the IT Act.
What are the Steps taken by the Government?
- IT rules 2021: The Ministry of Electronics and Information Technology notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
- Defined Categories of abuse: They include contents that are defamatory, obscene, pornographic, paedophilic, invasive of another’s privacy, insulting or harassing on the basis of gender, libellous, racially or ethnically objectionable, etc.
- Prohibition on derogatory publications: The intermediaries, on the direction of the court or appropriate government agency, are prohibited from hosting, storing or publishing any information declared unlawful.
- Removal of content within 24 hours: Within 24 hours from the receipt of a complaint from, or on behalf of, an individual about any offensive content, they are required to take all reasonable and practicable measures to remove or disable access to it.
- Meetings of parliamentary committees: Various parliament committees in India have held meetings to discuss the issue of online safety of women over the years, and part of the government’s motivation in notifying the new IT rules had been rooted in the growing concern regarding the safety and security of users, particularly women and children. These are very good tangible steps.
- Amendment in IT act should include the concerns of women: With the IT Act coming up for a rehaul, there is an opportunity to discuss in detail the nature of technology-facilitated abuse, capturing what this means, understanding how cases impact individuals as well as communities, the language needed to capture such offences and the punishment penalties, jail or even rehabilitation programmes for perpetrators. This could be the start of an era of evidence-based discussion.
Conclusion
- Despite these efforts, it is clear that women in India won’t feel safe online anytime soon unless society lets them. What could be helpful here is to elevate the public discourse around technology-facilitated abuse.
Mains Question
Q. How are women vulnerable to online abuse? What is the role of intermediaries in online abuse cases? What are the government’s efforts to make cyberspace women-friendly?
Cyber threats as a challenge to Internal Security
From UPSC perspective, the following things are important:
Prelims level: NA
Mains level: Cyber Threats and Cyber security measures
Context
- As the 21st century advances, a new danger, the cyber threat, is becoming a daily monster. It is hardly confined to any one domain, though the military is the one most often touted. Rather, it is the civilian sphere where the cyber threat is becoming more all-pervading today and, in turn, a serious menace.
What is meant by cyber threat?
- A cyber threat or cyber security threat is defined as a malicious act intended to steal or damage data or disrupt the digital wellbeing and stability of an enterprise.
- Cyber threats include a wide range of attacks ranging from data breaches, computer viruses, denial of service, and numerous other attack vectors.
How Cyber threat is ever increasing?
- Increasing Grey Zone Operations: Grey zone operations, which fall outside traditional concepts of conflict, have become the new battleground, especially in regard to cyber warfare. ‘Grey Zone Operations’ are already beginning to be employed to undermine the vital functions of a state, a trend likely to grow. The convergence of emerging technologies alongside new hybrid usages poses several challenges to nations and institutions.
- Attack on examination: The recent arrest in India of a Russian for hacking into computers involved in the conduct of examinations for entry into the Indian Institutes of Technology (IITs) is a reflection of how cybercriminals are significantly amplifying their ‘Grey Zone Warfare’ tactics.
- Pervasive nature of cyber threat: What is most unfortunate is that not enough attention is being bestowed on the all-encompassing nature of the cyber threat. In the wake of the Russia-Ukraine conflict, the world seems awash with papers on artificial intelligence (AI)-driven military innovations and potential crisis hot zones, along with stray references to new forms of hybrid warfare.
- Weaponization of everything: There is very little about the threat posed by cyber-attacks. Ignored also is the new reality of the ‘weaponization of everything’ which has entered the vocabulary of threats. The latter clearly demands a ‘proto-revolutionary’ outlook on the part of policymakers, which is evidently lacking.
- Becoming a Multi-dimensional threat: Lost in translation is also the nature of today’s weapon of choice, viz., cyber. This lack of awareness is unfortunate at a time when states clearly lack the necessary resilience to face a variety of multi-vector threats.
- Cyber weapon as symbol of national Power: Cyber space has been described by Lt. Gen. Rajesh Pant (retired), India’s current national cyber security coordinator, as a “superset of interconnected information and communication technology, hardware, software processes, services, data and systems”. Viewed from this perspective, it constitutes a critical aspect of our national power.
- Simultaneous attacks in multiple dimensions: Cyber threats are not confined to merely one set of conflicts such as Ukraine, where no doubt cyber tools are being extensively employed extending well beyond this and other conflicts of a varied nature. The cyber threat is in this sense all-pervading, embracing many regions and operating on different planes.
Challenges to India’s cyber security infrastructure
- Structural:
  - Absence of any geographical constraints.
  - Lack of uniformity in the devices used for internet access.
- Administrative:
  - Lack of a national-level architecture for cybersecurity.
  - Security audits do not occur periodically, nor do they adhere to international standards.
  - The appointment of the National Cyber Security Coordinator in 2014 has not been supplemented by creating liaison officers in the states.
- Procedural:
  - Lack of awareness in local police of the various provisions of the IT Act, 2000, and of the IPC provisions related to cybercrime.
  - Lack of a data protection regime.
- Human resource related:
  - Inadequate awareness among people about the security of devices and online transactions.
What are the Steps taken by India to strengthen cyber security?
- Section 66F of ITA: Specific provision dealing with the issue of cyber terrorism that covers denial of access, unauthorized access, introduction of computer contaminant leading to harm to persons, property, critical infrastructure, disruption of supplies, ‘sensitive data’ thefts. Provides for punishment which may extend to life imprisonment.
- National Cyber Security Policy 2013: Policy document drafted by the Department of Electronics and Information Technology. It established the National Critical Information Infrastructure Protection Centre (NCIIPC) to improve the protection and resilience of the country’s critical information infrastructure, and aimed to create a workforce of 5 lakh professionals skilled in cybersecurity in the next 5 years.
- National Critical Information Infrastructure Protection Centre (NCIIPC): It has been set up to enhance the protection and resilience of the nation’s critical information infrastructure. It functions under the National Technical Research Organization (NTRO).
- Computer Security through CERT-IN: Organization under the Ministry of Electronics and Information Technology with an objective of securing Indian cyberspace. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country. According to the provisions of the Information Technology Amendment Act 2008, CERT-In is responsible for overseeing the administration of the Act.
- Cyber Surakshit Bharat Initiative: It was launched in 2018 with an aim to spread awareness about cybercrime and build capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
- Cyber Crisis Management Plan (CCMP): It aims at countering cyber threats and cyber-terrorism.
- National Cyber Coordination Centre (NCCC): It seeks to generate necessary situational awareness of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual entities. National Cyber Security Coordinator (NCSC) under National Security Council Secretariat (NSCS) coordinates with different agencies at the national level for cyber security matters.
- Cyber Swachhta Kendra: This platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.
- Information Security Education and Awareness Project (ISEA): Training of personnel to raise awareness and to provide research, education, and training in the field of Information Security.
Conclusion
- With several non-state actors engaging in hybrid warfare and disrupting day-to-day practices, including examinations, legal, ethical and real dilemmas arise. Left unchecked, the world may have to confront a new kind of Wild West before states find a common denominator for regulating cyber space and lay down proper rules and practices to prevent anarchy and chaos.
Mains Question
Q. Cyber threats are intruding into the daily life of citizens and making internal security a more challenging task. Comment on the policy loopholes in India’s fight against cyber threats.
Cyber Security – CERTs, Policy, etc
Making India’s Quantum Cyberspace resilient
From UPSC perspective, the following things are important :
Prelims level: Quantum Technology
Mains level: Cyber security, Quantum Technology applications, advantages and disadvantages.
Context
- The Army has collaborated with industry and academia to build secure communications and cryptography applications. This step builds on last year’s initiative to establish a quantum computing laboratory at the military engineering institute in Mhow, Madhya Pradesh.
What is meant by quantum computing?
- Quantum computing is an area of study focused on the development of computer-based technologies centred around the principles of quantum theory.
- Quantum computing studies computation systems that make direct use of quantum-mechanical phenomena to perform operations on data.
- Classical computers encode information in bits. Each bit can take the value of 1 or 0. These 1s and 0s act as on/off switches that ultimately drive computer functions.
What is quantum Theory?
- Quantum theory explains the nature and behavior of energy and matter on the quantum (atomic and subatomic) level. Quantum theory is the theoretical basis of modern physics.
- The nature and behavior of matter and energy at that level is sometimes referred to as quantum physics and quantum mechanics.
What is quantum computing laboratory that the Army has set up?
- Two research centres: The Army has set up a quantum computing laboratory and a centre for artificial intelligence (AI) at a military engineering institute in Madhya Pradesh. The Army will get support from the National Security Council Secretariat (NSCS).
- Purpose of the quantum lab: To spearhead research and training in this key developing field. The Army said it is making steady and significant strides in the field of emerging technologies.
- To train personnel in cyber warfare: Training in cyber warfare is being imparted through a state-of-the-art cyber range and cyber security labs.
- The Focus areas: Key thrust areas are quantum key distribution, quantum communication and quantum computing, among others.
What is the rationale behind this development?
- To provide facility centre for extensive and dedicated research: The two centres will carry out extensive research in developing transformative technologies for use by the armed forces.
- To transform the current system of cryptography: Research undertaken by the Army in the field of quantum technology will help it leapfrog into the next generation of communication and transform the current system of cryptography to post-quantum cryptography.
- Developing quantum resistant systems: With traditional encryption models at risk and increasing military applications of quantum technology, the deployment of quantum-resistant systems has become the need of the hour.
- Vulnerable existing digital infrastructure: Current encryption standards, which could be broken by quantum computers, need to be upgraded. Current protocols like RSA will quickly become outdated. This means that quantum cyber attacks could potentially breach any hardened target, opening a significant vulnerability for existing digital infrastructure. Hack-proofing these systems will require considerable investment.
- To keep pace with leading nations in this sector: For example, the US National Quantum Initiative Act has already allocated $1.2 billion for research in defence-related quantum technology. China now hosts two of the world’s fastest quantum computers.
What are India’s developments in this sector so far?
- National Mission on Quantum Technologies and Applications: In 2019, the Centre declared quantum technology a “mission of national importance”. The Union Budget 2020-21 had proposed to spend Rs 8,000 crore on the newly launched National Mission on Quantum Technologies and Applications.
- Successfully demonstrated a Quantum Key Distribution (QKD) link: In February 2022, a joint team of the Defence Research and Development Organisation and IIT Delhi successfully demonstrated a QKD link between two cities in UP, Prayagraj and Vindhyachal, located 100 kilometres apart.
What are the challenges facing India?
- Current capabilities are not sufficient: Currently, India has very few capabilities in developing advanced systems capable of withstanding quantum cyber attacks.
- The China challenge: China’s quantum advances expand the spectre of quantum cyber attacks against India’s digital infrastructure, which already faces a barrage of attacks from Chinese state-sponsored hackers.
- Dependence on foreign hardware: India’s heavy dependence on foreign hardware, particularly Chinese hardware, is an additional vulnerability.
How can India make its cyberspace resilient?
- Procuring a quantum-resistant mechanism from the US: India must consider procuring the United States National Security Agency’s (NSA) Suite B Cryptography Quantum-Resistant Suite as its official encryption mechanism. The NSA is developing new algorithms for its cipher suite that are resistant to quantum cyber attacks. This can then facilitate India’s official transition to quantum-resistant algorithms.
- Enhancing cryptographic standards: The Indian Defence establishment can consider emulating the cryptographic standards set by the US’s National Institute of Standards and Technology (NIST) which has developed a series of encryption tools to handle quantum computer attacks. It has developed a series of four algorithms to frame a post-quantum cryptographic standard.
- Diplomatic partnerships in this sector: Diplomatic partnerships with other techno-democracies (countries with top technology sectors, advanced economies, and a commitment to liberal democracy) can help India pool resources and mitigate emerging quantum cyber threats.
- Active participation in global avenues: Active participation in the Open Quantum Safe project, a global initiative started in 2016 for prototyping and integrating quantum-resistant cryptographic algorithms.
- Providing funds and encouragement: India must start its national initiatives to develop quantum-resistant systems. For this, the government can fund and encourage existing open-source projects related to post-quantum cryptography.
- Start implementing the capabilities: The country should start implementing and developing capabilities in quantum-resistant communications, specifically for critical strategic sectors. QKD over long distances, especially connecting military outposts for sensitive communications, can be prioritised to ensure secure communications whilst protecting key intelligence from potential quantum cyber attacks.
- Establishing nationwide network: Establish a nationwide communication network integrated with quantum cryptographic systems, thereby protecting cyberspace from any cross-border quantum cyber offensive.
Conclusion
- The world is moving towards an era in which the applications of quantum physics in strategic domains will soon become a reality, increasing cyber security risks. India is getting there slowly but steadily. India needs a holistic approach to tackle these challenges. At the heart of this approach should be the focus on post-quantum cyber security.
Mains Question
Q. The world is moving towards an era in which applications of quantum physics in strategic domains will soon become a reality, increasing cyber security threats. In this context, what steps can India take to make its cyberspace resilient and quantum-resistant? Discuss.
Cyber Security – CERTs, Policy, etc
Cybercrime in India
From UPSC perspective, the following things are important :
Prelims level: Indian Evidence Act
Mains level: Cybersecurity
Context
- There has been a steady spike in cases of cybercrime in the last five years.
What is a cybercrime?
- Cybercrime is any criminal activity that involves a computer, networked device or a network. While most cybercrimes are carried out in order to generate profit for the cybercriminals, some cybercrimes are carried out against computers or devices directly to damage or disable them.
What does the data say?
- India reported 52,974 cases of cybercrime in 2021, an increase of over 5 per cent from 2020 (50,035 cases) and over 15 per cent from 2019 (44,735 cases), according to the latest government data.
How many cyber criminals are caught in India?
- In 2020, over 18,400 people were arrested on account of cyber-crimes across India.
Who is responsible for cyber security: the Centre or the States?
- With ‘police’ and ‘public order’ being in the State List, the primary obligation to check crime and create the necessary cyberinfrastructure lies with States.
- At the same time, with the IT Act and major laws being central legislations, the central government is no less responsible for evolving uniform statutory procedures for the enforcement agencies.
Status of cyber investigation
- There is no separate procedural code for the investigation of cyber or computer-related offences.
- As electronic evidence is entirely different in nature when compared with evidence of traditional crime, laying down standard and uniform procedures to deal with electronic evidence is essential.
What are general guidelines for cyber investigation?
- The broad ‘guidelines for the identification, collection, acquisition and preservation of digital evidence’ are given in the Indian Standard IS/ISO/IEC 27037:2012, issued by the Bureau of Indian Standards (BIS).
- This document is fairly comprehensive and easy to comprehend for both the first responder (who could be an authorised and trained police officer of a police station) as well as the specialist (who has specialised knowledge, skills and the abilities to handle a wide range of technical issues).
- The guidelines, if followed meticulously, may ensure that electronic evidence is neither tampered with nor subject to spoliation during investigation.
What is the meaning of digital evidence or electronic evidence?
- Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud.
Arjun Khotkar vs Kailash Gorantyal Judgement
- The Court held that a certificate under Section 65B(4) of the Indian Evidence (IE) Act was a mandatory pre-requisite for the admissibility of (secondary) electronic record if the original record could not be produced.
What is the Indian Evidence Act?
- The Indian Evidence Act, originally passed in India by the Imperial Legislative Council in 1872, during the British Raj, contains a set of rules and allied issues governing admissibility of evidence in the Indian courts of law.
Judicial activism for cyber security
- A significant attempt has been made by the higher judiciary in this field as well. As resolved in the Conference of the Chief Justices of the High Courts in April 2016, a five-judge committee was constituted in July 2018 to frame draft rules which could serve as a model for the reception of digital evidence by courts.
- The committee, after extensive deliberations with experts, the police and investigation agencies, finalised its report in November 2018, but the suggested Draft Rules for the Reception, Retrieval, Authentication and Preservation of Electronic Records are yet to be given a statutory force.
What needs to be done?
- Upgrade cyber labs: The cyber forensic laboratories of States must be upgraded with the advent of new technologies.
- Digital rupee: Offences related to cryptocurrency remain under-reported as the capacity to solve such crimes remains limited. The central government has proposed launching a digital rupee using blockchain technology soon.
- Empowering states: State enforcement agencies need to be ready for new technologies. The Centre helps in upgrading the State laboratories by providing modernisation funds, though the corpus has gradually shrunk over the years.
- Need for localisation of data: Most cybercrimes are trans-national in nature with extra-territorial jurisdiction. The collection of evidence from foreign territories is not only difficult but also tardy.
Conclusion
- Centre and States must not only work in tandem and frame statutory guidelines to facilitate investigation of cybercrime but also need to commit sufficient funds to develop much-awaited and required cyber infrastructure.
Mains question
Q. With the increasing use of computers in society, cybercrime has become a major issue. Analyse the loopholes in India’s cyber security regime and give suggestions to rectify them.
Cyber Security – CERTs, Policy, etc
India’s new VPN Rules
From UPSC perspective, the following things are important :
Prelims level: VPN, Cert-In
Mains level: Cyber security challenges for India
On April 28, the Indian Computer Emergency Response Team (CERT-In) passed a rule mandating VPN (virtual private network) providers to record and keep their customers’ logs for 180 days.
What is VPN?
- A VPN establishes a protected network connection when using public networks.
- It encrypts internet traffic and disguises a user’s online identity.
- This makes it more difficult for third parties to track your activities online and steal data.
- The encryption takes place in real time.
How does a VPN work?
- A VPN hides your IP address by redirecting your traffic through a specially configured remote server run by a VPN host.
- This means that if you surf online with a VPN, the VPN server becomes the source of your data.
- This means your Internet Service Provider (ISP) and other third parties cannot see which websites you visit or what data you send and receive online.
- A VPN works like a filter that turns all your data into “gibberish”. Even if someone were to get their hands on your data, it would be useless.
Why do people use VPN?
- Secure encryption: A VPN connection disguises your data traffic online and protects it from external access. Unencrypted data can be viewed by anyone who has network access and wants to see it. With a VPN, hackers and cyber criminals can’t decipher this data.
- Disguising whereabouts: VPN servers essentially act as your proxies on the internet. Because the location data comes from a server in another country, your actual location cannot be determined.
- Data privacy is held: Most VPN services do not store logs of your activities. Some providers, on the other hand, record your behaviour, but do not pass this information on to third parties. This means that any potential record of your user behaviour remains permanently hidden.
- Access to regional content: Regional web content is not always accessible from everywhere. Services and websites often contain content that can only be accessed from certain parts of the world.
- Secure data transfer: If you work remotely, you may need to access important files on your company’s network. For security reasons, this kind of information requires a secure connection. To gain access to the network, a VPN connection is often required.
What does the new CERT-IN directive say?
- VPN providers will need to store validated customer names, their physical addresses, email ids, phone numbers, and the reason they are using the service, along with the dates they use it and their “ownership pattern”.
- In addition, CERT-In is also asking VPN providers to keep a record of the IP and email addresses that the customer uses to register for the service, along with the timestamp of registration.
- Most importantly, however, VPN providers will have to store all IP addresses issued to a customer and a list of IP addresses that its customers generally use.
What does this mean for VPN providers?
- VPN services that promise not to keep logs are in violation of CERT-In’s rules simply by operating in India.
- That said, it is worth noting that ‘no logs’ does not mean zero logs.
- VPN services still need to maintain some logs to run their service efficiently.
Does this mean VPNs will become useless?
- The Indian government has not banned VPNs yet, so they can still be used to access content that is blocked in an area, which is the most common usage of these services.
- However, journalists, activists, and others who use such services to hide their internet footprint will have to think twice about them.
Why such a move?
- Crime control: For law enforcement agencies, a move like this will make it easier to track criminals who use VPNs to hide their internet footprint.
- Curbing dark-net activities: Users these days are shifting towards the dark and deep web, which are much tougher to police than VPN services.
Back2Basics: Indian Computer Emergency Response Team (CERT-IN)
- CERT-IN is an office within the Ministry of Electronics and Information Technology.
- It is the nodal agency to deal with cyber security threats like hacking and phishing. It strengthens the security-related defense of the Indian Internet domain.
- It was formed in 2004 by the Government of India under Section 70B of the Information Technology Act, 2000, under the Ministry of Communications and Information Technology.
Cyber Security – CERTs, Policy, etc
Explained: Critical Information Infrastructure
From UPSC perspective, the following things are important :
Prelims level: Critical Information Infrastructure (CII)
Mains level: Read the attached story
The Union Ministry of Electronics and IT (MeitY) has declared IT resources of ICICI Bank, HDFC Bank and UPI managing entity NPCI as ‘critical information infrastructure’.
Try this PYQ:
In India, the term “Public Key Infrastructure” is used in the context of
(a) Digital security infrastructure
(b) Food security infrastructure
(c) Health care and education infrastructure
(d) Telecommunication and transportation infrastructure
What is Critical Information Infrastructure (CII)?
- The Information Technology Act, 2000 explicitly defines CII.
- It defines CII as a computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety.
- The classification aims to protect such digital assets.
- The government, under the Act, has the power to declare any data, database, IT network or communications infrastructure as CII.
- Any person who secures access or attempts to secure access to a protected system in violation of the law can be punished with a jail term of up to 10 years.
Why is CII classification and protection necessary?
- IT resources form the backbone of countless critical operations in a country’s infrastructure.
- Given their interconnectedness, disruptions can have a cascading effect across sectors.
What led to the classification of CIIs?
- In 2007, a wave of denial-of-service attacks, allegedly from Russian IP addresses, hit major Estonian banks, government bodies – ministries and parliament, and media outlets.
- It was cyber aggression of the kind that the world had not seen before.
- The attacks played havoc in one of the most networked countries in the world for almost three weeks.
Recent incidents of CII incapacitation
- In October 2020, as India battled the pandemic, electricity supply to Mumbai suddenly stopped.
- It hit the mega city’s hospitals, trains and businesses.
- Later, a study by a US firm claimed that this power outage could have been a cyber-attack, allegedly from a China-linked group.
- The government, however, was quick to deny any cyber-attack in Mumbai. But the possibility cannot be ruled out.
- The incident underlined the possibility of hostile state and non-state actors probing internet-dependent critical systems in other countries, and the necessity to fortify such assets.
How are CIIs protected in India?
- Created in January 2014, the National Critical Information Infrastructure Protection Centre (NCIIPC) is the nodal agency.
- It takes all measures to protect the nation’s critical information infrastructure.
- It is mandated to guard CIIs from “unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction”.
- NCIIPC monitors and forecasts national-level threats to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts.
Cyber Security – CERTs, Policy, etc
The Cyber factor in the Russia-Ukraine war
From UPSC perspective, the following things are important :
Prelims level: Not much
Mains level: Paper 3- Cyber warfare threats and challenges
Context
After 100 days of the Ukraine crisis, Russia is yet to achieve what can be termed a decisive victory in any sector of the current conflict.
Reasons for the lacklustre performance of Russia
- Several reasons have been adduced by experts in the West for the lacklustre performance of the Russian army.
- Lack of motivation: There is a lack of motivation and poor morale among the Russian forces sent to Ukraine.
- Outdated weaponry: Russian weaponry is outdated and ineffective for fighting an informationalised war under modern conditions.
- Leadership issue: Russian commanders have also proved inept in devising plans and taking appropriate decisions in battlefield conditions against a determined enemy.
Important role of cyber warfare
- Given that cyber is often touted as the Fifth Dimension of warfare, it may be worthwhile to examine whether this indeed is the first major conflict in which ‘cyber’ is playing a crucial role, allowing a weaker nation with cyber capabilities to use it to its advantage.
- A former Chief of the National Security Agency of the U.S., in his memoirs had said that although cyberspace is a man-made domain, it had become critical to military operations on land, sea, air and in space.
- A former U.S. Secretary of Defence, a few years ago, even talked of a possible ‘cyber Pearl Harbour to paralyze nations and create a profound sense of vulnerability’.
- The Russian military oligarchy is indeed among the world leaders in digital disruption and cyber-methodology.
- One could have reasonably presumed that even before the conflict commenced, Russia would have swamped Ukraine with an avalanche of digital attacks.
- Ukraine, for its part, has its own digital army, including a corps of digital weapons.
Limits of cyber warfare
- There are several publicised instances earlier, of alleged Russian operatives waging a cyberwar against Ukraine.
- Both sides now possess and use malware such as data-wipers which have proved highly effective.
- On the day the Russian invasion of Ukraine began, Russian cyber units are believed to have successfully deployed destructive malware against several Ukrainian military targets.
- A series of distributed denial-of-service (DDoS) attacks against Ukrainian banking and defence websites occurred simultaneously.
- As far as the conduct of the war is concerned, the string of small-scale cyberattacks cannot be said to have had any material impact on the conduct or outcome of the conflict.
- Hence, the cardinal question is why, given that Ukraine has put up such a heroic defence — and to a considerable extent stalled the Russian offensive — Russia has not embarked on a massive all-out cyber-offensive.
- If that be the case, then much of the speculation that cyberattacks in the event of a war provide a perpetrator the capability to enact another ‘Pearl Harbour’ seems highly unrealistic.
Conclusion
It is very likely, and possibly a fact, that there are major difficulties in planning and executing massive cyberattacks on a short timeline to ensure higher efficacy of kinetic attacks.
Cyber Security – CERTs, Policy, etc
SC tests phones for Pegasus Spyware
From UPSC perspective, the following things are important :
Prelims level: Pegasus
Mains level: WhatsApp snooping
The Supreme Court has said its technical committee had so far received and tested 29 mobile devices suspected to be infected by Pegasus malware.
Why in news?
- It was alleged that the government used the Israel-based spyware to snoop on journalists, parliamentarians, prominent citizens and even court staff.
What is Pegasus?
- Pegasus is a spyware developed by NSO Group, an Israeli surveillance firm that helps spies hack into phones.
- In 2019, when WhatsApp sued the firm in a U.S. court, the matter came to light.
- In July 2021, Amnesty International, along with 13 media outlets across the globe, released a report on how the spyware was used to snoop on hundreds of individuals, including Indians.
- While NSO claims its spyware is sold only to governments, no nation has come forward to accept the claim.
Threats created by Pegasus
- What makes Pegasus really dangerous is that it spares no aspect of a person’s identity.
- It makes older techniques of spying seem relatively harmless.
- It can intercept every call and SMS, read every email and monitor each messaging app.
- Pegasus can also control the phone’s camera and microphone and has access to the device’s location data.
- The app advertises that it can carry out “file retrieval”, which means it could access any document that a target might have stored on their phone.
Dysfunctions created
- Privacy breach: The very existence of a surveillance system, whether under a provision of law or without it, impacts the right to privacy under Article 21 and the exercise of free speech under Article 19.
- Curbing Dissent: It reflects a disturbing trend with regard to the use of hacking software against dissidents and adversaries. In 2019 also, Pegasus software was used to hack into the phones of human rights and Dalit activists.
- Individual safety: In the absence of privacy, the safety of journalists, especially those whose work criticizes the government, and the personal safety of their sources is jeopardised.
- Self-Censorship: Constant fear of espionage may grip individuals. This may impact their ability to express, receive and discuss ideas.
- State-sponsored mass surveillance: The spyware, coupled with AI, can manipulate digital content on users’ smartphones. Distant controllers can in turn use this to polarise users’ opinions.
- National security: The potential misuse or proliferation has the same, if not more, ramifications as advanced nuclear technology falling into the wrong hands.
Snooping in India: A Legality check
For Pegasus-like spyware to be used lawfully, the government would have to invoke both the IT Act and the Telegraph Act. Communication surveillance in India takes place primarily under two laws:
- Telegraph Act, 1885: It deals with interception of calls.
- Information Technology Act, 2000: It was enacted to deal with surveillance of all electronic communication, following the Supreme Court’s intervention in 1996.
Cyber security safeguards in India
- National Cyber Security Policy: The policy was developed in 2013 to build secure and resilient cyberspace for India’s citizens and businesses.
- Indian Computer Emergency Response Team (CERT-In): The CERT-In is responsible for incident responses including analysis, forecasts, and alerts on cybersecurity issues and breaches.
- Indian Cyber Crime Coordination Centre (I4C): The Central Government has rolled out a scheme for the establishment of the I4C to handle issues related to cybercrime in the country in a comprehensive and coordinated manner.
- Budapest Convention: There also exists the Budapest Convention on Cybercrime. However, India is not a signatory to this convention.
Issues over government involvement
- It is worth asking why the government would need to hack phones and install spyware when existing laws already offer impunity for surveillance.
- In the absence of parliamentary or judicial oversight, electronic surveillance gives the executive the power to influence both the subject of surveillance and all classes of individuals, resulting in a chilling effect on free speech.
Way forward
- Device security becomes a fundamental bedrock of user trust as society becomes ever more digitised.
- Constituting an independent high-level inquiry with credible members and experts that can restore confidence and conduct its proceedings transparently.
- Judicial oversight over surveillance systems in general, and a judicial investigation into the Pegasus hacking in particular, is essential.
Conclusion
- We must recognize that national security starts with securing the smartphones of every single Indian by embracing technologies such as encryption rather than deploying spyware.
- This is a core part of our fundamental right to privacy.
- This intrusion by spyware is not merely an infringement of the rights of the citizens of the country but also a worrying development for India’s national security apparatus.
UPSC 2023 countdown has begun! Get your personal guidance plan now! (Click here)
How India’s new VPN rules change the Status Quo?
From UPSC perspective, the following things are important :
Prelims level: VPN, Cert-In
Mains level: Read the attached story
Recently, the Indian Computer Emergency Response Team (Cert-In) issued new directives that require Virtual Private Network (VPN) providers to store user data for five years.
What is VPN?
- A VPN (Virtual Private Network) establishes a protected network connection over public networks.
- It encrypts internet traffic and disguises a user’s online identity.
- This makes it more difficult for third parties to track your activities online and steal data.
- The encryption takes place in real time.
How does a VPN work?
- A VPN hides your IP address by letting the network redirect it through a specially configured remote server run by a VPN host.
- This means that if you surf online with a VPN, the VPN server becomes the source of your data.
- This means your Internet Service Provider (ISP) and other third parties cannot see which websites you visit or what data you send and receive online.
- A VPN works like a filter that turns all your data into “gibberish”. Even if someone were to get their hands on your data, it would be useless.
Why do people use VPN?
- Secure encryption: A VPN connection disguises your data traffic online and protects it from external access. Unencrypted data can be viewed by anyone who has network access and wants to see it. With a VPN, hackers and cyber criminals can’t decipher this data.
- Disguising whereabouts: VPN servers essentially act as your proxies on the internet. Because the geographic location data comes from a server in another country, your actual location cannot be determined.
- Data privacy is preserved: Most VPN services do not store logs of your activities. Some providers, on the other hand, record your behaviour but do not pass this information on to third parties. This means that any potential record of your user behaviour remains permanently hidden.
- Access to regional content: Regional web content is not always accessible from everywhere. Services and websites often contain content that can only be accessed from certain parts of the world.
- Secure data transfer: If you work remotely, you may need to access important files on your company’s network. For security reasons, this kind of information requires a secure connection. To gain access to the network, a VPN connection is often required.
What does the new CERT-IN directive say?
- VPN providers will need to store validated customer names, their physical addresses, email ids, phone numbers, and the reason they are using the service, along with the dates they use it and their “ownership pattern”.
- In addition, CERT-In is also asking VPN providers to keep a record of the IP and email addresses that the customer uses to register for the service, along with the timestamp of registration.
- Most importantly, however, VPN providers will have to store all IP addresses issued to a customer and a list of IP addresses that its customers generally use.
What does this mean for VPN providers?
- ‘No logs’ VPN services would be in violation of CERT-In’s rules simply by operating in India.
- That said, it is worth noting that ‘no logs’ does not mean zero logs.
- VPN services still need to maintain some logs to run their service efficiently.
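The tunnelling described under “How does a VPN work?” and the provider-side visibility behind the retention directive, as an added example that is not code from the article or from any VPN vendor; the addresses, the pre-shared key and the HMAC-based toy cipher are all constructed stand-ins for a real tunnel protocol:

```python
"""Toy model of a VPN tunnel and of what each party on the path can see.

Added example; it is not code from the article or from any VPN provider.
Everything here is constructed: the addresses are documentation ranges, the
pre-shared key is a placeholder, and the "cipher" is an HMAC-SHA256 keystream
with a MAC that stands in for a real tunnel protocol such as WireGuard or
OpenVPN. It is meant to show the mechanism, not to be deployed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

TUNNEL_KEY = b"constructed-pre-shared-tunnel-key"  # assumption: key agreed out of band
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream by running HMAC in counter mode (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. A nonce must never be reused."""
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified packet is rejected, not decrypted."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed authentication")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


@dataclass
class Packet:
    src: str      # source IP as seen on the wire
    dst: str      # destination IP as seen on the wire
    payload: bytes


def isp_view(pkt: Packet) -> dict:
    """What an on-path observer such as the ISP learns from one packet."""
    try:
        text = pkt.payload.decode("ascii")
        readable = all(ch.isprintable() or ch.isspace() for ch in text)
    except UnicodeDecodeError:
        readable = False
    return {"src": pkt.src, "dst": pkt.dst, "payload_readable": readable}


def direct_request(client_ip: str, site_ip: str, request: bytes) -> Packet:
    """Without a VPN the ISP sees the real destination and (for plain HTTP) the request."""
    return Packet(client_ip, site_ip, request)


def tunnel_request(client_ip: str, vpn_ip: str, site_ip: str, request: bytes, nonce: bytes) -> Packet:
    """With a VPN the real destination travels inside the encrypted payload."""
    inner = json.dumps({"dst": site_ip, "data": request.decode("ascii")}).encode("ascii")
    return Packet(client_ip, vpn_ip, seal(TUNNEL_KEY, nonce, inner))


def vpn_server_forward(pkt: Packet, egress_ip: str, provider_log: list) -> Packet:
    """The VPN server decrypts, re-sources the packet from its own IP and forwards it.

    The mapping customer IP -> assigned egress IP -> destination is visible to the
    provider whether or not it chooses to persist it; the directive above turns
    that operational visibility into a retention obligation.
    """
    inner = json.loads(open_sealed(TUNNEL_KEY, pkt.payload))
    provider_log.append({"customer_ip": pkt.src, "assigned_ip": egress_ip, "dst": inner["dst"]})
    return Packet(egress_ip, inner["dst"], inner["data"].encode("ascii"))


def main() -> None:
    client, vpn, egress, site = "198.51.100.7", "192.0.2.1", "192.0.2.50", "203.0.113.9"
    request = b"GET /news HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed sample
    print("direct :", isp_view(direct_request(client, site, request)))
    tunnelled = tunnel_request(client, vpn, site, request, b"\x00" * NONCE_LEN)
    print("via VPN:", isp_view(tunnelled))
    log: list = []
    out = vpn_server_forward(tunnelled, egress, log)
    print("website sees source:", out.src, "| provider can log:", log[0])


if __name__ == "__main__":
    main()
```

Running it shows the ISP learning only the VPN server’s address and an opaque payload, while the VPN server necessarily sees the customer-to-egress-to-destination mapping that the directive asks it to retain.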
Does this mean VPNs will become useless?
- The Indian government has not banned VPNs yet, so they can still be used to access content that is blocked in an area, which is the most common usage of these services.
- However, journalists, activists, and others who use such services to hide their internet footprint will have to think twice about them.
Why such a move?
- Crime control: For law enforcement agencies, a move like this will make it easier to track criminals who use VPNs to hide their internet footprint.
- Curbing dark-net activities: Users these days are shifting towards the dark and deep web, which are much tougher to police than VPN services.
Back2Basics: Indian Computer Emergency Response Team (CERT-IN)
- CERT-IN is an office within the Ministry of Electronics and Information Technology.
- It is the nodal agency to deal with cyber security threats like hacking and phishing. It strengthens the security-related defense of the Indian Internet domain.
- It was formed in 2004 by the Government of India under Section 70B of the Information Technology Act, 2000, under the Ministry of Communications and Information Technology.
Strontium: A Cyber-Espionage Group
From UPSC perspective, the following things are important :
Prelims level: Strontium
Mains level: Cyber espionage
Recently, Microsoft said that it had disrupted cyberattacks from a Russian nation-state hacking group called ‘Strontium’.
What is Strontium?
- Strontium, also known as Fancy Bear, Tsar Team, Pawn Storm, Sofacy, Sednit or Advanced Persistent Threat 28 (APT28) group, is a highly active and prolific cyber-espionage group.
- It is one of the most active APT groups and has been operating since at least the mid-2000s, making it one of the world’s oldest cyber-spy groups.
- It has access to highly sophisticated tools to conduct spy operations, and has been attacking targets in the US, Europe, Central Asia and West Asia.
- The group is said to be connected to the GRU, the Russian Armed Forces’ main military intelligence wing.
- The GRU’s cyber units are believed to have been responsible for several cyberattacks over the years and its unit 26165 is identified as Fancy Bear.
How does it attack networks?
- The group deploys diverse malware and malicious tools to breach networks.
- In the past, it has used X-Tunnel, SPLM (or CHOPSTICK and X-Agent), GAMEFISH and Zebrocy to attack targets.
- These tools can be used as hooks in system drivers to access local passwords, and can track keystrokes and mouse movements and control webcams and USB drives.
- APT28 uses spear-phishing (targeted campaigns to gain access to an individual’s account) and zero-day exploits (taking advantage of unknown computer-software vulnerabilities) to target specific individuals and organizations.
- It has used spear-phishing and sometimes water-holing to steal information, such as account credentials, sensitive communications and documents.
- A watering hole attack compromises a site that a targeted victim visits to gain access to the victim’s computer and network.
Status of India’s National Cyber Security Strategy
From UPSC perspective, the following things are important :
Prelims level: Not much
Mains level: Read the attached story
Recently, Chinese state-sponsored hackers targeted Indian electricity distribution centres near Ladakh.
Amid a surge in cyberattacks on India’s networks, the Centre is yet to implement the National Cyber Security Strategy which has been in the works since 2020.
Recent trends of Cyber-attacks in India
- As per American cybersecurity firm Palo Alto Networks’ 2021 report, Maharashtra was the most targeted State in India — facing 42% of all ransomware attacks.
- India is among the more economically profitable regions for hacker groups and hence these hackers ask Indian firms to pay a ransom, usually using cryptocurrencies, in order to regain access to the data.
- One in four Indian organisations suffered a ransomware attack in 2021.
- Indian organisations witnessed a 218% increase in ransomware — higher than the global average of 21%.
- Software and services (26%), capital goods (14%) and the public sector (9%) were among the most targeted sectors.
Increase in such attacks has brought to light the urgent need for strengthening India’s cybersecurity.
What is the National Cyber Security Strategy?
Conceptualised by the Data Security Council of India (DSCI), the report focuses on 21 areas to ensure a safe, secure, trusted, resilient, and vibrant cyberspace for India.
The main sectors of focus of the report are:
- Large scale digitisation of public services: There needs to be a focus on security in the early stages of design in all digitisation initiatives and for developing institutional capability for assessment, evaluation, certification, and rating of core devices.
- Supply chain security: There should be robust monitoring and mapping of the supply chain of information and communication technology (ICT) and electronics products. Product testing and certification need to be scaled up, and the country’s semiconductor design capabilities must be leveraged globally.
- Critical information infrastructure protection: The supervisory control and data acquisition (SCADA) security should be integrated with enterprise security. A repository of vulnerabilities should also be maintained.
- Digital payments: There should be mapping and modelling of devices and platform deployed, transacting entities, payment flows, interfaces and data exchange as well as threat research and sharing of threat intelligence.
- State-level cyber security: State-level cybersecurity policies and guidelines for security architecture, operations, and governance need to be developed.
What steps does the report suggest?
To implement cybersecurity in the above-listed focus areas, the report lists the following recommendations:
- Budgetary provisions: A minimum allocation of 0.25% of the annual budget, which can be raised up to 1%, has been recommended to be set aside for cyber security.
- Ministry-wise allocation: In terms of separate ministries and agencies, 15-20% of the IT/technology expenditure should be earmarked for cybersecurity.
- Setting up a Fund of Funds: The report also suggests setting up a Fund of Funds for cybersecurity and to provide central funding to States to build capabilities in the same field.
- R&D, skill-building and technology development: The report suggests investing in modernisation and digitisation of ICTs, setting up a short and long term agenda for cyber security via outcome-based programs and providing investments in deep-tech cyber security innovation.
- National framework for certifications: Furthermore, a national framework should be devised in collaboration with institutions like the National Skill Development Corporation (NSDC) and ISEA (Information Security Education and Awareness) to provide global professional certifications in security.
- Creating a ‘cyber security services’: The DSCI further recommends creating a ‘cyber security services’ with cadre chosen from the Indian Engineering Services.
- Crisis management: For adequate preparation to handle crisis, the DSCI recommends holding cybersecurity drills which include real-life scenarios with their ramifications. In critical sectors, simulation exercises for cross-border scenarios must be held on an inter-country basis.
- Cyber insurance: Cyber insurance is still an under-researched field; an actuarial science must be developed for it to address cybersecurity risks in business and technology scenarios and to calculate threat exposures.
- Cyber diplomacy: Cyber diplomacy plays a huge role in shaping India’s global relations. To further better diplomacy, the government should promote brand India as a responsible player in cyber security and also create ‘cyber envoys’ for the key countries/regions.
- Cybercrime investigation: It also suggests charting a five-year roadmap factoring in possible technology transformation, setting up exclusive courts to deal with cybercrimes, and removing the backlog of cybercrime cases by increasing the number of centres providing opinions on digital evidence under Section 79A of the IT Act.
- Advanced forensic training: Moreover, the DSCI suggests advanced forensic training for agencies to keep up in the age of AI/ML, blockchain, IoT, cloud, automation.
- Cooperation among agencies: Law enforcement and other agencies should partner with their counterparts abroad to seek information of service providers overseas.
Progress in its implementation
- The Centre has formulated a draft National Cyber Security Strategy 2021 which holistically looks at addressing the issues of security of national cyberspace.
- Without mentioning a deadline for its implementation, the Centre added that it had no plans as of yet to coordinate with other countries to develop a global legal framework on cyber terrorism.
Way forward
- India has to reckon with the importance and necessity of cyber offence as much as cyber defence.
- As of today, India’s primary or possibly only response measures appear to be defensive.
- India has to also invest in more offensive cyber means as a response.
Cyber Insurance in India
From UPSC perspective, the following things are important :
Prelims level: Cyber insurance
Mains level: Read the attached story
As enterprises, the government and the public rely increasingly on digitalisation, cyber insurance has become pivotal to their basic functioning nowadays.
What is Cyber Insurance?
- Cyber insurance is a type of insurance that protects organizations from the effects of cyber-attacks.
- After a cyber-attack/breach, it assists an organization in mitigating risk exposure by offsetting expenses.
- To put it another way, cyber insurance is intended to cover the fees, expenses, and legal costs involved with cyber breaches that occur after an organization has been hacked, as well as the theft or loss of client/employee information.
- A typical cybersecurity insurance policy, also known as cyber risk insurance, is designed to protect businesses from cybercrime such as ransomware, spyware, and distributed denial-of-service (DDoS) attacks.
- Costs of privacy investigations or litigation following an attack could also be included in the claims.
Why in news?
- As more companies shifted to work from home, there were database breaches and hackings, leading to loss of revenue opportunity across industries.
- As a result, cybersecurity has come to occupy a prime position in a company’s list of governance priorities.
- Even systems believed to be highly secure could be breached in cyberattacks.
Various threats
- Illicit access of financial credentials (a hacker gets access to your online banking details and might therefore be able to steal money)
- Identity theft (an attacker steals your digital identity to purchase goods or services online in your name)
- Data loss due to a technical issue (your personal data gets deleted by a virus or software glitch)
- Illicit publication of personal data (somebody else publishes your private pictures online)
Available insurance options
There are cyber insurance solutions available in the market to protect against losses caused by cyberattacks, including first-party and third-party losses, and cyber extortion.
- First-party insurance: It covers loss caused due to electronic theft, loss of electronic communication, e-vandalism, business interruption (income loss due to fraudulent access causing impairment of operations), and the like.
- Third-party insurance: It covers disclosure liability (any customer claim due to system security failures resulting in unauthorised access), content liability (for alleged copyright infringement), reputational liability, and conduit liability. Expenses cover includes privacy notification expenses, crisis expenses and reward expenses.
Policy moves in this regard
- Last year, the Working Committee set up by the Insurance Regulatory and Development Authority of India (IRDAI) has proposed detailed regulations to address cyber risks.
- The committee has recommended the introduction of a Cyber Liability Policy that will protect the policyholders from cybercrimes.
- The Committee has also underscored the significance of the cover for individuals and recommended for creation of more awareness of such products.
Recommendations made by the Committee:
At present, the cyber insurance policies available address the requirements of individuals reasonably well. However, some areas need improvement. The committee has recommended the following:
- FIR on higher claims: Insurers must not insist on a police First Information Report (FIR) for claims up to Rs. 5,000. However, an FIR remains a critical requirement for assessing larger claims.
- Clarity in terms and conditions: Clarity is required in the exclusion language relating to compliance with reasonable practices and precautions. Coverage is also needed for bricking costs, i.e. the loss of use/functionality of hardware as a result of a cyber-incident.
- Standardisation of the Policy: The committee noted that it is a good idea but may not be able to address all the emerging risks and is likely to limit innovation.
Claims covered
(1) Losses
Here is the list of losses that will normally be covered under the IRDAI cyber-insurance policy:
- First Party Losses: Direct Financial Loss, Data recovery, Business Interruption Cover and Mitigation Costs Cover.
- Regulatory Actions: Costs of Regulatory actions and investigations, civil fines and penalties and Defence Costs.
- Crisis Management Costs: Forensic Expert Cover including security consultation, Reputation Damage Cover, Legal Costs Cover for matters including notification, coordination with service providers, strategy etc., Credit and Identity Theft Monitoring Cover, Cyber extortion/ Ransomware Cover, Operation of a 24×7 Hotline, Cyber Stalking, Counselling, Information removal and pursuing action.
- Liability Claims: Legal liability/damages directly arising from privacy or data/ security breach, Defamation, Intellectual Property Right (IPR) infringement and Defence Costs, as per the committee report.
(2) Individual cover
The report states the following salient features of the individual cyber insurance policy.
- Theft of funds: Provides protection in respect of theft of funds due to Cyber incidents or Hacking of insured’s Bank account, Credit/Debit card and/ or Mobile wallets by a Third Party.
- Identity Theft Cover: Provides protection in terms of Defence cost for claims made against insured by third/affected party due to identity theft fraud, provides expense to prosecute perpetrators and other transportation costs.
- Social Media Cover / Personal Social Media: Provides protection in terms of Defence cost for claims made against insured by third/affected party due to hacked social media account of insured, provides expense to prosecute perpetrators and other transportation costs.
- Cyber Stalking / Bullying: Provides expenses to prosecute the stalker.
- Malware Cover / Data Restoration Cost: Provides coverage for data restoration cost due to malware.
- Phishing Cover: Provides protection in respect of financial losses as a result of a phishing attack and provides expense to prosecute perpetrators, as per the committee report.
- Unauthorised Online Transaction: Provides protection against fraudulent use of bank account, credit/debit card, e-wallet by the third party to make online purchasing over the internet.
- Email Spoofing: Provides protection in respect of financial losses as a result of spoofed email attack and provides expense to prosecute perpetrators.
- Media Liability Claims Cover: Provides coverage for defence costs in third party claims due to defamation or invasion of privacy due to Insured’s publication or broadcasting of any digital media content.
- Cyber Extortion Cover: Provides protection for extortion loss as a result of a cyber extortion threat and provides expenses to prosecute perpetrators (as per the Report of the Working Group to study Cyber Liability Insurance).
- Data Breach and Privacy Breach Cover: Provides indemnity for defence costs and damages in respect of claims lodged by a Third-party against the Insured for Data Breach and or Privacy Breach.
Way forward
- Cyber insurance helps cover legal expenses stemming from damages due to a cyberattack.
- It should be part of the company’s overall business continuity strategy, as it helps quickly recover post an incident.
- Companies should first understand the need for cyber insurance solutions, rather than just getting a cyber-insurance cover.
- The ability to identify an attack and quickly shield against it are a few underwriting principles of the insurers.
- Proactive risk management strategies that include ensuring the use of strong passwords, multi-factor authentication, proper firewall usage and access controls over servers and routers are all examples of good digital behaviour.
Try this PYQ from CSP 2020:
Q.In India, under cyber insurances for individuals, which of the following benefits are generally covered, in addition to payment for the loss of funds and other benefits ?
1. Cost of restoration of the computer system in case of malware disrupting access to one’s computer.
2. Cost of a new computer if some miscreant wilfully damages it, if proved so.
3. Cost of hiring a specialized consultant to minimize the loss in case of cyber extortion.
4. Cost of defence in the court of law if any third party files a suit.
Select the correct answer using the code given below:
(a) 1, 2 and 4 only
(b) 1,3 and 4 only
(c) 2 and 3 only
(d) 1,2,3 and 4
Reporting cyber attacks
From UPSC perspective, the following things are important :
Prelims level: EU GDPR
Mains level: Paper 3- Making mandatory the reporting of cyber security breach
Context
The Ministry of Electronics and Information Technology is likely to come out with new cyber security regulations which will put the onus on organisations to report any cybercrime that may have happened against them, including data leaks.
Damages inflicted by the cyber crimes
- Apart from private firms, government services, especially critical utilities, are prone to cyber attacks and breach incidents.
- The ransomware attack against the nationwide gas pipeline in 2021 in the U.S. virtually brought down the transportation of about 45% of all petrol and diesel consumed on the east coast.
- If it were measured as a country, then cyber crime — which is predicted to inflict damages totalling $6 trillion globally in 2021 — would be the world’s third-largest economy after the U.S. and China.
Provision for reporting the cybercrime
- Clause 25 in the Data Protection Bill 2021 says that data fiduciaries should report any personal and non-personal data breach incident within 72 hours of becoming aware of a breach.
- Clause in EU GDPR: Even the golden standard for data protection, namely the European Union General Data Protection Regulation (EU GDPR), has a clause for reporting data breach incidents within a stringent timeline.
- This, in principle, is likely to improve cyber security and reduce attacks and breaches.
Why reporting cybercrime is important
- Alerting other organisations: If incidences are reported, the Indian Computer Emergency Response Team and others can alert organisations about the associated security vulnerabilities.
- Precautionary measures: Firms not yet affected can also take precautionary measures such as deploying security patches and improving their cyber security infrastructure.
Why are firms reluctant to report the crime?
- Reputational harm: Any security or privacy breach has a negative impact on the reputation of the affected firm.
- An empirical study by Comparitech indicates that the share prices for firms generally fall around 3.5% on average over three months following the breach.
- So, firms weigh the penalties they face for not disclosing the incidents versus the potential reputational harm due to disclosure, and decide accordingly.
Possible solutions
- Periodic cyber security audits: How will the regulator come to know when a firm does not disclose a security breach?
- It can be done only through periodic cyber security audits.
- Unfortunately, the regulators in most countries including India do not have such capacity to conduct security audits frequently and completely.
- Empanel third-party auditors: The government can empanel third party cyber security auditors for the conduct of periodical cyber security impact assessments, primarily amongst all the government departments, both at the national and State level, so that security threats and incidents can be detected proactively and incidents averted.
- Evaluation and Certification of cyber security: The Ministry, as part of cyber security assurance initiatives of the Government of India, to evaluate and certify IT security products and protection profiles, has set up Common Criteria Testing Laboratories and certification bodies across the country.
- These schemes can be extended towards cyber security audits and assessments as well.
- Security command centre: Much like IBM, which set up a large cyber security command centre in Bengaluru, other large firms can also be encouraged to set up such centres for protection of their firms’ assets.
Consider the question “Reporting cyber security breaches is important. Yet, firms are reluctant to report the breaches. Examine the reasons for reluctance on part of the firms and suggest the way forward.”
Conclusion
Such measures will also pass the muster of the EU GDPR, thereby moving India closer to the set of countries that have the same level of cyber security and data protection as that of EU, for seamless cross-border data flow.
Cyber warfare
From UPSC perspective, the following things are important :
Prelims level: NA
Mains level: Cyberwarfare
Alongside the missiles and bombs slamming down in Ukraine, the country has also been hit by a wave of cyber-attacks targeting critical infrastructure companies.
What is Cyberwarfare?
- Cyberwarfare has emerged as a new form of retaliation or passive aggression deployed by nations that do not want to go to actual war but want to send a tough message to their opponents.
- In June 2020, security experts from Cyfirma uncovered a conspiracy by Gothic Panda and Stone Panda, two China-based hacker groups, to target media and critical infra companies in India.
- They led large-scale attacks amid the border stand-off between India and China in Ladakh.
- For many countries, cyberwarfare is a never-ending battle as it allows them to constantly harass and weaken geopolitical rivals.
What has happened in Ukraine so far?
- Ukraine has been one of the primary targets of Russia since 2020.
- The recent spate of attacks started in mid-January and knocked out websites of the ministry of foreign affairs and the ministry of education.
- Government websites and a number of banks have been hit by another mass distributed denial of service (DDoS) attack.
- DDoS attacks disrupt online services by overwhelming websites with more traffic than their server can handle.
Which countries are behind state-backed cyberattacks?
- Russia is one of the top perpetrators of state-backed cyberattacks.
- According to an October 2021 report by Microsoft Corp., Russia accounted for 58% of state-backed attacks worldwide, followed by North Korea (23%), Iran (11%), and China (8%).
- North Korea is said to have built a cyber-army of 7,000 hackers.
Which companies are targeted and why?
- State-backed cyberattacks are usually carried out to steal state secrets, trade deals and weapons blueprints, or to target large multinationals to steal their intellectual property (IP) and use it to build local industry.
- Cryptocurrencies are also on the radar now. North Korean hackers reportedly stole cryptocurrency worth $400 million in 2021.
- However, when states launch cyberattacks on other states as a result of worsening of geopolitical relations, the target is usually critical infrastructure firms to disrupt economic activity.
How often is India targeted?
- Such cyberattacks rose 100% between 2017 and 2021, according to a global study by Hewlett-Packard and the University of Surrey.
- In 2019, the administrative network of the Kudankulam Nuclear Power Plant was hit by a malware attack by North Korea-backed Lazarus Group.
- China-backed hackers were believed to be behind a power outage in Mumbai in 2020.
- According to Black Lotus Labs, Pakistan-based hackers targeted power firms and one government organization in India in early 2021 using Remote Access Trojans.
MHA recommends ban on 54 Chinese Apps
From UPSC perspective, the following things are important :
Prelims level: NA
Mains level: Data sovereignty issue
The Ministry of Home Affairs has recommended a ban on 54 Chinese mobile applications that pose a threat to the country’s security.
Legal basis of app ban
- The ban has been enforced under Section 69A of the Information Technology Act, 2000.
- This section empowers the government to issue directions to block public access to any information through any computer resource.
- This is done in the interest of:
  - the sovereignty and integrity of India
  - the defence of India and the security of the State
  - friendly relations with foreign states
  - public order, or
  - preventing incitement to the commission of any cognizable offence relating to the above
Why MHA has put such a ban?
- Most of these apps were operating as clones or shadow apps of the apps that had earlier been banned by the government.
- They were stealing and secretly transmitting users’ data in an unauthorized manner to servers located outside India.
- These apps largely impact the psychosocial abilities of the users.
- The immediate decision has been taken in a specific strategic and national security
Implications of the ban
- India’s offensive: The move comes as an exercise of coercive diplomacy with China amid the heated exchange of words during the diplomatic boycott of the Winter Olympics.
- Hurting China’s ambitions: The ban may affect one of China’s most ambitious goals, namely to become the digital superpower of the 21st century.
- Data nationalization: The ban is also based on the recognition that data streams and digital technology are a new currency of global power.
Issues with the ban
- Not only China: Data privacy and data security concerns are not limited only to Chinese apps.
- Harm already caused: The apps that were banned were very popular in India and the move to block them comes after these apps had already amassed hundreds of millions of users in India.
- Further dependency on China: The ban on Chinese mobile apps is a relatively soft target, as India remains reliant on Chinese products in several critical and strategically sensitive sectors.
Way Forward
- There is a strong case to revise the key legislations and bring them in line with the changed digital environment.
- Data privacy and security remain major challenges emanating from the ongoing digital revolution.
- Thus, a data protection law is long overdue.
- India must speed up indigenization, research and development, and frame a regulatory architecture to claim data sovereignty.
Taking a byte out of cyber threats
From UPSC perspective, the following things are important :
Prelims level: Zero Trust Model
Mains level: Paper 3- Cyber security
Context
Cyber-attacks may be a relatively new phenomenon, but in a short time they have come to be assessed as being as dangerous as terrorism.
A cyber attack is a type of attack that targets computer systems, infrastructures, networks, or personal computer devices using various methods at hand. India is ranked 10th (among 194 countries) in the Global Cybersecurity Index (GCI) 2020, ahead of China and Pakistan.
The increasing threat of cyber attacks
- Stuxnet Worm in 2010: Resulted in large-scale damage to Iran’s centrifuge capabilities.
- Natanz nuclear facility (Iran) in 2021: Targeted the industrial control systems and destroyed the power supply to centrifuges used to create enriched uranium.
- Chinese cyberattack on the power system in Mumbai brought the entire city to a halt.
- Ransomware as a Service (RaaS) — a business model for ransomware developers — is no mere idle threat.
- Advanced Persistent Threats (APT) attacks are set to increase, with criminal networks working overtime and the Dark web allowing criminals to access even sensitive corporate networks.
Tools of Cyberattacks
- Malware: Malicious software to disrupt computers. It can include Viruses, Spyware, Trojans, etc.
- Phishing: It is the method of trying to gather personal information using deceptive e-mails and websites.
- Denial of Service attacks: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
- Hacktivism: Misusing a computer system or network for a socially or politically motivated reason. For example, hacktivists can block access to a Government website, deface it, or unblock sites that have been blocked by the Government.
- Social Engineering: Enticing users to provide confidential information. For example, these days you must have come across fake Facebook accounts opened in the name of your close friends. First, the cyber attackers send you a friend request in the name of your close friend. Once you accept it, they request you to transfer some money.
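The phishing and social-engineering entries above describe deceptive messages in prose. The following is an added example, not code from the original article, showing how a defender can turn those descriptions into concrete triage checks: a link whose visible text names one domain while its href points to another, a domain that closely resembles a trusted one, and urgency or credential-request wording. The trusted-domain allowlist, the phrase list and both sample messages are constructed for illustration and do not refer to any real organisation.

```python
"""
Heuristic phishing-indicator checker (added example; not from the original
article).  It flags three signals the text describes: deceptive links, lookalike
domains and urgency/credential language.  All domains, phrases and sample
messages below are constructed.
"""
import re
from difflib import SequenceMatcher
from typing import List, Optional, Set
from urllib.parse import urlparse

# Constructed allowlist: domains this organisation treats as trusted.
TRUSTED_DOMAINS: Set[str] = {"example-bank.com", "payroll.example.org"}

# Phrases that commonly accompany credential-harvesting attempts (constructed list).
URGENCY_PHRASES = ("verify your account", "within 24 hours", "suspended", "confirm your password")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable_domain(host: str) -> str:
    """Keep only the last two labels (e.g. example-bank.com); adequate for the sample data."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain: str, trusted: Set[str], threshold: float = 0.8) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    if domain in trusted:
        return None
    best = max(trusted, key=lambda good: SequenceMatcher(None, domain, good).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= threshold else None


def phishing_indicators(html_body: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable indicators; an empty list means nothing suspicious was found."""
    findings: List[str] = []
    for href, text in ANCHOR_RE.findall(html_body):
        href_host = registrable_domain(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT_RE.search(text)
        # Visible text names a domain that differs from where the link actually goes.
        if shown and registrable_domain(shown.group(0)) != href_host:
            findings.append(f"link text shows {registrable_domain(shown.group(0))} but href goes to {href_host}")
        imitated = lookalike_of(href_host, trusted)
        if imitated:
            findings.append(f"{href_host} looks like trusted {imitated}")
    lowered = html_body.lower()
    findings.extend(f"urgency/credential phrase: '{p}'" for p in URGENCY_PHRASES if p in lowered)
    return findings


# Constructed sample messages (not real e-mails).  The first uses a digit "1" for the letter "l".
SAMPLE_PHISH = (
    '<p>Your account has been suspended. Visit '
    '<a href="http://examp1e-bank.com/login">example-bank.com</a> '
    'to verify your account within 24 hours.</p>'
)
SAMPLE_LEGIT = '<p>Your statement is ready at <a href="https://www.example-bank.com/statements">Online Banking</a>.</p>'

if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(body) or ["no indicators"])
```

The similarity threshold and the two-label domain reduction are deliberately simple; a production filter would use a public-suffix list and a curated confusable-character table, but the structure of the check (compare what the user sees with where the link really goes, then compare that against what you trust) is the same.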
Consequences of Cyberattacks
- Impact on data: Confidentiality, Integrity and Availability of information.
- Impact on Critical Information Infrastructure: Presently, most of the sectors are critically dependent on the use of ICT to carry on their operations. These sectors are Banking and Finance, Power systems, Transport sector, Telecommunication, etc. Cyber attacks on these critical information infrastructures can bring the entire country to a grinding halt. For example, the recent Chinese cyber attack on the power system in Mumbai brought the entire city to a halt.
- Creates Distrust: A cyber-attack on a specific component exposes vulnerabilities in the entire system which may negatively impact relations with allies and adversaries and questions our nuclear reliability.
- Financial loss: Estimates of the cost to the world in 2021 from cyberattacks are still being computed, but if the cost of cybercrimes in 2020 (believed to be more than $1 trillion) is any guide, it is likely to range between $3 trillion and $4 trillion.
- Threat to National Security and peace and stability in a country.
Steps taken by India to improve Cyber Security
- Section 66F of ITA: Specific provision dealing with the issue of cyber terrorism that covers denial of access, unauthorized access, introduction of computer contaminant leading to harm to persons, property, critical infrastructure, disruption of supplies, ‘sensitive data’ thefts. Provides for punishment which may extend to life imprisonment.
- National Cyber Security Policy 2013: Policy document drafted by the Department of Electronics and Information Technology. Established National Critical Information Infrastructure Protection Centre (NCIIPC) to improve the protection and resilience of the country’s critical infrastructure information; Create a workforce of 5 lakh professionals skilled in cybersecurity in the next 5 years.
- National Critical Information Infrastructure Protection Centre (NCIIPC): It has been set up to enhance the protection and resilience of the nation’s critical information infrastructure. It functions under the National Technical Research Organization (NTRO).
- CERT-IN: Organization under the Ministry of Electronics and Information Technology with an objective of securing Indian cyberspace. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities, and promote effective IT security practices throughout the country. According to the provisions of the Information Technology Amendment Act 2008, CERT-In is responsible for overseeing the administration of the Act.
- Cyber Surakshit Bharat Initiative: It was launched in 2018 with an aim to spread awareness about cybercrime and build capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
- Cyber Crisis Management Plan (CCMP): It aims at countering cyber threats and cyber-terrorism.
- National Cyber Coordination Centre (NCCC): It seeks to generate necessary situational awareness of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual entities.
- National Cyber Security Coordinator (NCSC) under National Security Council Secretariat (NSCS) coordinates with different agencies at the national level for cyber security matters.
- Cyber Swachhta Kendra: This platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.
- Information Security Education and Awareness Project (ISEA): Training of personnel to raise awareness and to provide research, education, and training in the field of Information Security.
Challenges
- Structural:
  a) Absence of any geographical constraints.
  b) Lack of uniformity in devices used for internet access.
- Administrative:
  a) Lack of a national-level architecture for cybersecurity.
  b) Security audits do not occur periodically, nor do they adhere to international standards.
  c) The appointment of the National Cyber Security Coordinator in 2014 has not been supplemented by creating liaison officers in states.
- Procedural:
  a) Lack of awareness in local police of the various provisions of the IT Act, 2000, and of the IPC provisions related to cybercrime.
  b) Lack of a data protection regime.
- Human Resource Related:
  a) Inadequate awareness among people about the security of devices and online transactions.
Way forward
- International Convention: Presently, the Budapest Convention is the first international treaty that promotes greater cooperation between countries in fighting cybercrimes. India should accede to the Budapest Convention at the earliest; staying outside it limits India’s capacity to combat cybercrimes at a global level.
- PPP Framework for Cyber Security: Presently, most of the cyber security operations are carried out by the Government agencies such as CERT-In. Given the fast-changing nature and intensity of cyber threats, there is a need to leverage private sector expertise in combating cyber crimes through the PPP framework.
- Capacity building and skill development: According to a recent NASSCOM report, India needs around 10 lakh cyber security experts, but presently there are only around 64,000 professionals. The main reasons for this shortfall are the lack of an adequate number of specialized courses in cyber security, poor training infrastructure and a shortage of trainers. The Government has to recognize these lacunae and increase the number of skilled professionals.
- Promoting Startups in the field of Cybersecurity.
- Investment in R&D to improve Cyber Security- Big data, AI
- Learning from best practices such as the Tallinn manual of the US.
Conclusion
Failure to build resilience — at both the technical and the human level — will mean that the cycle of cyber attacks and the distrust they give rise to will continue to threaten the foundations of a democratic society. Preventing erosion of trust is critical in this day and age.
What is Pegasus Spyware Controversy?
From UPSC perspective, the following things are important :
Prelims level: Pegasus
Mains level: State surveillance and Right to Privacy
A New York Times report has claimed that the Indian government had bought the Pegasus Spyware in 2017.
What is Pegasus?
- Pegasus is a spyware developed by NSO Group, an Israeli surveillance firm that helps spies hack into phones.
- In 2019, when WhatsApp sued the firm in a U.S. court, the matter came to light.
- In July 2021, Amnesty International, along with 13 media outlets across the globe, released a report on how the spyware was used to snoop on hundreds of individuals, including Indians.
- While the NSO claims its spyware is sold only to governments, none of the nations have come forward to accept the claims.
Why is Pegasus so lethal?
- What makes Pegasus really dangerous is that it spares no aspect of a person’s identity.
- It makes older techniques of spying seem relatively harmless.
- It can intercept every call and SMS, read every email and monitor each messaging app.
- Pegasus can also control the phone’s camera and microphone and has access to the device’s location data.
- The app advertises that it can carry out “file retrieval”, which means it could access any document that a target might have stored on their phone.
Dysfunctions created by Pegasus
- Privacy breach: The very existence of a surveillance system, whether under a provision of law or without it, impacts the right to privacy under Article 21 and the exercise of free speech under Article 19.
- Curbing Dissent: It reflects a disturbing trend with regard to the use of hacking software against dissidents and adversaries. In 2019 also, Pegasus software was used to hack into the phones of human rights and Dalit activists.
- Individual safety: In the absence of privacy, the safety of journalists, especially those whose work criticizes the government, and the personal safety of their sources is jeopardised.
- Self-Censorship: Persistent fear of espionage may grip individuals. This may impact their ability to express, receive and discuss ideas.
- State-sponsored mass surveillance: The spyware, coupled with AI, can manipulate digital content on users’ smartphones, allowing distant controllers to polarize their opinions.
- National security: The potential misuse or proliferation has the same, if not more, ramifications as advanced nuclear technology falling into the wrong hands.
Snooping in India: A Legality check
For Pegasus-like spyware to be used lawfully, the government would have to invoke both the IT Act and the Telegraph Act. Communication surveillance in India takes place primarily under two laws:
- Telegraph Act, 1885: It deals with interception of calls.
- Information Technology Act, 2000: It was enacted to deal with surveillance of all electronic communication, following the Supreme Court’s intervention in 1996.
Cyber security safeguards in India
- National Cyber Security Policy: The policy was developed in 2013 to build secure and resilient cyberspace for India’s citizens and businesses.
- Indian Computer Emergency Response Team (CERT-In): The CERT-In is responsible for incident responses including analysis, forecasts, and alerts on cybersecurity issues and breaches.
- Indian Cyber Crime Coordination Centre (I4C): The Central Government has rolled out a scheme for the establishment of the I4C to handle issues related to cybercrime in the country in a comprehensive and coordinated manner.
- Budapest Convention: There also exists Budapest Convention on Cybercrime. However, India is not a signatory to this convention.
Issues over government involvement
- It is worth asking why the government would need to hack phones and install spyware when existing laws already offer impunity for surveillance.
- In the absence of parliamentary or judicial oversight, electronic surveillance gives the executive the power to influence both the subject of surveillance and all classes of individuals, resulting in a chilling effect on free speech.
Way forward
- The security of a device becomes one of the fundamental bedrocks of maintaining user trust as society becomes more and more digitized.
- Constituting an independent high-level inquiry with credible members and experts that can restore confidence and conduct its proceedings transparently.
- Judicial oversight over surveillance systems in general, and a judicial investigation into the Pegasus hacking in particular, is essential.
Conclusion
- We must recognize that national security starts with securing the smartphones of every single Indian by embracing technologies such as encryption rather than deploying spyware.
- This is a core part of our fundamental right to privacy.
- This intrusion by spyware is not merely an infringement of the rights of the citizens of the country but also a worrying development for India’s national security apparatus.
How to control cyber crime against women
From UPSC perspective, the following things are important :
Prelims level: CERT-IN
Mains level: Paper 2- Cybercrimes against women
Context
The open-source app, Bulli Bai, hosted on the web platform GitHub for “auctioning Muslim women” has laid bare the harassment women face online.
Cybercrimes against women
- As per the Telecom Regulatory Authority of India (TRAI) there were around 825 million internet users in India at the end of March 2021.
- The minuscule number of rogue elements among these internet users has the lethal capability to create havoc in the nation, its polity, economy and the personal and professional lives of citizens.
- Reluctance to file case: Many times, police officers are approached by anxious parents, days before marriage, seeking help about fake profiles or morphed photographs of their daughters on the internet.
- A formal police case is thus never lodged.
- The stark reality is that cyber blackmailing, stalking and bullying are a humongous issue, causing a lot of stress to women and their families.
- NCRB statistics show that total cyber crimes in India during 2020 were 50,035, and those specifically against women were only 10,405.
Steps need to be taken
- Prompt reporting and registration: To find out the true magnitude of cyber crime, prompt reporting and registration are the only options.
- International cooperation through treaties: There are many international gangs which successfully avoid detection as “servers” used by them are located outside India.
- International cooperation through formal treaties and informal channels has to be pursued.
- CERT-IN has been doing commendable work in this regard.
- Registering a criminal case is the first crucial step as it sets the law into motion, leading to tracing, arresting and prosecuting the rogues even if they are located outside the country.
- Increase awareness: There is a need to increase awareness about cyber safety and security so that youth, especially young girls and women, take proper precautions while surfing the virtual world.
- Better policing: As for the police, we do need better infrastructure, more special cyber cells and police stations, regular training, and collaboration with cyber experts on a continuous basis.
- Strengthening the capability of forensic laboratories can lead to timely collection of evidence of cyber bullying, threatening, morphing and profiling.
- Many state labs do not have sufficient numbers of cyber experts to seize, preserve and store images of digital evidence essential for securing conviction in courts.
- The central government has given funds to states and Union territories under the Cyber Crime Prevention Against Women and Children (CCPWC) scheme to start “cyber forensic-cum-training laboratories”.
- Fast trial: Fast trial of cyber crimes would indeed help. As per the NCRB, during 2020, court trials were completed in only nine cases of cyber blackmailing and threatening with a 66.7 per cent conviction rate — 393 such cases are pending in courts.
- Systematic training of prosecutors and judicial officers in dealing with cyber crimes would definitely speed up trials.
Conclusion
Prompt reporting of cyber crime by citizens, technically proficient investigation by police adequately supported by forensics, and time-bound completion of court trials are essential for catching cyber offenders who are terrorising people, especially women, in the virtual as well as the real world.
Creating safe digital spaces
From UPSC perspective, the following things are important :
Prelims level: Not much
Mains level: Paper 3- Creating safe digital spaces
Context
Various reports have indicated increased incidence of cyberbullying and online child sexual exploitation by adults.
Tackling cyberbullying
- School closures as a response to the COVID-19 lockdowns have led to an unprecedented rise in unsupervised screen time for children and young people, which in turn exposed them to a greater risk of online violence.
- In India, an estimated 71 million children aged 5-11 years access the Internet on the devices of their family members, constituting about 14% of the country’s active Internet user base of over 500 million.
- There is growing scientific evidence which suggests that cyberbullying has negative consequences on the education, health and well-being of children and young people.
- Published in 2019 and drawing on data from 144 countries, UNESCO’s report ‘Behind the numbers: Ending school violence and bullying’ highlighted the extent of the problem, with almost one in three students worldwide reporting being bullied at least once in the preceding month.
- Therefore, cyberbullying prevention interventions should aim at tackling all types of bullying and victimisation experiences at the same time, as opposed to each in a silo.
Cyberbullying prevention interventions
- Although online violence is not limited to school premises, the education system plays a crucial role in addressing online safety.
- To prevent and counter cyberbullying, the information booklet brought out by UNESCO in partnership with NCERT on Safe Online Learning in Times of COVID-19 can be a useful reference.
- Effective interventions also require gender-sensitive and targeted approaches that respond to needs of learners who are most likely to be the victims of online violence.
- Concerted efforts must be made to provide children and young people with the knowledge and skills to identify online violence so that they can protect themselves from its different forms, whether perpetrated by peers or adults.
- Teachers also play a critical role by teaching students about online safety, and thus supporting parental involvement.
Conclusion
It is imperative that digital and social media platforms are free of cyberbullying if learners are to access quality education. More importantly, confidential reporting and redress services must be established.
[pib] CERT-In authorized as CVE Numbering Authority (CNA)
From UPSC perspective, the following things are important :
Prelims level: CNA, CVE Program, CERT-IN
Mains level: Cyber security challenges for India
CERT-In has partnered with the Common Vulnerabilities and Exposures (CVE) Program and has been authorized as a CVE Numbering Authority (CNA) for vulnerabilities impacting all products designed, developed and manufactured in India.
What is CVE Program?
- CVE is an international, community-based effort and relies on the community to discover vulnerabilities.
- Discovered vulnerabilities are assigned CVE IDs and published to the CVE List.
- Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
- Partners publish CVE Records to communicate consistent descriptions of vulnerabilities.
Mission of the Program
- The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
- Vulnerabilities are discovered, assigned and published by organizations from around the world that have partnered with the CVE Program.
Who are the CNAs?
- CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record.
- The CVE List is built by CVE Numbering Authorities (CNAs).
- Every CVE Record added to the list is assigned by a CNA.
- The CVE Records published in the catalog enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks.
- Each CNA has a specific scope of responsibility for vulnerability identification and publishing.
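The text says practitioners rely on CVE Records to be sure they are "discussing the same issue" and to correlate information. As an added example (not code from the article, from CERT-In or from the CVE Program), the block below does the two things that make that work in practice: it validates and canonicalises identifiers so that the same ID written differently by different sources is recognised as one, and it pulls the comparison fields out of a record. The record is a constructed placeholder that only loosely follows the public CVE Record JSON layout (cveMetadata and containers.cna); the ID CVE-2099-0001, the vendor, the product and the three advisories are fictitious.

```python
"""
Validating and correlating CVE identifiers (added example; not from the
original article or the CVE Program).  The record and advisories below are
constructed placeholders: CVE-2099-0001 is not a real identifier.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List

# Syntax: "CVE-" + four-digit year + "-" + four or more digits.  A sequence part
# longer than four digits is not zero-padded.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
CVE_IN_TEXT_RE = re.compile(r"CVE-\d{4}-\d+", re.I)


def normalise_cve_id(candidate: str) -> str:
    """Return the canonical upper-case form, or raise ValueError if malformed."""
    m = CVE_ID_RE.match(candidate.strip().upper())
    if not m:
        raise ValueError(f"not a CVE ID: {candidate!r}")
    year, seq = int(m.group(1)), m.group(2)
    if len(seq) > 4 and seq.startswith("0"):
        raise ValueError(f"zero-padded sequence number: {candidate!r}")
    if year < 1999:  # the CVE List began in 1999
        raise ValueError(f"implausible year: {candidate!r}")
    return m.group(0)


def is_valid_cve_id(candidate: str) -> bool:
    try:
        normalise_cve_id(candidate)
        return True
    except ValueError:
        return False


def summarise_record(record_json: str) -> Dict[str, object]:
    """Pull out the fields analysts compare first when matching a record to their assets."""
    rec = json.loads(record_json)
    meta, cna = rec["cveMetadata"], rec["containers"]["cna"]
    affected = []
    for item in cna.get("affected", []):
        for v in item.get("versions", []):
            rng = v["version"] + (f" to <{v['lessThan']}" if "lessThan" in v else "")
            affected.append(f"{item['vendor']} {item['product']} {rng} ({v['status']})")
    english = next(d["value"] for d in cna["descriptions"] if d.get("lang", "en").startswith("en"))
    return {"cve_id": normalise_cve_id(meta["cveId"]), "assigner": meta["assignerShortName"],
            "state": meta["state"], "description": english, "affected": affected}


def correlate(advisories: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each valid CVE ID found in free text to the sorted list of sources mentioning it."""
    seen: Dict[str, set] = defaultdict(set)
    for source, text in advisories.items():
        for raw in CVE_IN_TEXT_RE.findall(text):
            if is_valid_cve_id(raw):           # malformed IDs are dropped, not guessed at
                seen[normalise_cve_id(raw)].add(source)
    return {cve: sorted(srcs) for cve, srcs in sorted(seen.items())}


# Constructed placeholder record (fictitious ID, vendor and product).
SAMPLE_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-2099-0001", "assignerShortName": "placeholder-cna", "state": "PUBLISHED"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "Placeholder description of an input-validation flaw in ExampleRouter firmware."}],
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleRouter",
                      "versions": [{"version": "1.0", "lessThan": "1.4", "status": "affected", "versionType": "semver"}]}],
    }},
})

# Constructed advisories from three sources; note the differing case and the malformed ID.
SAMPLE_ADVISORIES = {
    "vendor-bulletin": "Firmware 1.4 fixes CVE-2099-0001 (web UI input validation).",
    "scanner": "host 203.0.113.7: cve-2099-0001 detected, ExampleRouter 1.2",
    "mailing-list": "Is CVE-2099-1 the same bug as the router issue?",  # malformed, dropped
}

if __name__ == "__main__":
    print(summarise_record(SAMPLE_RECORD))
    print(correlate(SAMPLE_ADVISORIES))
```

The point of the strict validator is that an ID which cannot be canonicalised cannot be correlated; a scanner finding and a vendor bulletin only line up because both are reduced to the same string before comparison.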
Back2Basics: Indian Computer Emergency Response Team (CERT-IN)
- CERT-IN is an office within the Ministry of Electronics and Information Technology.
- It is the nodal agency to deal with cyber security threats like hacking and phishing. It strengthens the security-related defense of the Indian Internet domain.
- It was formed in 2004 by the Government of India under Section 70B of the Information Technology Act, 2000, under the Ministry of Communications and Information Technology.
National Cyber Coordination Centre (NCCC)
From UPSC perspective, the following things are important :
Prelims level: National Cyber Coordination Centre, CERT-IN
Mains level: Cyber security challenges for India
The National Cyber Security Coordinator (NCSC) has said that there are cybersecurity organisations in the country but no central body responsible for safety in the online space.
National Cyber Coordination Centre
Headed by National Cyber Security Coordinator: Lt. Gen. Rajesh Pant (Retd.)
Objective: To help the country deal with malicious cyber-activities by acting as an Internet traffic monitoring entity that can fend off domestic or international attacks.
- The National Cyber Coordination Centre (NCCC) is an operational cybersecurity and e-surveillance agency in India.
- It is jurisdictionally under the Ministry of Home Affairs.
- It coordinates with multiple security and surveillance agencies as well as with CERT-In of the Ministry of Electronics and Information Technology.
- Components of the NCCC include a cybercrime prevention strategy, cybercrime investigation training and review of outdated laws.
Functions
- It will be India’s first layer for cyber threat monitoring and all communication with government and private service providers would be through this body only.
- The NCCC will be in virtual contact with the control room of all ISPs to scan traffic within the country, flowing at the point of entry and exit, including the international gateway.
Cyber-security bottlenecks in India
- India has no dedicated Cyber-security regulation and is also not well prepared to deal with cyberwarfare.
- India has formulated the National Cyber Security Policy 2013 which is not yet implemented.
- NCCC has been classified as a project of the Indian government without a legal framework, which may be counterproductive as it may violate civil liberties and human rights.
- Some have expressed concern that the NCCC could encroach on Indian citizens’ privacy and civil liberties, given the lack of explicit privacy laws in the country.
Back2Basics: Indian Computer Emergency Response Team (CERT-IN)
- CERT-IN is an office within the Ministry of Electronics and Information Technology.
- It is the nodal agency to deal with cyber security threats like hacking and phishing. It strengthens the security-related defence of the Indian Internet domain.
- It was formed in 2004 by the Government of India under Section 70B of the Information Technology Act, 2000, under the Ministry of Communications and Information Technology.
The outlines of a national security policy
From UPSC perspective, the following things are important :
Prelims level: Not much
Mains level: Paper 3- Dimensions of national security policy in 21st century
Context
National security concepts have, in the two decades of the 21st century, undergone fundamental changes. Cyberwarfare has vastly reduced the deterrent value of conventional deterrents.
Emergence of cyberwarfare
- In the 21st century, once cybertechnology enters as an important variable in nations’ defence policies, geographical land size or GDP size will be irrelevant to war-making capacity or deterrence.
- These fundamental changes are entirely due to the earlier 20th century innovations in cybertechnology and software developments.
- Drones, robots, satellites and advanced computers as weapons are already in use.
- Some examples of further innovations are artificial intelligence and nanotechnology.
- Tracking these cyberwarfare threats will need a new national security policy.
- By credible accounts, China, recently, publicly cautioned Indians to sit up and take notice by using cybertechnology to shut down Mumbai’s electric supply in populated areas of the city, for a few hours.
Four dimensions of national security policy
- Objectives: The objective of the National Security Policy in the 21st century is to define what assets are required to be defended and to identify the opponents.
- Although the novel coronavirus is perhaps accidental, it has completely destabilised people and their governments in all nations of the world.
- This is a preview of the kinds of threats that await us in the coming decades which a national security policy will have to address by choosing a nation’s priorities.
- Priorities: National security priorities will require new departments for supporting several frontiers of innovation and technologies such as hydrogen fuel cells, desalination of seawater, thorium for nuclear technology, anti-computer viruses, and new immunity-creating medicines.
- This focus on a new priority will require compulsory science and mathematics education, especially in applications for analytical subjects.
- Strategy: The strategy required for this new national security policy will be to anticipate our enemies in many dimensions and to build deterrence of the enemy through demonstrative but limited pre-emptive strikes.
- For India, it will be the China cyber capability factor which is the new threat for which it has to devise a new strategy.
- Resource mobilisation: The macroeconomics of resource mobilisation depends on whether a nation has ‘demand’ as an economic deficit or not.
- If demand for a commodity or service is in deficit to clear the market of the available supply of the same, then liberal printing of currency and placing it in the hands of consumers is recommended for the economy to recover the demand-supply parity.
- A way to increase demand is by lowering the interest rate on bank loans or raising the rates in fixed deposits which will enable banks to obtain liquidity and lend liberally for enhancing investment for production.
- If it is ‘supply’ that is short or in deficit compared to demand, then special measures are required to incentivise an increase in supply.
Conclusion
National security at its root in the 21st century will depend on mind-boggling skills in the four dimensions mentioned above.
What is Border Gateway Protocol (BGP)?
From UPSC perspective, the following things are important :
Prelims level: Border Gateway Protocol
Mains level: Internet blackout
The outages at Facebook, WhatsApp and Instagram occurred because of a problem in the company’s domain name system. At the heart of it was a BGP or Border Gateway Protocol issue.
What is BGP?
- Simply put, it is the protocol that runs the internet or makes it work.
- Since the internet is a network of networks, BGP is the mechanism that binds it together.
- When BGP doesn’t work, internet routers can’t figure out where to send traffic, and that leads to the internet not working.
- The routers — the big ones — keep updating the possible routes that are used to deliver network packets to their final destination.
- In this case, Facebook’s platforms were the final destination, and the BGP problem meant Facebook was unable to let other networks know that it was on the internet.
How does it work?
- The BGP is like an entity that is responsible for creating and more importantly updating maps that lead you to sites like Google, Facebook or YouTube.
- So if someone is responsible for making and updating the map, and they make a mistake, then the traffic — or users — will not end up reaching that place.
How did a BGP issue affect Facebook?
- A BGP update message informs a router of any changes you’ve made to a prefix advertisement or entirely withdraws the prefix.
- There were a lot of routing changes from Facebook last night; once the routes were withdrawn, Facebook’s Domain Name Servers went offline.
Role of DNS
- DNS is the phonebook of the Internet.
- People access information online through domain names — timesofindia.com or facebook.com.
- Internet browsers use IP (Internet Protocol) addresses, and what DNS does is translate domain names to IP addresses so that browsers can load Internet resources.
- If DNS is the internet’s phone book, BGP is its postal service.
- When a user sends data over the internet, BGP determines the best available paths that data can travel.
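The sections above explain in prose how a prefix advertisement is updated or withdrawn and why withdrawing the routes to the name servers took the whole service offline even though nothing else had changed. The following is an added example, not code from the original article, that models the same mechanism: a router table with longest-prefix matching, an update that advertises or withdraws a prefix, and a stub resolver that can only answer if it has a route to the zone's authoritative server. The addresses are RFC 5737 documentation ranges and the AS numbers are from the RFC 5398 documentation block, so none of it refers to a real network; the "update" method call stands in for a BGP UPDATE message.

```python
"""
A toy model of BGP advertisement and withdrawal and its effect on DNS
(added example; not from the original article).  Real BGP speakers exchange
UPDATE messages with peers; here the table is a dictionary and an update is a
method call.  Addresses and AS numbers are documentation values only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    as_path: List[int]          # ASNs a packet would traverse; the last one originated the prefix


class UnreachableError(Exception):
    """Raised when the resolver has no route to the server it needs to ask."""


class RouterRIB:
    """Routing information base: the set of prefixes this router currently knows about."""

    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, Route] = {}

    def update(self, prefix: str, as_path: List[int]) -> None:
        # An UPDATE carrying a prefix announces it, or replaces an earlier announcement.
        net = ipaddress.ip_network(prefix)
        self.routes[net] = Route(net, list(as_path))

    def withdraw(self, prefix: str) -> None:
        # An UPDATE can also list withdrawn prefixes; the router simply forgets them.
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, ip: str) -> Optional[Route]:
        # Longest-prefix match: the most specific route covering the address wins.
        addr = ipaddress.ip_address(ip)
        candidates = [r for r in self.routes.values() if addr in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


class Resolver:
    """A stub resolver that must reach the zone's authoritative server before it can answer."""

    def __init__(self, rib: RouterRIB, ns_ip: str, zone: Dict[str, str]) -> None:
        self.rib, self.ns_ip, self.zone = rib, ns_ip, zone

    def resolve(self, name: str) -> str:
        if self.rib.lookup(self.ns_ip) is None:
            raise UnreachableError(f"no route to {self.ns_ip}")
        return self.zone[name]


def simulate_outage() -> Dict[str, object]:
    """Advertise two prefixes, withdraw the one carrying the name servers, observe the effect."""
    rib = RouterRIB()
    rib.update("203.0.113.0/24", [64496, 64500])   # constructed: prefix hosting the name servers
    rib.update("198.51.100.0/24", [64496, 64500])  # constructed: prefix hosting the web front ends
    resolver = Resolver(rib, ns_ip="203.0.113.53", zone={"www.example.com": "198.51.100.10"})
    before = resolver.resolve("www.example.com")
    rib.withdraw("203.0.113.0/24")                 # the name servers' prefix disappears from the table
    try:
        after = resolver.resolve("www.example.com")
    except UnreachableError as exc:
        after = f"DNS unreachable: {exc}"
    return {
        "before": before,
        "after": after,
        # The web prefix is still routed, but nobody can learn its address any more.
        "web_prefix_still_routed": rib.lookup("198.51.100.10") is not None,
    }


if __name__ == "__main__":
    for key, value in simulate_outage().items():
        print(f"{key}: {value}")
```

The model makes the dependency explicit: reachability of the web servers is irrelevant if the prefix that carries the authoritative DNS servers has been withdrawn, because the "phone book" lookup fails before the "postal service" is ever asked to deliver anything.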
The epoch of cyberweapons
From UPSC perspective, the following things are important :
Prelims level: Zero day vulnerability
Mains level: Paper 3- Cyberwarfare-Fifth dimension
Context
The controversy over the use of Pegasus spyware for snooping highlights the threats posed by cyber-weapons.
The emergence of the cyber weapons epoch
- Cyberattacks on institutions such as banks and on critical infrastructure have proliferated to an alarming extent, signaling the emergence of the cyber weapon epoch.
- Privacy has been eroded and the Internet has become a powerful weapon in the hands of those seeking to exploit its various facets.
- Fifth dimension of warfare: Cyber is often touted as the fifth dimension of warfare — in addition to land, sea, air and space.
The domain of everyday life
- Cyber, as the domain of military and national security, also co-exists with cyber as a domain of everyday life.
- The war is no longer out there.
- It is now directly inside one’s drawing-room, with cyberweapons becoming the weapon of choice.
- Israelis today dominate the cyber domain along with the Chinese, Russians, Koreans and, of course, the Americans.
- From intrusive surveillance to sabotage is but a short step.
Cyberattacks during the past decades
- The devastating 2007 cyberattack on Estonia’s critical infrastructure was followed a few years later by the Stuxnet worm attack on Iran’s nuclear facility.
- The Shamoon virus attack on Saudi Aramco occurred in 2012.
- In 2016, a cyberattack occurred on Ukraine’s state power grid; in 2017 there was a ransomware attack (NotPetya) which affected machines in as many as 64 countries.
- The United Kingdom’s National Health Service fell prey to the WannaCry attack the same year.
- This year saw a series of attacks on Ireland’s health care system and, in the United States, incidents such as SolarWinds and the cyberattacks on Colonial Pipeline and JBS.
What are the threats posed by cyberattacks?
- Cyberweapons carry untold capacity to distort systems and structures — civilian or military.
- Cyberweapons also interfere with democratic processes, aggravate domestic divisions and, above all, unleash forces over which established institutions or even governments have little control.
- As more and more devices are connected to networks, the cyber threat is only bound to intensify, both in the short and the medium term.
- What is especially terrifying is that instruments of everyday use can be infected or infiltrated without any direct involvement of the target.
- The possibilities for misuse are immense and involve far graver consequences to an individual, an establishment, or the nation.
- It is not difficult to envisage that from wholesale espionage, this would become something far more sinister such as sabotage.
Way forward
- Deeper understanding: Dealing with ‘zero day’ vulnerabilities requires far more thought and introspection than merely creating special firewalls or special phones that are ‘detached’ from the Internet.
- Recognising the mindset: What is needed is a deeper understanding of not only cyber technologies, but also recognising the mindsets of those who employ spyware of the Pegasus variety, and those at the helm of companies such as the NSO.
- Short-term remedies are unlikely to achieve desired results.
- AI is no panacea: Artificial Intelligence (AI) is often seen as a kind of panacea for many of the current problems and ills, but all advances in technology tend to be a double-edged sword.
- If truth be told, AI could in turn make all information warfare — including cyber related — almost impossible to detect, deflect or prevent, at least at the current stage of development of AI tools.
Conclusion
All this suggests that security in the era of ever-expanding cyberweapons could become an ever-receding horizon.
Back2Basics: Zero-day vulnerability
- The term “zero-day” refers to a newly discovered software vulnerability.
- Because the developer has just learned of the flaw, it also means an official patch or update to fix the issue hasn’t been released.
- So, “zero-day” refers to the fact that the developers have “zero days” to fix the problem that has just been exposed — and perhaps already exploited by hackers.
Back in news: Pegasus Spyware
From UPSC perspective, the following things are important :
Prelims level: Pegasus
Mains level: Whatsapp snooping
Telephone numbers of some noted Indian journalists were successfully snooped upon by an unidentified agency using Pegasus software.
Pegasus Spyware
- All spyware does what the name suggests — it spies on people through their phones.
- Pegasus works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
- A presumably newer version of the malware does not even require a target user to click a link.
- Once Pegasus is installed, the attacker has complete access to the target user’s phone.
- The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.
What is the new threat?
- Pegasus has evolved from its earlier spear-phishing methods using text links or messages to ‘zero-click’ attacks which do not require any action from the phone’s user.
- This has made what was already, without a doubt, the most powerful spyware out there even more potent and almost impossible to detect or stop.
How do zero-click attacks work?
- A zero-click attack helps spyware like Pegasus gain control over a device without human interaction or human error.
- Zero-click attacks are hard to detect given their nature and hence even harder to prevent.
- Detection becomes even harder in encrypted environments where there is no visibility on the data packets being sent or received.
- Most of these attacks exploit software that receives data before it can determine whether what is coming in is trustworthy, such as an email client.
Answer this PYQ from CSP 2018:
Q. The terms ‘WannaCry, Petya, Eternal Blue’ sometimes mentioned in the news recently are related to
(a) Exoplanets
(b) Crypto currency
(c) Cyber attacks
(d) Mini satellites
New online platform maps Pegasus spread
From UPSC perspective, the following things are important :
Prelims level: Pegasus
Mains level: Whatsapp snooping
An online database about the use of the spyware Pegasus was recently launched by Forensic Architecture, Amnesty International and the Citizen Lab to document attacks against human rights defenders.
What is Pegasus?
- Last year, one of the biggest stories to break in cyberspace was WhatsApp’s report that 1,400 of its users were hacked by Pegasus, a spyware tool from the Israeli firm NSO Group.
- All spyware does what the name suggests — it spies on people through their phones.
- Pegasus works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
- A presumably newer version of the malware does not even require a target user to click a link.
- Once Pegasus is installed, the attacker has complete access to the target user’s phone.
Why is Pegasus dangerous?
- What makes Pegasus really dangerous is that it spares no aspect of a person’s identity. It makes older techniques of spying seem relatively harmless.
- It can intercept every call and SMS, read every email and monitor each messaging app.
- Pegasus can also control the phone’s camera and microphone and has access to the device’s location data.
- The app advertises that it can carry out “file retrieval”, which means it could access any document that a target might have stored on their phone.
Global Cybersecurity Index 2020
From UPSC perspective, the following things are important :
Prelims level: Global Cybersecurity Index
Mains level: Cyber security challenges for India
India has made it to the top 10 in Global Cybersecurity Index (GCI) 2020 by ITU, moving up 37 places to rank as the tenth best country in the world on key cybersafety parameters.
Global Cybersecurity Index
- GCI assessment is done on the basis of performance on five parameters of cybersecurity including legal measures, technical measures, organizational measures, capacity development, and cooperation.
- The performance is then aggregated into an overall score.
- For each of the five aspects, every country’s performance and commitment are assessed through a question-based online survey, which also allows supporting evidence to be collected.
India’s progress
- As per the ranking, India has moved up by 37 places to rank as the tenth best country in the world.
- The US topped the chart, followed by the UK and Saudi Arabia tied on the second position, while Estonia was ranked third in the index.
- India has also secured the fourth position in the Asia Pacific region, underlining its commitment to cybersecurity.
Its significance
- The affirmation by the UN body of India’s efforts on cybersecurity comes just ahead of the sixth anniversary of Digital India on July 1.
- India is emerging as a global IT superpower, asserting its digital sovereignty with firm measures to safeguard data privacy and online rights of citizens.
Back2Basics: International Telecommunication Union
- ITU is the United Nations specialized agency for information and communication technologies – ICTs.
- It was founded in 1865 to facilitate international connectivity in communications networks and is headquartered in Geneva, Switzerland.
- It allocates global radio spectrum and satellite orbits, develops the technical standards that ensure networks and technologies seamlessly interconnect, and strives to improve access to ICTs to underserved communities worldwide.
- Recently, India was elected as a member of the ITU Council for another 4-year term, from 2019 to 2022. India has remained a regular member since 1952.
Cyberattacks reveal vulnerabilities in critical infrastructures
From UPSC perspective, the following things are important :
Prelims level: Ransomware
Mains level: Paper 3- Threat of cyberattacks
The article highlights the threat posed by cyberattacks to our critical infrastructure and suggests ways to deal with the ever-evolving threat.
Civilian targets of cyberattacks
- Several high-profile cyberattacks were reported from the United States during the past several months.
- These attacks were all primarily on civilian targets, though each one was of critical importance.
- Obviously cyber, which is often referred to as the fifth domain/dimension of warfare, is now largely being employed against civilian targets.
- Most nations have been concentrating till date mainly on erecting cyber defences to protect military and strategic targets, but this will now need to change.
Challenges
- Defending civilian targets, and more so critical infrastructure, against cyberattacks such as ransomware and phishing is almost certain to stretch the capability and resources of governments across the globe.
- The distinction between military and civilian targets is increasingly getting erased and the consequences of this could be indeterminate.
- In the civilian domain, two key manifestations of the ‘cat and mouse game’ of cyber warfare today, are ransomware and phishing, including spear phishing.
- Banking and financial services were most prone to ransomware attacks till date, but oil, electricity grids, and lately, health care, have begun to figure prominently.
- Ransomware attacks have skyrocketed, with demands and payments going into multi-millions of dollars.
- India figures prominently in this list, being one of the most affected.
- Compromised ‘health information’ is proving to be a vital commodity for use by cybercriminals.
- All indications are that cybercriminals are increasingly targeting a nation’s health-care system and trying to gain access to patients’ data.
- The available data aggravates the risk not only to the individual but also to entire communities.
- Cybercriminals are becoming more sophisticated, and are now engaged in stealing sensitive data in targeted computers before launching a ransomware attack.
- Also, today’s cybercriminals, especially those specialising in ransomware and similar attacks, are different from ordinary criminals.
- Many are known to practise ‘reverse engineering’ and employ ‘penetration testers’ to probe highly secure networks.
Way forward
- The need for businesses to be aware of the nature of the cyber threat they face and to take adequate precautionary measures has become extremely vital.
- Cybersecurity essentially hinges on data protection.
- As data becomes the world’s most precious commodity, attacks on data and data systems are bound to intensify.
- With mobile and cloud computing expanding rapidly, cybersecurity professionals are now engaged in building a ‘Zero Trust Based Environment’, viz., zero trust on endpoint devices, zero trust on identity, and zero trust on the network, to protect all sensitive data.
- Building deep technology in cyber is essential.
- New technologies such as artificial intelligence, machine learning and quantum computing also present new opportunities.
- Pressure also needs to be put on officials in the public domain, as also company boards, to carry out regular vulnerability assessments and create necessary awareness of the growing cyber threat.
Consider the question “Several high-profile cyberattacks across the world have exposed vulnerabilities in the critical infrastructure of even advanced nations. In light of this, examine the challenges posed by cyberattacks and suggest measures to deal with these challenges.”
Conclusion
The threat posed by cyberattacks highlights the need for improved defences against actual and potential cyberattacks by all countries across continents.
What is Fastly Internet Outage?
From UPSC perspective, the following things are important :
Prelims level: Content delivery network (CDN)
Mains level: Need for data localization
Several big websites around the world went down for about half an hour because of a major issue with the content delivery network (CDN) of American cloud computing services provider Fastly.
Global internet outage: Which websites were affected?
- com, Reddit, Twitch, Spotify, Pinterest, Stack Overflow, GitHub, gov.uk, Hulu, HBO Max, Quora, PayPal, Vimeo and Shopify are some of the big names.
- Prominent news websites impacted were the Financial Times, the Guardian, the New York Times, CNN, and Verge, to name some.
- Most users would have seen an HTTP 503 (Service Unavailable) error when trying to access these websites, indicating that the server could not serve the request.
What is Fastly?
- Fastly is a cloud computing services provider which offers CDN, edge computing and cloud storage services.
- All of its geographies, including the three stations it has in India — Chennai, Mumbai and New Delhi — were suffering from “Degraded Performance”.
What is a CDN?
- A CDN refers to a geographically distributed group of servers that work together to provide fast delivery of Internet content.
- They house content close to the telecom service providers’ networks.
- The majority of web traffic across the world today is routed through CDNs.
- Platforms such as Netflix, Facebook, Amazon — ones with large quantities of data held in global libraries — host their geographically relevant content closer to where that content is to be consumed.
- This ensures the end customer is able to access the content faster.
- Another reason companies rely on CDNs is to help protect their sites against traffic spikes, distributed denial of service (DDoS) attacks, etc.
The march towards an equitable data economy
From UPSC perspective, the following things are important :
Prelims level: GDPR
Mains level: Paper 3- Data governance
The article explains the data governance norms we need to adopt to secure better societal outcomes.
Whatsapp privacy issue
- New terms of service circulated by WhatsApp caused a stir among users.
- It informed users that data about chats with business accounts would be shared with Facebook.
- These policies seemed unfair to India as they were not applicable to the European Union (EU), given their strong data protection policies.
Acceptable levels of data exchange
- Default norms provide power to the tech platforms to collect, analyse and monetize data with complete control.
- This undergirds business models that seem undesirable for society—with harms to privacy and free speech.
- Global discussions about alternatives to the “exchange of data for free services” are becoming nuanced.
3 Norms in the data governance
1) Recognition of individual and collective rights related to data
- It was generally accepted that extraction of data to access free services was a fair exchange with individuals.
- The emergence of existential threats related to privacy and democracy has highlighted the role of guaranteeing human and civil rights.
- There has been significant global progress through regulations on individual data rights.
- A United Nations Conference on Trade and Development (UNCTAD) report claims that 128 of 194 countries have put in place legislation for data protection and privacy.
- However, this protection is insufficient as it is centered on individuals and does not account for safety of groups.
- The next wave of data governance ideas will seek to protect against collective harms and build on the foundation of individual agency and control.
2) Data sovereignty
- One-size-fits-all global norms of data governance are changing and being replaced by region-specific ideas.
- Greater acceptance for “data sovereignty” assertions across India and Europe is a welcome shift towards crafting governance that is respectful of local nuances and inclusive of civic participation.
- The EU general data protection regulation (GDPR) had created an early lighthouse example.
- On the other hand, the US has adopted a light regulation approach—there is no comprehensive country-wide data protection law.
- Closer home, India is finalizing the contours of a country-wide and cross-sector personal data protection bill, which reflects local norms.
3) Value creation for all stakeholders
- So far, the data economy has operated in a completely unregulated space, creating a “winner takes all” market, with concentrated profits and little contribution to local taxes.
- A healthy economy requires value creation for all stakeholders.
- As tech platforms take up the profitable role of acting as the gateway to all information and social connections, they have a greater accountability and responsibility to contribute to the economy.
- India’s digital tax through the 2% “equalization levy” is an attempt to make the tech giants pay for revenues earned in India.
Consider the question “What should be norms of data governance we must adopt for achieving better societal outcomes?”
Conclusion
Formal adoption of regulations and setting up of enforcement institutions will lead to meaningful progress in the right direction.
Why the Personal Data Protection Bill matters
From UPSC perspective, the following things are important :
Prelims level: IT Act 2000
Mains level: Paper 3- Personal Data Protection Bill and related issues
The existing data protection framework based on the IT Act 2000 falls short on several counts. The Personal Data Protection Bill seeks to address these shortcomings. The article explains how the two differ.
Need for new data protection regime
- The need for a more robust data protection legislation came to the fore in 2017 post the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd) v. Union of India.
- In the judgment, the Court called for a data protection law that can effectively protect users’ privacy over their personal data.
- Consequently, the Committee of Experts was formed under the Chairmanship of Justice (Retd) B.N. Srikrishna to suggest a draft data protection law.
- The Personal Data Protection Bill, 2019, in its current form, is a revised version of the draft legislative document proposed by the Committee.
Issues with the existing data protection framework
- The Information Technology Act, 2000 governs how different entities collect and process users’ personal data in India.
- However, entities could override the protections in the regime by taking users’ consent to processing personal data under broad terms and conditions.
- This is problematic given that users might not understand the terms and conditions or the implications of giving consent.
- Further, the framework emphasises data security but does not place enough emphasis on data privacy.
- As a result, entities could use the data for purposes different from those that the user consented to.
- The data protection provisions under the IT Act also do not apply to government agencies.
- Finally, the regime seems to have become antiquated and inadequate in addressing risks emerging from new developments in data processing technology.
How the new regime under Data Protection Bill 2019 is different
- First, the Bill seeks to apply the data protection regime to both government and private entities across all sectors.
- Second, the Bill seeks to emphasise data security and data privacy.
- While entities will have to maintain security safeguards to protect personal data, they will also have to fulfill a set of data protection obligations and transparency and accountability measures.
- Third, the Bill seeks to give users a set of rights over their personal data and means to exercise those rights.
- Fourth, the Bill seeks to create an independent and powerful regulator known as the Data Protection Authority (DPA).
- The DPA will monitor and regulate data processing activities to ensure their compliance with the regime.
Concerns
- Under clause 35, the Central government can exempt any government agency from complying with the Bill.
- Similarly, users could find it difficult to enforce various user protection safeguards (such as rights and remedies) in the Bill.
- For instance, the Bill threatens legal consequences for users who withdraw their consent for a data processing activity.
- Additional concerns also emerge about whether the DPA can function as an independent and effective regulator that upholds users’ interests.
Consider the question “What are the issues with the present framework in India for data and privacy protection? How does the Personal Data Protection Bill seek to address these issues?”
Conclusion
The Joint Parliamentary Committee that is scrutinising the Bill is expected to submit its final report in the Monsoon Session of Parliament in 2021. Taking this time to make some changes in the Bill targeted towards addressing the various concerns in it could make for a stronger and more effective data protection regime.
Forestalling the cyber threats India faces
From UPSC perspective, the following things are important :
Prelims level: CERT-In
Mains level: Paper 3- Identifying the cyber threat
The article highlights the threat of a cyber attack on India’s critical infrastructure and suggests the need to take preventive measures.
Targeting the infrastructure
- The U.S.-based cyber security firm Recorded Future revealed that the past blackout in Mumbai was linked to a cyber attack from China.
- Recorded Future had also found an increase in malware attacks targeting the Indian government, defence organisations and the public sector.
- It also found that, coinciding with Chinese incursions in Eastern Ladakh, certain Indian power facilities had been targets of a cyber attack.
- This indicates that India’s key infrastructure facilities, such as the power sector, are now in the crosshairs of a hostile China.
- Indian government agencies, such as the National Critical Information Infrastructure Protection Centre (NCIIPC) and the Indian Computer Emergency Response Team (CERT-In), need to be on their guard.
Exploiting vulnerabilities
- China’s cyber offensive is directed against many advanced nations as well.
- In attempting this, what China is doing is essentially exploiting to perfection the many vulnerabilities that software companies (essentially those in the West) have deliberately left open for offensive use at an opportune time.
- By exploiting this loophole, China has turned matters on their head: it is companies in the western world that are now at the receiving end of such antics.
- Chinese cyber espionage sets no limitations on targets.
- Towards the end of 2020, and as the world prepared for large-scale deployment of COVID-19 vaccines, their attention was directed to vaccine distribution supply chains around the world.
Way forward
- Nations should beware and be warned about how cyber attacks can bring a nation to its knees.
- This was well demonstrated way back in 2016 through a major attack on Ukraine’s power grid.
- The Ukraine example should be a wake-up call for India and the world, as in the intervening five years, the sophistication of cyber attacks and the kind of malware available have become more advanced.
- India could well be blindsided by Chinese cyber attacks on critical infrastructure if the latter sets out to do so, unless prophylactic measures are taken in time.
Consider the question “Examine the threat posed by cyber attacks on critical information infrastructure. Suggest ways to deal with it.”
Conclusion
‘Cyber’ could well be one of China’s main threat vectors employed against countries that do not fall in line with China’s world view. Drawing up a comprehensive cyber strategy, one that fully acknowledges the extent of the cyber threat from China, has thus become an imperative and immediate necessity.
Critical information infrastructure
From UPSC perspective, the following things are important :
Prelims level: CERT-In
Mains level: Paper 3- Critical information infrastructure protection
The article underscores the threat of cyberattacks on the critical infrastructure and also suggests the steps to be taken to secure these infrastructures.
Cyberattack on the power grid
- On October 12 last year, Mumbai plunged into darkness as the electric grid supply to the city failed.
- Recently, a study by Massachusetts-based Recorded Future, said that the Mumbai power outage could have been a cyberattack aimed at critical infrastructure.
- It was carried out by the state-sponsored group Red Echo.
- As recently as February, the Centre’s nodal agency, the National Critical Information Infrastructure Protection Centre (NCIIPC), had reported concerted attempts by Red Echo to hack the critical grid network.
- CERT-In is reported to have detected the ShadowPad malware in one of the largest supply chain attacks a month after the Mumbai outage.
- Many of the suspected IP addresses identified by NCIIPC and CERT-In were the same and most have been blocked in time.
- The Chinese focus in the past was stealing information and not projecting power, but the situation with India might be different.
Why critical infrastructures are so vulnerable
- Many of these critical infrastructures were designed with productivity and reliability, not security, in mind, so their vulnerability is more evident today.
- With devices getting more interconnected and dependent on the internet facilitating remote access during a pandemic, the security of cyber-physical systems has, indeed, become a major challenge for utility companies.
Critical information infrastructure protection
- For more than a decade, there have been concerns about critical information infrastructure protection (CIIP).
- In January 2014, the NCIIPC was notified to be the national nodal agency for CIIP and over these years has been working closely with the various agencies.
- In January 2019, the government also announced a National Mission on Interdisciplinary Cyber-Physical Systems (NM-ICPS), with a budget of Rs 3,660 crore for the next five years, to strengthen the sector.
Way forward
- Most ministries and departments need better budget allocations for cybersecurity as well as a more robust infrastructure, processes and audit system.
- The industrial cybersecurity standard IEC 62443, launched by the Bureau of Indian Standards (BIS), has to be adopted soon.
- For the power sector, a strong regulation on the lines of the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards could serve as a guide.
Consider the question “Discuss the importance of critical information infrastructure protection (CIIP). Also mention the steps taken by the government in this regard.”
Conclusion
Clearly, the incident is a wake-up call for better preparedness in terms of a more robust cyber security ecosystem in place. The new cyber security policy awaiting imminent announcement will hopefully cater to that.
China’s cyber eye and India
From UPSC perspective, the following things are important :
Prelims level: Not Much
Mains level: Cyber attacks as China's tool
Amid souring relations between India and China last year, evidence has emerged that a Chinese government-linked group’s attempts led to a power outage in Mumbai yesterday and now in Telangana today.
Q.The use of cyber offensive tools and espionage is a fairly active element of the People’s Republic of China. Discuss in light of recent incidences of cyber attack in India.
Red Echo & ShadowPad
- On February 28, a Massachusetts-based firm published a report saying it had observed a steep rise in the use of resources like malware by a Chinese group called Red Echo.
- It aimed to target “a large swathe” of India’s power sector.
- It said 10 distinct Indian power sector organisations were targeted, including four Regional Load Despatch Centres (RLDCs) that are responsible for the smooth operation of the country’s power grid by balancing the supply and demand of electricity.
- Red Echo used malware called ShadowPad, which involves the use of a backdoor to access servers.
India confirms cyber attack
- The Ministry of Power has confirmed these attempts, stating it had been informed in November 2020 about the ShadowPad malware at some control centres.
- The Ministry said it was informed of Red Echo’s attempts to target the country’s load despatch centres in February.
- It had said “no data breach/data loss” had been detected due to the incidents.
What does it imply?
- This is clearly something that is linked to China’s geopolitical interests.
- It is established very clearly that the use of cyber offensive tools and espionage is a fairly active element of what the People’s Republic of China seems to be adopting and encouraging.
- Even when they are not directly in charge of an offensive operation, they seem to be consistently encouraging actors to develop this capability.
PRC’s long term strategy
- These cyber-attacks are seen as an attempt to test and lay the grounds for further operations in the future.
- We need to remember that sometimes these offensive operations are carried out to distract people from other places that they might be targeting or other activities that might be occurring.
- There was an increase in cyber offensive operations and incidents around the world in the second half of 2020 especially targeting the healthcare and vaccine space.
- When vaccine companies are targeted, the motive could be competition.
- The motivation behind Stone Panda’s attack against SII and Bharat Biotech’s IT systems was to extract the companies’ intellectual property and gain a competitive advantage.
Other such attacks: Stone Panda & vaccines
- A Chinese hacker group known as Stone Panda had identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India.
- These companies have developed Covaxin and Covishield, which are currently being used in the national vaccination campaign.
- They are also in the process of testing additional Covid-19 vaccines that could add value to efforts around the world.
Cyber Security – CERTs, Policy, etc
Sandes: the government’s new Instant Messaging Platform
From UPSC perspective, the following things are important :
Prelims level: Sandes
Mains level: Secured instant messaging
The National Informatics Centre (NIC) has launched an instant messaging platform called Sandes on the lines of WhatsApp. Open initially only to government officers, it has now been released for the common public as well.
Features of Sandes Platform
- The instant messaging app, called Sandes, has an interface similar to many other apps currently available in the market.
- Like WhatsApp, the new NIC platform can be used for all kinds of communications by anyone with a mobile number or email id.
- Although there is no option to transfer chat history between two platforms, chats on the government instant messaging system (GIMS) can be backed up to a user’s email.
- It also offers features such as group making, broadcast message, message forwarding and emojis.
- Further, as an additional safety feature, it allows a user to mark a message as confidential, which will allow the recipient to be made aware the message should not be shared with others.
Why is such an instant messaging platform needed?
- Following the nationwide lockdown, the government felt the need to build a platform to ensure secure communication between its employees as they worked from home.
- The idea for a secure communication network dedicated exclusively to government employees has been in the works for the past four years.
- In August 2020, the NIC released the first version of the app, stating that it could be used by both central and state government officials for intra- and inter-organisation communication.
- The app was initially launched for Android users and then the service was extended to iOS users.
Limitations of the app
- The limitation, however, is that the app does not allow the user to change their email id or registered phone number.
- The user will have to re-register as a new user in case they wish to change their registered email id or phone number on the app.
Cyber Security – CERTs, Policy, etc
What is NetWire Malware?
From UPSC perspective, the following things are important :
Prelims level: Malwares
Mains level: Cyber attacks and the threats posed to national security
This newscard is an excerpt from the original article published in The Hindu.
Try this question from CSP 2018:
Q.The terms ‘WannaCry, Petya, Eternal Blue’ sometimes mentioned in the news recently are related to
(a) Exoplanets
(b) Crypto currency
(c) Cyber attacks
(d) Mini satellites
What is NetWire?
- NetWire, which first surfaced in 2012, is a well-known malware.
- It is also one of the most active ones around.
- It is a remote access Trojan, or RAT, which gives control of the infected system to an attacker. Such malware can log keystrokes and compromise passwords.
Threats posed
- This malware essentially does two things:
- One is data exfiltration, which means stealing data. Most anti-virus software is equipped to prevent this.
- The other involves infiltrating a system, and this has proven to be far more challenging for anti-virus software.
- NetWire is described as an off-the-shelf malware, while something like Pegasus, which used a bug in WhatsApp to infiltrate users’ phones in 2019, is custom-made and sold to nations.
Back2Basics: Classification of malicious software
Viruses
- A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program.
- It spreads from one computer to another, leaving infections as it travels.
- Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions.
- Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program.
- When the host code (alternative word for a computer program) is executed, the viral code is executed as well.
Ransomware
- Ransomware is a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
- While some simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion.
- This encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.
Worms
- Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage.
- In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate.
- To spread, worms either exploit the vulnerability on the target system or use some kind of social engineering to trick users into executing them.
- A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.
- More advanced worms leverage encryption, wipers, and ransomware technologies to harm their targets.
Trojans
- A Trojan is a harmful piece of software that looks legitimate.
- After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses).
- Trojans are also known to create backdoors to give malicious users access to the system.
- Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.
- Trojans must spread through user interaction such as opening an email attachment or downloading and running a file from the Internet.
Bots
- “Bot” is derived from the word “robot” and is an automated process that interacts with other network services.
- Bots often automate tasks and provide information or services that would otherwise be conducted by a human being.
- A typical use of bots is to gather information, such as web crawlers, or interact automatically with Instant Messaging (IM), Internet Relay Chat (IRC), or other web interfaces.
- They may also be used to interact dynamically with websites.
Cyber Security – CERTs, Policy, etc
New ideas needed for online privacy policies
From UPSC perspective, the following things are important :
Prelims level: Data Protection Bill provisions
Mains level: Paper 3- Issues of informed consent to the online privacy policies
The article discusses challenges posed by online privacy policies and suggests some ideas to make them more user friendly.
Issues with online privacy policies
- Such policies are not designed for easy reading.
- These policies are full of legal jargon and most are difficult to read.
- Most policies are exclusively in English, which is clearly inadequate in a country where no more than 12 per cent are comfortable with the language.
- A human-centric study across India found that even people who couldn’t read or write, when made aware of what they were consenting to, cared deeply about it.
- Online consent is, therefore, a false choice for most Indians.
Importance of consent in data ecosystem
- Consent is also the fulcrum of India’s fast-growing data ecosystem.
- The Data Protection Bill under consideration by Parliament lists consent as a legal ground for data processing.
- Last year, NITI Aayog sought public comments on the Data Empowerment and Protection Architecture (DEPA), a system that will connect an individual’s financial, health, telecom and other data so that it can be moved from one provider to another.
- DEPA intends to use consent to ensure that users remain in control of their data.
New ideas needed to give users greater control
1) Business as steward of consumer trust
- Businesses need to become more responsible stewards of consumer trust.
- Experiments suggest that making consumers read privacy policies, by getting them to stay on the “privacy policy” page for a few minutes, led to increased trust in businesses and greater data sharing.
- Businesses can adopt such ideas to make users trust them more.
2) Regulatory bodies need to guide consumers
- Consumers do not have the time or knowledge to go through privacy policies.
- The food regulator’s food safety certifications and the Bureau of Energy Efficiency (BEE)’s rating guides have become part of our everyday lives.
- Similarly, a “privacy rating” for apps can help individuals make more informed choices about their data.
- Such “rules of thumb” can help them cut through the jargon, trust businesses more and share more data.
3) Running awareness campaign
- Governments and industry associations can play an enabling role by running innovative awareness campaigns that leverage local contexts, and relatable narrative styles.
- The campaign should include awareness messages about logging off from public computers and not sharing phone numbers easily.
4) Some other ideas
- The “burden of proof” on privacy should rest with providers rather than consumers.
- Businesses should act as fiduciaries of user data and act in the best interest of the user rather than simply maximising profits.
- Regulators can create a new class of intermediaries that warn consumers about dangerous practices, represent them, and seek recourse on their behalf.
Consider the question “What are the issues with consent to online privacy policies? Suggest measures to give users greater control over their digital destinies.”
Conclusion
By educating and empowering every Indian, we will enable her to participate fully in India’s digital economy, and thereby create a meaningful digital life for every Indian. Only then will the true potential of Digital India be realised.
Cyber Security – CERTs, Policy, etc
What is the SolarWinds Hack?
From UPSC perspective, the following things are important :
Prelims level: SolarWinds Hack
Mains level: Cyber attacks and the threats posed to national security
The ‘SolarWinds hack’, a cyberattack recently discovered in the US, has emerged as one of the biggest ever targeted against the US government, its agencies and several other private companies.
Do you know about the ‘Five Eyes’ group of nations?
SolarWinds Hack
- It was first discovered by US cybersecurity company FireEye, and since then more developments continue to come to light each day.
- The US attributed it to a highly sophisticated threat actor, calling it a state-sponsored attack, although it did not name Russia.
- It said the attack was carried out by a nation with top-tier offensive capabilities and the attacker primarily sought information related to certain government customers.
How dangerous is the attack?
- This is being called a ‘Supply Chain’ attack.
- Instead of directly attacking the federal government or a private organization’s network, the hackers target a third-party vendor, which supplies software to them.
- Once installed, the malware gave a backdoor entry to the hackers to the systems and networks of SolarWinds’ customers.
- More importantly, the malware was also able to thwart tools such as anti-virus that could detect it.
The deadliest cyber-attack ever in the US
- The US Energy Department, which is responsible for managing America’s nuclear weapons, is the latest agency to confirm that it has been breached in the SolarWinds cyber attack.
Cyber Security – CERTs, Policy, etc
Five Eyes (FVEY) group of nations
From UPSC perspective, the following things are important :
Prelims level: ‘Five Eyes’ group of nations, End-to-end encryptions
Mains level: Not Much
India has joined, as a seventh member, a drive led by the UK and the ‘Five Eyes’ group of nations against end-to-end encrypted social media messages.
Map the countries in ‘Five Eyes’ group of nations.
‘Five Eyes’ group of nations
- The Five Eyes (FVEY) is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States.
- The origins of the Five Eyes alliance can be traced back to the Atlantic Charter, which was issued in August 1941 to lay out the Allied goals for the post-war world.
- These countries are parties to the multilateral UK-USA Agreement, a treaty for joint cooperation in signals intelligence.
- India is among seven countries to back a UK-led campaign against end-to-end encryption of messages by social media giants such as Facebook, which they say hinders law enforcement by blocking all access to those messages.
A formal expansion
- The UK and India joined this group to ensure that the platforms do not blind themselves to illegal activity on their services, including child abuse images.
- This marks an expansion of the so-called “Five Eyes” group of nations, a global alliance on intelligence issues, to include India and Japan.
For a common cause
- All members claim that end-to-end encryption policies such as those employed by the social media giant erode the public’s safety online.
- They have made it clear that when end-to-end encryption is applied with no access to content, it severely undermines the ability of companies to take action against illegal activity on their own platforms.
- It also prevents law enforcement from investigating and prosecuting the most serious crimes committed on these services, such as online child sexual abuse, grooming and terrorist content.
Back2Basics: End-to-end encryption
- End-to-end encryption (E2EE) is a system of communication where only communicating users can read the messages.
- It is regarded as the most secure way to communicate privately and securely online.
- By encrypting messages at both ends of a conversation, end-to-end encryption prevents anyone in the middle from reading private communications.
- In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation.
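As an added illustration of the Back2Basics point above (not code from the original page or from any real messenger), a Go sketch of an end-to-end encrypted exchange: alice and bob agree a key over X25519, the service provider in the middle forwards only ciphertext it cannot read, and a single bit it flips in transit is rejected by the recipient. The party names, the SHA-256 key derivation and the nonce || ciphertext wire format are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one end of the chat: an X25519 key pair and, after key agreement,
// the AES-256-GCM key shared with the peer. The private key never leaves it.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
	aead cipher.AEAD
}

func NewParty(name string) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// PublicKey is the only key material a party publishes through the relay.
func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// Handshake derives the shared key from the peer's public key. Hashing the raw
// ECDH output with SHA-256 is a simplification made for this example; real messengers use a KDF and ratchet.
func (p *Party) Handshake(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return err
	}
	p.aead, err = cipher.NewGCM(block)
	return err
}

// Seal encrypts a message. Wire format is nonce || ciphertext || tag; the sender
// name is bound as associated data, so re-labelling the message breaks the tag.
func (p *Party) Seal(plaintext string) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return p.aead.Seal(nonce, nonce, []byte(plaintext), []byte(p.Name)), nil
}

// Open decrypts and verifies; any change to nonce, ciphertext or sender fails.
func (p *Party) Open(from string, wire []byte) (string, error) {
	n := p.aead.NonceSize()
	if len(wire) < n {
		return "", errors.New("message too short")
	}
	pt, err := p.aead.Open(nil, wire[:n], wire[n:], []byte(from))
	return string(pt), err
}

type Result struct{ Received string; RelaySaw, TamperCaught bool } // one exchange's outcome

// RunExchange sends msg from alice to bob through a relay that keeps a copy of
// everything it forwards (the provider in the middle). It reports what bob read,
// whether the relay's copy held the plaintext, and whether a one-bit change the
// relay makes to the ciphertext before delivery is rejected by bob.
func RunExchange(msg string) (Result, error) {
	alice, errA := NewParty("alice")
	bob, errB := NewParty("bob")
	if err := errors.Join(errA, errB); err != nil {
		return Result{}, err
	}
	// Public keys cross the relay in the clear; they are public values, so that is fine.
	if err := errors.Join(alice.Handshake(bob.PublicKey()), bob.Handshake(alice.PublicKey())); err != nil {
		return Result{}, err
	}
	wire, err := alice.Seal(msg) // the relay stores and forwards exactly these bytes
	if err != nil {
		return Result{}, err
	}
	got, openErr := bob.Open("alice", wire)
	tampered := append([]byte(nil), wire...)
	tampered[len(tampered)-1] ^= 0x01 // relay flips one bit of the tag
	_, tamperErr := bob.Open("alice", tampered)
	return Result{got, bytes.Contains(wire, []byte(msg)), tamperErr != nil}, openErr
}

func main() { fmt.Println(RunExchange("meet at 6")) }
```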
Cyber Security – CERTs, Policy, etc
BlackRock Android Malware
From UPSC perspective, the following things are important :
Prelims level: Malwares
Mains level: Data privacy issues
Various security firms have alerted users to a new malware called BlackRock.
Try this question from CSP 2018:
Q.The terms ‘WannaCry, Petya, Eternal Blue’ sometimes mentioned in the news recently are related to
(a) Exoplanets
(b) Cryptocurrency
(c) Cyberattacks
(d) Mini satellites
BlackRock
- BlackRock isn’t exactly a new malware. In fact, it is based on the leaked source code of the Xeres malware, itself derived from a malware called LokiBot.
- The only big difference between BlackRock and other Android banking trojans is that it can target more apps than previous malware.
How does it work?
- BlackRock works like most Android malware. Once installed on a phone, it monitors the targeted app.
- When the user enters the login and/or credit card details, the malware sends the information to a server.
- BlackRock abuses the phone’s Accessibility service and then uses an Android DPC (device policy controller) to grant itself further permissions.
- It can send and steal SMS messages, hide notifications, log keystrokes, detect antivirus software, and much more.
Threats posed
- The new malware can steal information like passwords and credit card information from about 377 smartphone applications, including Amazon, Facebook, and Gmail.
- It is so powerful that it makes antivirus applications useless.
Cyber Security – CERTs, Policy, etc
What are Deep Fakes?
From UPSC perspective, the following things are important :
Prelims level: Deep Fake
Mains level: Cyber bullying and other threats posed by AI
Cybercrime officials in India have been tracking certain apps and websites that produce vulgar photographs of innocent persons using Artificial Intelligence (AI) algorithms. These images are then used to blackmail victims, seek revenge or commit fraud on social networking and dating sites.
The most notorious misuse of AI is knocking at the door. Deepfakes are an application of Deep Learning (a subfield of AI and Machine Learning). UPSC may ask a mains question about the challenges posed by AI-based technology.
What is Deep Fake?
- Cybercriminals use AI software — now easily available on apps and websites — to superimpose a digital composite (assembling multiple media files to make a final one) on to an existing video, photo or audio.
- They are computer-generated images and videos.
- Using AI algorithms a person’s words, head movements and expressions are transferred onto another person in a seamless fashion.
- That makes it difficult to tell that it is a deepfake unless one closely observes the media file.
Threats posed
- Because of how realistic deepfake images, audio and videos can be, the technology lends itself to use by cybercriminals, who could spread misinformation to intimidate or blackmail people.
- With real-time face tracking it is becoming easier to fabricate believable videos of people doing and saying things they never did.
- There are rising cases of “revenge porn” i.e. creation of sexually explicit videos or images that are posted on the Internet without the consent of the subject as a way to harass them.
What are the catfish accounts?
- Catfishing refers to the practice of setting up fictitious online profiles most often for the purpose of luring another into a fraudulent romantic relationship.
- A “catfish” account is a fake social media profile set up with the goal of duping another person into falling for the false persona.
What can we do to protect ourselves?
- A basic check of a profile’s social media presence, the comments on its images and whether similar profiles exist could help determine if the person is genuine.
- While it is not easy to keep track of who downloads or misuses our images, the best protection is to use the privacy settings on social media profiles.
- If one feels that one’s image has been used without permission, freely available reverse image search tools can find images similar to one’s own.
- One can also be mindful of whom one is conversing with on the web.
Cyber Security – CERTs, Policy, etc
Private: Challenges to Internal Security through Communication Networks
From UPSC perspective, the following things are important :
Prelims level: Not Much
Mains level: Threats to the internal security through communication networks
Context
The Ministry of Home Affairs notification on the ZOOM application, issued through its Cyber Coordination Centre after the Computer Emergency Response Team (CERT-IN) raised concerns about video conferencing through the app during the lockdown, has once again exposed the threats to internal security through communication networks.
Security and Communication Networks
- In the age of data revolution and AI and ML, the security regime has opened to a new and most fundamental threat dimension in the virtual world in the form of cybersecurity threats and the safety of the use of communication networks.
- The world economy is increasingly being digitized and the big data storage and internet security are in the state of the perennial threat of attacks.
What are communication Networks?
Communication networks are defined as “the computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety” in the IT Act, 2000. They form a part of our critical information infrastructure.
The communication networks are crucial to the critical infrastructure connectivity such as
1) Civil Aviation
2) Shipping
3) Railways
4) Power
5) Nuclear technology
6) Finance and Banking
7) Law enforcement
8) Defence
9) Space etc.
Communication networks must not be confused with computer networks such as WANs, LANs, etc., because those are merely one form of communication network.
What are the Key Security threats to communication networks?
The major security threats to communication networks can take the following forms:
- Economic threats such as frauds, attack on banking communication infrastructure, acquisition of critical data such as customer’s credit/debit card data, Financial theft to destabilize the economy
- Information warfare
- Destabilizing critical infrastructure like nuclear power plants, power grids, dams and share market operations through cyber attacks, e.g. Stuxnet’s alleged involvement in destabilizing Iran’s nuclear programme.
- Data theft through social media applications, infringement of privacy
- Penetrating value chain of production of communications network infrastructure and spying through this penetration
- Theft of critical medical history data of a nation’s citizens
- Data alteration and data destruction on the website and impairing its operations
- Intellectual property right infringement through digital piracy
The threat to communications network can be of following types
1) Unauthorised release of information- called Passive attack
2) Unauthorised modification of information- Active attack
3) Unauthorised denial of normal service to users-Active Attack
Explanation of Key Terms
Network and Packet sniffing
- Large volumes of information travel across a network as smaller packets, which can be captured and processed by applications “off-network”.
- Such applications, which interpret network packets, are called packet sniffers. This poses a grave threat to government and business data flows.
Man-in-the-middle attacks
It refers to an attacker gaining access to network packets as they cross networks. It uses network sniffers and routing and transport protocols for data theft, gaining access to the system’s internal network resources, denial of service, and the introduction of new information into existing networks to manipulate the system.
Denial of services (DoS)
- This is the most infamous attack among attacks on communication networks and most difficult to eliminate. The ease of attack and potentiality of damages make them an important threat that deserves special attention.
- A distributed denial of service attack refers to a simultaneous attack involving many systems which temporarily brings down the targeted website/system.
IP spoofing
- IP spoofing is an attack from an attacker outside the targeted network by pretending to be a trusted computer.
- It can use the IP address of the targeted network or an authorized and trusted IP address.
- It leads to the injection of malicious data or command structure in the existing communication networks between clients.
Phishing
- It refers to gaining private and personal information for identity theft, using fraudulent e-mails making them appear to be received from legitimate sources.
- Luring targets to give critical information such as Bank account, credit card details, Login ID, and passwords.
Brute force attacks
Repeated password guesses to identify user account passwords and create a backdoor for future access.
Virus or Trojan Horse attacks
- Viruses and trojan horse applications are a threat to end-user computers.
- Viruses are malicious software attached to a programme to execute a directed, unwanted task on the user’s workstation.
- A Trojan horse is an application disguised to hide the true identity of the attack tools. It not only attacks the user’s system but may also spread automatically to known systems.
Ransomware
- It is a type of malware that restricts the actual owner’s access to certain information in order to demand a ransom, paid to the creator of the malware.
- They use encryption, locking the system to deny user access to important information. A recent instance was the attack by WannaCry ransomware.
What are the types of cyber threats?
1) Cyber Espionage
It is the act of obtaining secret information, using computer networks and without the permission of the secret holders, from individuals, competitors or enemy countries for economic, political or military purposes. In 2009, the PMO was an alleged victim of cyber espionage by Chinese hackers.
2) Cybercrime
- Cybercrime is an offensive action by individuals/organizations targeting computer information systems, networks with an intention to damage or destroy critical information and infrastructure.
- According to NCRB, the instances of cybercrimes are at an all-time high now due to the penetration of communication networks.
3) Cyberwarfare
Cyber Warfare is nation-state actor actions to penetrate an enemy/competitor nation’s computers or networks with the intent of causing damage or disruption.
What are the features of the cyberwar?
- Independent theatre of war due to the development of the internet and sophisticated communication infrastructure
- An undefined (virtual) space as it is impossible to protect national cyberspace by just controlling and monitoring internet networks inside its territory as cyberspace is truly global.
- It is a no-contact war, as the attacker does not need to be present at the site of the attack. Malware like Stuxnet can be introduced at any link of the global value chain of communications infrastructure, and the target can then be controlled from a distant place.
- Disguised attacks and attackers make it even more dangerous and untraceable and it surely complicates cybersecurity policy.
What is cybersecurity?
Cybersecurity is making cyberspace safe from threats, i.e. cyber-threats, where “cyber-threats” means the malicious use of ICT as a target or as a tool by malevolent actors. It involves three things:
- A set of activities intended to protect computers, computer networks, related hardware and device software, and the information they contain and communicate, including software and data, as well as other elements of cyberspace, from all threats, including threats to national security.
- The protection intended in the application of these activities and measures;
- The associated field of research and analysis, aimed at implementing those activities and improving their quality.
What is the government doing to secure communications networks?
- The National Telecom Policy 2012 has set targets for domestic manufacturing of telecom equipment to meet 60 to 80 per cent of demand.
- The National Telecom Policy 2018 stresses on developing robust digital communications network security frameworks.
- Computer Emergency Response Teams (CERTs) at both the national and state levels have been formed to respond to cyberattacks.
- IT Act, 2000
1) Section 43A- compensation for the failure of protection of data
2) Section 72A- Punishment for disclosure of information in breach of lawful contract
3) Section 67C- Punishment with imprisonment of up to 3 years for anyone who intentionally or knowingly contravenes the provisions
4) Section 69- Power to issue directions for interception/monitoring/decryption of any information through any computer source.
- A number of other measures, such as making local certification mandatory, have been announced.
- The Ministry of Communications and Information Technology has also repeatedly urged telecom companies to take note of vulnerabilities in their equipment and told them they would be held responsible and subject to penalties if the vulnerabilities are not addressed.
National critical information infrastructure protection centre (NCIIPC)
- It is the national nodal agency for the protection of critical information infrastructure.
- It helps in coordination, sharing, monitoring, collecting, analysing and forecasting threats.
- It holds responsibility to develop plans, adopt standards, share best practices and refine procurement processes.
- Exchange of knowledge and experiences with CERT-IN and other organisations is done in order to better coordinate.
Cyber Security – CERTs, Policy, etc
Private: Challenges to Internal Security through Communication Networks
From UPSC perspective, the following things are important :
Prelims level: Various terms mentioned
Mains level: Challenges to Internal Security through Communication Networks
Context
The Ministry of Home Affairs notification through its Cyber Coordination Center on ZOOM Application after Computer Emergency Response Team’s (CERT-IN) raised concerns on video conferencing through the app in lockdown situation once again exposed the threats to the internal security through communication networks.
Security and Communication Networks
- In the age of data revolution and AI and ML, the security regime has opened to a new and most fundamental threat dimension in the virtual world in the form of cybersecurity threats and the safety of the use of communication networks.
- The world economy is increasingly being digitized and the big data storage and internet security are in the state of the perennial threat of attacks.
What are communication Networks?
Communication networks are defined as “the computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety” in the IT Act, 2000. They form a part of our critical information infrastructure.
The communication networks are crucial to the critical infrastructure connectivity such as
1) Civil Aviation
2) Shipping
3) Railways
4) Power
5) Nuclear technology
6) Finance and Banking
7) Law enforcement
8) Defence
9) Space etc.
Communication networks must not be confused with computer networks such as WAN, LAN, etc. because they are merely one form of a communication network.
What are the Key Security threats to communication networks?
The major security threats to communications network can take the form of the following ways-
- Economic threats such as frauds, attack on banking communication infrastructure, acquisition of critical data such as customer’s credit/debit card data, Financial theft to destabilize the economy
- Information warfare
- Destabilizing critical infrastructure like Nuclear power plants, power grids, Dams, Share Market operations through cyber attacks. g. Stuxnet’s alleged involvement in destabilizing Iran’s Nuclear programme.
- Data theft through social media applications, infringement of privacy
- Penetrating value chain of production of communications network infrastructure and spying through this penetration
- Theft of critical medical history data of a nation’s citizens
- Data alteration and data destruction on the website and impairing its operations
- Intellectual property right infringement through digital piracy
Threats to communication networks can be of the following types:
1) Unauthorised release of information (passive attack)
2) Unauthorised modification of information (active attack)
3) Unauthorised denial of normal service to users (active attack)
Explanation of Key Terms
Network and packet sniffing
- Large pieces of information travel across the network as smaller packets; these packets can be picked up and processed by an application other than the intended recipient (i.e. “off-network”).
- An application of this kind, which captures and interprets network packets, is called a packet sniffer.
- This poses a grave threat to government and business data flows.
Man-in-the-middle attacks
- An attacker positions themselves so as to gain access to network packets as they cross the network.
- Using network sniffers and weaknesses in routing and transport protocols, the attacker can carry out data theft, gain access to the system’s internal network resources, cause denial of service, or inject new information into existing sessions to manipulate the system.
Denial of service (DoS)
- This is the most infamous attack on communication networks and the most difficult to eliminate. The ease of attack and the potential for damage make it an important threat that deserves special attention.
- A distributed denial of service (DDoS) attack involves many systems attacking simultaneously, which temporarily brings down the targeted website/system.
IP spoofing
- IP spoofing is an attack by an attacker outside the targeted network who pretends to be a trusted computer.
- The attacker can use an IP address belonging to the targeted network or an otherwise authorised and trusted IP address.
- It leads to the injection of malicious data or commands into the existing communication between clients.
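The standard mitigation for IP spoofing is ingress and egress filtering at the network boundary: the border device drops any packet whose source address could not legitimately have arrived on that interface. The following is an added illustration, not part of these notes and not any vendor's product code; it models such a filter in Python using hypothetical internal prefixes and a few constructed packets (all in documentation address ranges).

```python
import ipaddress

# Hypothetical address plan for the protected site (constructed for this example).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]

# Source ranges that should never appear on packets arriving from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_PREFIXES)


def is_bogon(ip):
    return any(ip in net for net in BOGON_PREFIXES)


def should_drop(src, interface):
    """Anti-spoofing decision for one packet.

    external interface (ingress): drop if the packet claims to come from one of our
        own internal prefixes or from a bogon range; an outsider cannot legitimately
        send from those addresses.
    internal interface (egress): drop if the source is not one of our prefixes, so
        that our own hosts cannot be used to spoof other networks.
    """
    ip = ipaddress.ip_address(src)
    if interface == "external":
        return is_internal(ip) or is_bogon(ip)
    if interface == "internal":
        return not is_internal(ip)
    raise ValueError(f"unknown interface {interface!r}")


def filter_packets(packets):
    """Apply should_drop to (src, dst, interface) tuples; return (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        src, _dst, iface = pkt
        (dropped if should_drop(src, iface) else accepted).append(pkt)
    return accepted, dropped


# Constructed sample traffic (documentation ranges; not captured data).
SAMPLE_PACKETS = [
    ("203.0.113.5", "10.0.0.80", "external"),      # genuine outside client: accept
    ("10.0.0.9", "10.0.0.80", "external"),         # claims to be inside, arrives from outside: spoofed
    ("127.0.0.1", "10.0.0.80", "external"),        # loopback source on the wire: bogon
    ("192.168.1.20", "198.51.100.1", "internal"),  # our host going out: accept
    ("198.51.100.77", "203.0.113.9", "internal"),  # not our address leaving our network: spoofed
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
    for pkt in bad:
        print("dropped:", pkt)
```

The egress rule matters as much as the ingress rule: a network that only protects itself still lets its own compromised hosts forge addresses against others, which is the pattern behind many reflection-style DDoS attacks.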
Phishing
- It refers to gaining private and personal information for identity theft using fraudulent e-mails made to appear as if they came from legitimate sources.
- Targets are lured into giving up critical information such as bank account and credit card details, login IDs and passwords.
Brute force attacks
Repeated password-guessing attempts to identify user account passwords, followed by creating a backdoor for future access.
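A defender's first line against brute force is to notice it in the authentication logs. The following is an added example, not part of these notes: a small Python detector that scans constructed OpenSSH-style log lines (hypothetical host name, documentation IP addresses), raises an alert when one source address produces five or more failures inside a one-minute window, and flags the more serious case where the burst is followed by a successful login from the same source. The threshold and window are assumptions to be tuned for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log (hypothetical host,
# documentation IP ranges). Not real data.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for root from 198.51.100.23 port 40113 ssh2
Mar  1 10:00:04 host sshd[1203]: Failed password for root from 198.51.100.23 port 40114 ssh2
Mar  1 10:00:06 host sshd[1204]: Failed password for invalid user test from 198.51.100.23 port 40115 ssh2
Mar  1 10:00:07 host sshd[1205]: Failed password for root from 198.51.100.23 port 40116 ssh2
Mar  1 10:00:09 host sshd[1206]: Accepted password for root from 198.51.100.23 port 40117 ssh2
Mar  1 10:05:00 host sshd[1301]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Mar  1 10:20:00 host sshd[1302]: Accepted publickey for alice from 203.0.113.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for a login-attempt line, or None for lines we do not care about.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: alert} for every source that produced `threshold` or more
    failed logins inside a sliding `window`. `success_after` becomes True if the
    same source later logs in successfully, i.e. the burst may have worked."""
    recent = defaultdict(list)    # ip -> timestamps of failures inside the window
    attempted = defaultdict(set)  # ip -> user names tried
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            attempted[ip].add(ev["user"])
            recent[ip] = [t for t in recent[ip] if ev["ts"] - t <= window]
            recent[ip].append(ev["ts"])
            if len(recent[ip]) >= threshold:
                alert = alerts.setdefault(
                    ip, {"failures": 0, "users": attempted[ip], "success_after": False})
                alert["failures"] = max(alert["failures"], len(recent[ip]))
        elif ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

The `users` field distinguishes an attack on one account from password spraying across many accounts, and `success_after` is the signal that turns a noisy alert into an incident: a successful login right after a burst of failures from the same source should be treated as a likely compromise until proven otherwise.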
Virus or Trojan horse attacks
- Viruses and Trojan horse applications are a threat to end-user computers.
- A virus is malicious software attached to a programme in order to execute a directed, unwanted task on the user’s workstation.
- A Trojan horse is an application disguised to hide its true identity as an attack tool.
- It not only attacks the user’s system but also spreads automatically to other known systems.
Ransomware
- It is a type of malware that restricts the actual owner’s access to certain information in order to demand a ransom, paid to the creator of the malware.
- It uses encryption or locks the system to deny the user access to important information. A recent instance was the attack by the WannaCry ransomware.
What are the types of cyber threats?
1) Cyber espionage
It is the act of obtaining secret information through computer networks, without the permission of the secret holders, from individuals, competitors or enemy countries for economic, political or military purposes. In 2009, the PMO was an alleged victim of cyber espionage by Chinese hackers.
2) Cybercrime
- Cybercrime is an offensive action by individuals or organisations targeting computer information systems and networks with the intention of damaging or destroying critical information and infrastructure.
- According to the NCRB, instances of cybercrime are at an all-time high due to the penetration of communication networks.
3) Cyberwarfare
Cyber warfare consists of nation-state actions to penetrate an enemy or competitor nation’s computers or networks with the intent of causing damage or disruption.
What are the features of the cyberwar?
- It is an independent theatre of war, created by the development of the internet and sophisticated communication infrastructure.
- It is an undefined (virtual) space: it is impossible to protect national cyberspace merely by controlling and monitoring the internet networks inside a country’s territory, because cyberspace is truly global.
- It is a no-contact war, as the attacker does not need to be present at the site of the attack. Malware like Stuxnet can be introduced at any link of the global value chain of communications infrastructure, and the target can then be controlled from a distant place.
- Disguised attacks and attackers make it even more dangerous and hard to trace, which surely complicates cybersecurity policy.
What is cybersecurity?
Cybersecurity is making cyberspace safe from cyber-threats, where “cyber-threats” means the malicious use of ICT, either as a target or as a tool, by malevolent actors. It involves three things:
1) A set of activities intended to protect computers, computer networks, related hardware and devices, software, and the information they contain and communicate (including software and data), as well as other elements of cyberspace, from all threats, including threats to national security;
2) The state of protection resulting from the application of these activities and measures;
3) The associated field of research and analysis, aimed at implementing those activities and improving their quality.
What is the government doing to secure communications networks?
- The National Telecom Policy 2012 set targets for domestic manufacturing of telecom equipment to meet 60 to 80 per cent of demand.
- The National Telecom Policy 2018 stresses developing robust security frameworks for digital communication networks.
- Computer Emergency Response Teams (CERTs) at both the national and state level have been formed to respond to cyberattacks.
IT Act, 2000
- Section 43A: compensation for failure to protect data
- Section 72A: punishment for disclosure of information in breach of a lawful contract
- Section 67C: punishment with imprisonment of up to 3 years for anyone who intentionally or knowingly contravenes its provisions
- Section 69: power to issue directions for interception, monitoring or decryption of any information through any computer resource
- A number of other measures, such as making local certification mandatory, have been announced.
- The Ministry of Communications and Information Technology has also repeatedly urged telecom companies to take note of vulnerabilities in their equipment, and has told them that they would be held responsible and subject to penalties if the vulnerabilities are not addressed.
National Critical Information Infrastructure Protection Centre (NCIIPC)
- It is the national nodal agency for the protection of critical information infrastructure.
- It helps in coordinating, sharing, monitoring, collecting, analysing and forecasting threats.
- It is responsible for developing plans, adopting standards, sharing best practices and refining procurement processes.
- It exchanges knowledge and experience with CERT-In and other organisations for better coordination.
[op-ed snap] We should offer to safeguard the world’s telecom networks
From UPSC perspective, the following things are important :
Prelims level: Not much.
Mains level: Paper 3- Cyber security in the wake of Huawei ban and concerns over cyber security in 5G age.
Context
India should grab cybersecurity opportunities instead of focusing on smaller issues like import tariffs during Trump’s visit.
Opportunity for India in the US-China trade war
- Technology will be an important front in the emerging trade war between the US and China.
- It will create significant opportunities for India as global supply chains readjust to geopolitical pushes and pulls.
- In manufacturing: The immediate opportunity is in across-the-board manufacturing, especially if the Government puts in place a special task force to unclog the regulatory issues.
- In cybersecurity: Beyond manufacturing, the unfolding US-China technology war is creating opportunities for India in the cybersecurity space on a scale that could match Y2K.
Balance national security and industry economics
- The UK’s approach: It is a carefully constructed middle path.
- Not allowing high-risk vendors: The UK decided that “high-risk vendors” will not be permitted in its core networks.
- High regulatory and security oversight: High-risk vendors will also be subject to higher levels of regulatory and security oversight.
- Ability to switch: Operators are expected to have the ability to switch away from such vendors should the government so require.
- 35% restriction: The UK restricted such vendors to less than 35% of the equipment base of each telecom operator.
- The EU approach: The European Union is likely to adopt some variant of the British approach.
- This means Chinese-made equipment will be deployed across EU countries, but under a tighter surveillance, audit and assurance regime.
How is it going to create opportunities?
- 5G and the need for more security professionals
- More base stations: 5G networks will employ many more base stations than existing networks.
- The internet of things (IoT) is set to bring billions of connected sensors and devices online.
- The requirement of security professionals: Tightening security norms will require both telecom firms and their customers to employ a lot of cybersecurity professionals in a wide range of roles, of varying levels of sophistication and sensitivity.
- Shortage of cybersecurity professionals
- The problem is: the world is already short of cybersecurity professionals.
- Even before 5G networks are rolled out, estimates suggest that there are 2 to 3 million unfilled cybersecurity vacancies around the world.
- Scrutiny of Chinese vendors and employment opportunities: The more stringent the security regimes around Chinese vendors, the greater the demand for cybersecurity professionals.
- Where is the opportunity for India? The industry is responding to this shortage by employing more automation.
- But demand for human will increase: The demand for trustworthy, reliable and competent human beings to keep an eye on cyber threats will only increase.
- Where can hundreds of thousands of technology professionals who might be able to fill this gap come from? India and China.
- Advantage India: Since Chinese firms and individuals are unlikely to be chosen to keep an eye on Chinese equipment makers and state-linked cyber attackers, the advantage lies with India.
Can India grab this opportunity?
- Inadequate professionals in India: India doesn’t have adequate numbers of cybersecurity professionals either.
- Skill initiative by the government: The government has launched a skills initiative to plug the shortage, but we’re far away from addressing our own cybersecurity needs.
- India has all the necessary conditions to become a big player in the global cybersecurity market.
- India has the numbers, the companies and the market-driven economic models that can produce the skills that the industry wants.
- Private sector’s role: During the 1990s’ information technology boom, India produced hundreds of thousands of software engineers not because of any government skills development programme, but because private firms popped up and supplied the skills that people and their employers wanted.
Way forward
- Government to government arrangements: Unlike the Y2K days, the global demand for cybersecurity professionals has entry barriers that firms and individuals cannot easily cross on their own. Government-to-government arrangements can help Indian firms and individuals get clearances for cybersecurity roles.
- Developing cybersecurity partnership: India will have to work on developing cybersecurity partnerships with the US, UK and the EU, focused on opening up their markets to Indian firms.
- Win the trust: Indian firms, for their part, must work on gaining the trust of the West’s national security establishments.
[pib] Indian Cyber Crime Coordination Centre (I4C)
From UPSC perspective, the following things are important :
Prelims level: Indian Cyber Crime Coordination Centre (I4C)
Mains level: Cyber Security and various protection mechanisms
Union Minister for Home Affairs has inaugurated the Indian Cyber Crime Coordination Centre (I4C) and also dedicated National Cyber Crime Reporting Portal to the Nation.
I4C
- The scheme to set up I4C was approved in October 2018 to deal with all types of cybercrime in a comprehensive and coordinated manner.
- At the initiative of the Union Ministry of Home Affairs (MHA), 15 States and UTs have given their consent to set up Regional Cyber Crime Coordination Centres in their respective States/UTs.
- It has seven components:
- National Cyber Crime Threat Analytics Unit
- National Cyber Crime Reporting Portal
- National Cyber Crime Training Centre
- National Cyber Crime Research and Innovation Centre
- National Cyber Crime Forensic Laboratory Ecosystem
- Platform for Joint Cyber Crime Investigation Team
- Cyber Crime Ecosystem Management Unit
About National Cyber Crime Reporting Portal
- The National Cyber Crime Reporting Portal (www.cybercrime.gov.in) is a citizen-centric initiative that enables citizens to report cyber crimes online.
- All cyber crime related complaints will be accessed by the concerned law enforcement agencies in the States and Union Territories for action as per law.
- The portal was launched on a pilot basis on 30 August 2019, and it enables the filing of complaints about all cyber crimes, with a specific focus on crimes against women and children, particularly child pornography, child sexual abuse material, online content pertaining to rapes/gang rapes, etc.
- The portal also focuses on specific crimes such as financial crime and social media related crimes such as stalking and cyber bullying.
- The portal will improve coordination amongst the law enforcement agencies of different States, districts and police stations for dealing with cyber crimes in a coordinated and effective manner.
[op-ed of the day] Data and its discontents
From UPSC perspective, the following things are important :
Prelims level: Nothing much
Mains level: Paper 3-Cyber security
Context
The Personal Data Protection Bill introduced in Lok Sabha contains certain provisions that might have implications for India’s digital economy. These provisions must be carefully considered as Parliament reviews the proposed legislation.
What are the stated objectives of the bill?
- The first purpose deals with privacy concerns: to safeguard the constitutional guarantee of privacy for Indian citizens.
- The second purpose is to provide a just and equitable vision for the future of India’s digital economy.
What are the incongruent provisions?
- One of the provisions enables the central government to direct any entity regulated under the Act to provide anonymised personal data.
- The government wants to use this anonymised personal data to enable the targeted delivery of services and evidence-based policymaking.
- These provisions could have certain implications that need to be carefully considered.
Anonymised data and issues with it
- Under the Bill, anonymised data refers to data from which all markers of identity have been irreversibly removed.
- Recent research shows that present methods of anonymisation are imperfect.
- With modern machine learning techniques, data released as “anonymous” can be re-identified.
- So the regulation of anonymised data must be contextual and sectoral, with a focus on finance and healthcare.
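The weakness this passage points at can be measured before a dataset is handed over. The following is an added example, not part of the original op-ed or of the Bill: a small Python check over a constructed (hypothetical) set of health records from which names have been removed but postcode, birth year and sex remain. A record that is unique on those quasi-identifiers can be re-identified by anyone holding another dataset that carries the same fields next to names, so the check computes k-anonymity (the smallest group of records sharing the same quasi-identifier values), lists the records that are unique, and shows how generalising the fields raises k. It also reports l-diversity, because a group whose members all share one sensitive value still leaks that value even when k is large.

```python
from collections import Counter, defaultdict

# Constructed "anonymised" records (hypothetical; names already stripped).
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")
SENSITIVE = "diagnosis"

RECORDS = [
    {"postcode": "110001", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "110001", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "110002", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "110003", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "110003", "birth_year": 1975, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "110007", "birth_year": 1990, "sex": "M", "diagnosis": "flu"},
]


def qi_key(record, quasi=QUASI_IDENTIFIERS):
    """The quasi-identifier values of a record, used to group it with look-alikes."""
    return tuple(record[q] for q in quasi)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifier values.
    k == 1 means at least one record is unique and therefore linkable."""
    return min(Counter(qi_key(r, quasi) for r in records).values())


def unique_records(records, quasi=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination occurs only once."""
    counts = Counter(qi_key(r, quasi) for r in records)
    return [r for r in records if counts[qi_key(r, quasi)] == 1]


def l_diversity(records, quasi=QUASI_IDENTIFIERS, sensitive=SENSITIVE):
    """Smallest number of distinct sensitive values within any quasi-identifier group."""
    groups = defaultdict(set)
    for r in records:
        groups[qi_key(r, quasi)].add(r[sensitive])
    return min(len(v) for v in groups.values())


def generalise(record):
    """Coarsen the quasi-identifiers: keep the first four postcode digits and
    replace the birth year by its decade. Less precise, so more records coincide."""
    out = dict(record)
    out["postcode"] = record["postcode"][:4] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


def release_check(records, k_min=2, l_min=2):
    """Summarise whether a dataset meets the chosen k and l thresholds (assumed values)."""
    k, l = k_anonymity(records), l_diversity(records)
    return {"k": k, "l": l, "ok": k >= k_min and l >= l_min,
            "unique": len(unique_records(records))}


if __name__ == "__main__":
    print("raw:        ", release_check(RECORDS))
    print("generalised:", release_check([generalise(r) for r in RECORDS]))
```

On the constructed records the raw release fails (two records are unique, and two groups carry a single diagnosis), while the generalised version reaches k = 2 and l = 2. The thresholds of 2 are assumptions for the example; a real sectoral rule for finance or health data would set them, and which columns count as quasi-identifiers depends on what other datasets an adversary could plausibly link against.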
Use of big data and AI in governance
- The government also plans to use big data and artificial intelligence within governance and planning systems.
- The use of these techniques has the potential to increase government capacity and transparency.
- It can also help in making an informed decision about economic and social planning.
- However, the provision ignores the multiplicity of existing and inchoate rights such as intellectual property rights (IPRs), copyrights and trade secret protections.
Consequences of the conflicting provision
- The government wants the data to be open for acquisition, similar to its power of “eminent domain” over land, but this comes into conflict with existing laws.
- It conflicts with copyright acts, intellectual property rights and trade secret laws.
- Databases are commercially significant for companies.
- Overlap of these existing rights with the government system can jeopardise accountability and transparency.
Problems with Big data and AI in governance
- Unregulated use of databases in governance could have consequences for the people and communities who are made visible, or rendered invisible, by this data.
- A shift from a qualitative method like the census to a quantitative method like big data, which is collected in a different context and used for a different purpose, may not be smooth.
- Such data will be incomplete for governance.
- The data could also be replete with the biases of the private entity collecting it.
- So the use of this unregulated data for policymaking or targeting beneficiaries could be disastrous.
Way forward
The regulation of non-personal data must take into account both the potential harms to individual privacy as well as the wider social and political consequences of the use of data for governance.