From UPSC perspective, the following things are important :
Prelims level : Zero Trust Model
Mains level : Paper 3- Cyber security
Cyber-attacks may be a relatively new phenomenon, but in a short timeframe have come to be assessed as dangerous as terrorism.
A cyber attack is a type of attack that targets computer systems, infrastructures, networks, or personal computer devices using various methods at hand. India is ranked 10th (among 194 countries) in the Global Cybersecurity Index (GCI) 2020 ahead of China and
The increasing threat of cyber attacks
- Stuxnet Worm in 2010: Resulted in large-scale damage to Iran’s centrifuge capabilities.
- Natanz nuclear facility (Iran) in 2021: Targeted the industrial control systems and destroyed the power supply to centrifuges used to create enriched uranium
- Chinese cyberattack on the power system in Mumbai brought the entire city to a halt.
- Ransomware as a Service (RaaS) — a business model for ransomware developers — is no mere idle threat.
- Advanced Persistent Threats (APT) attacks are set to increase, with criminal networks working overtime and the Dark web allowing criminals to access even sensitive corporate networks.
Tools of Cyberattacks
- Malware: Malicious software to disrupt computers. It can include Viruses, Spyware, Trojans, etc.
- Phishing: It is the method of trying to gather personal information using deceptive e-mails and websites.
- Denial of Service attacks: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
- Hacktivism: Misusing a computer system or network for a socially or politically motivated reason. For example, hacktivists can block access to Government’s website, deface the government’s website or unblock the sites which have been blocked by the Government.
- Social Engineering: Entice users to provide confidential information. For example, these days u must have come across some of the fake Facebook accounts which are opened in the name of your close friends. First, the cyber attackers send you the friend request in the name of your close friend. Once u accept it, they will ask to request you to transfer some money.
Consequences of Cyberattacks
- Impact on data: Confidentiality, Integrity and Availability of information.
- Impact on Critical Information Infrastructure: Presently, most of the sectors are critically dependent on the use of ICT to carry on their operations. These sectors are Banking and Finance, Power systems, Transport sector, Telecommunication, etc. Cyber attacks on these critical information infrastructures can bring the entire country to a grinding halt. For example, the recent Chinese cyber attack on the power system in Mumbai brought the entire city to a halt.
- Creates Distrust: A cyber-attack on a specific component exposes vulnerabilities in the entire system which may negatively impact relations with allies and adversaries and questions our nuclear reliability.
- Financial loss: Estimates of the cost to the world in 2021 from cyberattacks are still being computed, but if the cost of cybercrimes in 2020 (believed to be more than $1 trillion) is any guide, it is likely to range between $3trillion-$4 trillion.
- Threat to National Security and peace and stability in a country.
Steps taken by India to improve Cyber Security
- Section 66F of ITA: Specific provision dealing with the issue of cyber terrorism that covers denial of access, unauthorized access, introduction of computer contaminant leading to harm to persons, property, critical infrastructure, disruption of supplies, ‘sensitive data’ thefts. Provides for punishment which may extend to life imprisonment.
- National Cyber Security Policy 2013: Policy document drafted by the Department of Electronics and Information Technology. Established National Critical Information Infrastructure Protection Centre (NCIIPC) to improve the protection and resilience of the country’s critical infrastructure information; Create a workforce of 5 lakh professionals skilled in cybersecurity in the next 5 years.
- National Critical Information Infrastructure Protection Centre (NCIIPC): It has been setup to enhance the protection and resilience of Nation’s Critical information infrastructure. It functions under the National Technical Research Organization (NTRO).
- CERT-IN: Organization under the Ministry of Electronics and Information Technology with an objective of securing Indian cyberspace. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities, and promote effective IT security practices throughout the country. According to the provisions of the Information Technology Amendment Act 2008, CERT-In is responsible for overseeing the administration of the Act.
- Cyber Surakshit Bharat Initiative: It was launched in 2018 with an aim to spread awareness about cybercrime and build capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
- Cyber Crisis Management Plan (CCMP): It aims at countering cyber threats and cyber-terrorism.
- National Cyber Coordination Centre (NCCC): It seeks to generate necessary situational awareness of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual entities.
- National Cyber Security Coordinator (NCSC) under National Security Council Secretariat (NSCS) coordinates with different agencies at the national level for cyber security matters.
- Cyber Swachhta Kendra: This platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.
- Information Security Education and Awareness Project (ISEA): Training of personnel to raise awareness and to provide research, education, and training in the field of Information Security.
a)Absence of any geographical constraints.
b)Lack of uniformity in devices used for internet access.
a) Lack of national-level architecture for cybersecurity
b) Security audit does not occur periodically, nor does it adhere to the international standards.
c) The appointment of the National Cyber Security Coordinator in 2014 has not been supplemented by creating liaison officers in states.
a) Lack of awareness in local police of various provisions of IT Act, 2000, and also of IPSC related to cybercrime.
b) Lack of data protection regime.
- Human Resource Related
a) Inadequate awareness among people about the security of devices and online transactions.
- International Convention: Presently, Budapest Convention is the first international treaty that promotes greater cooperation between countries in fighting cybercrimes. India should accede to Budapest Convention at the earliest. It would reduce India’s capacity to combat cybercrimes at a global level.
- PPP Framework for Cyber Security: Presently, most of the cyber security operations are carried out by the Government agencies such as CERT-In. Given the fast-changing nature and intensity of cyber threats, there is a need to leverage private sector expertise in combating cyber crimes through the PPP framework.
- Capacity building and skill development- Recently, according to a report published by NASSCOM, India needs around 10 lakh, cyber security experts. However, presently there are only around 64,000 professionals. One of the main reasons for the lower number of cyber security professionals is due to lack of an adequate number of specialized courses in cyber security, poor training Infrastructure, lack of availability of trainers, etc. Hence, accordingly, the Government has to recognize the lacunae and increase the number of Skilled professionals.
- Promoting Startups in the field of Cybersecurity.
- Investment in R&D to improve Cyber Security- Big data, AI
- Learning from best practices such as the Tallinn manual of the US.
Failure to build resilience — at both the ‘technical and human level — will mean that the cycle of cyber attacks and the distrust they give rise to will continue to threaten the foundations of a democratic society. Preventing erosion of trust is critical in this day and age.