India's cyber-defenses full of holes
By Indrajit Basu
KOLKATA - It's reminiscent of an action movie. The year is 2017 and two rival
countries - India and China - are fighting a war. The conflict is not being
fought with guns, tanks and aircraft but computers, bots, viruses and Trojans.
The soldiers are not troops, but hackers.
The scenario was enacted by the Indian military last year in a cyber-warfare
simulation called the "Divine Matrix". Officially, the likelihood of a Chinese
cyber-strike has since been played down. This is a big mistake, experts say,
given the poor state of India's cyber-security.
A recent investigation by McAfee, the software security firm, revealed that as
cyber-attacks rise globally, India is emerging as
an easy hunting ground.
Worse, the vulnerability not only poses a threat to the government, military,
and infrastructure, it also carries a huge risk for international businesses
that have outsourced IT operations or bought software in India.
"That India is under-prepared is well known, and experts often raise concerns
about how the government's IT systems could be crippled in a war," said
Shivarama Krishnan, an IT security expert at a firm of global consultants.
"While that threat is valid, I think the real worry is someone attacking the IT
systems of the private sector."
Krishna added that India could be used as a route to attack the IT systems of
other countries, since it is linked to important networks like the United
States' financial sector. "Cyber-criminals could take advantage of the
vulnerability in the IT security systems here and cripple financial services
there," he said.
India's US$60 billion software industry derives over 85% of its revenues from
abroad. The US's financial services, retail, manufacturing, infrastructure
(like electricity and telecoms) as well as medical services account for 60% of
these export revenues.
Across the world more critical infrastructure is being connected to the
Internet, leaving it more vulnerable, says McAfee, with India having the lowest
rate of security measures for its infrastructure. India also topped McAfee's
charts for malicious traffic in Asia.
Although China last year cut its security budgets by 40% for
government-sponsored cyber-security cooperation among operators of critical
infrastructure, it still had the highest rate of participation, said McAfee.
The firm painted a detailed picture of how countries are defending their
critical networks in the report, "In the Crossfire: Critical Infrastructure in
the Age of Cyberwar".
The report said as data is increasingly stored online, security is increasing
in sophistication. However, hackers and cyber-criminals are still managing to
stay a step ahead.
India in particular faces more frequent cyber-attacks. For instance, in 2009,
more than 6,000 websites were hacked and defaced, compared to 1,752 in 2006.
Greg Walton, one of the researchers at The Citizen Lab at the University of
Toronto that created a sensation last year by discovering the existence of
GhostNet, a global cyber-spy network that allegedly originated in China, said
India was particularly vulnerable.
"If you look at the statistics of the institutions or the targets that were
attacked by GhostNet when it attacked global systems, India was by far the
hardest hit by that operation," he said. "India is a software superpower yet
for some reason the country can't seem to get its cyber-security act together."
Legally, India is also seen as an easy target. "The Indian IT act and related
local laws are oriented towards primarily addressing fraud and copyright
violations; they are not security oriented," said Gurmeet Kanwal,
founder-director of The Center for Land Warfare Studies, an autonomous
think-tank on strategic studies and warfare.
The other major issue is cost. Indian is touted as a low-cost outsourcing
destination and "security is always an expensive proposition", said Desai of
MitKat, a consultancy firm. "Often Indian service providers cannot adopt
security measures that on a par with international standards."
India can ill-afford to ignore this new challenge to its security, say Kanwal.
He says information warfare can start anywhere and carry on silently in peace
time, comparing it to "acupuncture warfare" a term that refers to seeking out a
country's weak points.
India should adopt an inter-ministerial approach to dealing with the emerging
threat, according to Kanwal. A special agency should be formed to spearhead
India's cyber-war efforts, and the country should have its own national
cyber-security adviser, he maintains.
"But above all", said Walton, "even if government and specific security
agencies are wake up to the threats of information warfare, the country's
corporate sector is still oblivious. It is time that this sector wakes up too."
Indrajit Basu is a correspondent for Asia Times Online based in Kolkata.