Monthly Archives: March 2014

National Security Policy Of India: Some Techno Legal Suggestions

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBNational Security is a very vast and complicated field to manage as it encompasses various facets of security. It includes traditional security of borders and infrastructure to Cyber Security of the Indian Infrastructure and Cyberspace. India has been lax on the front of National Security in general and Cyber Security in particular. The National Cyber Security Policy of India 2013 has been drafted recently and its actual and full implementation is still missing.

Further, various components of National Security are still operating in vacuum and independent of each other making the entire concept of National Security a façade. For instance, the Cyber Security Policy of India is still not a part of the National Security Policy of India. In fact, we have no National Security Policy of India that is presently implemented by Indian Government. The Cyber Security Policy of India must be an “Essential and Integral Part” of the National Security Policy of India.

DNA India has reported that the current UPA Government led by Prime Minister Manmohan Singh is set to unveil a draft of National Security Policy for public debate. The National Security Advisor Shiv Shankar Menon has already started working in this regard so that a well defined strategic policy framework can be adopted by the new Government after a public debate. It seems the intention is to make the National Security Policy of India operational after the 2014 Elections are over. This is logical as well as such crucial policies cannot be implemented at time of uncertainties. The National Security Council (NSC) has already proposed three pronged Cyber Security Action Plan for India.

The UPA Government has its own share of successes like securing Indian borders and avoiding any big threat from outside, getting the non-permanent member status of the UN Security Council, obtaining a permanent seat at the Arctic Council and a chair at G-8 negotiations, etc. So the “Failures and Achievements” of the present UPA Government are somewhat balanced in nature.

India already has a doctrine for its defence as well as strategic forces, both for conventional and sub-conventional wars. But the new doctrine will be over-arching, comprehensive and will incorporate elements of foreign and internal security policies.

Though the proposed draft of the Policy is still at the infancy stage yet it may act as a resource guide to deal with Indian National Security issues. The proposed Policy would look at all aspects of National Security including the Economic, Technological, Political, Cyber as well as Scientific. It would also streamline the Security Strategy and address the systemic lacunae in the absence of a clear and comprehensive policy.

A “Special Focus” upon Cyber Security is need of the hour. To start with a dedicated Cyber Security Law of India must be formulated. A robust and comprehensive Telecom Security Policy of India must also be immediately formulated. Further, Draconian and Disabling Laws like Information Technology Act, 2000 and Indian Telegraph Act, 1885 must be “Repealed” as soon as possible. Civil Liberties and National Security Requirements must be “Reconciled”. A dedicated Privacy Law of India must also be formulated immediately to strengthen Privacy Rights in India.

During the exposure of engagement of E-Surveillance by the National Security Agency (NSA) of U.S., James Clapper confirmed that NSA is targeting Foreign Citizens for Surveillance. This E-Surveillance is further “Combined” with Tactics and Techniques of Cyber Warfare, Cyber Espionage and Cyber Terrorism, etc. The traditional Cold War Era may be over but the Technology Assisted Cold War is still in vogue. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, etc have simply proved this point.

These Malware are not the tasks of a group or company but expert malware makers that are supported by Developed Nations. The United States has been accused of making these Malware in the past and it is also believed that U.S. is the biggest buyer of Malware in the World. U.S. has also been accused of using a combination of Radio Waves and Malware to spy upon other Countries. It is well known that Global Cyber Espionage Networks are being actively and covertly used to Spy on other Nations. This is evident from the fact that the Command and Control Servers of Malware FinFisher were also found in 36 Countries, including India.

These Malware used Cyber Attack Methods and Vectors that are far beyond the Capacity of Traditional Cyber Security Mechanisms to Trace and Prevent. This becomes a serious Cyber Security Issue when Critical ICT infrastructures are at stake. For instance, the critical Infrastructure Protection in India and its Problems, Challenges and Solutions (PDF) are still to be looked into with Great Priority by Indian Government. It is only now that India has declared that NTRO would protect the Critical ICT Infrastructures of India. Similarly, a Tri Service Cyber Command for Armed Forces of India is in Pipeline. Nevertheless, the Cyber Security Infrastructure of India is Weak and it must be improved as soon as possible.

Countries across the World have started to strengthen their Cyber Security Capabilities. While protecting their own Cyberspace domain, various Countries must understand that Cyber Security is an International Issue (PDF) and not a National one. Therefore, an International Cyber Security Treaty is Required (PDF). As far as India is concerned, the Cyber Warfare Policy of India (PDF) and E-Surveillance Policy of India (PDF) must be urgently drafted and implemented. Similarly, Self Defence and Privacy Protection in India must be ensured.

India’s own Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. The proposed National Security Policy of India must address this issue as well on a priority basis.

New Cyber Espionage Malware Named Uroburos/Snake Detected By Cyber Security Researchers

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBThe traditional Cold War Era may be over but the Technology Assisted Cold War is still in vogue. Developed Nations have been making and using Sophisticated Malware that is well beyond traditional and modern Cyber Security Mechanisms. Even well trained Cyber Security Professionals cannot detect them till these Malware have already achieved their Surveillance and Espionage tasks.

For instance, Malware like Stuxnet, Duqu and Flame have simply proved this point. They kept on creating havoc for many years in an undetectable and covert manner. They were detected only recently and since then their variants have been making rounds in the Cyberspace.

These Malware are not the tasks of a group or company but expert malware makers that are supported by Developed Nations. The United States has been accused of making these Malware in the past and it is also believed that U.S. is the biggest buyer of Malware in the World. U.S. has also been accused of using a combination of Radio Waves and Malware to spy upon other Countries. It is well known that Global Cyber Espionage Networks are being actively and covertly used to Spy on other Nations. This is evident from the fact that the Command and Control Servers of Malware FinFisher were also found in 36 Countries, including India.

Countries across the World have started to strengthen their Cyber Security Capabilities. While protecting their own Cyberspace domain, various Countries must understand that Cyber Security is an International Issue (PDF) and not a National one. Therefore, an International Cyber Security Treaty is Required (PDF). In the absence of international harmonisation in this crucial field, countries would keep on attacking one another in the Cyberspace.

In the latest news in this regard, G Data Security experts have analysed (PDF) a very complex and sophisticated piece of malware, designed to steal confidential data. G Data refers to it as Uroburos, in correspondence with a string found in the malware’s code and following an ancient symbol depicting a serpent or dragon eating its own tail.

According to G Data Uroburos is a rootkit, composed of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably: files) and it is also able to capture network traffic. Its modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos’ driver part is extremely complex and is designed to be very discrete and very difficult to identify.

BAE systems have labelled it as “Snake” (PDF) and it has identified two distinct variants, both highly flexible but with two different techniques for establishing and maintaining a presence on the target system. In general, its operation relies on kernel mode drivers, making it a rootkit. It is designed to covertly install a backdoor on a compromised system, hide the presence of its components, provide a communication mechanism with its command and control (C&C) servers, and enables an effective data exfiltration mechanism. At the same time, Snake exposed a flexibility to conduct its operations by engaging these noticeably different architectures.

According to media reports, ‘Uroburos’ has been stalking its victims since as far back as 2005 and large enterprises and governments need to pay urgent attention to the threat it. It now transpires that Snake has been slithering silently around networks in the U.S. and its NATO allies and former Soviet states for almost a decade, stealing data, getting ever more complex and modular and remaining almost invisible.

Culling data from malware research sites (i.e. those to which suspected malware samples are submitted for inspection), it has been spotted 32 times in the Ukraine since 2010, 11 times in Lithuania, 4 times in the UK, and a handful of times altogether from the US, Belgium, Georgia, Romania, Hungary and Italy.

These are very small numbers but cyber security firm(s) believes that on past experience they are highly indicative. While they represent a tiny fraction of the number of infections that will have occurred in these countries and beyond, they can be used to reliably infer that Snake has been aimed at Western and Western-aligned countries pretty much exclusively. While none have specifically named Russia as the originator for this malware yet some have put the country under suspicion.

Hints of the malware’s provenance have surfaced from time to time. In 2008, the U.S. Department of Defense (DoD) reported that something called, Agent.btz had attacked its systems, an incident later attributed on more than one occasion to the Russian state without further elaboration. Beyond that the evidence is circumstantial and it is very difficult to attribute Cyber Criminality with great certainty.