The traditional methods of espionage are things of the past. Now most of the crucial and sensitive information and data are stored on computers and electronic devices. Naturally, computers and information and communication technology (ICT) associated with government and companies are the primary target of those seeking espionage in the modern era. This process of infiltration and breach of sensitive and top secret government and corporate computers is known as cyber espionage.
Cyber espionage in India is not a new concept but has been in existence since last decade. Further, cyber espionage may be done by an insider or an outsider by exploiting the vulnerabilities in the cyber security of an organisation. The real problem is that cyber espionage is inexpensive and relatively easy to commit and it is also very difficult to prove with absolute certainty. In short, without a conclusive “authorship attribution” cyber espionage is largely a lost battle. This is the reason why the Defense Advanced Research Projects Agency (DARPA) of United States is soliciting innovative research proposals in the area of cyber attribution.
If we analyse the cyber attacks trends against India for the past few years it would be apparent that the frequency and sophistication of various cyber attacks has significantly increased. This has been well analysed and documented by the cyber security developments of India 2015 and cyber security trends in India 2016 by Perry4Law Organisation (P4LO). Sophisticated cyber espionage malware like Uroburos/Snake, FinFisher, etc are easily defeating the cyber security safeguards. The global cyber espionage operation named SafeNet was discovered in the year 2013 that infected computers across the globe.
Recently it was reported in the media that a cyber espionage group named Danti could have breached the computer of top ranking bureaucrats in the government. Cyber espionage groups like Danti usually sends an e-mail carrying a malware or a malicious link, which seems to be originating from a government official mail or an e-mail from some government department. Once such malware is activated by either opening of the malicious downloaded file or by clicking at the malicious link, the malware is silently installed upon the victim’s system. It works in a stealth manner and keeps on stealing the sensitive information and sending it to the designated server in an encrypted and coded manner.
India has neither a dedicated cyber security law nor a mandatory cyber breach disclosure norms as on date. Even the cyber security infrastructure of India is grossly deficient as it cannot tackle sophisticated cyber attacks and malware. We do not have any cyber warfare policy of India (pdf), cyber terrorism policy of India, critical infrastructure protection policy of India (pdf) and cyber espionage policy of India. Even the important encryption policy of India (pdf) is missing till now. Constitution of the Tri Service Cyber Command for Armed Forces of India has skipped many deadlines and it is yet to be established. All we have is a defective and outdated cyber security policy formulated in the year 2013 that needs urgent reformulation.
As far as Indian cyber law is concerned, it has become almost redundant and it needs an urgent amendment, preferably a re-enactment. Even Indian Telegraph Act needs to be repealed as it carries many draconian e-surveillance and phone tapping related provisions that have no place in a modern democratic society like India. However, the worst blow came from Indian Supreme Court that has virtually killed the cyber law due diligence (pdf) instead of strengthening the same. Clearly, India lacks the required techno legal framework that alone can help it in fighting against cyber crimes and sophisticated national and international cyber attacks.
Another area of concern is the absence of adequate cyber security of e-governance services in India. Indian government is pushing its Digital India project without any civil liberties and cyber security safeguards. For instance, we have inadequate cyber security for smart grids, smart cities, critical infrastructures, nuclear facilities, satellites, governmental informatics infrastructures, defense networks, etc and Digital India cannot succeed in the absence of a robust and resilient cyber security for these critical infrastructures. We do not have an implementable cyber attacks crisis management plan of India that can be relied upon in case of a sophisticated cyber attack.
At a time when US law enforcement and intelligence agencies have acquired trans border hacking powers, it would be naive to assume that the same would not be used against Indian computers. The truth is that US is pushing other nations towards cyber warfare and cyber espionage race. In this background it is imperative that Indian government must not only enact dedicated and techno legal cyber security laws for India but also insulate Indian cyberspace and computers from foreign cyber attacks and cyber espionage attempts. We at Perry4Law Organisation (P4LO) strongly recommend that a dedicated cyber espionage policy of India must be urgently formulated by Indian government in these circumstances. P4LO would be happy to assist Indian government and other national and international stakeholders in formulation of cyber espionage policy in general and amended cyber law and cyber security laws in particular.
As per media reports, Indian government is contemplating to frame a comprehensive policy to deal with cyber espionage and other threats related to it. The policy that may enable setting up of a panel of experts who can work closely with the security establishment is being closely monitored by the Prime Minister’s Office. Indian government is also working in the direction of bringing suitable changes in the existing laws to make them more compatible and contemporary to the present time requirements. The cyber security manpower would also be strengthened along with upgrading the cyber security infrastructure to tackle cyber attacks. P4LO welcomes these positive developments and wishes all the best to Indian government in this regard.