Indian governmental institutions remain unmoved by the disclosures on Tuesday of the large-scale penetration of Indian computer systems and the theft of data, including classified, restricted and secret.
The Ministry of External Affairs had nothing to say in reaction to details in the report, Shadows in the Cloud, published by a collaboration between the Information Warfare Monitor and the Shadowserver Foundation, outlining data theft and system penetration in Indian embassies. The Ministry of Defense was similarly quiet, with no response forthcoming, to questions posed by news reporters.
But privately, sources in the Defense Ministry and the armed forces appeared merely satisfied that most of the data stolen was already in the public domain. “Institutions like the Institute for Defense Studies and Analyses (IDSA) and the National Maritime Foundation (NMF) work mainly with data that’s in the open,” said one officer. A source at the NMF, who declined to be identified for the purpose of this report, too said the same, but admitted, “In spite of the nature of our data, it is troubling that our systems are so vulnerable and open to attacks. Clearly we need to take a hard look at our system security.”
Sources that StratPost spoke to at the National Defense College (NDC), who again declined to be identified for this report, admitted a larger problem. “It is clear that this is an issue of national security and affects assets that are strategic in nature. But so far we have failed to put together a unified approach in dealing with the problem. While the armed forces and the intelligence agencies do have their own initiatives for cyber security, nobody seems to be talking to each other. Naturally, this leads to duplication and a lack of focus,” said one source at the NDC.
Another officer at the Ministry of Defense, also blamed the defensive mindset that prevails in the Indian security establishment. “Strategy is by nature offensive. If we want to achieve a robust cyber policy, we need to establish cyber deterrence, on the lines of nuclear deterrence, at least at some level. This requires us to take an offensive posture and demonstrate our potential. After all, cyber operations can be used as weapons against strategic targets too,” he said.
While the US Pentagon is already actively discussing the setting up of a doctrine for cyber operations, which would provide solutions for the determination of the nature of cyber operations and, for instance, when and whether they constitute an act of war. India has no such initiative at present, with only some individual services, forces and agencies arriving at their own independent opinions on the matter.
Cyber security analyst Subimal Bhattacharjee, who also heads a multinational defense corporation in India, thinks the penetrations were more of a show of strength, considering the public nature of most of the documents stolen. But he also thinks India needs a national approach. “Indian institutions are working hard to secure their systems and the effort is sincere. But all of this is not adding up to a national strategic plan.”
For starters, he recommends a major audit of all critical networks and then the creation of a national cyber security plan to lead to a national apparatus for cyber security. “The government should quickly enact a national critical infrastructure protection policy which will cover intelligence, defensive and offensive functions. All the islands of cyber defence activities in the defence forces, research labs, academic institutions and in the corporate sectors should be integrated into a common entity so that coordinated responses can be attained,” says Bhattacharjee.
Gulshan Luthra, editor of India Strategic, one of the defense news publications that was penetrated, is hiking security measures. “While much of the data is in the public domain, often we do have sensitive information like contact details of subscribers, background information for exclusive stories and data gathered from closed-door seminars. Being a media organization, we cannot eschew the internet. But we realize the security imperatives and to start with, we have decided to move all such sensitive information to stand-alone computers,” he says.
Luthra, who is a member of the Governing Body of the Institute for Defense Studies and Analyses (IDSA), an institution that was also reported by the study to have been penetrated, also thinks cyber security is not taken very seriously by officials in the government. Talking from experience, he says “Often senior officers use personal assistants to access emails and other information on computers, adding to the number of people with access and knowledge of what could be sensitive information. This is because most of them have no idea about computer systems and have a mindset which is not security conscious.”
Ankit Fadia, author of The Unofficial Guide to Ethical Hacking, thinks creating skilled manpower in India is a real problem, and says there is a dearth of institutions for training individuals in cyber operations. “Where is the talent going to come from?” he asks. Not surprised by the penetrations, he says, “We tend to wait for something to happen before we do anything.”