The Cyber Threats
As I write this, the government is planning to widen the scope of its cyber-security coordinator in the wake of incendiary internet data that swept the country recently and forced an exodus of northeastern people from Pune and Bengaluru. The idea is to toughen cyber laws to prevent such hate campaign. At present, the cyber-security coordinator functions in the National Security Council Secretariat. He has to now take a more holistic view and look at other options before suggesting additional counter-measures.
It is said that morphed pictures were specifically designed in Pakistan (whether it was the work of individual Pakistanis or that of the Pakistani government is a different matter) and that was used by some misguided elements in India to cause communal tensions and riots all over the country. Cyber security, thus, has to deal with a domain where there are no boundaries. The ubiquitous use of computers and other electronic devices is creating a rapidly rising wave of new and stored digital information. And they always can be misused.
Of course, this is not the first time that India has witnessed such cyber-related turbulence. Few years back, there were attacks by the Chinese hackers to the computers in the Prime Minister’s Office (PMO). The hackers had aimed high—their targets were the cream of India’s national security set-up: the then National Security Advisor MK Narayanan, the then Cabinet Secretary KM Chandrashekhar, the then PM’s Special Envoy Shyam Saran and the then Deputy National Security Advisor Shekhar Dutt. The four and up to 26 others were squarely in the crosshairs of the hacking attempt. It is said that the Chinese hackers were desperately trying to access data on India’s position at the Copenhagen Climate Summit.
In March 2009, a China-based cyber spy network had hacked into the government and private systems of 103 countries, including those of many Indian embassies and the Dalai Lama. In May 2008, hackers from China attacked the Ministry of External Affairs’ (MEA) website. Despite official denials, at least one website reported that the hackers had stolen the login identities and passwords of several Indian diplomats. In any case, a huge number of Indian websites have been at the mercy of an anti-India community from time to time.
That hackers from across the Indian borders could become the new threat point for the government was realised for the first time when during the nuclear tests at Pokhran in 1998, Pakistan hacked into the websites of Zee News and India Today. The Pakistan-based hackers, GForce Pakistan and Pakistani Hackerz Club, owned up the intrusion, leaving threatening messages and demanding a stoppage to the N-Tests. Even after the Parliament attacks in December 2001 and later a massive troop standoff between India and Pakistan, several hacking incidents were reported.
It may be noted that the Pakistani hackers targeted the Indian website www.armyinkashmir.com, which was providing factual information about daily events in the Kashmir Valley in 1999. The hackers posted photographs showing the Indian security forces allegedly killing Kashmiri people and blamed the Indian government for “atrocities” in Kashmir. Obviously, it had the intended impacts in the Valley. Similarly, in 2008, the techno-savvy terrorists based in Pakistan used Internet to send terror emails a few seconds before triggering the serial blasts across the country.
In December 2008, the Eastern Railways portal was hacked by Whackerz-Pakistan. The official site www.easternrailway.gov.in bore a strange look. When opened, the top scroll on the site, which normally consists of official announcements, had unusual notes. The first note read: “Cyber war has been declared on Indian cyberspace by Whackerz-Pakistan (24 Dec-2008).” This was followed by two other abusive notes. The threat note also claimed that servers of Indian financial institutions would also be hacked with the help of the group’s members working in computer departments of “foreign companies”. The scene became grimmer after the 26/11 Mumbai attacks in 2008. The Pakistani group, Pakistan Cyber Army, hacked into the websites of the Indian Institute of Remote Sensing, the Centre for Transportation Research and Management, the Kendriya Vidyalaya of Ratlam (a chain of schools run by the Indian Army) and the Oil and Natural Gas Corporation of India (ONGC). The damages took a long time to fill.
Hostile neighbours, or for that matter external enemies, can always create havoc by indulging in what is called cyber war. For instance, it is now an open secret that Russia launched an unprecedented cyber war against Estonia in May 2007, soon after Estonian authorities began removing a bronze statute depicting a World War II-era Soviet soldier in Tallinn (Capital of Estonia). Though officially Russia denied, the fact was that its cyber attack virtually crippled Estonia’s digital infrastructure by clogging the websites of the President, the Prime Minister, and the Parliament as well as staggering the country’s biggest bank and the sites of several daily newspapers. In fact, the attack totally destroyed Estonia’s financial system for few weeks.
It may be noted here that when one talks of cyber security, one deals with hostile governments as well as individuals. And when talks of individuals, it is obvious that cyber criminals, unlike other criminals, are educated. In fact, the demographic of a typical cyber-criminal is changing rapidly, from bedroom-bound geek to the type of organised gangster more traditionally associated with drug-trafficking, extortion and money laundering. Cyber-criminals can earn thousands of bucks a day without leaving their homes. In fact, to make more money than can be made selling heroin (and with far less risk), the only time the criminal needs to leave his PC is to collect his cash. And most of these criminals are young, mainly in the age group of 18 and 30.
It is against this background that many experts suggest that one of the first things to emphasise while investigating the chain of actions for a cyber attack is the initial starting point where individuals begin thinking about and rehearsing in their minds the nature, method, and target for the attack. Perhaps the key point of the historical and social significance of the emergence of civilian cyber warriors can be found in the social psychological significance of the event. The reassessment of the usual assumptions of the inequalities of the levels of power between nation-states and citizens establishes new relationships among institutions of society, government, and individuals.
Dealing with cyber crimes is no doubt a Herculean task, given the fact that the technology involved here is so fast changing that any law would find it difficult to keep pace. Secondly, any effective law will need international cooperation in the sense that the criminal is not necessarily physically present in the country where the crime is committed. And unfortunately, there are no international rules and conventions as yet to deal with the cyber crimes.
And as regards the national laws, in a democratic country such as India, there will be a debate over boundaries of information security dealing with the governmental interventions and the privacy landscape. How to deal with the Internet transmits identity information, how to authorise and attribute the information collection are all tricky issues. In India, we have another sensitive issue to deal with. That is the fact that cyber crimes come under both traditional Indian Penal Code (IPC) and the Information Technology Act, 2000, which has been amended in 2008. And here lies the confusion. Since policing is a “State” subject and the complaints have to be lodged with the local police, it all depends under what laws the police registers the cases, and it so happens the police prefers the age-hold IPC. Because the local police is not conversant with the intricacies of the IT Act, which is a central legislation. But once the case is under IPC, then the method of investigation has to be under the guidelines associated with the IPC. And if one goes by that method, it will be extremely difficult to prove the most of the cyber crimes, experts say.
Even under the IT Act, investigations in India are not that easy. And this is mainly due to the lack of what is called The Cyber Forensics. We know that how forensic devices are important in normal criminal investigations to gather evidence to prove in the court. But to prove the cyber crimes, electronic evidence and their collection and presentation have posed a challenge to the investigation agencies, prosecution agencies and judiciary. In fact, not to speak of the police officers, in India lawyers and judges are not properly trained in cyber law aspects to prosecute and punish suitably the cyber criminals. In the absence of proper training, there is almost no conviction of cyber criminals in India.
Therefore, overcoming the cyber threats is going to be a prolonged and complicated affair, an affair that needs relentless indulgence by both the technology and laws of the land. The threat simply cannot be ignored.
By Prakash Nanda