A malware attack was launched against the closing ceremony of the Commonwealth Games in October 2010. Indian cyber security snoops traced it to a computer in an Ashoka Hotel VIP suite, and switched off the machine. “This was one of the 8,000 such attacks made against the Commonwealth Games infrastructure,” said informed sources.
India has largely finished rolling out a revamped cyber security structure for the country, covering not only surveillance but also duller aspects like laws and administration.
India’s cyber security programmes also use metadata-based systems like the recently exposed US National Security Agency’s PRISM system. “We are into metadata usage,” said a source. Such programmes do not snoop into the contents of electronic communication. They search for patterns in the manner emails, phone calls and SMSes are sent and delivered. “We don’t get into individual emails.”
India’s metadata system’s name and technical specifics are unknown. But it is much simpler than the US one.
It does not store and analyse communications in anything as detailed a fashion as PRISM. It is run by the telecom department and the Computer Emergency Response Team, not the intelligence agencies.
“Our system does not collect specific data, not even names,” said a source. “If we go into individual emails, we have to seek legal permission.” The limits to such surveillance are laid out in the amended Information Technology Act.
The plan is to let the present cyber security framework function for 2-5 years, allowing the government to “learn lessons” on how to improve it. With 15 states and many government bodies having set up cyber security panels, much of the administrative backbone is in place. The main concern is the poor cyber security awareness in the broader population. There are hopeful signs: secureyourpc.in gets 100,000 hits a day.
“It is not possible to ensure 100% security,” say sources. “But no cyber intrusion has been able to compromise the country’s national security yet.”
“Other governments regularly check us out with cyber attacks, check out our systems, attempt intelligence acquisition…they test to see how good we are.” Why else attack the infrastructure of the Commonwealth Games, sources noted, something of no practical use.
Will India develop a cyber offensive capacity? Notably, the new structure does not include regulations limiting what India can do in the cyber realm outside its borders.