When India tested its nuclear weapons in 1998, the US got a shock of significant magnitude. CIA officials said they did not know about the tests until then Prime Minister Atal Bihari Vajpayee went on television to announce them four hours after the event. Till then, the seismic data, from which the tests could have been detected, had apparently not been analysed. The fleets of US spy satellites had been fooled; the multi-billion dollar intelligence network of the only superpower on earth had egg on its face.
This spurred the US to focus on its intelligence gathering in India. It would appear that the efforts have borne fruit.
If the suspicions being expressed by Indian intelligence agents are true, the US may now be in possession of information on India’s war plans for the army, navy and air force. The atomic energy establishment, which no foreign agency is known to have breached significantly in the past, may also have been compromised. Even ISRO data is thought to have leaked to the US spy agencies. Put together, it represents a leak of massive proportions.
It happened because of some smart work on the part of the US agents, and the curious ‘chalta-hai’ type of loophole that is so typical of India. The National Security Council Secretariat — the repository of all this information — is not secured anywhere near as well as the individual intelligence agencies and military headquarters are. In fact, even its staff comprises a large number of part-timers on short contracts. Many of them receive meagre salaries in the range of Rs 15,000-Rs 20,000 a month.
The story so far is that SS Paul, a disgruntled computer analyst with the NSCS, passed on secret data from NSCS computers to Rosanne Minchew, third secretary in the US embassy in Delhi, for $50,000 (Rs 23 lakh). He did this by storing the data on USB drives and taking it out. The operation went on for about a year. Paul eventually got caught because a wing of Delhi Police knew Minchew’s role in the US embassy. They put her mobile under observation and found she was receiving SMS messages from a number that turned out to be Paul’s. He was put under surveillance, and was found to be passing classified information to her.
Investigations in the case showed that Paul had been introduced to Minchew by Commander Mukesh Saini of the NSCS. Saini was the man heading the National Information Security Coordination Cell, and was an important part of the Indo-US Cyber Security Forum. In his capacity as National Information Security coordinator, he was in touch with sector cyber security officers and systems administrators in various ministries, departments and security forces. Investigators now believe Paul was not the only one whom Saini introduced to US intelligence. At least five others are under suspicion for passing information to Paul, who passed it further to Minchew.
The case has prompted the Intelligence Bureau to ban cell phones with advanced features from its premises. It already has software, specially developed for its use, to detect the use of USB drives on its intranet. This software logs the time a USB drive is inserted into a computer and the time it is taken out, gives the ID of the computer and its user, and lists the files accessed. The log report is sent to a designated computer.
This software was not deployed at the NSCS. Sensitive ministries and departments also don’t have this software.
However, experts see the problem as more human than technical. If the people tasked with cyber security themselves sell out, it can’t be considered a technical failure, they point out.
Cyber security expert Subimal Bhattacharjee points out that India does not have a policy on critical infrastructure protection. Moreover, security systems are not properly deployed, he adds; otherwise checks and balances would exist so that a person’s colleagues would get to know if he was taking out data. His views are echoed by J Prasanna of K7 Computing, who says system administration and cyber security responsibilities should never be concentrated in one person. Banning cellphones or USB devices, or keeping computers off the Internet, does not ensure security, he adds. Monitoring use is a better option.