India's cyber-defenses full of holes
By Indrajit Basu
KOLKATA - It's reminiscent of an action movie. The year is 2017 and two rival countries - India and China - are fighting a war. The conflict is not being fought with guns, tanks and aircraft but computers, bots, viruses and Trojans. The soldiers are not troops, but hackers.
The scenario was enacted by the Indian military last year in a cyber-warfare simulation called the "Divine Matrix". Officially, the likelihood of a Chinese cyber-strike has since been played down. This is a big mistake, experts say, given the poor state of India's cyber-security.
A recent investigation by McAfee, the software security firm, revealed that as cyber-attacks rise globally, India is emerging as an easy hunting ground.
Worse, the vulnerability not only poses a threat to the government, military, and infrastructure, it also carries a huge risk for international businesses that have outsourced IT operations or bought software in India.
"That India is under-prepared is well known, and experts often raise concerns about how the government's IT systems could be crippled in a war," said Shivarama Krishnan, an IT security expert at a firm of global consultants. "While that threat is valid, I think the real worry is someone attacking the IT systems of the private sector."
Krishna added that India could be used as a route to attack the IT systems of other countries, since it is linked to important networks like the United States' financial sector. "Cyber-criminals could take advantage of the vulnerability in the IT security systems here and cripple financial services there," he said.
India's US$60 billion software industry derives over 85% of its revenues from abroad. The US's financial services, retail, manufacturing, infrastructure (like electricity and telecoms) as well as medical services account for 60% of these export revenues.
Across the world more critical infrastructure is being connected to the Internet, leaving it more vulnerable, says McAfee, with India having the lowest rate of security measures for its infrastructure. India also topped McAfee's charts for malicious traffic in Asia.
Although China last year cut its security budgets by 40% for government-sponsored cyber-security cooperation among operators of critical infrastructure, it still had the highest rate of participation, said McAfee.
The firm painted a detailed picture of how countries are defending their critical networks in the report, "In the Crossfire: Critical Infrastructure in the Age of Cyberwar".
The report said as data is increasingly stored online, security is increasing in sophistication. However, hackers and cyber-criminals are still managing to stay a step ahead.
India in particular faces more frequent cyber-attacks. For instance, in 2009, more than 6,000 websites were hacked and defaced, compared to 1,752 in 2006.
Greg Walton, one of the researchers at The Citizen Lab at the University of Toronto that created a sensation last year by discovering the existence of GhostNet, a global cyber-spy network that allegedly originated in China, said India was particularly vulnerable.
"If you look at the statistics of the institutions or the targets that were attacked by GhostNet when it attacked global systems, India was by far the hardest hit by that operation," he said. "India is a software superpower yet for some reason the country can't seem to get its cyber-security act together."
Legally, India is also seen as an easy target. "The Indian IT act and related local laws are oriented towards primarily addressing fraud and copyright violations; they are not security oriented," said Gurmeet Kanwal, founder-director of The Center for Land Warfare Studies, an autonomous think-tank on strategic studies and warfare.
The other major issue is cost. Indian is touted as a low-cost outsourcing destination and "security is always an expensive proposition", said Desai of MitKat, a consultancy firm. "Often Indian service providers cannot adopt security measures that on a par with international standards."
India can ill-afford to ignore this new challenge to its security, say Kanwal. He says information warfare can start anywhere and carry on silently in peace time, comparing it to "acupuncture warfare" a term that refers to seeking out a country's weak points.
India should adopt an inter-ministerial approach to dealing with the emerging threat, according to Kanwal. A special agency should be formed to spearhead India's cyber-war efforts, and the country should have its own national cyber-security adviser, he maintains.
"But above all", said Walton, "even if government and specific security agencies are wake up to the threats of information warfare, the country's corporate sector is still oblivious. It is time that this sector wakes up too."
Indrajit Basu is a correspondent for Asia Times Online based in Kolkata.
http://www.atimes.com/atimes/South_Asia/LC12Df05.html
India's cyber-defenses full of holes
Linear Mode
