Are the biggest threats to India now coming from the Internet? According to Kapil Sibal, Union minister of communications and information technology, cyber war is a continuing threat the nation faces.
It was widely reported in April last year that hackers broke into defence ministry systems and accessed sensitive secrets. The PTI report from the time states that these included computers at Indian embassies in Germany, Italy, the US and the high commission of India in the UK.
Among the stolen data was what appeared to be encrypted diplomatic correspondence, two documents marked secret, six restricted, and five confidential.
The websites of the Central Bureau of Investigation (CBI) and 270 more organizations were hacked in December 2010. The hackers left a message on the CBI site saying this was in retaliation for an alleged attempt to hack 40 Pakistani government websites.
At the second Global Cybersecurity Summit in Delhi last month, Sibal said: “We need a legal framework as we are dealing with some of the best minds. We also need a community of ethical hackers.”
For the country: Gawde (left) with A.P.J. Abdul Kalam in 2006.
The government has a number of organizations that work in the field of cyber security. This includes both organizations within the Armed Forces and the civilian fields, but there is a strong need to build a trusted group of experts to call upon.
Building this pool of ethical hackers is something that needs to start with the very youngest, according to Dominic K., moderator, MalCon, a conference for hacking, and principal of the Information Sharing and Analysis Center (Isac), New Delhi.
He says: “We work with the government to make it possible for people to devote time to this national cause. The government is aware of the problems, but a detailed process and mechanism to identify and train experts is lacking.” Isac helps with that.
Isac works with the government to ensure that the hackers included in their database are properly trained and regularly updated. The National Security Database (NSD), Dominic says, will test their skills rigorously. After that, they will be put through psychometric tests to judge if they can be trusted to handle sensitive information.
Candidates who make the grade will be entered into the database and categorized under their area of specialization—fraud investigation, Web security and mobile security, to name some.
Shantanu Gawde (15) and Harsh Shah (17) are research volunteers at Isac who have worked on projects important to national security.
Seven years ago, at age 8, Gawde was a Microsoft-certified software engineer. At 9, he was an Oracle-certified professional and by 10, he had completed .NET framework certification. As part of a hacking demonstration in November, he created a program to highlight security flaws in Microsoft’s Xbox console and Kinect peripheral, to turn the device into a spy camera.
Rajshekhar Murthy, director at Isac, says: “A lot of Windows-based applications will be developed for Kinect and the device will become widespread—and an exciting target for visual and audio intelligence. At MalCon research labs, we promote proactive security research and the malware utilizing Kinect is only a proof of concept.”
Shah was already interested in hacking when he started learning two years ago. He learnt by reading on the Internet and frequenting chat rooms famous for hacking, slowly updating his skill set. For example, he has created tools that can allow a user to get full access to target computers via the Outlook email client.
Gawde and Shah have both worked with agencies such as the National Technical Research Organisation (NTRO) to track and prevent a hacking attack on the Indian embassy in Bangladesh, and both have been working on analysing security weaknesses of government sites. Details on the websites and systems being tested are, of course, classified, but the entire project is overseen closely by NTRO.
Alok Vijayant, director, information dominance group, NTRO, says there is a need to channel young people into useful paths. He says, “We would not have got Tendulkar had his parents forced him to become an engineer and likewise, if a child has interest in a subject through which he can convert his ideas into clear-cut deliverables—why not?”
He adds: “Information security research is a key capability for any country to secure its cyberspace. Security professionals can help the country by verifying their technical skills with the NSD and provide their expertise where needed.”
The community of ethical hackers that Sibal is calling for would go a long way in plugging the security holes in government systems, as long as young people like Gawde and Shah also get support from all the right quarters, adds Vijayant.