Threats and Vulnerabilities to India’s Information Infrastructure

New Delhi: While the Indian economy is on an upswing, growing consistently at an average of over 9%, there are serious security concerns that loom ahead on the horizon, challenging our extraordinary progress. These concerns pertain not only to traditional security threats, such as terrorism, communal or sectarian violence, crime and militancy/insurgency, but increasingly include non-traditional and unconventional threats as well.

In addition to major terrorist attacks on our commercial and financial centre – Mumbai, which are largely perceived as efforts to undermine our economic strength, there have been recent attacks on our scientific institutes, such as the alleged terror attack on the Indian Institute of Science (IIS) Bangalore in December 2006.

While our prowess in science and technology, and more specifically in Information Technology (IT), forms the cornerstone of our economy, in reality these comprise soft targets, which are highly vulnerable to a myriad of threats, ranging from physical acts of terrorism to electronic attacks on information assets.

The IT industry has recorded phenomenal growth in the last five years, especially software services, Information Technology Enabled Services (ITES) and the Business Process Outsourcing (BPO) sector. While capitalizing on India’s geographic location (suitable time zone) and massive pool of skilled English speaking manpower, companies have struck innovative business outsourcing models to garner maximum profits.

Robust ICT infrastructure

However, all this has been possible only in the backdrop of a robust Information and Communication Technology (ICT) infrastructure. In the last decade or so, the government, public sector and private companies have seen tremendous opportunity in the sector and have accordingly invested large capital in building up suitable information infrastructure. This includes submarine undersea cables, satellite transponders or receivers, and massive on-ground, telecom and Internet connectivity.

As businesses grew, there were immense demands to expand the infrastructure, which were adequately met from time-to-time. However, we have become increasingly dependent on this infrastructure, and as a result, our vulnerabilities have also risen manifold. Today, we are highly vulnerable to any disruption, even if it is of a short-term nature, infrastructure and IT development notwithstanding.

The risk spectrum is extremely broad, ranging from non-state actors waging cyber-attacks and adversaries carrying out information warfare (IW) to deviant individuals wreaking havoc on the information superhighway with deadly electronic viruses and worms. It is not in the scope of this article to delve into technicalities or details of these, but it is pertinent to note that the United States (US), which is the most wired nation in the world and thus most susceptible to IW, has not experienced any major IW attack on its infrastructure.

The world’s sole superpower is highly paranoid and has conducted numerous simulation games on its critical information infrastructure, but till date there has not been any significant instance of a cyber attack (or cyber-terrorism) targeting it.

This is not to say that the threat does not exist. Probably, non-state actors do not currently possess the kind of capabilities required to conduct advanced cyber attacks. Nonetheless, even in the Indian context, a disruption of any critical information infrastructure, such as the Indian Railways computer network, Reserve Bank’s financial network or the National Stock Exchange’s system, is likely to incur heavy financial losses as well as result in widespread chaos.

Industrial espionage

It is well documented that terrorists use the same infrastructure and technology that is freely available to plan and coordinate their violent actions. Whether it is satellite imagery through Google Earth, terrorist propaganda through Jihadist websites, or communication through electronic mail and instant messaging; the exploitation of ICT infrastructure by terrorist outfits is on the rise. We may impose certain restrictions, but technology is a double-edged sword, and the perpetrators of evil will always find a way of circumventing these checks.

Worldwide trends also indicate a rise in cyber-crime. With banks getting networked and offering conveniences like Internet Banking and Any Time Money (ATM), a new generation of white collar criminals are unleashing cleverer and more lucrative methods of stealing money.

In recent times, gangs of ATM thieves have been nabbed from India’s major cities revealing that the threat is not just restricted to foreign countries. In the information age, where information is power, cyber criminals are not always targeting financial networks; they may also steal information or classified documents. In fact, industrial espionage has taken a new form, with professional hackers coming onto the scene and pilfering secret information from business rivals or sensitive installations.

‘Insider’ threat

In India’s case, the most pertinent risk is that of ‘Insider threat’. Several information security surveys have pointed out that the greatest information security threat to an organization is not from an adversary or a criminal, but from an insider. The insider may be a former employee, a disgruntled worker or someone who is just financially motivated. A case in point is the recent arrest of three former employees of the BPO, MphasiS BFL during April 2007 from Pune for allegedly stealing over $350,000 from four Citibank customers. Financial losses aside, the incident had an adverse impact upon the company’s credibility and reputation, especially amongst global clients.

Since this was not the first of its kind and given the media attention that such incidents attract, the data theft case proved to be a huge blow to the Indian BPO industry and it lost several business opportunities during the period. Also, recently we had the Naval war room case where senior officers were implicated in espionage and passing vital national security information. The officers had apparently used thumb/pen (USB) drives to extract information from the computers on the classified networks. Both the BPO and the War Room cases highlighted the ease with which employees could access vital information and pass it on to the wrong hands.

In the absence of adequate information security safeguards, and advancements in technology making dissemination and distribution of information easier, protection of vital information constitutes a major challenge.

Information security installations

In India, we have not had a case of a surreptitious programmer masquerading a malicious code, a virus or a worm programme on the Internet. In the past, destructive viruses, such as the Lovebug, Nimda Worm and the Code Red resulted in widespread disruption of the World Wide Web (WWW) and other networks connected to the Internet. Web based companies suffered huge economic losses due to these viruses. Some of the perpetrators were identified and charged under the Computer Fraud and Abuse Act while others were too clever to be nabbed.

In response to the threat and growing awareness, organizations are looking at information security (INFOSEC) more seriously than ever before and implementing appropriate strategies. These include the implementation of INFOSEC technologies, such as Firewalls, Biometrics, Intrusion Detection Systems (IDS), anti-virus programs, logging mechanisms etc. Technology is further strengthened when INFOSEC practices and policies are put in place.

Several companies are adopting the BS 779, ISO 17799 or similar information security mechanisms, which are standardized security policies and standard procedures. Organizations are chalking out stringent information security practices for employees, and employing dedicated security professionals to enforce these. Finally, it is very important to have up-to-date legislation. While we have the IT Act catering to information security, there are several loopholes and lacunae in the act that need to be plugged. As technology is rapidly changing, legislation must keep pace in order to punish those who breach security.

Training and coordination to meet Information Security needs

At a larger level, as far as national security is concerned, training and coordination are the key to achieving information security. There is a need for making a conscious effort, maybe on the lines of what the US has done, in identifying critical information infrastructure and carrying out vulnerability assessments. Thereafter, suitable agencies need to be trained and tasked with relevant mandates.

Towards this end, the Indian CERT (Computer Emergency Response Team) was established as the nodal agency to monitor and respond to information security threats. Similarly, cyber cells have been set up in various state police departments to fight the rising menace of cyber crime. However, the approach seems to be reactive and is in response to the actions of the perpetrators, who would always have the advantage of changing tack and outsmarting various security mechanisms. Probably, a lot is being done in the area of information security, but it is in pockets of isolation. A lot more coordination and information sharing between the various agencies involved in information security is imperative.

Expand concept of national security

With changing times and threat scenarios, it is imperative that we redefine our concept of national security and expand it to include new and emerging threats. There is no denying that information infrastructure is highly vulnerable, but the spectrum of threats is much too broad and may even be unrealistic, especially in terms of IW and cyber-terrorism.

A pragmatic trend analysis based on practical experiences would determine the real threat and chart the way forward in protecting our vital information assets. Finally, unless we secure our information highways, it will be erroneous and misleading for us to claim being an information superpower.

Prashant Bakshi is a Defence Analyst and Former Fellow IDSA and can be contacted on