August 2, 2013

Securing India’s cyberspace

India should enhance its domestic capabilities in cyber-security, in terms of the development of institutional, legislative and technical mechanisms, and create a base of skilled professionals supporting government and private efforts to secure cyberspace. 

After years of slumber, India appears to be awakening to the challenges inherent in governing electronic communication in the country. In July 2013, the government published its National Cyber Security Policy (Refer to the Takshashila Institution’s comments on the Department of Information Technology’s (DoIT’s) March 2011 draft of the National Cyber Security Policy). This was followed closely by news of progress in the implementation of a framework for lawful electronic interception, referred to as the Central Monitoring System (CMS) (Refer to the Takshashila Institution’s discussion document on India’s Central Monitoring System). Cyber-security as a domain of governance is something that most countries are grappling with and India is no exception. Indeed, India is projected to lead the world in Internet traffic growth over the next five years, making it critical for New Delhi to both collaborate with other countries and develop domestic capabilities to secure this rapidly growing domain.


The implementation of the CMS makes for an interesting case study on how the government of India has approached threats to India’s cyber security thus far. The initial mandate of the CMS included lawful interception of all telecommunications and Internet data. But the interception of calls made through BlackBerry devices posed a hurdle due to the device’s unique architecture and security controls. Prolonged negotiations between the government of India and Research in Motion (now BlackBerry Limited) ensued and now appear to have concluded.  A recent report in The Times of India indicates that BlackBerry Limited will provide the government of India the ability to intercept data from non-corporate BlackBerry devices.

However, technological challenges with regard to intercepting data from popular websites such as Gmail and Facebook are proving harder for the government to overcome. Their use of strong encryption has impeded the ability of government agencies to intercept and monitor content transmitted through these websites.

The mandate of the CMS, therefore, is now effectively reduced to intercepting land and mobile telephony data and unencrypted internet traffic, leaving large swathes of encrypted internet traffic unmonitored. Given these challenges, it is not clear why the government decided to proceed with a programme with such extensive a mandate. One can surmise that either the Indian government wasn’t given appropriate technical input, or that it chose to ignore the input and proceed with the implementation of the CMS. Either way, it does little to inspire confidence in a program that is apparently being implemented to mitigate threats to India’s national security.

Indeed, other than India’s National Security Advisor (NSA) Shivshankar Menon, few others in India’s political leadership have clearly articulated the challenge India faces with regard to cyber-security or laid out a vision for the way forward. In an internal note to the Home Ministry, the NSA aptly described cyberspace as an “anarchic, lawless domain” and favoured an approach involving enhanced cooperation with other countries on cyber-security, rather than single-handedly attempting “grand pursuits” (an apparent reference to the CMS).

Cyber-security is already a component of the US-India Homeland Security Dialog. But old suspicions linger and continue to hinder closer cooperation between India and the US. Bridging the trust deficit between India and the US will take time to overcome, but if the story of Indo-US ties over the past two decades tells us anything, it is that these challenges can indeed be overcome. It is time that the profile of the cyber-security dialog be elevated to address both Indian and American concerns to current and emerging threats in cyberspace.

In this regard, the government India will not be not the only beneficiary of an elevated cyber-security relationship with the US. Certainly, working closely with the US and developing protocols on information sharing will potentially allow India to overcome technological challenges and gain access to information that can identify and mitigate threats. But equally, the US has a vested interest in developing closer ties with India on cyber-security. A US House of Representatives Foreign Affairs subcommittee hearing in July highlighted the need for closer collaboration with India on cyber-security, given the manifestation of common threat perceptions in cyberspace (via China and Pakistan).

That both the US and India are leading sources of international spam presents security risks that impact not just these two countries and their businesses, but the rest of the world as well. Thus, closer collaboration between India and the US in identifying and eliminating ‘botnets’ and other sources of spam was identified as being important by Karl Rauscher, Distinguished Fellow at the East West Institute, during the same US congressional hearing.

A third beneficiary of closer India-US cooperation in cyber-security, though not immediately apparent, could potentially be India’s citizens, particularly with regard to legal interception.  Since the intention to implement the CMS was announced by the Indian government, India’s legal experts and open society advocates have mounted vehement opposition, charging the government with giving itself extensive powers that circumscribe the constitutional rights of citizens. Their concerns are not without merit.  The absence of privacy and data retention laws in India means that there is no clarity over how and under what conditions personal data of India’s citizens is stored and how it may be used.

The concern that data captured through the CMS could be susceptible to political misuse therefore is valid. However, the inability of government agencies to decrypt secure data transmissions from popular Internet websites means that they are effectively reliant on foreign service providers and their host governments to obtain access to data.

Now, such an arrangement could curtail India’s ability to obtain information timely to mitigate threats, let’s say in the event of an ongoing terrorist attack, or in the case of the suspected organised rumour-mongering that saw thousands of Northeast migrants flee Bangalore in August 2012. But it could also prevent misuse if strong data privacy and retention legislation exists in the foreign country (e.g. the US) that governs the use and disclosure of such information.  The potential for political misuse and overreach would therefore be limited by design.  Of course, Indian displeasure over the US’s clandestine collection of its citizens’ personal data is well warranted, but that is a subject for a separate discussion.

Given the limitations in technology and jurisdiction that impede India’s ability to substantially secure cyberspace, collaborating with, or seeking the assistance of other countries should be an essential component of India’s approach.  However, the goal for the government of India should be to enhance domestic capabilities in cyber-security, both in terms of the development of institutional, legislative and technical mechanisms, as well as a base of skilled professionals supporting government and private efforts to secure cyberspace.  These are mid- to long-term projects no doubt, but they require adequate stewardship, and investment in resources and capacity building by the government and the country’s private institutions.

Photo: Intel Free Press

Fatal error: Uncaught Error: [] operator not supported for strings in /home/customer/www/ Stack trace: #0 /home/customer/www/ layers_post_meta(5108) #1 /home/customer/www/ require('/home/customer/...') #2 /home/customer/www/ load_template('/home/customer/...', false, Array) #3 /home/customer/www/ locate_template(Array, true, false, Array) #4 /home/customer/www/ get_template_part('partials/conten...', 'single') #5 /home/customer/www/ include('/home/customer/...') #6 /home/customer in /home/customer/www/ on line 62