Cyber Security FINAL
REFERENCE NOTE.
No.34/RN/Ref./October/2015
For the use of Members of Parliament Not for Publication
CYBER SECURITY
-------------------------------------------------------------------------------------------------------------------------------
The reference material is for personal use of the Members in the discharge of their Parliamentary duties, and is not
for publication. This Service is not to be quoted as the source of the information as it is based on the sources
indicated at the end/in the text. This Service does not accept any responsibility for the accuracy or veracity of the
information or views contained in the note/collection.
CYBER SECURITY
INTRODUCTION
The emergence of the Internet led to the evolution of cyberspace as a fifth domain of
human activity, and in the last two decades the Internet has grown exponentially worldwide.
India too has witnessed a significant rise in cyberspace activities: it has not only become one
of the major IT destinations in the world but also has the third largest number of Internet
users after the USA and China. Such phenomenal growth in access to information and
connectivity has on the one hand empowered individuals and on the other posed new
challenges to Governments and administrators of cyberspace.
Cyberspace has unique characteristics, viz. anonymity and borderlessness, coupled with
enormous potential for damage and mischief. These characteristics not only add to the
vulnerabilities but also make cyber security a major concern across the globe, since cyberspace
is being exploited by criminals and terrorists alike to carry out identity theft and financial fraud,
conduct espionage, disrupt critical infrastructures, facilitate terrorist activities, steal corporate
information and plant malicious software (malware) and Trojans. The emergence of cloud
and mobile technology has further complicated the cyber threat landscape. All this makes
cyber security an issue of critical importance with profound implications for our economic
development and national security.¹
1 Lok Sabha, Standing Committee on Information and Technology, 52nd Report on Cyber Crime, Cyber Security and Right to Privacy, February 2014, p. 1
CYBER CRIME
A significant increase in cyberspace activities and access to the Internet in the country
has resulted in increased opportunities for technology-related crime. Coupled with this, lack of
user-end discipline, inadequate protection of computer systems and the possibility of
anonymous use of ICT, which allows users to impersonate others and cover their tracks, have
emboldened more users to experiment with ICT abuse for criminal activities. This
aspect, in particular, has a significant impact in blunting the deterrence effect created by the legal
framework in the form of the Information Technology Act, 2000 and other well-intended actions for
enhancing cyber security in the country. As a result, the Indian cyber threat landscape today, like
that of other parts of the world, has seen a significant increase in spam and phishing activities, virus
and worm infections, and the spread of bot-infected systems. The rate of computer infections and
spam and phishing activities in the country keeps fluctuating, making India figure among the
active sources, as is generally seen in developed economies with a high rate of IT usage.
2 Ibid, pp. 5-7
| 5 | Phishing | Bank Financial Frauds in Electronic Banking | Using social engineering techniques to commit identity theft | Section 43, 66, 66C (Compensation and punishment of three years with fine) | Immediate take-down of phishing websites. Strong authentication mechanisms for financial and electronic banking. User awareness on phishing attacks. Keeping the computer systems secure being used for transacting with the financial |
As per the Cyber Crime data maintained by the National Crime Records Bureau (NCRB),
the incidence of cyber crimes (IT Act + IPC sections + SLL crimes) increased by 69.0% in
2014 as compared to 2013 (from 5,693 cases in 2013 to 9,633 cases in 2014). A total of
2876, 4356 and 7201 cyber crime cases were registered under the Information Technology Act,
2000 during 2012, 2013 and 2014 respectively. A total of 601, 1337 and 2282 cyber crime
cases were registered under cyber crime related sections of the Indian Penal Code (IPC) during
2012, 2013 and 2014 respectively.⁴ (See Annexure)
CHALLENGES
The cyber threat landscape is dynamic and evolving, with innovative
technologies, techniques and actors. Offenders are well versed with technology
and are exploiting the lack of situational awareness of defenders. Cyber threats
range from espionage and Denial of Service (DoS) attacks to offensive actions by adversarial
State and Non-State actors. Several countries are developing sophisticated malicious
codes as lethal cyber weapons. Large-scale mapping of SCADA (Supervisory Control
and Data Acquisition) devices using specialized tools poses a major challenge for any
country.
3 Ibid, p. 8
4 Rajya Sabha Unstarred Question No. 1815, dated 5.8.2015
GOVERNMENT INITIATIVES
Cyber security requires a coherent conceptualization, clear vision of purpose and
objectives and a time bound plan of action. Formulation of a national approach involves using
elements of national power including political, economic, military and technological
capabilities during peace and war to achieve national objectives.
The Government has adopted an integrated, multi-pronged strategy covering
technical, administrative, legal and people-related steps to protect the cyber space.⁶
5 Op. cit., 52nd Report on Cyber Crime, p. 13
6 Ibid, p. 34
In support of the National Cyber Security Policy, key cyber security projects, viz.,
National Cyber Coordination Centre (NCCC) and Botnet Cleaning & Malware Analysis
Centre, have been identified for implementation with a view to securing the cyber space in
the country and creating a secure cyber ecosystem.⁷
7 Rajya Sabha Starred Question No. 177, dated 13.3.2015
8 Rajya Sabha Unstarred Question No. 2155, dated 7.8.2015
Technology Act, 2000 provides a legal framework for protection of Privacy and Security of
data in digital form. Section 70 provides for declaration of any computer resource which
directly or indirectly affects the facility of Critical Information Infrastructure, to be a
protected system. Section 70A provides for establishment of a National Critical
Information Infrastructure Protection Centre (NCIIPC) as a national nodal agency in
respect of Critical Information Infrastructure Protection. Sections 65, 66, 66A, 66B, 66C,
66D, 66E, 66F, 67, 67A and 67B contain provisions for deterrent punishment against a host
of cyber-related offences.
In addition, Section 70B and Section 69B of the IT Act provide for seeking information and
collection of data/information related to cyber incidents. These provisions help in the
prevention and prediction of security incidents. Section 84A allows for prescription of suitable modes
or methods of encryption for promotion of secure e-commerce and e-governance in the
country. Separate rules for cyber cafes help in regulating the malicious activities that can
be carried out in cyber cafes and provide a mechanism to prevent and deal with instances
of cyber crime in an effective manner.⁹
CERT-In has been designated under Section 70B of the Information Technology
(Amendment) Act, 2008 to serve as the national agency to perform the following functions
in the area of cyber security:
• Collection, analysis and dissemination of information on cyber incidents
• Forecast and alerts of cyber security incidents
• Emergency measures for handling cyber security incidents
• Coordination of cyber incident response activities
• Issue guidelines, advisories, vulnerability notes and whitepapers relating to information
security practices, procedures, prevention, response and reporting of cyber incidents
• Such other functions relating to cyber security as may be prescribed.¹⁰
9 Rajya Sabha Starred Question No. 177, dated 13.3.2015
10 India, Department of Electronics and IT, Ministry of Communication and IT, Annual Report 2014-15, pp. 57-58
In accordance with the provision contained under Section 48(1) of the IT Act 2000, the
Cyber Regulations Appellate Tribunal (CRAT) was established in October 2006. As
per the IT Act, any person aggrieved by an order made by the Controller of Certifying
Authorities or by an Adjudicating Officer under the Act can prefer an appeal before the
Cyber Appellate Tribunal (CAT). This Tribunal is headed by a Chairperson who is
appointed by the Central Government by notification as provided under Section 49 of the
IT Act 2000.¹¹
11 Ibid, p. 60
So far, projects have been initiated for (i) establishment of a cyber security training
facility for Uttarakhand Police, (ii) setting up of the National Digital Crime Resource and
Training Centre at SVP National Police Academy, Hyderabad, (iii) enhancement of the cyber
forensic training lab for advanced training and capacity building in North East states, (iv)
creation of mass cyber security awareness through training and campaign mechanisms in
North East states and (v) conducting cyber crime awareness workshops for law
enforcement agencies.
International Collaboration
Security co-operation is in progress between US-CERT and CERT-In for cyber security
incident resolution, information exchange and capacity building. CERT-In is collaborating
with overseas CERTs such as US-CERT, JP-CERT and Korean-CERT for incident
response and resolution. CERT-In, in association with the Ministry of External Affairs, is
working to collaborate bilaterally and multilaterally for enhancing cooperation in the area
of cyber security. Memoranda of Understanding (MoUs) are in place with product and
security vendors for vulnerability remediation.
Digital India
In tune with the dynamic nature of Information Technology, continuous efforts are required
to prevent and recover from cyber attacks. The Government of India, under the
flagship programme of “Digital India”, has a vision of providing digital infrastructure as a
utility to every citizen in a safe and secure cyberspace. The Digital Locker system has been
implemented, which envisages provision of private space on a public cloud to each citizen
where he/she can keep public records and can even exchange them for availing various
services. Digital Locker implements a secure authentication mechanism to prevent leakage
of data through cyber attacks. Further, the eSign framework enables citizens to digitally sign
a document online using Aadhaar authentication.¹³
12 Ibid, pp. 59-60
13 Lok Sabha Starred Question No. 233, dated 5.8.2015
In addition to the above major initiatives, the Government has also taken the following
specific measures to deal with cyber threats:
i). National Policies on IT, Telecom and Electronics: ‘Triad Policies’ came out in
2011 and lay down requirements for addressing cyber security concerns across
respective domains.
ii). Draft IoT (Internet of Things) policy: Released by DeitY in October 2014 to solicit
inputs from the industry and others on cyber security concerns in the IoT ecosystem.
v). All Central Government Ministries / Departments and State / Union Territory
Governments have been advised to conduct security auditing of entire Information
Technology infrastructure. All the new government websites and applications are to
be audited with respect to cyber security prior to their hosting. CERT-In provides
necessary expertise to audit IT infrastructure of critical and other ICT sectors.
vi). The Indian Computer Emergency Response Team (CERT-In) has empanelled a total of 51
security auditors to carry out security audits of the IT infrastructure of Government,
Public and Private sector organizations.
vii). All major websites are being monitored regularly to detect malicious activities.
viii). Close watch is kept to scan malicious activities on the important networks in the
Government, Public and Service Providers.
ix). The Government has circulated cyber security policies and guidelines for
implementation by all Ministries/Departments.
x). Sectoral CERTs have been functioning in critical sectors such as Defence, Finance
and Power for catering to critical domains. They are equipped to handle and respond
to domain specific threats emerging from the cyber systems.
xi). Steps have been taken up for development of cyber forensics tools, setting up of
infrastructure for investigation and training of the users, particularly police and judicial
officers in use of tools to collect and analyze the digital evidence and present them in
Courts.
xii). India has been recognized as 'Certificate Issuing Nation' in the area of cyber security
testing under the Common Criteria Recognition Arrangement (CCRA). Under this
xiii). Cyber Crime Cells have been set up in States and Union Territories for reporting
and investigation of Cyber Crime cases.
xiv). The Government has set up cyber forensic training and investigation labs in the
States of Kerala, Assam, Mizoram, Nagaland, Arunachal Pradesh, Tripura,
Meghalaya, Manipur and Jammu & Kashmir for training of Law Enforcement and
Judiciary in these States.
xv). In collaboration with Data Security Council of India (DSCI), NASSCOM, Cyber
Forensic Labs have been set up at Mumbai, Bengaluru, Pune and Kolkata for
awareness creation and training programmes on Cyber Crime investigation. The
National Law School, Bengaluru and NALSAR University of Law, Hyderabad are also
engaged in conducting several awareness and training programmes on Cyber Laws
and Cyber Crimes for Judicial Officers.
xvi). More than 26000 Police Officers and 600 judicial officers have so far been trained in
the Training Labs established by the Government.
xvii). The Government of India has notified its Email Policy for all government officials both
at Centre and State level.
xx). CERT-In and Centre for Development of Advanced Computing (CDAC) are involved
in providing basic and advanced training to Law Enforcement Agencies, Forensic labs
and judiciary on the procedures and methodology of collecting, analysing and
presenting digital evidence.
xxi). CERT-In also regularly conducts training programmes for Chief Information Security
Officers, System Administrators and Network Administrators of different organizations in
the Public and Private Sectors in relevant areas of cyber security such as vulnerability
assessment, advanced cyber threat detection and mitigation, mobile security and
the latest cyber security technologies, to build capacity at the organization level leading to
cyber intelligence skills.
xxii). Government has also taken steps to put in place a Framework for Enhancing Cyber
Security, which envisages a multi-layered approach for ensuring defence-in-depth
with clear demarcation of responsibilities among the stakeholder organizations in the
country.¹⁴
14 Rajya Sabha Question No. 2155, dated 7.8.2015
CONCLUSION
Cyber Security is a multi-dimensional concept, a complex issue straddling many
disciplines and fields. Nations have to take appropriate steps in their respective jurisdictions
to create necessary laws, promote the implementation of reasonable security practices,
incident management, and information sharing mechanisms, and continuously educate both
corporate and home users about cyber-security. It, therefore, calls for a strategic and holistic
approach requiring multi-dimensional and multi-layered initiatives and responses at national
and global level.¹⁵
15 NASSCOM Cyber Security Task Force, Data Security Council of India, 2015
Annexure
State/UT wise cases registered and percentage variation under IT Act, related section of IPC and SLL crimes under Cyber Crime during 2012-2014
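Columns for each year: IT Act = Total Offences under IT Act; IPC = Total Offences under IPC; SLL = Total SLL Offences (2014 only); Total = Total Cyber Crime Offences; PVAR.

| State/UT | 2012 IT Act | 2012 IPC | 2012 Total | 2012 PVAR | 2013 IT Act | 2013 IPC | 2013 Total | 2013 PVAR | 2014# IT Act | 2014# IPC | 2014# SLL | 2014# Total | 2014# PVAR |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Andhra Pradesh | 429 | 25 | 454 | 22.0 | 635 | 16 | 651 | 43.4 | 171 | 74 | 37 | 282 | -56.7 |
| Arunachal Pradesh | 12 | 0 | 12 | -14.3 | 10 | 0 | 10 | -16.7 | 14 | 4 | 0 | 18 | 80.0 |
| Assam | 28 | 0 | 28 | -9.7 | 154 | 0 | 154 | 450.0 | 379 | 0 | 0 | 379 | 146.1 |
| Bihar | 23 | 7 | 30 | -21.1 | 23 | 116 | 139 | 363.3 | 114 | 0 | 0 | 114 | -18.0 |
| Chhattisgarh | 49 | 10 | 59 | -24.4 | 91 | 10 | 101 | 71.2 | 106 | 15 | 2 | 123 | 21.8 |
| Goa | 30 | 2 | 32 | 77.8 | 57 | 1 | 58 | 81.3 | 36 | 26 | 0 | 62 | 6.9 |
| Gujarat | 68 | 10 | 78 | 16.4 | 61 | 16 | 77 | -1.3 | 105 | 114 | 8 | 227 | 194.8 |
| Haryana | 66 | 116 | 182 | 304.4 | 112 | 211 | 323 | 77.5 | 135 | 9 | 7 | 151 | -53.3 |
| Himachal Pradesh | 20 | 0 | 20 | 66.7 | 24 | 4 | 28 | 40.0 | 32 | 1 | 5 | 38 | 35.7 |
| Jammu & Kashmir | 35 | 0 | 35 | 150.0 | 46 | 0 | 46 | 31.4 | 30 | 0 | 7 | 37 | -19.6 |
| Jharkhand | 10 | 25 | 35 | 6.1 | 13 | 13 | 26 | -25.7 | 93 | 0 | 0 | 93 | 257.7 |
| Karnataka | 412 | 25 | 437 | 173.1 | 513 | 20 | 533 | 22.0 | 1010 | 2 | 8 | 1020 | 91.4 |
| Kerala | 269 | 43 | 312 | 27.3 | 349 | 34 | 383 | 22.8 | 401 | 46 | 3 | 450 | 17.5 |
| Madhya Pradesh | 142 | 55 | 197 | 91.3 | 282 | 60 | 342 | 73.6 | 148 | 121 | 20 | 289 | -15.5 |
| Maharashtra | 471 | 90 | 561 | 42.7 | 681 | 226 | 907 | 61.7 | 511 | 1347 | 21 | 1879 | 107.2 |
| Manipur | 0 | 0 | 0 | - | 1 | 0 | 1 | - | 5 | 7 | 1 | 13 | 1200.0 |
| Meghalaya | 6 | 0 | 6 | 0.0 | 17 | 0 | 17 | 183.3 | 47 | 13 | 0 | 60 | 252.9 |
| Mizoram | 0 | 0 | 0 | -100.0 | 0 | 0 | 0 | - | 22 | 0 | 0 | 22 | - |
| Nagaland | 0 | 0 | 0 | - | 0 | 0 | 0 | - | 0 | 0 | 0 | 0 | - |
| Odisha | 14 | 13 | 27 | 125.0 | 65 | 39 | 104 | 285.2 | 49 | 75 | 0 | 124 | 19.2 |
| Punjab | 72 | 6 | 78 | -1.3 | 146 | 10 | 156 | 100.0 | 186 | 27 | 13 | 226 | 44.9 |
| Rajasthan | 147 | 7 | 154 | 5.5 | 239 | 58 | 297 | 92.9 | 542 | 145 | 10 | 697 | 134.7 |
| Sikkim | 0 | 0 | 0 | -100.0 | 0 | 0 | 0 | - | 4 | 0 | 0 | 4 | - |
| Tamil Nadu | 39 | 2 | 41 | -8.9 | 54 | 36 | 90 | 119.5 | 146 | 26 | 0 | 172 | 91.1 |
| Telangana | - | - | - | - | - | - | - | - | 688 | 15 | 0 | 703 | - |
| Tripura | 14 | 0 | 14 | - | 14 | 0 | 14 | 0.0 | 5 | 0 | 0 | 5 | -64.3 |
| Uttar Pradesh | 205 | 44 | 249 | 118.4 | 372 | 310 | 682 | 173.9 | 1659 | 78 | 0 | 1737 | 154.7 |
| Uttarakhand | 4 | 0 | 4 | -33.3 | 23 | 4 | 27 | 575.0 | 42 | 0 | 0 | 42 | 55.6 |
| West Bengal | 196 | 113 | 309 | 442.1 | 210 | 132 | 342 | 10.7 | 316 | 39 | 0 | 355 | 3.8 |
| TOTAL STATE(S) | 2761 | 593 | 3354 | 60.1 | 4192 | 1316 | 5508 | 64.2 | 6996 | 2184 | 142 | 9322 | 69.2 |
| A & N Islands | 2 | 0 | 2 | - | 18 | 0 | 18 | 800.0 | 5 | 8 | 0 | 13 | -27.8 |
| Chandigarh | 33 | 0 | 33 | 230.0 | 9 | 2 | 11 | -66.7 | 25 | 23 | 7 | 55 | 400.0 |
| D&N Haveli | 0 | 0 | 0 | -100.0 | 0 | 0 | 0 | - | 3 | 0 | 0 | 3 | - |
| Daman & Diu | 0 | 0 | 0 | -100.0 | 1 | 0 | 1 | - | 1 | 0 | 0 | 1 | 0.0 |
| Delhi UT* | 76 | 8 | 84 | -15.2 | 131 | 19 | 150 | 78.6 | 169 | 67 | 1 | 237 | 58.0 |
| Lakshadweep | 0 | 0 | 0 | - | 0 | 0 | 0 | - | 1 | 0 | 0 | 1 | - |
| Puducherry | 4 | 0 | 4 | 100.0 | 5 | 0 | 5 | 25.0 | 1 | 0 | 0 | 1 | -80.0 |
| TOTAL UT(S) | 115 | 8 | 123 | 4.2 | 164 | 21 | 185 | 50.4 | 205 | 98 | 8 | 311 | 68.1 |
| TOTAL (ALL INDIA) | 2876 | 601 | 3477 | 57.1 | 4356 | 1337 | 5693 | 63.7 | 7201 | 2282 | 150 | 9633 | 69.2 |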
# Andhra Pradesh and Telangana were carved out from erstwhile Andhra Pradesh.
* implies data is provisional for the year 2014.
Source: Rajya Sabha Unstarred Question No. 1815 dated 5.8.2015