Last week, in a hotel in a Washington DC suburb, the US Defense Advanced Research Projects Agency (DARPA) hosted a symposium. The goal was to reach out to the geek community to find a solution to a problem that seems to be on top of many minds: cyber security. It was clear from the remarks of the leaders of the Pentagon’s far-out research agency that, as of now, they have run out of ideas for ways to protect the US military, and by extension other American computer networks, from attacks by hackers.
There is an irony here: DARPA helped create the internet, yet it finds itself unable to cope with the dark side of what it has helped create. Besides the government, many American companies, including some prime defence contractors, have had their computers hacked and some of their most sensitive files compromised. What DARPA is looking for is the proverbial magic bullet. As of now, defence against hackers consists of identifying malware, removing it from the system and waiting for the next attack.
This is bad news for countries like India. In the past four years or so, many websites belonging to the government have been subjected to cyber attacks. By their very nature, the authors of these attacks have been difficult to pin down. The attacks vary: some are probing attacks to map out networks, others are deeper intrusions to locate and exfiltrate important data. Yet even something as innocuous as the Commonwealth Games of 2010 suffered as many as 8,000 attacks.
This indicates that the scale of what has to be protected is enormous and goes well beyond what is called National Critical Infrastructure. Figures in the 2009 annual report of the Indian Computer Emergency Response Team (CERT-In) show that phishing incidents had risen from just 3 in 2004 to 374 in 2009, having peaked at 604 the year before. Likewise, network scanning and probing incidents had gone up from 11 in 2004 to 303 in 2009. Website compromises through malware propagation had gone up from 835 in 2008 to 6,548 in 2009, the last year for which CERT-In figures are available.
In June 2008, hackers struck at nearly 10 websites in various ministries over a period of 24 hours. But it is the Ministry of External Affairs which has been a major target. In February 2009, several of its over 600 computers were found to be infected with spyware that tracks or controls user actions. In this case, the spyware would automatically “copy” every email being sent by an office and dispatch it to another address as well.
In an interview with The Times (London), India’s then National Security Adviser M.K. Narayanan confirmed that his own office, as well as two other government departments, were targeted on December 15, 2009. He also spoke of an earlier incident in which a Trojan had been embedded in a PDF attached to an email, allowing the attacker to access the computer remotely and to download and delete files.
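The behaviour described above, an implant that silently copies every outgoing message to a second address, leaves a recognisable pattern in outbound mail logs: one fixed external recipient riding alongside many different primary recipients. The following detection routine is an added example and is not part of the original column or of any CERT-In or ministry tooling; the log format, mailbox names and domains are constructed for illustration, and the thresholds are assumptions to be tuned against real traffic.

```python
import re
from collections import defaultdict

# Constructed sample of outbound-mail log lines (not real data). Each line
# records one message: the sending mailbox and the full recipient list as the
# mail server saw it, including any Bcc recipients the user never typed.
SAMPLE_LOG = """\
2009-02-03T09:12:41 from=desk1@mea.example.gov to=joint-secy@mea.example.gov,relay7@mailbox-collector.example.net
2009-02-03T09:15:02 from=desk1@mea.example.gov to=mission-kabul@mea.example.gov,relay7@mailbox-collector.example.net
2009-02-03T09:20:19 from=desk1@mea.example.gov to=archives@mea.example.gov,relay7@mailbox-collector.example.net
2009-02-03T09:31:55 from=desk2@mea.example.gov to=joint-secy@mea.example.gov
2009-02-03T09:40:08 from=desk2@mea.example.gov to=mission-kabul@mea.example.gov,desk1@mea.example.gov
2009-02-03T10:02:30 from=desk3@mea.example.gov to=protocol@mea.example.gov,relay7@mailbox-collector.example.net
2009-02-03T10:05:11 from=desk3@mea.example.gov to=desk2@mea.example.gov,relay7@mailbox-collector.example.net
2009-02-03T10:09:47 from=desk3@mea.example.gov to=joint-secy@mea.example.gov,relay7@mailbox-collector.example.net
2009-02-03T10:30:00 from=desk4@mea.example.gov to=partner@vendor.example.com
2009-02-03T10:35:00 from=desk4@mea.example.gov to=partner@vendor.example.com,desk4-boss@mea.example.gov
2009-02-03T10:41:12 from=desk4@mea.example.gov to=partner@vendor.example.com,desk4-boss@mea.example.gov
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+)$")


def parse_log(text):
    """Yield (sender, [recipients]) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield m.group("from"), m.group("to").split(",")


def find_shadow_recipients(text, internal_domain, min_messages=3, min_ratio=0.9):
    """
    Return {sender: [suspected shadow recipients]} for senders whose mail
    nearly always carries the same external address in addition to a changing
    set of primary recipients. `min_messages` and `min_ratio` are assumed
    starting thresholds, not values from any published guidance.
    """
    messages = defaultdict(list)  # sender -> list of recipient sets
    for sender, rcpts in parse_log(text):
        messages[sender].append(set(rcpts))

    flagged = {}
    for sender, rcpt_sets in messages.items():
        total = len(rcpt_sets)
        if total < min_messages:
            continue
        # Only addresses outside the organisation are candidates.
        candidates = {r for s in rcpt_sets for r in s
                      if not r.endswith("@" + internal_domain)}
        hits = []
        for cand in sorted(candidates):
            with_cand = [s for s in rcpt_sets if cand in s]
            if len(with_cand) < min_messages or len(with_cand) / total < min_ratio:
                continue
            # A genuine external correspondent also appears on every message
            # of a one-to-one exchange; the implant pattern is one fixed
            # address riding alongside at least two *different* recipients.
            others = set().union(*(s - {cand} for s in with_cand))
            if len(others) >= 2:
                hits.append(cand)
        if hits:
            flagged[sender] = hits
    return flagged


if __name__ == "__main__":
    for sender, addrs in find_shadow_recipients(SAMPLE_LOG, "mea.example.gov").items():
        print(f"{sender}: copies every message to {', '.join(addrs)}")
```

In the constructed sample, desk1 and desk3 are flagged because a single external address accompanies every one of their messages to three different colleagues, while desk4, who simply corresponds with one outside partner, is not. Running this over real logs requires the server to record the envelope recipient list rather than only the visible To/Cc headers, since a Bcc injected by an implant appears in the former and not the latter.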
More recently, in July 2011, Indian government systems faced one of the most serious and sophisticated attacks to date. In the early hours of July 12, emails from a single address, with an attached Microsoft Word document titled “cms.ntro:daily-elec.mediareport (2011)”, were sent to the top officials of India’s security system, including the NSA, the Principal Secretary to the Prime Minister and the Special Secretary (Internal Security) in the MHA. The document purported to be a daily report issued by the government’s Central Monitoring System, which tracks radio broadcasts of neighbouring countries. Opening it would have released malware that installed itself on the recipients’ computers. Fortunately, the intrusion was prevented.
In April 2010, Information Warfare Monitor, working with the Shadowserver Foundation, released a report titled Shadows in the Cloud: Investigating Cyber Espionage 2.0. The report categorically asserted that it had uncovered a suspected Chinese cyberwar offensive against India. Among the Indian institutions targeted was the National Security Council Secretariat (NSCS), headed by the NSA. During the period of observation, fourteen documents, including two marked “Secret” and others assessing the situation in the North East and Maoism, were exfiltrated by the hackers.
Computers of the Indian embassies in Kabul and Moscow, and of the consulates in Dubai and Abuja, Nigeria, were compromised. So were military units such as the 21 Artillery Brigade in Assam, the Air Force Station at Race Course Road, New Delhi, and the Air Force station in Darjipura near Vadodara.
Among the documents exfiltrated were a detailed briefing on a live-fire exercise and another relating to the Pechora surface-to-air missile. Military educational institutions such as the Army Institute of Technology in Pune and the Military College of Electronics and Mechanical Engineering in Secunderabad were also attacked, and 21 documents were exfiltrated from them.
Who is responsible for these attacks? The “Shadows” investigators, as well as “The Dark Visitor”, a blog that researches Chinese hacking activities, have concluded that the attacks have strong links to Chengdu. This is interesting, since Chengdu’s University of Electronic Science and Technology has had a strong association with the Chinese hacking community. Chengdu is also the location of one of the PLA’s Technical Reconnaissance Bureaus and the headquarters of the military region that deals with India.
The “Shadows” report’s own assessment is tentative, even though it says that “this investigation and our analysis tracks back directly to the PRC”. It also says that the information may be moving from the underground fraternity of hackers to the Chinese state.
In early August 2011, the computer security company McAfee said in a report that there had been a series of cyber attacks on the networks of 72 organisations across the world, including the United Nations, governments and corporations, over a five-year period. India and the UN were, McAfee says, the primary targets of the intrusions.
While it did not name the country, it did say that there had been “one state actor” behind the attacks. It takes little imagination to guess that the country in question is China. The sharply escalating cyber attacks against India led the government of India to create a Crisis Management Plan, whose key action was the creation of CERT-In as the national nodal agency for cyber security, working with international CERTs. Sectoral teams have also been created, along with teams of security auditors that can provide a wide range of services on a commercial basis.
The legal basis for national cyber security action in India is laid out in the Information Technology Act of 2000, which was amended in 2008. Under this, the government has the authority to scan Indian cyberspace, detect incidents and threats, audit practices and protect critical and other infrastructure. India has only recently announced procedures and protocols for communications monitoring and interception, but like the rest of the world it has some way to go before security can be assured in its networks and systems. Ever since the 2009 intrusions, the National Technical Research Organisation (NTRO) has been actively involved in the cyber security of India’s national security apparatus.
Days after the August 2011 report by McAfee, the Chinese government released a report claiming that, far from being the aggressor, China was the victim when it came to cyber attacks. The report claimed that about half of the 493,000 cyber attacks on the websites of the Chinese government and other agencies in the past year “originated from abroad, particularly the United States and India”. The report was prepared by the National Computer Network Emergency Response Coordination Centre, which is said to be the Chinese government’s “primary computer security monitoring network”.
If the Chinese claim to be victims and the US says it is unable to guarantee protection against cyber attacks, countries like India are in trouble. There is a need for those charged with cyber security in the country to look deeper, perhaps within our own IT institutions and companies, for talent that can come up with the necessary solutions.
Mail Today November 11, 2008