“Influences on social media” that promote “violent extremist ideologies” are among the biggest cyber threats right now, Satish Chandra Jha, the chairperson of the National Technical Research Organisation (NTRO), said at Nullcon on March 5. The other threats are data breaches, business espionage, phishing and distributed denial of service attacks, polymorphic malware that changes its features to be better at contamination, and supply chain contamination. He also said that India is among the five key targets of global cyberattacks.
Jha said that the government of India was aware of the challenges this posed and had created the National Critical Information Infrastructure Protection Centre (NCIIPC) in 2014 to counter threats to critical information infrastructure. NCIIPC recognises six sectors as part of critical information infrastructure: transport, power and energy, telecom, government, strategic and public enterprises, and banking, financial services and insurance. During his welcome address, Jha drew attention to NCIIPC’s Responsible Vulnerability Disclosure Program (RVDP) that allows people to report vulnerabilities in Indian critical information infrastructure to the central government.
Set up in 2004, the NTRO is the technical intelligence agency under the National Security Advisor in the Prime Minister’s Office. The NCIIPC, an agency under the administrative control of the NTRO, was sent to clean up in mid-September 2019, after a “malicious activity” in the external (information technology, not operational) network of the Kudankulam Nuclear Power Plant was detected earlier that month. Jha has been heading the NTRO since 2018 and has previously been the Special Director in the Intelligence Bureau. NTRO was one of the sponsors of Nullcon, an annual information security conference.
India needs to be more proactive about cyber security: Jha also said that he was “agitated” by “growth” in the country. Comparing India to Israel, where they have an organised system and “security is a key consideration”, he said that India severely lags behind. “Any product they [Israelis] develop, they consider the security aspect of it, be it missiles or cyber products,” he said.
NCIIPC’s advisories are not binding: At another panel discussion, Major General Sandeep Sharma, who is part of the NTRO and was instrumental in bringing out the Army’s Cyber Security Strategy, explained that the advisories with suggested patches for security vulnerabilities that NCIIPC issues are not binding except when a system is declared “protected”. “If a system is declared ‘protected’, they [the system operators] have to report the breach, following which the Intelligence Bureau also gets involved,” he said.
Digital attribution is practically impossible, says NTRO chief
Jha said that at an international level, the lack of coordination and global policy on dealing with cyber threats is a major problem. Calling attribution of cyberattacks at a global level “shoddy, exasperating and practically impossible”, he said that “anonymous platforms like the dark web and scores of messaging apps make situation more difficult”.
Attribution requires looking at patterns, but that is not foolproof: Sharma said that the question of attribution is very difficult. Attribution is primarily determined by “how people from a particular country use their vectors to attack a particular country”, he explained.
Sharma said that this includes looking at the techniques, metadata, components of the attack such as the layout of the keyboard, the time of the attack, etc. Even then, he cautioned, “you cannot say with full confidence” that “this is the country from where the attack originated”. “So all these are pointers, suspected pointers,” he said. Such factors “automatically point out to geo-political context,” he later added.
“Everyone follows the Stuxnet pattern. Nobody attacks from a source within their own country. … But the way you understand it is using the components of the attack, you detect certain patterns.” — Major General Sandeep Sharma, NTRO
Motivation of North Korean hackers remains unclear: Sharma said that the motivation of North Korean hackers behind the hack at Kudankulam Nuclear Power Plant’s IT network remains unclear. “That is where the threat intelligence framework comes into the picture. Is it helping somebody else? Or is it a plan for the future? Nobody knows. So if I can decipher that, that will be the best framework that we can ever develop,” he said.
NTRO part of task force working on National Cyber Security Strategy
“Cyber security requires multi-stakeholder approach that includes the government, academia, industry, and platforms like Nullcon,” Jha added. He said that the NTRO is working with the National Cyber Security Coordinator’s Office on the National Cyber Security Strategy. The National Cyber Security Coordinator’s office has created a task force which includes representatives from NCIIPC, MeitY, DoT and other agencies, to work on the Strategy.
No clarity on critical personal data yet: NTRO is “not yet” working on critical personal data since the Personal Data Protection Bill has not been “drafted” (read: enacted) yet, Sharma said. “The work of the concerned people will only start once the Bill is passed. [It is] too premature to say that because there is no clarity on the protection bill itself,” he explained, since “what changes will take place, nobody knows”.
Issue of data localisation is ‘very difficult’: “There is one school of thought that servers should be within India, nothing should go out. Another school of thought, if everything is inside, how do you interact with the world. So the data has to flow and come back, has to flow out and come back,” Sharma said. Even if from a cyber security point of view the server should be within India, that “server also needs to send some data outside”, he pointed out. “India is not an independent entity, whatever we produce we can’t consume it ourselves. We got to send it outside to consume. And we need products from outside. Very difficult one,” he said.
Disclosure: I had been invited by Nullcon to conduct a workshop on the Personal Data Protection Bill, 2019, and my stay and travel were sponsored by the organisers.