Cyber attack, the new battle line

Moumita Bakshi Chatterjee Updated - November 14, 2017 at 12:16 AM.

With unprecedented levels of dependence on the internet, cyber attacks will be on the rise if steps are not taken to shield the system.


In the movie Sneakers (1992), Robert Redford is tricked into stealing a decoder device that can break encryption codes and hack into the most secure computer systems. Turns out, the perpetrators behind the operation want the device to destabilise the world economy and unleash anarchy.

Then again in the action movie Live Free or Die Hard (2007), Bruce Willis fights cyber terrorists who want to take control of the US' transportation grids (including airports, railroads, and traffic lights) and the stock markets.

Reel life scripts are usually far removed from real life. Or are they?

Consider this. Recent media reports suggest that CBI believes a possible virus attack could have been the reason for the technical problems at Indira Gandhi International Airport in Delhi, in June. Delhi International Airport Ltd blamed it on a back-end server glitch. The ‘glitch’ brought down the passenger processing system at the airport for several hours, and delayed flights on that particular day.

Another report by IT security firm Trend Micro has warned that Indian defence companies are the current target of cybercriminals. Last month, Trend Micro researchers claimed to have unearthed a campaign of targeted attacks that “successfully compromised” defence industry companies in India, the US, Japan and Israel.

Eyeing the State

But what really deepened the worry lines was McAfee's report on how Government agencies across the world are being targeted by hackers. In early August, the security vendor claimed that an Indian Government agency was among 72 global organisations that were hacked. The report did not reveal the identity of the Indian agency or the country from where the “intrusion” originated. But it said that the “intrusion” lasted for two months starting September 2010. The entire investigation was spread over a period of five years. Other “compromised” parties included the US Federal Government agency, US State Governments, Canadian Government agency and South Korean Government agency.

“The increasing complexity of IT systems has expanded the surface area open for attack,” says Mr Sanjay Bahl, Chief Security Officer of Microsoft Corporation India. “The sophistication of malware used for attacks is increasing and there is a lack of awareness about the risks among the users and policy makers,” he adds.

Treading carefully

In fact, there are times when even the simplest of tactics can succeed in sabotaging networks. Today, most Government departments and citizen services delivery agencies are hooked to the Internet. An innocent click on an unknown email attachment can download a hidden malware onto the computer and allow attackers to gain real-time control of the system, steal passwords or hack sensitive information. Further, even momentary outages in information systems in critical sectors like defence, energy, financial markets, space, telecom and transport could be chaotic.

Crisis Management

On its part, the Government has put in place a ‘National Crisis Management Plan’ to protect IT infrastructure in critical sectors such as petroleum, aviation, banking, power and telecom.

The base document - prepared by the Department of IT in consultation with other departments in 2009 - outlines a strategy to deal with cyber attacks. It lists the role of various stakeholders including the Ministries and Departments as well as the contingency plan to deal with cyber attacks.

It also identifies crisis in the context of IT infrastructure - hacking, phishing, malicious code attacks, ‘denial of service’ attacks, virus attacks, data centre disruptions, and even defacement of sites. The document talks about the guidelines for ‘incident handling’ and even the team structures that need to be in place.

The document is updated on an annual basis, said an official who did not wish to be named.

Taking off from this crisis management plan framework, as many as nine States (including Himachal Pradesh, and Madhya Pradesh) and 14 Ministries (Civil Aviation Ministry, Department of Telecom, Steel Ministry amongst others) have prepared their own documents and are in the process of implementing the same, the official said.

In addition, the Indian Computer Emergency Response Team or CERT-In has been conducting mock drills to test the ability of various agencies and sectors to respond quickly to cyber attacks.

CERT-In is a nodal agency for responding to computer security incidents as and when they occur. So far, five sector specific mock drills have been conducted. The next one is slated for November this year.

That said, given a growing roster of gadget-toting bureaucrats and Government employees, and the fact that Government departments themselves are readily embracing technology for day-to-day operations, experts believe that cyber security needs to shift to a higher gear. Another big driver is the host of citizen services that are now moving online.

Starting from scratch

But there is no silver bullet. And so the approach has to be multi-pronged. More investments need to flow into technology, research and user awareness. “In departments that are just getting computerised, you need to tell employees that plugging pen drives into the computer may introduce a virus threat in the work environment. New users may not even be aware,” says Vinoo Thomas, Technical Product Manager, McAfee Labs.

India needs to build cyber threat awareness programs even at the high school level, so students, when they start working, are aware of best security practices, adds Nath of Trend Micro.

Many industry experts feel that the Government needs to build a special team, led by and comprising security specialists. This team of experts needs to be empowered to take quick decisions in the event of a cyber attack.

“Sophisticated attacks demand domain experts who can take charge, identify and analyse situations…that is lacking today,” said an industry observer.

The industry also says that multiple Government agencies dealing with cyber security can, at times, pose a challenge. “There is CERT-In, the IT Department, NTRO and NIC. It is not clear as to who owns complete accountability for cyber security,” said a cyber security veteran on condition of anonymity.

Of course, where cyber security is involved, one can never be too careful. Remember, when it comes to the chinks in the cyber armour, the potential victim needs luck by his side each time. For the attacker, just one lucky break is enough.

Published on October 23, 2011 14:44