Thursday, 20 April 2017

Policing cyber crimes: Need for National Cyber Crime Coordination Centre

Over the years, cyber threats as well as incidents of cyber crimes have grown exponentially. With a wanton disregard for borders, both physical and virtual, sophisticated criminals are exploiting the speed, convenience and anonymity of the Internet to execute a range of criminal activities that cause serious harm in India and elsewhere.
The 2014 National Crime Records Bureau (NCRB) Statistics Report registered a total of 9,322 cyber crime related incidents in 29 States and 300 such cases in seven Union Territories (UTs). These figures mark a 69.2 percent surge in States and a 62.2 percent increase in seven UTs from the previous year. The bulk of cases have been registered under the Information Technology Act, Indian Penal Code (IPC) and Special & Local Laws (SLL) Cognizable Crimes. The cases have been registered under IPC sections 419, 420 and 509 for ‘financial gain’ and ‘insult to modesty of women’ respectively.
The advent of Digital India and Smart City initiatives has brought about a paradigm shift in terms of connectivity, services and threats for both urban and rural eco-systems. While greater connectivity promises wider deliverables, it also paves the way for the emergence of new vulnerabilities. Indeed, smart cities need smarter policing, and better information sharing across states and with the central government. This challenge raises three related questions. First, how should the Indian Police Service prepare to address these cyber-related threats? Second, how can policy formulation keep pace with a changing environment? Finally, how can we improve intra-state coordination on cyber issues?

Cyber crime in India

On May 20, 2016, the Indian Police Foundation, in collaboration with Observer Research Foundation (ORF) and Federation of Indian Chambers of Commerce & Industry (FICCI), organised a seminar on ‘Cyber Crime — strategic vision and an action plan for mitigation of threats from the cyber world’. The seminar comprised a host of dignitaries and experts from industry, government, think tanks, and civil society organisations. The discussion focused on the entire gamut of cyber issues (viz. cyber security, cyber threats, cyber terrorism, cyber law, and primarily cyber crime), while also addressing the specific challenges to the Indian Police Service.
The opening address of the panel focused on the importance of responding to cybercrime, threats to internal security and mitigation strategy. The seminar began with an understanding that cyber security is not just an Indian concern, but also a global one. In his welcome address, Mr. N. Ramachandran, President of the Foundation, cautioned that mitigating new age threats requires the police service to ‘see the writings on the wall’. During his introductory remarks, the Chairman of the Foundation, Mr. Prakash Singh, lamented that ‘while India is an IT power, New Delhi cannot claim to be a cyber power’. Growing vulnerabilities, absent coordination within government, and fragmented cyber security architecture collectively hinder India’s development as a cyber power. Currently, cyber crimes in India fall under two different acts, the IT Act and the Indian Penal Code. These laws, however, are increasingly inadequate in the face of new threats. Moreover, the government needs to be adroit in managing technology, policy formulation and its implementation. Mr. Singh also stressed that New Delhi should engage with like-minded countries and get the ‘men from the open market to enhance the capability to deal with threats’.
The seminar was moderated by Mr. Raghu Raman, former CEO of NATGRID & Group President of Reliance Industries Ltd. He contended that cyber attacks, like Distributed Denial of Service (DDoS), are completely different from online radicalisation, since cyber criminals are able to subvert the content of networks to achieve their goals. This is an issue deserving the sustained attention and engagement of both policy makers and law enforcement officials.
The Deputy National Security Advisor (NSA) of India, Dr. Arvind Gupta, delivered the first keynote address. He outlined some major cyber crime incidents such as the cyber attack on the Bangladesh Central Bank this year. The Deputy NSA recommended that the Indian Police Service prioritise ‘training, intra-state coordination, international cooperation and capacity building’ in this area. The fundamental challenge for India was the lack of ‘made in India’ products, he said. In addition, he mentioned that India, as a net importer of technology and services, faces international legal constraints in obtaining information in real time since online data and servers are located outside India.
Dr. Gulshan Rai, the National Cyber Security Coordinator of the Government of India, delivered the second keynote address. Starting with an example of a fake site, which sought to phish people’s confidential information, Dr. Rai sought to bring home the nature of the threat to the seminar participants. These phishing sites are criminal in two ways: they impersonate legitimate sites to obtain revenue or confidential information, and infringe on intellectual property. The challenge in dealing with these sites is that they are hosted outside of India and the motives of perpetrators remain unclear. Turning to consider developments outside of India, Dr. Rai shared that the December 2015 cyber attacks on Ukraine were the most sophisticated form of attacks since Stuxnet. The actors behind such attacks could be either state proxies or non-state actors. The challenge for India, he noted, was creating a central agency to tackle these issues. Fortunately, the Ministry of Home Affairs (MHA) is interested in setting up a cyber crime cell in India. Dr. Rai concluded with a call for the creation of a National Cyber Crime Coordination Centre.
Dr. Muktesh Chander, Director General of Police (Goa), addressed the threats to internal security from the cyber world in the third keynote speech. Describing the multiple cyber threats India faces, Dr. Chander recommended the acceleration of efforts to enhance cyber capabilities for Digital India. He revealed that Computer Emergency Response Teams-In (CERT-In) handled 1,30,338 cases related to cyber attacks in 2014. In addition, 77,28,408 bot-infected systems were tracked in India and 25,037 Indian websites were defaced in 2014. As per the Indian Information Technology Act, only an officer with the rank of inspector or above can investigate such cyber-related crimes. More disconcerting was the fact that 99 percent of reported incidents were cyber crimes and there remains a shortage of police personnel to investigate all these cases. Dr. Chander also stressed that India faces a growing number of cyber-related threats from its neighbourhood, particularly Pakistan and China. Vulnerabilities are present even in innocuous smartphone applications such as ‘Torch, Angrybird, SmeshApp, WeChat’. He also reported that the incidence of social media and cyber ransomware in India was increasing. Against this backdrop, there is a need for better awareness and cyber security practices in governments, corporations and homes.
What followed was a series of panel discussions that expanded on the issues raised by the keynote speakers. The first panel focused on cyber crime threats and mitigation strategies. Dr. Anja Kovacs, Director of The Internet Democracy Project, underscored the need for greater cooperation between civil society organisations and the police. Such engagements would ensure greater acceptance from citizens especially as the Government of India seeks to maintain the right balance between security and civil liberties. Mr. Chandrasekhar, Group Director of Microsoft India’s Government Affairs and Public Policy, reiterated the need for robust mechanisms of cooperation between the government and the private sector. Given the increasing dependence on the internet, Mr. Jiten Jain, CEO of India Infosec Consortium, called for greater investment in cyber security. Finally, Mr. Pawan Duggal, an Advocate of the Supreme Court of India, urged the updating of existing legal frameworks to deal with crimes on ‘darknet’ mobile and social media platforms. This would require a review of electronic evidence rules and stronger capacity building.
The second panel tackled the issue of online radicalisation. Mr. Alok Joshi, Chairman of the National Technical Research Organisation, sized up the threat of ISIS by pointing out how the very concept of a caliphate has injected a transnational element to the movement. Mr. Ajai Sahni, Executive Director of the Institute for Conflict Management, highlighted the complexities of online radicalisation and described the structural deficits that impede effective government action. He however noted that the lower incidence of radicalisation in India arises from the fact that the subcultures, which are conducive for radicalisation, are fortunately not present here. Acknowledging the new threat of online radicalisation, Mr. P. C. Haldar, the former Director of the Intelligence Bureau and a member of the National Security Advisory Board, called for the creation of a protocol to manage the requirements of privacy and public safety.
The last panel discussion of the seminar dealt with the police response to cyber crime. Recognising the crucial question of legality and illegality, Mr. Ramanjit Chima, the Head of Google’s Public Policy and Legal Team, reiterated the need for greater dialogue between the government and private sector. He added that the subsequent steps to prevent, prosecute and coordinate can only be taken when a legal framework has been established. Mr. Arun Mohan Sukumar, Head of ORF’s Internet Governance Initiative, opined that the Government of India’s position on cyber security required more clarity and coherence. India, as a net requester of online information, has had to work with the US Department of Justice (DOJ) since US laws prohibit direct sharing of information from social media companies to foreign governments. This process has proven challenging for India since the US DOJ has no incentive to facilitate this process.
Overall, India does not possess adequate institutional mechanisms or a coherent strategy to deal with cyber crime. This is evident from the fact that out of the 29 States and seven UTs, only 19 States and two UTs possess cyber crime cells. However, it is hoped that this conference would have raised greater awareness and spurred urgent action to remedy the cyber gaps at the state and national level.
With additional inputs by M. Koo, Researcher, Observer Research Foundation, New Delhi.
The views expressed above belong to the author(s).

The Cyber Command: Upgrading India’s national security architecture

India is increasingly vulnerable to cyber attacks that range from intrusions that affect the integrity of data to large-scale attacks aimed at bringing down critical infrastructure. This vulnerability is largely a function of India’s digital economy, which is a net information exporter that relies heavily on devices manufactured outside the country. Another complicating factor is the density of India’s cyberspace, which does not permit a uniform legal or technical threshold for data protection laws. This paper proposes a security architecture that can improve inter-agency coordination, help respond to cyber attacks, and prevent them in many circumstances. The primary goals of the National Cyber Security Agency, a Cyber Command that brings together the Armed Forces and civilian agencies, are twofold: improve the country’s resilience and defence systems against serious electronic attacks, while enhancing its own intrusive, interceptive and exploitative capabilities.

Cashless society and cyber security

31 December 2016

As a part of the demonetisation process, the Government of India has begun laying greater stress on facilitating a cashless society or a ‘less cash’ society. It may take years to achieve results, and there is an urgent need to look in that direction.
This discussion will examine the demography- and geography-linked logistics of enabling the last Indian to replace currency-based transactions for daily needs, the technological infrastructure, and the differentiated cyber security requirements that are crucial.

Speaker

Deepak Vijayaraghavan is a financial and IT consultant working in Chennai.

India and Russia sign cyber agreement, pushing the frontier for strategic cooperation

In the backdrop of seemingly flailing bilateral ties, India and Russia signed a far-reaching cyber security agreement on the sidelines of the BRICS summit in Goa that began today. At the insistence of Moscow, the text of the agreement is unlikely to be made public. Officials familiar with the agreement suggest it is “open-ended”, paving the way for cooperation not just in tackling cyber crime, but also in matters of defence and national security. In addition to establishing a high-level dialogue on cyber issues, the agreement also allows governmental agencies to start working together on counter-terrorism.
Negotiations around the India-Russia cyber agreement began early this year, but its timing is extraordinary. Moscow is ascendant on the world stage, with its display of military power in the Crimea and Syria pitting it against the United States and its allies in contests for zones of influence. Bilateral relations have plummeted after the US formally accused Russia of attempting to hack the Democratic National Committee’s communications, in addition to manipulating online electoral rolls. In August, the “crown jewels” of the US National Security Agency — its tool-kit of penetrative and exploitative cyber weapons — were leaked by a group identifying itself as “Shadow Brokers”, which some have asserted is based in Russia. Reports have since emerged that the US is considering a proportionate, retaliatory response, which is likely to have lasting consequences for the stability of cyberspace. Analysts were initially reluctant to compare cyber arms control negotiations with antecedents from the nuclear weapons regime or other Weapons of Mass Destruction (WMDs). At this stage, however, it looks like history is set to repeat itself: following a brief, but highly disruptive phase of confrontation or posturing between both, Russia and the United States will likely come to the table to negotiate “rules of the road” for the use or threat of use of cyber weapons. These conversations may trigger formal negotiations on arms control, culminating in a treaty, or at the very least, the creation of an entity akin to the UN Committee on the Peaceful Uses of Outer Space (COPUOS).
The UN Group of Governmental Experts tasked with identifying cyber norms — itself originally a Russian initiative — has done commendable work in fleshing out a code of conduct for states, and in particular, highlighting their responsibility to prevent non-state actors from using their territory or digital infrastructure. The GGE reports, nevertheless, are not legally binding on UN member countries. It is also likely the term of this group will come to an end after the current round of meetings involving 25 countries (India included) finishes in the summer of 2017. The GGE is a useful initiative, but its work would come to naught if its reports are not followed up by any meaningful effort to codify them as international law.
Thanks to its pro-active diplomacy, India is unlikely to be blindsided by a bilateral conversation between Russia and the United States on cyber arms control. Its agreement with Russia leaves New Delhi as the only major power to have concluded formal negotiations with both Moscow and Washington D.C. (diplomats assert the US-India deal is a “framework”, while the one with Russia an “agreement”). This opens up a unique opportunity for India, not only to prevent the rise of exclusionary non-proliferation regimes, but also emerge as a crucial interlocutor and indeed, the convenor of important conversations on the stability of digital spaces.
The cyber agreement also appears to be an indicator of the desire on both sides to take bilateral relations forward. The initial push to sign a “memorandum of understanding” on “information security” came from Moscow, but India moved slowly, especially as Russia had been aggressively pushing for greater inter-governmental involvement in internet governance issues at the 2015 BRICS summit in Ufa and the Shanghai Cooperation Organisation (which, technically, India is yet to join). The signing of the US-India cyber framework agreement, however, opened up room for negotiation, because the baseline norms in that document clearly indicated India’s appetite for multi-stakeholder engagement, while ensuring greater government role in matters of security. (As a result, the agreement with Russia has been ‘security-heavy’, although it purportedly removes references to “information” security, because India interprets the term in a strictly technical sense, without any political or economic connotation.)
Formal negotiations on the agreement were concluded by mid-September, with a view to sign it during President Vladimir Putin’s visit to Goa for the BRICS summit. While there were delays in clearing the document, it is telling that the Prime Minister’s Office, led by the National Security Council Secretariat, made it clear this week to all concerned ministries this document had to be signed in Goa. Whether the India-Russia agreement will translate immediately into military-to-military cooperation on cyber defense is not certain, but it sets the ball rolling for sustained engagement and information sharing on both sides. For India, it is a chance to resuscitate what has been perceived as a weakening of strategic cooperation with one of the world’s most advanced cyber powers. For Russia, the deal is a coup: faced with strident criticism in Europe for its military actions, and adversarial signals from the United States, its agreement with New Delhi undermines any collective effort to isolate Moscow. Capitals in the West will be watching this development closely, especially the trajectory of India-Russia cooperation in the articulation of cyber norms.

Bundeswehr: Cyber security, the German way

There are a number of measures the Bundeswehr needs to take to fill the ranks of its planned cyber command.
In late April 2016, German Defense Minister Ursula von der Leyen unveiled a plan to establish a dedicated “cyber and information command” in the German military, the Bundeswehr. A reorganisation of the armed forces to bolster its computer systems and network defence capabilities had long been overdue and was discussed in the German Federal Ministry of Defence for more than a decade. [1]
But when the Defense Minister announced the cyber security plans for the armed forces, she faced significant scepticism from parts of the German public. Several media outlets and politicians warned of the dangers that Germany could gear up toward ‘cyber war’ and engage in an uncontrollable digital arms race. [2] This view was aptly expressed at a parliamentary hearing by a German security policy expert who argued that the development of “preparatory measures for placing malware in opponents’ computer systems” amounted to a “colonisation of the web [which] contradicts the German culture of military restraint.” [3] Many argued that the Bundeswehr should adopt purely defensive measures to protect its own networks and not conduct any operations in foreign networks. [4] The Ministry of Defence itself responded that the Bundeswehr would act only within the provisions of its constitutional mandate and would not engage in any offensive computer network operations, unless it was mandated to do so by the Parliament.
This year’s debate over the Bundeswehr’s relatively modest new cyber plans shows how the German public’s long-fraught relationship with its military and intelligence agencies now encompasses the digital arena. The Edward Snowden revelations in 2013 brought the field of cyber security out of its niche existence in Germany, sparking a debate and anti-surveillance backlash that was more intense in the country than just about anywhere else. The Snowden revelations also shone a spotlight on how far behind the curve the German government was in the realm of cyber security. In the three years since, Germany has struggled to shape a new digital agenda to improve both its IT security efforts and its cyber intelligence capabilities. It has been hampered both by limitations in resources and personnel, as well as the German public’s unease with surveillance and the use of force.
The German government has in recent years launched a range of digital security initiatives, including a law regulating the protection of critical infrastructure. This article focuses on one of the latest and most controversial initiatives: plans to form a new cyber command in the German military. The debate around the plans and the nascent efforts to implement them are emblematic of the broader political and institutional tensions in Germany at the intersection of information security and national security.

The reorganisation of the Bundeswehr’s cyber capabilities

Until recently, the German armed forces played a minor role in cyber security compared with militaries in North Atlantic Treaty Organization allied countries such as the United States, France or the United Kingdom. This year’s adoption of a military strategic guideline for cyber defence and reorganisation of the armed forces for this purpose thus set a milestone in German defence policy. From the military’s new White Paper published shortly after, it becomes clear that cyber security has become an integral part of national defence strategy in the context of hybrid and conventional warfare threats. The word ‘cyber’ alone appears 74 times in the 125-page White Paper. [5]
The strategy has been hyped both by proponents and critics, either as a major step forward towards being able to finally defend the nation in the digital realm, or as a dangerous move toward Germany’s participation in a possible cyber war.
Looking at the reorganisation more closely, it is firstly a task that any large organisation or company faces on the path of digitalisation: the Bundeswehr has to maintain a reliable and secure IT architecture for its 280,000 users. Beyond that, it has to recruit highly qualified personnel, keep pace with technological innovation, and reflect often conflicting political interests.
To date, the Bundeswehr’s cyber defence capabilities consist of three components: a Computer Emergency Response Team (CERT), a secretive ‘computer network operations’ (CNO) unit, and participation in an inter-agency centre for information sharing. The CERT is responsible for incident response of the Bundeswehr’s networks and systems. On the offensive side, the CNO unit is part of the ‘strategic reconnaissance and intelligence’ command, and is able to intrude into and disrupt foreign networks and systems. It employs around 80 IT security experts. In addition, the Bundeswehr contributes to the information sharing in the ‘National Cyber Defense Center’, which is led by the Federal Office for Information Security (BSI). [6] However, the center consists of only around ten members in total and its existence has been declared unjustified by the German Federal Court of Audit on grounds of a lack of effectiveness. [7] It will likely be strengthened by an updated national cyber security strategy.
With its new cyber security plan, the Ministry of Defence established two new organisational structures: a cyber and information domain (CIR) command in the military and a cyber/IT department in the Ministry of Defence. [8] “We have a great deal of expertise in the Bundeswehr, but we must bundle it more sensibly, make it more visible, and set it up to be more powerful,” Defence Minister von der Leyen said when she announced the plan in April. [9]
The CIR command will combine existing IT capabilities of the Bundeswehr and become operational in April 2017. An inspector with the rank of a lieutenant general will lead the CIR, in which 300 officers will command around 13,700 soldiers. These soldiers will be assigned to CIR from other branches of the military, the criterion being that they have been dealing with IT in one way or the other in their previous jobs. The command’s responsibilities include IT security, military intelligence, geo-information, and operative communications. The cyber/IT department in the Ministry will be responsible for the IT architecture and information security of the Bundeswehr. It will become operational by October 2016 and be headed by a chief information officer (CIO). The new CIO has already been found and comes from one of the biggest German industrial firms: Klaus-Hardy Mühleck from ThyssenKrupp. [10]

Human resources

One of the major challenges for the military will be to recruit, educate, and train the personnel necessary to fulfil the task. While the 13,500 soldiers that are supposed to staff the cyber command represent existing personnel to be assigned from other branches of the military, many of the other positions that compose the ‘top layer’ of the cyber command and the cyber/IT department will need to be more highly qualified.
There are a number of measures the Bundeswehr needs to take to fill the ranks of its planned cyber command: it needs to offer more flexibility in the armed forces’ institutionalised career tracks, pay higher salaries for experts, and offer education for new recruits and advanced training possibilities.
According to the Bundeswehr’s report on expanding its cyber security capabilities, it is planning steps to improve career opportunities and salary levels for IT security experts. [11] The report does not further specify these measures and it remains to be seen how the Defence Ministry is going to implement them. In the fields of education and training, the Ministry has already taken more concrete action. It has launched a new cyber security studies Master’s programme at the Bundeswehr University from which around 70 students will graduate every year. [12] While it will take years until a sufficiently large number of graduates will be able to work in the Bundeswehr, this is an important first step. Moreover, the military has launched a large-scale advertising campaign and promised to accept some applicants without formal educational qualification, recognising that it is already having trouble recruiting sufficient personnel for the military as a whole.
All of these measures will help, but won’t succeed in fully staffing the necessary workforce in the coming years. Therefore, the armed forces will need to consider hiring private contractors for some tasks — potentially raising some of the same legal and security issues that have emerged related to the National Security Agency contractors in the US. [13] So far, the Bundeswehr has only suggested it will cooperate with reservists who are now working in IT security.

Innovation

A major challenge for the government will be how to ensure it has access to the technologies it needs in order to stay on the leading edge of technological innovation of electronic and cyber defence. This is an issue that governments struggle with around the world. The Bundeswehr will need to cooperate more closely with research institutions and private sector firms. The ministry wants to make this issue a priority by establishing a separate sub-department on cyber innovation and wants to expand cooperation with private companies and start-ups. In the mid- to long-term the military should probably think about establishing a supporting technological innovation agency modelled after the US Defence Advanced Research Projects Agency.

Use of force in the digital domain

Perhaps the most difficult issue, however, is how the military’s new cyber capabilities will fit with Germany’s culture of military restraint. As mentioned earlier, Germany’s postwar constitution requires any use of force by Bundeswehr troops abroad to be mandated by the Parliament — an expression of Germany’s postwar suspicion of an overly powerful security apparatus. [14]
The Defence Ministry said this year that the requirement for a parliamentary mandate also holds true for cyber operations. [15] In the context of the current threat landscape of hybrid warfare and conventional warfare, a realistic scenario is that the offensive use of cyber capabilities is one of several means that Parliament allows the Bundeswehr to use as part of a broader mission mandate. In fact, a report from September 2016 publicised that the Bundeswehr’s only publicly known offensive cyber operation to date was part of Germany’s mission in Afghanistan, mandated by parliament. [16]
The requirement for a parliamentary mandate presents several challenges. While in theory, it seems simple to distinguish between offensive and defensive measures in the digital domain — anything that happens in the Bundeswehr’s own networks is defensive and anything that involves action in foreign networks crosses the threshold to offensive action — this distinction is not easily upheld in practice. Since the threshold for when a computer network operation is equivalent to an armed attack is not clearly defined in international law, it also remains unclear when the Bundeswehr would require the involvement of the Parliament. Moreover, in practice, operations which have been deemed to require secrecy for their success have been subject only to limited parliamentary control. [17] This might be the case for operations in the digital sphere, which rely on secrecy even more than conventional attacks. [18] Hence, the executive and legislative need to consider a range of different scenarios when examining this question.
In addition, it is not clear whether the Bundeswehr itself is capable of conducting its own sophisticated cyberattacks — raising legal questions about cooperation with intelligence services, which are also viewed with caution by much of the German public. With its current operational capabilities, it is unlikely that the Bundeswehr would be capable of launching a major computer network attack, for example, as a retaliatory measure. Depending on the target, attackers would need intelligence about the characteristics of the network and systems they want to breach and the vulnerabilities that can be used. This kind of work is the task of intelligence agencies in most cases and indeed all publicly known large-scale cyber espionage or sabotage attacks — for example, Stuxnet, the Saudi Aramco hack, the German Bundestag hack, the US Office of Personnel Management hack — seem to have mostly been projects of intelligence agencies. [19]