India's Cybercrime Complaints Up 79%Experts Prescribe Steps to Improve Defenses
India's Computer Emergency Response Team received 96,383 cybercrime complaints from January through September. That amounts to 10,709 complaints per month - 79 percent more than the 5,982 complaints received per month in 2013. What can information security leaders do to improve defenses and reduce these complaints?
Communications and IT minister Ravi Shankar Prasad recently expressed his concern to Parliament about the proliferation of information technology and increasing cybersecurity violations in India, similar to the trend worldwide. He stated that the government has taken up a slew of measures to tackle cybersecurity violations and cybercrime as part of the recently launched "Digital India" mission that aims to transform India into a digitally empowered society. And he called upon government agencies to take greater protective measures.
"All central government ministries or departments and state or Union Territory governments have been advised to conduct security auditing of entire information technology infrastructure," the minister said.
This discussion comes in the wake of growing cybercrime incidents in the country, as stated by CERT-In, which received reports about security incidents including phishing, malicious code and website intrusions.
In 2013, according to CERT-In, 71,780 incidents were reported from January through September, compared with the 96,383 reported during the same period this year. Also, according to the National Crime Records Bureau, during September 2014 alone, about 14,150 sites were hacked in the country.
Why the Increase?
One of the reasons cited for the rise in attacks and complaints is the acute shortage of skilled cybersecurity professionals available to mitigate threats and vulnerabilities.
Also, some critics maintain that India's cybersecurity budget for 2013-14, which stood at the equivalent of $7.76 million USD, is inadequate to support the security posture to defend sophisticated threats.
Experts also say that India's national cybersecurity policy is restricted to being merely a draft paper, and its implementation has been tardy.
"The existing policy talks about threats and cybersecurity, but the institutional mechanism to run the function, role of stakeholder in the cybersecurity life cycle and classification of threats are missing," says Neeraj Aarora, a cyber lawyer and forensics examiner.
Creating awareness has been the first step toward fighting cybercrime, as the government has initiated the Information Security Education and Awareness project to develop human resources in the area of information security at various levels.
Additionally, according to government sources, all the new government websites and applications are to be audited with respect to cybersecurity prior to their hosting.
CERT-In has empanelled 45 security auditors to carry out security audit of the IT infrastructure of government, public and private sector organizations. It says a close watch is on to scan malicious activities on the important networks in the government, public and service providers, and that all the ministries/departments of the central and state governments have been asked to implement the crisis management plan to counter cyber-attacks and cyberterrorism.
Dr. Gulshan Rai, CERT-In's director general, says the scope of defensive measures includes a near real-time understanding of the types of threats, possible targets and the source of trouble for any effective predictive, preventive and protective measures to be taken up. "This will allow us gain better visibility into actions in the cyberspace and help the top management make better informed decisions," he says.
What the Experts Advise
What more can be done to respond to and reduce complaints?
A common sentiment echoed among security practitioners is the lack of transparency and the need for a fair process in dealing with cybercrime. Bangalore-based Dr. K Harsha, chief security architect of the HK Group, emphasizes the need to adopt gateway-level protection and monitoring tools, besides having cybercrime cells certified by CERT-In or any other authorized body conducting periodic security audits.
"A periodic review at every state's cybercrime cell and enhancing its capabilities, and putting systems in place for automatic report generation and submission ... for periodic assessment of the crime rate is most needed," Harsha says.
Mumbai-based Prashant Mali, a cyberlaw and cybersecurity expert and advocate at the High Court, also recommends that CERT-In should have statewide sectoral cyber-emergency incident response teams that are automated to delegate the necessary work.
"The work process at CERT-In is bureaucratic in nature," he says. "That should be made transparent and online-friendly to be able to deal with the growing cybercrime."
Among the recommended steps to reduce cybercrime: Define the cyber boundaries of the country, then set up procedures for blocking of malicious websites, based on analysis. Mali recommends a national zero-day exploit mechanism that would create awareness among enterprises on how to address cyber-attacks by creating a security drill in a simulated environment.
Some experts believe that the only way to deal with growing cybercrime is to focus on a cybersecurity life cycle process comprising five steps: identify, protect, detect, respond and recover. The basic requirement is to create the institutional framework comprising the monitoring and coordinating agency and other institutions to implement the process.
Other defense measures include implementing security standards, strengthening the security framework at micro and macro levels and amending IT Act 2000 and other laws.
V. Rajendran, president of Cyber Society of India, Chennai chapter, argues that to fight against cyberterrorism, enhanced coordination among all government agencies on information sharing, and creation of a cybersecurity monitoring or regulating agency, are areas that need focus. Rajendran also recommends a national-level firewall for better monitoring of website content, a speedier process of taking action for monitoring or intercepting Web content and putting national-level Web filters in place. He also supports amendments to the existing laws, if necessary.
"Much more than the severity of punishment and multitude of laws," Rajendran says, "what's required is the certainty of punishment to those who violate cyberlaws, which alone will serve as a deterrent."
On CERT-In's behalf, Rai says the agency is adopting a suitable posturing that can help in effectively monitoring and dealing with cybercrime and cyber-attacks.
"Maturity in cyber-activities is not a matter of handful of developed nation states," Rai says. "It is essential to develop global cyberspace norms to regulate and guide responsible behavior in cyberspace."