Hardware- and software-based malware is very common these days. It has also become the favourite tool of intelligence agencies around the world for snooping on their targets. Kaspersky Lab recently revealed that intelligence agencies used hardware-based stealth malware to eavesdrop on targets of interest. Similarly, it has also been reported that the pre-installation of adware on laptops by Lenovo compromised the cyber security of these infected laptops.
Now Kaspersky Lab has further revealed that the U.S. National Security Agency (NSA) may have been planting surveillance software in hard drives and other essential computer equipment sold around the world for more than a decade through the Equation Group. The Equation Group manipulated hard drives manufactured by Toshiba, Seagate, IBM, Western Digital and others, dating back as far as 2001.
This has serious national security, telecom security and civil liberties implications around the world. For instance, the Indian government has still not notified the norms for the import of telecom equipment into India and has been postponing the same from time to time. This means such malware-ridden hardware can easily be imported into India and dangerously deployed in critical infrastructure (PDF). In fact, Huawei was accused of breaching the national security of India by hacking a base station controller in AP. Even the national cyber security policy of India 2013 is not at all effective in meeting the cyber security requirements of India.
Costin Raiu, Kaspersky’s lead researcher on the project, stated that while the Equation Group was able to steal files on any of the infected computers, they assumed full control only of computers used by high-value targets. Malicious firmware and BIOS are also big security threats for all stakeholders. Persistent BIOS infection using a hidden rootkit is especially annoying and a major cyber security threat for India.
India needs to develop both offensive and defensive cyber security capabilities to tackle sophisticated cyber attacks. Cyber security breaches are increasing the world over, and India has its own share of them. In this interconnected world, cyber security has become a major challenge for all countries. To date, the international legal issues of cyber attacks have yet to be resolved.
There are many cyber security challenges before the Narendra Modi Government. As per the cyber security trends of India 2015 by Perry4Law Organisation (P4LO), India needs to take urgent steps to strengthen its cyber security infrastructure. We believe that cyber security should be an integral part of the national security of India.
The Narendra Modi Government has already started working in this direction. The Prime Minister's Office (PMO) has already appointed Dr. Gulshan Rai as the first chief information security officer (CISO) of India. This is a significant step towards strengthening the cyber security infrastructure of India.
Secondly, Narendra Modi has suggested to Nasscom that a task force be set up to solve the growing cyber security menace in India. According to Nasscom, the task force would be constituted within a period of one month. We believe such a task force would provide valuable suggestions and implementation plans to strengthen Indian cyber security.
However, it would not be an easy task to ward off the sophisticated and stealth malware that is the real problem for India. We at the Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) strongly recommend that India develop indigenous capabilities in hardware and software development to avoid possible malware and backdoors. We also recommend that a new cyber security policy of India 2015 be urgently formulated by the Indian Government, keeping in mind the requirement and need of a techno-legal framework in India.