Intelligence agencies and law enforcement technology in India is still trying to catch up with the contemporary law enforcement requirements. Law enforcement and intelligence agencies of India must also establish and follow cyber security best practices for their investigations.
Cyber security best practices in India are still to be established. Similarly, we have no dedicated cyber security laws in India. We must ensure cyber law awareness in India and cyber security awareness in India. The cyber security policy of India is yet to be formulated and implemented.
There is an urgent need to establish the cyber security infrastructure of India. Fortunately, a legislation mandating strict cyber security disclosure norms in India is in pipeline. Further, regulations and guidelines for effective investigation of cyber crimes in India may also be prescribed very soon.
Cyber attacks against India have increased significantly. Recently, the computer systems of DRDO and security officials were breached and sensitive files were leaked. Further, companies and banks in India are not reporting cyber attacks, cyber crimes and cyber frauds. The real impact and consequences of cyber attacks against India are not ascertainable in these circumstances.
A crisis management plan of India for cyber attacks and cyber terrorism is need of the hour. The same may be helpful in investigating not only cyber terrorism cases in India but also cases of traditional terrorist activities. Institutions like national cyber coordination centre (NCCC) of India, national counter terrorism centre (NCTC) of India, etc may be helpful in preventing cyber attacks against India. Further, these institutions may also help in acquiring the offensive and defensive cyber security capabilities in India.
However, there is an urgent need develop cyber security skills development in India and techno legal skills development in India of law enforcement and intelligence agencies of India. Further, parliamentary oversight of intelligence agencies of India is also required.
Recently, the national investigation agency (NIA) of India published an advertisement in a newspaper that many labelled as lacking professionalism and good cyber security practice. In the advertisement, NIA had announced a reward of Rs 10 lakh for information on the 21 February Hyderabad blasts. In addition to the landline phone number and postal address of its Hyderabad branch, the agency has given a gmail id on which people can send information/ leads that will help apprehend those responsible for the blasts.
On the face of it this seems to be a normal advertisement. But from the perspective of cyber security, this is a nightmare. If NIA is receiving such sensitive information on servers of third party private companies this may compromise not only the blast investigation but also make the sensitive information so received susceptible to third party scrutiny without even India or NIA knowing the same.
In the absence of uniform email ids provided by the national informatics centre (NIC), it is a common practice for government departments to exchange information on servers of private companies. The only solace in this situation is the fact that it is much easier to crack NIC servers than cracking the servers of Google. Recently Indian national informatics centre’s (NIC) server were compromised and used to attack computers of other nations. NIC has to make its cyber security more robust and resilient.
However, this does not mean that NIA or Indian government agencies must host their emails upon third party servers. India must invest upon developing its cyber security infrastructure and all sensitive emails must be sent and received through such infrastructure alone.
In United States the proposed laws like Computer Fraud and Abuse Act 2013 would provide many e-surveillance powers to US law enforcement and intelligence agencies. Even existing laws of US would allow law enforcement and intelligence agencies to do eavesdropping without court warrant in many circumstances. Further, in US e-surveillance and eavesdropping has become very easy by active use of executive orders.
Even the controversial cyber intelligence sharing and protection act (CISPA) would allow sharing of sensitive information by network service providers (NSPs) with the intelligence agencies very easy. In the past, the White House threatened to veto the CISPA if Congress approves it in its current form. Through a statement of administration policy on cyber intelligence sharing and protection act (CISPA), the Obama administration said CISPA treats domestic cyber security as an intelligence activity whereas it should be a civilian one.
CISPA was reintroduced to the US House in February 2013 that would allow the exchange of electronic information between Internet service providers and US government possible. The White House has threatened to veto the cyber security law, CISPA, once again citing privacy concerns.
When US is so serious about civil liberties why cannot India be serious about the same? Let us hope that Indian cyber security infrastructure would be established very soon and NIA would use well secure Indian e-mail infrastructure to deal with its internal communications.