By Sachin Shridhar
May 04 2015
Cyber security is a threat that India is taking lightly despite the fact that 26% of the world’s attacks originate here
The beauty of cyber crime is that on most occasions, unknowingly you are both a victim and a perpetrator of the crime. It is like a person infected with a highly contagious disease who is unaware of it and as he parties around, he spreads the contagion. Mindless usage of the net with no knowledge or regard for cyber security has made us the largest nation from where as large as 26 per cent of the world’s DDoS (distributed denial of services) attacks originate. The list prepared by Norton, a cyber solutions company, include the US (17 per cent), Singapore, Vietnam and China as other major culprits.
DDoS attacks disrupt websites by bombarding them with traffic from multiple sources, resulting in online service becoming unavailable for a period of time. The attack to spread, uses all infected machines and distribute it in geometric progression and cripple the target by bombardment of multifold and relentless traffic till the site collapses. This is not a lone example but the norm where most studies put India at the top of the heap for being the leading victim as also the leading perpetrator of cyber crimes of all kinds.
Computer malwares and viruses are least respectful of geographical boundaries and government hierarchies. We have a “computer emergency response team” (CERT), an apex body under the aegis of department to electronics and IT. However, it does not have any over-riding wherewithal or authority and is generally content at offering advisories. As a result, each civil and military department has been making scattered attempts with piecemeal budgets, limited access to talent and generally lukewarm efforts to train its IT teams and fortify its networks. We talk of the world witnessing a silent and covert cyber war. Now, wars need warriors whereas in our bureaucracy obsessed country, our response has been largely secretarial. Today, we have government bodies, task forces, core groups and so on, but no real hands on cyber experts who will roll up their sleeves and clean up the mess.
The tooth-to-tail ratio of our cyber army is like those of the pre-British era nawabs where the khansamas, retainers and entertainers were more in numbers than the fighting soldiers. Our cyber security establishments look like any other secretariat of the government. That government networks are a hugely compromised lot is known across the cyber security world. In June 2014, the National Informatics Centre servers were reportedly attacked. The mail traffic of all central government officials is run through this network and the NIC hosts most government websites. The fact that the root directory was captured by hackers, fake digital certificates were issued and, importantly, that the attacks remained undetected for many days speaks of our preparedness and level of technical expertise available in hand with the government.
Inevitably, it leads us to the question: how prepared are we then?
The National Cyber Security Policy 2013 (NCSP) of the government projected that India needs at least 5 lakh security experts. Based on the recommendations of its task force, the University Grants Commission had asked that cyber security be introduced at both the undergraduate and post-graduate levels nationwide. Now how many schools, colleges or universities have you heard that offer dedicated courses — degrees, diplomas or fast track — of any kind on cyber security? We are not even talking of the quality of instruction here. What exists instead are a few courses offered by small privately run academies — more hole-in-a-wall kind of operations — with limited budgets, unstructured curriculum and mediocre trainers.
The genesis of the reason for the poor response from formal education system is that cyber threats are constantly evolving in their complexity and sophistication. It requires the trainer to be in touch with the latest developments on a day to day basis. Somehow, with the cushy permanence of teaching jobs at universities and engineering colleges, with senior teaching faculty having learnt computers in an era bygone, there is neither any compulsion nor existing knowledge to teach the subject. Those who know the subject hands on, are mostly self-taught young hackers — at times college dropouts. The system is deeply suspicious of them. With our fascination for fancy degrees BTech, Mtech, MS et al, rather than the skills possessed, the system has inbuilt inflexibility and irrationality to benefit from the pool of knowledge that exists but cannot or will not be used.
The lack of meaningful employment and non-recognition of their talent has its perilous consequences. Many get pushed to fringe jobs where their knowledge is barely used. Many fall prey to the allure of petty cyber crimes that give easy money and an incredible high of controlling and disrupting the networks of the system which has refused to acknowledge their prowess. India, as a result, is one of the most thriving markets for peddling stolen wares (credit card details, contacts, addresses, rival’s data etc.) through many underground hacker forums that exist and flourish. Only a few of these talented and mostly self-taught youngsters make it to western shores where their knowledge and creativity is more likely to be acknowledged. But the number is miniscule as most of such youngsters come from smaller towns and not from wealthy backgrounds to be able to organise, say, a US migration.
Either way, the country is not better off and we remain as far from any meaningful intervention to shore up our cyber security as we were before the lofty pronouncements of the NCPS is made. It is time someone took note.
(The writer is founder and chairman of Starlit group and has co-founded cyber security company Lucideus Tech)
No comments:
Post a Comment