8 June 2020

Lt Gen. (Dr) Rajesh Pant on India's National Cyber Security Strategy, Indo-US cooperation, end-to-end encryption and more

By Aditi Agrawal and Nikhil Pahwa

On May 29, we interviewed Lt Gen. (Dr) Rajesh Pant, India’s National Cyber Security Coordinator, over the phone. We discussed the role of the Coordinator, what to expect from the National Cyber Security Strategy, the impact of COVID-19 on cybersecurity, India’s submission to the UN Open-ended Working Group, the Personal Data Protection Bill and much more. (Note that the interview has been lightly edited for clarity.)

On the role of the National Cyber Security Coordinator

MediaNama: What are the functions and powers of the office of the National Cyber Security Coordinator? Does it only cover national security, or does it also cover cybercrime?

Lt General Pant: In 2013, the cabinet had approved the National Cyber Security Policy. In that, there were a number of new institutions that were proposed. For example, there is an institution called the NCIIPC — National Critical Information Infrastructure Protection Centre — for the CII [critical information infrastructure]; then, for threat analysis, there was the NCCC — National Cyber Coordination Centre; for cybercrime, there was the I4C — Cyber Crime Coordination Centre under the MHA; and as a coordinator of all these aspects, there was an appointment created called the National Cyber Security Coordinator [NCSC]. This was part of the Policy.


As you are aware, the National Security Council is chaired by the Prime Minister and it comprises four major ministries, two in North Block and two in South Block — External Affairs, Finance, Defence and Home. Two external, two internal. These four cabinet ministers and the Prime Minister form the National Security Council. That’s the highest decision-making body for taking decisions on national security. And the secretary general of this council is the National Security Advisor, Mr [Ajit] Doval. To provide a secretariat for the Security Council, we have an organisation called the National Security Council Secretariat. It has various verticals: there is a vertical that handles internal threats, vertical that handles strategic threats, etc. So, I am part of this National Security Council Secretariat. And the aim is to advise this Council in overseeing and compliance of all the cybersecurity aspects including implementation of action plans in cybersecurity by the nodal agencies, evaluation and analysis of incidents, then forming incident response monitoring teams. There’s a training part also. There’s an aspect of international forums and providing consultation and guidance to state governments. And also engage with the private industry for formulation of policies. So that’s basically the role of the NCSC.

MediaNama: We couldn’t find it in the allocation of business rules, so we were wondering how it structurally works.

Lt General Pant: That’s because the National Security Council Secretariat is still shrouded in a lot of intelligence activities. Like, you know, [for the] NTRO, you may not find business rules. But, NSCS recently, I think two months back, once the NSA [National Security Advisor] became a cabinet minister’s post, then there has been some inclusion in the rules of business, something happened recently.

MediaNama: We were able to find an allocation for NCCC, not for the Secretariat itself.

Lt General Pant: Maybe.

On the National Cyber Security Strategy and India’s priorities

MediaNama: In your view, what are some of the key cybersecurity threats that India faces? In that sense, what are your key priorities for the next 6 months to a year? What is it that you want to see at the end of 6 months or a year?

Lt General Pant: You will be surprised. Why 6 months? I wonder if you have heard of what we have been doing for the last, almost 10 months now. We are creating a National Cyber Security Strategy from 2020 to 2025. This task force for creating this strategy was convened last year in July and it is an inter-ministerial task force. I am the chairperson of that task force. And we have had about 20-odd presentations, then we have had interactions with industry, academia, think tanks. Then, in December, we put out a portal www.ncss2020.nic.in. Then we got about 300 responses. When I say 300 responses, [it] means, let’s say, NASSCOM is one response so that represents [a number of industries], CII again represents a number of industries, etc. Having got all these responses, then we made our strategy. And we were about to release it, in March sometime — when I say release, it means it was going to the press for publishing — when this COVID-19 impact came.

Since this virus has changed the threat scenario to a great extent, we have now added a section on tele-working — work from home, remote working, tele-working, all that is similar. The entire section has been added and, in some places, it [the Strategy] has been tweaked because in the next five years, a lot of the impact of COVID is going to be felt. Consequently, there will be an impact on the cybersecurity part also. We have done that and now it’s going through its versions of cabinet paper being approved, etc.

That’s why I said that I will not limit myself to the next six months, but if you are talking of the immediate impact, work from home has first of all created the problem of end point security. So earlier, in enterprises, there were well established parameters, defences were there, and you know there was a firewall, ITS, IPS, anti-APT, behaviour analysis and all that was being done inside the premises. But now, with people working from home, now the end point is there in the residences. Firstly, the end point, we are not sure what is the software in that, what are the updates in that, what are the anti-virus in that. Then, the home router that they are using, most of us, use very weak passwords, and we are not even clear what is access point encryption. And then from your home, it goes to a building where there is an optical fibre switch which again is open; there is no security there. And then it goes to the ISP, we don’t know, what is the network security of that. And then it comes to the enterprise. And even if you are using a VPN, which most people today have started using to provide some sort of a security, there are issues in that because that VPN aggregator that was there in your enterprise, now has to, in a sense, be used to monitor all the aspects of a distributed network. The whole concept of cybersecurity in an enterprise has changed. Work from home has made very many major changes.

MediaNama: What would be your key priorities going forward?

Lt General Pant: The first priority at a national level is to try and bring some synergy into the various verticals that are presently involved in the cybersecurity. For example, the incident response is being handled by CERT-In, which is under the Ministry of Electronics and IT. The network is provided by the Department of Telecommunications, which is under the Ministry of Communications. The critical information infrastructure protection is under the NTRO, which is under the NSA. The cyber diplomacy is being done by the Ministry of External Affairs. The cybercrime is being handled by the Ministry of Home Affairs. The cyber awareness, to some extent, is being done by MHRD and the Ministry of I&B. There are a number of different ministries handling all these major aspects which I just spoke of. This is my first priority — to synergise the overall functioning so that we move in a particular direction.

And I haven’t spoken of threat intelligence — all these agencies require threat intelligence for them to provide cyber protection and they are all getting threat intelligence from their own sources and paying for it and paying different people.

My aim is to create a centralised sort of an architecture where threat intelligence is obtained by, let’s say, one or maximum two agencies, and they distribute it.

And then there is also a concept of a National Malware Repository which, I wonder if you understand, that almost anyone who finds a malware today, they report it to agencies which are based in Singapore, etc. So everyone comes to know what is the malware, who has got it. And their database is being built up, you know. We are trying to create an indigenous thing. And there are no indigenous solutions, putting it simply, except for two or three companies like Quick Heal and K7 and maybe one more within the country which are creating some of our own indigenous solutions. I mean, everything else, end point, you take a lot of hardware switches, or router or whatever products you take — it’s all, you know, the agencies are all abroad.

So indigenisation is a concern. As I said, getting everyone together on a common platform is a concern. And trying to quickly establish norms for teleworking, since you mentioned what are my priorities, because what people are saying is that remote working was but 10% people were doing remote working. From 10%, it went to 100% during lockdown. So now they are saying it will come down to about 50-60%. People are saying that we just want 30-40% people to come to our offices and even within the government, there are some draft circulars floating around as to how can we function, let’s say, by coming three days a week, or working remotely, etc. That is all going to have a direct impact on cybersecurity. That is one of the immediate concerns as to how do we tackle this part.

On NATGRID

MediaNama: Is the NCSC responsible for systems like NATGRID, and the Central Monitoring System, and what is the status of the rollout of those systems?

Lt General Pant: Yeah, NATGRID is different. It is a project under MHA. They have got a separate CEO. As you know, you are aware of the project, and there is a set of users of threat intelligence and there is a subset of suppliers for intelligence.

MediaNama: It’s a project that is forever delayed.

Lt General Pant: But you know, there the centre-state part comes in. In my conversation so far, I haven’t discussed the states. But what also needs to be done is that barring a few states like Telangana, Karnataka, Delhi, Gujarat, and Maharashtra, the other states have not yet established their security operation centre [SOC], state level I am saying, and the CCERTs, etc. And states have to do a lot of work and the sectors have to do a lot of work. I mean the finance, the power, everyone, as per the plan has to create its own SOC, security operation centre, for cybersecurity because one CERT-In cannot look after such a large nation as ours. As per the plan, there are to be sectoral SOCs, there are to be state SOCs. A lot of work also needs to be done on that aspect also.

On the procurement of hardware and software

MediaNama: How does the government procure hardware and software from private companies or international partners, and that includes technology such as 5G, drones, facial recognition software, COVID-19 apps, etc.? Are there standards or processes laid out for it?

Lt General Pant: The urgency of COVID-19 was such that, if you are talking of an app like Aarogya Setu, since there was no vaccine, the only way out was contact tracing. And for contact tracing, you needed an app to be hosted on a data centre big enough to handle 40-50 crore Indians at least, the database of that. And there are some APIs which are associated with this app for AI, etc. So the whole thing had to be done very quickly.

MediaNama: The question was more about government procurement of, let’s say, hardware and software from private companies and international partners, especially in the context of 5G, drones, and facial recognition technology. COVID-19 aside, actually.

Lt General Pant: So 5G, there is a process which is being done by the Department of Telecommunications where it starts with a trial spectrum being given. So that notification is out. Some vendors, in fact all vendors have been given that … very cheaply, it’s ₹5,000 or something. They are supposed to demonstrate use cases in areas of health, education, etc. So everyone is there.

MediaNama: Are there any cybersecurity concerns there in terms of procurement?

Lt General Pant: Yeah, yeah. I mean 5G is…I mean you are aware why USA has banned [Huawei] and most of the European countries including the Prague Proposals, they are following suit. And the Five Eyes — the five countries with which USA shares intelligence with — they are following the same thing. Definitely, I mean, it’s not a pure telecom sector. 5G, since you have also been reading a lot about it, is going to touch all sectors — from agriculture to transport, everything. One has to be doubly, triply careful about handing over controls to somebody else in case the chips are down. Like in the USA, they have said that minimum two players will be there for every operator or some 35%, not more than that, or something like that. So different countries have different policies. A lot of laws are being passed at the moment. You may hear of some interesting developments.

On Data Sovereignty, India’s position at UN’s Open-ended Working Group, and the Data Protection Bill

MediaNama: In terms of follow-up to hardware and software procurement, does India procure any software as cyber weapons? Is there a process to import or export them? There has been a discussion at the Open-ended Working Group [OEWG] at the UN regarding global procurement of cyber weapons. What is India’s position, policy on procurement of cyber weapons?

Lt General Pant: No, no. I don’t think anyone will be speaking of cyber weapons, sale or anything like that.

MediaNama: There are entities that sell cyber weapons to countries. Do we have a process for import?

Lt General Pant: No, no, no way. No way. In fact, in the UN, there is, we are member of the UNGGE, the sixth one that is currently in progress for two years. And, there are 11 principles of norms of good behaviour and responsible behaviour on the internet that were agreed to in the 2015 one because in 2017 it collapsed because Russia and China now are going a different way.

MediaNama: Through the OEWG [Open-ended Working Group]?

Lt General Pant: Yeah, OEWG is the 182 nations — that was basically to appease the other nations and they should also form a part of decision making in the UN. In the last meeting, there was another twist that came, that the International Humanitarian Law is normally for war but cyber operations are conducted during peace time so the International Humanitarian Law also doesn’t apply in the cyberspace. The Russians, the Chinese and Mexico and Cuba are on one side and US and the West on the other.

The fault lines developing at an international level are getting more and more serious as far as the cyberspace is concerned. That’s one aspect. That’s a troubling aspect, I think.

MediaNama: Specifically, on that point, in India’s submission to the UN OEWG pre-draft [Editor: the submission was removed from the UN website shortly after it was uploaded], we have said that we agree that International Law applies to cyberspace. But we have also said that there are certain gaps in the application of international law to cyberspace, and we should explore new laws to cover those gaps. So what are the gaps that you see? What should those laws cover?

Lt General Pant: No, specifically I will not be able to answer that. But, our position has consistently been that we believe in a UN-led sort of a body, a multilateral body to handle the aspects. For example, there is a lot of pressure on us to join the Budapest Convention. Some other regional forums are also there. So far consistently we have said that we will follow the approach of a UN-led sort of consortium. So, there’s no need to go into gaps because the language of UN is full of legalese.

MediaNama: On the OEWG point, India has proposed a new form of sovereignty principle saying that it should be based on the ownership of data. If India has sovereignty on data of all Indian citizens, irrespective of territorial considerations, just curious about how do we as a country envision that to be implemented? For example, if there are some Indian citizens who have their data in the US and that data gets breached or misused, does that mean that India can retaliate on behalf of Indian citizens who are in the US? How does this idea of sovereignty over data work beyond territorial considerations?

Lt General Pant: So, there is a link to what you are saying to our PDP 2019 Bill, the Personal Data Protection Bill of 2019, which is presently being examined by a sub-committee [joint committee] led by Meenakshi Lekhi in the Parliament. And that is the one that has gone very deeply into all aspects of personal data, what is sensitive data, what should remain inside the country, what can go out with a copy in the country and what can go out cross border free flow, etc. I am really hoping that this Bill comes out in some of the sessions of Parliament this year because somehow we have not appreciated the value of data. If you see what USA Federal Trade Commission has fined Facebook $5 billion for the Cambridge Analytica leak of [data of] 81 million Americans. There are many other cases of Italians, British Airways, etc. So the GDPR in the EU. The others are well aware of [value of data].

And the CLOUD Act. USA, their companies anywhere in the world, they have the power to get that data. Somehow, we have lagged behind in this aspect of realising the value of data, realising what needs to be stored and how, what are the responsibilities of the data fiduciaries and the data processors and the data principals — all that needs to come out. If you read the Bill, the moment it is passed, the first thing that is going to happen is that the Data Protection Authority of India is going to be established with a chairperson and 6 full time members and they have been given about 4 months to go into detail and specify all this —

MediaNama: In this version of the Bill, the timeline for fulfilling the provisions of the Bill, including setting up of the DPA, hasn’t been given. 

Lt General Pant: Till the time it is passed in Parliament, the final version, we are not sure. But broadly, we are aware that it will take about 2 years for it to get implemented fully, that’s what they are saying, because the DPOs — data protection officers — have to come up in various places, the whole framework is to be established. So the point is that the value of data has to be appreciated and known to all of us, at whatever level we are — individual, business, government — and then it has to be implemented. I mean, that’s where the sovereignty aspect that you mentioned comes in. People are writing a lot about this; some are getting very nationalistic and very sentimental about it also.

On the CLOUD Act and the Indo-US partnership

MediaNama: Is India considering signing a data access agreement with the US under the CLOUD Act? How would the adequacy requirements work there? Or could there be an exception granted to India under COMCASA [Communications Compatibility and Security Agreement] 2016?

Lt General Pant: I mean, no other country, as yet has been able to sign an agreement —

MediaNama: UK and Australia have.

Lt General Pant: Their closest ally UK, after three years, recently signed that. We have got some feelers in the US about this, and we have just started working on it. It will take time. But I think we have a long way to go. Let’s get our own house in order first.

MediaNama: What was the outcome of the Indo-US ICT working group meeting held in October? There was no statement, no outcome that was issued post that meeting? 

Lt General Pant: That’s a regular sort of affair with the US. One year it is here, one year it is there. There are some three-four working groups in that for capacity building, for sharing information.

But with the US, I can tell you, that we have raised our association a couple of notches higher this time after the 30th September meeting. Earlier, let’s say, if there was a CERT to CERT cooperation, now we are on something like AIS — automatic intelligence sharing — sort of arrangement, so almost in real-time we get intelligence from there. So like that, it has become a strategic sort of a partnership now rather than just a normal meeting that takes place once a year. But definitely, since you have just reminded me of the meeting, we have started exchanging a lot of inputs and other aspects also.

On end-to-end encryption

MediaNama: Since you mentioned tele-working and how it is a priority, how do you think India can balance privacy of its citizens and its national security or public order interests? Because the Indian government has sought backdoor access to end-to-end encrypted systems. Wouldn’t adding backdoors make our citizens less secure? You can’t make people secure by having systems that have vulnerabilities like backdoors.

Lt General Pant: Absolutely, absolutely. We don’t want any systems with any vulnerability. As far as backdoors, etc. are concerned, normally, in telecom systems, there is a concept of remote maintenance, etc. That is why some of these things are deliberately left open. But nobody accepts vulnerabilities in any system. There are very strict VAPTs — Vulnerability Assessments and Penetrating Tests — done and there is a standard of security of equipment assurance levels; the scale is 1-7 levels. And then there are various standards, tests and NIST guidelines that have to be met. There is no way that deliberate backdoors would be left…anywhere or something for any surveillance or something because the LEAs [law enforcement agencies] anyway have a judicial right in case they want anything.

MediaNama: We seem to be specifically demanding that access especially the Five Eyes issued a statement asking Facebook not to implement end-to-end encryption on its various platforms. The IT Minister went out and said that this justifies India’s demand for traceability in end-to-end encrypted systems. Traceability wouldn’t be possible in such systems without breaking that or instituting backdoors. There’s a history there, for instance with the clipper chip in the US where they couldn’t implement it because it would have made the systems more vulnerable. What are your views on that demand for access? How do you balance that?

Lt General Pant: This is a separate discussion on traceability. Actually, all these OTT platforms, the intermediaries, there’s a discussion everyday on what is their liability because they are, because the content is coming through the pipe. So the telecom service provider is bound by licence conditions to meet some of the guidelines, but for content providers, there is no jurisdiction, except there’s Section 79, Rules 3 and 4 which do give some intermediary guidelines, but the aspect of traceability is very important from the LEA point of view. The UK is trying something where it has to go through their server or something like that. And there are some aspects that we are discussing as to how to enforce this aspect in the sense that, if you recall that, many years back, just making a call to USA was about ₹100 for 3 minutes or something like that. Today, you are talking for almost free on WhatsApp. Those are communication services being provided but they are not under any licence conditions. So, shouldn’t those be treated as a communication service? And when I say licence conditions, I don’t mean that they should pay something extra or something; it’s just that there is some control over them.

This is a subject of current debate as to how do we control these services and apps, etc.

There’s a conference every week, twice a week. In this conference, we get about 1,000 tweets which people from all over the country have said that these tweets are derogatory and each tweet is seen one-by-one, and then there is a meeting with all the social media platforms as to which can be brought down and which cannot be brought down. This is a very crazy sort of way of going about things, as to how do we control the content, how do we address this issue on traceability, because right now we are assuming that there are more good people in the cyber world than bad ones and if you see what are we gaining by end-to-end encryption and what are we losing.

This privacy versus security debate, it comes down to the crux of it. And my view is that if I am not doing anything wrong, let us say, I am also a social media user, if I am not doing anything wrong, then why do I need end-to-end encryption? Who am I hiding things from? But the guy who needs it, he is doing the wrong thing. He may be planning a terrorist attack or something. He is the guy who actually needs it, I don’t need it.

MediaNama: In a democratic setup, that might also have a negative impact on democracy. For example, opposition politicians prefer to use end-to-end encrypted platforms because they feel that their communications will remain private. It is as much about trust as it is about security and privacy. And if you know that your communication is being monitored, you cannot trust that the communication will not be used against you at a later point in time, which is not necessarily because you are doing something wrong. 

Lt General Pant: Anyway, I think we have passed it. All over the world now, it is end-to-end encryption so it will be difficult to go back. But the point is now as and when it is required on how to implement it [traceability], you guys have to come out with some solutions.

On the alleged cyber attack on the Kudankulam Nuclear Power Plant

MediaNama: What were the lessons that India learnt from the cyberattack on the Kudankulam Nuclear Power Plant? What were the legal steps that were taken?

Lt General Pant: I don’t think there was a cyberattack. In an interconnected world, can you stop anyone from dialling your mobile number? I don’t think so. Similarly, if somebody wants to send me a mail, I cannot stop that person from sending a mail to me. That mail may have a link. Even if I click on that link, the worst-case scenario, something happens. Let us say a malware is downloaded on my computer. When we investigated that Kudankulam case, we found that firstly, it was an internet facing computer. There are three types of network in any sector: there is an internet facing network, there is an administrative network which is called the intranet which is only within those employees — it could be space sector, it could be power or something —, and then there’s the control system that [inaudible], the OT as it is called — the operational technology. OT is air gapped, administrative system is air gapped, and then there is the internet [connected] computer with which you deal with suppliers and things like that. So, I won’t call it a cyberattack, but if this guy has reached the last stage or something, that is when I would get worried.

One lakh of these things happen every day in National Informatics Centre. And you see them coming from USA because the server is hired in USA, he is going through 4-5 hops, and then he is coming through the dark web, so there is no traceability, no attribution. We haven’t spoken of the dark web. Many things have been happening there.

I wouldn’t put too much stress on that Kudankulam thing. Yeah, it sounded nuclear and all that, but from the cyber keychain, if there are seven steps on the keychain, it was just around the first two or something like that.

MediaNama: Was that intrusion ever adequately attributed?

Lt General Pant: You cannot attribute, that’s what I am trying to tell you. The lakhs of cases that take place [every day], you cannot attribute because he has hired a server in USA, from some data centre. From that data centre, he has sent you a mail with that malware attachment. The last IP [address] that you get is that US server. Even if you have an arrangement with the Americans, they tell you that the next hop will take you to the Netherlands and another server. Then it will go to Germany and another server. And nowadays, they are coming through Tor so if he has gone inside the thing and come out, we can forget about attribution.

All the attribution that is done normally is what is called as, depending upon the nature and the TTP, it is called — Tactics, Techniques and Procedures — used to conduct the attack and the sample that he has used. Countries assess something called APTs — Advanced Persistent Threats. So various numbers are given. One, let’s say the Israelis could give them numbers, the Americans give it animals or something. So panda could be the same as APT or something. This way, the identification is done, that this most probably belongs to an attack by this group. But otherwise, where is the attribution?

MediaNama: Even US attributed one, on the Equifax case.

Lt General Pant: Yeah, it is signalling. It is to send a message that we know you did it or something like that. But technically I am speaking, technically attribution is very, very difficult.

On transparency

MediaNama: How important is transparency in cybersecurity? For instance, CERT has stopped reporting spamming attacks, NCRB has stopped giving out data on breaches. How important is transparency from a trust point of view?

Lt General Pant: I don’t know why they should stop giving out data because transparency, unless it is causing some sort of another pandemic or some other concern, at least in our fields, we share this information, we share these attacks. That’s why I said that that PDP Bill is very important. I mean you know the fines in GDPR, [€20 million] or 4% of your turnover, if you don’t report within 72 hours. I am very eagerly waiting for this Bill to come. At least it will send a message to people as to which world we are living in.
