In the wake of the recent denial of service (DoS) attacks by hacker groups on government websites and those owned by private organisations, the Indian Computer Emergency Response Team (CERT-In) has become more vigilant and is working towards an international agreement to fight cyber crime. Gulshan Rai, director general of CERT-In, tells Kirtika Suneja that lack of information in this area makes it difficult to catch offenders.
How does CERT-In respond to serious cyber attacks like the recent DoS ones?
The recent DoS attacks were largely from within the country and the time we take to respond to these attacks can be anywhere between 5 minutes to a few hours. However, we only deal with the technology aspect of such attacks and the home ministry handles the crime. We deal with cyber security as technology incidents only while the home ministry considers this criminal action as an offensive incident.
With the increase in number of cyber attacks, is there a need to amend the IT Act?
There is no need to change the IT Act because with the proliferation of information technology (IT) and use of smartphones, more people have started using gadgets which has led to a rise in attacks such as DoS, phishing, hacking, defacement, espionage and intrusions. The problem is twofold. First, the cycle time of software is short and software are not properly tested due to which vulnerabilities exist even before the software is introduced. The second issue relates to people not being trained enough in such technologies. Moreover, there is no international law for the internet today.
Is this a reason for low conviction rate in cyber crime?
More people are reporting cyber crime and it is a good sign. Convictions have happened but the problem arises in collecting and analysing evidence.
So, are you working on such a law?
An international law is being discussed to set cyber norms and how to exchange information because there is no data at present which can be exchanged in case of such attacks. In fact, we have received 800 comments on the dreaft National Cyber Security Policy and it will be finalised soon.
The debate on government regulating the social media was not received positively. What is the progress on the talks with the social media companies?
We never wanted to regulate social media but we just have one issue which relates to the posting of related images and ads on the social media whenever someone posts on the network. The posting of related ads means that someone has access to that data and is reading it.
The telecom and technology industry also has issues with the encryption policy of the government.
Encryption is fine in business but the problem is when individuals do it without control.
Interception laws are very strong now and the security agencies are under pressure to monitor data real time. They want the facility to be able to do that. We are working on an encryption policy also to address this issue.
