India is still without an end-to-end cyber security system for its government including one for the Prime Minister’s Office.
Even as India has sharpened its offensive on black money this weekend at the G-20 summit, experts are pointing to the weakness in Indian cyber security architecture as a key problem in this regard.
In fact, among the G20 nations meeting at Brisbane this weekend, India is a rare one that is still without an end-to-end cyber security system for its government including one for the Prime Minister’s Office. Top officials of the government working on the subject said they are aware of this lacuna in the security architecture.
The problem is compounded because no domestic entity has been able to offer a security system that can take care of espionage like the Edward Snowden variety of which India too was a victim.
Indian government cyber security agencies have recently found for instance that the finger print based RAX system to protect voice based communication has been jettisoned by several secretaries in whose offices it was installed, as the finger print reader suffered glitches not letting calls go through.
Kamlesh Bajaj, CEO of Data Security Council of India agreed that at present the security standards governing data communication between members of the Union Cabinet were below global benchmarks. “Unfortunately our policy says any entity communicating within the government can only offer a 40-bit encryption. But even the RBI or telecom companies offer 128-bit encryption, so there is an anomaly between what the policy is and what the actual security environment is”, he said.
Bajaj’s team working through The Software Alliance has just released recommendations on security standards government agencies should mandate from companies in the cyber sphere. He points to tax agencies as some of the most vulnerable ones.
Marcus Klische, security advisor, BlackBerry, says the espionage challenge staring the Indian government is similar to what the German or the US government faces. “No government will obviously go public with the level of risk it faces. But within a government the solutions need to be those which work unobtrusively,” he said without mentioning RAX.
He cites the example of German chancellor Angela Merkel whose conversations got tapped simply because she found it easier to use a non-secure device.
BlackBerry is, of course, an interested party in the debate as its key product is a secure communication system that governments like Germany and China have adopted to keep safe from prying eyes.
Speaking at Brisbane at the G-20 summit, Prime Minister Narendra Modi too touched on the need to stiffen cyber security standards.
Speaking about black money and the risk it creates for economies, he noted “Resilience of our financial system will also depend on (level of) cyber security.” Incidentally before speaking at the summit Modi had a long chat Merkel.
Bajaj, a former employee of the National Informatics Centre says there is no agency in India, not even the Intelligence Bureau which can decrypt communication algorithms of mails from abroad.
But Indian government mails were at risk, he said. “Broadly you could say a mail from within the Cabinet will not be a very secure mail,” he noted. Top officials of the department of information technology acknowledged that a lot of work was going on to rectify this vital chink but refused to share details of those.
Klische said cyber standards between governments especially the G-20 could soon demand levels of technological protection a la global trade standards. He pointed to the risk of hacking into top government sites that he said were often financed by “unsafe nations”.
Klische who is a member of Europol’s security group (Interpol’s European arm) said “the attackers will first try to route traffic through a safe route like a company but which has cyber connections abroad. From there it will hop back to the original aim of attack say a nuclear site or whatever”. The
answer is to adopt a security technology in the top rungs of the government that fits into the life of those using it, he claims. Bajaj says one way to ensure this is to immediately mandate standards for buying software, and he points out this is particularly true for financial arms of the government.
CLEAR AND PRESENT DANGER
* India remains without an end-to-end cyber security system for its government including one for the PMO
* The problem is compounded because no domestic entity has been able to offer a security system that can take care of espionage
* Among others, tax agencies are particularly vulnerable to security breaches