The role played by geospatial technology in human lives can be observed in the way the world is dealing with some current challenges, such as the COVID-19 pandemic and the ongoing Russia-Ukraine war. Let me speak about the role of robust cybersecurity in geospatial technology.
GIS has a source of information, a network, or media through which information passes. It has a destination where the information will be stored. It has a processor. It has storage. Though it is an information system, it is prone to cyberattacks and this makes the issue of cybersecurity important. So, the attack vector can either attack the source of information network or media storage or the network, including the Cloud, resulting in loss and corruption of data. This is why it is pertinent for cybersecurity to be embedded in geospatial technology.
The Government of India (GoI) has initiated a number of steps in the last few years to strengthen our cybersecurity and ensure that cyberspace remains safe. GoI approved the national security directive on the telecom sector on December 16, 2020. Under this, all products connected to the telecom network of India have to be procured and adopted from trusted sources — from trusted countries, companies and their related supply chains. Besides, a number of agencies have been created in the past few years to oversee and strengthen cybersecurity in different sectors.
The National Critical Information Infrastructure Protection Centre (NCIIPC) was created as a nodal agency for the protection of critical sectors like transportation; railways; banking, financial services and insurance (BFSI); aviation; and other strategic sectors. The Indian Cyber Crime Coordination Centre (I4C) was created under the Ministry of Home Affairs to tackle cyber fraud. Under the Ministry of Electronics and Information Technology, the National Cyber Coordination Centre was created for threat prediction. For public awareness on information security and training, the Information Security Education & Awareness (ISEA) center was created. Three years ago, we set up the Defence Cyber Agency, specifically for the defense sector. And under the Ministry of External Affairs, the Cyber Diplomacy Division was created.
Most semiconductor devices, such as integrated circuits (ICs and printed circuit boards are manufactured and imported from countries like Taiwan, China, the US, Europe, and South Korea. It then becomes important to keep track of the global supply chain. Malware can either be a type of software or hardware. It could also be a part of the firmware itself. For example, one extra line while manufacturing an IC can compromise user data. Therefore, for both hardware and software, the supply chain needs to be checked and tested.
The Mandatory Testing and Certification of Telecom Equipment (MTCTE) was notified by the Government of India on September 5, 2017. Under this scheme, all telecommunications equipment, whether imported or indigenously manufactured, has to be tested and certified against Essential Requirements (ERs) issued by TEC (Telecom Engineering Centre). TEC the technical arm of the Department of Telecommunications (DoT) and the designated agency for testing telecom equipment by designated labs. The responsibility for framing security related requirement and security certifications lies with the Bengaluru-based National Centre for Communication Security (NCCS).
We created the Defence Cyber Agency in November 2019 in the line of cyber command; it is now fully functional. This agency will be converted into a full-fledged command in the future as we are facing challenges like manpower and land allotment.
Just like the government’s policy on nuclear weapons (‘no first use’), we too have a ‘no first attack’ policy in place. In cyber deterrence, we have full capability to attack in case any state actor dares to touch us. That is where cyber deterrence comes into play. However, we are not out to harm any country by using offensive cyberattack.
The attack vector can either attack the source of information network or media storage or the network, including the Cloud, resulting in the loss and corruption of data. This is why it is pertinent for cybersecurity to be embedded in geospatial technology.
We are one of the few countries focusing on critical infrastructure, including the health sector. We created the National Critical Information Infrastructure Protection Centre (NCIIPC). Recently, we conducted the first national cyber exercise, NCX India 2022, which took place from April 18 to April 29, where we got chief information security officers and decision-makers from all critical sector organizations.
First, we trained the officers and decision-makers and then we put them through an exercise where we simulated a ransomware attack on the power sector and the oil sector. Then, a rehearsal was conducted.
We took extra security steps to protect our critical sectors — telecom and power. We formed a sectoral telecom emergency response team, even though there is the Indian Computer Emergency Response Team (CERT-In) — a nodal agency to deal with cybersecurity threats like hacking and phishing. We also created a power-CERT to deal with different verticals in this sector — power generation, distribution, transmission, and grid operation.
In cybersecurity, there are two verticals: services and products. Services mean audits, education, training, etc. We are self-reliant in all aspects of services within the country so far. However, on the products side, equipment may come from anywhere in the world.
There is a long chain of products starting from endpoint security (end-user devices like desktops, laptops, and mobile devices) to network, and our challenge is to protect every element of this network. There is Cloud security and data-centered security, and there are various aspects of firewalls, seams, prevention systems, detection systems, and security operation centers. Cybersecurity is a global common like the climate, the pandemic, and the environment. So, global commons require global solutions and we should not be particular about having everything within the country.
All products connected to the telecom network of India have to be procured and adopted from trusted sources from trusted countries, companies and their related supply chains.
We should not always react to a situation, rather we should try to prevent it. For this, we need to invest more in the education and awareness of our people to make them practice better cyber hygiene. The individual human being is the weakest link in the cyber security chain.
Technically, I can do a lot of things to protect the system but if a human being falls prey to a phishing attack or a malware dropper or some other attack vector, the entire system gets compromised. Our people should be careful while installing various apps on smartphones so that hackers do not take advantage of them. We have started training programs in schools on cybersecurity. Investing in education and awareness is the best endpoint measure to ensure the security of our laptops and phones.
As a nation, we are losing in terms of data value as we are late in shaping our data protection bill. The Ministry of Electronics and Information Technology introduced the Personal Data Protection Bill, 2019, in the Lok Sabha. The Bill seeks to protect the personal data of individuals and establishes a Data Protection Authority for the same. But it is still at a standing committee. We need a data protection framework urgently.
One can recall the case where personal data belonging to 87 million US Facebook users was sent to Cambridge Analytica. Afterwards, Facebook was fined USD 5 billion. It can happen in any country. A lot of companies operating in the EU have been fined under the General Data Protection Regulation of Europe (GDPR).
Unlike the EU, we don’t have any regulations in place to ensure that data stays inside the country. At the very least, personal and sensitive data must stay inside the country. This is part of sovereignty.
The UN has this concept pertaining to the sovereignty of nations. Data of any nation is also sovereign and has to be regulated by the law of the land.
Though biometric Aadhaar data is stored and protected within India, some data centers are located outside the country. This is why we urgently need a data protection framework and bill.
We held an exercise called the National Cyber Exercise 2022 from April 18 to April 19, which was aimed at seeing how prepared we are. We made two teams from 150 participants from critical sectors like Power and CERT, as well as from private companies. They attacked each other and both had to defend themselves from the other’s attack. One team attacked the computers of the second team while the latter tried protecting itself. The result was encouraging. We are well prepared and the National Security Council Secretariat is doing an excellent job in ensuring that their systems remain safe.
We do have a robust regulatory framework in place, otherwise technology would be prone to misuse. For the cyber security part, we have the IT Act, amended in 2008, which is well crafted. On April 28, 2022, fresh directions were issued under the IT Act 70B, mandating everyone in India to report a cyber incident within six hours of its occurrence. We have also specified that logs need to be maintained for 180 days because we can then review them to find out how the particular malware has entered the system.
We have also laid down guidelines for data centers that are not regulated since we found out that a lot of people hire virtual private servers (VPS) and carry out attacks through these centers. The details of people hiring these virtual private servers are not revealed as these companies are private.
© Geospatial Media and Communications. All Rights Reserved.
