29. Strengthening National Security through Cyber Security Clusters

 

Strengthening  National Security Through Cyber Security Clusters

March 2021

Abhay Vaidya

 

 

Abhay Vaidya is Associate Director, Pune International Centre. He has worked as a journalist for over three decades with prominent media houses in India.

The Pune International Centre is grateful to its members Commodore Anand Khandekar (Retd.) and Mr. Sanjay Kanvinde for reviewing this paper and making valuable suggestions.

 

Synopsis

Prime Minister Narendra Modi’s call for Atmanirbharta (self-reliance) coupled with the renewed emphasis on India’s strategic partnerships with the United States, Japan Australia, Israel and France should be harnessed by India to bridge the enormous deficiencies in Cyber Security. In this context, the development of Cyber Security Clusters in cities with a strong presence of the IT industry and educational institutes merits attention and support from the central and state governments.

Cyber Warfare, Cyber Espionage, Cyber Terrorism and Cyber Crime, which includes internet-driven siphoning of vast amounts of money from bank accounts, constitute the cold reality of the Cyber Age of the 21st century. Cyber space has already been designated as the ‘fifth dimension of warfare.’ While India has been rapidly marching ahead with digitization and internet-based technologies, cyber security capabilities continue to lag behind.

The absence of a robust Cyber Security Ecosystem in the country and adequately trained manpower in cyber security has exposed India to serious vulnerabilities in national security. India ranks 21st and China ranks 2nd in the 2020 National Cyber Power Index of Harvard University’s Belfer Center for Science and International Affairs.

This situation can be reversed through a multi-pronged strategy such as conscious efforts based on Atmanirbharta (drive towards self-reliance) along with close collaboration with strategic partners such as the US, Israel and France to build capabilities in cyber security. Cyber Security Clusters could also be developed in cities such as Pune, Hyderabad, Chennai, Bangalore and Noida which have a readily available talent pool of students, along with an ecosystem of IT firms, defence establishments and R&D labs.

A good beginning has been made in Hyderabad with the establishment of the Hyderabad Security Cluster with support from the Telangana government. In January 2020, a cyber security Centre of Excellence, established jointly by the Telangana government and Data Security Council of India (DSCI), a non-profit body set up by the Nasscom (National Association of Software and Service Companies), was inaugurated here. On similar lines, a cluster can be established in Pune where the Pune International Centre (PIC) policy research think tank has already submitted a proposal and a blueprint to the Maharashtra Government. There is a huge potential to not only generate thousands of jobs in this domain but also strengthen India’s soft power strategies by assisting and collaborating with other nations to develop strong cyber security systems. But for that to happen, India has to first become a leader in this field.

Advent of the Cyber Age

The opening decades of the 21st century have been witnessing mind-boggling technological advancement and capabilities with high speed computerization, bigger and better internet bandwidths, Industry 4.0, artificial intelligence, machine learning and Big Data applications. These are all key elements of a technologically-driven society, embracing virtually all aspects of our lives, in a period of human history which will inevitably be designated as the Cyber Age. Computers and internet-driven technologies are increasingly beginning to dominate the life of the Common Man, from the cradle to the graveyard, bringing with it critical issues of cyber security.

Definition and Significance of Cyber Security

The United States Government’s Cybersecurity & Infrastructure Security Agency (CISA) has defined Cyber Security as “the art of protecting networks, devices and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity and availability of information.”

CISA has noted that virtually everything now relies on computers and the internet — be it personal and official communication (e.g., email, smart phones, tablets), entertainment (e.g., interactive video games, social media, apps), transportation (e.g. navigation systems), shopping (e.g. online shopping, credit cards), medicine (e.g. medical equipment, medical records) and so on.

Poor cyber security can expose critical data to vulnerabilities such as malware erasing database; a breach into the system and altering of files. Someone else’s computer can be used to attack others and poor cyber security can also lead to crimes such as embezzlement of funds through illegal transfers.

The vast spectrum of cyber security stretches from the right to privacy of individuals to issues of financial security of individuals and the banking system and national security. In keeping with the demand of the times, India not only needs to create a strong defence mechanism in cyber security but also a strong deterrent capability against cyber attacks from a variety of state and non-state actors including rouge states, terror organisations, state-sponsored organisations and enemy  nations.

Cyber Space: 5th Dimension of Warfare

In 2016, a group of national security and IT experts participated in a discussion chaired by P.C. Haldar (former Director, Intelligence Bureau) on Cyber Space: Challenges and Opportunities at the Pune International Centre’s annual ‘Pune Dialogue on National Security’ (PDNS-2016). They noted that Cyber Space had emerged as the fifth dimension of warfare, where wars would be fought inside people’s homes, in power stations and various other critical infrastructures of a nation.[2]

“The dividing line between internal and external threats to securities is increasingly getting blurred as geography loses its salience in the virtual world,” the PDNS-2016 report noted. Given this reality, India needs to develop a Cyber Deterrence Doctrine, as was done with the ‘No First Use’ doctrine of deterrence on nuclear issues. “Other countries need to be aware of our cyber offensive capabilities as part of the Cyber Defence Doctrine,” the report said. 

Iran initiated advanced cyber capabilities after it suffered the Stuxnet cyber attack on its nuclear facilities in 2010. In the case of China, the People’s Liberation Army has created specialized units (PLA Unit 61398, for e.g.) who are engaged full time in creating high quality malware to advance cyber offensive capabilities.

“China is one of the countries which has created cyber crime and cyber warfare capabilities, which are termed ‘advanced persistent threats’ in the field of computer security, “PIC’s paper on ‘Strategic patience and flexible policies: How India can rise to the China challenge,’ has noted. The emergence of cyber crime led by state actors is one important dimension of the India-China relationship, the paper by authors Ambassador Gautam Bambawale (Retd.), Dr. Vijay Kelkar, Dr. Raghunath Mashelkar, Dr. Ganesh Natarajan, Dr. Ajit Ranade and Prof. Ajay Shah observed.[3]

The authors, who are influential voices in the policy making establishment in India, pointed out that such a situation not only exposes India to the danger of attacks by state actors upon government and private systems but could also pose a danger to the IT exports industry in the country which works for global clients.  Global solutions would therefore be necessary on cyber warfare and cyber crime.

Most Powerful Cyber Nations

In 2020, Harvard University’s Belfer Center for Science and International Affairs under the Kennedy School ranked the most powerful cyber countries in the world[4] as follows:

  1. United States
  2. China
  3. United Kingdom
  4. Russia
  5. Netherlands
  6. France
  7. Germany
  8. Canada
  9. Japan
  10. Australia

While Israel ranked 11th most powerful nation in cyber space, Estonia ranked 14th and India, 21st, ahead of Iran, Ukraine and Italy (Fig.1 below). This index was based on an “all of country approach” based on seven national objectives that countries were pursuing using cyber means. These seven objectives were:

1) Surveillance and Monitoring of Domestic Groups

2) Strengthening and Enhancing National Cyber Defences

3) Controlling and Manipulating the Information Environment

4) Foreign Intelligence Collection for National Security

5) Commercial Gain or Enhancing Domestic Industry Growth

6) Destroying or Disabling an Adversary’s Infrastructure and Capabilities; and

7) Defining International Cyber Norms and Technical Standards.

This study noted that China continued to build on its cyber strengths and was leading the world in many indices. These included Cyber Surveillance where China was the most powerful followed by Russia and the United States in the third place. China also ranked first in “Cyber power in commerce” followed by the U.S.

“In-line with recent headlines in Western countries, China tops the Growing National Cyber and Technology Competence objective. Along with DPRK (North Korea) and Iran, China is one of only three countries assessed to be pursuing this objective through both legal and illegal means,” the study noted.

Examples of Cyber Attacks

One of the worst cyber attacks in history occurred in May 2017 when the WannaCry Ransomware Cryptworm infected computers running the Microsoft Windows Operating System with demands of ransom payment in Bitcoin crypto currency.

WannaCry was estimated to have infected more than 200,000 computers in 150 countries and according to Andy Bochman, senior grid strategist (national and homeland security), Idaho National Laboratory, USA, the damage caused by this cyber attack was estimated at $4 billion.[5] On December 19, the BBC reported that the US and UK had blamed North Korea for this attack. 

In June 2017, the NotPetya cyber attack targeted at banks, power utility firms and ministries in Ukraine came to light. This attack also had an impact on non-Ukrainian companies such as the Danish shipping company Maersk, pharmaceutical giant Merck and the chocolate manufacturer Cadbury. This cyber attack caused damage estimated at $850 million, according to Bochman.

Ukrainian authorities blamed Russia for this attack. While there was no official response from the CIA, the Washington Post reported on January 13, 2018: “The CIA has attributed to Russian military hackers a cyber attack that crippled computers in Ukraine last year, an effort to disrupt that country’s financial system amid its ongoing war with separatists loyal to the Kremlin.”

In February, 2021, an alleged cyber attack took place on India’s power infrastructure: According to a New York Times report on February 28, 2021, the power grid collapse of two hours that took place in Mumbai on October 13was “part of a broad Chinese cyber campaign against India’s power grid, timed to send a message that if India pressed its claims too hard (on Ladakh), the lights could go out across the country.”[6] This occurred four months after Indian and Chinese soldiers clashed at Galwan Valley in Ladakh.

Although the Maharashtra Home Minister, Mr. Anil Deshmukh said on March 1 that the power grid failure was the result of a “cyber sabotage,” the central government’s Ministry of Power denied that the power outage was caused by a malware attack.

Cyber Attacks on the Rise

Accenture, the strategy and consulting multinational said in its 2018 report ‘State of Cyber Resilience: Gaining Ground on the Cyber Attacker’ that between 2017 and 2018, 87% of cyber attacks had been thwarted but the number of attacks were also rising. Cyber attackers were described by Bochman as “sophisticated, well-funded, patient and constantly evolving.”

Scott Berinato (Senior Editor, Harvard Business Review) and Matt Perry (senior graphics Editor, Harvard Business Review) have noted that according to the 2018 Data Breach Investigations Report, “for every 74 unsuccessful attacks, there was just one breach.”[7]

Cyber Security in India Needs to be Strengthened

A comparative ranking of 76 nations on cyber security by the UK-based technology analysis firm Comparitech in 2020 ranked Denmark at 76 with the best cyber security. India was ranked 18 and China, five notches above, at 23.

In a paper on ‘Seven cyber security trends for India in 2020,’ Siddharth Vishwanath, Leader, Cyber Security, Price Waterhouse Cooper (PwC) India, noted the following[8]:

  1. i) Heavy Digitisation was under way as a result of introduction of the Goods and Services Tax (GST), launching of technology-dependent Government programmes like Digital India and Smart Cities Mission.
  2. ii) Consequently, there was a rise in cyber threat levels. The 2018 CERT-In (The Indian Computer Emergency Response Team) annual report stated that there were 2,08,456 incidents of cyber attacks in India in 2018, compared to 53,081 in 2017 – a huge increase of 292%.

iii) The cyber security market in India was set to grow from USD 1.97 billion in 2019 to USD 3.05 billion by 2022, at a compound annual growth rate (CAGR) of 15.6.%. The growth rate was pegged nearly 1.5 times the global growth rate of cyber security expenditure.

  1. iv) Renewed focus on building breach response capabilities: There will be increased focus on adopting security operations centres (SOCs) to strengthen breach response capabilities.
  2. v) Increased need for endpoint security: Organisations will begin to recognise the fact that most of the breaches today start at the endpoint, allowing threat actors to sneak into the company networks. The number of endpoints (including mobile devices) continues to rise and so does the business data being processed/stored in them.
  3. vi) Training and upskilling workforce in cyber security skills and focus on cyber awareness of senior leadership will take the centre stage: The biggest cyber security challenge faced by Indian organisations is the shortage of adequately skilled cyber security professionals. A research study by the Information Systems Audit and Control Association (ISACA) in 2019 said that 59% organisations worldwide have vacant cyber security positions. This was a sign of serious lack of professionals in the domain of cyber security. Organisations will also invest in cyber security awareness programmes to educate their senior leadership, management and board members to help them to understand and measure the impact of cyber security risks on their businesses. The move would enable organisations to set the tone from the top to brace for and fight against cyber attacks, the study said.

Steps taken by India to bolster cyber security include the setting up of the National Critical Information Infrastructure Protection Centre (NCIIPC) under the National Technical Research Organisation (NTRO) to protect critical infrastructure such as national power grids, defence, banking and financial sector, insurance, power, telecom communications and transportation from cyber attacks. Designated as a national nodal agency under Section 70A of the IT Act, 2000, this body has been empowered with a wide-ranging mandate to face the challenge of securing national infrastructure.

Drawing attention to serious gaps in the cyber security ecosystem, security experts at PDNS 2016 noted that “vast amounts of imported hardware, including defence hardware poses high vulnerability as hardware manufacturing is not done in India.” The question then arises: “Does India even have the capacities to test the hardware and ensure that no malware has been embedded in it?” defence experts asked at the PDNS session on cyber security. Along with hardware vulnerability, Cyber Security Management is critical and four aspects need to be addressed: manpower, processes, technology and management, the experts noted.

National Cyber Security Framework for India

A National Cyber Security Framework would require two broad approaches:

  1. The creation of a National Cyber Security Culture which will percolate among the masses to ensure a basic level of cyber hygiene and security consciousness.
  2. The generation of a steady stream of qualified professional manpower to serve as the backbone of the National Cyber Security Framework for the country.

In 2015, The Economic Times reported that the Union Ministry of Information and Technology had estimated that by 2015, India would need five lakh cyber security professionals. It quoted Nasscom (National Association of Software and Service Companies) President R Chandrashekhar as stating: The estimate is that we have just about 50,000; we need at least one million skilled people by 2020.”[9]

The current scenario presents critical challenges which can be turned into opportunities. In this regard, the PDNS 2016 had highlighted the following issues:

  • Many state governments are adopting cyber technology and asking their departments to go online. However, the overall cyber security standards are very poor and need to be addressed urgently.
  • Given the need to test imported hardware, especially defence hardware to ensure that no malware has been embedded, India needs to have adequate number of testing facilities which can be done through public-private partnerships.
  • The need for a large workforce of IT security professionals stands reiterated from various quarters again and again. IT and national security experts at the PDNS noted that “the best age to find a good security professional at the base level would be around 18-22. People of this age-group are needed to work on cyber security 24×7.” However, in India, bright IT students end up doing routine jobs at IT companies rather than experimenting with hardware and software. “From a security perspective, universities and institutions need to introduce courses in defensive and offensive capabilities,” the PDNS noted.

Accelerating Cyber Security Through Cyber Security Clusters

National security experts at the PDNS 2016 noted that India could “accelerate her cyber security journey from 20 years to 10 and from 10 to 5 by creating cyber security clusters.”

A good beginning has been made in Hyderabad with the establishment of the Hyderabad Security Cluster with the support of the Telangana government. On July 12, 2018, the Netherlands Embassy in India noted: “The Hyderabad Security Cluster (HSC) and The Hague Security Delta (HSD) – the World’s largest security cluster, have rolled out their first joint initiative – The Hague-India Cyber Security Summer School, a five-day programme being conducted in Hague and Hyderabad simultaneously. HSC was one of the initiatives launched during the visit of Mark Rutte, the Prime Minister of Netherlands to India on May 24, 2018. HSC and HSD are working together to bring crucial advancements in cyber security for the mutual benefit of both the countries.”[10]

 In January 2020, the Cyber Security Centre of Excellence established jointly by the Telangana government and Data Security Council of India (DSCI), a non-profit body set up by the Nasscom (National Association of Software and Service Companies) was inaugurated.

Following the success of the Hyderabad initiative, there has been interest in setting up similar clusters in Bangalore, Ahmedabad and Haryana, the Hyderabad Security Cluster CEO Zaki Qureshey said in an interview to The Hindu.[11]

Since Cyber Security Clusters are vital for India’s national security, the central government should introduce incentives for state governments to promote such clusters wherever feasible. Cities such as Pune, Bangalore, Chennai and Noida, among others in the country which have a healthy mix of professional educational institutions, IT industry and security experts, are ideally suited for this.

The PDNS noted that Pune “with its vibrant ecosystem of IT and Cyber Security companies, academic institutions, defence and government labs is willing to take the lead and has already established such a cluster. Government funding and technology support is required to develop this first nascent cluster so as to establish a national template for further replication.”

These same aspects with greater elaboration were presented in 2016 by the PIC in a detailed vision document and a blueprint to the Maharashtra Government.[12] The proposal identified the College of Engineering, Pune (COEP), which had signed an MOU with Tel Aviv University in February, 2015, for creating trained manpower in the cyber security and smart governance domains as the “academic anchor” for this initiative. The proposal sought funding of Rs. 200 Crore from the Maharashtra Government over a period of five years for setting up the cluster. This vision envisaged the setting up five Cyber Security Chairs of international repute to fulfill deep bench academic needs, attract global entrepreneurial talent to set up companies, establish world class facilities and infrastructure and create a network of innovation centres, labs and business accelerators among other such initiatives.

Air Marshal Bhushan Gokhale (Retd.), Convenor, PDNS,  noted: “We have tremendous vulnerability in the area of cyber security and at a time when we are aggressively going digital, we need to make sure that we have the tools to prevent cyber attacks and tools to mitigate, so that we can be up and running after a cyber attack. Close collaboration with Israel is, therefore, very important.” He said strategic relations with Israel were very important in the areas of defence technology cooperation and intelligence gathering. “At the top of everything is intelligence because what we need is predictive, pre-emptive and proactive intelligence to deal with terrorism. Israelis are very good at predictive intelligence,” he noted.[13]

Commodore Anand Khandekar (Retd.), one of the visionaries of the Pune Cyber Security Cluster said, “We envisage collaboration between the government, industry, academia and users.” While the government can be the facilitator, others such as COEP, TAU and cyber industries can come together to establish the cyber security cluster and promote start-ups and establish linkages between India, Israel, USA and UK.[14]

Cyber security Product Innovation

One important growth area for Indian technocrats in the cyber security domain is in product innovation.

This has been very clearly recognised by the Government of India which, among various initiatives, launched the ‘Cyber Security Grand Challenge’ under the auspices of the Ministry of Electronics and IT and the Data Security Council of India (DSCI) in January, 2020. The top prize in this competition was Rs. One crore with total prize money of Rs. 3.2 crore under various categories.

The DSCI’s Indian Cyber Security Product Landscape 2.0 report released in December 2020 noted that the current base of 225+ companies had evolved and grown from 175+ companies in 2018. In terms of revenue, the cyber security product industry grew 2x times in the last 2 years, with a revenue of USD 1016 Mn. As compared to the IT product industry CAGR during 2018-20, the cybersecurity product industry CAGR was ~6X times higher at ~39% from 2016-2020.[15]

The 2018 report noted that the cyber security product companies reflected a fine blend of pure-play cyber security product companies and those offering both products and services. These companies comprised traditional solution providers and those innovating with new age technologies such as Artificial Intelligence, Machine learning, Automation, Big Data and Analytics, Encryption, Blockchain, Quantum Cryptography and Deception, among others.

Speaking about the report, Ajay Sawhney, Secretary IT and Electronics, Government of India, said: “It is quite an impressive story that Indian product companies are marking their footprints, not only in

domestic market but also globally, with many emerging companies showing steep growth. Cybersecurity is a strategic sector for country’s defence and it is reassuring to see many young companies building nextgen security solutions using AI/ML, Big Data/Analytics, Blockchain, Encryption, Forensics etc. Though a promising story is being created, yet a lot more needs to be accomplished.”[16]

Digital Security and India’s Soft Power

While India’s soft power has had a silent influence over the millennia through the spread of Buddhism in East Asia and the spread of Yoga, Ayurveda and the Indian Diaspora throughout the world, since Independence, India has consciously used soft power as an instrument of foreign policy. This has been through the sharing of resources, infrastructure development and capacity building among the developing nations of South Asia, West Asia and Africa in domains such as medicine, education, space diplomacy, IT and other areas. Assisting and collaborating with other nations to develop strong cyber security systems can become an important part of India’s soft power outreach provided the country first becomes a leader in this field.

Conclusion

A holistic perspective of the existing situation suggests that while rapid strides are being made in digital governance, widespread computerization and deployment of internet-based technologies, the demands of cyber security have not kept pace, resulting in serious vulnerabilities. There is need for a multi-pronged strategy, a time-bound plan and focused action points to address the existing reality. 

  • Without strong capabilities in cyber security, the nation stands exposed to a variety of cyber attacks from a range of state and non-state actors. Considering that cyber warfare has emerged as the fifth dimension of warfare, India can no longer afford to lag behind in cyber security capabilities.
  • Address the need for the creation of adequate manpower and the pursuit of advanced capabilities in cyber security technologies.
  • The existing weakness can be transformed into an opportunity by initiating a multi-pronged approach to improve cyber security standards through Atmanirbharta (drive towards self-reliance), the establishment of Cyber Security Clusters in different parts of the country, and close, strategic collaboration with allies on this front. The central government should introduce incentives for state governments to establish such clusters, which would help create an effective Cyber Security Ecosystem in the country and help strengthen national security.
  • Continue to take steps to encourage product innovation in cyber security as this would help Indian start-ups identify growth and business opportunities on a global scale while raising Indian capability in this newly-emerging critical area of national security.

[1]Cybersecurity & Infrastructure Security Agency. (2001). What is Cybersecurity? Retrieved from: https://www.cisa.gov/tips/st04-001

[2]Pune Dialogue on National Security. (2016). Summary of Discussion – “Cyber Space: Challenges and Opportunities”. Hosted by Pune International Centre, The Tribute Trust, Policy Perspective Foundation (PPF) and Centre for Advanced Strategic Studies (CASS).

[3]Gautam Bambawale, Vijay Kelkar, Raghunath Mashelkar, Ganesh Natarajan, Ajit Ranade, Ajay Shah. (2021) Strategic patience and flexible policies: How India can rise to the China challenge. Pune International Centre.

[4]Sussman Bruce. (2020). Top 10 Most Powerful Countries in Cyberspace. Secureworldexpo.com. Retrieved from: https://www.secureworldexpo.com/industry-news/top-10-most-powerful-countries-in-cyberspace

[5]Harvard Business Review. (2019) Cyber security: Insights You Need from Harvard Business Review. Boston, Massachusetts, Harvard Business Review Press.

[6] Sanger E David and Schmall Emily. (Feb 28, 2021). ‘China Appears to Warn India: Push Too Hard and the Lights Could Go Out.’ The New York Times.

[7]Harvard Business Review. (2019). Cyber security: Insights You Need from Harvard Business Review. Boston, Massachusetts, Harvard Business Review Press.

[8]Vishwanath Siddharth. (2018). What lies ahead: Seven cyber security trends India will witness in 2020. PwC India. Retrieved from https://www.pwc.in/consulting/cyber-security/blogs/what-lies-ahead-seven-cyber-security-trends-india-will-witness-in-2020.html

[9]ET Bureau. (2015). Economic Times. Cyber security: 1 million cyber security professionals needed by 2020. Retrieved from: https://economictimes.indiatimes.com/tech/internet/cyber-security-1-million-cyber-security-professionals-needed-by-2020/articleshow/48661717.cms

[10]Netherlands Embassy in India. (2018). Hyderabad and The Hague—Partners in Cyber Security! Retrieved from: https://m.facebook.com/story.php?story_fbid=1012144235615476&id=205056992990875

[11]The Hindu. (May 9, 20219) CoE in security breach investigations in city next year. Retrieved from:  https://www.thehindu.com/news/cities/Hyderabad/coe-in-security-breach-investigation-in-city-next-year/article27073551.ece

[12]Pune International Centre. “High Level Proposal to Government of Maharashtra for Cyber Security Cluster Pune,” October, 2016.

[13]Vaidya Abhay. (2017). As India, Israel come closer, Pune’s cyber security cluster vision grows stronger. Hindustan Times. Retrieved from: https://www.hindustantimes.com/pune-news/as-india-israel-come-closer-pune-s-cyber-security-cluster-vision-grows-stronger/story-u37GD37kiSaNs66gw4fA5L.html

[14] Vaidya Abhay. (2017). As India, Israel come closer, Pune’s cyber security cluster vision grows stronger. Hindustan Times. Retrieved from: https://www.hindustantimes.com/pune-news/as-india-israel-come-closer-pune-s-cyber-security-cluster-vision-grows-stronger/story-u37GD37kiSaNs66gw4fA5L.html

[15] DSIC’s Indian Cybersecurity Product Landscape 2.0’ (2020).

file:///C:/Users/user/Downloads/India%20Cybersecurity%20Product%20Landscape%202020.pdf

[16] DSCI Press Release (6 December 2018) https://www.dsci.in/sites/default/files/Product%20launch%206DecAISS2018.pdf