Tag Archives | GoI

The “mirror” effect

The National Security Council Secretariat of GoI seems to be claiming that the Executive Order issued by the US President on February 12 titled “Improving Critical Infrastructure Cybersecurity”

in many respects mirrors the initiatives taken by India in its document on framework of cyber security.

A document issued by security brass of the country, which was reviewed by ET, cites at least 12 instances where the US order mirrors India’s cyber security framework that was drafted in 2011. These include setting out a cyber security policy, defining critical infrastructure, information sharing between departments and protection of civil liberties.

Reading this, two things jump out – the insecurity that this claim projects and the fact that frameworks and plans like these are not even worth the cost of the paper they are written on [1] if they are not put into practice. Given that the GoI’s National Cyber Security Policy (Draft PDF) wants the CERT-IN to

act as a nodal agency and co-ordinate all matters related to information security in the country

we shouldn’t expect to get out of this self-dug pit any time soon.

[1] Yup, I said “paper” because, you know what, a lot of GoI reports and documents are scans of printed documents!


“Hacked and shamed” and beyond

Rohan Joshi and yours truly have a brief in the August 2011 edition of Pragati covering the “weird” compromise of the National Security Guards’ website and the downtime of the National Investigation Agency’s website.

Defacement of websites is a routine occurrence and usually not a cause of major concern, apart from the embarrassment caused by the negative publicity. However, unauthorised access to the email system is a different matter altogether. Depending upon the practices being followed, this could either have leaked encrypted digital communication between various officials in NSG and beyond, which would be of no practical use to the attacker, or could have revealed unencrypted emails discussing sensitive topics. The details have been sketchy but at least one media report states that the computer system used by an army major-general had been ‘hacked’ into, as it was discovered that a number of “letters” were sent on behalf of the general officer.

After the brief was sent off to the editors, the Minister of State for Communications and Information Technology, Sachin Pilot, told the Lok Sabha via a written reply that a total of 117 Government websites were defaced during the period January – June, 2011. With regard to the NIA’s website, the press release goes on to say:

The reply further stated that the information on the website of National Investigation Agency (NIA) is temporarily disabled. Since the website of National Investigation Agency was not hacked, no inquiry in this regard has been conducted.

It has been a month since the website was taken down and it is still in a state of “maintenance”, which begs the question – why just the NIA website? It sure does look like the site was compromised in some form or the other. Will we ever know the truth about what was compromised? Unlikely!


Takshashila responds to GoI’s discussion draft on National Cyber Security Policy

The Department of Information Technology, Government of India issued a discussion draft on National Cyber Security Policy (pdf) on 26th March 2011 and invited comments on it. In our opinion, this draft of the national policy is a considerable initial step and the government should be commended for being attuned to the threats and challenges facing the management of cyberspace and taking steps to address them. We feel that the document substantially addresses several areas and processes related to cyber security, particularly incident response, vulnerability management and infrastructure security.

However, we have identified some areas of improvement, including scope, ownership, resource allocation and management, technical and non-technical controls, which we present for the government’s consideration. This Takshashila policy advisory document (pdf) provides comments and feedback on the draft.

Feel free to provide your input on the original discussion draft or our response to it, in the comment section below.
