Under threat: Does India have no mechanism to fight cyber attack?

Is India prepared for a cyber attack? And if yes, who is in charge of it? The fate of an RTI application on the subject has raised some worrying questions.


Does the Indian government have any authority that deals with cyber attacks? Maybe there is no such body or department, or maybe the government just doesn't want to tell us. The fate of a right to information (RTI) application seeking clarity on this subject worryingly indicates that the government has no clue whatsoever as far as combating cyber espionage is concerned.

The case in point is an RTI application filed by Prof Arun Mehta, president of Bidirectional Access Promotion Society, a Delhi-based NGO, seeking information on what the government had done about a massive cyber attack on Indian computers by the Chinese, as revealed by a Canadian report titled Shadows in the cloud: Investigating Cyber Espionage 2. The report revealed that of 139 IP addresses attacked by China globally, the highest number (62) were from India.


The fate of an RTI application paints a worrying picture of India's capability to fight cyber crime

Affected institutions, according to the report, included the National Security Council Secretariat, Military Engineering Services, Military Educational Institutions, Institute of Defence Studies and Analysis, National Maritime Foundation and Indian embassies in Kabul and Moscow.

Following the release of the report, Mehta filed an RTI application with the Department of Electronics and Information Technology (DIT), Ministry of Communications and IT, on 13 April 2010 asking "if an investigation has been launched by the government to probe the Chinese hacking, the process of interacting with the investigating team, and what are the security recommendations emanating".

The DIT forwarded Mehta's application to the Indian Computer Emergency Response Team (CERT-In). CERT-In provided him with a copy of India Today magazine's interview with Greg Walton, one of the authors of the Canadian report, and page four of the said report, which contained an executive summary.

This, certainly, was not the information sought by the applicant.

In December 2010, Mehta tried again. He submitted the same query with the DIT, but received the same information: a copy of the interview and page four of the "Shadows" report.

In March last year, however, the Ministry responded differently to the same set of questions. It said that it had forwarded the query to the 'concerned department' and a reply was awaited.

The applicant is still waiting for the reply.

Interestingly, a month after the release of the "Shadows" report, then Minister of Communications and Information Technology A Raja made a reference to the Chinese cyber attack. In response to a question in the Rajya Sabha, Raja said, "An agency of the Government has been investigating such types of attacks... an investigation has already been launched into the matter."

Mehta filed another RTI application with the DIT giving reference to Raja's statement and asking for details of the mentioned agency. This time too, the DIT forwarded his query to the 'concerned authority'. This mysterious authority has still not replied.

Not giving up, Mehta filed another query on 13 February, but this time he did not mention the Chinese cyber espionage incident in his application, instead asking, "who in the Government of India is responsible for protection of the country from cyber attacks."

The query was forwarded to the Ministry of Communication and IT, which in turn forwarded it to the Ministry of Home Affairs. The MHA forwarded it back to the Ministry of Communication and IT. The DIT informed Mehta (reply dated April 3, 2012) that "Cert-In analyses the reported incidents and provides technical advisory to the reported parties for taking further steps for mitigation of such attacks in future".

The Information Technology Act, section 70 (A) says that the government has to notify an agency responsible for protecting India from such cyber attacks. "I was eager to know if they had established such an agency. And if yes, what were the details," Mehta told Firstpost.

On 8 May 2012, he filed an RTI application with the DIT asking if such an agency has been notified. "Government has not yet notified any agency under Section 70(A) of the Information Technology (IT) Act 2000 as national nodal agency in respect of Critical Information Infrastructure Protection," was DIT's response.

So here it is. The next time we come under cyber attack, we will have no choice but to just sit and watch. At least the story of Mehta's RTI applications does not indicate any other possibility.

