Cyber Security

  • Himanshu Singh asked: What is the current Internet Governance architecture and the ongoing negotiations on the subject?

    Cherian Samuel replies: Internet Governance architecture at present can be divided into a technical stream and a policy stream. The technical stream largely follows a networked governance model with bodies such as the Internet Engineering Task Force, the Internet Architecture Board, the Internet Research Task Force and the Internet Engineering Steering Group, working together to resolve technical issues and create standards and protocols to facilitate innovation and progress. Members of these groups include operators, academics, and representatives of government and industry, amongst others.

    The policy stream is split between the hierarchical model as exemplified through organisations such as the International Telecommunication Union (ITU) and the network governance model, through the creation of bodies such as the Internet Governance Forum which seeks to follow a multi-stakeholder approach.

    Governments have largely found it difficult to navigate the network governance model where they occupy just one of the seats at the table along with other stakeholders. However, due to the varied issues and their increasing complexity with the relentless march of technology, governments will increasingly have to play a more prominent role in internet governance.

    The Working Group on Internet Governance set up by the UN secretary general in 2003 described Internet governance as “the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.” Ten years on, governments are still at the stage of building consensus on shared principles, and so there is still a long way to go.

    Ashwini Kumar asked: How do national security structures of any country strike a balance between surveillance and privacy? How far does CMS fit into it?

    Cherian Samuel replies: Surveillance has always been an essential function of a government, carried out through its intelligence agencies. On balance, it has been seen that people are willing to forego their privacy to a considerable extent in return for security. At the same time, privacy is increasingly seen as an individual right and governments have had to walk a fine line between intruding into the individual’s space in the interest of national security and ensuring that privacy rights are not trampled upon in the process.

    Cyberspace has brought a new dimension to this dilemma in that governments, if they so desire, can obtain a veritable deluge of information ranging from communication to location records. There is a legitimate concern that such untrammelled power has the potential to be misused. Checks and balances in the form of minimisation and oversight procedures have not been able to cope with the data deluge. While a global debate is on in the wake of the Snowden revelations about the US and other countries using the current dominant positions of their internet companies to collect intelligence, countermeasures might result in a reduction in external surveillance, not necessarily internal monitoring.

    The Central Monitoring Service is currently an open source intelligence gathering service under the National Technical Research Organisation (NTRO). While there have been reports that the CMS has also been tasked with analysing internet content, the establishment of such a system is still in the early stages, and in no way compares with the scale and size of the surveillance capabilities of the US National Security Agency.

    National Cyber Security Policy 2013: An Assessment

    The public-private partnership and emphasis on research and development are the key features of the document calling for collaborative engagements and operational cooperation with industry and academia.

    August 26, 2013

    Sivaramakrishnan asked: What are the basics of cyber security?

    Reply: Kindly refer to the IDSA Task Force Report (2012) on “India's Cyber Security Challenges” (free download) and the Keynote Address delivered by India’s National Security Advisor Mr. Shivshankar Menon at the release of the report on May 16, 2012.

    Also refer to the following IDSA publications:

    Ajey Lele, “Cyber Security Dilemma”, IDSA Comment, June 18, 2013.

    Arvind Gupta, “CBMs in Cyber Space: What Should be India’s Approach?”, IDSA Comment, June 27, 2012.

    Cherian Samuel, “Emerging Trends in Cyber Security”, IDSA Comment, March 28, 2012.

    Amit Sharma, “Cyber Wars: A Paradigm Shift from Means to Ends”, Strategic Analysis, Routledge, 34 (1), January 2010.

    Subimal Bhattacharjee, “The Strategic Dimensions of Cyber Security in the Indian Context”, Strategic Analysis, Routledge, 33 (2), March 2009.

    Cyber Security Dilemma

    Any cyber architecture can be viewed as a double-edged sword – either ignore it and be exposed or use it to one’s advantage. Cyber espionage is here to stay.

    June 18, 2013

    Sonny asked: Is cyber warfare actually a war? How does it affect India's security?

    Reply: Refer to the IDSA Task Force Report titled, “India's Cyber Security Challenges”; and, the Edited Transcript of IDSA Cyber Security Report Release & Panel Discussion, including the Keynote Address by Amb. Shivshankar Menon, National Security Advisor, May 16, 2012, at

    Also, refer to the following:
    Arvind Gupta, “CBMs in Cyber Space: What should be India’s Approach?”, IDSA Web Comment, June 27, 2012.

    Cherian Samuel, “Emerging Trends in Cyber Security”, IDSA Web Comment, March 28, 2012.

    Amit Sharma, “Cyber Wars: A Paradigm Shift from Means to Ends”, Strategic Analysis, 34 (1), January 2010.

    Subimal Bhattacharjee, “The Strategic Dimensions of Cyber Security in the Indian Context”, Strategic Analysis, 33 (2), March 2009.

    China’s ‘String of pearls’ in Space

    A ‘pearl’ could be viewed as a sphere of influence seeded, secured and maintained through the use of economic, geopolitical, diplomatic or military means. The ‘string of pearls’ is about China’s unambiguous maritime strategy that invests in increasing its sea power. This is essentially a multi-pronged strategy that challenges dominant US interests in the Indian Ocean and sends a clear message to India that the Indian Ocean is not India’s ocean by increasing the dependence of the littoral states in the region on China.

    March 21, 2013

    Jaya Pradeep asked: What are the pros and cons of India agreeing to International Telecommunication Regulations (ITRs) especially from the point of view of internet, free speech, cyber security, etc?

    Cherian Samuel replies: Signing the ITRs would have made very little difference within India since there is comparatively very little regulation within the country. However, it could have provided a fig leaf to the actions of governments that have tried to tightly control internet content in other countries.

    In and of themselves, the proposed ITRs are quite innocuous, with even the contentious provisions, such as Article (5A) on the "Security and robustness of networks" and Article (5B) on "Unsolicited bulk electronic communications" or spam, being, on the face of it, necessary for the well-being of cyberspace. At the same time, the apprehensions that these provisions would be liable to misuse through deliberate misinterpretation are also well-founded given attempts at controlling the Internet by several countries. The passing of these ITRs would have legitimised such efforts and this was the reason why there was opposition on the part of other countries to bringing the Internet within the ambit of the ITRs and giving a greater role to the International Telecommunication Union (ITU).

    India, with the third largest Internet user base, is increasingly seen as a swing state on matters of internet governance. The Indian Government decided to take a considered view on signing the ITRs and is one of the 45 countries that have deferred that decision. Countries have to ratify the ITRs by January 1, 2015.

    Some takeaways from the Budapest Conference on Cyberspace

    Even as imagined and real cyber security threats scale new heights, the story coming out of the recently concluded Second International Conference on Cyberspace in Budapest was one of a widening gulf between countries, notwithstanding the stated intent of bridging differences through dialogue.

    October 11, 2012

    Ganesh Pol asked: Why did we fail to detect and diagnose the cyber terror attacks on our leading IT city despite the fact that it emanated from a very "traditional source"?

    Cherian Samuel replies: To recap the sequence of events leading to Bangalore, on the 20th of May 2012, a 26-year-old woman was murdered in the Rakhine State of Myanmar. The ensuing riots that started in Myanmar around the 3rd of June left 80 dead and 80,000 displaced. Pages were created in Pakistan and West Asia, and even as far as Australia, containing misleading information and morphed pictures and placed on Facebook and other social networking sites and websites, primarily to incite the population in those countries to rise up in protest. These had the desired effect not just in those countries but also in India where they were juxtaposed with unconnected incidents in Assam to inflame passions and the threat of violence against people from the North-East of the country.

    Detection of misinformation on social media of the type that led to the events in Bangalore is not possible without the creation of considerable investment in different capabilities. If one considers the data flowing through the social media networks, as per statistics, Facebook gets 5 billion pageviews a month in India alone, and YouTube gets about a billion pageviews. On a global scale, 60 hours of video are uploaded to YouTube every minute and 4,000 tweets are sent every second. Moreover, there is a very thin line between monitoring data and monitoring content and there is a big question mark as to whether monitoring data alone will be sufficient. There are many issues to be resolved before an efficient monitoring mechanism can be put in place.