Monday, December 05, 2011

India: an army of ethical hackers

For the coming cyber war, an army of geeks offers India its services.

By Jason Overdorf
GlobalPost (December 5, 2011)

NEW DELHI, India — To paraphrase an old saw: It takes a geek to catch a geek. That's the logic behind a new Indian response to the growing threat of cyber war, anyway.

Indian authorities were stunned by the impact of the Stuxnet virus on Iran's nuclear facility at Natanz last year. Now, in the wake of repeated assaults on Indian company and government web sites, an organization of self-professed "white hat" hackers is recruiting its own army.

“If you see the statistics, less than 15 percent of Indians use the internet, but we are already No. 1 when it comes to virus infections and we are No. 2 in cyber crimes,” said Rajshekhar Murthy, an Indian hacker and entrepreneur.

Last month, at Malcon — the malware conference Murthy founded in 2010 — the security expert's nonprofit Information Security and Analysis Center (ISAC) unveiled plans to create a national registry of hackers with the training to protect the country's critical electronic infrastructure.

Called the National Security Database (NSD), the body will accredit and train hackers who pass an exam that will cost about $500 a whack.

“The NSD is a project to address the broader need, not just to identify the best security professionals in India,” said Murthy. The idea is to identify “where these professionals can assist the country not only in solving cyber crimes but in addressing policy issues and assisting in reforms to create better governance of IT security across critical infrastructure projects.”

Not a moment too soon, either.

“As the government is trying to spread its reach through financial inclusion and e-governance projects, it's crucial that we are able to handle cyber crime,” said Murthy.

At a curtain raiser for next year's Global Cyber Security Summit in New Delhi, Information Technology Minister Kapil Sibal called for just such a community of ethical hackers last week.

And for good reason. Already, a drive to eliminate corruption and increase efficiency through e-governance had made many government services vulnerable to attack, and Sibal aims to introduce a bill in parliament this session mandating that all government services be automated.

"To combat cyber crimes and make the cyberspace secure, there is a need for greater government-to-government collaboration on sharing of information, global vision to deal with hackers, legal framework that addresses the requirements at the global, and wider public-private collaboration," Sibal told reporters last month.

Last year, state-owned ONGC found some of its oil rigs had been infected by Stuxnet — and only narrowly escaped catastrophe because they operate on ABB, not Siemens, systems, according to a recent report in India's Tehelka magazine. Similar virus problems were detected at a power generation facility in Gujarat and a communications satellite providing the feed to state-owned Doordarshan television and several DTH broadcasters.

And researchers from the Munk School of Global Affairs at the University of Toronto claimed in 2010 that Chinese hackers had cracked Indian government computers to dig out sensitive information related to defence, foreign affairs and the Dalai Lama, according to another report.

But can a team of rogue operators compete with state-sponsored cyber espionage?

When Stuxnet hit Iran, experts immediately fingered Mossad and the CIA because the man-hours needed to create the complex worm more or less guaranteed it was a state-sponsored project. And one of the biggest failures of India's intelligence agencies is that they rarely listen to each other — much less to outsiders who literally speak in code.

http://www.globalpost.com/dispatch/news/regions/asia-pacific/india/111204/india-hackers-technology-computers