India’s Cybersecurity Challenge

India has a big job on its hands as it tries to drive a culture of cyber security through a country of 1.2 billion people. Danny Bradbury reports on its progress

In 1947, on opposite sides of the globe, two things were born. One was very large, and one was exceedingly small. Modern India came into being, after the signing of the Indian Independence Act by the British. Meanwhile, in a California laboratory, William Shockley and his colleagues invented the first transistor.

Over the next 60 years, the two would develop together in a way that no-one could have imagined. The transistor would become so small that 2.5 billion of them would fit on a chip. India’s economy would balloon to be the third largest in the world (by OECD measurements) – and technology would be one of its driving forces. Now, India can no longer ignore its IT security responsibilities. The country, which recently launched its own cybersecurity policy, is taking steps to establish its credentials as a secure place for data to be stored and processed.

Technology is a fast-growing phenomenon in India. It has a maturing outsourcing segment that indigenous IT industry body NASSCOM says topped $100 billion in total revenues in 2012. Consumer-focused IT, however, is less prevalent. The consulting firm McKinsey says the Indian e-commerce market has grown an average of one-third each year since 2005. It will reach $2 billion in revenue by 2015, at which point India will have 38 million active online shoppers. Compared to the US, these numbers are minuscule, but they show promise for the Indian market.

“India is in a unique situation. They have a lot of highly educated people in the country but also large parts of the country that are still developing, creating a low penetration rate for the internet”, says Karl Rauscher, CTO of the EastWest Institute, a global think-tank that focuses on challenges to world peace. “Yet they are also a contributor. They are one of the largest software producers in the world.”

This contrast begs the question: as India’s IT status grows, is its cybersecurity keeping up with growth in the IT sector?

Growing Pains

India is waking up to cybersecurity, observes Naveen Hegde, research manager for Asia-Pacific software at IDC, the IT analyst firm. Nonetheless, cybersecurity initiatives have largely been reactive, with modest acceptance. “Security is still a check-the-box exercise for many organizations, with spending limited to whatever is needed to survive compliance audits”, he warns.

There is lots of room for growth as Indian organizations begin to acknowledge the need for better cybersecurity. PricewaterhouseCoopers says the information security market in India will grow by 18% this year, adding that regulatory compliance is a key driver.

Anand Naik, managing director of sales for India at Symantec, agrees that regulators are pushing the issue. “This is a fast-developing market, with regulators in industries such as telecommunications, BFSI (banking, financial services, and insurance) and government taking significant steps in building awareness and creating frameworks or mandates that encourage organizations to follow best practices”, he says.

Making it Official

India has come some way toward implementing security regulations in specific verticals, along with a couple of key regulations across the board. The watershed regulation was the IT Act 2008. This amended an original 2000 Act, adding specific information security and privacy measures. It also labeled cyber crime a punishable offense under the Indian Penal Code.

In 2011, the Reserve Bank of India (RBI) introduced a set of recommendations, including the formation of separate information security groups within banks. The recommendations also suggest banks maintain adequate resources proportional to their size and scope of operation. They clearly pointed to financial institutions as ultimately responsible for their own information security and advocated for CISO positions within each.

Most recently, India’s new national cyber security policy set out plans for an effective IT security framework throughout the country, and includes several priorities. A 24/7 mechanism for cybersecurity emergency response is among these, creating situational awareness regarding threats to information and communications technology (ICT) infrastructure. The policy also promises a legal framework for safe operations in cyberspace.

IDC’s Hegde says that the policy focuses not just on government entities and big business, but on home users too. “It aims to create a secure computing environment, and build capacities to strengthen the current setup with focus on manpower training”, he observes.

More Demand

One hope is that the new national policy will help protect personal information during processing, handling, and storage. “The policy clearly says that the issue of cyber security needs to move beyond traditional technological measures such as anti-virus and firewalls”, Hegde explains. “This will certainly drive demand for more advanced security solutions, and will create more infosecurity professionals.”

The country is preparing to train a lot more of these professionals. National Security Adviser, Shivshankar Menon, said last year there was a “critical shortage” of cyber security professionals. Menon unveiled a report from a joint working group exploring public–private partnerships on cybersecurity. It recommended establishing a competency framework for cyber security skills, including a set of certification schemes.

Kamlesh Bajaj, head of the Data Security Council of India, announced last October that it would train half a million cyber security experts in the next five years. As part of the initiative, an Institute of Cyber Security Professionals of India would be created for security testing and auditing, and police would also be trained in cyber crime investigations.

Some 10,000 of these experts are likely to come from a partnership between the EC-Council, which runs the Certified Ethical Hacker program, and the Institute of Advanced Network Technology, a for-profit organization involved in Indian IT training.

These private–public partnerships will become increasingly important in combating cyber crime, because security advocates need industry on board. For many businesses, funding security efforts can be a problem, even if the will is there. Deepak Rout, who was the chief security advisor and director of privacy at Microsoft India until summer 2012, predicts that 60% or more of tier-one companies will already employ a CISO if their sector is heavily regulated. There are many sectors that are critical to the country that don’t have regulations, he adds, including manufacturing.

Even for companies that have been told to tighten up security, it can be hard to find the wherewithal to execute. “That monitoring and testing ability is a critical requirement for cyber security, and telecom providers need a competent security operations center to have adequate security visibility”, Rout explains.

For second- and third-tier companies, pushing security through is a struggle. “Huge investments are essential to developing adequate security oversight capacity and may not always be viable from a business perspective”, he argues.

In fact, putting regulations into practice is one of the biggest challenges facing Indian authorities. Rout gives the RBI guidelines as an example. “It is world-class, but there’s a big gap between adoption in letter, and [in] spirit. To enforce, it requires a large body of auditors to validate.”

The other issue is the fragmented approach to cybersecurity. Aside from industry and central government, there is another stakeholder in Indian cybersecurity: local states. There are 28 of them, and seven union territories. Individual states in India have a large degree of control over localized cybersecurity efforts.

Eyes of the World

As India deals with these issues internally, the world’s eyes are upon it. As a major hub of IT and business process outsourcing, it must continue to be seen as a trustworthy destination for the world’s data. And yet, the nation has had its problems.

US authorities recently highlighted data breaches at EnStage and ElectraCard Services, operating in Bangalore and Pune. These two credit card processing companies were declared the weak links leading to a global banking heist that saw $45 million stolen from ATMs, according to Reuters. So, how safe is the West’s data in India?

IDC’s Hegde remains unfazed. Data breaches like these will happen, but they are also far more common in the US. Ultimately, the responsibility rests with the client that’s outsourcing its data processing, he says. “There is a need for stricter SLAs [service level agreements] between the Indian outsourcing firms and their international clients. Further, it’s essential that there is a regular audit of these SLAs”, he asserts.

While India continues to grapple with these domestic issues, it faces challenges on the world stage. The country is not a signatory of the European Convention on Cybercrime, even though many other non-European countries have jumped on board. Australia ratified and put the law into force this year, as did the Dominican Republic. Japan has enacted it, and both Canada and South Africa have signed it. The US has also ratified the agreement.

This absence disappoints Rauscher. “In the whole area of harmonizing legal frameworks, there’s really a missed opportunity in the fact that there’s a lack of co-ordination across borders”, he says. But there are signs that local Asian cybersecurity partnerships could be developing. At the Third International Summit on Cyber Security, held in New Delhi last year, the leaders of the Chinese and Indian Computer Emergency Readiness Teams (CERTs) agreed to cooperate with each other on fighting spam and botnets. “Recently, India has been identified as a top contributor of spam internationally, but what we have seen as a summit is that they have taken these messages very seriously”.

In the short term, India has much to do as it confronts the same cybersecurity issues faced by the rest of the world. The legislators are hard at work, but with an apparent disconnect between what happens on paper and what’s done in practice, it will take a cultural shift before it can steer itself into safe waters.

On the other hand, the nation’s attempts to bolster its cybersecurity expertise are admirable, especially given the already strong competition for IT staff in a growing Indian technology economy. Fortunately, the government is taking positive legislative measures to focus the lens on cybersecurity.

A Cisco Router Speed Test

In my previous blog, I explained how I confirmed that my client’s wireless equipment would be able to handle a planned increase in bandwidth of a wireless WAN at a remote site. My next step in this network upgrade project was testing the router to make sure it also can handle 100 Mbps, up from 60 Mbps.

The client’s router is a Cisco Integrated Services Router 2821, which is no longer supported by Cisco. Unfortunately, my client can’t afford to replace equipment as soon as it is out of support. Like most small IT shops, this company runs equipment until it fails.

To start, I went to Cisco’s website and found a performance table that showed it could handle 87 Mbps using Fast/CEF switching. However, the table also shows that the tests were performed using 64-byte packets. Most links have a variety of packet sizes, so 64 bytes is a bit too low for our purposes. Not only is the packet size an issue, but depending on the router’s configuration, performance will change.

The best thing I could do was to take a backup router that has the same configuration and specifications as the production router and run some of my own tests. I did not have access to traffic generation or service-level test tools, so I simply used two laptops running iperf. Using Windows laptops isn’t optimal, but that’s all that I had.

My first test is to establish a baseline of laptop performance. I removed all unnecessary protocols from the laptop network adapters, leaving only IPv4, and disabled the WiFi adapters since the wireless adapters had internet access and the testing was conducted via their gigabit Ethernet ports. I disabled the firewall and made sure no applications were running in the background. Finally, I connected the laptops directly to one another using a patch cable. Since Microsoft uses Automatic Private IP Addressing when DHCP is not present, I didn’t have to bother with static IP addresses. My goal with this test is to ensure that the laptops can generate more than 100 Mbps since that is the proposed new service speed.

When using the iperf server, I configured the window size for 65 kilobytes to maximize throughput since the default was 8K. The client was configured with the same window size parameter and a -r to perform a download in addition to the default upload test.

In these kinds of situations, I prefer to run five tests to get a representative sample. Sometimes I drop the highest and lowest values to eliminate any anomalies but decided not to in this case.

Cross-over cable test

Server command: iperf -s -w 65k

Client command: iperf -c darth -w 65k -r

This shows that the laptops can clearly generate more than 100 Mbps on a consistent basis.

Router with routing test

With this next test, I configured the test router the same way as the production router with the exception of NAT. I wanted to perform a NAT test separately, to better document its impact on performance.

The laptops required static IP addresses and a default gateway to traverse the router.

Since this testing used laptops running Microsoft Windows, these results were effectively the same as the first. Since iperf will use the largest packet available, this test also proves that we get more throughput than Cisco documented.
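The five-run method and the packet-size point above, as an added example that is not part of the original post: it parses iperf 2 summary lines, averages the runs with and without the highest and lowest values, and converts Cisco's 87 Mbps at 64 bytes into a packet rate for comparison. The sample lines are constructed, and the 1500-byte packet size, the function names and the reading of the router's limit as a packet rate are assumptions.

```python
import re
from statistics import mean

# Constructed iperf 2 summary lines for five runs (not the author's results).
SAMPLE = """\
[  3]  0.0-10.0 sec   372 MBytes   312 Mbits/sec
[  3]  0.0-10.0 sec   355 MBytes   298 Mbits/sec
[  3]  0.0-10.0 sec   364 MBytes   305 Mbits/sec
[  3]  0.0-10.0 sec   383 MBytes   321 Mbits/sec
[  3]  0.0-10.1 sec   225 MBytes   187 Mbits/sec
"""

# Interval, transfer amount, then bandwidth with a K/M/G prefix.
LINE = re.compile(
    r"\]\s+[\d.]+-\s*[\d.]+\s+sec\s+[\d.]+\s+\w+\s+([\d.]+)\s+([KMG])bits/sec")
TO_MBPS = {"K": 1e-3, "M": 1.0, "G": 1e3}


def parse_mbps(text):
    """Return the bandwidth of each summary line in Mbit/s."""
    return [float(v) * TO_MBPS[u] for v, u in LINE.findall(text)]


def summarize(rates, target_mbps):
    """Mean of all runs, mean without the highest and lowest, and a pass flag."""
    if len(rates) < 3:
        raise ValueError("need at least three runs to trim the extremes")
    trimmed = sorted(rates)[1:-1]
    return {
        "mean": mean(rates),
        "trimmed_mean": mean(trimmed),
        # Require every run, not just the average, to beat the target.
        "meets_target": min(rates) > target_mbps,
    }


def packets_per_second(mbps, packet_bytes):
    """Packet rate needed to carry `mbps` at a fixed packet size."""
    return mbps * 1e6 / (packet_bytes * 8)


if __name__ == "__main__":
    print(summarize(parse_mbps(SAMPLE), target_mbps=100))
    # Cisco's 87 Mbps at 64-byte packets, expressed as a packet rate.
    print(round(packets_per_second(87, 64)))
    # 100 Mbps at an assumed 1500-byte packet needs far fewer packets.
    print(round(packets_per_second(100, 1500)))
```

Under the packet-rate assumption, 100 Mbps of full-size packets needs roughly a twentieth of the packet rate implied by the 64-byte figure, which is consistent with the test exceeding the documented number.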

The last test involved NAT, so I added the applicable NAT commands and static maps. Unfortunately iperf was unable to perform a download (-r), so I simply reversed client and server roles.

Iperf through router with NAT

These results are the most interesting of all since you can clearly see that performance decreases and that one interface outperforms the other depending on its role (inside vs outside).

In the end, I proved that the existing router can handle the 100 Mbps service using some laptops, iperf, and a consistent methodology.