On August 15, 2012, in what Vanity Fair dramatically termed "history's first known cyber war", hackers calling themselves the Cutting Sword of Justice inserted a sophisticated virus called Shamoon into 30,000 computer hard-disk drives in the headquarters of Saudi Arabian oil giant Saudi Aramco.
Soon after the Shamoon attack, it became clear that Washington did not regard this as the work of amateurs. Speaking publicly in New York on October 11, 2012, then US Defence Secretary Leon Panetta, who had often raised the spectre of a "cyber Pearl Harbour", described what could happen in such an attack.
America is hardly the only one in this game, with China reportedly nurturing a sophisticated cyber warfare capability with which to target US computer networks as a part of its strategy of "asymmetric warfare". In March, security consultancy firm Mandiant accused the Shanghai-based People's Liberation Army Unit 61398 of stealing commercial secrets from US companies.
But the government has understood that an ostrich-like response to the digital threat - which is to have as little digitisation as possible - is not a viable, long-term strategy. The economic ministries are finding that volumes of data are becoming larger and larger. And the compulsion for more open governance requires the Internet to be harnessed, mastered and adequately secured.
This makes users vulnerable. Intelligence sources say, in the recent past, malicious activities against Indian networks have originated from hosts in 20 different countries: US, Brazil, Nigeria, China, Iran, Russia, North and South Korea, Japan, Taiwan, Australia, Ukraine, Romania, Israel, France, UK, The Netherlands, Germany, Poland and Pakistan. "As India becomes more networked, we will become more vulnerable to cyber attack. Coordinating between multiple agencies will become a growing challenge," says a top government cyber security official.
Under the National Security Advisor (NSA), the government has begun rolling out an expansive cyber security policy. This aims to create a secure computing environment and generate the high level of public trust and confidence in electronic transactions that is essential for a modern e-economy. The new framework is rooted in the Information Technology Act 2000, specifically Sections 43, 43A, 72A and 79 which require companies to comply with data security and privacy protection. On May 8, the Cabinet Committee on Security cleared a National Cyber Security Framework. Senior officials who are spearheading this effort describe it as a "multi-layered approach that ensures defence in-depth." Put simply, that means making things difficult for a hacker - he must have to hack through successive layers of defences in order to breach the network.
In all this, the private sector has been allowed an unprecedented role in partnering government bodies. In July 2012, a joint working group was set up with representatives from both the public and private sectors, which considered how the two could work together. On Oct 15, 2012, the group's report was released by NSA, laying out a roadmap for engaging the private sector.
Besides incorporating the private sector, the new policy also appears to have successfully bridged the federal divide between central and state governments. Unlike the National Counter Terrorism Centre, which many state governments had opposed as an infringement on their federal autonomy, almost every state is cooperating wholeheartedly on cyber security.
Then there is the Indian Computer Emergency Response Team (CERT-In), with its network of sector-specific CERTs, which is designated under the Information Technology Amendment Act, 2008 as the national custodian of information relating to cyber-security. Its job is to issue forecasts and alerts, coordinate responses to incidents of cyber-attack, and issue guidelines and advisories as required. CERT-In is also required to conduct regular cyber-security drills, within the country and bilaterally with other countries.
Preparing for the time when India's power grids and transport systems are networked over the internet, the National Critical Information Infrastructure Protection Centre is being set up. To remain state-of-the-art in a field in which last week's technology is already out-dated, a high-powered committee under the Principal Scientific Advisor to the government will control a national R&D fund that will set priorities for research and indigenisation. Backing this up will be a Centre of Excellence in Cryptology, which will be set up in IIT Kolkata.
But the big question remains: is India's cyber establishment purely defensive, or have our cyber czars begun creating the cyber-kinetic attack capabilities that can destroy enemy equipment and infrastructure - assets that the US and China have painstakingly built?
Along with the initiative to protect computer networks, the government is also moving boldly into the sensitive realm of information monitoring. A recent Reuters report says that New Delhi has launched a massive surveillance programme, called Central Monitoring System, which is reportedly capable of monitoring all of India's 900 million landline and mobile phone subscribers and 120 million internet users.
Making the new system unusually draconian is the discretion it provides bureaucrats to approve requests for surveillance, which can be made by any one of nine government agencies, including the Central Bureau of Investigation, Intelligence Bureau and Income Tax Department.
The recent expose on the US government's monitoring of communications through the so-called Prism project and the worldwide outrage that it led to highlighted an increasingly vociferous debate over cyber security: between security on the one hand and privacy and civil liberties on the other.
Meenakshi Ganguly, the South Asia director of Human Rights Watch, points out that Indian agencies tend to leak data that should remain private. "There is always the danger of private data and conversations going out to unauthorised recipients. A central monitoring system is vulnerable to misuse. An innocuous comment can be interpreted as a threat to someone or something; and we have seen that the response of the state can be ugly," she says.
"We need a new set of very tight laws. If we are going to live with surveillance, we need an internationally accepted protocol that protects the public from misuse of data. Unless that comes into place, the central monitoring system will be misused by apparatchiks," says Ganguly.