The National Cyber Coordination Centre (NCCC) is considered to be one of the several tools being built by the government to monitor the country's web traffic. At a time when the recent exposé of the US' PRISM programme has the entire world worried about its privacy online, NCCC has already received much flak from the country's privacy activists for being a snooping tool.
But is it?
While privacy experts have slammed the project for arming the government with unprecedented powers to monitor web content in the garb of national security, the government says their reactions are knee-jerk and the arguments are based on incomplete knowledge of the project.
Supporters of the project claim that in the wake of rising cyber threats to the country's internal and economic security, the government has a strong case for the project which will just track the internet traffic flowing through the country, without watching the content. Business Standard gets a sneak peek into the functioning of the project and here is the government's version of the project as it sees it, along with two expert takes on the project just as they said it.
So, is NCCC a potential snooping tool of the future or is it an honest effort by the government to fight cyber crime? You decide.
According to three government officials closely associated with the project, who did not want to be identified, the intent is to watch the traffic flowing through the internet pipes of the country. The idea is to check malicious activity in general and in strategic sectors and sensitive government organisations in particular, without accessing the content.
"It is like knowing who is posting letters to whom without opening them to see what is written inside," said one of the officials.
Currently, the government wakes up after an attack. In most cases, the attacks go unreported. With this system in place, there will be some visibility about the state of traffic in the country, and information on where the higher volumes of traffic are coming from, where the malicious content is flowing from, where the botnets are located, from where the viruses are spreading, etc.
At the moment, it is being done by private companies like Symantec, IBM and TrendMicro, which are running enterprise level security operation centres. They have a group of enterprises for whom they are doing similar kind of activity. But, that visibility is not there at the country level, a problem which this tool will fix.
On why it should not be construed as a snooping tool, the officials said the network flow analysis, which they were doing, was like getting a phone bill with details of calls made, numbers, durations, etc, without the actual conversation. "In wire tapping, it's a full packet capture. So you are able to listen to the full conversation. But here, I am not doing that. If I have to capture the entire packet, I will have to duplicate that or create a mirror image. So, I will have to put some kind of a port mirroring device to capture the entire traffic. But if I have to just monitor the traffic flow of any organisation, I don't have to put any hardware. That feature is already available in the router and only a command has to be enabled for it." The flow doesn't collect any data and is non-intrusive, officials claim. "There is nothing malicious in it. All countries have a body such as NCCC."
The major activity involved in NCCC will be traffic analysis. Most organisations have a traffic pattern — for instance, when there is a surge in usage or a dull period. In NCCC, these flows will come from different networks, and on that basis, the traffic will be analysed and anomalies will be identified. For instance, if there is a break in traffic, it will immediately be noticed. The traffic flow will be at the country level, not just at the organisational level.
The traffic coming into the country as well as that going out will be seen. In case of an external attack, the traffic will be cut off at the external gateway itself. All important government websites are hosted on the National Informatics Centre network, which will be studied by NCCC. Other important government websites can be monitored separately. For detection of attacks, two techniques will be deployed — pro-active technique and defensive technique. In the pro-active technique, the attack can be seen as coming by the use of network traffic flow analysis. Honey nets or pots are deployed which act as lures for attackers.
In the defensive technique, immediate action can be taken after an attack has been identified.
The data which is actually captured includes: time of usage, date, duration, interface, flags, source internet protocol, destination internet protocol, source code, destination code, packet size and the number of packets.
"If somebody is trying to hack into a website, it requires deeper inspection of the packets. So, we will not be able to tell that, but if someone is doing continuous spamming, we will be able to very easily track that," one of the officials said.
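What the officials describe, metadata-only detection of a bulk mail sender, can be shown on a handful of flow records. The following is an added example, not part of the original article and not NCCC's code; the record layout assumes port numbers are present as in NetFlow v5, and the addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    """One flow record: header metadata only, no payload (assumed layout)."""
    start: int       # epoch seconds when the flow began
    duration: int    # seconds
    src_ip: str
    dst_ip: str
    dst_port: int
    tcp_flags: int   # OR of TCP flags seen in the flow
    packets: int
    octets: int

SMTP_PORT = 25

def spam_suspects(flows, window=300, min_flows=20, min_dests=15):
    """Sources opening many SMTP flows to many distinct hosts inside one
    time window. Thresholds are illustrative, not tuned values."""
    buckets = defaultdict(lambda: [0, set()])  # (src, window) -> [count, dests]
    for f in flows:
        if f.dst_port != SMTP_PORT:
            continue
        entry = buckets[(f.src_ip, f.start // window)]
        entry[0] += 1
        entry[1].add(f.dst_ip)
    return sorted({src for (src, _), (n, dests) in buckets.items()
                   if n >= min_flows and len(dests) >= min_dests})

def build_sample():
    """Constructed sample using documentation address ranges."""
    flows = []
    # One host contacting 40 different mail servers in about 200 seconds.
    for i in range(40):
        flows.append(Flow(1000 + i * 5, 2, "192.0.2.10",
                          f"198.51.100.{i + 1}", SMTP_PORT, 0x1B, 12, 4800))
    # An ordinary mail relay: a few flows to the same three servers.
    for i in range(6):
        flows.append(Flow(1000 + i * 30, 3, "203.0.113.5",
                          f"198.51.100.{i % 3 + 1}", SMTP_PORT, 0x1B, 14, 5200))
    # Two HTTPS flows to one web server. Whether either carried an intrusion
    # attempt cannot be read from these fields; the records look the same.
    flows.append(Flow(1010, 4, "192.0.2.77", "203.0.113.80", 443, 0x1B, 20, 9000))
    flows.append(Flow(1020, 4, "192.0.2.78", "203.0.113.80", 443, 0x1B, 20, 9000))
    return flows

if __name__ == "__main__":
    print(spam_suspects(build_sample()))
```

The two HTTPS records are identical apart from the source address, which is why an attempt to break into a website needs packet inspection while volume-based abuse such as spamming stands out in flow data alone.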
A detailed project report of the Rs 600-crore project, currently under the ministry of communications and information technology, is being prepared. But there is not much clarity on who will finally execute it and whether private technology companies will be roped in to build the infrastructure or the government will build it on its own.
Also, the government would not require any additional permission to build this tool, as the Information Technology Act allows it to do so. "We are not monitoring content after all," re-emphasised one of the government officials.
If the government has to snoop, it can do it irrespective of anything. The current laws allow it to monitor data flow or call records across the country. Through this tool, the government is trying to build the first layer to track the network flow, which is unencrypted.
At least, after this system, if some country is launching a cyber attack, we will know about it. Yes, the privacy concern is there to some extent. But it is a part and parcel of the game. Any country, especially a knowledge economy, needs to have a system in place. But adequate protection will also be required to make sure that it is really hard for someone to misuse it.
It will surely up the government's capability to sniff but by that logic, even the policeman on the road should not be given a pistol. He can kill but can also protect us. So we need this defence mechanism. I wouldn't worry about even a few people being snooped as I am more worried about the 1,200 million people not being safe.
It should take at least three to four years to stabilise, by when the privacy law should also be in place to avoid any indiscriminate usage.
- Sivarama Krishnan, executive director, PricewaterhouseCoopers
On the face of it, it doesn't seem like a snooping tool. But it depends on how it gets implemented. It's aimed as a tool for network monitoring, but sometimes monitoring turns into surveillance.
Someone who has the ability to look at traffic can also look at the details. But in a country like ours, some sort of control/monitoring from the security dimension is required. But it depends on where the boundary is. As long as you do it for the right perspective, it is fine but continuous mass scale snooping can be very serious from the individual's privacy perspective.
I believe we don't have serious traffic monitors, so it's for the right reasons. There are precedents of other countries also having it to monitor and control. So, it is a step in the right direction – it will give us good ability to use as a defence or as a preventive mechanism; however, if not controlled, an ability of this type can be misused and the line between national security and intrusion into privacy is just a matter of stronger executive control.
The government has authority to monitor email traffic on demand today. But it is pretty important to build this kind of capability, which takes long to build. So, we need to start now instead of waiting for things to go wrong.
- Akhilesh Tuteja, executive director, KPMG