The posting of adverse comments and content on social media websites such as Facebook and Twitter has led to many arrests recently. Gulshan Rai, director general of India's Computer Emergency Response Team (CERT-In), tells Sahil Makkar that information technology rules are well-drafted. He says the government requests social media websites to remove content only because of court orders. Edited excerpts:
There is a lot of criticism that the government is trying to censor content and wants to control events on social media.
The government certainly doesn't regulate social media with respect to the freedom of expression as enshrined in the Constitution. Whatever orders (to remove content) have been issued, are based on court directions. Organisations or individuals bring court orders for blocking information or material on the internet. We pass on these orders to the Department of Telecommunications for further instruction to internet service providers or ISPs (such as Airtel, Tata, and MTS) or intermediaries (such as Facebook or Google). We have not issued any orders on our own to block or remove content. The court orders are mostly in respect to infringing content that is against any religion or community.
So the government doesn't take down any post or content from the internet on its own?
No, we don't. We respect the freedom of expression. Not a single case has been cited by the social media to us.
The information technology (IT) rules drafted by your department are said to be draconian. Why do people get arrested for posting comments on Facebook and Twitter?
No, they are not at all draconian. Last year, we had a cyber advisory committee meeting and also an open-house session, where everyone said these rules were in order and the government had given due diligence while drafting them. This is part of the cyber advisory committee that includes the service industry and police agencies. There could be implementation issues, but not a single case has been reported to us after we issued the advisory, which was also endorsed by the Supreme Court.
But a lot of arrests are taking place these days. Are the police misusing the law?
There could be cases of ignorance. The laws were drafted on the lines of laws elsewhere in the world. The US, Australia and South Africa have the same laws. No specific instance has been brought to my notice.
Would you consider amending these laws?
No, there is no such proposal. There is nothing wrong in the law, but there could be issues in their implementation. And also, people can't abuse others on social media. We respect the freedom of expression and value it as per our Constitution.
How do you deal with Google and Twitter when they refuse legal requests to take down anti-national content from the internet?
They comply with court orders to a certain extent. When they don't, we issue the directions of blocking the webpage through ISPs. But again, it is done according to court orders. The sharing of information, however, is a problem. They don't give us any information if the internet protocol (IP) address is registered outside India. Then they ask us to come through mutual legal-assistance treaties. Such things have to be sorted out through bilateral discussions.
Do we have the power to block such websites in case they fail to comply with court directions?
Why should we think about blocking? These are issues that can be discussed among the agencies. These problems are not only in India but also in the rest of the world. We should not think of blocking websites. They do a good job by disseminating information to the society. We should try solving the problem rather than aggravating it.
CERT-In is one of the agencies responsible for cyber security in India. How safe are we?
This is an evolving area and lots of new technologies are coming up each day. With technology comes complexity and new threats. So, at no point of time can there be 100 per cent security. Till now, we have done reasonably well and the security systems are getting enhanced.
What are the key threats?
The key threats in the country are attack on general and e-commerce websites. Malware and virus are getting into the system through email, downloading of files and music, pen drives and sometimes through trusted websites as well.
Where do these attacks originate from?
It is difficult to gauge this because of the complexity of technology. We have seen attacks coming from American, European and Chinese cyberspaces. But it is difficult to pinpoint the origin of these attacks. The attackers hack systems in one country to launch an attack in another. It is difficult to collect evidence since it is scattered across different regions.
How many attacks did you handle last year?
Last year, there were around 70,000 incidents. Our efforts are to mitigate these incidents within four to five hours. In most cases, we have managed to do so. We have expertise and capabilities in almost all the realms of cyber security. Earlier, CERT was trying to handle all such incidents. But now we have subsets of CERT in various sectors such as power, telecom, energy and finance. One CERT cannot handle all sectors. CERT is working with the private sector and government agencies. The response has been very good so far.
You mentioned e-commerce sites were the main target of attacks last year. Was that so?
The attackers launched denial-of-service-attacks on these websites, so that customers couldn't use them. This restricted the websites from doing any business. Someone may have launched these attacks because of commercial reasons. Industry rivals could also be behind this.
How do you protect sectors such as nuclear installations, refineries and power grids?
So far, these sectors are fairly safe. They are not connected to the network. These sectors are modernising, but they are strengthening their capabilities simultaneously. We regularly conduct cyber mock drills and create awareness about latest threats. Two exercises with important sectors are conducted every year.
What is the private sector's response?
The private sector's response is very good. They are also charged up and have increased their investment towards cyber security.
How big is the cyber security market in India?
As of now, the cyber security market is around $500-550 million and it is growing 20-25 per cent annually.
What are the challenges you are facing?
There are many challenges in terms of people, process and technology. Incidents and attacks are getting sophisticated and new technologies are used by the perpetrators. We need to train our people, expand our capabilities and install new technologies. The challenge is to move the way cyber space is dynamically moving.
