July 8, 2006

When India tested its nuclear weapons in 1998, the US got a shock of
significant magnitude. CIA officials said they did not know about the
tests until then prime minister Atal Bihari Vajpayee went on television to
announce it four hours after the event. Till then, the seismic data, from
which the test could have been detected, had apparently not been analysed
yet. The fleets of US spy satellites had been fooled; the multi-billion
dollar intelligence network of the only superpower on earth had egg on its

This spurred the US to focus on its intelligence gathering in India. It
would appear that the efforts have borne fruit.

If the suspicions being expressed by Indian intelligence agents are true,
the US may now be in possession of information on India's war plans for the
army, navy and air force. The atomic energy establishment, which no
foreign agency is known to have breached significantly in the past, may
also have been compromised. Even ISRO data is thought to have leaked to
the US spy agencies. Put together, it represents a leak of massive

It happened because of some smart work on the part of the US agents, and
the curious chalta-hai type of loophole that is so typical of India. The
National Security Council Secretariat, the repository of all this
information, is not secured anywhere near as well as the individual
intelligence agencies and military headquarters are. In fact, even its
staff comprises a large number of part-timers on short contracts. Many of
them receive meagre salaries in the range of Rs 15,000-Rs 20,000 a month.

The story so far is that SS Paul, a disgruntled computer analyst with the
NSCS, passed on secret data from NSCS computers to Rosanne Minchew, third
secretary in the US embassy in Delhi, for $50,000 (Rs 23 lakh). He did
this by storing the data on USB drives and taking it out. The operation
was on for about a year. Paul eventually got caught because a wing of
Delhi Police knew Minchew's role in the US embassy. They put her mobile
under observation and found she was receiving SMS from a number that
turned out to be Paul's. He was put under surveillance, and was found to be
passing classified information to her.

Investigations in the case showed that Paul had been introduced to Minchew
by Commander Mukesh Saini of the NSCS. Saini was the man heading the
National Information Security Coordination Cell, and was an important part
of the Indo-US Cyber Security Forum. In his capacity as National
Information Security coordinator, he was in touch with sector cyber
security officers and systems administrators in various ministries,
departments and security forces. Investigators now believe Paul was not
the only one who Saini introduced to US intelligence. At least five others
are under suspicion for passing information to Paul, who passed it further

The case has prompted the Intelligence Bureau to ban cell phones with
advanced features from its premises. It already has software, specially
developed for its use, to detect the use of USB drives on its intranet.
This software logs the time a USB drive is inserted into a computer and
the time it is taken out, gives the ID of the computer and its user, and
lists the files accessed. The log report is sent to a designated computer.
This software was not deployed at the NSCS. Sensitive ministries and
departments also don't have this software.

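The report described above (insertion and removal times, computer ID, user, files accessed) can be assembled from raw endpoint events. The following Python code is an added example, not the Intelligence Bureau's software; the event format, host names, user names and file paths are constructed for illustration.

```python
from datetime import datetime

# Constructed sample events in a hypothetical "timestamp host user event detail" format.
SAMPLE_EVENTS = """\
2006-07-03T10:02:11 ws-014 analyst1 usb_insert -
2006-07-03T10:03:40 ws-014 analyst1 file_access /srv/docs/report_a.doc
2006-07-03T10:05:02 ws-022 clerk7 file_access /srv/docs/memo.txt
2006-07-03T10:06:19 ws-014 analyst1 file_access /srv/docs/report_b.doc
2006-07-03T10:09:55 ws-014 analyst1 usb_remove -
2006-07-03T11:30:00 ws-031 admin2 usb_insert -
2006-07-03T11:31:12 ws-031 admin2 file_access /srv/docs/plan.xls
"""

def build_sessions(text):
    """Group events into one record per USB session, keyed by computer."""
    open_by_host, sessions = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event, detail = line.split(maxsplit=4)
        when = datetime.fromisoformat(ts)
        if event == "usb_insert":
            session = {"host": host, "user": user, "inserted": when,
                       "removed": None, "files": []}
            open_by_host[host] = session
            sessions.append(session)
        elif event == "file_access" and host in open_by_host:
            # Only accesses made while a drive is attached belong in the report.
            open_by_host[host]["files"].append(detail)
        elif event == "usb_remove" and host in open_by_host:
            open_by_host.pop(host)["removed"] = when
    return sessions

def format_report(sessions):
    """Render the lines that would be sent to the designated log computer."""
    rows = []
    for s in sessions:
        # A session with no removal event is reported as still open.
        removed = s["removed"].isoformat() if s["removed"] else "STILL ATTACHED"
        rows.append(f'{s["host"]} {s["user"]} in={s["inserted"].isoformat()} '
                    f'out={removed} files={",".join(s["files"]) or "-"}')
    return rows

if __name__ == "__main__":
    print("\n".join(format_report(build_sessions(SAMPLE_EVENTS))))
```

A drive that is never removed shows up as an open session, and file accesses on machines with no drive attached are left out of the report.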
However, the problem is being seen by experts as more human than technical.
If the people tasked with cyber security themselves sell out, it can't be
considered a technical failure, they point out.

Cyber security expert Subimal Bhattacharjee points out that India does not
have a policy on critical infrastructure protection. Moreover, security
systems are not properly deployed, he adds, otherwise checks and balances
would exist so that a person's colleagues would get to know if he was
taking out data. His views are echoed by J Prasanna of K7 Computing, who
says system administration and cyber security responsibilities should
never be concentrated in one person. Banning cellphones, or USB devices,
or keeping computers off the Internet do not ensure security, he adds.
Monitoring use is a better option.