October 20, 2016
India’s cybersecurity grid has serious chinks in its armour. A severe shortage of trained professionals and the inability to produce them could cost India dear.
Recent vandalisation of some Indian websites by hackers from Pakistan has excited public opinion in the aftermath of the surgical strikes carried out by Indian Special Forces across the the Line of Control in Pakistan-Occupied Kashmir. But the more serious attacks – before and after – have not attracted the attention they deserve.
Consider this. On July 20, a prominent public sector bank in India suddenly witnessed $ 170 million disappear from its accounts. As the cybersecurity team desperately tried to track the outflow of funds, they could see payments being shifted to at least five countries in South Asia. By afternoon, the outflow had been sent to bank accounts in Vietnam, Cambodia, Taiwan, Malaysia and Hong Kong.
The bank immediately alerted India’s Computer Emergency Response Team. India, and the country’s cybersecurity specialists began to track the transfer. Finally, they zeroed in on some key bank accounts in Hong Kong, which had received a large portion of the funds. Indian diplomats were asked to contact the bank that held the stolen money and asked to stop payouts until further notice. But the banks refused.
“They told us that they could not process the request unless we got a court order from the local courts,” a top cybersecurity official explained. “Over night we had to move papers and people to ensure that a case was filed and a stay order issued.”
On receipt of the order, the local bank in Hong Kong stopped all payouts and began the procedure to reverse the money transfer, as similar reversals were initiated in the other countries. In a matter of days, the bank was able to recover the entire $ 170 million.
One more breach
Earlier this month, a major Indian private bank received an alert from a top government official overlooking cybersecurity that a breach in their data centre had been detected. The bank, with its headquarters in Mumbai, initially refused to believe that such a breach could have taken place. However, as more data was presented to the chairperson and managing director of the bank, an investigation was carried out and the breach was confirmed.
In both cases, cyber attacks led to what could have been extremely sensitive and embarrassing hacking from abroad.
These attacks on India’s financial sector were not new. In April 2015, the Indian banking sector across the country was subjected to a distributed denial of service attack, but cybersecurity protocols in place ensured that the cyber attack did not succeed.
Nor have these attacks stopped. A malware (malicious software) had been detected this month that led to ATMs of another prominent private Indian bank being crippled.
What makes it even more serious is that these attacks are not confined to the financial sector.
Earlier this month, newspapers reported that Jammu Air Traffic Control was often jammed by Pakistani hackers when flights were coming into land. The pilots landing the commercial aircrafts suddenly heard Pakistani patriotic songs over the radio frequency they used to be in contact with the Air Traffic Control in Jammu. So far, the commercial pilots have managed to make do by turning to the Indian Air Force’s Northern Control in Udhampur for help, who in turn then call up the Jammu ATC on landline and get alternate frequency that the pilots can use to be in direct touch. How disastrous this could be if the very landing systems were targeted can only be imagined.
Recent reports in Pakistani papers quoted Pakistani hackers as claiming that they had managed to hack into the systems of the Madhya Pradesh police, which are used to track police vehicles on patrol using their GPS coordinates. Indian security officials did not consider these reports as reason for any major worry, but the fact that such vulnerabilities exist should definitely have set investigative and corrective measures moving.
It is in the light of these developments that we should look at the state of cybersecurity in India.
Earlier, in March this year, when the National Intelligence Board (a body created after the Kargil war to review major security threats) met, the first two presentations were on this very issue: the status of India’s cybersecurity.
Chaired by the National Security Adviser, Ajit Doval, the first presentation by India’s first National Cybersecurity Coordinator, Dr Gulshan Rai, pointed out the major gaps that continue to dog India’s cyber landscape.
A second presentation by officials from the National Critical Information Infrastructure Protection Centre also flagged the criticality of the threat that India faces.
The picture that emerged in these two presentations, in the words of the officials present at the meeting, was “quite grim”.
Currently, India’s cybersecurity grid suffers from several major holes. It badly needs statutory and fiscal support.
A National Cybersecurity Coordination Centre, cleared by the cabinet with a budget over Rs 900 crore, in March 2015, is still waiting to take off. This was designed to be a national Security Operations Centre, which could respond to any cyber attack as soon as it was detected. While the appointment of the first national cybersecurity coordinator quickly came through, there has been just no movement on getting this Centre operational.
The Information Technology Act 2000, passed by the Atal Behari Vajpayee government was designed to help the Indian Information and Technology industry to take off. It failed to foresee hacking and security as an emerging threat, so much so that it did not find even a mention of “cybersecurity”. This was corrected in 2008, when section 70(A) and 70(B) were introduced by way of an amendment to the Act. This broadly divided India’s cyber landscape into two halves – Critical and not-critical sectors.
Currently, the government has mandated five broad sectors as critical – power and energy, transportation, finance, information technology and strategic public enterprises.
While defence and intelligence services were also deemed critical, they were left to the Defence Research and Development Organisation. The other sectors were brought under National Critical Information Infrastructure Protection Centre, an organisation created in January 2014. Despite its shortage of staff and resources, this Centre managed to make a lot of headway by creating systems and protocols for entities in the designated critical sectors. It also came up with the draft guidelines for the power sector, which are currently with the ministry of power for final approval.
However, the biggest shortcoming has been the absence of trained manpower. “We just don’t have adequate people who have worked with Supervisory Control and Data Acquisition or Industrial Control Systems, a senior scientist, working on cybersecurity in the government said. “We also need people who understand network architecture, encryption, cryptography, but we just don’t have enough schools to produce them,” this top scientist added.
In May 2013, the then Minister for Information Technology, Kapil Sibal, had stated that India would need about 5,00,000 cybersecurity professionals. However, India seems nowhere close to the mark. With Information and Technology companies now reporting sluggish growths in the last quarter, officials feel that this will prove to be a further setback for future IT and cybersecurity professionals.
Meanwhile, under Prime Minister Narendra Modi’s Digital India programme, the government has ambitious plans to connect over 2,50,000 Panchayats through a national optical fibre network, which means, many more services will go online as millions connect to the internet. For cybersecurity professionals fretting over encryption and secure payments and services, the scale will make a quantum jump by December next year.
With Aadhar aiming to put details of a billion plus Indians into a database, it has exponentially increased the risk of cyber attacks. The 2014 breach of data of Yahoo users offers a glimpse into the real dangers that India will face increasingly as more data of its citizens is digitised.
Time, as a senior security official, said, is running out.
Disclaimer: The views expressed above are the author’s own