Is India Prepared or Preparing Itself to Counter Cyberattacks?

“LOCKDOWN SEES SPURT IN CYBER-CRIMES: KERALA RECORDS HIGHEST NUMBERS OF ATTACKS.”

A comprehensive analysis of cyberattacks during the lockdown has found that Kerala recorded the highest number of cyberattacks during this period.

“NAVY SAILOR DUPED OF RS 1.4 LAKH IN ONLINE FRAUD” — Times of India, Kolkata

An Indian Navy sailor alleged that he was conned out of around Rs 1.4 lakh after he tried to buy a second-hand scooterette on an online classified advertisement platform. Asked to pay through a money wallet, the complainant, Anil Sanap, was tricked into paying twice for the same two-wheeler that was never delivered to him, police said.

“RETIRED NAVY OFFICER LOSES 83000 TO ONLINE FRAUD” — Hindustan Times, Mumbai

At least 37 people were allegedly duped on OLX, an online classified site, by fraudsters who used leaked soft copies of Aadhaar and ID cards of CISF and Army personnel.

“MAN LOSES 42000 WHILE PURCHASING LIQUOR ONLINE IN MUMBAI” — The Hindu

The accused asked the victim to pay through PayTm and siphoned off the amount each time the victim paid.

Cyberattacks On the Rise

A tremendous rise in cyber crimes since the global outbreak of COVID-19 has prompted Indian security agencies to look for ways to boost their capabilities to deal with phishing, malware, viruses and other online attacks on government servers.

COMING SOON: Indian Cyberspace — Secure Bhi, Private Bhi

India’s vision of a $5 trillion economy consists of $1 trillion worth of digital components, a pie that almost all corporates of the globe would want their fingers well entrenched in. The populace in India, of course, is showing no signs of slowing down their demand for advancements and developments in the Indian cyberspace, given how they take to smartphones like fish take to water. This is further fuelled by very low-cost handsets, affordable tariffs and the quantum leap in ensuring availability of content in almost all Indian languages.

Inserting a monkey wrench in the above cyber dreamspace is the cybercrime! This activity has gone up four times from 2017 to 2018 and has further multiplied to dizzying levels in 2020 with the wretched COVID-19 playing the lead role. Amongst the very few groups of people who have benefitted from the pandemic and have a lot to thank for in this period are cybercriminals. It is akin to a heaven-sent opportunity for criminals — A Festive Night Without An End! But for the victims and general populace — A Nightmare Without An End!

More than 4,000 fraudulent portals emerged within two months. On a typical day in April 2020, Google alone had blocked 240 million spam messages and 18 million phishing scams. Similar sounding UPI (Unified Payments Interface) IDs had popped up soon after the Prime Minister of India had announced the PM CARES Fund.

In India these cybercriminals are wonderfully aided, encouraged, and almost red-carpet welcomed to hack, scam, siphon-off, impersonate, steal data and/or money, indulge in child pornography, cyber-espionage, cyberstalking, blackmail, threaten — all and sundry — individual citizens, corporates, banks, government institutions, medical facilities, the list is endless. These miscreants can bring cities or entire nations to a standstill if they hack into and infect the power grids, railways, ports or airports with ransomware. They can hack into social media and spread fake news that can flare up social tensions.

Red-carpet welcomed? How? By the lack of comprehensive laws, rules & regulations, the absence of homogeneity in the architecture of hardware and software in institutions, lack of cyber-defence skills and knowledge…once again, this list is endless. Queering this pitch further is the lack of user skills in people using computers, smartphones and the like for sensitive tasks such as online transactions — both in the individual and corporate professional sectors.

Cybersecurity threats may manifest within a technical context as well — like an unpatched software vulnerability, a malicious software or link — but mostly, their key strategy is to prey on our carelessness, greed and ignorance — the basic human vulnerabilities. This would only get further amplified with the onset of 5G, artificial intelligence, augmented reality, robotics, quantum computing, and the growing advancement in the field of Internet of Things.

There is a vital need to secure, strengthen, and synergise the policy toolkit in this realm. In addition to the Information Technology Act, 2000 and the upcoming data privacy law, the Indian government has initiated action on the National Cyber Security Strategy (NCSS) 2020.

NCSS CONTOUR MAP — Tech is Global, Policy is Local

Okay, here’s the technical description first: It is a set of common and interoperable standards that make ‘packets’ of data traverse the global cyberspace crisscrossing continents, oceans and even spacebut a government’s writ runs basically on its jurisdiction. What does this even mean?! India is a member of the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG). Both are under the aegis of the UN. A global consensus on this? A kid will roll his eyes! Instead, India should consider joining or leveraging existing frameworks like the Convention on Cybercrime and the Paris Call. After all, cybersecurity has become a geopolitical issue, as reiterated multiple times by the Prime Minister incumbent.

Security by Design, Budgeting by Default

The Prime Minister’s IT Task Force set up in 1998 recommended that 1–3% of each ministry’s budget be set aside for IT. This is laughably inadequate in 2020. The NASSCOM recommends 10% of every IT budget in the government be earmarked for cybersecurity exclusively. But what is the actual budget allocated for cybersecurity by India currently? We have no clarity of the actual figures. There have been vague intentions declared and assurances provided on allocations, but no definite figures given. This is where India should be very clear and concise. So, a budgeting by default for cybersecurity is as vital as oxygen is to life!

Security vs Privacy — A False Binary

“If you want security, privacy goes out the window and vice versa.” So said a cybersecurity expert not so long ago.

But is it so? In reality, both can and must coexist. In fact, they reinforce and strengthen each other — paradoxical, but true. We cannot have data privacy without data security! Thus the NCSS and the data protection framework should be consistent with each other. Exceptions and exemptions must be narrowly crafted in compliance with the principles of lawfulness, fairness, transparency, and proportionality laid down by the Supreme Court in its 2017 privacy judgment.

Prevention is Always Better than Cure

We need proactive preventive measures against cyberattacks. A majority of data breaches or cyberattacks can be mitigated if we take care of the basics of cybersecurity: use only licensed and updated software, use different and difficult passwords for different services and devices, use multi-factor authentication and strong encryption, and the like.

Bidirectional Partnership

The government and the private sector should trust each other and share their assessments proactively, and handle intelligence services on threat vectors without jeopardising contractual obligations or intellectual property. In the IT sector (especially in cyberspace and the internet) neither can exist without the other.

Pragmatic, Predictable, Flexible

The cybersecurity guidelines issued by RBI, SEBI, IRDAI and PFRDAI should be greatly synergised under the aegis of the Financial Stability and Development Council (FSDC). This will bring greater sanity and clarity for the regulators as well as for the regulated entities.

Amongst the Top 10 by 2025

India has been significantly improving its rank in the World Bank’s Ease of Doing Business Index each year. We must endeavor to be included in the top 10 within the Global Cybersecurity Index as well by 2025.