CYBERIAN WAR FRONT
WITH CYBER CRIME OPENING UP A NEW BATTLEFRONT, INDIA NEEDS TO FORTIFY ITS INFORMATION NETWORKS AGAINST MALWARE
How well is India prepared to combat the extremely plausible threat of a cyber war?
this year, a series of powerful cyber attacks using the Petya malware swamped the websites of several Ukrainian organisations, including banks, ministries, newspapers and electricity firms. The radiation monitoring system at Ukraine’s Chernobyl nuclear power plant went offline. Metro trains, regular trains and flights came to a halt at several locations. Ukraine accused Russian security services of being involved in the attack and claimed that they were also behind the hacking of Ukrainian state energy computers in December 2016 causing a power cut in the northern section of capital Kiev. A year ago, in 2015, hackers infected information systems of three power distribution companies in Ukraine, temporarily disrupting supply.
While Russia, locked in a bitter conflict with Ukraine since 2014, has rubbished such claims, global security experts claim that the country is using Ukraine as a testing ground for cyber war. This echoes what Maj. Gen. Aviv Kochavi of Israel said in 2014: “Cyber will soon be revealed to be the biggest revolution in warfare, more than gunpowder and air power utilisation in the last century.”
Meanwhile in India, almost two months before the June attack on Ukraine, a group of 80 defence, strategic and intelligence experts, including former Intelligence Bureau chief P.C. Haldar, former navy chief Adml Arun Prakash, former air chief P.V. Naik and former diplomats Shyam Saran and Ronen Sen, urged the Narendra Modi government to “take urgent steps” to improve cyber security in the country. An IIT Kanpur report submitted to Parliament in July warned: “The danger of cyber crime is looming large on the defence, education and telecom sectors. Around 164 government websites were hacked in 2015.” The study said attacks from the Equation group—a clandestine CIA and NSA program, as per WikiLeaks—infected the telecom, military and research sectors.
Warnings such as these as well as the tense relationship with neighbours Pakistan and China have left cyber experts in the country wondering whether India can handle a Ukrainelike situation. In December last year, the Union home ministry indicated that Pakistani intelligence agencies were spying on Indian security forces via malware on mobile apps such as ‘Top Gun’ (game app), ‘mpjunkie’ (music app), ‘vdjunky’ (video app) and ‘Talking Frog’ (entertainment app). Earlier in 2016, Google removed ‘SmeshApp’ from Play Store amid allegations that it was being used by the ISI to spy on the Indian army.
The AsiaPacific CyberSecurity Dashboard prepared by Microsoft trade group Business Software Alliance (BSA) says: “While India does have an early warning system and a
national computer emergency response team, there is no clear national incident management structure for responding to cyber security incidents.” To plug this gap, the Modi government has created the post of a cyber security chief under the Prime Minister’s Office. The incumbent also heads the National Cyber Coordination Centre, set up this year to scan the country’s web traffic for cyber security threats and to coordinate with the two agencies involved in cyber security: the Computer Emergency Response Team–India (CERTIN) and the National Critical Information Infrastructure Protection Centre (NCIIPC). The NCIIPC, formed in 2014 under the National Technical Research Organisation, is concerned with the security of critical information infrastructure (CII), which currently includes power and energy, banking, financial institutions and insurance, information and communication technology, transportation, egovernance infrastructure and strategic public enterprises and defence and intelligence agencies (see India’s Cyber Architecture). Defence and intelligence agencies have been kept out of its purview; they are the responsibility of the Defence Research and Development Organisation. CERTIN, formed 10 years before NCIIPC, under the Union ministry for electronics and information technology, is responsible for all noncritical systems as well as for collecting reports on all cyber crimes.
Security experts believe the country’s cyber security architecture is well equipped to handle an attack on its critical infrastructure such as nuclear plants, power plants and power grids, the transport sector and identityrelated platforms such as Aadhaar. “We have enough firewalls to protect our critical infrastructure,” says Subimal Bhattacharjee, former country head of General Dynamics and a commentator on cyberspace affairs. “It’s not that external elements have not launched any attack, but India has enough technological expertise to counter such attempts.”
Munish Sharma, associate fellow (cyber security project) at the Institute for Defence Studies and Analyses, says, “In almost all cases, officials who did not follow the standard operating procedures facilitated the cyber attack. They browsed the internet from an office computer in which classified information was stored,” he says. In 2016, 33,147 websites were hacked in India, up from 28,481 in 2013.
What hobbles the war against cyber crimes is the lack of cyber security experts. In 2013, the National Cyber Security Policy outlined the need for 500,000 skilled cyber security professionals in the next five years. India currently has some 50,000. Nasscom estimates the demand for security work
force will rise globally to six million by 2019, up from four million in 2015, with a projected shortfall of 1.5 million. Keeping this in mind, Nasscom and the Data Security Council of India have established a cyber security task force to create a million cyber security jobs. For the moment, though, this does not seem to be a priority for the government, going by the Union budget. From Rs 56 crore in 201516, cyber security allocation has dropped to Rs 41 crore in 201718.
The bigger risk, say Sharma and Bhattacharjee, lies in the lack of digital hygiene in critical as well as noncritical sectors. A survey conducted in the power and energy sector reveals that many organisations have neither a formal information security policy nor training for information security awareness. This, given that human error plays a larger role in business security breaches today compared to two years ago, especially for companies in maturing economies, as reported by a 12country survey done by the Computing Technology Industry Association in 2016. The July 20, 2016, Union Bank of India hacking, for instance, was triggered after an employee clicked on a phishing email that released malware into the bank’s servers. An amount of $171 million from UBI found its way to accounts in two banks in Cambo dia and one each in Thailand, Taiwan and Australia. Thanks to swift action by the bank’s top team, the money was routed back. “Many organisations, including government ones, do not follow strict norms for using external portable devices such as USB drives, mobile phones and personal laptops. Most government officials use personal email IDs instead of @nic email ID, a huge compromise on data security,” says Sharma.
According to a 2017 survey by Symantec, India is fourth among countries targeted by ransomware— malware that forces its victims to pay a ransom through online payment modes such as bitcoins to regain their data. In September 2016, Trend Micro Inc., a global leader in security software and solutions, reported that over 180 Indian companies were victims of ransomware in the first half of 2016. Earlier this year, in the WannaCry ransomware attack that affected 200,000 organisations in 150 countries, the victims in India included the Andhra Pradesh police, four manufacturing companies, two retailers, the India operations of a multinational, two banks and the Chennai facility of an automaker.
Not surprisingly, then, Indian businesses bled over $1 million in data losses between 2015 and 2016, according to a July 2016 survey by data
storage firm EMC Corporation. An IBM study said the average total cost of data breach for firms rose by 9.5 per cent.
Yet Indian boardrooms have been slow in reacting to the growing threat. The recently published Global Information Security Survey 2016-17 by consultancy firm EY highlighted that cyber risks do not get the required attention at organisations. The EY survey has 38 per cent of respondents, which include IT executives, managers of large and globally recognised firms as well as key government entities, saying their boards are not “fully knowledgeable” about cyber risks. More than half the respondents did not have a formal threat intelligence program, while 44 per cent did not have the capabilities to identify vulnerabilities. In a 2015 survey of Indian companies by KPMG, 94 per cent respondents admitted that cyber crime was a major threat for organisations, but only 41 per cent said it was part of the board agenda; 58 per cent respondents said cyber defence expenditure formed less than 5 per cent of total IT spend and 78 per cent respondents said they did not have a cyber crime incident response plan.
But the scenario is gradually changing. From 2015-16, US technology research firm Gartner saw a 10.6 per cent jump in the security spend of Indian enterprises. Security company Palo Alto Networks says 92 per cent Indian companies have increased their cyber security budgets in the past year. Joining the effort, the Centre too has set up a botnet- and malware-cleaning centre that will detect and clean malware in citizens’ devices. A botnet is a private network of computers that can harm or attack any network with malware.
The security impetus is significant given that the government’s push for a cashless economy and digital India has expanded the threat of data breach. The demonetisation exercise in November 2016 saw a spurt in digital transactions and growth in the use of mobile wallets such as PayTM, not to mention the government’s promotion of digital payment apps such as BHIM. Though there has been no study linking the demonetisation drive and the rise in cyber crimes, an analysis of the CERT-IN data shows that one cyber crime was reported every 10 minutes in India in the first six months of 2017, up from a crime every 12 minutes in 2016. Of the 27 cyber risk advisories issued by CERTIN this year, nine pertained to digital payment modes. However, during the whole calendar year 2016, there were no advisories about digital payment tools. Ajeet Bajpai, director general, NCIIPC, has recently said: “Post demonetisation, the banking and financial sector has become the most critical. Earlier, cyber threats were of nuisance value, now they are disruptive and may become destructive.” The Union government is in the process of setting up a separate CERT for financial services. According to an October 2016 Assocham report, credit and debit card fraud cases topped the cyber crimes chart and have increased six times in the past three years. Last year saw cyber attacks compromise more than 3 million ATM and debit cards through Hitachi-engineered ATM machine hacking.
Yet, the country’s police forces are still not prepared to handle cyber crimes, as the then Union home secretary Rajiv Mehrishi pointed out at the india today State of the State Conclave in Jaipur on June 24. Records with the National Crime Records Bureau (NCRB) show that between 2013 and 2015, the number of reported cyber crime cases doubled—from 5,693 to 11,592. In 2014, a survey by cyber security expert Pawan Duggal revealed that for every 500 instances of cyber crime, only 50 are reported, and of those 50, an FIR is filed in only one case. No wonder, the conviction rate in cyber crimes is an abysmal 0.7 per cent, as stated in the 2015 NCRB report.
In a recent meeting of the consultative committee of MPs attached to his ministry, Union minister for home Rajnath Singh said that there was a need to start a larger discussion and generate ideas for reorganising the ministry in a manner that it could meet the rapidly changing security environment and emerging threats such as cyber crimes. Another crucial area is securing evidence for cyber crimes, as the source of crime may be distributed over different services, providers, locations and often jurisdictions. India is still not part of the 2004 Budapest convention, the only international treaty on sharing of digital evidence. India refused to participate because the US drafted the treaty without consulting India.
For a crime-free digital India, what’s needed is a two-pronged approach—a nationwide hygiene campaign to preempt attacks likely through human error and sensitising law-enforcing agencies on cyber laws and procedures.