Business Standard

Before infection spreads


AIIMS episode shows big cyber-security review is needed

The ransomware attack on the country’s premier health care institution, the All India Institute of Medical Sciences (AIIMS), serves as a wake-up call. It should prompt a comprehensive review of cyber-security guidelines. The Digital India policy targets putting all sorts of government functions and customer-facing services online, and encouraging cashless transactions. Protecting against cyber-attacks and creating disaster recovery systems assume great urgency.

In ransomware attacks, criminals take over IT systems and encrypt these to make data unreadable. Then they demand ransom payment to decrypt the system and hand access back. Ransomware attacks target municipal systems, health care (including the UK’s National Health Service), financial services (many banks have been hit), and other businesses.

Bad actors can also take over vulnerable systems to steal data, degrade those, or render them unusable. Assaults have shut down power grids (in Ukraine and Australia), stock exchanges (including the country’s leading bourse, the National Stock Exchange, or NSE, in 2021), nuclear facilities (Iran), telecom networks (Georgia), airlines, and government websites (too many to name), etc. In addition, there have been innumerable breaches of intellectual property (IP) and personal data.

Governments also cultivate a capacity for cyber-attacks. This would be vital in a modern shooting war. It is deniable and useful in a “grey war” without violent physical conflict. The NSE attack is attributed to hackers acting on behalf of a neighbouring government. The North Korean government has been accused of ransomware attacks. The attack on Iran’s nuclear facilities was coordinated by two governments. Cyber-attacks on Ukrainian and Georgian infrastructure coincided with physical conflict with Russia. Google claims it has been targeted by hackers operating from Chinese government institutions to steal IP.

There is a huge gap in India’s cyber-security policy: Health care was not considered critical infrastructure before the AIIMS attack. This, despite being a prime source of sensitive data and an essential 24x7 service. India’s health care providers are a prime target for cybercriminals. About 28 per cent of the global attacks on health care providers in 2021 targeted Indian health care.

As Digital India expands, more institutions become critical nodes and potential sources of cyber-infection. Other vulnerabilities will surely be exposed. Every bank branch is connected to the banking system, and to the Unified Payments Interface stack, and linked to non-banking financial companies, stock exchanges, toll fastags, and fintech providers. Passport information is processed by private service providers. The civil aviation system is totally digital.

Aadhaar connects a swathe of sectors. The national power grid is “smart” and connected to dozens of different generators and distributors. Gas distribution networks are “smart”. Every ministry has a website. Plus, there are the defence and aerospace establishments and other government institutions connected to private servers.

All these are targets and a comprehensive cyber-security policy must take this into account. Moreover, instead of reacting to breaches as and when discovered, agencies like the Indian Computer Emergency Response Team must institute proactive outreach programmes to prevent incidents occurring across public and private spaces.

In practical terms, there will always be soft targets, given the expanding scope of Digital India, and given that citizens using digital services have varying levels of sophistication. Hence, backup and disaster recovery policies also have to be instituted and upgraded continuously. It may even be argued that possessing retaliatory capacity is a useful form of defence in that it may deter targeted attacks by other governments. Incidents like the AIIMS episode make it apparent that far more in the way of oversight and investment in cyber-defence is necessary, along with regular policy reviews. This must be part and parcel of the Digital India initiative.
