
Vulnerable in cyberspace (thehindu)

The ‘Legion’ hacks expose the dire state of cybersecurity in India. Frequent data breaches will steadily erode the confidence of Internet users and deter them from using digital gateways

An expansive cyberattack on critical information infrastructure in India — communications, banking technologies, healthcare services — may be currently under way. What’s worse, many of these operations have likely attained their objective.

If that sounds hyperbolic, sample the comments made to news outlets by a representative of the group ‘Legion’, which has claimed responsibility for hacking emails and Twitter accounts belonging to the Indian National Congress, the industrialist Vijay Mallya, and journalists Barkha Dutt and Ravish Kumar. Buried in their profanity-laced correspondence with The Washington Post and FactorDaily, this group has claimed access to “over 40,000 servers” in India, “encryption keys and certificates” used by some Indian banks, and confidential medical data housed in “servers of private hospital chains”.



‘Legion’ claims it has no interest in selling confidential data because its members make enough money by selling “weaponised exploits”. If the email and Twitter hacks have indeed been conducted by a group that trades in “zero-days” — software glitches that exist at the time of creation of an application, but are discovered by technical experts and sold to parent companies, rivals, governments or criminals — then these intrusions should be taken very seriously. Stuxnet, the cyber weapon developed jointly by the United States and Israel to slow down Iranian nuclear centrifuges, used a zero-day exploit that falsified digital certificates, allowing it to run in Windows operating systems. If Legion has gained access to, say, a ‘Secure Socket Layer’ (SSL) certificate that an Indian bank’s website uses to validate its authenticity to a user’s computer or mobile phone, the group could easily retrieve confidential login information and cause unmitigated financial loss.

Trust in digital transactions

The group’s next target, ‘Legion’ claimed in an interview, would be mail servers hosted by the government. In comparison to what ‘Legion’ claims it can do, the hacking of popular Twitter accounts amounts to little more than acts of online vandalism, intended to popularise imminent leaks of data. In other words, the actual hacking of confidential information appears complete, and the public is left waiting for it to be divulged. Nothing could be more corrosive for the trust reposed in digital transactions as more Indian users switch to online payment gateways in the aftermath of demonetisation.

The ‘Legion’ hacks expose the dire state of cybersecurity in India. If the country’s digital assets are today vulnerable to espionage and disruptive attacks, there are institutional, economic and social factors fuelling their neglect. The Centre is yet to identify and implement measures to protect “critical information infrastructure” indispensable to the country’s governance. The National Informatics Centre (NIC), which hosts the government’s mail servers, has been compromised several times in the past: until a few months ago, its users did not rely on two-factor authentication (or 2FA, in which the user provides two means of identification) to access sensitive government communications. The welcome measure to appoint a National Cyber Security Coordinator in 2014 has not been supplemented by creating liaison officers in the States; the Computer Emergency Response Team (CERT-In) is woefully understaffed.

The private sector is equally culpable in its failure to report and respond to breaches in digital networks. Data made available by Interpol for 2015 suggest 1,11,083 security incidents were handled by CERT-In but fewer than 10 per cent of those were registered with law enforcement agencies. Electronic fraud is notoriously underreported in India, whether it is directed at the payment interface or the e-commerce website. There are neither voluntary, sector-specific standards for reporting data breaches nor industry backchannels for sharing confidential security information. Most Indian applications available on Android and iOS stores allow for automatic updates or patches, increasing the likelihood that an exploit or malware can be introduced without the user’s knowledge.


Perhaps the most important factor is attitudinal. The continued perception among Indian elites that cybersecurity is “optional” is evident in that ‘Legion’ has successfully targeted highly visible politicians, journalists and industrialists. Partisan commentary has chosen either to speculate on the identity of perpetrators or celebrate the embarrassment of their political opponents. NIC email servers are often blamed for their poor security, but most Indian companies that rely on Gmail for official communication also do not make 2FA mandatory for their employees.

Human element in cyberattacks

Cybersecurity in India is waved away as the remit of technical experts, while businesses and users believe their data can be protected through high-end devices or ‘air-gapped’ networks. However, most sophisticated cyberattacks have involved a human element: Stuxnet needed the physical introduction of infected USB devices into Iran’s nuclear facilities; the 2016 cyber-heist of $950 million from Bangladesh involved gullible (or complicit) bankers handing over SWIFT codes to hackers. Similarly, ‘Legion’ has not targeted first-generation Internet users but tech-savvy public figures who presumably use secure phones for communication. This episode underscores the difficulty in protecting digital networks if human involvement continues to be the weakest link in the chain.



The government’s practiced apathy in the wake of cyberattacks has only encouraged their repetition. Post-demonetisation, the Centre has pushed the citizenry to go ‘cashless’, without building capacity and awareness on the security of devices or transactions. If anything, regulators have slid back on commitments needed from businesses to protect digital payments. The Reserve Bank of India’s recent decision to waive 2FA for transactions less than Rs.2,000 treats each individual transaction as a self-contained unit, without acknowledging that devices once infected will also compromise higher-value payments. Frequent data breaches will steadily erode the confidence of Internet users and deter them from using digital gateways. For a government which has staked its future heavily on the success of the Digital India programme, this is an outcome it can ill afford.
