
Vulnerable in cyberspace (thehindu)

The ‘Legion’ hacks expose the dire state of cybersecurity in India. Frequent data breaches will steadily erode the confidence of Internet users and deter them from using digital gateways

An expansive cyberattack on critical information infrastructure in India — communications, banking technologies, healthcare services — may be currently under way. What’s worse, many of these operations have likely attained their objective.

If that sounds hyperbolic, sample the comments made to news outlets by a representative of the group ‘Legion’, which has claimed responsibility for hacking emails and Twitter accounts belonging to the Indian National Congress, the industrialist Vijay Mallya, and journalists Barkha Dutt and Ravish Kumar. Buried in their profanity-laced correspondence with The Washington Post and FactorDaily, this group has claimed access to “over 40,000 servers” in India, “encryption keys and certificates” used by some Indian banks, and confidential medical data housed in “servers of private hospital chains”.

‘Legion’ claims it has no interest in selling confidential data because its members make enough money by selling “weaponised exploits”. If the email and Twitter hacks have indeed been conducted by a group that trades in “zero-days” — software glitches that exist at the time of creation of an application, but are discovered by technical experts and sold to parent companies, rivals, governments or criminals — then these intrusions should be taken very seriously. Stuxnet, the cyber weapon developed jointly by the United States and Israel to slow down Iranian nuclear centrifuges, used a zero-day exploit that falsified digital certificates, allowing it to run in Windows operating systems. If Legion has gained access to, say, a ‘Secure Socket Layer’ (SSL) certificate that an Indian bank’s website uses to validate its authenticity to a user’s computer or mobile phone, the group could easily retrieve confidential login information and cause unmitigated financial loss.

Trust in digital transactions

The group’s next target, ‘Legion’ claimed in an interview, would be mail servers hosted by the government. In comparison to what ‘Legion’ claims it can do, the hacking of popular Twitter accounts amounts to little more than acts of online vandalism, intended to popularise imminent leaks of data. In other words, the actual hacking of confidential information appears complete, and the public is left waiting for it to be divulged. Nothing could be more corrosive for the trust reposed in digital transactions as more Indian users switch to online payment gateways in the aftermath of demonetisation.

The ‘Legion’ hacks expose the dire state of cybersecurity in India. If the country’s digital assets are today vulnerable to espionage and disruptive attacks, there are institutional, economic and social factors fuelling their neglect. The Centre is yet to identify and implement measures to protect “critical information infrastructure” indispensable to the country’s governance. The National Informatics Centre (NIC), which hosts the government’s mail servers, has been compromised several times in the past: until a few months ago, its users did not rely on two-factor authentication (or 2FA, in which the user provides two means of identification) to access sensitive government communications. The welcome measure to appoint a National Cyber Security Coordinator in 2014 has not been supplemented by creating liaison officers in the States; the Computer Emergency Response Team (CERT-In) is woefully understaffed.

The private sector is equally culpable in its failure to report and respond to breaches in digital networks. Data made available by Interpol for 2015 suggest 1,11,083 security incidents were handled by CERT-In but less than 10 per cent of those were registered with law enforcement agencies. Electronic fraud is notoriously underreported in India, whether it is directed at the payment interface or the e-commerce website. There are neither voluntary, sector-specific standards for reporting data breaches nor industry backchannels for sharing confidential security information. Most Indian applications available on Android and iOS stores allow for automatic updates or patches, increasing the likelihood that an exploit or malware can be introduced without the user’s knowledge.

Perhaps the most important factor is attitudinal. The continued perception among Indian elites that cybersecurity is “optional” is evident in that ‘Legion’ has successfully targeted highly visible politicians, journalists and industrialists. Partisan commentary has chosen either to speculate on the identity of perpetrators or celebrate the embarrassment of their political opponents. NIC email servers are often blamed for their poor security, but most Indian companies that rely on Gmail for official communication also do not make 2FA mandatory for their employees.

Human element in cyberattacks

Cybersecurity in India is waved away as the remit of technical experts, while businesses and users believe their data can be protected through high-end devices or ‘air-gapped’ networks. However, most sophisticated cyberattacks have involved a human element: Stuxnet needed the physical introduction of infected USB devices into Iran’s nuclear facilities; the 2016 cyber-heist of $950 million from Bangladesh involved gullible (or complicit) bankers handing over SWIFT codes to hackers. Similarly, ‘Legion’ has not targeted first-generation Internet users but tech-savvy public figures who presumably use secure phones for communication. This episode underscores the difficulty in protecting digital networks if human involvement continues to be the weakest link in the chain.

The government’s practiced apathy in the wake of cyberattacks has only encouraged their repetition. Post-demonetisation, the Centre has pushed the citizenry to go ‘cashless’, without building capacity and awareness on the security of devices or transactions. If anything, regulators have slid back on commitments needed from businesses to protect digital payments. The Reserve Bank of India’s recent decision to waive 2FA for transactions less than Rs.2,000 treats each individual transaction as a self-contained unit, without acknowledging that devices once infected will also compromise higher-value payments. Frequent data breaches will steadily erode the confidence of Internet users and deter them from using digital gateways. For a government which has staked its future heavily on the success of the Digital India programme, this is an outcome it can ill afford.

