
Vulnerable in cyberspace (thehindu)

The ‘Legion’ hacks expose the dire state of cybersecurity in India. Frequent data breaches will steadily erode the confidence of Internet users and deter them from using digital gateways

An expansive cyberattack on critical information infrastructure in India — communications, banking technologies, healthcare services — may be currently under way. What’s worse, many of these operations have likely attained their objective.

If that sounds hyperbolic, sample the comments made to news outlets by a representative of the group ‘Legion’, which has claimed responsibility for hacking emails and Twitter accounts belonging to the Indian National Congress, the industrialist Vijay Mallya, and journalists Barkha Dutt and Ravish Kumar. Buried in their profanity-laced correspondence with The Washington Post and FactorDaily, this group has claimed access to “over 40,000 servers” in India, “encryption keys and certificates” used by some Indian banks, and confidential medical data housed in “servers of private hospital chains”.



‘Legion’ claims it has no interest in selling confidential data because its members make enough money by selling “weaponised exploits”. If the email and Twitter hacks have indeed been conducted by a group that trades in “zero-days” — software glitches that exist at the time of creation of an application, but are discovered by technical experts and sold to parent companies, rivals, governments or criminals — then these intrusions should be taken very seriously. Stuxnet, the cyber weapon developed jointly by the United States and Israel to slow down Iranian nuclear centrifuges, used a zero-day exploit that falsified digital certificates, allowing it to run in Windows operating systems. If Legion has gained access to, say, a ‘Secure Socket Layer’ (SSL) certificate that an Indian bank’s website uses to validate its authenticity to a user’s computer or mobile phone, the group could easily retrieve confidential login information and cause unmitigated financial loss.

Trust in digital transactions

The group’s next target, ‘Legion’ claimed in an interview, would be mail servers hosted by the government. In comparison to what ‘Legion’ claims it can do, the hacking of popular Twitter accounts amounts to little more than acts of online vandalism, intended to popularise imminent leaks of data. In other words, the actual hacking of confidential information appears complete, and the public is left waiting for it to be divulged. Nothing could be more corrosive for the trust reposed in digital transactions as more Indian users switch to online payment gateways in the aftermath of demonetisation.

The ‘Legion’ hacks expose the dire state of cybersecurity in India. If the country’s digital assets are today vulnerable to espionage and disruptive attacks, there are institutional, economic and social factors fuelling their neglect. The Centre is yet to identify and implement measures to protect “critical information infrastructure” indispensable to the country’s governance. The National Informatics Centre (NIC), which hosts the government’s mail servers, has been compromised several times in the past: until a few months ago, its users did not rely on two-factor authentication (or 2FA, in which the user provides two means of identification) to access sensitive government communications. The welcome measure to appoint a National Cyber Security Coordinator in 2014 has not been supplemented by creating liaison officers in the States; the Computer Emergency Response Team (CERT-In) is woefully understaffed.

The private sector is equally culpable in its failure to report and respond to breaches in digital networks. Data made available by Interpol for 2015 suggest 1,11,083 security incidents were handled by CERT-In but fewer than 10 per cent of those were registered with law enforcement agencies. Electronic fraud is notoriously underreported in India, whether it is directed at the payment interface or the e-commerce website. There are neither voluntary, sector-specific standards for reporting data breaches nor industry backchannels for sharing confidential security information. Most Indian applications available on Android and iOS stores allow for automatic updates or patches, increasing the likelihood that an exploit or malware can be introduced without the user’s knowledge.


Perhaps the most important factor is attitudinal. The continued perception among Indian elites that cybersecurity is “optional” is evident in that ‘Legion’ has successfully targeted highly visible politicians, journalists and industrialists. Partisan commentary has chosen either to speculate on the identity of perpetrators or celebrate the embarrassment of their political opponents. NIC email servers are often blamed for their poor security, but most Indian companies that rely on Gmail for official communication also do not make 2FA mandatory for their employees.

Human element in cyberattacks

Cybersecurity in India is waved away as the remit of technical experts, while businesses and users believe their data can be protected through high-end devices or ‘air-gapped’ networks. However, most sophisticated cyberattacks have involved a human element: Stuxnet needed the physical introduction of infected USB devices into Iran’s nuclear facilities; the 2016 cyber-heist of $950 million from Bangladesh involved gullible (or complicit) bankers handing over SWIFT codes to hackers. Similarly, ‘Legion’ has not targeted first-generation Internet users but tech-savvy public figures who presumably use secure phones for communication. This episode underscores the difficulty in protecting digital networks if human involvement continues to be the weakest link in the chain.



The government’s practiced apathy in the wake of cyberattacks has only encouraged their repetition. Post-demonetisation, the Centre has pushed the citizenry to go ‘cashless’, without building capacity and awareness on the security of devices or transactions. If anything, regulators have slid back on commitments needed from businesses to protect digital payments. The Reserve Bank of India’s recent decision to waive 2FA for transactions less than Rs.2,000 treats each individual transaction as a self-contained unit, without acknowledging that devices once infected will also compromise higher-value payments. Frequent data breaches will steadily erode the confidence of Internet users and deter them from using digital gateways. For a government which has staked its future heavily on the success of the Digital India programme, this is an outcome it can ill afford.
