The government must beef up defence against cyberattacks as threat of bigger security breaches looms large
Just as we are reeling under the malicious WannaCry attack - a ransomware from the WCry family that has affected over 3,00,000 computers in more than 150 countries - researchers have discovered its more deadly version, called EternalRocks. EternalRocks uses seven NSA (National Security Agency) exploits for Windows as compared to just two used by WannaCry. Even though the potential damage of EternalRocks is yet unfathomable, the onslaught of WannaCry is a wake-up call for governments around the world to beef up their preparedness against large-scale attacks.
The Indian government has downplayed the impact of WannaCry so far. In the first few days of the attack, IT Secretary Aruna Sundararajan said that the attack has been limited to five-six isolated instances, and "there are no reports of a substantial scale to indicate that Indian systems have been hit". Russian multinational cybersecurity and anti-virus provider Kaspersky Labs, however, found that India was the worst hit.
The government's aim to transform the Indian economy into a cashless one is laden with cybersecurity challenges. Its push for digital economy contrasts with the seriousness with which it is handling cybersecurity matters. Consider this: in the last Budget, the government committed to spend Rs 40.48 crore on cybersecurity in 2017/18, lower than the Rs 44.80 crore allocated in 2016/17. In fact, the total expenditure was much higher - Rs 55.96 crore - in 2015/16.
The incidence of cyberattacks is growing at a rapid clip. CERT-In (Indian Computer Emergency Response Team), the nodal agency that coordinates all matters related to cybersecurity in the country, reported 50,362 incidents in 2016 - a rise of 12 per cent from 44,679 cases in 2014. The actual incidents could be 10-times higher as most cases are not reported to CERT-In.
The National Crime Records Bureau (NCRB), which also prepares statistics on cybercrime, states that the number of cases relating to cybercrime has nearly doubled, from 4,356 in 2013 to 8,045 in 2015. Uttar Pradesh tops the chart with 2,208 registered cases, followed by Maharashtra (2,195) and Karnataka (1,447). The number of convictions in 2015 was only 193.
Till about a few years ago, a large number of attacks in India were simple and involved website defacement, phishing and intrusions. Of late, the attacks have become sophisticated. Last year, in one of the biggest cyber breaches till date, hackers targeted ATMs of leading banks using Hitachi systems to steal four-digit PINs (personal identification numbers) of millions of customers.
Early this year, the National Payments Corporation of India reported a bug in the Unified Payment Interface (UPI) application of Bank of Maharashtra which resulted in Rs 25 crore moving out of bank accounts to unknown beneficiaries. Two more banks have reportedly witnessed breaches in their UPI apps.
Evidently, the current security infrastructure and expertise are not adequate to handle big threats. CERT-In, set up under the Department of Information Technology in 2004, is frequently attacked by hackers.
In 2012, after the power blackout in vast regions of India, the government decided to classify cyberattacks into two categories: critical and non-critical. Assets that fall under critical areas are now monitored by National Critical Information Infrastructure Protection Centre (NCIIPC). Last year, NCIIPC told financial institutions to review their critical infrastructure. "A question still prevails: what assets are important and critical. For example, a bank with several thousand branches..assuming if a sizeable sample is critical, then it would be fairly time-consuming to conduct the audit and patch the gaps," says Akshay Garkel, partner (IT security, risk advisory services) at BDO India.
The fact that India didn't have a cybersecurity policy till 2013 puts it behind several developed countries by five to eight years. The government is now working on building sector-specific information-sharing centres for telecom, manufacturing, financial services, and others. "The role of CERT-In has been defensive. It needs to get better in intelligence collection, and proactively look for future threats and engage in offensive mechanism," says an expert.
Another factor that makes India unprepared is the lack of trained cybersecurity professionals. In 2013, the cybersecurity policy stated that there's a need to create 500,000 professionals skilled in cybersecurity in the next five years. Estimates put the current workforce at around 50,000. The low rate of cybercrime convictions coupled with manpower shortage, and the lack of a thriving culture within the government put India on the back foot in this digital war.