'Digital India' in Dire Need of Safety Policy Reboot - Cybersecurity Experts

Some experts say the need of the hour is for India to update its cybersecurity policy to respond to growing threats in cyberspace. Information warfare specialists hint at the local storage of digital information as the key to the cybersecurity of the country.
Sputnik

New Delhi (Sputnik): The afternoon of the first Friday of April was a telling statement on India's biggest nightmare — a digital meltdown. It was so glaring that the National Media Centre in the capital Delhi was abuzz with media persons seeking to ascertain the news of around 10 government websites, including those of the Ministry of Defense and the Ministry of Home Affairs, was hacked and the government seemed clueless. No government official was ready to speak, prompting the day's headlines to thrive on speculations with television channels running news flashes attributing the mischief to a "Chinese" hacker.  

The Defense Ministry website was showing Mandarin characters in an error message which further gave strength to the conspiracy theory. In panic, the Ministry of Home Affairs shut down its portal, creating further speculations.

In the absence of an official statement, the press based their news reports on a tweet by Defense Minister Nirmala Sitaraman which confirmed the alleged hack. A sense of a massive cyberattack engulfed the air.

The general sense was that it was a digital offensive targeted against India and perpetrated by none other than its neighbor China. There was a sudden outrage among social media users who accused the government of failing to protect the nation's digital assets and letting India be vulnerable to cyber threats.

However, late in the evening, National cybersecurity head Gulshan Rai conveyed that all 10 websites hosted by the National Informatics Centre (NIC) went down due to "a hardware failure" while declining to comment on the possibility of a cyberattack by any neighboring country.

"There is no hacking or coordinated cyberattack on the website of central ministries. There was a hardware failure in the storage network system at the NIC which resulted in a number of government websites being serviced by that system going down. We are working to replace the hardware and these websites will be up soon," Rai said in a statement putting to rest all speculations.

UK Cyber Security Centre Warns Companies Against Using China's ZTE Equipment
The National cybersecurity head, who directly works under the supervision of Indian Prime Minister Narendra Modi, also confirmed that a total of ten websites, including that of the Central Bureau of Investigation, the Central Vigilance Commission, the e-gazette of India, and the websites of the Ministries of Law, Civil Aviation, Defense, Home Affairs, Labor, Water Resources and Science & Technology suffered due to the hardware failure. 

Nevertheless, experts say that India needs a robust framework not only to protect the cyber assets, but also quickly assess threats in view of the experience.

"Technical glitches happen, especially when you have so many hardware and software products connected online. The immediate reaction of the hack (on Friday, 6th April 2018) was in haste and caused all the confusion but no such hack took place. We need to have a more robust framework for response, reporting, and reaction," cyber expert Rakshit Tandon told Sputnik.

Rakshit Tandon

The brief period of inaccessibility of the government websites and the ensuing panic was symptomatic of a situation which India is facing. Even if it was not a hack, the hardware failure is worrying for the billion plus nation, say experts.

The cyber emergency in India was not the first. Last year, the Home Ministry websites had to be temporarily shut down following a cyberattack. This was in close heels to a hack of the website of the elite Indian special force National Security Guard (NSG) by a suspected Pakistan based group. In 2016, data from Indian missions in Africa and Europe were hacked and posted online by unknown hackers. 

Cisco Cyberattack Targeted Russian-Language Internet Segment - Kaspersky Lab
The Indian Computer Emergency Response Team (CERT-In), the premier cyber security agency of India had stated in a reply in Parliament that until June 2017 India had more than 27,000 cyberattacks of all levels and cost the economy around $4 billion.

The Hindustan Times in a report predicts that with India embarking on an ambitious digitalization mode, the total losses from cybersecurity threats for the country could touch $20 billion over the next ten years.

Experts also blame the lack of a clear commitment on the part of the government as a reason for loopholes in India's cybersecurity net, calling for greater participation of the individual and private institutions in the country's digital preparedness.

READ MORE: Not So Friendly: Indian Minister Raises Espionage Concern Over Imported Gadgets

"We have a national cybersecurity policy but we don't have a clear commitment from the government when it comes to financial allocations. The government must fund small and medium-sized enterprises to produce innovative cybersecurity products and services. Separately, the government must fund research by corporations, civil society organizations, educational organizations, and individuals which should be published in peer-reviewed open access journals and also presented at national and international cybersecurity academic conference," Sunil Abraham, executive director, Centre for Internet and Society told Sputnik.

Sunil Abraham

"India has the best minds when it comes to hacking. In fact, a majority of the top hackers in the world are Indians but they are not part of India's security apparatus and not in the country's service," Rizwan Shaikh, ethical hacker and one of the youngest information security consultants in South Asia told Sputnik.

Rizwan Shaikh

Rizwan was in the news recently when he drew the attention of the government about the severe lacuna in the Indian Railway system which is called the backbone of Indian economy employing around 1.3 million people and running 13,000 passenger trains daily.

The ethical hackers cannot sustain in the government ecosystem, they need patronage and incentives in terms of recognition, but the government of India lacks any such program. There was a program launched recently by the Ministry of Information Technology but it has failed to attract good minds due to its lack-luster management. In India, even if I find a loophole, there is no reporting system to intimate and no proper heads to initiate action, Rizwan added.

Cyber Security Challenges are Real, Alarming - India's Top Telecom Official
The Indian government has multiple stakeholders to monitor and report on digital emergency situations. The plethora of agencies begin with the nodal agency of the Ministry of Electronics and Information Technology, there is a hub called the National Critical Infrastructure Information Protection Center, then there is the interior security ministry of Home Affairs which is the oversight authority over all investigative agencies in the country and there is a new institution by the name national Cyber Coordination Centre created recently.  

Rakshit Tandon says that "a sudden spurt in online transactions especially after demonization (in October 2016), coming of 4G mobile networks, cheaper smartphones, and the prestigious vision of 'Digital India' have made the country and its population more prone to cyber threats."

Moreover, with the controversy of the British political consulting firm Cambridge Analytica allegedly using personal details of Indian social media users has created a sense of insecurity among the online population of the country.

In view of the threat to personal and national digital security, Sunil Abraham calls for an approach to a complete upheaval the country's cyber laws to combat the threat. He says simply user behavior change is not sufficient for keeping Indians safe from digital harm.

"First, India needs a comprehensive omnibus data protection law, in the lines of the GDPR which exists for the EU. Second, India needs amendments to our existing competition law. Once the law has been updated to give the regulator powers to go after Internet monopolies —we need a comprehensive investigation of the anti-competitive activities, especially in the digital advertising sector. Change in user behavior is not sufficient to mitigate harms resulting from Internet monopolies. These harms can only be addressed via appropriate, comprehensive and proactive action by lawmakers and regulators," Sunil Abraham said.

Information warfare specialists hint at the local storage of digital information as the key to cybersecurity of the country.

"A nation the size of India can never be a comfortable partner for other great powers who will always be uneasy of the latent power of this sleeping giant. Consequently unlike Japan, South Korea or Singapore, we cannot rely on a security umbrella from another great power to reach our full economic potential," Pavithran Rajan, information warfare specialist based out of Bangalore, told Sputnik.

Pavithran Rajan is a former Indian Army officer-turned writer and trainer on cyber issues.

READ MORE: India Lacks Adequate Legal Provisions to Check Data Theft — Legal Experts

The need for a data protection law was triggered by the debate on individual privacy. However, the importance of this data for national security must not be overlooked. The solution lies in localizing the sensitive data of Indian citizens within the boundaries of India. While currently the infrastructure for this may not exist, it would come up if the data controllers wish to continue to take advantage of the size of the Indian market, he added.

Rajan feels that data protection for India is vital as it is on the cusp of a major technological advancement and has opined that the country needs to put in place legal stipulations on data transfers.

Pavithran

"The advent of the IoT (Internet of Things technology) would exponentially increase the volume of data being generated. Any new infrastructure being created for IoT should also make arrangement for data to be stored in India. We understand that cross-border flows of data cannot be completely stopped. However, no sensitive personal data should be permitted to go outside the country. There should be legal restrictions on the transfer of data to controllers who have no presence in India," Pavithran Rajan told Sputnik.

READ MORE: Cybercrimes Cost World $600Bln, 0.8% of Global GDP Annually — Think Tank

The earliest technology-based law in India was the Indian Telegraph Act of 1885 which is still operational and encompasses the telephone services as well. With the advent of the digital age, India brought in the Information Technology Act in the year 2000 and lastly, a National Cybersecurity Policy was drafted and presented for action 2013, but its actual implementation has not yet taken place. With the fast changing digital ecosystem, India, the largest democracy in the world, struggles to keep pace with the threats it faces and the dangers seem imminent.

The views expressed in this article are those of the speakers and do not necessarily reflect those of Sputnik.

Discuss