Cybersecurity is India's Achilles heel
DHNS

The media is abuzz with reports of India’s quest to go digital and cashless. Are we ready to go fully digital? Never mind that only 17% of Indians own smartphones, and that mobile data costs money. Forget that poverty, illiteracy and lack of awareness are staggering; the biggest issue is cybersecurity.

Have our banks, telecom service providers and mobile phone-makers ensured the security of our bank accounts, digital wallets and OTP delivery mechanism, and the privacy of our transactions? Has the government passed adequate cybersecurity laws and adopted cyber policies to ensure that a customer is not responsible for cybertheft of his/her funds? Do we have the customer service culture in place for helping victims of cybertheft? In my opinion, the answer to all these is in the negative.

On October 20, we found out that 3.4 million debit card accounts were compromised in what could be a case of ATM hacking. Reported cybercrime incidents shot up from 13,301 in 2011 to 3,00,000 in 2015, according to an Assocham report. Unless companies are legally bound to report them, most cybercrimes remain unreported, as companies do not divulge their weak defence against cyberbreaches. According to the same report, 72% of financial services and insurance companies surveyed admitted to being victimised by cyberattacks in 2015.

According to a KPMG survey in 2015, 17% of cyberattacks were by internal perpetrators and 56% resulted from a nexus between internal and external perpetrators. Insider threat is a huge problem the world over, and in India it might be worse, as we see bank officials, and even Reserve Bank of India (RBI) employees, caught recently for fraud. Protecting systems from disgruntled personnel is much harder than protecting them from external perpetrators.

In 2015, the Reserve Bank of India (RBI) imposed certain cybersecurity requirements for banks. The Securities and Exchange Board of India also formulated cybersecurity requirements for stock exchanges. While these requirements are comprehensive and require the banks and exchanges to implement security controls, monitor high-privilege users and mandatorily report all breaches, they lack pragmatism. I spoke to many rural and cooperative bank IT employees and found that no roadmap for gradual implementation of these requirements was provided, resulting in a huge burden on smaller banks lacking the financial wherewithal to implement all these at one go.

There should be a cybersecurity maturity model and a phased roll-out plan. Hiring adequately trained personnel is hard if not impossible. I have grave doubts if banks of all sizes and functions can do all these. Paper compliance alone, without actually defending their infrastructure, will provide a false sense of security.

Manpower is probably our biggest problem in cybersecurity. Unfortunately, we do not have enough experts to train people. Most universities lack the expertise to offer a comprehensive curriculum, resulting in a severe shortage of degree programmes, diplomas or even private training to generate the requisite manpower. The policy makers seem to be confused as to what cybersecurity expertise entails.

Most cybersecurity researchers in India are actually experts in cryptography, which is only a tool for cybersecurity. It is rare that a cyberattack is based on breaking cryptographic algorithms. Usually, weaknesses in the implementation of crypto-algorithms compromise a key.

But the bigger dangers lurk in the network, in the routers, in the operating system, in the application software and also in the overall architecture and protocols. India mainly needs experts for securing hardware, networking, system architecture, software and protocols.

According to some reports, currently we have fewer than 1,000 people in India with adequate cybersecurity expertise. This is a huge policy failure by academics, institutes and funding agencies in projecting manpower requirements and taking action. A huge effort by the government is required to rectify cybersecurity manpower development.

Terrifying prospects
Another terrifying prospect looms in our critical infrastructure sector. The power grid, automated manufacturing, nuclear plants, railway signalling and air-traffic control are so weakly protected and unprepared for cyberattacks that it is staggering. A 2012-style blackout of vast regions of India might happen again, but this time by cyberattack. In 2013, by an act of Parliament, the National Critical Information Infrastructure Protection Centre (NCIIPC) was created. Its function should be similar to that of the cybersecurity sections of the US Homeland Security department. However, due to a severe lack of expertise, the NCIIPC has not been adequate in its role so far.

The inadequate role of the Computer Emergency Response Team (CERT), Delhi, in alerting the industry and research institutes must change to a very proactive and leading role similar to that of CERT in the US. At present, they seem to be working in firefighting mode, rather than doing proactive threat intelligence collection, remediation, trend forecasting and warning of relevant entities with actionable intelligence. The Information Sharing Centres (ISACs) for sector-specific cyberattacks must be proactively formed and brought to action. Except perhaps for the financial industry ISAC, other sector-specific ISACs seem to be non-existent or non-functioning.

Though we have taken a number of positive steps by creating a cybersecurity policy, establishing CERT and creating the NCIIPC, we are at least 10 years behind the US, China, Israel, UK and other countries in this regard. The severe lack of a cybersecurity product industry also compromises our independence in protecting our infrastructure. The government’s intervention in creating a startup culture in cybersecurity products is urgently required.

Finally, our IT law, too, is outdated. We need real experts in cybersecurity to revise the IT Act and lead the various entities. We urgently need to improve through a comprehensive revision of policy, law, business environment, governance and technology innovation. Until then, we have an exposed Achilles heel and we are lucky that no Trojan prince has taken a very serious shot at us.

(The writer is chair professor, Department of Computer Science and Engineering, IIT-Kanpur)

(Published 25 December 2016, 00:40 IST)