India is the third most cyber-threatened nation, and yet is one of the least cybersecure nations in the world. With cyberspace emerging as the fifth dimension for war after land, air, water, and space, is India prepared?
In March this year, a perfectly legitimate-looking malware email with a Covid-19 health advisory was received by Indian diplomats from hackers (allegedly Pakistani, state-sponsored) posing as the Home Ministry. Since the escalation of border tensions with China, intelligence firm Cyfirma has traced cyberattack plans on several Indian government agencies and private companies to hacking groups connected with the People’s Liberation Army, China. In March-April alone, cyber attacks on the masses in India spiked by 86%, triggered by the pandemic panic. All of these have been aimed at gaining access to sensitive information, passwords, and extorting/stealing huge amounts of money.
Cyber warfare: why and how?
The war on digital systems, state-owned and private, is not a post-2010 phenomenon. In 2007, Russia had operated a full-force hybrid attack on Estonia. Russia’s propagation of fake news first led to riots; and hacking into and taking down of government, media, and financial servers ensured that communication and control weren’t possible. One person died while hundreds were injured in the riots. In 2011, the Stuxnet, reportedly sponsored by the US and Israel, disabled nuclear control systems in Iran. This could’ve led to an ‘Iranian Chernobyl’ if it wasn’t dealt with. In June 2020 alone, there have been at least three significant attacks targeting entities of international significance.
There are no clear international laws, treaties, or understanding governing this space. The debate over how to determine the fatality of a cyber attack or whether military action in response is justified still stands. Secondly, there is no predetermined scope of casualties. It takes weeks to track the source of an attack, and there is no telling if the source location state had anything to do with the attack or not. Similarly, there is no telling how many people will be affected, a virus acts like a round of ammunition. Moreover, cyber attacks are far easier and cheaper to carry out than military ones, but can have as dangerous impacts on actual on-ground activities. Figure this: You can ‘buy’ an entire information theft campaign on the dark web for as low as $183. It is hard to imagine the exact effects of a cyber attack on a state’s health network at this sensitive time, but it is prudent to foresee its potential for putting lives at risk.
It’s not just about the state, corporate systems are equally at risk. In the past decade itself, brands like eBay, Yahoo!, and UnderArmour which have a wide global user base, were attacked and personal information, including financial data, of customers was stolen. With corporations, the motives behind attacks are diverse. It could be anything from state-sponsored trade wars, to rival corporations’ malignant attempts, to political motives of hacktivists.
How safe are we as Indian citizens and customers?
Even in 2018, India Inc. lost at least $500,000 due to cyber attacks. In 2019, Aadhar details of 6.9 million Indians were exposed. These are just two out of a multitude of figures. In 2018, hackers had siphoned off Rs.94 crore from a Cosmos Bank branch through malware. All of these and several others of such kind, have all happened after 2013.
In 2013, India was lauded for being one of the very few nations to come up with a cybersecurity policy. However, the 2020 update to the policy, which should’ve ideally been expedited in the currently precarious geopolitical, military, and healthcare scenario, isn’t out yet. The most fundamental systemic flaw is that there is no single central body for cybersecurity- instead, there are 36 of them, each with a different structure. Each state has its own mechanism. Another issue is that some government operations still work with legacy systems or outdated software/hardware, a prime reason why the state becomes a soft target.
The corporate sector is laidback due to lack of government policy, along with lack of seriousness on their own account towards employing a constant security mechanism. The digital economy has been pegged at 24% of our total output by 2024. And yet there is an attitude of risk mitigation as opposed to risk management. We haven’t had a majorly devastating attack yet, but there’s no reason to wait till it does.
For an emerging ‘Digital India’, this is going to war with all the right weapons but no protective gear.
How do we avoid an Estonia?
It begins with learning from Estonia’s solutions. The 2007 attack had taken down banks, media outlets, and parts of the government. Estonia focussed on not just cyber incident response, but also on developing the government’s own cybersecurity capacity and digital infrastructure. They now have a Cyber Defence Unit with IT professionals trained by the Defence Ministry who remain under secrecy. Estonia also famously put cybersecurity on the UN Security Council agenda, and now stands atop the worldwide cybersecurity list.
If a small country like Estonia could bring about such sustainable changes, there’s a lot more than India can do. Investigators have long been asking for a dedicated cybersecurity fund. Students must be taught basics at the school level. It shouldn’t take you expert knowledge in IT to know what are the kind of links and attachments you shouldn’t click, or why you need an updated antivirus.
At an industry level, we need a uniform ministry of experts, which oversee R&D on a large scale. Small businesses are often the ones that neglect cybersecurity mechanisms in order to cut costs. The ministry can encourage them by incentivising them for testing certifications, for example. As per research, the current scenario of increasing threats and increasing security is expected to bring the Indian cybersecurity industry opportunities worth $35 billion by 2025.
With an industry that carries bright prospects, and better security for the entire nation, there are incentives abound for the state to fire its turbochargers in this race. For an ideal safe enterprise, safe state, and safe citizen country, the key is to integrate public, private, and on-ground efforts.
Snehal is Columnist at GGI.
She is a writer, poet, music aficionado, Oxford comma proponent, and a lot of other things. She also writes on personal finance for 'Qrius Creative Labs'. She has worked as a copywriter, content writer, scriptwriter, creative strategist, and direction assistant at multiple organisations in the past.
Snehal is a graduate from the Bachelor in Mass Media, Advertising from St.Xavier's College, Bombay.