Credit: Jayachandran/Mint

Putting firewalls in place for a digital economy

India's cybersecurity efforts and infrastructure have been sorely lacking thus far

During the Bharatiya Janata Party’s parliamentary meet on Friday, Prime Minister Narendra Modi declared that people should make the digital economy a way of life as it would be “transparent and effective”. Fair enough; he is largely correct about the benefits even if we have taken issue in these pages with the manner in which his government has pivoted on the impetus for the currency swap. But there is a caveat: A digital economy comes with its own pressure points and vulnerabilities.

In the words of a member of Legion—a hacker collective allegedly responsible for the hacks of Indian politicians’ and media personalities’ Twitter accounts—in an interview with FactorDaily last week, the group has “confidential data pertaining to NPCI [National Payments Corporation of India] hub servers, and even the encryption keys/certificates used by some banks in India. So, theoretically, we could generate ‘fraudulent’ financial messages! Does that make #DigitalIndia safe? Maybe Modi should think all of this through before launching it.”

The claim remains unverifiable for now. But the government has taken it seriously enough for the ministry of electronics and information technology under Ravi Shankar Prasad to mandate a cybersecurity audit of the financial sector, review the Information Technology Act and recruit expert personnel to detect and respond to threats. This is all to the good—but if it goes beyond lip service, it will be a rare episode of New Delhi giving cybersecurity efforts the attention they deserve.

The matter goes beyond the digital economy into the realm of national security. Indeed, the former is a potential vector of attack with regard to the latter—as are critical infrastructure, governance systems and the like. In US President Barack Obama’s words, which apply to an increasingly networked India as much as they do to the US, “In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency… the loss of electricity can bring businesses, cities and entire regions to a standstill.”

The debit card hack affecting about 3.2 million cards earlier this year was among the biggest ever financial data breaches in India. Also this year, Symantec, a major global cybersecurity firm, claimed that a number of Indian organizations—including central government systems, a financial institution and a vendor to a stock exchange—had been breached by Suckfly, a cyberespionage group. August saw details of the Scorpene submarine programme published online. In past years, a large number of valuable Indian targets have been breached—from corporate entities and embassies to prominent individuals and military institutions.

Ostensibly, successive governments have taken at least some steps to shore up cybersecurity: The Computer Emergency Response Team (CERT-In), a nodal agency responsible for dealing with cyber threats, was established in 2004, and Prasad has stated that the Centre is moving to set up a National Cyber Security Coordination Centre. But far too many vulnerabilities remain. The government’s financial outlay on cybersecurity is a fraction of what it needs to be, for instance. And as Sushil Kambampati has pointed out in The Wire, the lack of effective regulations and transparency must be addressed. Take the Securities and Exchange Board of India’s cybersecurity policy. It requires reports on detected breaches to be quarterly—far too tardy to be of much use. Nor does it mandate informing the public. Mandatory disclosure of an attack or attempted attack must be implemented in both the public and private sectors. The lack of it has a dual effect: it reduces the chances of effective analysis, response and planning, and it contributes to the consumer ignorance—and consequently, wariness—of digital transactions that is a major barrier to Modi’s goal of a digital economy.

Over the years, Indian governments and institutions have seemed to regard cybersecurity as a secondary issue. This is a grave error in judgement. Historically, interdiction of shipping and resources for economic disruption, espionage, direct attacks on critical infrastructure and propaganda have all been part of nations’ toolkits in the case of conflict. These can all be achieved via digital means now. Witness the hacking of US company Lockheed-Martin’s F-35 stealth fighter programme or the massive wave of Russian cyberattacks against Estonia and Georgia in 2007 and 2008, respectively. The vulnerable Supervisory Control and Data Acquisition systems managing India’s vital infrastructure such as oil pipelines and steel plants make it particularly vulnerable here.

Or take old-fashioned theft—a remote affair now, as the $81 million stolen from Bangladesh’s central bank’s New York Federal Reserve account earlier this year via a malware attack on the Swift interbank transfer network underscored. Data theft can be as damaging for both individuals and corporations, perhaps more so. The just-revealed hack of a billion Yahoo accounts in 2013 illustrates just how vast the scope of such thefts can be.

Modi’s vision of a digital economy—indeed, a digital nation—is a fine one. But his government must also work on putting firewalls in place.

Is the government doing enough to improve India’s cybersecurity efforts? Tell us at views@livemint.com
