As October was winding down, the media in India went berserk with reports of a cyber-attack at the Kudankulam Nuclear Power plant. After initially denying the incident, the Nuclear Power Corporation of India (NPCIL) admitted to the breach that occurred when a user connected a malware-infected personal computer to the administrative network.
Of course, those of us working in the IT industry may turn back and ask: What the hell happened to the security protocols within the plant and the periphery? Because if the protocols had been in place, there is no way an external computer could have even been plugged into the network. But then, that’s how most of government works in India. At least, that’s what we think.
The Computer Emergency Response Team (CERT-In) speculated a malware attack much earlier that breached India’s largest nuclear power facility’s administrative network.
And, this is just one recent example of India’s enduring cyber-attacks on high profile institutions. Most incidents were associated with Internet of Things (IoT) and affected connected devices and infrastructure. While it is clear that no sector is immune to cybercrime, what is disturbing is the government’s reluctance to admit the breach as well as the lackadaisical attitude in handling such a grave issue.
This raises the bigger question: Is India prepared for a high-profile cyber-attack even in the future?
According to cyber security major Symantec, India is among the top three countries in the world after the US and China when it comes to phishing and malware attacks. Its share in mobile malware is reportedly as high as 24%. In 2017, there was one security breach every 10 minutes in India.
Threat vectors including ransomware, virus infectors and crypto jacking have become rampant in high-tech government sectors including defense, navy, space research, power and energy and citizen services, among others, indicating a big threat to our critical infrastructure that can create havoc if not managed proactively considering the country is increasingly moving towards a digital economy.
Need for Proactive Action
Across the world, the defence cyber operations has been put under a well-defined single command and control. For instance, the Government Communications Headquarters (GCHQ) of the United Kingdom is responsible for all things related to protecting cyber infrastructure. Similarly, the Cyber Security Agency of Singapore reports to the Prime Minister and is responsible for the complete spectrum of defensive cyber operations. The National Security Agency of the US too has the complete command and control.
The India scenario is very different. Until now the government lacks a proper cyber security framework and standard operating procedures. The last National Cyber Security Policy upgraded in 2013 (an extension of the Information Technology Act, 2000) needs an overhaul, owing to the changing regulatory norms, changing cyber threat landscape and increased digital adoption. The proposed National Cyber Security Policy that is slated for release in early 2020 is likely to emphasize on cybersecurity awareness and hygiene – and this is certainly the need of the hour.
However, Srinivasan Sriram, co-founder, iValue InfoSolutions told CXOToday, “Just having a policy doesn’t work, but it’s the government’s effectiveness in enacting the Data Protection Laws, say on the lines of European Union’s General Data Protection Regulation (GDPR), making it the responsibility of the businesses or agencies will ensure privacy and protection of their customer data.”
In his opinion, effective implementation happens when the central government replicates the CERTs at the state-level to ensure speedier incident response. In addition, setting up of Defense Academy that provides rigorous training to cyber cadets and also establishing Cyber Police Cadre at the State Police level that can effectively tackle the growing cyber-crime related complaints from common citizens.
Investing in technologies foster innovation to create data-driven solutions is also a key enabler for government organizations in curbing cyber threats. The government of India to strengthen cyber security must consider investing in building a business ecosystem that can leverage technologies such as artificial intelligence (AI) and robotics to improve operations and enhance productivity.
Finally, building a robust, reliable, and scalable cyber defense infrastructure will require significant investments in telecom equipment. In this context, Sriram said, “The government must establish testing labs in India that will certify the equipment only after rigorous tests.”
Securing the Digital Future
As India is on the verge of stepping into the digital future, it must be secured with robust cyber defenses and work towards creating more employment in the cyber security space. In his blog ‘How vulnerable are governments to cybercrime?’ security evangelist David Ferbrache, and former Head of Cyber & Space at the UK Ministry of Defence mentioned that cybercrime is a growing phenomenon, and people with the skills to combat this threat are in high demand.
“Today’s governments can’t compete with private sector salaries, so it’s hard to keep hold of the best talent. Workforce planning should assume that specialists may only stay for a few years, and look to create a production line of new, young talent to succeed them,” he wrote in his blog.
Taking a cue from this, the India governments should also widen their collaboration with private companies to include talent sharing. Cyber security specialists could rotate roles between the public and private sectors, as part of their natural career development. It wouldn’t just help government; it would also give these individuals a higher personal profile.
This way, the government can arrive at a global understanding in order that the cyberspace remains open, safe and secure.