Why India’s Cybersecurity Needs an Immediate Overhaul
Drones have become the new face of cyberwar in India. They are being remotely flown into our country to attack vital installations as was witnessed when a couple of drones bombed the Indian Air Force (IAF) station in Jammu on 27 June. Not that the rankled IAF is sitting still. It has initiated a process of acquiring 10 anti-drone systems, according to news agency ANI.
Countering these drone attacks is critical since many drones today are powered with artificial intelligence (AI) and equipped with global positioning system (GPS) and 4K resolution cameras to make them smart enough to sneak in undetected and affect the morale of civilians too.
These drone attacks, of course, are simply pointers that India needs a rock solid cybersecurity strategy in today’s interconnected digital world. The reason: while the virus causing the global pandemic will someday become endemic with the help of vaccines, medical technology interventions, and government policies, we cannot say the same about cybercrime.
Online viruses that are let loose on individuals, companies and governments by unscrupulous hackers will only become more sophisticated in the coming years as the world becomes more connected with the infusion of AI, robotics, and the Internet of Things (IoT).
What’s at stake?
At stake are the data, reputation, money, and even properties of individuals, companies, and governments. This February, for instance, Air India revealed that 10 years’ worth of its customer data, including credit cards, passports and phone numbers, was leaked in a massive cyber-attack on its data processor in February. Two months later, reports noted that personal data from 533 million Facebook accounts was leaked online for free.
And on 27 June, RestorePrivacy reported that the data of 700 million people was put on sale on the dark web by a hacker who claimed to have obtained them from professional networking site LinkedIn’s application programming interface (API). LinkedIn, however, insisted that this was “not a data breach… (and that) this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in our April 2021 scraping update”.
It’s clear that a country like India needs to be on guard every single moment of the day. Check Point Research in a May report highlighted that India is the worst-affected country with 213 weekly ransomware attacks per organization. Ransomware is malware that attacks the devices of users and encrypts the data, unlocking it only when the individual or company pays a specified amount of money or bitcoins as ransom.
The Verizon Business 2021 Data Breach Investigations Report revealed 5,258 breaches from 83 contributors across the globe. The report added that phishing and ransomware attacks rose 11 per cent and 6 per cent respectively, expectedly on the back of remote work. Our own research reveals that data breaches take place almost daily but remain undetected for almost 270 days on average.
India climbs up the security ladder
What augurs well amid all this negative news is the fact that India has jumped 37 places to rank 10th in the Global Cyber Security Index (GCI) that was published by the International Telecommunication Union (ITU) in late June. The US topped the list. The UK and Saudi Arabia tied for the second position, while Estonia was ranked third. India, incidentally, was ranked fourth in the Asia-Pacific region. To put matters in perspective, though, India was ranked 5th when the first GCI edition was launched in 2014. Three years later, it slipped to the 23rd position, then fell further to 47 before rising to the current 10th position.
GCI assesses countries based on their performance on five cybersecurity parameters. These are: legal measures, technical measures, organisational measures, capacity development, and cooperation. The performance is then aggregated into an overall score. India has shown vast improvement in all these parameters. The country scored a total of 97.5 points out of 100.
What’s working in favour of India is that on the legal front, it does have a potent Information Technology Act 2000. The country also has the ‘Cyber Swachhta Kendra’ (Botnet Cleaning and Malware Analysis Centre) as a part of the Indian Computer Emergency Response Team (CERT-In).
CERT-In, an office within the Ministry of Electronics and Information Technology (MeitY), has been set up to analyse the characteristics of bots and malware, provide information, and enable citizens to remove these bots and malware. India also has several cybercrime cells and the National Cybercrime reporting portals that cater to complaints pertaining to cybercrimes, with a special focus on cybercrimes against women and children.
Besides, the country is also experimenting with the use of AI to fight cybercrime by using machine learning to look for historical patterns to predict future behavior of hackers.
But it’s time for more steps
A lot more, however, needs to be done since hackers are always a step ahead. Cyber crimes in India have risen 500% and India is one of the top 3 attacked countries in the world, according to the government’s own admission at a press meet this month. According to a 28 June report by the International Institute for Strategic Studies (IISS), “India has a good regional cyber-intelligence reach but relies on partners, including the United States, for wider insight. The strengths of the Indian digital economy include a vibrant start-up culture and a very large talent pool.”
The report concludes: “From the little evidence available on India’s offensive cyber capability, it is safe to assume it is Pakistan-focused and regionally effective. Overall, India is a third-tier cyber power whose best chance of progressing to the second tier is by harnessing its great digital-industrial potential and adopting a whole-of-society approach to improving its cyber security.”
This perception needs to be changed, and to be fair, the Indian government is taking the right steps. It has announced that it plans to release a new National Cyber Security Policy by the end of this year. The first such policy was drafted about eight years ago. The time is right for the change.
(The author, Naveen Jaiswal, is founder and director of Vehere—a firm that provides Heuristics and AI-powered solutions for real-time Cyber Situational Awareness)