An expansive cyberattack on critical information infrastructure in India — communications, banking technologies, healthcare services — may be currently under way. What’s worse, many of these operations have likely attained their objective.
If that sounds hyperbolic, sample the comments made to news outlets by a representative of the group ‘Legion’, which has claimed responsibility for hacking emails and Twitter accounts belonging to the Indian National Congress , the industrialist Vijay Mallya , and journalists Barkha Dutt and Ravish Kumar. Buried in their profanity-laced correspondence with The Washington Post and FactorDaily , this group has claimed access to “over 40,000 servers” in India, “encryption keys and certificates” used by some Indian banks, and confidential medical data housed in “servers of private hospital chains”.
‘Legion’ claims it has no interest in selling confidential data because its members make enough money by selling “weaponised exploits”. If the email and Twitter hacks have indeed been conducted by a group that trades in “zero-days” — software glitches that exist at the time of creation of an application, but are discovered by technical experts and sold to parent companies, rivals, governments or criminals — then these intrusions should be taken very seriously. Stuxnet, the cyber weapon developed jointly by the United States and Israel to slow down Iranian nuclear centrifuges, used a zero-day exploit that falsified digital certificates, allowing it to run in Windows operating systems. If Legion has gained access to, say, a ‘Secure Socket Layer’ (SSL) certificate that an Indian bank’s website uses to validate its authenticity to a user’s computer or mobile phone, the group could easily retrieve confidential login information and cause unmitigated financial loss.
Trust in digital transactions
The group’s next target, ‘Legion’ claimed in an interview, would be mail servers hosted by the government. In comparison to what ‘Legion’ claims it can do, the hacking of popular Twitter accounts amounts to little more than acts of online vandalism, intended to popularise imminent leaks of data. In other words, the actual hacking of confidential information appears complete, and the public is left waiting for it to be divulged. Nothing could be more corrosive for the trust reposed in digital transactions as more Indian users switch to online payment gateways in the aftermath of demonetisation.
The ‘Legion’ hacks expose the dire state of cybersecurity in India. If the country’s digital assets are today vulnerable to espionage and disruptive attacks, there are institutional, economic and social factors fuelling their neglect. The Centre is yet to identify and implement measures to protect “critical information infrastructure” indispensable to the country’s governance. The National Informatics Centre (NIC), which hosts the government’s mail servers, has been compromised several times in the past: until a few months ago, its users did not rely on two-factor authentication (or 2FA, in which the user provides two means of identification) to access sensitive government communications. The welcome measure to appoint a National Cyber Security Coordinator in 2014 has not been supplemented by creating liaison officers in the States; the Computer Emergency Response Team (CERT-In) is woefully understaffed.
The private sector is equally culpable in its failure to report and respond to breaches in digital networks. Data made available by Interpol for 2015 suggest 1,11,083 security incidents were handled by CERT-In but less than 10 per cent of those were registered with law enforcement agencies. Electronic fraud is notoriously underreported in India, whether it is directed at the payment interface or the e-commerce website. There are neither voluntary, sector-specific standards for reporting data breaches nor industry backchannels for sharing confidential security information. Most Indian applications available on Android and iOS stores allow for automatic updates or patches, increasing the likelihood that an exploit or malware can be introduced without the user’s knowledge.
Perhaps the most important factor is attitudinal. The continued perception among Indian elites that cybersecurity is “optional” is evident in that ‘Legion’ has successfully targeted highly visible politicians, journalists and industrialists. Partisan commentary has chosen either to speculate on the identity of perpetrators or celebrate the embarrassment of their political opponents. NIC email servers are often blamed for their poor security, but most Indian companies that rely on Gmail for official communication also do not make 2FA mandatory for its employees.
Human element in cyberattacks
Cybersecurity in India is waved away as the remit of technical experts, while businesses and users believe their data can be protected through high-end devices or ‘air-gapped’ networks. However, most sophisticated cyberattacks have all involved a human element: Stuxnet needed the physical introduction of infected USB devices into Iran’s nuclear facilities; the 2016 cyber-heist of $950 million from Bangladesh involved gullible (or complicit) bankers handing over SWIFT codes to hackers. Similarly, ‘Legion’ has not targeted first-generation Internet users but tech-savvy public figures who presumably use secure phones for communication. This episode underscores the difficulty in protecting digital networks if human involvement continues to be the weakest link in the chain.
The government’s practiced apathy in the wake of cyberattacks has only encouraged their repetition. Post-demonetisation, the Centre has pushed the citizenry to go ‘cashless’, without building capacity and awareness on the security of devices or transactions. If anything, regulators have slid back on commitments needed from businesses to protect digital payments. The Reserve Bank of India’s recent decision to waive 2FA for transactions less than Rs.2,000 treats each individual transaction as a self-contained unit, without acknowledging that devices once infected will also compromise higher-value payments. Frequent data breaches will steadily erode the confidence of Internet users and deter them from using digital gateways. For a government which has staked its future heavily on the success of the Digital India programme, this is an outcome it can ill afford.