
Cybersecurity framework needed

IN PERSPECTIVE
Last Updated 10 August 2021, 23:37 IST

Post-pandemic, cyberattacks have increased globally and in India. There have been primarily three types of incursions. The first and most frequent has been ‘financial crime,’ which grew by 220 per cent annually. As physical cash movement became difficult with the global lockdown, money-laundering went digital. This is estimated to be a $4 trillion industry globally, with just around 1 per cent of the criminals operating in it convicted. Global banks and large economies have shown little interest in checking financial crimes and money-laundering, as they profit from them through indirectly controlled tax-havens. Unlike the UK, the US, or Singapore, India is not a destination of laundered money but a large source of money outflow.

The second is ‘technology pilferage,’ which got global attention after the US accused China of industrial espionage and clamped down on Chinese companies, including Huawei and ZTE. Revelations of how Nortel, once a $220 billion Canadian telecom giant, was infiltrated by hackers soon after Huawei became its hardware vendor, and of the subsequent rise of Huawei to become a $100 billion technology supplier of 5G infrastructure while Nortel went bankrupt, sent shockwaves across the technology world. Major Western nations banned Huawei and ZTE. Though India did not, it banned 59 popular Chinese apps, including TikTok, ShareIt, WeChat and UC Browser, on charges of data pilferage amid the India-China border stand-off. In March, India initiated the criterion of ‘trusted procurement source’ under which telcos must inform the National Cyber Security Coordinator (NCSC) about the procurement of gear and services from vendors and take approval. The list excludes Huawei and ZTE.

The third area of concern is ‘cyberterrorism’ that has alarmed most global leaders, bringing about the possibility of serious international cooperation. This is because terrorism affects governance and political control. Hackers, including criminal gangs, State-backed threat actors, opportunistic cyber mercenaries and ‘black hat’ activist hackers have all attacked and exploited key vulnerabilities in over a dozen nations. They have demonstrated technological competence and attacked banks, healthcare, water and the energy sector, including many Microsoft Exchanges, Google and Facebook servers, and even demanded a $50-million ransom after attacking Taiwanese computer-maker Acer.

India has been subject to cyberattacks in at least three sectors since last summer. In June 2020, after the Galwan Valley clash, 24 of 101 servers of the J&K Power Board were hacked and their data deleted. Later in October, attacks on 10 power assets across India were carried out by Chinese State-backed hacker group ‘Red Echo’, including on the Load Dispatch Centres of Delhi, Telangana and the Eastern, North-Eastern and Western grids. The attack, which also disrupted Mumbai’s local trains, was a warning to India to back off in Ladakh, according to the New York Times. Attacks against power grids are done by hackers to demonstrate their capability to disrupt.

India’s healthcare sector also came under cyberattacks recently for ‘technology pilferage’. Infiltration attempts were reported at Serum Institute of India (SII), Bharat Biotech and Dr Reddy’s Lab, besides a fire at SII that damaged equipment worth Rs 1,000 crore, necessitating hardware procurement off-the-shelf.

Attacks on India made up 7 per cent of all global cyberattacks, reported IBM Security X-Force, with attacks on the finance and insurance sectors accounting for 60 per cent of them. In November 2020, HDFC Bank’s main datacentre suffered yet another power outage, reportedly due to a cyberattack. The RBI pulled the plug on new credit card acquisitions and digital initiatives in Artificial Intelligence and Machine Learning under HDFC 2.0, directing the bank to address security concerns first, and appointed a technology firm to audit the bank’s IT infrastructure. The suspension of NSE trading last month was reportedly due to cyberattacks. The SBI’s YONO app faced several customer complaints, and other banks that suffer frequent server outages are not reporting them due to fear of regulatory action and a crash in stock prices.

Both the Government of India and the private sector are reluctant to disclose data breaches. Most believe that going offline is adequate protection against cyberattacks, but that is not so. Malware is being spread through USB ports, routers, computer and networking hardware and even firewalls. Future cyberattacks could be crippling. The Ukraine model used by the Russians shows that hackers keep bleeding the information network. The idea is not to shut down networks completely but to keep them tripping and explore new vulnerabilities.

The US has a PPP model for cybersecurity. A noted cybersecurity expert of the Indian Army says that the situation is bad because most politicians and bureaucrats can’t assess the technology or defence mechanism needed.

“There is no expert technical lead in the field with adequate powers to devise a defence framework. Initially, 16 infrastructure areas were identified to be protected, which was subsequently reduced to six. But not a single sector has an adequate defence strategy.”

(The writer is a Delhi-based journalist and author of three books on economic governance)

(Published 10 August 2021, 14:19 IST)
