Threats in the cyberspace: Critical systems at risk

Day-to-day operations came to a screeching halt at the All India Institute of Medical Sciences (AIIMS), Delhi, in November last year, when the servers of the country’s premier medical college and hospital were infiltrated by hackers. Investigations that followed revealed that five servers, and approximately 1.3 terabytes of data, were affected, said a Rajya Sabha reply. The medical records and personal data of close to four crore patients were feared to be compromised in the attack.

Barely a week after this incident, hackers allegedly attempted to breach the website of the Indian Council of Medical Research (ICMR) 6,000 times within a span of 24 hours. However, these attacks were thwarted, as the ICMR website firewall remained secure.

Also Read | Cyber resilience requires cooperation

Back at AIIMS, it took more than two weeks for operations to return to normal following the cyber attack. Before the affected servers were identified and examined, the disruption to critical systems had already threatened the security, privacy and health of thousands of patients at the hospital.

Attempts to hack servers, websites and digital databases in India are on the rise. The AIIMS data breach was only one of over 13.9 lakh such attacks reported in the country in 2022. The numbers present a threefold increase from 2019, when 3.94 lakh such incidents were reported, according to a written reply in the Rajya Sabha.

Cyber attacks on critical healthcare infrastructure reveal just how much damage weak security systems can cause in people’s lives. Particularly in sectors like energy, banking, electric vehicles and government databases, the exploitation of vulnerabilities can cause devastating harm.

Public and private organisations have increasingly been at risk of data leakage due to weak passwords and encryption, unsecured Wi-Fi networks, ransomware, spyware attacks and phishing attacks, weak security from Internet of Things and connected devices.

The Rajya Sabha reply attributed the breach at AIIMS to ‘improper network segmentation’. Sound network segmentation protects systems from ransomware attacks as it can isolate the sensitive components within a network. In its absence, if a hacker was able to break into a system connected to the public internet, they could also gain access to other local systems connected to the network. “What happened at AIIMS was a misconfiguration of the system. It is very common, and very preventable,” says Karan Saini, security technologist at Centre for Internet and Society.

A 2022 study by CloudSEK, a global digital risk monitoring platform, indicated that India was the top target in the world for cyber attacks on government agencies.

The primary reason for the spike in attacks targeted at government databases was ‘hacktivism’ — breaking into a system to make a political or social statement.

“We observed that hackers started collaborating more frequently to target and deface websites of organisations with weak security. The methods they use to hack into systems are not very advanced, but are quite common,” says Hansika Saxena, senior cyber intelligence analyst at CloudSEK.

Also Read | Karnataka budget: Govt to create Rs 590 crore cloud-based state data centre

Researchers also note a spike in dark web interactions involving the sale and purchase of ransomware. “We are seeing the emergence of new actors, called ‘initial access brokers’. They gain initial access to systems and sell this to other actors who then deploy ransomware to attack the system,” explains Hansika.

The interest in breaching security systems and accessing personal data is, therefore, at an all-time high, and growing. This brings with it heavy costs. Beyond the monetary cost incurred due to a cyber attack, estimated at $3.6 million per incident according to a 2022 World Economic Forum report, the theft of personal data and the breach of critical systems are serious concerns.

Going digital

Tech experts attribute the exponential rise in cyber attacks, in part, to the rapid digitalisation forced by the pandemic and lockdown. “Unfortunately, this left no time for the proper development of an integrated cybersecurity posture for these companies which had to quickly pivot to an online form of work,” says Sundar Balasubramanian, managing director of India and SAARC at Check Point Software.

The three most heavily attacked sectors in India were healthcare, education/research, and government/military, which saw an 11% rise in the number of cyber attacks last year, according to researchers at Check Point.

Pointing to the adoption of digital services across sectors such as education, finance, healthcare, retail, and even agriculture, Balasubramanian adds, “Many of these sectors experience a host of issues from cloud vulnerability to weak access controls for security, allowing cyber criminals plenty of opportunities to steal data and compromise privacy.”

The problem begins right at the inception phase, says researcher Srinivas Kodali, likening the development of digital systems to construction. “As in the case of building bridges, when engineers design them to withstand accidents and natural disasters, software engineers too, have an obligation to build safe systems,” says Kodali, who works with the Free Software Movement of India.

However, in many cases, the volume of work and underfunding of projects cause such tasks to be contracted out to professionals who do not have sufficient expertise or experience to ensure necessary safeguards are in place.

This is exacerbated by the lack of consequences associated with developing unsafe systems. “While every mistake made during development is exploited by hackers, there is no means for accountability,” Kodali adds.

Also Read | Cyber criminals using ChatGPT to create malware, do phishing

In January, reports arose of a data leak from ‘Diksha’, a public education app managed by the Union Ministry of Education. The cloud server that stored personal details such as full names, e-mail addresses and schooling history was left unsecured, compromising the personal information of nearly six lakh students and teachers.

The case evidenced the ineffectiveness of reporting mechanisms, when attempts to flag the leak via the app support email yielded no results. It was only when the NGO supporting the app was contacted that the data was taken offline.

The absence of accountability is stark, as most often, the leak is patched and no one is held responsible, even though the data could already have been stolen and put on sale.

This is far from an isolated incident, according to several cyber security researchers. Saini, for instance, has uncovered user data leaks and vulnerabilities in the Unique Identification Authority of India (UIDAI)’s systems numerous times in the past five years. “I have tried to get in touch with UIDAI, but they never got back to me. However, the issue would be fixed soon after I publicly disclosed the issue,” he says.

Saini adds that security researchers are often discouraged from reporting the vulnerabilities to the Indian government because of the lack of a supportive, collaborative and safe environment.

The importance of collaborating with cyber security researchers is being overlooked, says Tejasi Panjiar of the Internet Freedom Foundation. “Breaches and vulnerabilities are either not discovered, or not disclosed, due to the lack of a robust and safe vulnerability reporting mechanism,” she explains.

Tackling attacks

As the incidence of cyber crime has sharply risen, the speed and capacity of police and investigative units, too, have significantly improved, says S D Sharanappa, Joint Commissioner of Police (Crime) Bengaluru. “There are designated teams of people manning the 24x7 helpline (112) for the Cybercrime Incident Report (CIR) facility. When an incident is reported, accounts can be traced and frozen within 15 minutes,” he says. He emphasises the need for immediate reporting to ensure cybercrime is tackled within the “golden hour” to prevent serious damages and loss.

In cases of most large-scale cyber attacks and data breaches, however, companies report to the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology. This is the national nodal agency for responding to cyber security incidents. “Attacks of a critical nature, on financial institutions or public services, are handled by CERT-In. They look into such incidents and take corrective action,” explains Prashanth Sugathan, legal director of the Delhi-based Software Freedom Law Centre.

CERT-In has a round-the-clock helpline as well, with rapid response teams.

Its major shortcoming, however, lies in the absence of follow-up communication, Prashanth points out. “After a cyber attack, there is a need for a clear report on what went wrong and what action was taken to correct it. Even when positive steps are taken, we are not aware of how the data breach was resolved,” he says.

In its mandate, CERT-In is required to empanel information security auditing organisations for “vulnerability assessment and penetration testing of the computer systems, networks and applications involving public service delivery” according to a Lok Sabha reply.

However, whether these audits are a reality, and if they are regular, comprehensive or only perfunctory are questions yet to be answered. “There is no clear definition of how often or how extensive these audits are,” says Prashanth.

Policy

On the policy front, the recent Digital Personal Data Protection Bill requires companies to notify users in case of a breach. Cybersecurity rules were strengthened in 2022, with the release of guidelines under the IT Act, 2000. These rules require tech companies to report data breaches within six hours of discovery and to maintain IT and communications logs for six months.

While some have hailed this as an important step towards accountability, “the lack of consultation in developing the guidelines has resulted in a solution which does not have much nuance or practicality, ” says Tejasi. The fairly broad exemptions granted to government agencies, vague definitions, and ambiguity of provisions on data retention present more concerns, she adds.

“Many companies see the rules as a regulation hassle, rather than a means to secure customer data even when they have the resources to make these changes,” says Saini. Though these requirements are the bare minimum, companies meet these standards only to avoid the consequences of non-compliance.

A passive approach and failure and refusal to take ownership to build secure systems ails India’s cybersecurity space.

In a cybersecurity landscape where attacks are growing in number, threat actors are evolving and their techniques adapting, ambiguous policy and lack of accountability puts India’s vast array of systems at risk.