Indian app startups are vulnerable to international cyber-terrorism, says a Silicon Valley VC
Background:
Deepak Jeevan Kumar is a principal at General Catalyst Partners and invests in cloud computing, big data and cybersecurity. He recently wrote a post on forbes.com titled “The App Economy: A Ticking Cybersecurity Timebomb”. Here is a link to that article.
YourStory catches up with him to discuss the impact of the App Economy on the Indian startup ecosystem and its users. Here are a few interesting excerpts from the conversation.
What do you think about the importance of cyber security for Indian startup companies who are linked to The App Economy?
Nehru once famously said, “Dams are the temples of Modern India”. In today’s context, I would say that apps are the temples of 21st century India. They are more important to our everyday lives than we think they are and they need to be secured extremely well.
Many recent security breaches are undertaken by international “cyber-terrorists”. There have been multiple instances of Chinese and Russian hackers attacking US tech startups and bigger companies. As India becomes an App Economy superpower, we can expect to see a few big attacks in the future from different international cyber-terrorists. Cyber security is at least as important, if not more, for Indian startups. For example, imagine an attack bringing down justdial.com or makemytrip.com or myntra.com even for a few hours. That incident could have a big impact in finding local businesses or booking air travel or ordering goods online.
The US and Indian startup ecosystems are very different in terms of cultural and local context, among other factors. In today’s world, Indians use most of the apps developed in the US. What kind of security challenge may it raise for Indian users?
I think such over-reliance on US made apps causes availability problems and security issues for Indian users. Let’s assume that for some strange reason, Whatsapp is attacked and is not accessible in India. 20M Indian mobile users of Whatsapp will be in a communication limbo. More than 90% of services used by Indian users are probably not Indian apps. This is in stark contrast to Russia and China where the most common apps are made by local companies that store data in local data centers. Russia and China have their own versions of Facebook, Twitter etc., India does not. Most of India’s social networking data lies in servers outside India. I am not calling for a total change here but want to bring attention to simple diversification of risks. Let’s have a few local successful communication and social networking startups like in China and Russia. Indian VCs and entrepreneurs should recognize this empty “blue ocean”.
Let’s dig in to a few additional perspectives here. What points should Indian Internet users keep in mind, such as “data” being stored in other parts of the world, while using apps made in other countries?
First, your data is available to the whole world beyond your borders. This is especially relevant if you are communicating serious business dealings over social apps like Whatsapp. People in the government and the army should be most aware of the risks around sensitive communication being available to foreign intelligence agencies. Do not store sensitive photos on iCloud! If you are using cloud services like Dropbox or Salesforce, the risk of normal business disruption is high if any of the undersea submarine cables are cut due to shipping or other accidents. India has suffered from such disruptions in the past, but for basic Internet access.
The development of the Cloud Economy and the App Economy will make such disruptions life threatening to businesses dependent on foreign app & cloud services. Most of these services are multi-tenanted, which means that the same physical hardware can be shared between multiple customers including competitors. A security loophole there can expose your data to competitors.
Indian startups can also use the services of a new emerging set of companies within the security audit services industry to develop robust applications.
There is a lot of discussion about data security and data privacy. What do you think Indian App developers should keep in mind while developing these apps?
Firstly, make sure you patch your code with the latest security patches that are available for nginx, mongo, MySQL and all other software you use in developing your apps. Most of the attacks occur against known unpatched vulnerabilities rather than against unknown vulnerabilities. If you are storing sensitive information such as physical addresses of customers, phone numbers, credit card information etc., hire penetration testers frequently. Make security audits a part of your app release cycles. Store only encrypted data where possible. If you are using Amazon cloud services, have your app running on multiple availability zones to minimize downtime. Also, read the data privacy policy of each country where your cloud service provider stores your data. If your audience is outside India, you will also be governed by data privacy laws of other countries. The terms of service of your app should be appropriately written to avoid costly legal battles.
Can you provide our users an example of cyber security challenges that project such as Aadhar (a unique identification project for every Indian, similar to Social Security Number in the US) need to address while implementing such large-scale projects?
National identification projects such as Aadhar always make life easy for the population but also create a few security challenges. Singapore’s NRIC system and the Social Security Number system in the US work in different ways. In the US, the social security number is almost like a password that controls your identity and financial abilities. It can be used to open credit card accounts, take a loan etc. It is advised that people do not give out their SSN to others. Singapore has restricted the use of the NRIC to mostly basic identification purposes. The security implications for end users will depend on the ‘power’ of the Aadhar ID. If one can just take out a loan by keying in the Aadhar number on a bank website, it would require a much more sophisticated understanding on the part of the general population. We will have to see how this rolls out. Some basic precautions to take: do not post a photo of your Aadhar card on your Facebook profile or send it out on WhatsApp, do not leave photocopies lying around at your desk and guard it like you guard your house keys.