The Airbus A380 has reached its optimum height and the captain has turned off the seat belt sign. I am flying back to New York via Dubai after spending two weeks in India, first catching up with my family and friends in Northern India, followed by a visit to Bengaluru, the Silicon Valley of India. The city never ceases to amaze me. In the last two years, there have been a lot of changes, but the biggest one—demonetisation—had occurred just a couple of weeks before I landed in India.
People with polarised opinions argued it out with each other, debating the pros and cons of the move. Yet, what I found more perplexing was the near-sightedness of the debate and the utter lack of understanding of the real problem. People are only bothered about the lack of currency in the banks and ATM machines but completely silent over the cashless hurricane that awaits them. During my time in India, Twitter accounts of a few celebrities were hacked and the media portrayed it as if this was the worst cyber attack that could happen. My vast experience in cyber security tells me that it was certainly done by some local actor to create media buzz or political turbulence.
Although important, these are not the kind of attacks we need to be worried about. The people in India are yet to experience the worst of the cyber attacks. Consider a situation in which people start losing their hard-earned money to lone wolf hackers targeting individual consumers, because they lack even the basic knowledge to protect their online accounts, e-wallets, or debit cards from unsophisticated social engineering or phishing attacks. At the same time, imagine the chaos that would result from breaches at major banks by organised cyber crime groups.
These criminal gangs would exfiltrate customer data and possibly even transfer real money from the banks' high net worth customer accounts to accounts outside the country. These groups could even bring the banks to their knees, thus collapsing the financial infrastructure, if immediate action is not taken by the government, the banking sector as a whole, and each individual bank. This is the reality that the West has already experienced and what now awaits India.
These are just two kinds of threats to which India is vulnerable. In addition, it is equally susceptible to the other kinds of major cyber threats faced by other countries. First, cyber espionage, which involves unauthorised intrusions into government and corporate networks to steal sensitive information of strategic or commercial value from organisations like ISRO or DRDO. Second, cyber attacks by state and non-state actors aimed at causing temporary disruptions of networks and services like Sensex or telecommunication systems. Third, cyber war, which is a systematic, large-scale assault carried out on critical infrastructures to render them dysfunctional and have a debilitating impact on dependent services like power systems in one or multiple metro cities, or a large-scale attack on banking systems and ATMs, bringing them to a grinding halt and leading to widespread panic and chaos. But, unlike other countries, India's strategy for effective containment of cyber threats does not measure up to the challenges it faces. The National Cyber Security Policy 2013 falls short of what is required to develop effective cyber security capabilities. In simple terms, the policy is “disjointed”.
The disjointedness of the National Cyber Security Policy 2013 is palpable from the stark contrast between the vision, the objectives, and the strategy to achieve them. The policy does not lay out concrete measures that need to be undertaken to achieve the stated objectives. The first and foremost objective is to protect information infrastructure in cyberspace through reduction of vulnerabilities. Yet, the strategy does not lay out any concrete plan for CERT-In for real-time identification and patching of vulnerabilities. CERT-In maintains a database of vulnerabilities, which is by no means real-time. The database lags by at least a week, which makes it obsolete and archaic by global standards.
The policy calls for protection of 'National Critical Information Infrastructure' by creating a national and sectoral 24x7 mechanism through the National Critical Information Infrastructure Protection Centre (NCIIPC). Three years have passed since the adoption of the policy and the NCIIPC is still in its infancy, working under the aegis of the National Technical Research Organisation (NTRO). The policy even fails to identify which sectors will come under critical infrastructure. While in the United States the law has clearly identified 16 sectors under critical infrastructure, in India none of the infrastructure has been identified as critical. The debit card breach that occurred in the month of October and affected 3.2 million consumers is a glaring example of the costs cyber crime can impose on financial institutions and individual consumers. It should be a wake-up call for the government to designate important sectors like finance and banking, energy, telecommunication, defence and space as critical infrastructure.
The cyber security policy calls for early threat warning and vulnerability management. However, it fails to talk about a centralised threat intelligence platform that would enable sharing of cyber threat information in real time among different organisations, thus empowering them through real-time cyber situational awareness.
The policy talks about inculcating cyber awareness and building cyber security manpower of around 5,00,000 through education and training, yet neither has a concrete plan been outlined on how to build it, nor has any action been taken to build the cyber warriors pipeline. The policy also does not talk about promoting indigenous solutions to the cyber threats that India faces.
The cyber threat that India faces is not merely potential in nature but real with high risk. To catch up with the threat, India needs to undertake some essential steps:
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)