'Legion' Cyberattacks Put Spotlight on Security Shortcomings
What Does India Need to Do to Defend Against Emerging Threats?
The hacking group known as Legion recently took credit for hijacking the Twitter accounts of the Indian Congress Party and its vice president, Rahul Gandhi; business tycoon Vijay Mallya; journalists Barkha Dutt and Ravish Kumar; and other high-profile Indians.
The group also claims to have accessed more than 40,000 servers in India, including servers of Apollo, the nation's leading private hospital chain, according to The Indian Express.
In correspondence with The Washington Post, a Legion representative claimed responsibility for the attacks and said the group intends to compromise the government's official email domain - sansad.nic.in. The group also is threatening to wage expansive cyberattacks on India's critical infrastructure, including banking technologies and healthcare.
Government departments and ministries acknowledge that India's digital assets are vulnerable to espionage and disruptive attacks. As a result, the Ministry of Electronics and IT, or MeitY, is beefing up CERT-In's capabilities, deploying ethical hackers and enhancing auditing capabilities of payment platforms. But is that enough?
The Legion attacks surfaced when India was undergoing demonetization and digital transformation of the economy, further exposing vulnerabilities in the nation's systems, says Delhi-based Dr. Govind, former CEO at National Internet Exchange of India and former senior director, Ministry of Electronics and IT.
"There's a dire need for all stakeholders to come together, build massive public awareness and install a robust system to ensure that cybersecurity is, and always will remain, a priority," Govind says.
A Call to Action?
Some security experts say Legion accessed a Secure Sockets Layer certificate that an Indian bank's website uses to validate its authenticity to a user's computer or mobile phone. That, they claim, paved the way for the group to easily retrieve confidential login information and cause unmitigated financial loss.
Clearly, India's approach to data security comes up short. The central government has yet to identify and implement adequate measures to protect critical infrastructure and its efforts have always been haphazard.
The National Cyber Security Coordination Centre, set up in 2015, still does not have liaison officers in the states. And CERT-In is woefully understaffed.
Plus, the National Informatics Centre, which hosts the government's mail servers, has been compromised several times. Users did not use two-factor authentication to access sensitive government communications.
One thing is clear: It's time for India to ramp up its data security efforts.
Stepping Up Security
As Govind says, security vulnerabilities will lead to more hacking incidents if India goes digital without appropriate security controls.
Consider these statistics released by the central government that demonstrate digital growth in India:
- Internet users in India are expected to grow from today's 400 million to 720 million by 2020.
- Digital payments increased as much as 1,000 percent in the month after the demonetization effort was announced (not including Master and Visa card transactions);
- Transactions via e-Wallets increased from 17 lakh daily to 63 lakh daily, and their value from Rs 52 crore to Rs 191 crore;
- The volume of transactions using Rupay cards increased from 3.85 lakh per day to 16 lakh per day and value from Rs 39.17 crore to Rs 236 crore in 2015.
Reacting to Legion's threats, Ravi Shankar Prasad, India's minister for electronics and IT, has pledged to strengthen the central government's data security capabilities. For example, MeitY will boost CERT-In by deploying ethical hackers to conduct regular pen testing and discover vulnerabilities.
The IT ministry plans to hire 26 new infosec professionals in CERT-In and set up regional CERTs in five states. It also plans to propose amendments adding security measures to the Information Technology Act for tackling cybercrime.
Govind says the IT ministry should step up security measures, including policy, legal and R&D, and empower cyber wings of law enforcement agencies to take strict action against attackers.
How Much is Enough?
Many experts contend that CERT-In has made inadequate progress in achieving its goals. There's a clear need to move beyond formulation of policies and reporting of data to actually executing its policies and developing an effective incident response mechanism.
It's time for CERT-In to establish an effective intelligence gathering mechanism and develop pre-emptive threat intelligence. It should issue real-time alerts, guidelines and emergency measures.
The government is setting up a botnet centre to provide alerts to consumers when their systems have been compromised, which is a good move. The botnet centre's website enables consumers to download anti-virus software.
But MeitY has to devise a comprehensive, practical cybersecurity policy, especially considering factors like smart cities, Digital India and the rapid growth of the internet of things.