By Shivanand Pandit
Cyber security cases are skyrocketing in India, making India the third most wedged by network attacks in the world. According to the latest information, till June 2022, India has reported more than 6,74,000 cyber security cases—almost 3,700 cyber attacks a day! From banking and financial organizations to Covid-19 vaccine research centres to PSU major Oil India Limited—a variety of establishments came under cyber attack during the two years of the pandemic. Overall, health and banking were among the sectors that were hit the hardest. While these attacks were effectively thwarted, these have emphasized the necessity for a continuous vigil and global support or cooperation.
The Union Minister of State, Home Affairs, Ajay Kumar Mishra, in a written response to a question in the Lok Sabha, said that a total of 3,94,499, 11,58,208, 14,02,809 and 6,74,021 cyber security incidents were detected in 2019, 2020, 2021 and 2022 (till June), respectively, in India. He also said that the information was reported to and observed by the Indian Computer Emergency Response Team (CERT-in).
According to Mishra, the government has implemented several actions to improve cyber security and stop cyber attacks, including frequently releasing several warnings and advisories about the recent ongoing cyber threats and security faults and providing security actions to protect computers and networks. The minister also mentioned that the government manages an automated cyber threat exchange platform in order to proactively collect, examine and share personalized warnings with organizations across different sectors for them to take proactive risk mitigation activities. He added that the government has established rules for chief information security officers, specifying their key tasks and responsibilities for protecting apps and infrastructure and appointed 97 security auditing establishments to support and check the applications for information and best security practices.
There were numerous cyber attacks that happened in the previous two years. According to the report released by cyber security firm Acronis, one in every two Indian companies faced cyber attacks at least once a day during the pandemic and 16% were attacked each hour.
Razorpay, an online payment gateway, declared hackers stole Rs 7.3 crore worth of funds in 831 transactions over a term of three months. As per the report, unauthorized players with malicious intentions manipulated the approval procedure of the gateway to validate these transactions.
In 2021, as a result of the cyber attack on Juspay—a developer of an online platform designed to be used for mobile-based payments—data of more than 100 million client customers, including those of Amazon, Flipkart, Airtel and Jiomart was leaked and sold on the dark web for bitcoins worth $6,000.
The government-managed oil and gas abstraction entity, Oil India Limited, reported a few cases of cyber attacks between October 2021 and April 2022. The public sector company also traced a ransom note on one of the infected computers, insisting on approximately Rs 58 crore.
The attack on Oil India in Assam in April 2022 was one of the most severe events of ransomware attacks. There were more than 200 computers of Oil India that got encrypted during the attack and operations of the company came to a halt for almost seven days.
Tech Mahindra—an Indian IT company which administers the Smart City project for Pimpri Chinchwad municipal corporation—filed criminal information about a ransomware attack that caused a loss of around Rs 35 crore in March 2021.
The data of almost 10 crore users for Mobikwik, a mobile wallet and payments application, was on sale on a hacker assembly on the dark web in 2021. The data is said to have comprised KYC details for many of the users, such as Aadhaar cards, signatures, etc.
In February 2021, a complicated hacking attack on SITA-Air India’s passenger service system provider resulted in the theft of the personal data of nearly 4.5 million passengers. Regular flyer information and credit card data were affected due to the violation.
In May 2021, data linked to 18 crore orders of Domino’s was made public on the internet. Anyone could see who and how many customers ordered their pizzas on the internet.
In June 2022, SpiceJet cancelled a slew of flights after being targeted by a ransomware attack. An attempted ransomware attack compelled SpiceJet to halt all flights, triggering huge delays and cancellations.
India has to fight fire with fire. Currently, more than 3,800 government services in India are offered over the internet. At the present trend, the worth of digital disbursements in India will increase three-fold, close to 1 trillion dollars in the financial year 2026 and India will have 1 billion smartphone operators by 2026. Moreover, around 32% of India’s population is on social media! These are big numbers and indicate the immensity of cyberspace that India must secure. On the other hand, India is also witness to increasing cyber attacks and their growth of 200% year-on-year has been estimated. The government’s current Digital India drive and the Reserve Bank of India’s proposed Central Bank Digital Currency may only add to the list of vulnerabilities.
The question is: Is India prepared to safeguard its critical infrastructure from cyber attacks? The information available on government cyber security spending portrays a different picture. In the Budget 2022, the government mentioned it would spend Rs 515 crore on cyber security in 2022-2023. It represents a decrease from Rs 552.3 crore spent on cyber security according to the revised estimates for 2021-2022. Actual government spending on cyber security has constantly stayed less than the budgeted estimates. For instance, it had spent around 88% of its budgeted amount on cyber security in 2016-2017, and in 2020-2021, it was only able to spend 53% of the budgeted amount. This is not a healthy trend.
The use of cyber attacks during the war in Ukraine shows that India should review its cyber protection strategies. It also needs to give equal thought to constructing a deterrent cyber-offensive capability. It is unfortunate that the government is taking a long time in finalizing a National Cyber Security Strategy.
At present, the country’s policy is defensive and has a narrow focus. It targets to reinforce vulnerabilities only in civil, government and military properties. However, a considerable amount of critical infrastructure in India is erected and handled by the private sector. Private organizations also possess troves of delicate personal data. Therefore, any new strategy must guarantee that the private sector has adequate cyber security cover. The new strategy must also recognize that the capacity to counter attack is often the best defense in a cyberwarfare.
Compared to China’s cyberwarfare competencies, India has a lot of catching up to do, both on the aggressive and defensive fronts. India’s readiness is almost non-existent, even in defensive actions, leave alone offensive. To grow these abilities, India should invest in infrastructure, funds, cryptography capabilities, developing indigenous tools, and most notably, talent. All the talent that survives today lies with private hackers, with little or no skills outside the government.
China has been preparing its cyber security strategy for over two decades and India is still taking baby steps. India’s new cyber security instructions, published in April 2022 by CERT-In, have disturbed industry players as they challenge standards of user privacy. Though they were formerly supposed to be in effect from June 2022, the compliance deadline has now been postponed till September 25, 2022.
Many industry players have conveyed dissatisfaction and disappointment over the new instructions, pointing many loopholes in the practical use of the instructions. Firms like NordVPN, Surfshark, have said that they may not be able to observe the new rules, while some have gone to the extent of planning an India exit—quoting privacy concerns of their users. Also, several other issues, namely limited server availability, staff capacity constraints, increased financial burden, etc are being referred to as causes for the non-practicability of complying with these directives.
The Personal Data Protection Bill has been moving through Parliament since 2019. It preserves key principles of what personal data is, how it can be handled, and where it can be stored. Nevertheless, the Bill is probably being outdated by a Privacy Bill before it is even implemented, which could take more time still.
Although the government prides itself on introducing a number of plans for cyber security, such as the Cyber Surakshit Bharat initiative, Cyber Swachhta Kendra, online cybercrime reporting portal, Indian Cyber Crime Coordination Centre (I4C), and National Critical Information Infrastructure Protection Centre (NCIIPC), it has a long way to go in achieving credible cyber security.
—The writer is a financial and tax specialist, author and public speaker based in Margao, Goa