Is the cyber security threat real? I am sure most of us would answer affirmatively but do not realise the real danger, especially in the context of government organisations. To put things into the right perspective, here is a statement: “Water treatment plant hacked, chemical mix changed for tap supplies”. Is this really feasible? The answer is yes, and why not? After all, we do have IT systems in a water treatment plant, and where there is an IT system, it is hackable. In fact, during one targeted ransomware attack exercise, the researchers were able to shut down the valves, adjust chlorine levels and also falsify readings of a simulated water treatment plant.
Even if some people feel that this was a simulated exercise, those having a minimal knowledge of computers would appreciate that such a situation is not distant. And with respect to India, are we prepared for such a situation? While India embarks upon a new journey of Digital India with the coming together of ‘Smart Cities’, Internet of Things (IoT), Artificial Intelligence, Big Data, smart mobiles, Cloud Computing and social media, the cyber threat is manifold. As compared to the scenario some 10 years ago, where we had a hacker or group of hackers bringing down a system, today we hear of incidents which are motivated or even sponsored by State actors.
A country like India, which is among the fastest growing economies in the world, readily catches attention. And the threats are growing exponentially. The Hon’ble Prime Minister of India has aptly termed it a ‘bloodless war’, the threat of which looms over the whole globe. Keeping aside the hullabaloo around Aadhaar and privacy concerns, do we really feel that the Aadhaar repository is immune to any cyber-attack? I am sure the Government of India would have accorded its highest priority and resources to securing the one billion plus biometric data. But we can never be fully confident, and it will be an ongoing war between the hackers and the government – a war which the government cannot afford to lose even once.
And it is not only Aadhaar; we have a large bouquet of IT systems including our banking system, GST system, railways network and national grid, all of which are critical. As governments are becoming more open and digital, it is imperative for them to fortify their IT systems. While it would be naïve for anyone in the government to claim to be 100 percent secure, there is a clear indication that those in the government have started realising the risk and know that this is something which cannot be avoided. The threat is real and can come at any time.
The Government of India has already started taking steps in the right direction. While the Cyber Security Policy 2013 outlined the broad roadmap, including the strategies for not only preventing but also responding to attacks, it is now agencies like the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC) and the Ministry of Electronics and IT (MeitY) which are spearheading India’s response to the looming threat. Needless to say, the need of the hour is a more coordinated effort which should involve central ministries and state governments. Given the financial and reputational impact of a cyber event, organisations the world over have started addressing security at a strategic level. Organisation structures are being changed, and the presence of a chief information officer who reports directly to the CEO has almost become a norm.
Taking a cue from this, and given that government systems are no less important, the Government of India has also asked all its organisations, including PSUs, to appoint chief information security officers (CISOs). CISOs have already been appointed in a large number of organisations and are playing the role of change agents towards building a digitally resilient government.
The Government of India has already issued detailed guidelines with respect to the roles and responsibilities of the CISOs, as well as best practices. Another crucial factor in handling cyber related incidents is the time of response. Sometimes it is a matter of minutes – a small window of vulnerability which the hacker is looking to exploit. Many a time we have witnessed that the original equipment manufacturer (OEM) has already released a security patch while the user department is unaware of the patch released or is still awaiting approval to apply the patch.
This obviously is not a technical issue but a management issue. Many people don’t know what to do when an event occurs. No process or plan is in place. With respect to government organisations, MeitY has already proactively prepared a Cyber Crisis Management Plan (CCMP) for countering cyber-attacks and cyber terrorism, which is to be implemented by all the key ministries/departments of the Central Government, State Governments and Union Territories. This CCMP provides the strategic framework and guides actions to prepare for, respond to and coordinate recovery from a cyber incident. The Cyber Crisis Management Plan is updated periodically to accommodate the changing cyber threat landscape.
Ironically, many States, UTs and PSUs are still unaware of the plan or are only in the nascent stages of plan formulation. A Botnet Cleaning and Malware Analysis Centre – Cyber Swachhta Kendra – has also been set up by MeitY (and is operated by CERT-In) with the aim of detecting botnet infections in India and notifying end users, enabling them to clean and secure their systems so as to prevent further infections. The Kendra works in close coordination and collaboration with ISPs and product/antivirus companies.
The web portal of the Centre, www.cyberswachhtakendra.gov.in, is host to some very useful information, best practices and security tools for ensuring end point security by users, including on their mobile devices. Given the importance of creating secure government applications, the Government of India is also strengthening the security auditing and testing of its software. Ten new STQC labs have started coming up, especially in Tier-II cities.
Recognising the importance, MeitY has already directed all ministries, departments, State Governments, UTs and critical sectors like defence and power to earmark 10 percent of the annual IT budget to implement cyber security. This will give the necessary push to governments at various levels to better respond to the war against cybercrime. While the capabilities for handling cyber related situations are limited in the government, MeitY has recognised this gap and recently launched the ‘Cyber Surakshit Bharat’ initiative under its Digital India programme.
It is a unique and first of its kind PPP engagement which aims to pool the rich expertise of Indian industry towards building capacities from within the governments and PSUs for managing cyber security. Its three pillars are awareness, education and enablement. Leading technology companies like Microsoft, Intel, Dimension Data, Wipro and RedHat are its founding partners. MeitY has also roped in E&Y, Palo Alto Networks, FIDO Alliance, IBM, Dell EMC, CDAC, CERT-In, NeGD and NIC as knowledge partners. While the Government of India has taken a slew of steps towards cyber security, there is a long journey ahead. Vulnerabilities exist not only in our data centres or networks, but also in a large number of end points like desktop computers, laptops, mobiles, etc., which are usually handled by employees who have little cyber-hygiene.
There is a lack of awareness, but a little sensitisation can work wonders. The Government of India and many state governments have already started awareness generation and capacity building programmes. Simultaneously, we also need to be aware of our vendors. A vulnerable system of our partner can allow hackers access to a connected government system. Although significant capital investment is required to secure our government systems, I am not advocating that government organisations spend indiscriminately on cyber controls; it would be appropriate to adopt a risk-based approach to cyber security.
We need to first identify which systems are important to us or are critical information infrastructure (CII) and direct measures according to the risk profile of the resource. Some states and sectors are already undertaking a comprehensive exercise to classify their infrastructure on the basis of risk profile, but this is something which a government at any level should do. There is also a need for more aggressive participation by the States and UTs, without which true success would not be possible. Various government agencies at the central and state levels must shun silos and work in close coordination. The capacity building process has already started, but we need to invigorate the pace.
It would not be inappropriate to say that India needs a well-equipped and informed ‘cyber-army’, especially in the government organisations. I would say that although the journey of making India truly Digital India has begun, we should endeavour to make it a ‘Cyber Secure’ Digital India, where government organisations not only utilise the technologies to the fullest for the betterment of the people of India but at the same time are digitally resilient so as to withstand any cyber attack, be it external or internal.
ABOUT THE AUTHOR: The author has more than 14 years of experience in e-Governance consulting and IT program management. He has rich experience, having been associated with more than 50 IT projects spanning both MNC and Government organisations. He is currently working as Sr. Consultant with the National eGovernance Division (NeGD), MeitY, Government of India and is associated with the Chandigarh Administration for undertaking various IT and e-Governance projects. He is an alumnus of the prestigious IIM, Lucknow and also holds a bachelor’s degree in engineering from PEC, Chandigarh. He has also been certified by PMI-USA, UNAPCICT and the University of Cambridge.