Author: Shivanand Pandit
Cyber security cases are on the rise in India, making India the third most cyber-attacked country in the world. According to the latest information, India has reported more than 6,74,000 cyber security incidents by June 2022 – almost 3,700 cyber attacks per day! From banking and financial organizations to Covid-19 vaccine research centers to the largest PSU Oil India Limited—various institutions have come under cyber attack during the two years of the pandemic. Overall, healthcare and banking were among the hardest hit sectors. Although these attacks were effectively thwarted, they underscored the necessity of continued vigilance and global support or cooperation.
Union Minister of State for Home Affairs, Ajay Kumar Mishra, in a written reply to a question in the Lok Sabha, said a total of 3,94,499, 11,58,208, 14,02,809 and 6,74,021 cyber security incidents were detected. 2019, 2020, 2021 and 2022 (by June), respectively, in India. He also said that the information was reported by the Indian Emergency Response Team (CERT-in) and it was noted.
According to Mishra, the government has implemented several actions to improve cyber security and stop cyber attacks, including frequently publishing several warnings and advisories about recent ongoing cyber threats and security flaws and providing security actions to protect computers and networks. The minister also noted that the Government operates an automated cyber threat exchange platform to proactively collect, review and share personalized alerts with organizations across sectors to take proactive risk mitigation activities. He added that the government established rules for chief information security officers, specifying their key tasks and responsibilities for protecting applications and infrastructure, and appointed 97 security audit institutions to support and verify information applications and best security practices.
There have been numerous cyber attacks that have occurred in the past two years. According to a report released by cybersecurity firm Acronis, one in two Indian companies faced cyberattacks at least once a day during the pandemic, with 16% being attacked every hour.
Razorpay, an online payment gateway, announced that hackers stole funds worth 7.3 billion rupees in 831 transactions over a three-month period. According to the report, unauthorized players with malicious intent manipulated the gateway’s approval procedure to validate these transactions.
In 2021, as a result of a cyber attack on Juspay – the developer of an online platform designed to be used for mobile payments – the data of more than 100 million customer customers, including Amazon, Flipkart, Airtel and Jiomart, was leaked. and sold on the dark web for $6,000 worth of bitcoins.
The government-run oil and gas extraction entity, Oil India Limited, reported several cases of cyber attacks between October 2021 and April 2022. The public sector company also traced a ransom note on one of the infected computers, insisting approximately 58 million Rs. .
The attack on Oil India in Assam in April 2022 was one of the most severe ransomware attack events. There were more than 200 Oil India computers that were encrypted during the attack and the company’s operations were halted for almost seven days.
Tech Mahindra—the Indian IT company managing the Smart City project for the Pimpri Chinchwad Municipal Corporation—filed a criminal complaint for a ransomware attack that caused a loss of around Rs 35 million in March 2021.
Data from nearly 10 million users for Mobikwik, a mobile wallet and payments app, was up for sale at a 2021 dark web hacker rally. The data is said to have contained KYC details for many users, such as Aadhaar cards, signatures, etc.
In February 2021, a sophisticated hacking attack on SITA-Air India’s passenger service system provider led to the theft of personal information of nearly 4.5 million passengers. The breach affected regular flyer information and credit card information.
In May 2021, data related to 18 million Domino’s orders was released online. Who and how many customers ordered their pizzas could be seen online.
In June 2022, SpiceJet canceled a number of flights after being targeted by a ransomware attack. An attempted ransomware attack forced SpiceJet to ground all flights, causing major delays and cancellations.
India must fight fire with fire. Currently, more than 3,800 government services in India are offered online. According to the current trend, the value of digital payments in India will triple to close to $1 trillion in FY2026, and India will have one billion smartphone operators by 2026. Moreover, around 32% of India’s population is on social media. the media! These are big numbers and indicate the immensity of the cyberspace that India has to secure. On the other hand, India is also witnessing an increase in cyber-attacks, with an estimated 200% year-on-year growth. The government’s current Digital India initiative and the Reserve Bank of India’s proposed Central Bank digital currency can only add to the list of vulnerabilities.
The question is: is India ready to protect its critical infrastructure from cyber attacks? Available information on government spending on cybersecurity paints a different picture. In Budget 2022, the government said it would spend 515 million rupees on cyber security in 2022-2023. This is a decrease from the Rs 552.3 crore spent on cyber security as per the revised estimates for 2021-2022. Actual government spending on cybersecurity is consistently lower than budgeted estimates. For example, it spent about 88% of its budget amount on cyber security in 2016-2017, and in 2020-2021, it was able to spend only 53% of the budget amount. This is not a healthy trend.
The use of cyber attacks during the war in Ukraine shows that India needs to rethink its cyber defense strategies. Equal consideration should also be given to building deterrence capabilities against cyber offensives. It is unfortunate that the government is taking a long time to finalize the National Cyber Security Strategy.
Currently, the country’s policy is defensive and has a narrow focus. The goal is to harden vulnerabilities in civilian, government, and military assets only. However, a significant amount of critical infrastructure in India is built and operated by the private sector. Private organizations also hold reams of sensitive personal data. Therefore, any new strategy must guarantee that the private sector has adequate cyber security coverage. The new strategy must also recognize that the ability to counter an attack is often the best defense in cyberwarfare.
Compared to China’s cyber-warfare capabilities, India has a lot to catch up on, both on the offensive and defensive fronts. Indian readiness is almost non-existent, even in defensive actions, if you leave the offensive. To augment these capabilities, India should invest in infrastructure, funds, cryptographic capabilities, development of indigenous tools, and most importantly, talent. All the talent that survives today lies with private hackers, with little or no skills outside of government.
China has been preparing its cyber security strategy for more than two decades, and India is still taking baby steps. India’s new cyber security guidelines, released by CERT-In in April 2022, have upset industry players as they challenge user privacy standards. Although they were previously due to be in force from June 2022, the deadline for compliance has now been extended to 25 September 2022.
Many industry players have expressed dissatisfaction and disappointment with the new guidelines, pointing to many loopholes in the practical use of the guidelines. Firms like NordVPN, Surfshark have said they may not be able to comply with the new rules, while some have gone as far as planning to exit India – citing concerns about the privacy of their users. Also, several other problems, namely limited server availability, staff capacity limitations, increased financial burden, etc. are called the causes of the impracticality of complying with these directives.
The draft law on the protection of personal data has been going through parliament since 2019. It sets out key principles about what personal data is, how it can be handled and where it can be stored. However, the Act is likely to be out-dated by the Privacy Act before it is implemented, which could take some time.
While the government prides itself on introducing a number of cyber security schemes such as the Cyber Surakshit Bharat initiative, Cyber Swachhta Kendra, cybercrime reporting portal, India’s Cybercrime Coordination Center (I4C) and National Center for Critical Information Infrastructure Protection (NCIIPC) ), there is a long way to go in achieving credible cyber security.
— The writer is a finance and tax expert, author and public speaker based in Margao, Goa
Comments are closed.