India Inc, the RBI and Parliament All Failed Indian Cyber Security in 2016

2017 will need to see less of the carrot and more of the stick in order to persuade India's institutions to prepare against an ever-increasing number of cyber security threats.

Looked at one way, 2016 was a normal year for cyber security in India, with businesses and government carrying on as usual. Looked at differently, it was a banner year for breaches, from Twitter accounts being hijacked and health data being stolen to debit cards being compromised. In either view, ask security experts and they will tell you the situation is deeply concerning.

It was a normal year because, despite growing threat levels, the government, regulators and private industry continued with business as usual and took no major steps to meet the threat. There was no new legislation on data breach disclosure or privacy protection, which many policy experts have long said is required. One could take a news article on cyber security from a year ago and, aside from one or two minor details, it would apply just as well now, whether it described a litany of security failures by India Inc, the non-disclosure of data breaches or the lack of spending on cyber security.

So why isn’t anything changing? Quite simple, say security experts. There is no compelling reason to do so. Take banks, for example. “The financial industry is regulatory driven, if there is no stick and it is all carrot, it will not work,” says Sastry Tumuluri, former Chief Information Security Officer of Haryana.

The same goes for many other sectors, e-commerce among them. If an online retailer's systems are breached and credit or debit card data is taken, the retailer is not compelled to report it, and doing so may only hurt its brand. For the individual this means that if their card data is stolen and unauthorised charges follow, they have no way of knowing where the breach occurred. There are no clear liability rules for such cases, so depending on the individual's bank, they may or may not be held liable for the money that is stolen.

On the matter of limiting liability, it seemed as if the Reserve Bank of India was set to act. A draft RBI measure to limit customers' liability for unauthorised transactions following a breach went through a public comment phase in August, but as of the end of December the RBI had yet to issue a final regulation.

So it would not be entirely accurate to say that no progress was made. The Reserve Bank of India also put out a notification titled "Cyber Security Framework in Banks" that laid down guidelines and best practices and imposed a reporting obligation on banks. In response to a right-to-information request filed through YouRTI.in, the RBI reported that from June through October banks reported 19 incidents, taking pains to clarify that only "unusual" incidents need to be reported. There are no criteria for what counts as "unusual", which leaves banks a great deal of discretion not to report incidents.

The 19 incidents included ransomware attacks, DDoS attacks and "skimming card attacks". In the same response the RBI stated that it did not know how many customers were affected, and it refused to disclose which banks were affected since that "may undermine the economic interest of FIs (financial institutions)." Nor is there any clarity on when, or whether, the RBI will inform the public of breaches. So even when the RBI is informed, a customer of one of these banks may be left in the dark as to whether their accounts are safe.

In October, news reports surfaced of up to 3.2 million debit cards being at risk due to a breach of back-end systems connected to ATMs. The incident came to light only because banks began instructing customers to change their PINs. The RBI does not mention it in its RTI response, and if it was aware of the breach, it did not inform the public.

Slowly awakening CERT-In

The agency charged with protecting India’s Internet, CERT-In, appears to be waking up to the threats. In October a request for proposals was issued for the “Supply, installation, implementation, integration & commissioning and operationalisation of Cyber Threat and Situational Awareness setup at CERT-In.” The proposal period closed in December and the entire timeline is supposed to take 365 days, which seems quite ambitious.

CERT-In also launched a "botnet cleaning and malware analysis centre", which essentially links to a private company's free "botnet removal tool". The tool may have some effect if PC owners download and run it periodically, but the Mirai botnet that disrupted Dyn was built mostly from compromised non-PC devices such as IP cameras, digital video recorders and home routers, and desktop penetration in India is insignificant compared with many other countries.

The legislative arm of government saw no need to act this year. Members of parliament raised about 50 questions on cyber security in the Lok Sabha and about 30 in the Rajya Sabha. When asked whether India needed new laws, the Finance and Information Technology ministries, to whom the questions were put, gave the same standard response: "The Information Technology (IT) Act, 2000 provides a comprehensive legal framework to address the issues connected with cyber crime, cyber attacks and security breaches of information technology infrastructure".

Bear in mind that this law, the IT Act, 2000, was considered by some to be outdated as early as 2004. In 2000, 16 years ago, India was a nascent Internet society with a minuscule number of Internet users and few connected devices. Those who drafted the law could hardly have anticipated the number of connected devices and the volume of international traffic that now flow into India. The punishments laid out in the law mean little to someone in another country mounting an attack to penetrate a bank in India or to take down an e-commerce site.

While most cyber-threats could be classified under the offenses in the IT Act (2000), security experts and policy think tanks suggest additional laws and bodies to buttress India’s cyber-security.

Kaushal Dalal, Managing Director for India at the security company FireEye, said in an interview that India needs a breach disclosure law, board-level accountability for cyber security failures in private companies, comprehensive guidelines from the RBI and updated cyber security laws across the country.

Asked in December whether the government plans to introduce new laws on data protection and disclosure, the Ministry of Electronics & Information Technology responded that there were no such plans.

Individual states in India also have a responsibility to tackle crime, including cyber crime. At present a large fraction of cyber crimes are never investigated and the number of prosecutions is minuscule. News reports nevertheless paint a rosy picture of progress in a few states. It would indeed be progress if those efforts raised the number of prosecutions.

Looking back at the breaches of 2016, Dalal of FireEye says they may have raised awareness enough to provoke action. These include the compromise of several Twitter accounts, among them those of Rahul Gandhi, the Indian National Congress, the well-known journalists Barkha Dutt and Ravish Kumar, and Vijay Mallya.

Other incidents involved the defacement of several websites of Indian missions abroad, including the consulate in New York. Another was the "hack" of the Narendra Modi app, which was in fact direct access to the app's back-end server, bypassing the app itself; it nonetheless highlighted the pitfalls of insufficient attention to data security.

Stacking up

Most of these incidents caused no real harm, online or in the physical world. The threat of cyber attacks with physical consequences, however, concerns experts such as Tumuluri and Dalal. The threat to infrastructure has been widely reported and examples exist, such as the attack on Kiev's power grid. Sometimes the damage is incidental, as when the central heating in a Finnish town was shut down in winter because a DDoS attack caused the control servers to reboot repeatedly.

There are other ways such attacks could play out. Those who took over Rahul Gandhi's Twitter account went over the top in showing their hand. A subtler actor bent on creating havoc could post messages designed to rile up the opposition or followers into taking action. A near-farcical illustration of how quickly things can escalate came on Christmas Eve, when a fake news article prompted Pakistan's defence minister Khawaja Asif to threaten nuclear retaliation against Israel. A malicious tweet from a politician's hijacked account could lead to mob violence such as the incident in which a man was killed over rumours that he had slaughtered a cow.

The threat posed by insecure IoT devices has been articulated before, but in 2016 it was realised on a fearsome scale. One may be tempted to think India is not exposed to IoT risk because devices such as smart lights, thermostats and home security systems are more prevalent in wealthier countries. Low-income countries, however, have a higher concentration of the cheaper devices that lack strong security. In the recent Mirai botnet attacks, the top country of origin was Vietnam, and India also ranked in the top ten.

The Mirai botnet attack on Dyn used 150,000 devices to generate 500 Gbps of traffic, and estimates are that ten times that number of devices are infected. Two weeks after the Dyn attack, another that reportedly carried twice the traffic knocked Liberia's Internet offline for brief periods; security researchers speculate that whoever was responsible was testing their capabilities. The worrying part is that anyone can carry out this type of attack. According to a post on Slashdot, renting around 50,000 bots costs between $3,000 and $4,000 for two weeks. This has significant implications for India: the average volume of Internet traffic in India at any given time is near 55 Gbps and peaks well below 100 Gbps.

$20k to sink India's Internet

When Cyclone Vardah took out an international Internet link in Chennai, it significantly slowed Internet speeds across the country. Put the rental price above against the traffic figures and it follows that for under $20,000 anyone could cripple India's Internet for a comparable period. If holding a single computer to ransom can net a malefactor $200, what might an entire country be willing to pay? And if it did not pay, what would the economic cost be?

Testifying before a US congressional committee on the Internet of Things (IoT), noted security experts said IoT manufacturers had no reason to improve the security of their devices because there is no gain in it for them. The same is true of Indian businesses. If an e-commerce site's data is stolen, it has nothing to gain by disclosing that to you or to the government. And if your credit or debit card is subsequently charged in some far-away land, or even in another city here, you would be caught unaware and have no way to trace the breach back to the site. The SMS-based one-time password is no failsafe either: the SS7 signalling network that carries those messages is insecure, and SIM swaps are a known weakness. Recently a security firm in the US found that some Android phones were sending the SMS messages stored on the phone to a server in China because of software that came pre-installed on the handset.

Although that was an accident, it is conceivable that criminals could implant such software surreptitiously. In a blog post, FireEye details how criminals have set up elaborate web pages designed to look identical to those of several banks, luring targets through phishing emails.

When weighing the security risk out there, a little imagination is no bad thing. Individual data breaches here and there may look like minor nuisances, but consider what happens when data collected from multiple sources is put together: your email address and password from one breach, your mobile number from another, and the names of your friends and family from a social network, which Indians are only too happy to share. Many of these breaches come to light only when the data shows up for sale on the DarkNet, a part of the Internet that Google does not index but that criminals know how to reach.

By applying the same data-mining tools that enable targeted marketing, could a criminal organisation build a profile of you that lets them guess a password made from a loved one's name and date of birth? Could they guess the answers to the security questions used to reset your passwords?
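To make the profiling question concrete, the following is an added example (not from the original article or from any of the firms it quotes) that shows how small the search space becomes once an attacker has assembled a name and a date of birth from separate leaks. The profile, the hash and the password are all constructed for the illustration; the unsalted SHA-1 hash stands in for the weak storage many older sites used. The second function is the defensive counterpart a service could run at registration time to reject passwords built from the user's own profile fields.

```python
"""Added example: password guessing from aggregated breach data, and a
server-side check against it. All data here is constructed; nothing is taken
from a real breach."""
import hashlib
from datetime import date

# Constructed profile, assumed to have been assembled from several leaks:
# the target's own name, a spouse's and a child's name, and one date of birth.
PROFILE = {
    "names": ["Rahul", "Priya", "Aarav"],
    "dob": date(1990, 7, 14),
}


def date_fragments(d):
    """Ways people typically write a date inside a password."""
    return {
        f"{d.year}",                              # 1990
        f"{d.year % 100:02d}",                    # 90
        f"{d.day:02d}{d.month:02d}",              # 1407
        f"{d.day}{d.month}",                      # 147
        f"{d.day:02d}{d.month:02d}{d.year}",      # 14071990
        f"{d.day:02d}{d.month:02d}{d.year % 100:02d}",  # 140790
        f"{d.month:02d}{d.year}",                 # 071990
    }


def name_variants(name):
    return {name, name.lower(), name.capitalize(), name.upper()}


def candidates(profile):
    """Yield every name/date combination with common separators and suffixes."""
    seps = ["", "@", "_", "."]
    suffixes = ["", "!", "123"]
    seen = set()
    for name in profile["names"]:
        for nv in sorted(name_variants(name)):
            for frag in sorted(date_fragments(profile["dob"])):
                for sep in seps:
                    for suf in suffixes:
                        for cand in (f"{nv}{sep}{frag}{suf}", f"{frag}{sep}{nv}{suf}"):
                            if cand not in seen:
                                seen.add(cand)
                                yield cand


def count_candidates(profile):
    return sum(1 for _ in candidates(profile))


def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()


def crack(target_hash, profile):
    """Offline guess against a leaked unsalted SHA-1 hash.
    Returns (password, guesses_needed) or (None, guesses_made)."""
    guesses = 0
    for cand in candidates(profile):
        guesses += 1
        if sha1_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


def built_from_profile(password, profile):
    """Defensive check for a registration form: True if the password is made
    only of known profile fragments plus separator/suffix noise."""
    p = password.lower()
    frags = {v.lower() for n in profile["names"] for v in name_variants(n)}
    frags |= date_fragments(profile["dob"])
    remainder = p
    for f in sorted(frags, key=len, reverse=True):   # longest fragments first
        remainder = remainder.replace(f, "")
    if remainder == p:          # no profile fragment present at all
        return False
    return all(ch in "@_.!0123456789" for ch in remainder)


if __name__ == "__main__":
    leaked = sha1_hex("priya@1407")   # constructed "leaked" hash
    print("search space:", count_candidates(PROFILE))
    print("cracked:", crack(leaked, PROFILE))
    print("reject 'Priya1990!':", built_from_profile("Priya1990!", PROFILE))
    print("reject 'correct horse battery':",
          built_from_profile("correct horse battery", PROFILE))
```

The whole space for this profile is under two thousand guesses, so the hash function's speed is irrelevant: even a properly salted, slow hash falls in seconds once the candidate list is this short. The only effective defence is to keep profile-derived passwords out of the system in the first place, which is what the registration-time check does.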

Security experts say we should not panic. That does not mean urgent action is unnecessary. It should not take a catastrophe to mobilise sensible precautions and new rules. Cyber theft may already be covered by a 16-year-old law, but that does not mean we need no laws or rules for the organisations that handle our data.

At a national or societal level, someone emptying your bank account or locking up your computer may not count as a significant threat. It would matter to you, though. What has changed is that it is easier than ever for criminals to carry out cyber theft on a massive scale. Individual burglars robbing houses one at a time may not rise to the level of a national concern, but if criminal masterminds had a robot army that could hit hundreds of thousands of homes at once, that would demand a response. In the cyber world, that is exactly what is happening.

Disclosure: The author is the founder of YouRTI.in