India needs a strong firewall

Shivanand Pandit, Goa

2022-05-19 15:54:55

Cybercrimes are increasing across the world. In particular, India has witnessed a tremendous jump in the number of cybercrimes. As per the information provided by the Ministry of electronics and information technology (Meity) to a parliamentary panel, between 2018 and 2021, there was an over five-fold increase in cybercrimes and cyber fraud incidents recorded by the Indian government. On the other hand, amidst an increase in cyberattacks, the Central government is yet to execute the National Cyber Security Strategy which has been happening ever since 2020.

The Meity has told the panel that India has experienced a noteworthy upsurge in cases of cyber fraud and various cyber-linked occurrences in the previous three years. An increase in phishing attacks, financial frauds, mail-spams, and ransomware attacks were reported during the Covid-19 lockdown, when people largely worked from home, as attackers personated brands and deceived employees and customers. As per the facts available with the Indian Computer Emergency Response Team (Cert-In) which is the government agency for computer security, the number of cybercrimes mounted from 208,456 in 2018 to 1,402,809 in 2021. That is approximately a 572% surge in 3 years! Also, 212,485 such incidents have been recorded in the first two months of 2022. Indian organizations have seen a 218% surge in ransomware attacks in 2021, making India the 10th most targeted nation worldwide and second after Australia in the Asia-Pacific region. India was graded amongst the leading 10 countries out of 193 countries in cyber security posture for the year 2020. India climbed from the 47th position in 2018 to the 10th position in 2020. According to the American cyber security organization Palo Alto Networks' 2021 report, Maharashtra was the most targeted state in India — facing 42% of all ransomware attacks. India is among the more reasonably lucrative areas for hacker groups and hence these hackers ask Indian firms to pay a ransom or money, usually using crypto-currencies, in order to regain access to the data. 25% of the Indian organizations suffered a ransomware attack in 2021. This is higher than the international average of 21%. Software and services (26%), capital goods (14%), and the public sector (9%) were among the most targeted zones. Also, according to the study done by CyberPeace Foundation (CPF), Autobot Infosec Private Limited, along with CyberPeace Center of Excellence (CCoE), cyberattacks on the Indian Petroleum Refinery network have been on the rise with massive attacks recorded between October 2021 to April 2022.

No action, only talks

The country's cyber security strategy recommends a distinct jurisdictive outline for cyberspace and the formation of an apex body to tackle threats, responses, and grievances. However, this has been pending with the central government for over two years. The strategy, conceptualized by the National Security Council Secretariat of India led by Lt General Rajesh Pant, has been in the works since 2020. Named the National Cyber Security Strategy 2021, the policy emphasizes the need for a judicial framework to address the evolving challenges in the technology zone. In the recent Budget session of Parliament, many MPs grilled the Meity on when the Centre intends to announce the policy. In response, the Centre explained that it has prepared a draft National Cyber Security Strategy 2021 which holistically looks at addressing the issues of security of national cyberspace. Without mentioning a deadline for its execution, the Centre added that it had no plans as of yet to coordinate with other countries to develop a global legal framework ion cyber terrorism. The Data Security Council of India (DSCI) has prepared a 22-page report focusing on 21 areas to ensure safe and vibrant cyberspace for India. Some of the focus areas are large-scale digitalization of public services, State-level cyber security, etc. The report recommends a national framework that should be set in collaboration with institutions like the National Skill Development Corporation and Information Security Education and Awareness to provide global professional certifications in security. The DSCI further recommended a creation of ‘cyber security services’ with a cadre chosen from the Indian Engineering Services. However, all these suggestions are only on paper as of now. The Ukraine-Russia war has confirmed that the cyberwar is in progress. Power and telephone networks are disturbed. Australia's policy, which was introduced in 2020, has expanded the sectors covered under the policy from the earlier 4 to 11. Likewise, the UK has designated 13 sectors as critical infrastructure. Although numerous industry specialists narrated the need for cyber security policy in India, the government is still not considering the issue on a priority basis. The current legal and regulatory frameworks do not address the evolving threat scenarios or methods to fight the same. Currently, there is no dedicated association to take care of cyber security. There is no one that you can hold responsible. The response to cyber security threats can be taken under the Information Technology Act and the Indian Penal Code. The Indian Computer Emergency Response Team (CERT-In) handles incident response and the National Critical Information Infrastructure Protection Centre (NCIIPC) was created in 2008 to look after critical infrastructure.

Booster dose required

The rise in cyberattacks and threats in India has brought to light the urgent need for strengthening India's cyber security. India should execute a strategy immediately and it needs its unique cyber security law and devoted authority expeditiously at par with global standards. Cyber security needs to be extended to safeguard many verticals of critical infrastructure. There should be consolidation, integration, reorientation, and realignment of the present mechanism to create the apex establishment. The strategy should target to configure a comprehensive system, with both state-owned and private companies having to obey cyber security yardsticks. It should stipulate a strict recurring cyber audit and suggest annual appraisals by the apex body that will be established. The framework of the policy should aim to label cyber security as a strategic sector. There will be an obligation upon all players to ensure cyber safety. However, this can only be done if Parliament passes a bill as soon as possible. The pandemic demonstrated severe warning for India's cyber security. Several Covid-19 test results were leaked and a cyberattack happened on systems of an airline service provider resulting in the leakage of personal data of 4.5 million passengers. As per the investigation by US cyber tech firm CrowdStrike, on average, companies across the world take seven days to respond to cyber security violations, in contrast, Indian companies take around nine days. India now has more than 1.15 billion phones and over 700 million internet users which make it a big lake of digitally vulnerable targets. The pandemic has only worsened this problem as it resulted in an even heavier dependence on digital technologies. From payments to e-shopping to working from home, the pandemic led to the greater adoption of interconnected devices and hybrid work networks. Consequently, this vast and rapid expansion of digital assets has increased the surface area for cyber-attacks. The above-mentioned facts and figures push India to the bottom of the list when it comes to dealing with cyber security threats and attacks. Undoubtedly, India is one of the fastest-developing markets for digital technologies. Therefore, the government should introduce and implement a robust cyber security strategy immediately.