Beware, Malware

Illustration Created by Amitava Sen

Cyber criminals are on the prowl in India’s sprawling digital landscape, hitting tech’s marquee names, while the government is yet to roll out a comprehensive national cybersecurity architectural framework

By Stephen David in Bengaluru

Imagine the cataclysmic catastrophe if hundreds of suicide bombers kept ramming explosive-loaded vans into moving convoys filled with people. And imagine the same in cyberspace, where zillions of data are cruising on the information autobahns, and explosive-laden cyber criminals ramming them with malware, destroying mountains of precious data. That is the kind of picture that top cybersecurity experts are painting even as new, unexpected cyber conflicts threaten to inflict damage on porous, not so well-guarded tech and digital ecosystems in emerging economies like India.

Security is not just physically walling borders with electric fences or electronic laser-guided go-karts. Nor is it about securing, with invisible lock and key, precious data in cyber space. And almost half of India, the world’s largest democracy of 1.3 billion, is exposed to digital literacy, and the country is the second most vulnerable state to cyber attacks, according to a report by a security company, Symantec.

Even as the centre takes aggressive measures in deploying Information and Communications Technology (ICT) in its services across the board and the Indian software development services industries witness exponential growth in numbers, a new cyber dragon is always on the prowl.

In April 2019, cybersecurity investigation website KrebsOnSecurity.com, run by cybersecurity expert Brian Krebs, warned that India’s leading tech players may be under serious threat from cybersecurity criminals. Krebs’ warning was based on a new fraud called the “gift card fraud” targeting companies that have loads of third-party company resources and/or companies that can be abused to conduct the alleged fraud.

India Legal sought responses from some marquee tech players in India on this threat. India’s software bellwether Infosys responded that it “would like to assure all our stakeholders that we have not observed any breach of our network based on our monitoring and threat intelligence. This has been ascertained through a thorough analysis of the indicators of compromise that we received from our threat intelligence partners”. The Bengaluru-headquartered software giant added, “We continue to strive to improve our security posture and have deployed an advanced threat protection solution to protect the company’s email gateways, endpoints and network. In addition, we are working with our threat intelligence partners to further strengthen our IT and cybersecurity controls.”

Another major player, Cognizant, told India Legal, “We are aware of reports that our company was among many other service providers and businesses whose email systems were targeted in an apparent criminal hacking scheme related to ‘gift card fraud’. Since the criminal activity first surfaced… Cognizant’s security experts took immediate and appropriate actions, including initiating a review. While the review remains ongoing, we have seen no indication to date that any client data was compromised. It is not unusual for a large company like Cognizant to be the target of spear phishing attempts such as this. The integrity of our systems and our clients’ systems is of paramount importance to Cognizant.”

In a statement issued to India Legal, Wipro admitted it was among the “targets of a coordinated and advanced phishing campaign…. As soon as we became aware of the campaign, we…identified the potentially affected users and took remedial steps to contain and mitigate any potential impact. In addition, as a responsible partner and in line with our standard protocol, we immediately and proactively informed a limited number of customers with whom these employees were engaged. The investigation to date suggests that our actions to isolate and contain the incident were successful.”

In a speech at a DRDO programme, its former chief and current member of NITI Aayog in the national capital, Dr VK Saraswat, had said that Indian cyberspace is becoming more complex and “India needs continuous innovation to keep the space secure and resilient to threats”. The scientist called for indigenous solutions to counter the threat. “India should work to reduce its dependency on foreign products and solutions for securing our critical infrastructure and defence installations,” he had noted.

India’s top government policy body, NITI Aayog, has released a cybersecurity document where it notes the enormity of cybersecurity challenges with innumerable entry points to the internet. India ranks third in terms of the number of internet users after the US and China. The number of Indian users grew six-fold between 2012 and 2017, and the country has the notoriety of being in the top 10 spam-shooting countries in the world.

In another public event, national cybersecurity coordinator Gulshan Rai flagged cybersecurity concerns in strategic areas, including artificial intelligence (AI) robotics, virtual reality and augmented reality, and the Internet of things (IoT). With cybersecurity getting top attention at the highest levels in India, including one of the key mandates for the newly created intel organisation, National Technical Research Organisation, a much more comprehensive National Cyber Security Policy is being worked upon on a war footing. It will be an improvement on a similar policy that was first drafted in 2013 in the Ministry of Electronics and Information Technology. But the ghost of cyber threats continues to haunt our critical tech infrastructure, assuming various dangerous avatars.

It is not just the Indian software services sector that faces threat from criminals in cyberspace. India is taking special precautions to protect its servers in the defence sector considering the sources of attacks from China. India-Pak clashes have also gone beyond Siachen Glacier or Kashmir border attacks. India’s special operations and counter operations by her neighbours have been conducted under names like Operation Hangover. Pakistan hit back with Operation Arachnophobia. Both were trying to obtain intelligence in the fast-changing world of net-centric geopolitical calculus. For example, whether it is shooting a rocket into space or blasting a missile from an underwater platform somewhere in the ocean—both of which India has mastered with its complex, critical technology infrastructure—it just mandates the urgency of souped-up cybersecurity protocols.

The Modi government’s drive for cashless payments or digital payments means more security warnings from the Reserve Bank of India (RBI) as almost a billion Indians have access to cell phones and carry out billions of cashless transactions on a daily basis. The RBI, cosying up to a new word called “fintech”, for financial technology, has issued a red alert. It has ejected ICOs (Initial Coin Offerings) and crypto start-ups from its regulatory sandbox, which it had set up to facilitate innovation in the “fintech” industry while getting a hold on emerging technologies.

India’s billion-plus population—with nearly 200 million people having no bank accounts—is easy ground for cryptos to strike big. The RBI banning Indian banks from offering services to crypto start-ups is now a matter of dispute and is before the Supreme Court. As India goes down the digitised road, with digital currency milestones on its way, cyber thugs will continue to lurk around the corner. That calls for alert and strong cyber policing.

Worldwide, cyber crime damages are estimated in the range of six trillion dollars—that is, a whopping six thousand billion dollars—by 2021. Cyber criminal activity is one of the biggest challenges that humanity will face in the next two decades, according to the 2019 Official Annual Cybercrime Report, brought out by Herjavec Group, a leading global cybersecurity advisory firm. Today, it is not just skimming money from your bank account by accessing your passwords that you leave exposed through sheer carelessness. The cyber criminal can also hit where it hurts the most. What if it can send a signal to turn someone’s pacemaker off or create a virus havoc at a busy air traffic control tower?

Today, the internet has blanketed the whole of earth with a different kind of net: in just 30 years, since the World Wide Web was invented and the first website went live in 1991, we are now at nearly two billion websites. That is the population of some continents put together. In 2018, there were four billion internet users for a population of 7.7 billion. Cybersecurity Ventures predicts that there will be six billion internet users by 2022. One report says that the world will need to cyber protect 300 billion passwords globally by 2020. There are more than 100 billion lines of new software code produced every year and with that the vulnerabilities are also higher. Even the world’s digital content is growing by the day: from four billion terabytes (four zettabytes) in 2016 to 96 zettabytes (one zettabyte is one trillion, or 1,000,000,000,000, gigabytes) by 2020. Try figuring that out.