For the first time in 73 years of independence, cybersecurity found a mention in the Prime Minister’s Independence Day speech on 15 August. PM Modi announced that India will introduce a National Cyber Security Strategy (NCSS 2020) soon after cabinet approval.
The announcement comes hard on the heels of India’s recent geopolitical discord that led to Chinese hackers attempting to unleash 40,000 cyberattacks on India’s IT and BFSI sectors. Prior to that, the country’s cybersecurity watchdog, CERT-In had issued advisories warning phishing attempts on fake Aarogya Setu and PM Cares apps.
In a recent roundtable discussion, India’s National Cyber Security Coordinator, Lt Gen (Dr) Rajesh Pant discussed the country’s current state of cyber resilience and the biggest cybersecurity challenges amid the new normal.
India’s top 4 cybersecurity challenges in the new normal
While the sudden shift in the way India does business has exposed several fault lines and weak links in the existing cyberspace, the general zeroed down on three critical factors afflicting the country’s security posture.
1. A lack of cyberattack attribution; international legal system offers little help
Lt Gen Pant brought to light the inability to attribute cyberattacks. Simply put, cyber attribution is the process that helps security analysts backtrack a cyberattack to its origin based and identify its perpetrators based on cyber forensics and the evidence at hand.
The cyber chief minced no words when he called out the ineffectuality of the international legal system.
He emphasized that in order to attribute cyberattacks, India needs international collaboration.
The Mutual Legal Assistance Treaty, or MLAT as it’s commonly known, is an agreement between countries to exchange information to help bring offenders to justice.
2. UPI in the crosshairs
Pointing to the massive surge in internet traffic, Lt Gen Pant revealed that the National Informatics Centre (NIC) earlier handled around 2 crore emails a day. That number now stands at 7 crore emails per day – a 71 percent spike in a span of just six months. Online financial transactions saw a steep rise as well – March alone witnessed 50,000 new Unified Payments Interface (UPI) handles being created.
The point on misuse of UPI IDs was also brought up by Anyesh Roy, Deputy Commissioner of Police at the Cyber Crime Department, at an India Infrastructure roundtable: “In 2018, the facility of demanding money in payment apps was introduced. This has led to an increase in fraudulent activities.”
3. Attacks on critical infrastructure: why the current definition doesn’t hold good
What defines critical infrastructure and the sectors it comprises of varies across countries. The Netherlands, for instance, classifies the Heineken factory as critical infrastructure.
In India, the National Critical Information Infrastructure Protection Centre (NCIIPC) identified six critical sectors: Power & Energy, BFSI, Telecom, Transport, Government, and Strategic & Public Enterprises.
However, given the current situation, Pant believes that the identification of critical sectors needs to be looked at all over again. “The pandemic has shown us that with everything going online, the question now arises: What can you consider non-critical?”
4. The manpower crunch
“In order to meet the requirements posed by the pandemic, I need every sector to have a Security Operations Center (SOC), but where is the manpower?” said Pant.
He added saying the pandemic has compelled the government and enterprises to look at new types of security incident and event management structures as well as security orchestration and automation response structures.
– Gen Manjeet Singh, Joint Secretary, National Security Council of India
The challenge around manning SOCs with skilled resources was also addressed by Gen Manjeet Singh, Joint Secretary of the National Security Council at the India Infrastructure roundtable. Sharing his vision, Gen Singh added: “We need to become aatmanirbhar in cybersecurity as well.”
Why India needs a new type of cybersecurity architecture
Lt Gen Pant said that with a large faction of people working out of their homes, there are a lot of unknowns enterprises are not aware of – their identity, endpoint equipment, home network, VPN aggregator, cloud services, and the antivirus installed on their mobile devices. “With the entire system becoming distributed, there is a need for a new type of cybersecurity architecture,” he said.
The cyber chief opined that technology and user behaviour are both equally important. Elaborating this, he explained that the traditional 7-layer Open System Interconnection (OSI) model – basically a communication framework comprising of physical, data link, network, transport, session, presentation, and application layers – needs to factor in an 8th layer: the user.
Raising cybersecurity awareness
Underlining the importance of public messaging, Lt Gen Pant recounted how the country’s public broadcasters played a vital role in eradicating polio by promoting the pulse polio programme in between every TV show.
He believes a massive campaign of the same scale on cybersecurity awareness could make a big difference.
Copyright © 2020 IDG Communications, Inc.