Border Tensions Raise Security ConcernsIs India's Information Infrastructure at Risk from External Attacks?
Against the backdrop of the most recent border tensions between India and Pakistan, hacking groups in both countries have declared a proxy war of their own in cyberspace. While these incidents seem limited so far to defacement of websites and a clash of egos in online forums, Indian security and risk management experts underscore the urgency to strengthen India's existing information infrastructure.
In response to remarks made by the Pakistan People's Party Chairman Bilawal Bhutto on the long-standing Kashmir issue, the Indian hacker group "Black Dragon" defaced the PPP's website. Pakistani groups then attacked the website of the Press Club of India. Incidents snowballed over the past week into, by conservative estimates, more than 30 instances of websites being targeted by both sides, including the website of the Pakistan railway.
CERT-In says that it has not noticed any specific increase in cyber-activity, but other Indian security leaders share concerns about the potential for escalation.
"Typically, website defacements are cyber pranks that cause inconvenience, but no lasting damage, and they do not have the level of adverse impact that other cyber-attacks can have," says Felix Mohan, former CISO at Bharti Airtel. "However, a trend is emerging nowadays of website defacers also using it as a means to divert attention for carrying out other attacks, or using it to spread malware."
Escalating Cyber Vandalism
Samir Dhaga, vice president of IT and CIO at Videocon D2H, says there is nothing new about the current spate of defacements. "Historically, whenever there has been military or political tension between these two countries, hackers from both sides have actively engaged in defacing government websites, and this was not wholly unexpected."
Dinesh Bareja, a leading independent security analyst, adviser to the Indian government and founder of the Open Security Alliance, goes a step further. "India-Pakistan relations have always been strained, and passions run high whenever opportunity for one-upmanship presents itself," he says. He believes the cyber skirmishes are a manifestation of the patriotic zeal in the young hacker community and, while illegal under the IT Act, no government agency is reprimanding the vandals.
Mohan, former head of the Indian Navy's IT program, adds that since Web defacements garner wide media and public interest, they can be used as an effective means of gaining psychological advantage over an adversary by instilling fear about the vulnerability of information infrastructures and the inability of governments to protect them.
'Real and Present Danger?'
How vulnerable is India's cyber-infrastructure?
Security experts are concerned that government agency portals remain so easily susceptible to basic compromises, such as defacements.
The most frequently exploited vulnerabilities, according to Mohan: poor application coding practices, with no application testing (SAST or DAST); irregular system patching; a weak password policy and not deploying purpose-built Web application firewalls.
But Dhaga fears that similar vulnerabilities exist within critical information infrastructure assets hosted at the national level by NIC and other agencies. "There is real and present danger of loss of sensitive national information depending on what has been compromised," he says.
Dhaga was formerly head of IT security operations at IBM India and a former director of the Indian Army's Cyber Security Establishment. He says that although CERT-In has in many ways added tremendous value to the existing cybersecurity environment, much still needs to be done to address issues facing the national infrastructure.
"While the government is investing a lot in technology and to some extent in people," Dhaga says, "where the government needs to focus is in implementation of processes and in joining hands with the private sector, which has experts who have spent a lifetime on such implementations."
Government Action Needed
While the private sector has achieved a substantial level of information security maturity in the past few years, experts say government agencies lack basic processes, such as patch management, continuous vulnerability assessment, consistent audits and security dashboards - that are a norm in industry. While security awareness is rapidly increasing, the lack of coherent processes means that there is no effective implementation of security.
"We live in the crucible of ignorance with the thought that nothing bad will happen to us," says security analyst Bareja. The Indian information infrastructure suffers from the same inherent weaknesses as other countries across the globe, he says. But he believes those vulnerabilities are further exposed by India's lack of a cohesive cybersecurity policy at the national level, as well as the lack of a central cyber command or directive as in other more developed markets. Bareja believes that this manifestation is evident in the impotence of enforcement of the National Cyber Security Policy and other policies aimed at protection against emerging cyber threats.
Dhaga of Videocon D2H says changes are needed, with clearly defined key performance indicators and service level agreements on various security parameters to objectively measure through processes and metrics.
Going beyond the threat of mere cybervandalism, India needs a coherent cybersecurity policy and greater accountability, experts say. And there also must be greater public/private partnership to address vulnerabilities.
"A government/private handshake in this arena is highly recommended," Dhaga says. "Some of the best implementations worldwide are in government agencies who have partnered with the Industry."