CERT-In Says Hacking Declining, But Critics Express Doubts
Do the Latest Statistics Reflect Reality?
Although CERT-In says that the hacking of Indian websites declined dramatically this year, based on reports it has received, some security experts argue that many hacking and other cybercrime incidents are never reported.
CERT-In says 15,779 Indian website hacking incidents were reported through November of this year, compared with 30,067 in all of 2017 and 33,147 in 2016, according to Ravi Shankar Prasad, minister for IT and Electronics, Government of India, in the Lok Sabha.
There also has been a reduction in cybercrime (including social media and social engineering attacks) and fraud involving ATM debit transactions, credit transactions and internet banking, the National Crime Records Bureau and CERT-In report.
Cybercrime incidents totaled 9,622 in 2014, 11,592 in 2015 and 12,317 in 2016, according to the National Crime Records Bureau. The bureau has not yet revealed the numbers for 2017 and 2018, which it says will show declines in incidents.
CERT-In says there were three cases of financial fraud incidents - affecting ATMs, point of sale systems and Unified Payment Interface - reported through November of this year, compared with six cases in all of 2017 and 14 cases in 2016.
Are Reductions Real?
Prasad attributes the reduction in the number of incidents to the government's cybersecurity initiatives and its widespread awareness programs.
But in a blog on data breach notification, Naavi Vijaya Shankar, a cyber law expert and CEO of Naavi Consultants, claims that many cybercrime incidents are never reported.
"As regards cybercrimes that occur within the banking fraternity, normally the need to maintain 'confidentiality' and 'prevention of erosion of public trust' has prevented public announcement of any cyber fraud statistics," he says.
And many security practitioners assert that Indian organizations are not ready for data privacy and data breach disclosures because the nation does not have a strict regulatory enforcement mechanism.
Rakesh Goyal, a CERT-In empanelled auditor, claims that CERT-In does not have enough staff to accurately track all security incidents or take any action after an incident has been reported.
He says some companies do not report breaches because the regulatory bodies do not provide technical and operational support and also do not have a mechanism to establish and retain customer confidence and "ensure that organizations that report breaches do not lose their reputation."
Some security experts argue that the government needs to do more to help establish a culture that fosters the reporting of breach incidents while India continues to await enactment of a national breach notification law.
"The government needs only revisit its existing IT Act 2008 and impress data protection obligations upon Indian companies and find a way to help them adhere to them," Naavi says.
Goyal argues that the government should empower CERT-In to penalize institutions for non-compliance with the data breach notification requirements prescribed under the IT Act 2008, a step he says will help them track incidents better.
Government's Cybersecurity Stand
Prasad claims that the reason for the decline in the incidents is that the government has been taking steps to enhance cybersecurity and prevent cyberattacks.
CERT-In issues alerts and advisories regarding the latest cyber threats and countermeasures on a regular basis, he points out. It also conducts cybersecurity exercises regularly to assess the preparedness of organizations in the government and critical sectors.
Sanjay Bahl, director general of CERT-In, asserts that the government is not taking emerging threats lightly and has announced a number of initiatives to tackle the cybersecurity challenge.
In an interview with DataQuest, Bahl says CERT-In has empanelled 69 auditors after stringent tests. Besides helping organizations carry out cyber drills or exercises to prepare against cyberattacks, these auditors also conduct source code review, threat modelling, SDLC review, network and application security assessments, and security testing and assessments.
Prasad says the government has recently formulated a cyber crisis management plan to counter cyberattacks and cyber terrorism.
"It will be implemented by all ministries and both central and state departments in critical sectors," he notes.
The cyber crisis plan mandates that ministries and departments of central government, state governments and union territories:
- Draw up their own sectoral cyber crisis management plans in line with the Cyber Crisis Management Plan for Countering Cyberattacks and Cyber Terrorism;
- Equip themselves suitably for implementation of the plan and supervise implementation and ensure compliance among all organizational units (both public and private) within their domain;
- Follow a strategic framework and guidelines to prepare for, respond to and begin to coordinate recovery from a cyber incident;
- Build cyber resilience to anticipate, withstand, contain, recover and evolve from cyber incidents.