India witnessed a number of cyberattacks on its critical information infrastructure in 2017. There were 18 instances of data breaches that took place during the year, compromising 203.7 million records. According to the “Breach Level Index” released by digital security firm Gemalto, identity theft comprised about 61 per cent of data breach incidents.
This is just the tip of the iceberg. According to Muktesh Chander, director general of police, Goa, and former director, National Critical Information Infrastructure Protection Centre (NCIIPC), “In India, real attacks on critical infrastructure are not reported. As a result, attacks are going unnoticed, with the government and companies trying to deal with them on their own.” The threat depends on the nature of business, data and extent of social media influence. The nature of attacks varies from leaking credit card details to defacing websites and exposing elections to ransomware and malware – the new weapons of mass destruction.
As per Gemalto, the malicious attack on food delivery app Zomato that exposed 17 million records was the sixth biggest known data breach globally in the first half of 2017. Reportedly, many companies have faced cyberattacks and cyberthefts in the recent past. These include two of India’s top private banks, a leading telecom company and a top media company. In 2017, thousands of companies across the globe, including India, were hit by ransomware WannaCry and Petya. Globally, the Equifax breach exposed personal information of 145 million US customers. Since most companies do not report cybercrime incidents, the actual extent of impact is unknown. “The fact is that everyone will get attacked. The impact may not be clear but the action plan has to be strong,” says Sumit Puri, chief information officer and director, information technology (IT), Max Healthcare.
It is believed that about 80 per cent of cyberattacks are related to cybercrimes. These have been growing in intensity and complexity with increased adoption of the internet, smartphones, virtual currency, internet of things (IoT), big data, cloud, drones and robotics.
“Big data, which is the crown jewel of most organisations, cannot be kept in the locker; it has to be used by employees on a daily basis to improve organisational efficiencies. This makes it vulnerable to attacks,” says Siva Sivasubramanian, global chief of security, Bharti Airtel.
Moreover, as IoT gains traction, connecting phones with door openers, microwaves, etc., the question that arises is, who is responsible for data security?
Companies, typically, are not aware of the threats hovering in their systems. Interestingly, the stolen data is being put up for sale on the dark net and deep web. Seqrite, the enterprise arm of IT security firm Quick Heal, came across an advertisement on the dark net, which claimed to have access to data from over 6,000 Indian businesses including government organisations, internet service providers, banks and enterprises. According to Seqrite, information from the servers of these enterprises was put up for sale on the dark net in one of the biggest data breaches reported in the country.
However, the National Internet Exchange of India was quick to clarify that there had been no serious security breach of its database and that it had a robust security protocol in place. The Unique Identification Authority of India, which was also said to have been attacked, clarified that its databases or central repository had not been breached, nor were its activities affected in any way.
All this points to one thing – Indian enterprises are vulnerable. “Are we waiting for a disaster to happen before we realise that cybersecurity guidelines have to be enforced? We need to create awareness about cybercrime, make it mandatory to disclose each breach, especially if it is in critical infrastructure, and strengthen the mechanism for preventing, detecting, investigating and prosecuting a cybercrime,” says Chander. In India, only financial services are required to disclose a breach as per the Reserve Bank of India’s directive.
There is an urgent need for a well-crafted and national-level cybersecurity framework to deal with cyberthreats. The current cyber policy has multiple stakeholders, including the Ministry of Electronics and Information Technology, the NCIIPC, the Ministry of Home Affairs through investigative authorities, and the newly created National Cyber Coordination Centre. In addition, granular cybersecurity guidelines are needed for different sectors, regulated by their respective governing bodies.
Current laws such as the Information Technology Act, 2000 and the Information Technology (Amendment) Act, 2008 have various provisions for ensuring cybersecurity. Besides, a National Cyber Security Policy was formulated in 2013. In 2014, the Department of Information Technology created a special body for critical information infrastructure (CII), called the NCIIPC, under the technical intelligence agency, the National Technical Research Organisation.
CII covers 12 sectors including power, aviation, banking, critical manufacturing, defence and space. While most of them are government or quasi-government bodies, sectors such as banking, aviation and power involve private sector participation. While guidelines were issued for CII protection, these have not been enforced. The 2013 policy outlined the broad principles of managing cybersecurity. However, the government now needs an updated policy to move beyond the statement of principles and outline how to operationalise cybersecurity.
The government has set up the National Informatics Centre-Computer Emergency Response Team (NIC-CERT), a dedicated unit that will monitor, detect and prevent cyberattacks on government networks. The NIC-CERT will operate in close coordination and collaboration with other sectoral CERTs, especially with CERT-In.
“What governments and companies have to understand is that security is a continuous journey, as the landscape is changing very fast,” says Pawas Agrawal, general manager and chief information security officer, Aircel Limited. More efforts should be made to formulate and implement a comprehensive security policy, he adds.
According to Puri, the impact of the WannaCry ransomware attack on the National Health Service in the UK, which infected data on computers, is still being assessed. This highlights the need for proper metrics for security preparedness.
Cybersecurity became a boardroom priority only after the ransomware attacks. “Cybersecurity is not a technology issue any more; it is a business risk,” says Atul Gupta, partner, advisory services, KPMG. However, Indian companies spend only 7-10 per cent of their IT budget on security. Many times, the macroeconomic business environment determines the amount to be invested in security. “The economics of security, especially where the macroeconomic environment is tough such as in telecom, has to be evaluated,” says Agrawal.
In India, the excessive use of unlicensed software, underpaid licences, and multiple levels of outsourcing in IT maintenance, operations and support make India Inc an easy target. The fact is that committing cybercrime is not difficult owing to the low costs, easy access to online tools and the cover of anonymity.
To combat cybercrime, both qualitative and quantitative measures are needed and sometimes a choice has to be made between the two. “There was a time when vulnerability assessments were done quarterly and then monthly; now, however, these need to be done on a real-time basis,” says Vikram Mehta, associate director, information security, MakeMyTrip.com. Another way of strengthening cybersecurity is to consider security solutions as a part of the technological design of the network rather than as an add-on. Organisations should also create awareness about the risks associated with attacks, and train employees accordingly.
Going forward, as cyber complexity increases, so will the incidence of ransomware, web compromises and spear phishing, along with attacks by more destructive worms and wipers. All this calls for the formulation of a regulatory framework and the enforcement of guidelines to cybercrime-proof India.