WhatsApp snooping: Castro stresses need for good cybersecurity policies

He says the government needs to come up with good policies to encourage digital literacy and collaborate with research institutes to identify various vulnerabilities

At a time when the Israeli spyware Pegasus is in the news for having been used for hacking into Facebook-owned WhatsApp instant messenger and snooping on activists, lawyers and journalists in India, there is a “pressing need to improve the security of the mobile devices,” says Daniel Castro in an interview with Peerzada Abrar. Castro is vice-president of the Washington DC-based think-tank, Information Technology and Innovation Foundation (ITIF), and director of ITIF's Center for Data Innovation. Castro says the government needs to come up with good policies to encourage digital literacy and collaborate with research institutes to identify various vulnerabilities. He also says that players like Facebook and Google have a big responsibility to not only protect the information of users, but also to provide transparency and enable them to have control over the use of their data. Edited excerpts:

As services rapidly digitise in India, what kind of cybersecurity risks do you see in the country?

The risks around cybersecurity are increasing globally, as there are more devices being connected to networks, especially for Internet of Things (IoT) devices. Earlier, we were just trying to secure some servers and PCs or laptops, but now we have to secure all these smaller devices. So, it is important that cybersecurity be made a priority for the government as it develops (various) policies. I think there are opportunities for improvement in this space, but that has to be part of a digital transformation strategy. 

Right now, I don't think we are seeing that. But one way to get to that point is the prioritisation of emerging technologies. If the country is leading in the adoption of technologies like cloud computing and artificial intelligence, it can lead in the use of cybersecurity as well. I am hopeful as India becomes a leader in digital adoption, it can also be a leader in cybersecurity. 

Facebook’s security breach (Cambridge Analytica data scandal) exposed the accounts of millions of users. What is the responsibility of big tech firms towards users?

It is important that consumers have transparency on how their data are being used. And they should have control over how they are used. The Cambridge Analytica data breach was an example where unscrupulous third parties like Cambridge Analytica took the (consumer) data for purposes that they hadn't disclosed, and then used the data to hurt consumers. I think that's where we need really strong (law) enforcement. There is also a lot of need for cooperation among countries on these types of issues. Companies have a big responsibility of securing the information when people give it to them. One of the really important things to recognise is that a lot of data breaches that we see affecting consumers today are from small and medium businesses. That is why it is important to think about how we can scale up security for all these businesses. 

It was recently revealed that spyware Pegasus was used on Facebook-owned WhatsApp to hack and snoop on activists, lawyers and journalists in India. Your comments...

It is a huge problem for consumers when they have devices that can be broken into and all the information on the device can be accessed. The Pegasus software was developed by Israel-based NSO Group. It allows not only an access to a device but also encrypted messages and any data stored on the phone. They can even activate microphone and camera and eavesdrop on anyone at their homes or work. 

It is a significant vulnerability and there is nothing that any of the software makers could do to prevent it. I think the key takeaway is that the government shouldn't be breaking into the consumer’s phone without some kind of lawful authorisation to do so. It is not clear if it was so in this case. I think that's something most citizens in any country take very seriously. The second issue is how you resolve this in the long term. That is where the emphasis has to be on improving the security of mobile devices. Pegasus or some other type of software can do similar types of attacks. That's a significant vulnerability that can be exploited and will be exploited — if not by a domestic government or law enforcement agency, by a foreign one which has an interest in obtaining secrets or extracting information from individuals for security reasons or even for economic profit. 

What needs to be done at the government policy level to prevent such attacks?

There is a need for training in digital literacy or cyber hygiene — the ability to use devices without getting infected (by the malware). Some of the attacks on WhatsApp could be performed even against the savvy user because it had to do with the software vulnerability. A lot of these attacks are social engineering; they're tricking users into clicking on a link and downloading the malicious software. Some of that can be prevented through user education, and policy can help in that. 

Also, policies like data localisation are not a good idea. They force companies to start storing data locally within the country; that moves away from the most secure servers developed in the most secure operating environment to a domestic implementation that may not be on a par with global security standards. There is also a need for policies to support the development of research to identify vulnerabilities before they become problems for individuals. The idea is to empower some of the academic research centres and local companies doing research in this space. 

Democratic processes in the US and France faced cyberattacks and fake news was propagated on social media to affect elections. Should India be concerned about cybersecurity and fake news?

Misinformation online is a problem globally, and it's not something that social networks can address on their own; the scale is very high. I think the government needs to be an active partner in helping monitor what's happening on these networks in terms of developing partnerships with them. They can also work on some research & development needed in this space, whether to help with identifying deep fake or even some automated analysis of news articles or labelling of articles, to help identify which ones are more trustworthy than others. There's a huge role for government and policymakers in addressing this problem. The Nordic countries have been working on the problem of responding to propaganda and its influence on elections. They have been integrating media literacy deeply into the educational system so that students are well aware of the problem and how to approach it. As the issue of fake news has arisen, it is less of an issue in some of those countries because they have already trained individuals on how to recognise it.