Cyber safety

Increasing attacks on Indian networks are worrying

The ransomware attack targeting SpiceJet last week focused attention on one of India’s biggest cyber-vulnerabilities. Both government services as well as private sector businesses have moved en masse into the digital space and their efforts have been embraced enthusiastically by India’s 780 million broadband users. This means millions of Indian websites gather sensitive data with the Unified Payments Interface (UPI) processing close to 5 billion transactions per month. Many of those apps and websites, and the databases at their back-end, are insecure. All are juicy targets because they contain troves of sensitive personal data. Many are more vulnerable because they are customer-facing. Since anyone can access the front-end, a smart hacker can pry around to discover gaps in security.

Ransomware injects malicious code that encrypts the website and locks the owner out. Then the bad actor demands ransom payment to decrypt and allow the owner access again. During this process, the data available may also be copied, which creates new potential targets. The legal situation is complicated because India doesn’t have a private data protection law, which means redress for the victims may be moot. Moreover, no service provider, government or private, wishes to suffer the loss of credibility that’s involved in being publicly hacked, which means under-reporting. However, report after report by various global IT security providers confirms India is a favourite destination for digital bad actors. It is believed to be the third-largest nation in terms of being the target of attacks. Known victims include Air India, SpiceJet, sundry logistics and shipping services, power utilities, and banking and health care sites. According to the cybersecurity company Trellis, ransomware attacks targeting India jumped by 70 per cent year-on-year in the fourth quarter (January-March 2022). In a large majority of known cases, human error allowed initial entry and exploitation.

While there will always be soft digital targets in a cyber-environment as large and heterogeneous as India, there are many things organisations may do to make themselves less vulnerable. They must secure data, whether it’s stored on the cloud or on their own servers. They also need to identify and firewall the sensitive parts of their networks from the customer-facing bits. They need to ensure access to the sensitive parts is controlled by multi-factor authentication. They need ideally to ensure internal communications, and transactions with sensitive information, are end-to-end encrypted. Firms also need to actively probe their own networks for possible vulnerabilities. They need to build in redundancy, so that if their servers are attacked by ransomware, they can rapidly reload necessary systems and data. This is a normal recommendation for disaster recovery including that from physical disasters. But many organisations don’t allocate the extra IT budget for this.

Above all, the stakeholders in the Indian digital ecosystem need to educate users and employees about cybersecurity. This has to be a cooperative process involving many private and government organisations, and it should be led by the Indian Computer Emergency Response Team. One of the strengths of networks is simply that they are interconnected. However, this also means an infection in one network can easily lead to an infection in another apparently unrelated network. The power of the Digital India initiative lies in its ability to unify the delivery of transactions and services. If Indian networks continue to be soft targets, however, this could turn into a nightmare.