Given that the use of legacy systems and software in government organisations is a big problem, the government would do well to run security audits of its organisations first, then mandate each body to run a security audit every year and obtain certification for this.
Last week, another attack on a government body exposed how ill-prepared India still is on the cyber-security front. NHAI, after denying reports that its systems were hacked, later confirmed that it was indeed facing a ransomware attack. The hackers have released some details online, and claim to have access to more, including personal information of NHAI’s top brass. It is ironic that despite CERT-In warning private players of an impending threat, one of the government’s own organisations has fallen prey to an attack. While India may take comfort in the fact that its nuclear installations were not targeted—Iran is blaming Israel for a Stuxnet 2 virus infecting its nuclear plants—events from last year show that security defences at nuclear plants are also quite vulnerable; the Kudankulam plant suffered a cybersecurity breach in 2019.
While India was one of the first countries to adopt a cybersecurity strategy, and the government has since been pushing companies to adopt best practices, a lack of coordination has meant frequent attacks on government bodies. A NITI Aayog report last year stated that the multiplicity of bodies was one of the reasons for this failure. While most countries—the US and Singapore, among others—have one umbrella organisation, India, besides the nodal CERT-In, has 36 different cybersecurity units across ministries; apart from that, each state has a CERT of its own. A 2015 BSA report on cybersecurity in the Asia Pacific showed India was far behind its peers. The country had done little in terms of public-private partnerships, and it had only a partial national incident management structure. Besides, the National Cyber Security Strategy 2020, which was to lay down the cyber-readiness roadmap for organisations and the government, is yet to be announced. CERT-In, too, has been slow in warning about hacking attempts. Last year, it announced details of the WhatsApp hacking scandal only when reports surfaced in the media.
Given that the use of legacy systems and software in government organisations is a big problem, the government would do well to run security audits of its organisations first, then mandate each body to run a security audit every year and obtain certification for this. More importantly, the government needs to improve its compensation policies for bug bounty programmes, so that hackers are encouraged to report vulnerabilities. A handsome reward will ensure more people come forward with such information; it recently announced a reward of up to Rs 3 lakh for reporting vulnerabilities in the Aarogya Setu app and up to Rs 1 lakh for suggestions to improve the source code. This model needs to be replicated for other organisations and government services.