Need a more proactive regulator to keep citizens informed
While PayTM Mall has denied a report by cybersecurity firm Cyble that its data had been hacked, the report should be a wake-up call for India’s cybersecurity agency, CERT-IN. Defending its database is each company’s responsibility, but it is CERT-IN’s job to keep the public informed of the actual picture when there are reports or threats, and it is also its job to conduct audits, even surprise checks, of a company’s security. In this context, however, several high-profile misses blot its record. Last year, CERT-IN alerted WhatsApp users that their accounts had been hacked only after media organisations had published reports of the Israeli spyware Pegasus affecting phones across the world. The Kudankulam nuclear power plant attack also escaped its radar, and in 2017, CERT-IN was late in responding to the Petya and WannaCry attacks.
Given that security threats are only going to increase, India needs more proactive regulation. More importantly, India also needs new regulation. While India was one of the first countries to enact a cybersecurity policy, in 2013, it is yet to come out with new rules that mandate stricter data protection and regular security audits. An array of organisations has further complicated India’s cyber response. Unlike the US, Singapore, and the UK, which each have a single umbrella organisation dealing with cybersecurity, India has 36 different central bodies, one for every ministry, to deal with cyber issues, and each has a different reporting structure. Moreover, every state has a CERT body of its own. India, thus, needs to create an umbrella organisation for better co-ordination. It also needs to start treating cybersecurity as a necessity. First, the government will have to upgrade its systems. One reason for the high number of attacks on government bodies is the use of legacy systems and software. In 2018, a Telegraph report found that hackers were able to bring down the National Health Service (NHS) network in the UK because some hospitals were still using legacy Windows XP systems.
The government also needs to foster a partnership between academia and industry to promote cyber-hygiene. Although it has plans to create a certification for cybersecurity professionals, it also needs to enlist the help of universities so that they can check apps for cybersecurity issues. The new national health database policy envisages regular audits for data operators; this has to be extended to other areas as well.