Assessing Government's War on CybercrimeCritics: More Emphasis Needed on Secure Coding, Education
Ravi Shankar Prasad, India's Minister for Communications and IT, recently told parliament that the country has witnessed 54,483 cybersecurity incidents such as phishing, spam and malicious code in this fiscal year. As per the report, the number of cybercrime incidents in India is nearly around 149,254, a cumulative data compiled from 2011, 2012, 2013 till 2014, and this number is likely to double or cross 300,000 by 2015. These incidents were reported to CERT-In by Indian enterprises, individuals and other international agencies.
Critics respond by saying it is not enough to just present statistics. They recommend that the Indian government step up its efforts to support new secure coding programs and practices to help detect cyber threats, while also taking up new awareness and education campaigns.
"End user education is key," says Mumbai-based L S Subramaniam, cyber expert and founder of NISE, a cyber and security consulting firm. "Awareness is the best deterrent to protect millions from cybercrime. We need to do this on a war footing to eradicate cybercrime in India."
Reasons for Increase in Incidents
The reason Prasad states for the increase in cyber incidents is the ubiquity of information technology and its inherent cybersecurity vulnerabilities.
"With every IT product introduced into the market, newer vulnerabilities are discovered, allowing scope for malicious actions," he said.
Reacting to the minister's statements, security critics say he has been talking about the increase in incidents for some time now, as observed during the last parliament session. But there's no mention by him of any progress made in the efforts to combat cybercrime, nor of statistics around newer forms of cyber threats. There also is no account of the financial losses incurred owing to the increase in the cybercrime, or any parameters laid out to measure losses.
In response, Prasad says that CERT-In does not maintain any separate data of the losses incurred by Indian companies due to cyber-attacks.
But Bangalore based J Prasanna, director and founder of Cyber Security and Privacy Foundation Pte. Ltd., argues that the statistics put forth by CERT-In don't reflect real-time data. He says the data has been extrapolated by the feedback provided by the consulting firms empanelled by the CERT. "Much more serious incidents, which don't get reported, exist at large enterprises which are beyond CERT-In or NIC's access," he says.
Most of the recent cyber-attacks can be characterized as advanced persistent threats that have been ongoing and undetected for nine months or more, Prasanna says.
"The attacks which are reported are usually the ones done by script kiddies on websites/firewalls (where rule blocks it)," Prasanna says. "These are not numbers really to worry about; one should be seriously concerned about APT attacks/ undetectable intrusions."
The reason for the boost in incidents, says Subramaniam, is the increase in the number of devices and online commercial transactions, including social media, e-commerce portals, payment gateways, online travel portals and online trading and banking.
"We have millions of transactions running daily on the internet by use of endpoint devices without adequate security built in," he says. "End users aren't educated enough to protect themselves from cyber criminals."
Many security practitioners believe lack of education and awareness about emerging threats is allowing individuals to fall victim to spams, viruses and phishing attacks.
Action Plan for Building Incident Response
So, how can the government get behind efforts to curb the number of cyber incidents?
Security experts don't deny that the government is actively participating in various industry forums and has been putting across its concerns, as reflected in the home minister's and defence minister's recent statements. The ministers have allocated budgets to respective departments in setting up cyber defense mechanisms and have called for a collaborative approach from ISP, cellular providers and IT companies, etc., to be proactive about securities on their individual platforms.
It is clearly stated that CERT-In can only give alerts and warnings, but strengthening and securing is the individual organisation's responsibility.
Bangalore-based Shashidhar CN, founder & CEO of SecuriT Consultancy Services LLP says the Government of India seems serious about responding to the threats. "They are establishing a botnet removal centre under the aegis of CERT-In, which should be functional within the next two months, and the other steps are not in the public domain," he says.
But what is missing, says Agra-based Rakshit Tandon, security adviser to UP Police, are changes in the cyber law coordination of centralized bodies such as CERT-In with law enforcement agencies to focus on developing strong cybercrime police stations in cities, rather than building cyber cells to spread awareness at user levels.
"Lack of co-ordination or a centralized system of reporting or tackling cybercrime is adding to the challenge, as law enforcement agencies across states are working in their own sphere of things and in silos," Tandon says.
Prasanna says since India is far behind most developed countries in cybersecurity, the country should make its programmers learn secure coding practice and make network security experts learn hacking technologies.
He says incident response should be to first detect intrusions such as APT attacks. And it should analyse the attacks, remediate them and make sure such attacks don't happen. "This attack information goes into a knowledge base which is used for securing the nation," he says.
Prasanna recommends having a database of hacker profiling, database of zero day exploits and a list of ethical hackers who could help the country.
Subramanian sees the need for a more focused approach to thwart these attacks, and hence he calls for a 360 degree approach to cyber protection since the enemy can attack from anywhere and is always one step ahead. "Sound cybersecurity engineering programs are required to be followed by both the government and enterprises," he says.
Tandon strongly recommends overhauling of the IT Act, and to sign pacts with major players such as Facebook, Google and Whatsapp to support law enforcement agencies in building an effective cyber incident response framework.
Shashidhar stresses the need to make disclosure of security incidents & customer protection mandatory for security breaches for listed entities, banks & financial institutions in India on the lines of the Sarbanes Oxley Act amd other U.S. regulations.
Prasanna emphasises, "While we have good regulations in place, CERT, government and corporate should be trained in advanced hacking techniques and secure coding practice by hackers (who understand the subject well), as followed by America."