Ministry of Home Affairs Needs to Go Beyond Security BasicsBest Practices Tips Helpful, But More Needs to Be Done
The Ministry of Home Affairs recently released a document on information security best practices for government officials.
The document discusses how to avoid social engineering attacks. It covers such topics as password management, general internet browsing and email communication.
But clearly, it's important to make sure that government officials follow basic cybersecurity principals as well as move on to more sophisticated steps.
Some critics are blasting MHA for focusing on very basic material. For example, it advises government officials to only click on links that have "https" in the browser. It also suggests avoiding sharing passwords or storing them in a readable format.
But clearly, it's important to make sure that government officials follow basic cybersecurity principals as well as move on to more sophisticated steps. And over the past five years, the MHA, under the leadership of Rajnath Singh, has been instrumental in setting up a number of cyber cells plus a cyber portal for women and children as well as a national cybersecurity coordination center.
Tackling the Vulnerabilities
As India pursues greater levels of digitization, many government websites continue to be vulnerable to hacking and cyberattacks because they have basic vulnerabilities.
Recently, the Uttar Pradesh State Road Transport Corporation based in Uttar Pradesh exposed a database of millions as it was built on weak and old framework. The application did not use a firewall, and there was no rate limiting to control the amount of incoming and outgoing traffic to or from a network.
Many government websites continue to suffer from SQL injection vulnerabilities. More often than not, data does not get stored in an encrypted format.
About 105 government websites were hacked during the first 11 months of 2018, CERT-In reported. Earlier this year, over 90 Indian government websites and critical systems were attacked by self-proclaimed Pakistani hackers within hours of the Pulwama suicide strike in which 40 soldiers of India's Central Reserve Police Force were killed.
All these incidents led French researcher Robert Baptiste to say that government websites in India are among the most vulnerable he's come across. "Usually, government websites in other countries are secure, but in India it is a different story," he says.
The Challenges Ahead
The challenge ahead for MHA is to ensure that its recommendations on cybersecurity basics are implemented - and that many other more sophisticated steps are taken to enhance the security of government websites and citizens' data.
MHA needs to make sure that CERT-In conducts regular checks and audits to ensure that the recommended practices are followed. Cyber education is the need of the hour, and the training must be conducted on a regular basis. The only way the recommendations will be carried out is through persistence.