When Barack Obama sought re-election to the White House, many US citizens got phone calls from the President seeking their backing for a second term. While they were surprised, many did ask the then most powerful man on earth how he got hold of their phone number. Today, voters in India are used to getting similar recorded voice calls from MLA and MP hopefuls ahead of polling day. Many may cut the call without waiting for the message to finish but hardly ask the question, even to themselves, that US citizens did a decade ago: how did the caller get hold of their personal number?
This, in a nutshell, illustrates the state of data security and awareness about it amongst Indians, Nandakishore Harikumar, CEO & Founder of cyber security firm Technisanct, explained.
Data breaches are happening in public limited companies that partner with the Government of India even in crucial sectors like defence. Thus, these internal loopholes within the public-owned companies become a matter of national security. Then there are the ransomware attacks targeting the pharma and health sector where India has made huge investments. Not just the personal data of patients but the intellectual property concerning ongoing research in the medical sector are leaked and put on sale online by phishing groups, he said.
It is high time India comes up with a data protection policy to safeguard India's innovations and intellectual property, he believes. It is not when the image of the Prime Minister or an opposition leader is tarnished online that a country should feel it has suffered a cyberattack. The growth potential and targets that a country is expecting to achieve in a certain period can be pulled down through data breaches, Nandakishore told THE WEEK during an interview. Excerpts...
Q: Technisanct has reported multiple ransomware attacks targeting the Indian pharma sector and hospitals recently. Is India's health sector being targeted? How big a threat is it?
Many leading Indian pharma companies have suffered ransomware attacks. Cyber attacks targeting the sector happen in large volumes. 10-15 firms reported ransomware attacks in the past one to one and a half years.
The point that interests me is the fact that it is not just the patient data that is leaked. Intellectual property -- the research they do in these institutions -- is compromised and made available to the public. The government and big Indian brands are unaware of this intellectual property aspect of phishing. Indigenous research that is happening in India is threatened as the pharma sector is continuously under attack.
Such attacks have become a trend and both public holding and private companies are threatened. It is important that we address this issue as it is, as pharma is a sector that we boast about. The West is watching India's pharma innovations.
Q: This gives the impression that India is not serious about data breaches...
When I speak about data, I am not just speaking about data breaches. There is something called the right to data. An Indian citizen's data is collected across platforms. If an individual or a bank is collecting our data are they supposed to keep the data after the purpose is served? Is it deleted afterward or not? How are they processing the data? We don't have a framework to deal with all that in India. Even the proposed data protection bill is sans such a framework.
The growth potential and targets that a country is expecting to achieve in a certain period can be pulled down through data breaches. India should focus on data protection policy. In the long run, a lack of data protection guidelines can even cost us foreign investments. But we don't seem serious enough when it comes to addressing this aspect.
Q: Ransomware attacks have remained a sword of Damocles for some time now. Why are the agencies unable to get rid of this cyber threat for good?
Ransomware has become a service and phishing (scam emails that contain links to malicious websites) remains the popular model to breach targets. Anybody can hire these groups to launch an attack on anybody.
In 2023, around 2 TB of military data was leaked from Nagpur-based Solar Industries India Ltd by a group called BlackCat. The data was then put on sale in the public domain. Shockingly, the GoI is not auditing such companies frequently to ensure the data is safe in their hands. There is an audit at the physical level to prevent breaches at such centers. But why can't the same be done at the data level?
Q: Can you elaborate on more such instances of data breaches from the recent past in the public sector that can shed some light on the gravity of the situation?
Earlier this year, the Tamil Nadu Police Department suffered a data leak. Its Facial Recognition Portal (frs.tnpolice.gov.in) was breached and info including names of officers, phone numbers, and FIR details were compromised. About 1 GB of data was made available in the public domain for just 2 euros. What action did the government take afterward, were the vendors pulled up and held responsible? Was the company that designed and maintained the system booked or at least fined?
In 2021, Technisanct found that data of 5.2 million users, which included 49,19,668 Aadhaar numbers, was leaked from Tamil Nadu's public distribution system. Even VIPs' data were accessed from tnpds.gov.in by a group that goes by the name 1945VN.
According to the Aadhaar policy, if data is saved, it should be stored in an encrypted format. Even after the leak was reported, the Aadhaar authorities didn't pull the department responsible for not following the rules. Why?
Q: How are data breaches reported in India? Is there a nodal agency?
Usually, it is the Computer Emergency Response Team (CERT) or if it is critical infrastructure, you have the National Critical Information Infrastructure Protection Centre (NCIIPC). They do have a bug bounty program but the kind of reaction you receive depends on the mood of the people concerned.
We can't quantify data breaches in India as CERT has no investigation authority.
Brands are supposed to alert CERT instead of hiding data leaks. But if they do hide them from government agencies, then companies like ours may act as a watchdog and tip off CERT. But we do have limitations.
It surprises me that even large organisations with huge funding are not keeping their data safe. They should show more civic sense, and if they are giving you no choice but to be taught with an iron fist, then the government should consider fining them and hold them responsible for leaks.
Unless we implement strict systems we can't expect far-reaching changes.
Q: Why is data security vulnerable in India?
If a data breach happens in the US, they can appoint an investigation agency or a private party to research and see what data has been leaked. Meanwhile, if a company here tells the government that one of our machines has been compromised, they are going to believe it and move on... They tend to close it fast instead of verifying if it was just one system after all.
By reporting it to the government, neither is it prevented nor is a solution found. This leads the brands to think -- why should we report it anyway? For them, it is bad PR if the news breaks. So they want to hide it when a data breach happens.
Another major issue in India is that even if the data with the government is not secure, it is not questioned. The regular security audits remain applicable only to private players and government departments and their vendors get out easily. I am not differentiating between the central and state machineries, they are all least bothered about people's data at their disposal. Either they are unaware or not bothered. They just don't want to open another Pandora's box.
Q: What is the root cause of this lackluster approach?
We don't understand why data is important. There is no system in place in this country to understand about data leaks. People get a lot of hoax calls on a daily basis, have you ever wondered how they caught hold of our number in the first place? These guys are buying data. Research shows it is the digital footprints of Indians that are most easily available.
Unless it is an obvious scandalous cyber crime, nobody cares about it in this country.
Q: What can the government ideally do to ensure private players and public-funded organisations take data security seriously?
I have personal experience of having found a security loophole and flagging it to the Centre. They felt offended. Sadly, this attitude needs to go away.
The government's cybersecurity is almost always from a surveillance perspective. Crime prevention seems their sole objective. It should be understood that there is much to do beyond monitoring social media activities. In many cases, no initiative takes place even when a possible data breach or ransomware attack is pointed out.
Internet is very cheap in India, so we should have a strong data regulation policy. Secondly, state governments should venture and form their own policies. This can solve a part of the crisis. They should decide that the data they are holding is highly protected and must come out of the belief that since all their data is stored in the central government's Network Operations Center (NOC) server, it is New Delhi's responsibility to safeguard the same.
Q: In your opinion, how should the state governments approach data security?
Instead of taking part in blame games when a crisis emerges, state governments should decide to have a data protection law. The state governments should ensure that their third-party vendors run audits and their certifications should be verified before bringing them on board. Such technical auditing and policies can positively expand the data regulation umbrella.
I prefer to pick Kerala as an example because it already has something like Cyberdome (technological research and development centre of Kerala Police) in place. An active bug bounty program will ensure even private data breaches are reported. When you have resources at your disposal, why can't they use them?
Q: So, is there a model state in India that is getting the basics right when it comes to cyber data? A model to emulate amongst our ranks, maybe?
No. States with bigger industries face bigger cyber threats. No matter how we try to sugarcoat it, India's cybersecurity is, at the end of the day, weak.
We can't show a 100% safe or foolproof model anywhere in the world. Here, there is no regulatory machine that stands ultimately for the safety of data. Why can't we have a standalone ministry for cybersecurity?
Q: Where do you think India should look for a role model when it comes to data security?
Some European governments are very vocal about their initiatives surrounding data. Singapore also has a replicable example. When details of HIV patients got leaked, the Singapore govt fined its health department. Can we even think about a govt fining its branch here?
In these countries, governments pull up departments and launch investigations against them over data leaks. Here, when a leak happens, the government decides to hide it instead. It prefers to cover up while it should take responsibility. How can there be transparency when you are not owning up? This is the kind of data regulatory framework we need to build.
Q: How can cyber security firms and "hacktivists" contribute to making the data of Indians safer? What is your tribe doing to walk the talk in the Indian scenario?
Ethical hackers turn "hacktivists" when the state turns a blind eye towards them and offers no backing.
There is always scope for public-private partnerships in data protection and cyber security. For example, imagine the Kerala Police Cyberdome decides to join hands with cybersecurity experts who can run vulnerability monitoring programs across the Kerala government's infrastructure. These teams can do a thorough job and in return earn certifications from the department. Such players would love to have a certificate of collaboration with a state government or police force and feel their morale boosted. And such collabs are not going to cost the exchequer a bomb.
Q: In your experience, who/which countries are behind attacks targeting Indian institutions?
Russia is home to most ransomware groups -- state-controlled or independent. Every government will try to acquire as much data as possible from the cyber world. There are no allies and foes in this world. Anybody can tie up with anyone because only data matters.
At least some of these groups would have started as cybersecurity professionals who would have tried to play the nice guy card and report cybersecurity issues to the government. They received no attention and they decided to go rogue.
Q: Is it the spending part that is holding governments back from strengthening data security?
It is a misconception that cybersecurity is expensive. It is a set of policies plus strategies. A security audit is not going to cost a government department more than a few lakhs, it is no question of affordability.
In fact, the government is spending crores on cybersecurity products. However, after implementing such tools, they should be properly monitored. Analyzing the data from the tools, there need to be revisions of policies and strategies.
Gone are the days when government offices used pirated versions of operating systems. Our offices too have gradually started spending on paid VPNs, antivirus software, and the like. The complete adoption of such a culture might not be way ahead of us, but we are not moving fast enough either. By the time we reach there, most of our organisations would have faced a data breach already.
We are constantly under attack and it feels like we are unaware of it.