Just a few days back we all learned from the papers about how former Chief Justice of India RM Lodha was cheated of Rs 1 lakh in an online scam after the email account of his friend, also a retired judge, was hacked. Almost every day nowadays we read about how people are getting duped, cheated and scammed by cyber crooks. An immediacy is needed from the PM Narendra Modi 2.0 administration to take the issue of cyber-crime, cyber threats and cybersecurity very seriously.
One cybercrime is reported every 10 minutes in India, as per recent trends. According to the Indian Computer Emergency Response Team (CERT-In), 53,081 security incidents were handled by the team during 2017. Our exhaustive cyber-security survey report released last year revealed that 53% of Indian businesses don’t even know whom to contact in case they experience a data breach/cyber-attack. About 62% of organizations in the 2018 survey said they had faced an IT breach in the form of a virus attack, malware, phishing, or ransomware while only 32% said they did not suffer any breach in the past 12 months.
Threats can emanate from anywhere and can be in any form – Data Privacy, Health Info Privacy, Cloud-Based Attacks, Cyber Crime as a Service (CaaS) and Use of AI in Cybercrimes. The new government and the IT ministry must take up the above issues on priority.
Firstly, let’s talk about data privacy – the industry is watching out keenly as to how the implementation of data protection bill would change the way they operate. In July 2018, Justice BN Srikrishna committee submitted the Draft Data Protection and Privacy Bill – quite an ambitious policy that not only upholds the Supreme Court’s ruling that privacy is a fundamental right but also draws a line on how corporates can access and process customer data. If the policy gets into force consumers will have ultimate authority over how their data is being used or if it can be used at all.
IT minister Ravishankar Prasad has said that implementation of data protection will be one of the top priorities for the new government but it will be crucial to iron out differences on data localization issues. The draft bill states that all companies should ensure at least one copy of personal data is stored in India. In addition, the critical personal data can only be processed in the server located in India. This would mean that companies such as Google, Facebook, and captives such as IBM, for whom India is a major market, will have to store data here. This is where companies and the Indian government are not in sync.
The second big issue is the security of health information privacy that needs immediate attention. Last year the health ministry proposed a law to govern data security in the healthcare sector that would give individuals complete ownership of their health data. This big step will make Individuals the master of their data – they would have the absolute right to refuse or allow data to be generated, collected, accessed, transmitted or used. And data collectors such as hospitals would be prohibited from refusing treatment to those who do not want their data collected or used. The onus of ensuring data security and privacy would lie with the entity that has custody of the data and can be penalized for any breach. Presently, as per our laws, companies are not obligated to inform individuals of a data breach, with the exception of banks, which are required to inform the RBI within six hours of any such breach.
Thirdly, as companies continue to migrate important data and processes to the cloud, cybercriminals naturally see this as an opportunity. There is a big increase in hacks against cloud-based email servers using stolen credentials. As more and more information and data of any business, migrate to SaaS and IaaS based solutions, organizations just do not have the control that they had with their traditional enterprise security capabilities. This is a scary situation and needs to be taken care of by strong data security measures immediately. There is just so much of customer data that is being sold and traded in the dark web.
Another aspect is that of the use of AI in cyber-crimes. For instance, a recent report by Nokia reveals that AI-powered botnets look for vulnerabilities in Android devices, then load data-stealing malware that is only detected after the damage has been done. AI is also enabling cybercriminals to deploy self-learning attacks that can quickly assess vulnerabilities, adapt malware to those weaknesses and actively counter security efforts to stop them. When combined with emerging threats like swarmbots, AI will be able to break down an attack into functional elements, assign them to different members of a swarm and use interactive communications across the swarm to accelerate the rate at which a breach can occur. This is so difficult for even people with knowledge of IT to understand, forget about the general masses using android devices. PM Narendra Modi 2.0 administration must take this area too while planning its cybersecurity measures.
To sum it all there is always room for growth. Cybersecurity programs cannot advance alone. Indeed, barriers such as lack of cybersecurity awareness, skillful personnel, and financial resources persist. Accordingly, individuals and organizations using cyberspace need to take proactive steps by instilling positive change and making cybersecurity topmost priority. It is only then that we can move forward to avoid present as well as upcoming cyber-attacks.