Breach


by Nirmal John


  There is a silver lining to be found in the success of Petya and WannaCry. It has brought the menace of ransomware to the public consciousness and made the word part of everyday lingo. Companies and individuals have woken up to the existence of the danger that such malware is designed to sow. Media coverage of WannaCry and Petya was extensive, so much so that even my seventy-five-year-old father, who started using the Internet just last year, inquired about the steps he should take to guard against it. That is certainly a start.

  CHAPTER 7

  POWER BREACH

  Why the Government Needs More Hackers

  Vulnerable India: A Government Website Was Hacked Every Other Day In 2016
  Huffington Post India1, February 2017

  Ministry of Home Affairs Website Hacked
  Times of India2, February 2017

  Indian Government Website Hacked by Terrorist Group Al Qaeda
  Indian Express3, March 2016

  IIT Delhi, Other University Websites Hacked by pro-Pakistan Group
  Livemint4, April 2017

  NSG Website Hacked, Defaced with Abusive Message against PM Narendra Modi
  NDTV5, January 2017

  TRAI Website Hacked after it Releases over 1 Million Email IDs; Anonymous India Claims Responsibility
  Firstpost6, July 2015

  Indian Army Site Hacked: Does India Have the Right Attitude to Tackle Cyber-crime?
  Firstpost7, April 2015

  Website of Antrix, ISRO’s Marketing Arm, Hacked
  Huffington Post8, July 2016

  Headlines of this kind have been disturbingly regular fare in newspapers over the past few years. Hackers gaining access to websites and social media accounts of businesses and individuals and defacing them is one thing. The issue attains a completely different scale and dimension when governments and public institutions and entities are at the receiving end.

  In 2013, 2014, 2015 and 2016, respectively, 189, 165, 164 and 199 websites of Central ministries or departments and state governments were compromised, with many of them being defaced with politically charged and provocative messaging. These numbers came from Hansraj Gangaram Ahir, minister of state for home affairs, who announced them in Parliament. Ahir mentioned that the numbers were based on data collected by the Computer Emergency Response Team (CERT-IN).9

  However, problems arising from the hacking of government websites would run way deeper than a defaced website. The continued trickling of such news also makes one question the nature of data security at all levels of governance in the country. Do we take the security of our digital assets seriously? Even if the political, military and bureaucratic leadership understand the problems, does that knowledge and appreciation of the problem filter down the chain?

  The defacing of websites or basic distributed denial of service (DDoS) attacks may embarrass the nation in the short term but are not as serious as more vicious attacks aimed at compromising both sensitive military and civilian installations. What the simpler attacks listed above bring to sharp focus are the obvious flaws in how the country is building its digital infrastructure.

  It shows the need for the country to be proactive about cybersecurity in order to be prepared for possible attack vectors that malicious actors can use to cripple the country, economically, socially or even militarily. Today, there are questions being raised about the integrity of databases that may contain information on the entire population of a country or information on various critical governance infrastructure.

  To be fair to the authorities in India, governments all over the world have always been leaky ships. India is not alone in facing the brunt of digital attacks—if anything, the scale of attacks on India has not been as bad as has been witnessed in some developed economies of the West. The mother of all data breaches had, of course, happened in one of the supposedly most secure government organizations in the world—the National Security Agency of the United States. Remember, Edward Snowden walked out with gigabytes of data from an agency and a country that is purportedly at the cutting edge of technology, both when it comes to attacking the digital assets of other countries and in defending against breaches to its systems.

  At the highest levels, India has certainly been aware of the dangers of digital attacks, and that has resulted in some good work. India is ranked a creditable twenty-third in the world in the Global CyberSecurity Index 2017 published by the Geneva-based United Nations International Telecommunication Union. Even though India ranks below countries like Egypt, Latvia and Thailand, it is improving.10

  The report classifies India in the second tier of countries; that means it is among maturing countries that have developed complex commitments and engaged in cybersecurity programmes but have not yet demonstrated high commitment, going by the parameters the study looked at. Some would say that ranking twenty-third on this global list is not such a bad showing, but the question to ask is if it is commensurate with India’s status as a country with one of the world’s largest talent pools in information technology and computer engineering.

  The Global Cyber Security Index goes on to make an important distinction between a country that manages to digitalize itself and a country that does so with emphasis on cybersecurity. As the report says,

  . . . the research also revealed that while increased Internet access and more mature technological development is correlated with improvement in cybersecurity at the global level, this is not necessarily true for countries with developing economies and lower levels of technological development. The data collection shows that developing countries lack well-trained cybersecurity experts as well as a thorough appreciation and the necessary education on cybersecurity issues for law enforcement, and continued challenges in the judiciary and legislative branches.

  India is at a sensitive time in its march to digitalization and clearly needs to be a lot more proactive when it comes to cybersecurity. It is not as if the framework for debate is not yet ready. The Cyber Security Policy, released in 2013,11 is a good starting point. As a review by the Bengaluru-based Centre for Internet and Society of the Indian Cyber Security Policy of 2013 points out, while the policy gets a lot of things right as an aspirational document, it needs further fleshing out to really be an effective piece of legislation. ‘It certainly covers plenty of ground, mentioning everything from information sharing to procedures for risk assessment/risk management to supply chain security to capacity building. It is a sketch of what could be a very comprehensive national cyber security strategy, but without more specifics, it is unlikely to reach its full potential,’ says the review.

  A sharper legislation can be achieved only through debates involving all stakeholders, and after many years that debate has started in the country, thanks to the hullabaloo around the unique identification number, Aadhaar.

  * * *

  There seems to be some confusion about what Aadhaar really is. It is a popular misconception that it is a physical identity card, which it is not. It is, in essence, a unique number. The Unique Identification Authority of India (UIDAI), the nodal authority that issues these numbers, states on its website, ‘This number is intended to empower residents of India with a unique identity and a digital platform to authenticate anytime, anywhere.’

  To expand on that, it is a central database with a number for each individual, against which every resident of India can be authenticated. All services that are to be delivered to residents can potentially be built on top of this database. What Aadhaar is has probably not been communicated well and that explains much of the confusion among the general public on what it really is. Billed as the world’s largest biometric identity programme, Aadhaar has, over the last few years, managed to add nearly 1.1 billion individuals to its database—a remarkable number.

  Today Aadhaar has ignited a complicated, multidimensional debate about its uses and its potential for abuse. There are definite benefits that can be tapped into by the residents through Aadhaar—like direct disbursement of welfare and stemming of spillage—that can be fundamentally transformative in a developing country like India. It is a mechanism to make sure that the effects of government programmes reach those who are most in need of them. The UIDAI claimed in early 2017 that use of Aadhaar had resulted in ‘savings of over Rs 49,000 crore due to Aadhaar-based Direct Benefit Transfers during the last two-and-a-half years’.12 It also enables a more efficient governance structure across various government initiatives, as well as helps bring it all together, providing a framework to help unleash the power of big data analytics.

  Equally, it has the potential to be abused by the state and by nefarious elements, should its centralized core database be breached. A government that is suspicious of civil liberties can use it to track its citizens closely. Everything an individual accesses through Aadhaar creates a unique data footprint. That includes finance and banking services, communications, travel services, tax transactions and more. With a biography of sorts being generated by the database against each number, the issue of misuse of the information, loss of privacy and possible surveillance of the population by an over-zealous government—or indeed by any unscrupulous entity that has access to the database—becomes a pertinent one.

  Those who do not agree with the criticism that Aadhaar could result in a nanny state say the large-scale collection and monetization of personal data of the sort done by Google and Facebook is no different. That argument doesn’t necessarily hold merit because joining Facebook and using Google are still optional. When the government compulsorily mandates the use of Aadhaar for crucial activities, such as those related to taxes or banking, citizens have no option but to get an Aadhaar number lest they miss out on essential services.

  The debate is made complicated by the involvement of biometrics—the unique data of an individual in the form of fingerprints and retina scan that are used to authenticate and assign to each person a unique number. Every time there is a need for authentication—say, for a bank transaction or for issue of a new passport—devices at the delivery point scan a citizen’s retina and fingerprints. This data is then sent to the Central Information Data Repository (CIDR), which holds the information on all unique IDs, which would confirm the identity with a yes or deny with a no. Theoretically, it should work perfectly.

  Unfortunately, that is not how the process has unfolded, and there have been more than a few glitches in the implementation of Aadhaar. Data has been compromised, mostly at the application and implementation levels. That is why the protocols involved in the use of Aadhaar need to be extremely well defined, with no room for any confusion or, for that matter, mischief. The breaches have been a result of the established protocols not being followed properly.

  The government acknowledges that some of the data has been published by its departments. The minister of state for electronics and information technology, P.P. Chaudhary, said in a written reply13 to a question raised in the Lok Sabha: ‘There has been no leakage of Aadhaar data from UIDAI. However, it was found that around 210 websites of Central government, state government departments, including educational institutes, were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public. UIDAI has taken note of the same and is regularly monitoring the status to get the Aadhaar data removed from the said websites.’

  In another instance where Aadhaar data was allegedly compromised, UIDAI filed a police complaint in mid-February14 against Axis Bank, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, for allegedly storing biometric data of some customers in their servers, something specifically outlawed by UIDAI. In a statement, UIDAI said, ‘It is an isolated case of an employee working with a bank’s business correspondent’s company making an attempt to misuse his own biometrics, which was detected by UIDAI internal security system and subsequently actions under the Aadhaar Act have been initiated.’

  Since this incident, UIDAI has beefed up security for the devices used to scan biometrics, which are now mandated to comply with new encryption norms for biometric authentication. Biometric information is incredibly valuable and is again something that can be misused if it falls into the wrong hands. UIDAI hopes that stronger encryption will go a long way in ensuring better security.

  Then there is the case of Qarth Technologies, a Bengaluru-based firm that had allegedly accessed the Aadhaar database without permission from UIDAI.15 The authority filed a complaint in Bengaluru in July 2017 under the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act 2016 and Information Technology Act, 2000.

  The Bengaluru-based Centre for Internet and Society conducted a study16 into the practices of four entities that use Aadhaar: the National Social Assistance Programme, Ministry of Rural Development, Government of India; the National Rural Employment Guarantee Act (NREGA), Ministry of Rural Development, Government of India; Daily Online Payment Reports under NREGA, Government of Andhra Pradesh; and the Chandranna Bima Scheme, Government of Andhra Pradesh. What they found was less than ideal:

  A review of the above-mentioned government schemes, dashboard and portals demonstrated to us the dangers of ill-conceived data-driven policies and transparency measures without proper consideration to data security measures and lapse statistical disclosure control. While initiatives such as the government open data portals may be laudable for providing easy access to government data condensed for easy digestion, however in the absence of proper controls exercised by the government departments populating the databases which inform the data on the dashboards, the results can be disastrous by divulging sensitive and adversely actionable information about the individuals who are responding units of such databases. Thus, while availability of aggregate information on the Dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are.

  The lack of consistency of data masking and de-identification standard is an issue of great concern. As mentioned earlier, the masking of Aadhaar numbers does not follow a consistent pattern. In some instances, the first four digits were masked, while in others the middle digits were masked. Given the multitude of databases publicly available, someone with access to different databases could use tools for aggregation to reconstruct information hidden or masked in a particular database. Further, most of the databases we encountered were also available for download as spreadsheets. The availability of the information in datafied formats also facilitates the use of data analytics to aggregate information from various sources, thus increasing the risk of data points from different sources coming together to enable reconstruction of masked or undisclosed information.

  Since the report, there has been an improvement, with government departments having taken steps to ensure de-identification, but the existence of these loopholes in the first place points to a disconnect between how Aadhaar was imagined and how it is being implemented. While standards have been established on how to use the database, there is still much left to be done to enforce them.

  The government says it has instituted ‘ . . . several policy, legal and technical measures such as audit of the systems and networks, increasing awareness in area of cyber security, sharing threat-related information with stakeholders, issuing advisories on such threats through CERT-IN and National Critical Information Infrastructure Protection Centre (NCIIPC), and capacity development to address the issue of cyber hacking’.17 But to create a secure Indian cyberspace, it is important to go beyond institution building and educate people on handling of data.

  Unfortunately, sensitizing government departments—as well as private Indian entities—on the sanctity of personal data, let alone the security of that data, is not an easy task in a country like India. Much of this is because of cultural reasons. There is public apathy towards the idea of privacy. Unlike in the West, where the concepts of privacy and personal space are appreciated at an early age, the idea of privacy of an individual is not second nature to even adult Indians. As a top-ranking law enforcement officer in Bengaluru puts it: ‘We don’t understand data. That is why we don’t understand Aadhaar. Email address, mobile numbers, Aadhaar . . . are not seen as private property, and people give them out freely. The moment the idea of a property becomes fuzzy, Indians fail to grasp how to secure it.’

  The question that many Indians end up asking is—how does it matter if some of the information is made public? People are still getting to understand how in the age of big data, every strand of information can be combined to paint a portrait of individuals, which can then potentially be used for nefarious purposes.

  The need for more work in shoring up Aadhaar’s security parameters extends from India’s public infrastructure to its military infrastructure.

  * * *

  Countries like the United States, Russia, China and North Korea have been accused of making several cyberattacks. Stuxnet, the name given to the malicious worm that, in the latter half of the last decade, was released to make its way into the Iranian nuclear programme with the intention of crippling it, is widely acknowledged as the world’s first digital weapon.18 That attack is believed to have originated in the United States. More recently, the Russian hacking scandals dogged the democratic process in the United States. Then there is the apparent targeting of Ukrainian interests by Petya, a ransomware that some believed was the handiwork of Russians.19

  Raghu Raman, former chief executive of NATGRID, points out in his book,20 Everyman’s War—Strategy, Security and Terrorism in India, that as the Indian information technology and telecommunication networks expand rapidly, and with the arrival of e-governance programmes, communication grids and the explosion in cellular and financial services, all sorts of electronic equipment are needed, but the cost-conscious public sector often goes for the cheapest possible supplier of this equipment. That, more often than not, is China. He writes:

 
