What Do Data Breaches Reveal About The Status Of Cybersecurity In India?
Malicious actors, especially state actors who are considerably more organised than people understand, may and will collect significant volumes of data from each breach, accumulating databases that can be used for various illicit intentions.
It’s been just a few days since news surfaced about a Telegram bot spreading personal details of CoWIN. And now, the country is no closer to believing that the data collected from its residents by the government is secure. That is because the Indian government’s response has been far from convincing.
- Rajeev Chandrasekhar, the country’s minister of state in the Ministry of Electronics and Information Technology (Meity), initially rushed to explain that the information shared by a Telegram bot came from previously stolen databases and that the CoWIN database had not been directly breached.
- While declaring that the database is safe, the health ministry later stated that it had requested a report from the Computer Emergency Response Team (CERT-In).
The two responses raise several concerns.
- Why are Meity and the health ministry contradicting each other, with one claiming the information came from past breaches and the other claiming it has contacted CERT-In to look into it?
- If it is the former, why has the government made no disclosures about earlier breaches?
- If it is the latter, how can the health ministry lead its statement with the heading “CoWIN portal of Health Ministry is Completely Safe with safeguards for Data Privacy” without first examining it?
Hence, the government’s statements raise more questions than they answer!
According to Vishwanath PB, founder of Cyber Lex Solutions, a cyber law business located in Bengaluru, the government is responsible for ensuring the security of its citizens’ data. If data was stolen earlier, where is the FIR, and what is the study’s conclusion? What actions is the ministry/government taking to guarantee this does not happen again? The minister has shot himself in the foot by revealing formerly hidden information not in the public realm.
The issue is straightforward. What stops those in authority from stating that a probe is underway and that the findings will be made public after the investigation? Instead, the Indian public is offered various contradictory comments meant to manage the debate about the issue rather than get to the bottom of it.
And now, the straight line is twisted. Why is data leakage such a big problem?
To begin comprehending the depth of the situation, consider another story that broke a few days ago. Earlier this week, officials in charge of GST compliance stated that tax evasion totalling INR 30,000 crore was carried out using stolen identities, including 18,000 PAN and Aadhaar cards. According to the investigation, the names of PM Kisan and other social security plan recipients were reportedly exploited to operate 4,000 shell firms and 16,000 bogus GST registrations. This explains why one is in peril if the information held by the government is not secure. The accumulation of data from several breaches is a serious problem.
Malicious actors, especially state actors who are considerably more organised than people understand, may and will collect significant volumes of data from each breach, accumulating databases that can be used for various illicit intentions. This is the price of not having strong, legally enforced safeguards.
That proves cybersecurity concerns are more than just a minor public relations setback. Even officials privately accept the perils of all of this. A former Meity official agreed that the government should make public disclosures. He said it didn’t matter if only a part of a larger database was exposed. What should be important is whether or not a leak was confirmed!
At present, multiple signals indicate that there has been no compromise of the CoWIN database. According to sources, after speaking with the hacker behind the Telegram bot, the person verified that the results generated by the Telegram chatbot were obtained using an open vulnerability in another platform that caters to child health and is affiliated with the health ministry. This does not imply a clean slate. That is hardly the soothing concept that the authorities may think it is. This indicates a vulnerability that may be used to steal data from multiple health ministry databases.
Harshil Doshi, country director at Securonix, says his stance on PII (personally identifiable information) breaches has been consistent for some time. As a country, India has to look at these breaches objectively in terms of the harm they may do rather than the leak itself.
Security vs. optics.
Rushing to conclusions to control impressions is nothing new in situations of breaches in India. When Pukhraj Singh, a former analyst at the National Technical Research Organisation (NTRO), announced in 2019 that malware had been discovered in the IT infrastructure of the nuclear facilities at Kudankulam, the authorities initially denied it, only to retract the denial and later admit to the presence of malware in the facilities’ computers. It was then revealed that the virus might have gone unnoticed in the nuclear facility’s systems for up to six months, which is a significant situation, to say the least.
Take another example, the AIIMS ransomware outbreak in late 2022. Without adequately investigating why India’s leading medical institution left the doors open for a hostile neighbour in the first place, the blame was quickly assigned to China.
Interestingly, even in June 2021, there were reports of the CoWIN site being hacked, leading to the sale of data on 150 million Indians. The Indian government denied that this occurred at the time. When similar claims of a data breach surfaced in January of last year, the National Health Authority’s chairman, RS Sharma, stated that the CoWIN database was safe and secure. Whether the incident occurred in 2021 or 2022, the Indian government should be held accountable for presenting the information to citizens about any data leak.
What a scene!
At the start of the week, as the CoWIN scandal was making headlines, Rajeev Chandrasekhar was in Pune speaking at the Global Digital Public Infrastructure (DPI) event. The move is intended to allow impoverished and middle-income countries to benefit from India’s experiences in using technology for better governance and social, economic, digital, and sustainable development during the previous five years. That is an admirable goal, but careless handling of cybersecurity concerns can lead to cognitive dissonance. While the concept of a digital public good creates the country’s digital infrastructure, it is evident that the model to emulate should be UPI rather than CoWIN.
The prolonged wait.
As we have repeatedly stated in recent years, and pretty much every time such breaches occur, the focus should return to the lack of a cybersecurity policy document for the world’s most populous country and greatest democracy. This does not include the absence of data protection regulations. A significant element of such a strategy document would be articulating what to do and by whom in the event of a breach – effectively prescribing the obligations of investigating and managing the aftermath and taking actions to induce cyber resilience.
Since Rajesh Pant took over as national cybersecurity coordinator in 2019, the National Cyber Security Strategy 2021 has been in the works. It has been with the Cabinet Committee on Security (CCS) for about two years. In an address to the country on Independence Day in 2020, the Prime Minister vowed to deliver these vital documents quickly. That vow has still not been fulfilled 34 months later.
Conclusion.
We are continuously fighting for robust data protection legislation. Several attempts to implement the law were unsuccessful. It’s time to face the truth and address the challenges. The GOI should confront problems. Transparency is preferable to polishing the surface. No one is ideal, and no system can always be perfect. Recognise flaws and strive towards constructing robust, resilient systems. People above pretence is the way to go.
Technology is developing so quickly around the world that you can never be number one. Obviously, the Indian government is working hard every day to keep current on cybersecurity. However, if a breach occurs, it should be prepared with the next action. As a result, Indians may rely on the government for statistics.
Proofread & Published By Naveenika Chauhan