Exposed: Understanding the breaches in India’s cybersecurity during Covid-19

2 0
Read Time:7 Minute, 35 Second

India’s current Cybersecurity Policy

The dominant cybersecurity strategy of India dates back to 2013, and since then, the world has made significant technological strides. The 2013 policy aims at creating safe and secure cyberspace for individuals, enterprises, and government agencies. 

“Cyber-Security is much more than a matter of IT.” ― Stephane Nappo
Picture Credits@ Jefferson Santos

The policy whitepaper states the following objective. Firstly for protecting information and information structures. In addition to preventing and responding to cyber threats and minimizing the damage from cyber incidents. Lastly, anticipating the growth in the IT industry and the resulting need for a cyberspace policy.

In a nutshell, the policy aims to construct a secure cyber environment by establishing a robust legislative framework for assurance and a method to monitor and respond to threats. Furthermore, this also requires establishing an indigenous cybersecurity workforce and developing indigenous security solutions.

Security used to be an inconvenience sometimes, but now it’s a necessity all the time.
Martina Navratilova
Picture Credits@ Adi Goldstein

Although the policy statement aims to reduce the risk of cyber-attacks by defining and covering various aspects of cybersecurity, such as 

1. Methods to minimize supply chain risk.

2. Raise cybersecurity awareness

3. promote private-public partnerships and 

4. Improve bilateral and multilateral collaboration at the national and international levels. 

Nevertheless, the reality is far distinct from the objectives it strives to achieve. The Covid-19 pandemic, which relied heavily on digital infrastructure and technology intervention for tracing, vaccination, distancing etc., exposed the flaws of this 8-year-old cybersecurity policy.

This article attempts to analyze the policy’s flaws based on the opinions of professionals in the field. Furthermore, this reading provides insight into how a large amount of data collected during the Covid-19 pandemic faces the threat of misappropriation.

Privacy is one of the very basic necessities required by human beings to survive.
Picture Credits@ Dan Nelson

Such instances highlight the flaws in the existing policy and the failure of the legislature to address these concerns.

Deficiencies in the existing cybersecurity policy:

According to expert opinions, there are various worries about the existing cybersecurity policy regarding coordination, regulation, and overall awareness. 

One of the fundamental problems is a lack of communication between governments and business groups, which exposes the cybersecurity ecosystem’s fault points. 

These faults also include the processes for disclosing security vulnerabilities in government bodies. Therefore, it is critical to mandate cybersecurity compliance and create procedures for dealing with data breaches to establish accountability. 

Digital Access is not equivalent to digital awareness.
Picture Credits@ Lars Kienle

Without these requirements, businesses are just investing in cybersecurity for the sake of ensuring compliance. The absence of regulation is also visible as institutions fail to employ most IT security strategies to secure data because of no personal data protection law.

Finally, there is a lack of information on this subject even among government officials who fail to comprehend the rising threats in cyberspace and our exposed vulnerabilities that require immediate attention.

Commencement of Covid-19 & Cyber Security becomes a Priority.

The beginning of COVID-19 highlighted the current cybersecurity policy’s defects even more. The requirement for everyone to work from home, rather than within their companies’ firewalls, has increased security problems. According to a poll of employees from various Indian companies, 66% have experienced one data breach.

Since March, when the lockdown began in June, security experts have seen a 500 per cent increase in cyber-attacks and security breaches, as well as 3 to 4 times increase in phishing attacks. 

In addition, according to a report by the Data Security Council of India, the number of financial transactions has increased, increasing fraudulent assault.

Data is a treasure, Code is the key, Breach is to claim this treasure.
Picture Credits@ Markus Spiske

In response to the increased number of attacks, India’s Home Ministry issued guidance on avoiding cyber theft, particularly for those who work from home. The Computer Emergency Response Team – India (CERT-In) also produced a list of potential cyber-attack sources and best practices for ensuring safety.

CERT-In also performed a successful ‘Black Swan – Cyber Security Breach Tabletop Exercise’ to deal with cyber crises and events that may arise due to the COVID-19 pandemic. Additionally, weakened security controls while more people started working from home, ensuring cybersecurity was a priority.

The government is also considering forming a Computer Emergency Response Team for the Financial Industry to account for fraudulent behaviour in the financial sector (CERT-Fin).

Finally, on Independence Day 2020, India’s Prime Minister recently launched a cybersecurity policy for safe and secure cyberspace.

In the digital era, privacy must be a priority. Is it just me, or is secret blanket surveillance obscenely outrageous?
Al Gore
Picture Credits@ Dayne Topkin

Shocking: Data breaches in 2020

India’s cyberattacks increased from 1.3 million in February to 3.3 million in March 2020. Monthly attacks never fell below 300 million from April 2020 onward, reaching a new record of 409 million attacks in November 2020.

India had the most significant number of attacks in July 2020, at 4.5 million. There were 377.5 million brute-force attacks in February 2021, about a year after the epidemic began, a far cry from the 93.1 million seen at the start of 2020. 

 In February 2021, there were 9.04 million attacks in India alone. The overall number of attacks in India during January and February 2021 was over 15 million. In India, data breaches have increased by a factor of ten, regardless of the method used.

However, in India, a troubling trend has been for companies to refuse to acknowledge a breach, leaving individual consumers to wonder if their data is secure at all.

Surveillance everywhere!
Picture Credits@ Maxim Hopman

The lack of clear regulatory frameworks and policy execution impacts our country’s overall cyber hygiene. In addition, cybersecurity researchers who uncover breaches urgently need policy reforms as many face threats of possible legal prosecution without legislative protection. 

Enacting cybersecurity legal policies will give all stakeholders a frame of reference and guide them towards building a more resilient digital economy. Incident reporting should also be made mandatory.

Reasons for data breaches and failure of the cybersecurity policy.

One of the reasons for many data breaches is that India’s burgeoning start-ups and powerhouses make it a particularly attractive market for cybercriminals.

Aside from the massive amounts of personal, financial, and user behavioural data that Indian businesses store, they also have to worry about their brand.

According to a recent analysis by Infosys- Interbrand, a data breach may result in a $223 billion loss in brand value for the world’s 100 most valuable brands. Therefore, the entire goal of ransomware attacks is now to name and shame the perpetrators.

Blockchain technology ensures financial security.
Picture Credits@ Ewan Kennedy

Before Covid, hackers would encrypt the data and demand a ransom for the decryption key. However, while encrypting data, they export it to further pressure and intimidate the company into paying money or risk having its customer data auctioned on the dark web.

This is one reason why cryptocurrencies appear to be the new preferred payment method: their excellent security and near-impossibility of tracking.

Read more about cryptocurrency here.

The new cybersecurity policy’s direction

Expert’s advocate focusing on local demands and increasing incentives for the private sector to participate in government contracts as India develops a new cybersecurity policy.

Furthermore, the government should undertake concrete steps to formulate precise data and privacy protection guidelines.

Forming committees and framing guidelines won’t be enough. People should also be made aware of the importance of their data and privacy. A good initiative can be learning from General Data Protection Regulation (GDPR) in the EU.

Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.
Edward Snowden
Picture Credits@ Dan Gold


It is still not too late to implement reform in the IT act, 2000, the sole authority governing cyber threats. However, a more comprehensive and robust approach covering all the dimensions, ranging from the current threats to those that might arise in the future, is required.

Therefore, more interaction should be between the information security community and the government. IN-CERT is a good step, but each nodal ministry and important department should also have its rapid response team.

Finally, the legislation should foster an environment that encourages cybersecurity innovation research. Involving Indian Tech institutions that are already world-renowned and increased spending will boost India’s cybersecurity.

By: Nishchal Verma

Nishchal Verma is a South India movie buff and a sports fanatic whose fascination for cricket never dies. Currently, he is pursuing his BBA-LLB from Dr Babasaheb Bhimrao Ambedkar University Central University, Lucknow. He has a core interest in Cyberlaw, AI, Blockchain and policies involving cybersecurity which he actively pursues from national and international perspectives.

He can be reached at Nishchal@theinternationalprism.com

Happy
Happy
60 %
Sad
Sad
0 %
Excited
Excited
20 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
20 %

Recommended Articles

Average Rating

5 Star
100%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

9 thoughts on “Exposed: Understanding the breaches in India’s cybersecurity during Covid-19

  1. The article is very well structured, ideas are clear and the writing is concise. Sharp thinking! and dedicated effort. Keep up the good work!

  2. Very informative research work makes me understand the current scenario of data breaches and the need of new strong policies regarding cyber security.

  3. The intricacies and widespread impact which the pandemic created is often sidelined. The article has successfully brought all of it under an umbrella making it easier to be understood. It highlights how swift policy and governance can play an important role even in fast paced progress of technology.
    A must read!

Leave a Reply

Your email address will not be published. Required fields are marked *

Verified by MonsterInsights