The omission of digital security as one of the nine pillars that underpin Narendra Modi’s flagship Digital India program is perplexing.
Ransomware could, in all probability, be in the running for word-of-the-year by the end of 2017. On Friday, a new advisory was issued by India’s Computer Emergency Response Team (CERT-In), this time warning users to guard against newer variants of Locky, an iteration of ransomware which was first detected in 2016 and spread through emails.
Users have been advised not to click on emails with a host of subject lines including ‘please print’, ‘documents’, ‘photo’, ‘Images’, ‘scans’ and ‘pictures’. The advisory came after reports that as many as 23 million emails were sent out by the perpetrators of this latest wave of Locky attacks. It has only been a few months since the WannaCry and Petya attacks made headlines, with India being one of the countries where these malware strains spread in large numbers.
Much of that has to do with the fact that the growth in internet penetration has not been accompanied by a growth in awareness about how to be safe online. A connected populace is a great idea, but without a far larger emphasis on digital literacy, particularly in cyber security, we will be left with hundreds of millions of people who are sitting ducks for a number of cyberattacks.
Digital India is among the flagship programs of the Narendra Modi government, but the creation of a safer computing culture is crucial in determining if the program lives up to its promise and hype. It is in this context that the omission of digital security as one of the nine pillars that underpin the program becomes perplexing.
Demonetisation has triggered an uptick in the adoption of digital transactions, but the security standards applied to wallets vary in degree, as compared to the stricter regime for banks or credit card companies.
Unsavoury incidents that may result from this will only serve to dilute the trust of the general public in financial technology. Trust, after all, has been the bedrock of banking, and any incident that creates a deficit of belief will come back to bite the industry.
Among other issues, the criticism faced by Aadhaar has much to do with a lack of appreciation of the basic tenets of digital security, not necessarily at the server level, but at the application level. There is an ignorance of how data is to be handled.
The protocols that need to be followed on how the Aadhaar data is to be accessed and what part of it can be retained, if needed, are still not clear to many government departments and private entities who are using the database. This has resulted in some awkward instances like the government having to admit that, “around 210 websites of Central Government, State Government Departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public.”
Initiatives like Cyber Swachhta Kendra issuing advisories are a step forward, but how long can the communication strategy stay reactive to threats? Its cyber security awareness programs need to be backed with far more purpose and resources. The first line of defence is always an alert and aware user. The good news is that the conversation on data security is not limited to tech circles any more.
In the aftermath of Petya and WannaCry, the menace of ransomware has entered public consciousness. Several entrepreneurs in the cyber security business have said that the number of enquiries shot up after the major ransomware attacks of the past few months. Many of these enquiries, they say, are coming not from the bigger companies but from small and medium-sized ones, which have until now maintained that these issues are relevant more to companies in the Fortune India 500 list.
Strains of ransomware like WannaCry and Petya spread around networks riding on what programmers call system exploits. Strains of malware like Locky that spread through emails can be avoided only by being aware that, on the internet, not everything you see is what it seems to be.
But awareness about the best practices in cyber security can come only when instances of breaches are disclosed in larger numbers. This has not been easy, because companies and institutions that have been breached by ransomware and other malware over the last few years have kept mum for fear of damage to their reputations. Restaurant listing company Zomato’s handling of a breach in May 2017, and their emphasis on communicating to their users, was exemplary. But Zomato is an exception.
The government needs to step in to create a regime that would penalise non-disclosure across sectors, particularly in finance and banking. Trust in the security of the system is a prerequisite for increasing penetration and usage.
The earliest known case of ransomware, in late 1989, infected computers across Europe, Africa and Australia through 5-1/4 inch floppy disks sent by post to various addresses, disguised as AIDS information kits. Ransomware has since been evolving through various guises, with crypto ransomware (where encrypting data is the favoured method of locking, with the decryption key released on payment of ransom) taking over as the dominant iteration from the early part of this decade. Incidentally, this coincided with the rise of cryptocurrencies, which allowed for anonymity.
Nirmal John is the author of Breach, a forthcoming book on data theft to be published later this year by Penguin Random House. He worked as Assistant Editor at Fortune India, and is now an independent commentator on the intersection of technology, culture and business. He studied at the Indian Institute of Mass Communication, New Delhi.