By Subhodeep Jash
As COVID-19 reshapes social interactions and transforms our work environments to more digital settings, the threat landscape on the cyberspace is also evolving with new vulnerabilities emerging. Whether its cyber criminals looking to sell the Statue of Unity for $4 billion or a fake UPI handle that dupes monetary donations to the PM CARES Fund, policy efforts to “flatten the curve” on cyber crime leave a lot to be desired. Security flaws in platforms such as the videoconferencing tool, Zoom highlight the need for adequate cybersecurity preparedness, both amid enterprises and individuals.
With the emergence of a new wave of internet users from rural and semi-urban India, digital financial inclusion initiatives are most susceptible to data breaches that involve consumer frauds such as phishing and skimming. This is aptly highlighted in a recent Netflix web series ‘Jamtara that delves into a phishing cottage industry set in Jharkhand wherein fake callers on the pretence of calling on behalf of a bank seek to gain access to private financial information.
The Governance Fault Line
Addressing some of the fault lines require a coordinated and robust institutional framework that may be drawn up with the upcoming National Cyber Security Strategy 2020, especially as the earlier 2013 policy had several implementation gaps.
The Indian Computer Emergency Response Team, known as CERT-In, is the nodal agency on responding to cybersecurity incidents and publishes annual reports that tracks various forms of malicious cyber incidents. The regulatory capacity of CERT-In has been questioned for the quality of its advisories or its periodic reports, and for its interaction with other sectoral regulators such as RBI or SEBI.
It hasn’t been evident, from the perspective of the security community, that CERT-In has a proactive channel of communication with its counterpart on protection of the critical information sectors — the National Critical Information Infrastructure Protection Centre (NCIIPC). In a recent parliamentary disclosure, the Ministry of Finance clarified that the securities regulator SEBI had not furnished an furnished any reports regarding cyber attacks on security markets during the last few years.
The new Cyber Security Strategy 2020 must place CERT-In on a stronger footing in order to equip a more contemporary agency that is dynamic and consistent in its response to cyber security threats, especially in matters concerning proactive security. The data breach reporting mechanisms can be a supporting bulwark for CERT-In that can be addressed via appropriate legal frameworks, in the data protection law and allied Information Technology Act provisions.
Healthcare as Critical Information Infrastructure
The government has identified six sectors as critical information infrastructure: transport, power and energy, telecom, government, financial services, and strategic and public enterprises. Typically, those infrastructure areas that are highly significant in ensuring important social functions, be it the power grid or our payment systems, are accorded this status. The failure or damage to such systems can have severe effects on the health, security and socio-economic well-being of a population.
As India recognises the role of leveraging technology in improving critical processes for healthcare delivery, especially in areas such as telemedicine, policymakers have begun coming to terms with the importance of governing data security in the healthcare sector. The Health Ministry in 2018 had proposed a draft Digital Information Security in Healthcare Act, which is still to be firmed up. Given the imperative of data networks woven around our hospitals, testing labs, scanning centers, we need to ensure that healthcare is designated as a critical information sector to ensure adequate business continuity and mandating breach notifications.
Silos of public private collaboration
Several essential parts of our critical information infrastructure, whether they be in banking, energy or telecom, are owned by the private sector. The WannaCry and NotPetya incidents showed that attacks targeting the digital elements of utility infrastructure such as power plants, assets such as banks or hospitals servers, and devices including mobiles and personal computers, have damaged critical national assets.
Be it a cloud computing architecture or a VPN server, the owners and operators of critical infrastructure need to have a stratified information sharing mechanism with the government given the varying degrees of maturity in security practices among different entities. The role of NCIIPC, which was set up with a fairly specific mandate, becomes imperative here, with enforcing supervision over the best practices and guidelines issued for these critical sectors.
The scope of this information sharing must be wide, encompassing threat information, incident reporting, best practices, vulnerability or audit notes along with other areas of coordination. Even, in the United States, a recently released Cyberspace Solarium Commission report observes that public and private sector cybersecurity remains inadequate thus far.
In India, the remit of public private collaboration has been fairly limited to just the context of education and awareness programs, such as the Cyber Shikshaa project for skilling women engineering graduates. This must be expanded towards creating self-governed coordinating sector councils known as Information Sharing and Analysis Centers (ISACs) that facilitate early warning systems and crisis management, not just within these sectors, but as cross-sectoral coordination.
Digital Immunity for the Future
The synapse between the COVID-19 pandemic and cybersecurity imperatives can be addressed with a call to action that the new Cyber Security Strategy on the anvil can address. New red lines that have emerged only draws to us the reality that it isn’t possible to hermetically seal our societies or the networks. The new policy must be in sync with these modern realities and look to adapt to future disruptions in reinvigorating trust and boosting our digital immunity.