Clueless Against Deadly Cyber Data Theft, Govt Still Bullies Citizens To Trust In Digital Payments

Raman Swamy

When a top bureaucrat of the rank of Additional Secretary issues a warning about a dangerous new cyber attack, it has to be taken seriously.   On September 2, Dr. Ajay Kumar, the Additional Secretary, Ministry of  Electronics and Information Technology sent out a Twitter message stating that India was under attack from a new spam-spreading “Locky Ramsonware” virus. 

He confirmed an alert already issued by the Indian Computer Emergency Response Team (ICERT).   Also known as Cyber Swachhta Kendra, the ICERT website carried a detailed description of what the Locky Ramsonware virus was all about and provided technical advice on precautions that should be taken for cyber security.

On Thursday, Dr. Ajay Kumar issued another advisory.  He said “reporting of breach is mandatory by law”.   What this means is that it is compulsory for Internet users, whether they are private individuals or large companies with vast online computer systems, to immediately inform the authorities the moment they discover that they have been attacked by the Ramsonware or any other malicious virus.  

Speaking at a digital conference organized by the Payment Council of India, the Additional Secretary said:  "Ransomware attack is a big issue these days.  We are looking at ways to tackle ransomware.  We are in the process of preparing a new regulation in this regard.  We hope to come out with a draft document soon, which will be circulated to cyber experts for comments and inputs”.

In other words, even though 20 days have elapsed since the first warning that India is under attack from a deadly cyber virus, the Ministry of Electronics and Information Technology (MeitY) is still wondering what to do.  

That in a nutshell the state of cyber security in India.  Nobody has a clue.  Except drafting a stringent new law threatening that anybody who fails to report a cyber attack shall be severely punished,  there is no actual protection from the attack itself.

This does not mean that Cyber Swachhta Kendra and MeitY are not doing their job sincerely and efficiently.   They are doing whatever is in their power to do - install the latest available security systems as fast as they can on government websites, issue alerts and advisories to private users.    

For instance, they have issued a long list of technical counter-measures, such as the following:
1.     Maintain updated Antivirus software on all systems.
2.     Don't open attachments in unsolicited e-mails, even if they come from people in your contact list.
3.     Follow safe practices when browsing the web.
4.     Establish an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
5.      Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.
6.     Disable remote Desktop Connections.
7.     Use strong authentication protocol.
8.     Enable personal firewalls on workstations.
9.     Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released.
10.  Report such instances of fraud to CERT-In and Law Enforcement agencies

Which is all very well except for the fact that nothing seems to prevent the Locky Ramsonware from hijacking a system. 

One of the first victims of the virus in India was a leading publishing house.  Every single file on more than 150 computers across their offices in Delhi, Mumbai and Bengaluru, connected to a common server, were hacked and locked by Locky. To decrypt the files, the malware demanded a huge ransom.

The publishing house just the first victim.  Over the next few days reports started pouring in of numerous other corporate computer systems falling prey. 

Globally,  Locky attacks are estimated to have forced many big companies, including FedEx the courier giant to pay the ransom demanded.  In fact FedEx issued a public statement admitting that it paid upto 300 million dollars to get its data decrypted. 

Meanwhile a new variant of Locky has made an appearance.  On Tuesday this week,  the highly reliable Barracuda Research Labs posted an international alert that it had discovered a new ransomware threat which had launched as many as 20 million attacks in a single day. 

The research showed that the new Locky variant was "more aggressive" and was targeting countries like India, Vietnam, Colombia, Turkey, and Greece.  The attacks were mainly coming through emails.
Experts say no system is safe from the Ransomware threat.  What is even more alarming is that Dr. Ajay Kumar has warned that mobile phones are particularly vulnerable. 

According to him:  "Mobile is a dangerous device and with the kind of data it is leaking, we are setting up two working groups including the RBI and Department of Telecom working on cyber security standards for mobile applications and devices. We hope to release it soon". 

The decision to set cyber security standards for mobile applications comes amid fresh reports of data leaks by Chinese phones.

Even more frightening is that there is growing concern about digital transactions and e-payments.  Very recently, there were multiple reports of cyber breach threats leading to leakage of financial and personal data.

This has cast a cloud of doubt over the entire campaign being aggressively carried out by the Modi government to force citizens to shift to e-payments and digital transactions instead of dealing in cash.    

Some cyber experts have sharply criticized that government’s insistence on cashless economy.  They say that it is clear that whereas the vast majority of Ministers and Bureaucrats themselves are virtually illiterate about digital technology, yet they are working with a “herd mentality”  to impose e-payment transactions in the form of debit cards, credit cards, digital wallets, etc. in a country where nearly 99% people are digitally challenged and digital infrastructure is unsafe.

The reality is that even government websites are still not properly developed and made secure despite Internet having come to India more than two decades ago in 1995.  How can anyone expect the government to ensure cyber security? They ask.

India is an underdeveloped country in terms of tech usage. According to The Global Information Technology Report released by the World Economic Forum, India’s rank is a poor 83 in the world. “That means India is still tottering in the Stone Age, while the world is galloping in the Information Age”, as one critic put it. 

Moreover, although the Indian government squanders public money worth billions of dollars in the name of technology introduction, their tech interfaces to provide citizen services and financial services are extremely raw and crude.

A report by PriceWaterhouseCoopers PWC –India puts the matter in perspective.  It says - “While on the one hand, the switch to cashless money signals the dawn of a new era in financial transactions, on the other there is an urgent need to address the increasing vulnerability to risks associated with online, credit/debit card frauds”.

It adds:  “Some of key reasons that can be attributed to the increase in fraud risks are: increase in the use of credit/debit cards post demonetization, lack of awareness of the right security measures in customers, the integration of various untested applications in payment channels, and the lack of efficient security products for monitoring of banking transactions”.

In short,  India is not ready for a cashless economy.  Cyber transactions on mobiles or desk-top computers or electronic cards are highly unsafe and susceptible to data theft and virus attacks. 

Until and unless a robust cyber security framework is built and the governance structure is made virus-protected, any talk of compulsory shift to digital payments economy is nothing more than a pipe-dream, a dangerous one at that.

Sep 27, 2017