The global cybersecurity threat landscape today is scary. As a nation, we are losing almost 2.5 per cent of our GDP to cybercrimes. This loss is almost equal to our defence budget of roughly Rs 200,000 crore.
I would like to share two recent incidents from the financial sector as examples to highlight this threat. These are as follows:
The first case is that of a bank in Chennai. It received a phishing email that carried malware to an Internet-facing computer. Someone who was not cybersecurity aware clicked on it, and the malware entered through an untrusted router and sat inside the core banking system. After that, every time the core banking system was used to check the balance of that account, the malware, controlled through its command and control, kept sending back the message that the balance was there. Meanwhile, the bank lost hundreds of crores of rupees. The money went to China, Turkey and Dubai, and at one place we were ultimately able to stop it. In Turkey, they asked us to procure a Letter of Rogatory, which is required in order to get your money back from an international bank. The procedure for the Letter of Rogatory takes around four months. We had to first file an FIR, after which the police undertook the investigation. Once the investigation was done, the matter went from the district to the state and ultimately to the Ministry of Home Affairs, and this whole process actually took four months to complete. As soon as we received the letter, it was presented to the bank in Turkey and the bank said, ‘sorry the limit is 90 days’. On the 91st day, that money was gone.
The second case is that of a bank in Pune. In this case, within a period of merely two hours, there were 20,000 ATM withdrawals, undertaken across thirteen different countries around the world. These are the kind of threats we face. This is the mafia we are up against! Even if Rs. 1 is taken from each of our accounts, I am sure we may not notice it, but when it is taken from over ten crore accounts, the perpetrator need not go to a university to receive a formal education. He could be sitting anywhere in the world with a laptop and become a millionaire.
However, precautions against these kinds of attacks are fairly simple, and anyone can adopt them. Lack of cybersecurity awareness at such a large scale is really scary. My first advice is that everyone must install an antivirus on their mobile phone, because banking and financial transactions are conducted on this device and a number of passwords across different websites are stored on it.
It is not my intention to alarm the public, however. Rather, I would like to assure everyone that the Government of India has a very good Cyber Security Policy and is taking appropriate measures to create a secure and safe cyber environment for individuals, businesses and the public sector.
The previous Cyber Security Policy was released by MeitY in 2013, because initially there was a gradual progression from telephone to IT to computers and ultimately to cyber. It has been six years since then. But now, since cyber is touching almost every ministry, it has to come out from the Prime Minister’s Office (PMO) under the National Security Advisor (NSA).
One of my first tasks as National Cyber Security Coordinator is to create a new Cyber Security Strategy 2020 for India. We will create a task force for this purpose which will address representations from all government departments and concerned stakeholders. We will subsequently open these for public consultation and comments. We hope that by either January or February next year the new Cyber Security Strategy will be released by my office.
The Privacy and Data Protection Bill (PDP) 2019 has been much discussed. It is something along the lines of the GDPR introduced in Europe last year, which is a very good initiative.
In 2017, the Supreme Court of India had given a ruling on the subject. Then, in 2018, we had the Aadhaar judgement, where the Supreme Court said that a robust framework must be introduced. We subsequently had the Justice Srikrishna Committee, which prepared a white paper, an excellent piece of work on the Data Protection Draft Bill. This was put in the public domain and received about 224 public comments. We have made efforts to incorporate whatever is possible and the red lines have been drawn. The Bill is now ready to be introduced in the Parliament. The Privacy and Data Protection Bill (PDP) 2019 is, therefore, in gradual progression.
Cyber Security Awareness is a significant area of concern, although we have an appropriate programme under MeitY for this. This is an area that needs to be addressed at the school and college level and across sectors. We have to become increasingly cyber aware and not wait to lose money or data. There is a tremendous amount of data, and data localisation has become a serious issue. Every time we undertake any transaction, the servers are located somewhere outside the country. Therefore, what should be within the country and what can go across to other countries is another aspect we are working on from the purview of data protection and data localisation.