Experts say India is fast becoming a cyber crime hotbed. Image courtesy: Gerd Altmann/Pixabay
By Hari Kumar, on March 05, 2024
By Hari Kumar, on March 05, 2024
Cybersecurity lapses continue to surface in India with a predictable regularity now. The latest report came last month when researchers at cybersecurity firm CloudSEK said that they detected offers to sell the personal data of 750 million Indians by a hacker called CyboDevil.
The report said the data was taken from all major Indian telecom networks in the country and the total data was around a whopping 1.8 terabytes.
This comes soon after American cybersecurity firm, Resecurity, reported that the personal data of more than 800 million Aadhaar card holders was up for sale on the dark web.
Such large-scale breaches are becoming regular as most entities in India fail to put in place a robust cyber defence system. This is prevalent even in critical areas like the power grids and communication sectors, say security experts. With connectivity increasing, even medium-level businesses in India are becoming hacking targets.
Official reports have been warning about rising cyber attacks, and the government’s own Indian Computer Emergency Response Team (CERT-IN) said in 2022 that there was a 53 per cent jump in the number of ransomware attacks in the country. It also warned that even critical infrastructure facilities are now becoming targets.
In one well-reported instance, the power supply in Mumbai city was severely disrupted in 2021, and the New York Times reported that Chinese hacker groups were assumed to be behind the attack. It said state-backed hackers had done it as a “warning” as the two countries were engaged in border skirmishes during that time.
Such large-scale breaches are becoming regular as most entities in India fail to put in place a robust cyber defence system. This is prevalent even in critical areas like the power and communication sectors, say security experts.
Cyber defence experts say that while such visible cyber incidents get reported, most smaller incidents rarely get known as both public entities and private firms keep them away from public eyes.
They say that awareness about secure networks and database servers remains low despite a drive to digitise almost every sphere in the country. As digitisation and connectivity increase, many businesses are now coming into the line of attacks from hacker groups.
What is more worrying is that as hackers find easy pickings, even small and medium businesses are now facing data theft and ransomware attacks.
Those in the sector say that a prominent retail chain in Kerala had faced an attack from a hacker group that accessed their customer database.
“Indian industries which possess huge personal and customer identifiable information, such as telecommunication companies, online retailers, F&B, and financial institutions are attractive targets for hackers,” said a 2022 report by Singapore-based cybersecurity firm Cyfirma.
The report stated that only 24 percent of firms and organisations in India have the necessary capabilities to address their cybersecurity issues.
But things have started improving a little bit, says Deepa Sarath of Ciber Digita Consultants, a cybersecurity firm based in Trivandrum. Her firm was contracted by the Electronics Corporation of India Limited (ECIL) soon after the Mumbai attack, and since then, the power grid defence has become robust, she says.
It was a slow learning curve for the officials who were sceptical of the young analysts who were deployed by CDC. But over a period of time, senior management realised the need for precautions and now deploy key personnel to assist the security firm 24 hours a day.
People in the private cybersecurity domain say that the need for a security culture is absent from many key establishments, even in sensitive areas like defence.
Practices like using pen drives, taking official computers home, and allowing unauthorised people to access them, and connecting them to public networks are common.
Some of these establishments outsource their cybersecurity duties to firms with the right kind of connections and clout. These firms are often headed by people who are found wanting in their knowledge, as cybersecurity analysts need to be on their toes in this rapidly changing sector.
The increase in demand for cyber protection is also posing another problem: the lack of skilled analysts and programmers.
Forty per cent of Indian cybersecurity teams are understaffed, according to the State of Cybersecurity 2023 report by ISACA, an international professional association focused on IT governance. The report showed that 54 per cent of organisations have job openings for non-entry level roles, compared to 20 per cent with job openings for entry-level positions.
“Finding new talent is a tricky business in this field,” says Bhadran V K, Technical Director at Alibi Global, a Trivandrum-based cybersecurity firm that specialises in computer forensics and digital investigation.
Hackathons that focus on cybersecurity are held regularly, and winners are declared. However, there is no forum to accumulate these young talents and form a pool of such people. Moreover, most of these youngsters move on to other jobs as time passes, he says.
According to Shruti Sharma, a cybersecurity expert, the process of hiring someone for a job in this particular industry might take as long as six months. India was facing a deficit of around 3 million cybersecurity experts by the end of 2023.
“The scarcity is a significant obstacle for organisations in efficiently monitoring their cybersecurity position and swiftly addressing new threats,” she wrote in The Diplomat magazine.
Another major stumbling block that cybersecurity firms find is the implementation of security policies at lower levels, even when the top management approves a stricter security policy. This is a common refrain in government departments, which are spread across a wide area, and local officers are left with the task of implementing it.
The private sector is not immune to this either, as the work-from-home approach implemented during the Covid lockdown made it difficult to monitor all workers.
“Accessing the cloud from homes and other unmanaged locations due to hybrid work arrangements has further emphasized the necessity for security controls, leading to an increase in cloud security spending,” says Shailendra Upadhyay of Gartner, a global technological research and consulting firm based in the US.
Gartner predicts that companies in India are poised to spend 2.9 billion US dollars on cybersecurity this year, an increase of 12.4 percent from 2023.
As artificial intelligence (AI) gets adopted into different fields, more businesses will be prone to use cloud-based services, which will further increase their need for safety and security.
While AI is predicted to disrupt the traditional job sector vigorously, cybersecurity looks like one sector that will see a boost in jobs. However, colleges and universities have to move quickly if we are to tap into that potential.
According to the Cyfirma report, India faces an urgent need for cybersecurity talents and resources who can help fend off cyberattacks. The tertiary institutions have not included cybersecurity training, awareness, and education as part of their curriculum, and this could exacerbate the ongoing talent crunch problem, it says.
Krutrim chatbot fails to impress
Krutrim, an AI-powered chatbot developed by Ola CEO Bhavish Aggarwal's startup, rolled out its beta version last week and is now available to everyone. Unfortunately, the initial response to the chatbot is nothing to write home about. Many of the posts on social media spoke of hallucinations and the chatbot getting confused between Indian languages. As Analytics India Magazine (AIM) says, a lot of its problems are due to the limited datasets of these low-resource languages it was trained on.
Meanwhile, AI was the buzzword at the Barcelona Mobile World Congress 2024 which concluded last week. What piqued our interest was a phone unveiled by Deutsche Telekom. This gadget will have an AI-powered assistant that will replace all the apps. Just tell it what you want through voice or text, and it will do it for you. Using AI, it takes over the functions of a wide range of apps and does it. No need to tap the screen several times.
Innovative Indian drug gets US nod
In a notable milestone for the country, an Indian drug company's innovative drug has received clearance from US authorities. Chennai-based Orchid Pharma announced that its new drug, Enmetazobactam, has been approved by the United States Food and Drug Administration (USFDA) and European authorities for sale. First discovered in 2008, it has taken 16 years for approval. The company says it addresses the global need for affordable drugs to combat Anti-microbial Resistance (AMR).
Satellite kits that are ready for launch
With satellite launches becoming popular, a non-profit organisation in the US has launched a ready-made kit to assemble CubeSats. KSF's kit provides a flexible and cost-effective solution for launching small satellites into orbit, reports SatNews. The kit includes four PCB boards plus ample room for extra payloads, allowing for the customisation of a satellite to meet specific needs. The report says it can be used to conduct experiments, test technologies, or capture pictures of Earth. One wonders if this could be a blueprint for an Indian startup, given the rising interest in space tech here.
Honey, I tricked the market
Another blow for the work-from-home camp. Meet Tyler Loudon of Houston, Texas who tried to cash in on his wife’s WFH setup. He eavesdrops on her calls, scores insider info, and makes a fortune in stocks– 1.8 million dollars, to be exact. But his victory lap didn’t last long.When his wifey got wind of his scheme, she left him. On top of that he is now facing criminal charges for insider trading.
