Lessons from critical cyber security incidents

By Dr. Muktesh Chander, IPS (Retd.), Ex. DGP Goa, Ex. Special Commissioner Delhi Police, Ex Centre Director National Critical Information Infrastructure Centre, Chevening Cyber Security Fellow, UK 

Ransomware infection in AIIMS server as well as its backup server is a serious matter and for many days, the systems could not be restored seriously affecting the digital patient care services of the hospital. At this preliminary stage it is not possible to say who is behind the cyber-attack on AIIMS servers. Since it is an act of introduction of computer contaminant leading to harm to persons, a criminal case of cyber terrorism under section 66F of Information Technology Act and other sections of IPC has been registered by police.

In a ransomware attack, the attacker encrypts the files in a computer and demands a ransom in the form of crypto currency, to provide key to decrypt the locked files. Such attacks on computers have been happening all over the world and this is one of the most serious threats the cyber world is facing today. In 2017, National Health Services of UK, were crippled for almost 15 days by “WannaCry” ransomware attack. In the same year global shipping giant Maersk faced similar attack in which more than 45000 of its computers and 4000 servers were infected worldwide crippling the entire operation of the company. The company suffered a loss of about $300 million. Some of their computers in JLNPT in India were also infected.

It was never a question that ransomware attack, on important Indian IT systems, would happen or not. The real question was when and where. In the year 2021, Indian Computer Emergency Response Team (CERT-In) handled 1402809 cyber incidents of various kinds, registering a rise of over 21% from the previous year. India reported 52,974 cases of cybercrime in 2021 with an increase of over 5 per cent from previous year. Ransomware cases were also reported but on a low scale. The inevitable was bound to happen sooner or later. During the second wave of Covid 19 spread, we had already seen several countries facing serious crisis before the wave hit India. Taking lessons from the happenings around the world, we had prepared ourselves very well to handle the second wave.

Did we learn similar lessons by the global ransomware incidents in the last few years? AIIMS incident has revealed that much more needs to be done before we can answer this question in affirmative. The National Cyber Security Policy was released in 2013. A lot has changed in the cyber world in these 9 years and it is time for us to move on from policy to strategy. A well-defined and articulated cyber security strategy for next 5 years, with provisions for sufficient financial commitment to achieve quantifiable and tangible outputs and goals, is the need of the hour. The strategy must have components related to defending our cyber space, deterring the cyber adversary and developing cyber security products for our use as well as export. In recent past several measures such as creation of Computer Emergency Response Team, National Critical Information Infrastructure Protection Centre, Indian Cyber Crime Coordination Centre, National Cyber Security Coordinator etc. have strengthened the cyber security framework of India.

As a result, from a rank of 43rd position in 2017, in Global Cyber Security Index prepared by ITU, India has gained a very respectful 10th position in 2020. But let us not forget “Stuxnet”, the first cyber weapon deployed against critical infrastructure of a nation, first cyber war of sort faced by Estonia and the parallel cyber war going on between Russia and Ukraine since the war started between them. After land, sea, air and space, cyber has emerged as fifth domain of warfare and our cyber defence must be ready to face any challenge on this front too. The conventional model of deterrence, which emerged during cold war and has continued in the nuclear era, is taking shape in cyberspace also. The concept of cyber deterrence depends the strategy of incorporating both the ability to retaliate and the will to retaliate against the cyber adversary.

The much-awaited Digital Personal Data Security Bill is likely to be passed in the budget session of the Parliament next year, with the provision of financial penalties up to Rs.500 crores in case of breach of personal digital data. The companies and organisations dealing with such data will have to take serious measures to strength their cyber security posture. Every organisation, dependent on ICT systems, must now take cyber security as a board level activity to show the top management’s commitment towards it and provide sufficient resources and budgetary support for cyber security function. They must have a chief information security officer or a data protection officer, if dealing with digital personal data. It is now well known that technology alone cannot fight the cyber challenges and the man behind the machine is equally important. Therefore, in order to create an organisation-wide culture of cyber safety, training and awareness in cyber hygiene in the entire organisation is important. The organisations must also be ready to brace a cyber security disaster by following risk management approach. For this a proper incident response and business continuity plan will be required to minimise losses and damage and also to make the organisation resilient.

Every cyber security breach incident has lessons to be learnt. International ATM Heist, involving a loss of $45 million happened with banks of UAE and Oman in 2012 followed by Japan ATM heist in 2016. There was enough time to learn from these incidents and strengthen cyber security in banks, but unfortunately in 2018 a similar crime took place with Cosmos Bank in Pune, involving Rs. 94 crores. We need to follow a more proactive approach in cyber security.

The critical information infrastructure, both in private and government sectors such as those in energy, transportation, banking & finance telecommunication, defence, space, law enforcement, security & intelligence, public health etc., must have robust cyber security plan, since any incapacitation in them would cause a debilitating impact on national security, governance, economy of our country. At the launch of Digital India Week in 2015 our honourable Prime Minister Shri Narendra Modi had dreamed of a Digital India, where cyber security becomes an integral part of our national security. Every individual, organisation, company and government machinery in India must work continuously to realise this dream.

Dr Muktesh Chandere-Governance ServicesIPSransomware
Comments (0)
Add Comment