India's cybersecurity chief Lt Gen (Dr) Rajesh Pant highlights the country’s biggest security challenges, including the difficulty of knowing who to blame.

For the first time in 73 years of independence, cybersecurity found a mention in the Prime Minister’s Independence Day speech on 15 August. PM Modi announced that India will introduce a National Cyber Security Strategy (NCSS 2020) soon after cabinet approval.

The strategy is needed to counter some real threats: In recent months, amid geopolitical tensions and concerns about COVID-19, hackers have attacked users of government email systems and of the AarogyaSetu mobile health app, according to advisories from CERT-IN.

In a recent roundtable discussion, India’s National Cyber Security Coordinator, Lt Gen (Dr) Rajesh Pant, discussed the country’s current state of cyber resilience and the biggest cybersecurity challenges it faces.

India’s top 4 cybersecurity challenges

While the sudden shift in the way India does business has exposed several fault lines and weak links in the existing cyberspace, the general zeroed in on four critical factors afflicting the country’s security posture.

1. A lack of cyberattack attribution; international legal system offers little help

Lt Gen Pant brought to light the inability to attribute cyberattacks. Simply put, cyber attribution is the process that helps security analysts backtrack a cyberattack to its origin and identify its perpetrators based on cyber forensics and the evidence at hand. The cyber chief minced no words when he called out the ineffectiveness of the international legal system.

He emphasized that in order to attribute cyberattacks, India needs international collaboration.

The Mutual Legal Assistance Treaty, or MLAT as it’s commonly known, is an agreement between countries to exchange information to help bring offenders to justice.

2. UPI in the crosshairs

Pointing to the massive surge in internet traffic, Lt Gen Pant revealed that the National Informatics Centre (NIC) earlier handled around 2 crore emails a day. That number now stands at 7 crore emails per day – a 71 percent spike in a span of just six months. Online financial transactions saw a steep rise as well – March alone witnessed 50,000 new Unified Payments Interface (UPI) handles being created.

The point on misuse of UPI IDs was also brought up by Anyesh Roy, Deputy Commissioner of Police at the Cyber Crime Department, at an India Infrastructure roundtable: “In 2018, the facility of demanding money in payment apps was introduced. This has led to an increase in fraudulent activities.”

3. Attacks on critical infrastructure: why the current definition doesn’t hold good

What defines critical infrastructure and the sectors it comprises varies across countries. The Netherlands, for instance, classifies the Heineken factory as critical infrastructure. In India, the National Critical Information Infrastructure Protection Centre (NCIIPC) identified six critical sectors: Power & Energy, BFSI, Telecom, Transport, Government, and Strategic & Public Enterprises. However, given the current situation, Pant believes that the identification of critical sectors needs to be looked at all over again. “The pandemic has shown us that with everything going online, the question now arises: What can you consider non-critical?”

4. The manpower crunch

“In order to meet the requirements posed by the pandemic, I need every sector to have a Security Operations Center (SOC), but where is the manpower?” said Pant.
He added that the pandemic has compelled the government and enterprises to look at new types of security incident and event management structures as well as security orchestration and automation response structures.

The challenge around manning SOCs with skilled resources was also addressed by Gen Manjeet Singh, Joint Secretary of the National Security Council, at the India Infrastructure roundtable. Sharing his vision, Gen Singh added: “We need to become aatmanirbhar in cybersecurity as well.”

Why India needs a new type of cybersecurity architecture

Lt Gen Pant said that with a large fraction of people working out of their homes, enterprises face a lot of unknowns – including their identity, endpoint equipment, home network, VPN aggregator, cloud services, and the antivirus installed on their mobile devices. “With the entire system becoming distributed, there is a need for a new type of cybersecurity architecture,” he said.

The cyber chief opined that technology and user behaviour are both equally important. Elaborating on this, he explained that the traditional 7-layer Open Systems Interconnection (OSI) model – a communication framework comprising physical, data link, network, transport, session, presentation, and application layers – needs to factor in an 8th layer: the user.

Raising cybersecurity awareness

Underlining the importance of public messaging, Lt Gen Pant recounted how the country’s public broadcasters played a vital role in eradicating polio by promoting the pulse polio programme in between every TV show. He believes a massive campaign of the same scale on cybersecurity awareness could make a big difference.