Dream Digital India? Let's secure our banking from cyberattacks first

A few weeks ago, all India could talk about was demonetisation, until hacker group Legion stole PM Modi’s thunder by hacking the email and twitter accounts of Rahul Gandhi, Vijay Mallya and Barkha Dutt. Then the Legion warned us that India’s banking system could be easily hacked (while adding it wouldn’t do it), sending the Indian government scurrying to rope in white hat hackers to up its cybersecurity.

The Legion attacks, and its claims about our banking vulnerabilities, raise critical concerns about how prepared India is for cyberattacks, especially if we are to move towards digitisation. Let’s delve into that and also see how we can make our banking system resilient.

The threat landscape

In 2015 alone, the Indian Computer Emergency Response Team (ICERT) reported over 49,000 cyber incidents, including web intrusion, malware propagation, phishing, distributed denial of service (DDOS) attacks, web defacement etc.
This number barely indicates the actual threat level, as companies and individuals are often negligent about security and reluctant to report cyberattacks. Individually, such attacks can’t cause massive damage to the banking system. But, a coordinated approach with multiple attack tactics, which involve breaching and infecting systems with malware for information theft, poses a real threat.

In early 2016, Symantec discovered a cyber espionage group, Suckfly, which for two years had targeted the technology vendor of the NSE, two government organizations, a top IT firm and a leading e-commerce company, among others. The attacks were highly coordinated and clearly aimed at stealing information.
The fact is that financially motivated hacking companies such as Suckfly and state actors such as China pose a larger cyber threat to our banking system than hacktivist groups like the Legion.
The robustness of our banking infrastructure security entirely depends on each of the participants’ preparedness and the systems they have in place.

Loopholes in the security net

The negligent attitude of businesses towards cybersecurity poses a major threat to the banking system. In the cashless economy and digitisation scramble, many companies are enabling digital transactions without proper security measures in place. They’re also reluctant to report cyberattacks, not only in the interest of brand equity, but also because our cybercrime policing measures are not really efficient.

Also, security measures and cyberattack resiliency vary across banks. Larger, well-funded banks are usually connected for real-time monitoring of cyber threats while smaller ones may not have the resources to maintain such systems.
The other weak link is us, the users. Most of us are not aware of the level of threats we face, and so we don’t take adequate measures. The increasing usage of mobile phones for digital transactions poses a major threat. With Google’s relaxed oversight on games and applications, mobiles provide an excellent environment for malware and botnet infections to proliferate. According to ICERT, over four million computer and mobiles were infected with botnet malware by June 2013.

The government’s response

In order to strengthen the country’s cybersecurity, the Indian government in 2013 launched the National Cyber Security Policy with an aim to obtain strategic information on threats to critical information infrastructure (CII) and to enhance its protection and resilience. Since then, there’s been an increase in cybercrime reporting and related arrests.
In June 2016, the RBI issued the Cyber Security Framework for Banks, mandating them to take a proactive approach to strengthen their cybersecurity protocols. According to the framework, it is banks’ responsibility to take an ad-hoc approach to secure their systems, and have a cyber crisis management plan in place.

India also has multiple security departments to deal with cyber security issues. The ICERT acts as the immediate reaction team that coordinates response activities including defense, data collection, analysis and dissemination of information on cyber incidents. The Digital Swachhata Kendra (DSK) is focused on tackling the proliferated botnet and malware problem. The National Critical Information Infrastructure Protection Centre is focused on strengthening the CII through risk management and ensuring stakeholders’ compliance with guidelines and policies.

Policy implementation lag

The resilience of our banking infrastructure against cyberattacks depends on the state of preparedness of not one but all stakeholders.
While the government has a decent cyber security architecture in place, it has failed to implement it sufficiently. The recent Hitachi ATM hacks that compromised over three million debit cards in India, and the Kerala government site breach mark the lag between policymaking and implementation.

The government needs to adopt additional measures to ensure a robust cybersecurity infrastructure. Firstly, it should enforce strict cyber security guidelines for public banks and hold them accountable for the same, setting an example for other banking stakeholders. It can also offer incentives to both public and private organisations for reporting cyberattacks, along with an assurance of confidentiality.
It must also stay on top of new threats and attack methods, and strengthen its real-time sharing of cyberattacks intelligence, coordination of defence and response protocols. Lastly, it should increase awareness among consumers.
There is no way we can become a digital India anchored in a cashless economy until we safeguard our banking system from cyberattacks.