While addressing a hall full of information security geeks and researchers, many who wear their irreverence on their loose-hanging tees and split jeans, the director of Indian computer emergency response team (CERT-In) Sanjay Bahl could have been mistaken for sounding quaint. He implored the gathering of around 500 people who attended his keynote address at the annual information security conference Nullcon early last month to come forward and work with the government. “Do it for your motherland,” he told the researchers, many of who were white hat hackers and had participated in various generously-paying bug bounty programmes.
India has the largest pool of white hat hackers in the world and is home to a closely knit information security community with hackers and researchers working closely and organising meet-ups to exchange notes. What the community, however, has not been able to achieve is to create enough awareness about the perils of information security attacks among the common public or to get attention from authorities in power.
But in the last weeks, they have a new actor in the ecosystem. French security white-hat hacker who goes by the alias Elliot Alderson and the Twitter handle fs0c131y has created enough of a scare not limited to his nearly 43,000 followers. The hacker has been flagging vulnerabilities in platforms such as UIDAI, short for Unique Identification Authority of India, companies such as Bharat Sanchar Nigam Ltd, Bharti Airtel, Apollo Hospitals, among others, and even Prime Minister Narendra Modi’s app. One outcome has been heightened public focus on information security issues.
In an interview with FactorDaily, Bahl says that while incidents like these do create awareness in what is an oft-neglected area, the approach of posting vulnerabilities on social media and using public pressure to get them resolved is not a sustainable one.
In multiple conversations, in person, over phone and through email, Bahl, an IIT Delhi alumnus who previously served as the chief security officer at Tata Consultancy Services and Microsoft India in his three-decade-long career, says that Indian researchers must work with government bodies like CERT-In and that his institution has various programmes and protocols in place to get security vulnerabilities and incidents resolved. Edited excerpts:
In your talk at Nullcon, you implored security researchers to work with CERT-In. How many bugs or incidents are reported at CERT-In every year and what percentage of these are reported by security researchers?
There is a mandate that requires organisations and enterprises to report every incident at CERT-In. We help a lot of these organisations to successfully deal with these incidents and minimize the impact. But there is a large disconnect between the Indian security researcher community and organisations like CERT-In.
In 2017, around 53,000 incidents have been reported at CERT-In and out of these, less than 1% incidents have been reported by security researchers. The rest were reported by individual companies who had been affected. India has a large pool of security talent and we need to bridge this gap. I partly take that blame that probably CERT has not reached out to researchers earlier, though we did give out large newspaper ads last year. But we are now reaching out. We have extended our hand we hope they (the security researchers) will also extend their hand back.
Many of these researchers and white hat hackers have been a part of the large bug bounty programmes. What sort of incentive does CERT-In or other such bodies plan to have for these researchers?
Bug bounty is a whole different thing. If you are doing it willingly with a spirit to work for your motherland, you should not think of bounties. If you extend this correctly and if you are thinking of protecting and safeguarding the motherland, bug bounty and that spirit does not go together.
If you say this is a bloodless war and security guys are cyber security soldiers, then as defence personnel, you can’t say I need money to safeguard the country. If the country does not exist, what are you going to safeguard! If you are keen to do this, come forward. If you are looking at bug bounty, you are looking at an economic mechanism which does not always work. It does not guarantee what you are saying is correct or not, whether you are a trusted person to be provided with sensitive information, or whether what you are saying is correct or if you are hiding a certain part of it. I don’t think the factor of trust is coming in if you are only doing it for money.
But wouldn’t most researchers opt for bug bounty programmes some of which are in the thousands of dollars?
The western bug bounty programme folks are getting cheap labour in India. They throw peanuts and people are happy. About 60% bugs in large global products are found by Indians. Also finding bugs in products like Facebook and a platform like UIDAI require very different skill sets.
What kind of initiatives is CERT-In taking to invite more researchers and create awareness about information security in Indian companies?
CERT-In conducts regular training programmes for network administrators and Chief Information Security Officers (CISOs) of the government and critical sector organisations. Twenty-two training programs covering 610 participants were conducted in 2017 as compared to 14 training programs covering 431 participants during 2016. We also carried out a training program specifically only for women security professionals in 2016 as well as in 2017. In addition, CERT-In issues alerts and advisories regarding latest cyber threats and countermeasures on regular basis. We issued 19 security alerts, 66 advisories and 191 Vulnerability Notes during the year 2017. There are also regular workshops that are conducted for critical organisations to sensitise them about the cyber security threat landscape; 14 such workshops were conducted in 2017.
For researchers, we have a protocol in place to report vulnerabilities confidentially. In case researchers report vulnerabilities to concerned entities directly, they are advised to send a copy of the same to CERT-In for necessary action. We also invite experts to conduct cyber security training programs for network administrators and CISO.
What are the top challenges at CERT-in and how is the organisation handling them?
Some of the top challenges include ensuring that organisations remain resilient… We have put in place a cyber crisis management plan to solve that. We are working on setting up of the National Cyber Coordination Centre and an automated threat information sharing platform to solve this to some extent. There is also a challenge of continuing to build trust of citizens in the secure usage of ICT and the internet. CERT-In has in place a Cyber Swachhta Kendra, that conducts training and awareness programs and empanelment of technical IT security auditors.
Some say there is a wave of hacktivism in India that has come about in the last one month with the French security researcher who goes by the alias Elliot Alderson discovering bugs in various Indian platforms and applications, including Aadhaar, BSNL, Apollo Hospitals, the Narendra Modi app, among others. Do you see this as a positive development in the realm of Indian cyber security?
If someone is reporting a bug, there is a formal mechanism of reporting to CERT. Not a single person in the last one month has reported any incident to CERT, including your French guy.
We also find things on Aadhaar and tell the Aadhaar guys, but we don’t necessarily announce it.
I think a lot of people just do it for the sake of getting fame and I don’t think that’s the right way of doing things when there is already a process and mechanism.
But there’s a strong argument that he’s getting fixed bugs that were reported as early as two years ago fixed. Like the BSNL vulnerability that was reported by an Indian researcher two years ago, but BSNL never paid attention to it until the French hacker created noise about it.
In that case, I am happy that awareness is increasing. But you have to understand that though this (publicly disclosing vulnerabilities) might look like a faster approach, is it sustainable?These are not scalable approaches and they are not long-term either.
On our own, we are doing a lot of stuff that we don’t go publicizing about. If he (Elliot) has done five things, I have done 25 things. Do I sit down and start talking about it?