THE BLOG

The Collective Incompetence Of India's Cybersecurity Leadership

01/08/2016 2:46 PM IST | Updated 02/08/2016 12:56 PM IST
NEW! HIGHLIGHT AND SHARE
Highlight text to share via Facebook and Twitter
Getty Images/iStockphoto

Just around a year ago, a cybersecurity vendor disclosed the presence of an implant -- a benign term for a backdoor installed by the National Security Agency (NSA) -- on specific models of routers manufactured by the American networking behemoth Cisco. The crafty handiwork altered the operation system of the devices in a way that made it almost impossible to detect its presence. The reckless tinkerers at the NSA had to merely utter the magic words – i.e. send a specially crafted network packet -- and Sesame opened its doors for them.

The news came at an interesting confluence of perspectives on the fading autonomy of cyberspace.

For a connected nation, it had now become an existential threat. For a dominant adversary, a battlefield that excited the unchecked violence of information warfare. For spy agencies, a theatre of deception so ripe that they would rather own all of it. The story of globalization was also being upturned as technology companies became the instruments of this online accession.

A crisis of sorts gripped the cybersecurity industry, as affiliations with parent governments became obvious. It turned out that this extremely lucrative sector had done something completely opposite to what it was meant to -- it had made the world an even more volatile place and the societies less sovereign.

Shadowserver Foundation performed a global scan of the internet and found roughly 200 of the infected public-facing nodes... The second highest tally was from India.

The NSA revelled in simplicity. It knew that the farther its listening post from the target, the less noisy and more persistent it would be. Commercial security products limited their focus to the software boundaries of the enterprise -- a flawed approach that has failed to deter motivated actors. When passive surveillance of the key internet links didn't help, the NSA carefully crawled closer to the next attack surface. Routers are a perfect sweet spot, not really falling under the security purview of the enterprise, but still facilitating access to it. It's literally no man's land of cyberspace. And the companies that manufacture the equipment are infamous for their pathetic security posture – and this ineptitude could be deliberate.

So, the disclosure I mentioned earlier generated considerable curiosity. Finally, someone proved the hypothesis of hacked routers. Yet there was something amiss. FireEye is a revolutionary product in the advanced cyber-threat detection space. Much to its credit, it found the implanted devices. Only a tiny fraction of routers from Cisco's expansive portfolio was affected. An American company finding an NSA backdoor in American equipment is like, to borrow the words of spymaster James Jesus Angleton, stepping into a wilderness of mirrors. Both these firms know very well the games governments play. It was probably something that they could give away -- a coordinated exposé to prove their reputations in a global market marred by geopolitics. In any case, it was nothing but a puny little weapon in the NSA's armoury. Ironically, this wouldn't have happened in the first place if Snowden hadn't spilled the beans.

The volunteer body Shadowserver Foundation performed a global scan of the internet then, and found roughly 200 of the infected public-facing nodes. A number so insignificant that it would have been ignored if the vulnerability hadn't been so high profile. The second highest tally was from India. It garnered national media attention.

Between the excess of talk and the absence of action of India's Cybersecurity leaders, lies the periled future of a nation that proudly blows the bugle of "Digital India".

Shadowserver regularly emails lists of their periodic scans to the Indian Computer Emergency Response Team (ICERT). A year down the line, the count -- appallingly -- remains the same and herein lies our institutional incompetence.

My hacking experiment

So peeved was I by the lack of mitigation that I took it upon myself to probe the national cyberspace. The process to look for no more than a dozen hosts in a giant pool of three crore (30 million) was painful to say the least. As far as hackers go, I'm too old for this but the work was so engrossing that I managed to ruin an entire weekend for my wife.

But there they were -- blipping on the monitor one-by-one. A majority of them operated by service providers owned by the government, possibly routing for the networks of vital organizations. Someone was accessing them in an unauthorized manner.

Here's how the response of Indian cybersecurity agencies should have panned out: This was one rare instance of a complex backdoor of a very competent actor, howsoever dated. All the equipment from the network should have been immediately confiscated and analysed. Each and every incursion of the attacker should have been re-enacted. The mounds of intelligence generated would have allowed the investigators to look for deviations in other communication systems.

I would have spared myself the anguish had I not witnessed first-hand the dereliction by competent authorities. The majority of the cyber-espionage cases we had profiled at the National Technical Research Organisation (NTRO) have still not been neutralized. The theft of sensitive information is happening right under our noses. More than that, the impact of numerous product backdoors and state-sponsored attacks coming to light in recent years haven't even been locally accounted for. Once the vulnerability is known, it's only a matter of time others exploit it. So it's criminal to leave it unaddressed.

The pallor of a nation haemorrhaged from within has inspired me and a few likeminded individuals to look for solutions covering the broader scope of digital homeland security.

The less said of the bureaucratic morass of stakeholders like ICERT, NTRO, National Critical Information Infrastructure Protection Centre and Nasscom, the better. You often see our national cybersecurity leaders in conferences -- sponsored by the same complicit foreign vendors -- hobnobbing with the corporates and waxing eloquent about the emerging threats and challenges. Between the excess of talk and the absence of action of these people, lies the periled future of a nation that proudly blows the bugle of "Digital India".

Indian Wedding Shot Using Only An iPhone

More On This Topic