VIJAYAWADA, Andhra Pradesh — A swarm of red and yellow dots, displaying each one of over 30,000 daily cyberthreats, animates a live heat map projected on a wall-sized display in a nondescript government building that houses the Andhra Pradesh Security Operations Centre (APCSOC).
Nearly a third of these attacks, those monitoring the display say, come from servers and computers based in India, but the second most significant source is China, a nation that has invested heavily in its cyberwarfare capabilities in recent years.
As state and central government departments across the country rush to digitise, consolidate and merge the vast stores of citizen data collected over decades, bureaucrats are finally waking up to the security implications of centralising and networking this sensitive, often personal, information.
Nowhere is this more evident than in AP, a state that sits on one of the most extensive collections of citizen data in India. At last count, AP had digitised the personal records of nearly 44 million residents (33 million of whom had been inter-linked and seeded with Aadhaar numbers) as part of the extensive Praja Sadhikara Survey that harvested the personal information of the state's residents.
APCSOC became operational only in April this year — years after AP began amassing its stockpile of data — and its role is to oversee the security of this enormous collection of data.
"It is not going to be an easy task," said V Premchand, Managing Director of Andhra Pradesh Technology Services, which oversees the whole security setup. "Until now, the concept of cyber security wasn't something that the government departments had to think about, but it is now dawning."
Inside the APCSOC
The APCSOC office is on the third floor of a plain-looking boxy building in the busy neighborhood of Labbipet, in Vijayawada. The new AP secretariat, no longer housed in Hyderabad, sits about half an hour from Vijayawada on the way to nearby Amaravati, the upcoming capital of Andhra Pradesh.
The reception was empty when I visited, but to get past the small room, visitors must scan their fingerprints into a wall-mounted scanner. Inside, the security centre is a large room with dark walls and bright neon lights. A row of desks faces a wall of screens displaying the different types of threats (termed security events), the threat heat map, details of each security event, and an inbox of requests — called tickets — raised by different departments.
"Each time a ticket is raised, one person will first check it here," one of the team members explained, pointing to the wall, "and then a second person has to clear the ticket, by testing the issue and finding a solution, and it's all being tracked live on the wall so anyone can see."
A lot of the attacks, the engineer said, are botnets: computers infected with a virus that allows them to be used to attack others when online, without the person using the computer being aware of what's going on.
"Most of it is not very serious," the engineer said. "But we have to remain cautious because if there is a targeted activity we will be the first to see what's coming."
A leaky wall
APCSOC is a high-tech line of defence meant to protect AP's infrastructure from being hacked, and the state has not had any publicly disclosed attacks thus far.
It has, however, had a persistent problem with leaks of citizens' personal data. Given that most of the data is inter-linked, this has resulted in rather spectacular breaches of privacy. In April, HuffPost reported how one public website allowed users to search and geo-locate homes on the basis of caste and religion, and then in June we found that another website broadcast the names, phone numbers and medical purchases — like generic Viagra and HIV medication — of anyone who buys medicines from the state's Anna Sanjivni stores.
"It's the data sharing that's the problem," said Srinivas Kodali, an independent security researcher who has been reporting data leaks from AP for years now. "As long as it is being shared with so many people and services and companies, without knowing who has what data, it will always be an issue. They can't protect it until they encrypt it and stop sharing data."
Kodali is one of many security experts questioning the wisdom of gathering and consolidating so much citizen data in one place.
"Everyone has been saying for a long time that the state needs to minimise data collection," Kodali added. "Sadly AP already did it, now they are facing all the problems."
Premchand, from AP Technology Services, said the state's networks ran on many different platforms, which made it hard to secure the system as a whole.
"There are a lot of different departments, and their systems were developed at different points of time. There are some which may even be running on Cobol or Basic," Premchand said. "Now, for those departments the thinking is obviously, if this thing is working and it's not my core function, shouldn't I try and improve the core function as much as possible first? It's understandable but now things are starting to change."
As of now, he added, the state is using a variety of products from a number of vendors.
"There is no cohesive single network for us to secure," he explained. "Some are on-premises, some are using Azure or AWS, there is a lot to be done, and we are steadily working towards it. If we were to wait until we were 100 percent ready, nothing would be done in the meantime, so we are building up momentum."
The Human Factor
There is a dearth of qualified people who are interested in working in Vijayawada on a government project. When the APTS advertised for positions, and even said that salaries were negotiable — which is not the norm for government — it got zero responses. The department even tried advertising through LinkedIn, with limited success.
The other problem is that most people simply don't understand cybersecurity.
"You have to understand that not every department has the same training when it comes to security, and a lot of the work we have to do is just basic hygiene," he added. "If you could get everyone to just install the patches that Microsoft sends for Windows, that would instantly make a big impact. But can you ensure that everyone in every department will stop whatever he's doing whenever that message from Microsoft comes?"
To that end, APTS has been instituting standard operating procedures department by department, covering everything from the USB policy to how offices should deploy Wi-Fi to, yes, security patches, apart from doing code reviews and making sure that live apps are working at industry standards.
Subhashis Banerjee, Professor, Department of Computer Science and Engineering, IIT Delhi, agreed that the issue is one of culture rather than security.
"This is not hacking, it is an awareness problem. On the plus side, that is easy to plug. But it's serious because it looks like people aren't seeing the weight of the issue."
"Data leaks are an inevitable result of digitisation - but digitisation is also becoming inevitable for governance. The problem is that all of this is happening too fast, before the culture can change," he added.
Other state governments are slowly realising that their data is under threat. Telangana announced work on its own SOC last year, while Kerala is the third state to start its own SOC, which it announced this week.
Each of these is a multi-crore project, which is meant to protect state IT infrastructure from hackers, though, as with AP, the question of protecting citizens' private data from leakages remains. However, even the issue of protection from hacking is reaching critical levels.
As per a report of the Indian Computer Emergency Response Team (CERT-In), 22,207 Indian websites, including 114 government portals, were hacked between April 2017 and January 2018. The National Informatics Centre (NIC) also reported that 74 and government websites hosted on NICNET were hacked in 2017, and six more by February 2018.
Symantec's Internet Security Threat Report for 2017 also stated that India continues to be the second most impacted by spam and bots, third most impacted by network attacks, and fourth most impacted by ransomware.
Each state will likely go through AP's painful evolution of leaks and mistakes before arriving at a solution.
"The Government of AP realised the importance of this," said Premchand. "But when you actually start working on it, that's when you see the scope of the problem."