Just weeks after a hacker crew called The Shadow Brokers leaked the National Security Agency’s hacking tools along with a host of zero-day exploits, a global attack has been unleashed using WannaCry, a ransomware that exploits a vulnerability disclosed in the NSA leak.
India is one of the countries most affected by the ransomware attack. While the entire nation is scrounging for ways to patch software and systems to defend against the WannaCry worm, let’s introspect on what we have lost sight of in our rush for digitisation.
The question is, have we underestimated the complexity of developing a digital India? Are we prepared for the challenges that digital interconnectedness brings about?
Amorphous landscape
The threat landscape today is in a very fluid state due to several factors — the influx of millions of Internet of Things (IoT) devices, which is allowing interconnectedness and digitisation at the minuscule level, the emergence of a mobile-first market in India, and the movement of data from desktops to the cloud.
To add to this, more than 80-90 per cent of the software running on these devices is either open source or supplied by foreign sources.
This opens up a huge attack surface, one that is difficult to contain, even with incessant patching.
After analysing several thousand malware and Trojans at Amrita University’s Centre for Cybersecurity Systems and Networks, we have discovered that many of the commonly used systems and software in India come pre-installed with malware, including backdoors.
These exist even at the firmware level, which makes them difficult to audit. In fact, hardware backdoors are very common in low-cost devices made in China and Taiwan. The communication between IoT devices is often in the clear, which makes data tampering and man-in-the-middle attacks easier.
Loose on security
While many industry control systems use formal verification techniques to verify the correctness of their application, their security properties are seldom assessed. An analysis of several commonly used financial applications reveals several trivial vulnerabilities that allow third parties to sniff out sensitive user information, thus empowering them to launch a man-in-the-middle attack later. Two-factor authentication has also been demonstrated to fail to secure user accounts.
Even official app markets such as Google Play host malicious content, and devices purchased from untrusted vendors and resellers may already be infected with malware.
What this proves is that it is not just desktop systems or mobile phones that can be attacked. A pacemaker donned by a patient, the flight plan of an aircraft or the power grid of an entire nation can be remotely manoeuvred to launch an attack.
There are criminal groups that employ several reconnaissance techniques to target industry and government tycoons, big corporations and the common man alike. Integrating 1.3 billion Indians into Digital India is in fact exposing every citizen to an attack.
What everyone must know is that there is a huge underground criminal market that is actively operating to weaponise systems and devices, and each one of us is a target. Software and systems cannot be implicitly trusted — their trustworthiness has to be proven.
Self-reliance at the grassroots is the way to go, if we don’t ‘WannaCry’.
Towards self-reliance
There are three challenges that need to be addressed for a self-reliant and secure Digital India. First, we must become self-reliant in developing indigenous, world-class software and systems which must be adequately validated and hardened through secure development techniques.
Second, we must evolve three determiners for digital security: how we ensure software authenticity and integrity, how we assess risk in an increasingly interconnected network, and how we disseminate software updates.
Third, we must launch initiatives for cyber literacy, safety and law enforcement policies to educate and integrate the common man into Digital India.
All said and done, humans are the weakest link in the cyber security chain. The majority of cyber attacks rely on tricking the user into performing an action on behalf of a criminal. In almost all breaches, a user was compromised through spam messages or phishing emails.
At the same time, the lack of secure operating practices by system administrators and device operators can jeopardise the entire infrastructure of an organisation. Enterprises need to make prudent investments in order to secure their infrastructure.
The Government must scale up its initiatives to educate the common man on the perils of going digital. Security education must be introduced in schools at an early age so that the youth can make educated decisions.
We need to expand the efforts of Cyber Incident Response Centres, which aid in public dissemination of such information and offer helpline services to people.
A provision for people to report offenders or suspected offenders, along with strong e-policing, can prevent such malicious software from infiltrating the grassroots.
The writer is the director of the Centre for Cybersecurity Systems and Networks, Amrita University