How to prevent a digital armageddon

Krishnashree Achuthan | Updated on January 11, 2018 Published on May 21, 2017

The netherworld of cyberspace It’s scary out there   -  Benoit Daoust/shutterstock.com

There’s a huge underground criminal market actively operating to subvert and weaponise computer systems

Just weeks after a hacker crew called The Shadow Brokers leaked National Security Agency’s hacking tools along with a host of zero-day exploits, a global attack has been unleashed using WannaCry, a ransomware that exploits a vulnerability disclosed from the NSA leak.

India is one of the countries most affected by the ransomware attack. While the entire nation is scourging for ways to patch software and systems to defend against the WannaCry worm, let’s introspect on what we have lost sight of in our rush for digitisation.

The question is, have we underestimated the complexity of developing a digital India? Are we prepared for the challenges that digital interconnectedness brings about?

Amorphous landscape

The threat landscape today is in a very fluid state due to several factors — the influx of millions of Internet of Things (IoT) devices which is allowing interconnectedness and digitisation at the miniscule level, the emergence of a mobile-first market in India, and the movement of data from desktops to the cloud.

To add to this, more than 80-90 per cent of the software running on these devices is either open source or supplied by foreign sources.

This opens up a huge attack surface, one that is difficult to contain, even with incessant patching.

After analysing several thousand malware and Trojans at Amrita University’s Centre for Cybersecurity Systems and Networks, we have discovered that many of the commonly used systems and software in India come pre-installed with malware, including backdoors.

These exist even at the firmware level, which makes them difficult to audit. In fact, hardware backdoors are very common in low-cost devices made in China and Taiwan. The communication between IoT devices is often in the clear which makes data tampering and man-in-the-middle attacks easier.

Loose on security

While many industry control systems use formal verification techniques to verify the correctness of their application, their security properties are seldom assessed. An analysis of several financial commonly used financial applications reveal several trivial vulnerabilities that allow third parties to sniff out sensitive user information, thus empowering them to launch a man-in-the-middle attack later. Two-factor authentication has also been demonstrated to fail to secure user accounts.

Even official app markets such as Google Play host malicious content, and devices purchased from untrusted vendors and resellers may already be infected with malware.

What this proves is that it is not just desktop systems or mobile phones that can be attacked. A pacemaker donned by a patient, the flight plan of an aircraft or the power grid of an entire nation can be remotely manoeuvred to launch an attack.

There are criminal groups that employ several reconnaissance techniques to target industry and government tycoons, big corporations and common man alike. Integrating 1.3 billion Indians into Digital India is in fact exposing every citizen to an attack.

What everyone must know is that there is a huge underground criminal market that is actively operating to weaponise systems and devices, and each one of us is a target. Software and systems cannot be implicitly trusted — their trustworthiness has to be proven.

Self-reliance at the grassroots is the way to go, if we don’t ‘WannaCry’.

Towards self-reliance

There are three challenges that need to be addressed for a self-reliant and secure Digital India. First, we must become self-reliant in developing indigenous, world-class software and systems which must be adequately validated and hardened through secure development techniques.

Second, we must evolve three determiners for digital security: how we ensure software authenticity and integrity, how we assess risk in an increasingly interconnected network, and how we disseminate software updates.

Third, we must launch initiatives for cyber literacy, safety and law enforcement policies to educate and integrate the common man into Digital India.

All said and done, humans are the weakest link in the cyber security chain. The majority of cyber attacks rely on tricking the user to perform an action on behalf of a criminal. In almost all breaches, a user was compromised through spam messages or phishing emails.

At the same time, the lack of secure operating practices by system administrators and device operators can jeopardise the entire infrastructure of an organisation. Enterprises need to make prudent investments in order to secure their infrastructure.

The Government must scale up its initiatives to educate the common man on the perils of going digital. Security education must be introduced in schools at an early age so that the youth can make educated decisions.

We need to expand the efforts of Cyber Incident Response Centres which aid in public dissemination of such information and offer help-line service to people.

A provision for the people to report offenders or suspected offenders, along with strong e-policing, can prevent such malicious software from infiltrating into the grassroots.

The writer is the director of the Centre for Cybersecurity Systems and Networks, Amrita University

Published on May 21, 2017

A letter from the Editor

Dear Readers,

The coronavirus crisis has changed the world completely in the last few months. All of us have been locked into our homes, economic activity has come to a near standstill. Everyone has been impacted.

Including your favourite business and financial newspaper. Our printing and distribution chains have been severely disrupted across the country, leaving readers without access to newspapers. Newspaper delivery agents have also been unable to service their customers because of multiple restrictions.

In these difficult times, we, at BusinessLine have been working continuously every day so that you are informed about all the developments – whether on the pandemic, on policy responses, or the impact on the world of business and finance. Our team has been working round the clock to keep track of developments so that you – the reader – gets accurate information and actionable insights so that you can protect your jobs, businesses, finances and investments.

We are trying our best to ensure the newspaper reaches your hands every day. We have also ensured that even if your paper is not delivered, you can access BusinessLine in the e-paper format – just as it appears in print. Our website and apps too, are updated every minute, so that you can access the information you want anywhere, anytime.

But all this comes at a heavy cost. As you are aware, the lockdowns have wiped out almost all our entire revenue stream. Sustaining our quality journalism has become extremely challenging. That we have managed so far is thanks to your support. I thank all our subscribers – print and digital – for your support.

I appeal to all or readers to help us navigate these challenging times and help sustain one of the truly independent and credible voices in the world of Indian journalism. Doing so is easy. You can help us enormously simply by subscribing to our digital or e-paper editions. We offer several affordable subscription plans for our website, which includes Portfolio, our investment advisory section that offers rich investment advice from our highly qualified, in-house Research Bureau, the only such team in the Indian newspaper industry.

A little help from you can make a huge difference to the cause of quality journalism!

Support Quality Journalism
This article is closed for comments.
Please Email the Editor
You have read 1 out of 3 free articles for this week. For full access, please subscribe and get unlimited access to all sections.