The accelerated pace of cyberattacks the world over is a cause for grave concern. Vigilance is the need of the hour as the cyberthreat landscape witnesses an exponential increase in threat actors with different motivations and varied skill levels.
According to our June 2022 Global Risk Survey - India highlights, nearly 80% of India leaders agree that keeping up with digital and other transformations is a major risk management challenge.1 Data from the Indian Computer Emergency Response Team (CERT-IN) corroborates this as it underlines that in CY 2021, CERT-IN handled about 14 lakh attacks on various Indian entities.2
The rise in the cases of unauthorised network scanning/probing over the past three years has been exponential, with a 280% increase in the number of reported incidents in CY21 over the CY19 numbers. CY 2021 also shows a near doubling of website intrusion and malware propagation/phishing incidents compared to CY 2019.
Source: CERT-In Annual Report 2021
Ransomware too continues to be a potent threat. PwC’s report Cyber Threats 2021: A Year in Retrospect3 indicates that ransomware will continue to be the most potent threat for organisations across the world, with attacks on supply chains becoming the new normal. The emergence of commercial digital quartermasters – who could be both state sponsored or those driven by pure monetary considerations – compounds the menace, by equipping cyberattackers with high-end tools and capabilities. All these developments have resulted in an increased focus on zero-day vulnerabilities. As the below exhibit indicates, 2,435 ransomware victims were exposed on leaked sites in CY 2021, about double the number for the previous year.
Concerns around cybersecurity prompted a joint press conference by the heads of the Federal Bureau of Investigation (FBI), USA, and Military Intelligence, Section 5 (MI5),4 on 6 July 2022. The joint press conference served to underscore the potency of cyberthreats to which nations are exposed. It brought to the fore the issue of a state actor undertaking a coordinated campaign on a grand scale to attain significant advantage over its enemies. The steps that a state actor can take, include:
Cyberattacks, it emphasised, are also a key element of the strategy to inflict damage on other countries.
With geopolitical conflicts and subtle changes in the Power Blocs, India too needs to contend with increasing cyberthreats from various quarters, as cyberwar is now the asymmetric weapon of choice for all threat actors. It is a low-cost-high-yield vector capable of inflicting targeted damage across sectors while enabling easy deniability.
Given this context, it is important to revisit the broad spectrum of cyberthreats, the reasons behind these threats, and the strategies that India needs to adopt in the near and long term to safeguard its interests and those of its citizens. The country’s sheer diversity and complexity demand that a bespoke approach be adopted instead of a one-size-fits-all approach while devising solutions for the Indian ecosystem.
In the Indian context, the broad spectrum of cyberthreats may be classified into those impacting critical infrastructure, businesses and citizens.
Past cyberattacks on critical Indian infrastructure have included attempts on India’s ports, nuclear facilities and power utilities. These attacks have a severe impact given that the critical infrastructure serves large populations. In a recent attack in April 2022, cybersecurity researchers observed hackers penetrating the networks of at least seven Indian State Load Dispatch Centres (SLDCs)5 which are critical for maintaining grid frequency and stability, and access to supervisory control and data acquisition (SCADA) systems across the respective states for grid control and electricity dispatch.
While these attacks were countered, they had the potential to severely disrupt the power system. In the same month, hackers also attacked the headquarters of a large state-owned Indian hydrocarbon company and compromised some of its servers. Similarly, in July 2022, a prominent Indian regulator reported that e-mail accounts of its officials were hacked, and mails were sent from them; however, no loss of data was reported. As regulators possess extremely sensitive data, a data breach can prove very costly.
The Indian corporate sector has faced a slew of cyberattacks. The bulk of the attacks on corporate houses have been related primarily to ransomware and data theft. Some of the recent attacks include those on Indian companies in varied sectors, including pharmaceuticals, heavy engineering, online groceries, quick service restaurants, diagnostic labs, start-ups and finance portals. The ambit of the cyberattacks includes various types of incidents such as denial of service attacks, lost and stolen assets, basic web application attacks, privilege misuse, system intrusion, social engineering.
Data from International Data Corporation’s (IDC’s) India Ransomware Survey 20216 indicates that ransomware attacks can have a debilitating impact on companies and a third of the victims take a week or more to recover from such an attack.
A personal data breach can be broadly defined as a security incident that compromises the confidentiality, integrity or availability of personal data. The hackers deploy a range of techniques and tools to extract data from unsuspecting victims. These techniques include use of a fake website, phishing, collection of username and passwords, subscriber identity module (SIM) cloning, extraction of one-time-password (OTP), capturing of biometric data through fake apps, and collection of fake donations.
The data being targeted by hackers is primarily of two types:
While users have some awareness of financial fraud, PII-related data and its potential for misuse is not fully understood by the masses, as there is limited awareness of data privacy as a concept. This results in a fair amount of PII, including biometric information such as fingerprints, iris scans and facial images, being shared without adequate precautions. This information, if compromised, can impede the privacy of citizens all through their lifetime. This serves to underscore the point that while significant investments are being made in Digital India initiatives, proportionate investments are needed to create user awareness and educate the masses.
The cyber vulnerabilities in the Indian context primarily arise from inadequate investments in cybersecurity, be it in terms of investments in technology, building cybersecurity awareness or investing in strategic initiatives. As per the graph showing the trajectory of the Government of India’s (GoI’s) budget for cybersecurity, it is evident that there is an increasing trend in the budgeted amount. Incidentally, FY22 has been the first year when the actual amount exceeded the budgeted amount.7
This earmarked amount also needs to be viewed in relation to the spending by larger economies like the US, where the Government’s budget for civilian cybersecurity for FY22 was about USD 9.8 billion.
Source: Business Standard
For many Indian businesses cybersecurity remains a non-productive cost centre as investments in cyber defence become rapidly obsolete, as cyberattacks improve in complexity and sophistication. Moreover, many organisations still follow a compliance-oriented approach to cybersecurity that is more of a tick in the box, rather than a risk-based approach. Coupled with the direct and indirect impact of a cyberattack, organisations often hesitate to divulge information related to cyberattacks and share the same with regulators and other institutions or even organisations in the same sector for fear of backlash and negative publicity.
Inadequate investments in cybersecurity and the above approach of businesses to this imminent threat serve to amplify the existing fault lines in the Indian cybersecurity landscape. The following are a few factors that need to be considered: