NEW DELHI: Not far from Mumbai, terror struck on June 27. Unlike 26/11, the terror attack at the Taj Palace six years ago, neither gunshots nor bomb blasts were heard. Nor were terror-struck people seen running for cover. Quietly, this terror attack crippled India’s largest container port—the Navi-Mumbai based Jawaharlal Nehru Port Trust, or JNPT. The terminal, with a capacity to handle 1.8 million standard container units, ground to a halt.
The attacker was a malware called Petya. Its handlers were faceless hackers operating from an unknown location that could be as far off as thousands of kilometres away in Russia or as close as Mumbai.
The damage at JNPT was contained, and it did not create panic among the masses. But imagine a similar attack at the Indira Gandhi International Airport, Delhi Metro, an electricity grid or a nuclear station. A shadowy hacker working a cheap laptop sitting in a remote den can bring the country’s vital public utilities to a halt, creating chaos that even a mega terror strike cannot. Unlike Hurricane Irma, you won’t even see it coming.
The vulnerability of our cyber systems is a ticking time bomb. It can explode anytime, anywhere. Even in your hands, as your smartphone too is on target. From restaurant-search service Zomato to Reliance Jio, from your Aadhaar to your ATM card, nothing is impregnable.
There was a time when surfing was a harmless hobby. But today, it is an apt metaphor for the dangers lurking beneath your screen. Google, Amazon or YouTube only skim the surface of the World Wide Web. Below that surface lies the Dark Web, the depths from where criminals plot to steal your money and your identity, and lay siege to banks and public services. Last year in India, cyber attacks compromised more than 3 million ATM and debit cards. Next door in Bangladesh, hackers infiltrated a central bank official’s computer and made off with over $80 million in one of the biggest cyber heists ever.
How did the internet become so dangerous? Hint: look at your smartphone
Here’s the internet’s greatest paradox: The more connected the world gets, the more vulnerable it becomes. A few years ago, only computers could be hooked to the internet; now you can even get a connected toaster. In India, where millions of new users come online every month with less-than-basic understanding of the internet, the risk is even bigger. Add to that inadequate laws and the ignorance of big companies and even educated users who spend the better part of their day online—working, chatting and dealing in money.
The rise of e-commerce and the exponential spread of the digital economy via the smartphone make the average Indian—you—highly vulnerable to cyber threats. The union home secretary, no less, has admitted that your smartphone has become a dangerous device. Rajiv Mehrishi told a parliamentary panel last month that 40 per cent of smartphone users stand the risk of getting their data leaked to the entire world, including the US’ Central Intelligence Agency (CIA).
Not only your passwords, even your fingerprints and biometrics are being stolen from your smartphone. According to a recent study by Spain’s IMDEA Networks Institute, more than 70 per cent of smartphone apps are reporting personal data to third-party companies.
For all you know, your Chinese smartphone could be transferring your data to its servers back in China. After reports of data theft, the Ministry of Electronics and IT recently directed 30 smartphone makers to inform it about the protocols they follow.
According to international cyber security and research firm Kaspersky Lab, the number of virus attacks on mobile phones in India doubled within 2016, starting from 2.5 million in January to around 5 million by end of the year. In India, 34% of Kaspersky Lab’s mobile-security software customers have been attacked at least once in 2016.
“India is one of the countries being largely targeted by cyber criminals. Countries like India are developing so fast that it opens the doors for more cyber attacks. While India’s economy is growing fast, more people are getting access to the internet. In large cities, 4G and Android devices are becoming popular,” says a Kaspersky Lab report.
India expects a six-fold growth in digital transactions to 25 billion in the year to March 2018, up from 4 billion in 2015-16, according to the World Payments Report 2017.
The makings of a corporate crisis
Not just individuals, Indian companies too are sitting ducks in the face of cyber threats. In KPMG’s Global CEO Outlook 2017, 53 per cent of Indian CEOs agreed that their organisations weren’t fully prepared for a “cyber event”.
Here’s another piece of data that points to a shocking lack of caution: More than 60 per cent of the software used by companies in India is unregulated, meaning they don’t have access to the latest defences against cyber threats, according to business practices firm EY. “Many organisations secure their hardware. However, they do not pay attention to the software used, which could be unregulated,” says Maya Ramachandran, Partner, KPMG Advisory Services Practice.
According to a recent EY survey, 49 per cent of chief information officers identified security threats from malware as a major threat posed by unlicensed software, while 26 per cent employees admitted to installing outside software on work computers.
“Cyber criminals are exploiting the fact that companies have very limited visibility behind their firewalls,” says Sahir Hidayatullah, CEO of Smokescreen Technologies, a cybersecurity company. “Coupled with the fact that ransomware attacks are easier to monetise, they are becoming the weapon of choice for the modern attacker. Of even greater concern is the growing number of highly-targeted ransomware campaigns that are significantly more damaging than mass spread attacks.”
Blame the lax cyber security standards of India Inc for hundreds of Indian firms being locked out by different ransomware in the last six months. To make matters worse, few incidents of cyber attack on big companies become known for fear of losing credibility and business, even though information sharing is one effective way to ward off future cyber attacks.
In the US, the law requires a cyber breach to be reported, but not in India.
India was the third worst-hit country in the recent WannaCry ransomware attacks. More than 40,000 computers were affected, but no major corporate or bank reported any disruption to their activities, raising doubts whether they are disclosing attacks at all.
“In our research we found that a large percentage of attacks globally by WannaCry happened in India and the country was third on the total number of attacks,” says Altaf Halde, Managing Director, Kaspersky Lab, South Asia. “Most of the Indian organisations are still vulnerable to the attacks since the sophistication of these cyber threats is going up, and many Indian organisations [in both the] private and public sector still use outdated operating systems.”
No room for complacency
Our government and private companies are grossly underprepared against growing cyber threats—and so are you and your kids whom you gift smartphones without realising that they could drive them straight into the arms of the Dark Web.
If data from cutting-edge Scorpene submarines and heavily protected episodes of Game of Thrones are not safe from hackers, neither are you. Remember that the next time you press ‘agree’ to the terms and condition while downloading an app, transfer money on your phone or bring home a smart TV.
(This article is the first in a series on ‘Dangers of a connected world‘)