The Honourable Prime Minister of India, Shri Narendra Modi, launched the Digital India project yesterday, an ambitious undertaking to interconnect and deliver government services to India’s 1.25 billion citizens.
Fortunately, the challenge of securing the vast cyber space for netizens has been keenly recognised by the Government of India as the Prime Minister stated the following in his speech:
“I dream of a Digital India where cyber security becomes an integral part of national security”
The Prime Minister made unambiguous references to the potential vulnerability of India’s current and future critical infrastructure and services to cyber-attack. The plethora of international spying, hacking, and Denial-of-Service attacks, which have made the headlines in recent times, allows one to put things in perspective. India has its own share of inimical nation states, along with non-state actors, both beyond as well as within the country’s borders.
The Prime Minister also recognised the dangers posed to an average netizen at a personal level. He related how common theft has progressed from stealing somebody’s wallet on a bus, in the past, to the current ability of criminals situated thousands of miles away to wipe out a bank account within the time it takes to click one’s fingers.
Indeed, as highlighted previously on our blog, there exists legislation to aid the protection of netizens from common cybercrime, as well as provisions to safeguard national cyber security. However we believe there is lot more to be done. In this blog we wish to highlight certain problem areas which need to be taken into account to boost cyber security for the netizen, and thus, for the nation.
There is a lot of emphasis on the use of online social media and sharing of data “securely”. Of course netizens are only too keen to share Personally Identifiable Information (PII) on public sites, which may not even be hosted in one’s home country. Apart from its general nuisance value, leakage of PII allows the mounting of sophisticated targeted attacks. We recommend thinking several times before posting private information on public sites.
Plans to provide many services online, including secure private document storage, will require netizens to be made aware of basic security hygiene, at least vis-à-vis the use of strong passwords which must be difficult to crack. However, for ease of remembering, it is likely that many, if not most, netizens would employ the same credentials across multiple portals. The compromise of just one password could leave your data exposed on several other sites. In addition, the secure storage of digital certificates, used to authenticate the source and ownership of documents, is a cause for concern as a stolen certificate could lead to complete identity theft.
The exploitation of vulnerabilities on both the client and server side poses a real and present danger to all users. On the client side, software installed on a user’s computing device can and do have hidden weakness that can be taken advantage of during attacks. Vulnerabilities on the server side, especially web servers, have the potential to compromise thousands, and with the advent of Digital India, perhaps millions. A huge proportion of websites, including many with ‘gov.in’ in the domain name, are not necessarily implemented and managed with security in mind, leaving netizens vulnerable. Several trusted Indian state and central government sites have been hacked and defaced in the recent (and not-so-recent) past. We have blogged previously about website hacking, and remediation techniques with which webmasters ought to be familiar. We hope that the government portals which deliver services will be made robust to any form of attack, particularly intrusion and Denial-of-Service.
Mobile devices are set to play a crucial role in the Digital India project. Android is likely to be the most common mobile platform used to communicate with government portals, given the relatively low cost of Android devices. It must be noted that despite Google’s assertions to the contrary, Android devices are certainly not invulnerable to malware attacks. Mobile devices must also be secured, with the user being made aware of the do’s and don’ts of app installation.
The above list of issues is far from exhaustive. We have touched merely the tip of the iceberg. Covering other potential issues is beyond the scope of this particular blog.
An interconnected, inclusive Bharat via the Digital India campaign is an exciting prospect. We wish the campaign all the very best, and we, as IT security professionals, hope to contribute significantly to its success. We would simply like to reiterate the cyber security threat potential to netizens and the Government of India so that robust security hygiene is maintained with discipline, allowing the freedom of a safe online service experience. Jai Hind!
Some images (adapted to suit the article) are courtesy of several sites.
Senior Manager, K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed