22 May 2017

WannaCry cyber attack: It's bad India is crying, but even more scary is govt response


If you haven’t noticed, the world wide web is under attack. Experts, and not just the experts with private cyber security firms but also the ones employed by the likes of Interpol, call it probably the single biggest and most serious cyber attack ever. Yes, this is WannaCry we are talking about. Starting from Saturday, lakhs of computers connected to the web have been attacked and taken over by the WannaCry worm, which is a ransomware. Many services and companies have been affected as the people behind WannaCry have taken over the computers and have demanded ransom in bitcoins.

It’s scary to see how WannaCry has affected some of the vital services. It has apparently popped up on networks run by airports, train authorities, hospitals, police departments, municipal services and others across the world. But the sad part is that India is a country that has been affected worst. In terms of absolute number of computers affected by WannaCry, India is actually on top of the list. Why, how and what can be done now? These are a lot of questions but the scariest part of the whole WannaCry story in India is that the government doesn’t even acknowledge the severity of the issue.

All in good time, though. Before I talk of why India has been affected so badly by WannaCry and what can be done, a quick look at how India has been affected.

WannaCry in Kolkata

Given how things are in India when it comes to cyber security, we may never get a full report of how WannaCry affected computers in India. But some information is coming. A quick preliminary assessment by QuickHeal, a company that offers cyber security solutions, notes that in India 48000 WannaCry attempts have been detected positively. It also notes that over 60 per cent of these attacks targeted the enterprise sector while 40 per cent of the WannaCry infections have happened to computers owned by individuals. The firm notes that the worst affected states are West Bengal, Maharashtra, Gujarat, Delhi NCR and Odisha. And among the cities the worst affected is Kolkata.

But this is not the full picture. We also know that the Andhra Pradesh Police department has been affected. At the same time, there might be other government departments and private companies, including banks, that may have been affected but we will never know because in India no one talks about these things.

The question of WHY

One big problem in India, and the one that WannaCry lays bare, is that cyber security here is a joke. This is not the first time that a ransomware has struck in India. For years now Indian companies, especially small and medium business enterprises, have been facing ransomware and attacks from cyber criminals. Cyber criminals taking control of computers inside a company and then demanding ransom in bitcoins is not new in India. It has happened earlier. Again and again.

A worm affecting Indian computers, including computers managed by government departments, is not new either. It has happened in the past. Earlier the US and Israeli cyber hackers targeted Iranian nuclear facilities with a worm, which was then modified by cyber criminals into Stuxnet. This Stuxnet then went on to affect thousands of computers across the world and at that time too India was among the worst affected countries.

So, why does it happen with India so often? Some reasons:

1- Did I say that cyber security in India is a joke? Yes, I did. Not only are the “cyber security experts” inside Indian companies ignorant, they also don’t make any effort to arm themselves against the new cyber security challenges. In most companies, IT security is handled by some guys who have a diploma or two in something IT. Most of the time, they are hardware guys and not exactly the software or network specialists. And even if they are specialists, chances are that most of their IT knowledge is bookish, just the way most of the education in India is. They just can’t deal with the worms and viruses that change on a daily basis. Actually, they can’t even deal with some smart users in their offices who can bypass the office firewall or IT rules with a few tweaks here and there.

But the blame doesn’t entirely lie with the people or IT admins. Cyber security is also mostly an afterthought in most companies. For example, in a hospital no one cares about cyber security. Or at a hotel, no one gives a damn about cyber security. Companies don’t invest in the right gear and the right people because they believe that something like WannaCry won’t happen to them. And because maintaining cyber security hygiene is not really easy, they also don’t try.

2- Also blame clueless government experts for something like WannaCry. Just the way IT admins in most Indian companies are hapless in front of something like WannaCry, so are the “experts” in India’s cyber security agencies like CERT-IN. This is an agency that sends security advisories months after something has hit the web. It is also an agency that is mostly full of people who have no clue about what is going on on the world wide web.

In fact, the problem goes much beyond CERT. Almost everywhere in Indian government departments, there is a lack of people who really understand tech and cyber security. Police departments believe that someone who can access Facebook with a proxy is a hacker. Or someone who can install a file recovery program like Recuva is an IT wizard. This is the reason why the government believes in people like Ankit Fadia. Well, when your cyber security expert is someone like Fadia, be ready to face catastrophe when something like WannaCry hits you.

3- Another big problem is that no one updates computers in India. Banks don’t do it. Government bodies don’t do it. People don’t do it. WannaCry mostly affects the computers and servers running older versions of Windows, including Windows XP. Incidentally, Windows XP, after support for it has ended, is still run by millions of computers in India. The real scary part is that many of these computers running Windows XP in India are actually the ATM machines. These ATMs don’t get updated, and neither do the Windows XP machines in many banks and sensitive government departments.

The same problem is also there with Android phones. Most consumers in India don’t care about the latest Android. They use phones on which the Android is never updated. For now WannaCry is limited to Windows computers. But imagine the chaos if something like this hits unpatched, unsecured old Android phones in India in future.

Blame government

For me the worst part of WannaCry has been the response of the Indian government. There is an advisory on it from CERT-IN. But just like other CERT-IN advisories, this one too comes after the damage has been done. Then there is a statement from IT Minister Ravi Shankar Prasad that there is no serious impact in India from WannaCry. He apparently said, “There is no major impact in India unlike other countries. We are keeping a close watch. As per the information received so far, there have been isolated incidents in limited areas in Kerala and Andhra Pradesh.”

Wow!

India is still living in denial: the Indian computer users and the Indian government. And that is the worst way to deal with a cyber attack. Across the world, it is an established norm now that to deal with a cyber attack you have to bring in a system that is more transparent. The idea is that unless you acknowledge the problem, it can’t be fixed. And given the fact that cyber attacks, viruses, bugs, worms are part of digital life, the best way to deal with them is by ensuring that people know about them. Also, transparency has a way of forcing the government departments, banks, private companies and others to take cyber security seriously. But here we have the government clearly saying that it doesn’t believe WannaCry has affected India much (it’s a lie at worst and understatement at best).

Instead, to ensure something like WannaCry is not repeated the government should be looking at two things here:

1- Bring in a data protection law: India doesn’t have any data protection law. This is a serious handicap in fighting cyber crime in India. Here is how it works. In many countries, companies and organisations are held responsible for the data that they store. This means if they lose this data or if cyber criminals breach their system, then they are held responsible for it. In some cases they can even be fined in case they are lax in their cyber security practices. But not in India. This allows our companies and organisations to be careless about something like WannaCry. After all, even if a bank loses private data of consumers, and then there are banking frauds, it can chill because it won’t be held accountable for it.

2- Force organisations and companies to be transparent: The other component of cyber security is transparency. Given enough eyeballs, all bugs are shallow. Or so goes the saying among the cyber security researchers. By ensuring open systems and by reporting data breaches or cyber attacks, companies allow third-party cyber security researchers to find chinks in their armour. Once these chinks are found they can be fixed. This is the reason why in many countries across the world, companies and organisations have to mandatorily report any cyber security incidents. But not in India, because the government doesn’t demand anything like it. The result is that when something like WannaCry happens, there is this hush-hush. And then once the news goes away, it’s back to business with the same shoddy cyber practices and unpatched systems. That is until WannaCry 2.0 or something like that hits back.
