When Rajeev and wife Anjali checked into the high-end resort on the Caribbean Coast, an affiliate of the Starwood Hospitality chain, in the sunny summer days of 2015, they were eager to savor every moment of the hard- earned holiday. They had indeed worked so hard for over two years to take the ed-tech product to the launch that the boss granted them this much longed holiday, fully paid for by the company. They went through the check in formalities hurriedly, sharing their personal and credit card details rather casually, as yet another routine to be done with. They were in for a surprise when they received an alert from their bank in November 2018, a full two years later, that their personal details could have been compromised.
They were asked to get a new credit card forthwith and to change their password. They were lucky that no damage did actually happen in their case. But thousands were not so fortunate like them. The cyber security breach that continued for over four years during 2014-2018 came to light only because of a routine security audit undertaken much after Starwood was taken over by the Marriot Group. The breach was eventually attributed to a Chinese intelligence group, according to a New York Times article. If true, this would be one of the largest known breaches of personal data at the behest of a nation-state. In India several cases of suspected privacy breaches have come to light, some of them involving Aadhaar data leaked from utility or financial services providers.
In the connected and heavily data-driven world of today, the risks to cyber security involving data scooping, fraud, and financial irregularities are spreading like cancer. Cyber criminals ranging from lone wolves to habitual hackers to terrorists and nation-state agencies lurch in the twists and turns of the cyberworld.
The networks of super-bandwidth terrestrial, under-sea, microwave and satellite communication links make it possible to exchange sensitive financial and commercial data across the globe. However, known and unknown predators, both state-owned and non-state players, can snoop down and create havoc damaging data integrity and compromising strategic interests.
Cyberspace has evolved as a fifth potential theatre of war along with land, sea, air and space in the global Defence strategies. The world has had a relatively calm period over the past few decades with subdued strategic threats since the collapse of Soviet Union and the fizzling out of cold war tensions. But an assertive China is bent upon leveraging its way to be the principal challenger to the US hegemony; a new cold war is gathering storm quicker than the world had anticipated. It is manifesting as tactical moves in trade, power diplomacy and stealthy manoeuvers of digital technologies. The security of the physical IT and communication infrastructure like fiber optic cables, microwave and satellite links, telecom equipment as sell as the operating systems, platforms and applications present a critical challenge in the emerging global scenario.
There is an increasing danger of clandestinely acquiring and sharing vulnerable data and staging proxy cyberattacks by both overambitious nation states and non-state players. At the level of business entities, predatory infringements by cyber criminals are burgeoning by the day.
India is one of the preferred outsourcing destinations globally and many global brands have set up their development and delivery centers and shared services in India. The Indian digital landscape has grown substantially over a relatively short period. This obviously creates vulnerabilities that state and non-state actors could potentially exploit.
India currently has the dubious distinction of being home to the second highest number of security incursions (next only to the US) with over 1.2 billion cases in 2018. India is also the fifth highest in terms of source of cyber attacks, according to recent studies. Cyber Security hotspots are attracting both the conscientious professionals engaged in ethical hacking and cyber security research as well as predators with criminal intent. With massive digitalization of banking and financial services and the expansion of the e-governance menu, the risks to privacy and data security in India are set to increase tremendously.
The spread of social media has added a new dimension to the cyber-crime scenario. Criminals ranging from paedophiles, stalkers and fake-news peddlers are crowding the cyberspace. The presence of surfers with malafide intentions is a reality that the world should live with. Cyber policing competence has become critical in the digital society. In India, Bengaluru predictably has emerged the cybercrime capital with a significant percentage of cyber-crimes and hackings originating from there. Upgrading of cyber security expertise of the police force in the states is a strategic priority for India.
Information Technology spending in India is projected to touch nearly USD 90 billion in 2019, according to global IT research firm, Gartner. With it comes the risks of cyber security. According to the National Association of Software and Services Companies (NASSCOM), India is one of the most vulnerable nations in the world when it comes to cyber-attacks.
A recent survey by UK-based Sophos has found that 76 per cent businesses in India were hit by cyber-attacks in 2018. India was the country with the third highest number of cyber-attacks in 2018, after Mexico and France. The Survey found that most attacks came from servers (40%) and networks (35%) followed by devices (8%). No wonder cyber security is a USD 5 Billion business in India and is set to grow to the size of USD 35 Billion by 2025. The increasing incidents of cyber-attacks and data protection challenges would create demand for over a million professionals in India by 2025.
The scope and priorities of cyber security are evolving fast, trying to catch up with ever mutating threat scenario. The evolution is currently in phase-3 having moved from phase 1 defined by VIRUS protection (Anti-VIRUS software to be purchased and installed in individual computer systems) to phase 2 that focuses on protecting the network, devices and the information assets by installing firewalls and network security software. The current phase 3 involves a holistic and strategic approach to cyber security covering physical, software and other intellectual assets.
A whole new functional specialization has come to be established around cyber security. Standards, policies and benchmarks are being set raising professionalism and compliance obligations to higher levels. A mention is required to be made here about General Data Protection Regulation (GDPR), the European Union standards on protecting customer data. Companies that collect data on citizens of European Union (EU) countries need to comply with the guidelines on the accountability for the security and use of data. The penalties are stiff and governance very strict.
In the years to come, Indian cyber security scene is expected to grow in both spread and depth. Cyber forensics, cyber security audit and adoption of globally aligned cyber security governance are critical in the maturing of the cyber security domain in India. These pillars are bound to get stronger in the coming days.
In India, the key IT infrastructure is owned by the Government/Public Sector and the Private sector, each operating with own norms and protocols for protecting their infrastructure from cyber-attacks. The Defence services have their own security protocol. There is need for harmonizing and evolving the national security architecture that unifies the detection and rectification of threats in a coordinated and proactive manner. This area is today, work in progress.
Though India is a global force in providing IT and IT- enabled services, there is a dearth of talent when it comes to specific niches, such as Cyber Security. The demand for talented workforce outstrips demand in the foreseeable future with the burgeoning of cyber security threats and opportunities. The Indian IT industry giants have realised the importance of cyber security in the value chain and are planning to boost investment to upgrade this domain as a pillar of their growth strategies. Just the other day, Azim Premji while addressing his last Wipro AGM as Chairman has highlighted the company’s plan to scale up its cyber security offerings.
There is a worrying lack of awareness about cyber laws and regulations at both corporate and individual levels. With the spread of Internet-of-Things (IoT), Big Data Analytics and Artificial Intelligence (AI), the security implications of devices, networks, software and their interfaces have become more complex. There is a need to spread awareness, define standards and lay down governance protocols covering all aspects of the network. Slack governance and the propensity of the population to use pirated and unlicensed software act as catalysts to the spread of malware.
Lack of uniformity in internet access devices in India is a serious challenge. Less than 1% of mobile phone users have access to devices with robust security norms. The widening gap between the security offered by the high-end mobile phones and lower cost ones in the market makes it difficult to set legal and technical standards for data protection by the regulators.
The cyber security domain in India is now at the cusp of transformation from the casual manner in which this critical aspect has been dealt with till recently. With Personal Data Protection Bill set to become law and the Aadhaar ruling by the Supreme Court limiting the use of personal information, the focus on data privacy would become a cornerstone in the security protocol. The passing of the amended NIA (National Investigation Agency) Act with enhanced powers for the agency to pursue cross-border cyber-crimes adds teeth to India’s fight against the nexus between cyber-incursions and the global terrorist-criminal network.
Cyber Security is indeed a mega challenge and a goldmine of opportunities for India. Over the next decade this field is likely to see massive investments, professionalization, innovations and governance upgrade.
*Ravi Kumar Pillai is CEO and Principal Consultant of Cherrypick India Consulting & Business Solutions Private Limited, Trivandrum and can be contacted at firstname.lastname@example.org