Secure digital environment for all: Govt’s efforts to enhance cyber preparedness

Fully aware of the growing cyber threats and attacks on the country’s digital infrastructure and systems, the Government of India has taken several measures for ensuring safe and trusted and secure cyberspace for users.
Anoop Verma
  • Updated On May 9, 2024 at 10:42 AM IST
<p>"The cyber attacks on critical infrastructure are a serious concern. Such attack Such attacks are happening worldwide," Dr. Saurabh Gupta, Advisor, Ministry of Home Affairs, NATGRID.</p>
"The cyber attacks on critical infrastructure are a serious concern. Such attack Such attacks are happening worldwide," Dr. Saurabh Gupta, Advisor, Ministry of Home Affairs, NATGRID.
With over 800 million Indians (Digital Nagriks) active on the Internet and cyberspace, India ranks among the world’s most digitally connected nations. Government departments and businesses are increasingly relying on digital solutions to provide education, finance, healthcare and other governance related services to the people.

The growth of Internet and digital systems in the country has brought a lot of economic and social benefits, but it has also led to a vast increase in the surface area which the cyber criminals can target. Fully aware of the growing cyber threats and attacks on the country’s digital infrastructure and systems, the Government of India has taken several measures for ensuring safe and trusted and secure cyberspace for users.

Advt
Dr. Saurabh Gupta, Advisor, Ministry of Home Affairs, NATGRID, Government of India, in conversation with Anoop Verma, Editor (Desk), ETGovernment, sheds light on the steps that government departments and agencies are taking to enhance the nation’s cyber security.

Edited excerpts:

There have been several reports which claim that India is among the world’s most hacked countries. What steps is the government taking to improve the state of cyber security in the country?
The internet user base in India has seen phenomenal growth–at present, we have over 800 million internet users. This large penetration of the internet has a huge economic and social benefits but it also makes the country a target for cyber attacks. It is not only the ordinary users who are becoming victims of cyber attacks, even the government departments and large enterprises are being targeted. In 2023, there was a 63% spike in cyber attacks between the first quarter and last quarter. The healthcare websites continue to face bot attacks.

The Government of India is cognisant of the gravity of the situation and a number of initiatives have been taken to enhance the nation’s cyber security. The honorable Prime Minister has said that the government is determined to develop a safe and resilient cyber space for the people. Dedicated cyber security departments have been established by the Ministry of Home Affairs (MHA) and the Ministry of Electronics and Information Technology (MeitY). These departments are working to strengthen cyber security and quickly respond to any incident.

In the MHA, there is the Cyber and Information Security Division (C&IS), which deals with cyber crimes and enforcement of the nation’s IT laws. In MeitY, there is CERT-In, which is dedicated to quickly responding to cyber crime and hacking incidents. MeitY has also established the Cyber Swachta kendra, a Botnet Cleaning and Malware Analysis Centre.

Advt
In the USA, Japan, Australia and several other countries there have been reports of critical infrastructure being hacked. Is there a risk of something like this happening in India?
The cyber attacks on critical infrastructure are a serious concern. Such attacks are happening worldwide. In the past, attempts have been made by hackers to target critical infrastructure in India, including the power grid, the financial systems and the healthcare systems. The cyber attacks that are orchestrated by state level adversaries can be highly complex and merit an equally complex response.

There is a need to upgrade the software and hardware systems of agencies which manage critical infrastructure. If these agencies are using legacy systems, they will be vulnerable to cyber attacks. There is also the need to upgrade the cyber skills of the workforce. The workforce must exercise cyber hygiene and be vigilant. The Government of India has taken a number of initiatives for skill development in digital technologies.

The cyber criminals do not recognize or respect international boundaries, so global cooperation is necessary for dealing with them. We are now living in a global village, and all the nations have to cooperate to keep this global village safe.

What steps is the government taking to prevent such attacks on critical infrastructure from happening in India?
The government has established the National Critical Information Infrastructure Protection Centre (NCIIPC), a unit of NTRO, to serve as the nodal agency for protection of Critical Information Infrastructure from attacks. The government has also developed regulations for management of information related to critical infrastructure. There is a lot of inter-agency collaboration and coordination happening to ensure the safety and resilience of the country’s critical infrastructure.

NIC is providing critical digital services to the government. Many of the national data centres are owned and managed by NIC. What kind of cyber security measures are being taken to safeguard the critical digital services of NIC?
I have served in NIC for more than 36 years. NIC has strived to implement the best in class cyber security systems for government departments. NIC has taken a multilayered approach to guard its critical digital services. This multilayered approach consists of technical measures, organizational measures and other kinds of cyber security initiatives.

In case of the technical measures, cyber security is deployed at the user end, the network end, the data centre end and in the application also. NIC has regular security audits of its websites and infrastructure. The thrust is on detecting vulnerabilities before attackers can exploit them. NIC also does penetration testing, which simulates real world attacks. This exercise is continuously done by NIC on its website.

The overall security architecture at NIC is very strong. It uses various firewalls, intrusion detection systems (IDS), VLAN networks and other security tools to detect and block malicious activity in real time.

How is NIC protecting the sensitive government data?
If the data is very sensitive, then it is kept in encrypted form at rest and while it is in transit. This is to prevent unauthorized access. Even if a hacker intercepts sensitive data, he cannot access the critical information. The multifactor authentication system called KAVACH is also being used by NIC to add an extra layer of security to sensitive data. In NIC, there are a set of clear protocols for proper use of systems, password management and incident reporting. All the concerned personnel follow these protocols.

Many times hackers are successful in orchestrating their attacks because someone in the organization failed to follow the best practices. What steps is NIC taking to train its personnel in the best practices for improving cyber security?
To upgrade the skillsets of the officials, NIC is running training programmes. In these programmes, the security specialists learn the latest techniques for identifying and countering various types of cyber attacks, including the social engineering attacks and phishing attacks which have become very common in our day and time. NIC has entered into a collaboration with Rashtriya Raksha University (RRU) for skill development of its officers on a continuous basis. NIC has also established a division called NIC-CERT, which is the nodal agency for managing cyber security incidents in NIC.

A significant part of the electronics systems being used by various government departments are imported from other countries. China is a big source for electronics systems. Do we have a system in place to audit the software and hardware of these systems to ensure that they cannot be hijacked by outside agencies?
Auditing electronics systems for hardware and software issues is a complex but critical task. The first complexity we face is that of the supply chain. In the present scenario, modern electronic systems often incorporate components and subcomponents from multiple countries. This makes it a very challenging task to trace the origin of the overall product and assess its vulnerabilities.

The other challenge is that the core components of the electronics systems are the chips, which are built at a nano-scale. The auditing of these systems can be time consuming. The auditing of the software installed in the electronics systems has its own set of complications.

The Ministry of Electronics and Information Technology (MeitY) has come up with guidelines which encourage the use of ‘trusted sources’ for electronic procurements in the government. MeitY is also promoting security certification programmes for IT products to encourage secure design and development practices.

The problem of security auditing of software and hardware would to a large extent be mitigated if the electronics products were being manufactured by manufacturers in India. Are we making enough efforts to achieve self-sufficiency in critical electronics systems?
When the government led by Honorable Prime Minister Narendra Modi came to power in 2014, it launched the initiative of “Make In India.” The Make in India initiative is encouraging the production of electronics in the country and improving the supply chain. Work has already started for setting up of world class semiconductor manufacturing facilities in places like Gujarat, Hyderabad and Assam. In a few years, it is possible that India can become a major hub for electronics production not only for domestic consumption but also for exports.

What are your recommendations for ensuring the trustworthiness of the electronics items that we are importing from other countries?
We should do the diversification of the suppliers. We should reduce the reliance on a single source for critical components. This can help us mitigate some risk. The security agencies like CERT, have to continuously monitor vulnerabilities and issue advisories. This is something that they are already doing. We should focus on secure coding practices to reduce vulnerabilities.

Since the attackers are constantly developing new methods, technologies and tools, the law enforcement agencies have no alternative except to keep upgrading their systems and skill sets. As I said earlier, we have to collaborate with other countries and establish global cyber security standards. There should be global security standards for hardware and software.
  • Published On May 9, 2024 at 10:42 AM IST
Be the first one to comment.
Comment Now

Join the community of 2M+ industry professionals

Subscribe to our newsletter to get latest insights & analysis.

Download ETCISO App

  • Get Realtime updates
  • Save your favourite articles
Scan to download App