Securing State’s digital assets
The government’s plans to beef up cybersecurity with private sector help is encouraging. But decisions and interventions must move fast, and the cybersecurity police is now key
The government is looking to hire private cybersecurity contractors, this paper reported last week. The plan is to ultimately improve the cyber defences of the government at a time when many of its digital utilities, services and databases have been cracked open by attackers of diverse nature and motives. Last winter, India’s premier government hospital and medical research agency, the All India Institute of Medical Sciences, was hit by ransomware and over a terabyte of data — possibly amounting to millions of patient records — was lost. The National Informatics Centre (NIC), the government’s information technology service provider, runs and maintains that network service. NIC has been at the centre of multiple cyberattack incidents recently. In 2020, its email service, allowing @gov.in addresses, was used as a springboard for further attacks.
That incident was not entirely surprising because governments around the world discover every year, the new lengths cyber adversaries will go to. In 2022, virtually all of the American administration, for instance, was found to have been compromised in what is now known as the SolarWinds hack. The most dangerous attackers are geopolitical adversaries, whose cyber soldiers can inflict substantial harm, which often comes to light only years later. But apart from them, cybercriminals are looking to make quick money — and what better target for them than repositories and services hundreds of millions of people rely on? Against this backdrop, NIC, with large deficits in funding, personnel, and technology, seems out of its depth.
Globally, such threats have far outpaced the lumbering response of bureaucracies. The above incidents prove this is just as true for India. Cybersecurity is a niche domain where agencies and organisations that can push the envelope of offence and defence are those that are nimble with skill and technology. The economics of the field is also often at odds with government pay grades, which are revised after long intervals. So, it is no surprise that many countries work with the industry to secure their public sector digital assets. In this regard, such a move by India will be helpful. The administration must also move on the long-pending cybersecurity policy, which will establish how the government will protect its digital assets and what cybersecurity standards must be followed by all.