Centre plans to rope in private companies to help secure govt servers, websites
The government’s IT services are managed by the National Informatics Centre (NIC), which hosts 3.3 million email accounts and maintains more than 10,000 websites and services
The Union government is planning to hire private contractors to improve the cybersecurity of its digital assets and services, officials directly responsible for managing these said, citing what they described as the rapidly evolving nature of threats.
The decision, discussed within the ministry of electronics and technology (Meity) last month, comes in the wake of a spree of breaches of government servers and websites that were hacked in phishing and ransomware campaigns that are feared to have compromised sensitive information.
“The procurement procedures of the government cannot keep pace with the changing technologies and sophistication of cyberattacks,” one of these officials part of the government’s cybersecurity establishment said on Thursday, asking not to be named.
To initiate the process, a request-for-proposal (RFP) will be issued soon, this person added. An RFP is the first step in a bidding process.
The government’s IT services are managed by the National Informatics Centre (NIC), which hosts 3.3 million email accounts and maintains more than 10,000 websites and services.
The move assumes significance after the past three years recorded a slew of high-profile cybersecurity breaches. The latest among these was a ransomware attack at the All India Institute of Medical Sciences (AIIMS), where five servers -- maintained by NIC -- were compromised and 1.3 terrabyte (TB) of data , including patient records, was encrypted, effectively making them useless.
According to the government’s submissions in parliament in the past, the number of cyberattacks involving government as well as private targets recorded by the Computer Emergency Response Team (Cert-IN) surged from under 400,000 in 2019 to over 1.1 million in 2020, when the pandemic triggered a shift to remote working that experts have said made establishments more vulnerable.
In 2021, the number of reported incidents was 1.4 million, followed by 1.3 million in 2022.
“The government cannot keep pace with providing you defensive measures since technology is changing very rapidly. It is better to take advantage of companies,” said the person cited above.
A second person aware of the discussions said that the collaboration is likely to involve some organisations dealing with non-sensitive matters at first.
Officials from NIC and the Meity did not respond to requests for a comment.
Experts welcomed the decision, pointing out pay differences between private and public sector companies. “This is not surprising. Recruitment of cybersecurity talent is difficult in the private sector, and even more so for the government. The field is extremely niche and the best talent is typically picked up by top-end companies,” said Anand Venkatanarayanan, cybersecurity expert and co-founder of think-tank Deepstrat.
“Conceptually, the decision marks a significant progress but how it is implemented will need to be seen,” he added, cautioning against following the old “L-1” method of selecting successful bidders that was based on the lowest cost.
A second industry expert, asking not to be named, said the plan involves hiring what are known as managed security service providers (MSSP), which deploy hardware, software and personnel to clients for security services.
India will not be the first country to get the private sector to assist with cybersecurity of government assets. The US Cybersecurity and Infrastructure Security Agency (CISA) works with industry and academia for “security and resilience” of critical infrastructure.
In 2020, several Indian government email accounts were compromised to launch phishing attacks, some of which were successful since many of the targets clicked on malicious links, taking them to be legitimate since they from a gov.in email address.
A similar phishing campaign was launched in December, 2022, when NIC issued an alert after defence ministry officials reported they had received suspicious emails from someone claiming to be from NIC.
There have also been reports have critical infrastructure being targeted, including the Kudankulam nuclear power plant in 2019, and the national power grid in 2022.