The rising proliferation of digital payments in India — with cumulative growth of electronic transactions among various instruments ranging between 95 per cent and 4,025 per cent from November 8 till December 27 — the concomitant dangers on the cybersecurity front have potentially opened up.
The Centre, after its announcement of withdrawing high-value currency notes, has also come out with a slew of precautionary measures for any untoward event that might affect the country’s online financial systems.
On the one hand, the rollout of the first phase of the multi-stakeholder National Cyber Coordination Centre (NCCC) involving the creation of a ‘Threat and Situational Awareness Test Bed’ to generate triggers on existing and potential cybersecurity threats, is being expedited. On the other hand, CERT-In — the Indian Computer Emergency Response Team that acts as a nodal agency in dealing with cyber threats — is also setting up a Botnet Cleaning and Malware Analysis Centre for detection of computer systems infected by malware and to notify, enable cleaning and securing systems of end users to prevent further malware infections. A digital payments division has also been set up under CERT-In to monitor any potentially harmful activity that occurs on any of the channels on which electronic payments are taking place in the country.
The Reserve Bank of India (RBI), too, is learnt to have issued circulars to all commercial banks on phishing attacks and preventive measures to tackle phishing attacks, alongside advisories relating to fictitious offers of funds transfer, remittance towards participation in lottery, money circulation schemes and other fictitious offers of cheap funds.
On December 14, at a high-level meeting at the Ministry of Electronics and Information Technology’s headquarters in New Delhi, which was attended by senior executives of most banks in the country and officials from RBI, and the National Payments Corporation of India (NPCI), the lenders were urged to cooperate with CERT-In for carrying out audit and take measures to further strengthen their systems.
“The banks were suggested to increase their capacities to handle the growing electronic payments and at the same time, they were also asked to report all cyber-security related incidents to CERT-In immediately to evolve an adequate response to any attack in time,” a senior government official said.
With every new digital product and service introduced into the market, newer vulnerabilities are discovered, leaving scope for malicious actions. In November 2016, CERT-In is learnt to have issued alerts to key organisations, including banks regarding possible attempts of attacks by hacker groups with advice to monitor network activities, strengthen security of systems/website and reporting of anomalies. Similar alerts were also sent in July, August 2016 and October asking for measures to prevent cyber-attacks on websites and mitigation of malware infections.
Even before the November 8 announcement by the Centre, which has pushed citizens to adopt tools of digital payments, the government had taken several measures concerning cyber-security in the backdrop of growing internet services in the country. Last year, the Cabinet Committee on Security approved the government’s proposal to set up a Rs 1,000-crore fund, which would be administered by a high-powered committee under the chairmanship of National Security Advisor Ajit Doval. This fund would be used in areas of research and development of cyber-security products and systems, and the primary focus area would be indigenisation of cyber-security products and systems, and a special emphasis would be laid on developing strategic technological tools that are used by defence and law enforcement agencies.
Furthermore, the government had approved the project to set up the NCCC in April 2015 for implementation by Computer Emergency Response Team (CERT-In) with an outlay of Rs 985 crores for a period of five years. The main focus of the Centre was to continuously scan the cyberspace in the country at metadata level and generate near real time situational awareness for macroscopic views of the cyber security threats in the country. NCCC is a multi-stakeholder body with phases of implementation. “The first phase for creation of Threat and Situational Awareness Test bed is under implementation,” an official said.
This came at a time when cyber security incidents were showing a steady increase, with a total number of 39,730 incidents reported the first 10 months of 2016, as against 44,679 and 49,455 observed during the year 2014 and 2015 respectively, according to the information reported to and tracked by CERT-In. The types of cyber security incidents include phishing, scanning, website intrusions and defacements, virus code and denial of service attacks. After the demonetisation announcement in November, the subsequent digital push has precipitated the need for ramping up cyber safety and online transactions.
Alongside these two firewalls, an experts committee under the Chairmanship of former law secretary, TK Viswanathan, and members from NSCS, the Department of Legislative Affairs, the Department of Justice and the Central Bureau of Investigation, is readying a list of possible amendments in the existing domestic cyber laws to strengthen security and consumer rights, officials involved in the exercise said. With the increased onus on digital banking transactions, the RBI has also set up a Cyber Crisis Management Group to address any major incidents and the central bank has set up an IT subsidiary, which would focus, among other things, on cyber security within RBI as well as in regulated entities.
Notwithstanding the plethora of measures taken by the authorities before and after its increased push to digital payments, cybersecurity experts have spoken of a potential threat called breach blindness. “Someone may have hacked your system and been there for as long as eight-nine months before he decides to make a move. We call this breach-blindness. Now because of demonetisation, a lot of people and organisations may not get affected immediately but nine months later,” Amit Nath, cybersecurity firm F-Secure’s head of Asia-Pacific (corporate business) had said.