The Indian government has adopted the importance of cyber safety in the digital world and supported Cybersecurity Awareness Month — October, along with the cyber safety community globally. In the US, the Cybersecurity Awareness Month-October campaign was launched in 2004, and global security communities accepted it. The main aim of this campaign is to create awareness and spread scientific temper among individuals and organisations to disseminate the globally adopted best practices to the common public and entities.
Data and the internet are becoming an essential part of human life. As with a physical universe, the digital universe also coexists. The new cyberspace ecosystem has grown with advanced technological enhancement. As per the July 2023 Statista data, for the 8 billion people, globally 16.7 billion smart devices are present and active in the digital world. It is expected that in 2030, there will be 29.42 billion smart electronic devices will be interconnected. Among 141 crore of the Indian population, 69.2 crore people use the internet through smart devices. India is the second largest internet user after China in the world. In India, every person has started creating a digital trace before birth and after their existence.
Internet: A Basic Need
Nowadays, the internet is also added after the food, water, air, and shelter in the list of basic needs. In the global village, every technology and new innovative products are easily spread across the globe in a short span. With the help of science, technology, and industries, humans started consuming more advanced technologies daily. To top it, internet is the primary source to all kind of communication. In the past ten years, internet has changed the human life drastically and is able to connect with all electronic devices. Human digital trace was marked on every smart device. In the 20th century, all the gadgets were merged into a single device in the form of smartphone. Almost all modern technologies — Internet of Things (IoT), Artificial Intelligence (AI), Machine Learning (ML), Cloud computing, Natural Language Processing (NLP), and Biometric Technologies are already interconnected. However, these modern technologies have more significant challenges and threats from cyber attackers.
Our daily life majorly depends on the internet. Online shopping, mobile banking, streat vegetable purchases, travel bookings, hotel bookings, food orderings, fund transfers, bill payments, social media gathering, movie watching, TV watching, online gaming and official work-from-home activities are migrated into online platforms.
Collateral Damage
When more positive things happen around, the same platform brings more negative things also. Cybercriminals play a crucial role in attacking cyberspace to steal valuable data and money. Phishing, Spam SMS, Ransomware attacks, Denial of service, SIM swap scams, Viruses, Worms, Trojan horses, online job fraud, cyberbullying, cyberstalking, cyber grooming, Automated Teller Machine (ATM) fraud, card/debit card fraud, website hacking, online drug trafficking are widespread cybercriminal activities happening in India. As per the State Application Security Q2 report, 97.1 crore cyberattacks have taken place in India compared to 110 crore cyberattacks globally.
Since the range of internet users varies from six-month-old children to 80-plus-year-old elderly persons, criminals get more chances to use human weaknesses (technically called vulnerability) and easily attack with different methodologies. Online attacks, offline attacks, bot attacks, network attacks, and defame attacks on business organisations are very common in the internet world. Like trained armies, cybercriminals are also well-trained to strike an attack on the masses and organization to damage social life. Those trained cyber professonals work ethically and unethically.
Unethical hackers are also professionally trained in cyber skills but attack against the government, networks, and individuals to damage society, organisations, and individuals. Ethical hackers work for goodness to find the weaknesses in existing networks and regular behaviour and try to strengthen and increase cyberspace security.
What is Cybersecurity?
Cybersecurity is the process of detecting and protecting the digital environment by implementing up-to-date safety measures for digital devices and digital users. It has different nomenclatures like cybersecurity, cyber awareness, and cyber hygiene.
Science Behind Cybersecurity
Cybersecurity is a multidisciplinary domain that includes different scientific disciplines, frameworks, networks, geopolitical policies, national and international laws, and scientific temperaments. Cybersecurity involves preventing and protecting computers, mobile phones, personal information, and organisation data from cyber attackers. Technologically, it is inclusive of computer science, cryptography, network security, information security, operating systems, machine learning, artificial intelligence, cyber threat intelligence, cyber physical systems, ethical hacking, digital forensics, security standards, and enforcement agencies. This cyber ecosystem is interconnected with different industries like healthcare, financial, industrial, telecommunication, transportation, education, media, hospitality, retail, and public sectors.
State of Cybersecurity in India
India is the second largest internet consumer in the world. As Prime Minister Narendra Modi mentioned, in Digital India, cybersecurity becomes an integral part of the nation. The Indian government has built several strategies to protect the country’s cyberspace ecosystem, including establishing a National Critical Information Infrastructure Protection Centre (NCIIPC), a Indian Computer Emergency Response Team (CERT-in), a National Cyber Coordination Centre (NCCC), a central cybercrime portal https://cybercrime.gov.in, incluing a financial fraud toll-free helpline ‘1930’. Protecting and creating awareness for 70 crore users from cyber attacks is a big challenging task for the Indian government.
Cybersecurity is not a seasonal affair like the Indian monsoon. It is an ongoing continuous task to be performed on a daily basis. As Home Minister Amit Shah said, on priority mode, India is creating an effective framework and ecosystem for the prevention, detection, investigation, and prosecution of cybercrime. To develop a sustainable cyberspace ecosystem, different stakeholders like government departments, public/ private organisations, domain experts, industrial experts, individuals, and research and development organisations are very important. It needs continuous learning and adaptation to address new challenges in the digital world.
Online cybercrime
Online cyberattacks are happening in the virtual world, where the internet is the primary medium to target the victims. Since mobile phones and laptops significantly influence our daily lives, most cyberattacks happen on these platforms. Fraudlers approach masses using different methodologies such as phishing, Malware attack, online job fraud, website hacking, Ransomware attacks, viruses, worms, Trojan horse, Denial of Service (DoS), and social engineering.
In June 2023, there was Malware attack at All India Institute of Medical Sciences (AIIMS), New Delhi, by the suspected China or Hong Kong cyber hackers. This threat was successfully neutralised by the deployed cyber-security systems.
In October 2023, Indian Space Research Organisation (ISRO) chairman S Somanth mentioned at a cybersecurity conference that the country’s space agency was facing more than 100 cyber-attacks daily. He also mentioned that Indian satellites, which help the common people on a daily basis, are controlled by different types of software. In this context, cybersecurity systems play an important role to protect all these activites controlled by ISRO command and control centre.
Offline cybercrime
Offline cybercrime is happening in the physical world or has real-world consequences, in which attacks do not happen in the network or the internet. These types of crimes often exploit the human psychology weakness in security systems. Cybercriminals may initiate online financial fraud schemes, such as card skimming, where they capture card information from ATMs by faking the extra devices in card-swiping devices. Identity theft begins online by collecting personal information and ends in the physical world by using identities of others, opening bank accounts, applying for bank loans, and buying SIM cards in the names of others. In the name of the banker, cybercriminals call older adults (this is called vishing) who do not have exposure to the digital world and try to get One Time Password (OTP) pins for fraudulent financial transactions.
Types of Cybersecurity Threats in India
Along with many countries, India also faces multiple cybersecurity threats. These directly attack government organisations, businesses, healthcare centres, essential service centres, and individuals. Different types of cyberattacks are highlighted here.
Phishing attacks are most common in India, targeting individuals and organisations by sending deceptive emails with malicious software links to steal valuable data, like credit card information, Card Verification Value (CVV) numbers, date of birth, and net banking passwords.
Vishing attacks are through telephonic calls; attackers personally talk with the individuals by aiming to collect banking-related information like credit card numbers, ATM PINs, transaction passwords like one-time password (OTP) numbers, and CVVs.
A ransomware attack is hacking personal computers and organisation data centres and encrypting all the data the user cannot open. To access the data, a considerable amount (ransom) is demanded to decrypt the data.
Smishing is a fraud that uses mobile phone text messages to tempt victims to call back on a fraudulent phone number, visit fraudulent websites, or download malicious content via phone or the web.
Spamming is a type of fraud in which cybercriminals send unsolicited commercial messages via email, SMS, MMS, and other hyperlinks. They may try to impress the recipient to buy a product from the website where hackers can track all online translation data and credentials.
Credit/Debit card fraud involves an unauthorised use of another’s credit or debit card information to purchase or withdraw funds from it.
Website Defacement is an attack intended to change the visual appearance of a website and/or make it dysfunctional. The attacker may post indecent, hostile, and obscene images, messages, and videos to spoil the organisation or individual fame.
Cybersecurity Challenges in India
Is India’s cybersecurity law strong enough to deal with the threats? Cybersecurity laws and regulations have been evolving as cyberspace technologies grow in India and across the globe. In the year 2000, the first Information Technology Act (IT Act 2000) was framed in India to address security issues in electronic communication and transactions. In 2008, additional sections were added to deal with unauthorised access, hacking-related offences, stolen devices, identity theft, and publishing and transmitting sexually explicit content online.
Previously, the IT Rules 2011 dealt with data protection standards and requirements for organisations that handle sensitive personal data or information. In 2013, the National Cyber Security Policy was established to promote research and development activists and create a workforce to meet the skilled cybersecurity professional requirements. Indian Computer Emergency Response Team (CERT-In) is the national agency responsible for responding to cybersecurity incidents and coordinating efforts to enhance cybersecurity in India. The Reserve Bank of India (RBI) has issued cybersecurity guidelines for banks and financial institutions to ensure the security of financial systems and customer data. Various sectors, such as telecommunications, space, healthcare, and critical infrastructure, have specific cybersecurity regulations and guidelines.
In August 2023, the government framed the enhanced Personal Data Protection bill in the Parliament session and published the Digital Personal Data Protection Act, 2023 (DPDP) in the Gazette of India notification. This new act ‘provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.’
Indian government collaborates with various stakeholders, including state and central government agencies, law enforcement, industry associations, and international cybersecurity organisations, to strengthen cybersecurity in India.
As like cybercriminals, general public may also knowingly or unknowingly get involved in cybercrime activities. Like cyberbullying, sharing copyright contents in social media, message against religion and government; defacement against any individual in social media also comes under cybercrime. In this context, general public also needs to remain aware about cyberspace rules and regulations. If common public is reluctant to learn cyberspace ethics, it may lead to enforcement of the IT Acts, which include hefty penalties and imprisonement.
Need for Public Awareness
Since organisations are aware of cyberattacks, they are in a better position to prevent and fight against cybercriminals. However, in the case of an individual, they are the easy prey for cyberattackers. Smartphones are distributed across all age groups. Among them spreading cybersecurity awareness, threats, precautions, and mitigations, training sessions, media publicity and seeding the scientific temper are great challenges. At last, the end users who directly uses the internet and online platforms, have more responsibility for enriching their cybersecurity awareness and make others aware of the dos and don’ts in the cyber world.
A few critical dos for cybersecurity:
- Strong passwords with a minimum of 8 characters with upper case, lower case, number, and special characters (ULNS)
- User Multifactor Authentication (MFA)
- Keep updated with anti-virus software
- Keep offline backup data
- Use secured website links that start with “https://”
- Keep checking with mobile app permissions and give the permission when the app is in use mode only.
- Privacy settings to be controlled by who can see your posts and profile information
- Use the ‘lock’ option to protect your electronic devices
- Use biometric authentications wherever possible
- One can meet personal friends online but never attempt to meet online friends in the physical world.
A few critical don’ts for cybersecurity:
- Don’t use free Wi-Fi internet; there is a chance for hackers present in network and waiting to steal your personal credentials and data.
- Don’t share time-to-time updates on social media, which can be valuable information for criminals.
- Don’t open emails from unknown sources, which were randomly distributed.
- Don’t use unsecured websites starting with www or http:// for online transactions.
- Don’t share One Time Password (OTP) with anybody unknown via calls, chat, or emails.
- Don’t share mobile numbers in commercial establishments and malls.
Conclusion
Cybersecurity is not a product to fix at one-time. It is a process that needs to be adopted and practised on a daily basis in the digital world. In the case of organisations, several safety measures are taken care of and regular audit and mitigation activites performed against cyberattacks. But in case of public, they have to protect their digital world on their own. Digital world is common to all the age groups of people, professionals, and criminals. Here, cybercriminals are well-trained compared with the common public. So, cybercriminals are easily creating traps and victimising individuals and organisations.
Physical world investigating system for criminal activity vs digital world investigating system
In the physical world, the triangle of public-police-criminals system is well established in society. If any offence happens in the physical world, everyone knows where to complaint and how to deal with it. However, in the digital world, the imaginary triangle connection is not yet established. In general, the public may not have proper knowledge and guidance to deal with cyberattack incidents. The lack of cybersecurity awareness makes them victims of cyberattacks. In India, trained cybersecurity professionals are small in number to deal with modernised cyberattacks and cyber criminals. It is essential to increase the skilled workforce to prevent and protect the cyberspace environment from cyberattacks.
In the meantime, cybercriminals have a clear agenda and sophisticated tools and advanced technologies to carry out cyberattacks. In this situation, adopting the ‘prevention is better than cure’ strategy will help, even in the digital world. Any cyber incident has two parts: before and after. Following safety measurements before an incident is much easier than adopting the same after a cyberattack has already taken place. The public will be in a safety shield when they follow cybersecurity best practices.
Cybersecurity is a process which has to be adopted in our daily lifestyle to be safe at all times in the digital world.
*Karthikeyan Subramanian is IT head at the Indian National Science Academy, New Delhi. He is also a PhD research scholar at the Council of Scientific and Industrial Research-National Institute of Science Communication and Policy Research (CSIR-NIScPR). Dr Meher Wan is a scientist at CSIR-NIScPR.