Cyber insecurity Human vulnerabilities are exploited for IT crimes
by Roopinder Singh
Security, or rather the lack of it in the cyber world, has come into focus again. National secrets have been leaking out at an appalling rate and supposedly secure computers have become more of cyber sieves than repositories of data.
There has been a major leak of electronic data from the National Security Council Secretariat in New Delhi. Mukesh Saini, a former Navy Commander who served as the information security specialist at the NSC, is now being sought for questioning, while S. S. Paul, a systems analyst, has been arrested. Ujjwal Dasgupta, Director of Computers in RAW, is also under a cloud, as is the high-profile Indo-US Cyber Security Forum.
The NSC leak comes at a time when the CBI charge sheet in the Naval war-room leak case states that no less than 7,000 pages of classified information were compromised between 2002 and 2005 when three now dismissed naval officers simply downloaded the data from the computers and took it out from a room that was supposed to have maximum security. The data compromised by this leak included operational plans and communications data from all the three armed services.
While not comparable to the national security implications of these two cases, there have been two incidents on the business side, too, that have exposed the Achilles’ heel of Indian IT operations-security. With huge stakes for both national security and business process outsourcing (BPO) industry, India can ill-afford the publicity and the resultant perception of the nation as a insecure destination.
In Bangalore, recently, Nadeem Kashmiri, an employee of an offshore unit of Hong Kong and Shanghai Banking Corporation (HSBC), allegedly colluded with criminals and supplied them with confidential consumer information that allowed them to steal nearly Rs 1.95 crore from account holders of the bank in the UK.
On the other hand, Ankit Srivastava, downloaded call details of some very important public figures and officials who are Airtel customers and apparently attempted blackmail thereafter. Like others, these two persons, too, have been identified, arrested and will now face the law.
The HSBC case is the third BPO fraud reported in India. Last year, five employees of Msource were arrested in Pune for allegedly siphoning $ 4,25,000 from Citibank in April. A sting operation by a British paper in June that year exposed how an employee of Infinity E-search, Gurgaon, was willing to sell confidential consumer information to the newspaper’s reporter.
Nasscom’s quick reaction and the ability of the Indian police to arrest and prosecute the accused in all these cases augur well for the nation, since the world is learning to deal with cyber crime, which affects very real lives. The industry response to cyber leaks has been more responsive than the answers from the officialdom in cases involving breach of national security.
The companies where the crime took place have played a major role in detecting the security breaches and seeking professional help to catch the criminals. This contrasts with a “brush under the carpet” mentality that seems to dominate bureaucracy, uniformed or not.
No doubt, security breaches are not unique to India, but India is vulnerable because of a “chalta hai” attitude, even towards security.
There is no earthly reason why anyone would be allowed to bring pen drives inside high-security areas and use Web-based e-mail at these offices. There is no justification for allowing computers to have USB ports that allow, among other things, data to be uploaded and downloaded. Secure networked computers should not have any floppy drives, CD writers or USB ports, unless strictly required for operational reasons, in which case these should be watched even more closely than the other computers.
If you look hard enough at a security breach, you will find casualness, carelessness and complacence that allowed the perpetrators of the crime to commit it. It is human vulnerabilities that are exploited for cyber crimes.
Unauthorised contacts with foreign nationals should have been spotted by the security services before the damage was done in the NSCS case. Also, $ 50,000 was promised, and $ 20,000 delivered for the data. In the Naval war-room leak case, old-boy ties coupled with pecuniary promises seem to have done the trick; in the HSBC case, the youngster was told he would get a job in the UK, and the Airtel hacker was just plain greedy.
With computerisation, the volume of data available to individuals who have access to it is tremendous; thus, the need for more security. It should not be of any comfort for India that as compared with the developed world, it has fewer cyber crimes.
No doubt, the Indian legal system has been effective in apprehending the suspects and the independent judiciary ensures that the guilty have the book thrown on them, but much more needs to be done. The Mumbai police is to be lauded for seeking the assistance of KPMG Advisory Services to equip its policemen better to deal with BPO fraud cases and other offences in the Cyber Crime Act.
Anyone working in a high-security environment is aware that he or she is subject to much more checks that an ordinary person. While one does not know the specifics of the government’s working, often BPOs use measures that would be considered intrusive in the developed world to keep a tab on their employees.
These include closed-circuit cameras, firewalls and ban on camera cell phones. In theory, the antecedents of all employees are checked thoroughly before they are recruited. There are checks on employees while they are on the rolls of the companies, too. Presumably, the government uses these measures and more, yet there are breaches, which underlines the fact that cyber security needs to be taken seriously. Computer centres that contain data are like Fort Knox, and the data is the gold that must be secured with the same diligence and industry.
The Tribune, OpEd Thursday, July 6, 2006