Hacked and shamed
The website of the National Security Guards (NSG) was successfully attacked on July 2, 2011. Some reports mention that the mail system of the organisation was also breached. Two days later, the website of India’s National Investigation Agency (NIA) was taken down to “tighten security mechanisms in order to prevent hacking.” More than two weeks later, the NIA website was still offline. These Government of India online assets are maintained by their own internal technical wings, in consultation with the National Informatics Centre (NIC).
Defacement of websites is a routine occurrence and usually not a cause of major concern, apart from the embarrassment caused by the negative publicity. However, unauthorised access to the email system is a different matter altogether. Depending upon the practices being followed, this could either have leaked encrypted digital communication between various officials in NSG and beyond, which would be of no practical use to the attacker, or could have revealed unencrypted emails discussing sensitive topics. The details have been sketchy, but at least one media report states that the computer system used by an army major-general had been ‘hacked’ into, as it was discovered that a number of “letters” were sent on behalf of the general officer.
The NSG downplayed the event. However, its explanation was bizarre: “The problem was detected on Friday… and we have ordered upgradation of security features on our site. There was no loss of crucial data. It was done by government agencies of India to check vulnerability of our site” (emphasis added).
This should mark a low point in attribution with the NSG pointing fingers at another government agency for publicly defacing its website. If true, this was a rather unusual public “hack-and-shame” process, unprecedented in the Indian government’s history.
More likely, however, is the possibility that the NSG was caught unaware and is taking creative liberties in coming up with a reason that does not implicate its officials for lack of competence. If this is indeed true, the Indian government must warn all agencies that such public accusations cannot be made merely to avoid tough questions from the media. Accusing a “foreign power” is one matter, but accusing another agency amounts to a serious allegation that will have repercussions for the various parties involved, depending on the validity of the accusation.
This episode brings to mind the incident in 1998 involving the Bhabha Atomic Research Centre (BARC) in which the group “milw0rm” broke into the BARC network and accessed sensitive emails related to the Indian atomic programme. It can be reasonably hoped that the NSG incident is not as grievous as the BARC one.
However, irrespective of the effects of the break-in, the incident highlights the need for better security measures to safeguard the sensitive communication exchanged among government agencies that perform a crucial role in national security. The old saying, “a chain is only as strong as its weakest link”, while hackneyed, still rings true, especially in the fast-paced world of digital security.
The government must invest in a rigorous vulnerability management programme, more so for Internet-facing infrastructure. This must necessarily cover not only Internet-facing content, but also the supporting infrastructure—network devices, web and mail servers, databases and terminals. Over the years, think tanks and non-governmental organisations have articulated the need for such a programme; indeed, many governmental bodies at various points of time have made representations that such a programme will be instituted along with “security hardening” mechanisms. However, while we are not fully aware of the nature of the security exploits that caused the above breaches, it is clear that there is a substantial gap between policy statements made to assuage public fears and the ground realities of the state of security of NIC’s Internet-facing infrastructure.
More troubling are the questions about the manner in which NIC’s security experts are going to address these issues. The long downtime of NIA’s website is an indication of a lack of resilience. While the need to balance security imperatives and information dissemination is understandable, there has been no communication on the nature of the attack or on the steps being taken by the government’s security experts to remedy these vulnerabilities. There has been a distinct paucity of probing questions in India’s mainstream media on issues related to security breaches. Nowhere is this paucity more apparent than in the NSG spokesperson’s response to the compromise of the email account of a serving general officer of the armed forces, where the spokesperson confidently indicated that “there was no loss of crucial data.” The media ought to have done a better job of challenging implausible statements made by spokespersons.
Given the NSG spokesperson’s representation, it is not clear whether the government truly understands the need to take very concrete steps in implementing its own policy statements on security hardening and vulnerability management in line with best practices. With due apologies to the English sitcom Yes, Prime Minister, the time for “something must be said. This is something. Therefore we must say it” is over.