'They (the ransomware attackers) are not after any VVIP data.'
'Had that been the case, they would have quietly installed a different malware.'
As servers at the All India Institute of Medical Sciences, India's premier medical facility, remain out of service seven days after coming under duress from a cyberattack came reports of a service outage at Mumbai airport's Terminal 2 on Thursday, December 1, 2022, evening.
While Thursday's snag at T2 terminal was due to an Internet server outage, Mumbai witnessed power outages on October 12, 2020 as India and China engaged in a military faceoff in Ladakh and yet again on March 6, 2021 due to a possible breach into the power distribution network that supplied electricity to Bhiwandi, Mumbra and Kalwa in Mumbai's adjoining Thane district.
A report published by Recorded Future, a US-based company that studies use of cyberattacks by State actors pointed fingers towards China's RedEcho group for both the power outages, one of which on October 12, crippled the functioning of India's premier stock exchange the National Stock Exchange that reports daily turnover of more than Rs 50,000 crore (Rs 500 billion).
The cyberattack on AIIMS should be looked into very seriously, asserts Dr Gulshan Rai, former National Cyber Security Coordinator at the prime minister's office.
Dr Rai, former Director General of CERT-In (Indian Computer Emergency Response Team) discussed at length with Rediff.com's Prasanna D Zore and Ashish Narsale the implications of such attacks, the measures India needs to adopt to match up to State and non-State actors who could target the nation's critical cyber infrastructure.
How do you look at the breach of servers at the All India Institute of Medical Sciences? The Delhi police has registered a case under provisions of Section 66 (F) of the IT Amendment Act 2008 which makes it an instance of cyber terrorism.
Ransomware attacks and registering a case under Section 66 (F) are two different aspects. It's a fact that some servers of the AIIMS were attacked for ransom.
Ransomware basically (involves) some sort of software which is sent to the computing system, cyber infrastructure, which when someone clicks on it, it encrypts the entire data and then the keys (to decrypt this data) are not available.
In case of ransomware, the adversary who sends the link normally sends a message that they will decrypt the data and make it public or sell it to someone interested and then demand money to not execute their threats. The number of ransomware attacks in the country have gone up significantly by order of magnitude.
With AIIMS being a premier public health institution -- with deep research and treatment capabilities in the medical field -- catering to whole lot of patients not only in Delhi but all over the country.
In the present digital age things are getting deeply and widely connected to one another.
All the imaging devices (at premier medical facilities), the backup systems are getting more and more interconnected via digital networks.
And any kind of ransomware attack not only impacts the servers storing patients' data, operation services there, it can also damage costly imaging devices.
Devices like the ultra sound machines, CAT scan machines, gamma ray scans, and MRI machines are all interconnected. So, ransomware attacks on such medical facilities can have a huge impact on lakhs of people.
While I am not aware how deep and wide the impact of the ransomware attack on AIIMS has been, what I see from the media reports and from what my sources tell me, so far no imaging device has been impacted; but yet such attacks can have a deep impact on imaging devices.
By God's blessings, none of the imaging devices have so far been reported to have suffered any damage, but the MIS, the data (of patients) could have been impacted.
But it is a serious attack; a lot of patients have been impacted. It could have been an issue of life and death of the patients.
Such attacks have the potential to cause loss of lives also. And whenever there is a potential of loss of life there is some element of terrorism there.
The Geneva Convention restricts State or non-State actors from attacking hospitals (either physically or through cyberattacks). AIIMS is a humanitarian facility; so such attacks fall under the ambit of terrorist attack. It is an act of terrorism and so the Delhi Police has registered a case under Section 66 (F) of the IT Amendment Act 2008.
Could sensitive medical data of India's VVIPs have been compromised in the AIIMS cyber terrorism attack? What could be the implications of such data leak on privacy of India's top political leadership?
These are all rumoUrs yet that there's so and so data leak. We have to wait till the investigation is over. I doubt if there were any VVIP data on the servers (at AIIMS that were compromised).
As per protocol, lot many precautions are observed when VVIP patients are admitted; the data is preserved in a slightly different manner there.
Nevertheless, this is a serious matter even if the VVIP data is kept behind many firewalls where it is not easy (for hackers) to access it.
In your expert assessment, were the cyber attackers after ransom money or was medical data of India's VVIPs their principal target?
No, they (the ransomware attackers) are creating a sensation here. They are not after any VVIP data. Had that been the case they would have quietly installed a different malware.
Their main intention seems to be attracting attention here.
This looks more like a terror attack than an attack intended to steal sensitive medical data.
We will know how much data has been damaged or stolen only after decryption takes place. I think AIIMS certainly would have back up data which can always be restored.
But issue of physical damage to equipment is real.
Ransomware attacks are meant to damage the systems more than target medical thefts. There are much better techniques to collect data.
I completely rule out that the intention could have been data theft. If that were so, it would have been a different kind of attack.
Their aim was to seek attention by damaging the system; by exposing that such an attack could be launched and entire data could be deleted.
VVIP data is secured somewhere else.
But the security and safety of the entire cyber ecosystem needs to be strengthened.
What kind of cyber security audits and preparedness can one expect of India's critical infrastructure after AIIMS attack?
See, Section 43 of the Information Technology Amendment Act mandates, that the IT infrastructure, cyber infrastructure should be audited every year or as and when significant changes are made to such infrastructure.
ISO27001 should be implemented there. The institutions must spend about one per cent of their entire IT budget for securing their cyber infrastructure in various parts of India.
There have been some recent guidelines that have been issued and notified and are in public domain and in the context of the AIIMS attack as per these guidelines gaps will be plugged in, weaknesses identified and strengthened.
What measures can Indian corporates and public sector utilities adopt to prevent such cyberattacks of the critical online as well as physical infrastructures?
The cyber space is becoming a very important part of any economy; today the cyber space controls a significant chunk of an economy's productivity and efficiency.
Every corporate is aware of it and they must look into it seriously; they should get their systems audited, enhance the resiliency of their systems by using technology upgrades to secure their cyber ecosystems; more importantly is the training, cyber skills, of the staff should be enhanced significantly; there should be regular audits and the India Counter Emergency Response Team (i-CERT) has notified a panel of more than fifty auditors.
Every corporate serious about protecting their cyber infrastructure must take one of the empaneled auditors or they may go on their own also and get their systems audited regularly; not only audit, but they must follow the reports (submitted by auditors) in letter and spirit and quickly upgrade and enhance the resiliency of their cyber systems.
What capabilities does India possess in countering cyber espionage and cyber terrorism attacks on its critical online infrastructure?
India has a good capability; we are quite aware of such issues. We have necessary skills, necessary tools, but the challenges are bigger because the technological innovations in this field.
This is a field where everyone has to stand on their feet all the time; be vigilant and keep on enhancing the resiliency of systems and try to check the adversaries and perpetrators (of such acts) and must respond accordingly to counter them as are the norms with other countries which do that.
How active are State actors when it comes to cyber espionage?
They are very active. 50 per cent of cyber intrusions into our country are from China and Pakistan and other countries (adversarial to India) out there.
On August 15, 2020 Prime Minister Modi, while delivering his address to the nation from the Red Fort had proposed to revive India's cybersecurity strategy. Has the process begun?
I also heard the honourable Prime Minister Narendra Modi make an announcement from the Red Fort on the Independence Day that we will revive our cybersecurity strategy.
I believe they must have started over (the process of reviving cybersecurity strategy). So far, I have not seen any document in the public domain or have not seen any document notified on any government website or anywhere else.
A lot of industry people have also been asking about it, but to the best of my knowledge the revised cybersecurity strategy has not come, but I stand to be corrected.
Our cybersecurity strategy today needs to be upgraded. Since 2013 lot many things have changed.
Digital transformation has undergone a sea change; every day we are using emerging technologies like artificial intelligence and the IOTs as well as cloud computing.
Technological transformation today has changed the country. India's digital economy is now almost 25 per cent of the total economy.
Keeping pace with this rapid adaptation of technology, the cyberattacks have changed. We are in a more distributed kind of system and structure; computerisation has seen deep penetration and acceptance.
The speed of innovation itself is a challenge to come out with a (cybersecurity) strategy; in my view, any strategy which will be announced today or tomorrow or any time, needs to undergo a regular, periodical upgradation.
