Even as the number of internet users continues to rise and the government increasingly seeks to offer citizen-centric services through the internet, data show about half the government departments and ministries in India are vulnerable to data theft, hacking and cyber terrorism.
According to government sources, of about 7,000 government websites, only 3,192 have been audited for information technology (IT) security, while 3,556 others are being audited.
Most government sites are hosted by the National Informatics Centre (NIC). Before being hosted, these websites have to be given a security certificate. The government has empanelled auditors to certify the security of such websites. “According to our data, about half the government websites are vulnerable to cyber attacks. Most of the government websites do not have proper security checks in place,” said Yash Kadakia, head of Security Brigade, a government-empanelled security auditor.
IT Secretary J Satyanarayana said, “We have made it mandatory for all government websites to produce a security certificate before being hosted by NIC. We have been following this policy for the last two years.” Though he agreed the number of cyber attacks on government websites had risen, he denied most government websites were vulnerable to such threats. “We are working on a comprehensive cyber security policy to make the cyber space secure,” he said.
According to government data, 774 government websites have reportedly been hacked in the last five years. These attacks appear to have emanated from countries such as Australia, Bahrain, Brazil, Egypt, Germany, Indonesia, Lebanon, Libya, Morocco, Pakistan, Saudi Arabia, Spain, Turkey, the UAE, the UK and the US.
In 2009, 201 websites of various ministries and government departments were hacked. This number rose to 303 in 2010, 308 in 2011 and 294 in 2012 (till October). According to data with Indian Computer Emergency Response Team (CERT-In), the cyber security arm of the government, the defacement of Indian websites has almost tripled, compared to 2007.
The defacement and hacking of government websites have not only brought to the fore security lapses, but also resulted in financial losses to the exchequer. According to the Reserve Bank of India, between 2009 and 2011, 489 e-fraud cases were registered, and these led to a loss of about Rs 28.46 crore. Separately, the Central Bureau of Investigation’s economic offences unit registered nine financial fraud cases between 2009 and 2012 (February). These led to a loss of Rs 43.92 crore.
This is despite the huge sums the government spends to tighten security loopholes every year. In 2012-13, the Department of Electronics and Information Technology allocated Rs 45.2 crore towards cyber security.
A major reason why NIC-hosted websites are vulnerable to cyber attacks is it faces a shortage of manpower. NIC outsources security audit works, as it doesn’t have the manpower required to deal with such huge traffic.
Recently, the government had appointed a committee under the chairmanship of Unique Identification Authority of India Chairman Nandan Nilekani to examine NIC’s requirement for additional workforce. It is expected the committee would submit a report within three months.
There is a shortage of IT security auditors in India. Currently, their number stands at 60.
A senior government official said the government had taken various steps to improve cyber security. These include the implementation of best practices on security, based on ISO 27001, the establishment of the National Watch & Warning System in the form of CERT-In.
Till now, ISO-27001 standard has been implemented by only 527 government organisations.