Hacking the sarkar

The price of e-governance is careful oversight of cyber security. How is the govt securing its networks?

Municipal corporations around India have traditionally been plagued by ghost employees that exist only on paper and yet somehow draw salaries and pensions. Now, scamsters with the same mindset have discovered ingenious ways to exploit cyber-enabled governance systems. Fake names were reportedly entered in the computerised births and deaths register of the Pune Municipal Corporation by a hacker with the username “Jahangir”. The ghosts qualified for a slum rehabilitation scheme, wherein they would receive 350 square feet each, in lieu of relinquishing (in their case, non-existent) dwellings. This has even more serious implications. If a hacker penetrates a municipal system to set up a credible identity, he can then obtain a passport, permanent account number or a PAN card — even if he cannot directly penetrate the institutions that hand out these documents. If he can penetrate a land registry, he can tamper with real estate records.

Every level of government is increasing its use of information technology (IT). Smart systems massively improve efficiency of governance; they speed things up, they reduce the scope for petty corruption and harassment. But, as IT-enabling grows, so does networking. If a traffic policeman in Pune enters a car registration number and swipes the driver’s licence on his smart reader, he gets an instant update on vehicle status, as well as criminal cases outstanding against the driver. The smart readers reduce corruption, speed up traffic enforcement, and help nail criminals, recover stolen vehicles, etc. The reader connects to the databases of the National Crime Records Bureau, sundry Motor Vehicles Departments, the Pune traffic police, and magistrates’ courts. And if any of those systems are vulnerable, they all could get hacked. On a different scale altogether, regional power grids connect to each other. They balance electricity supply and demand from various plants, states and regions, monitoring voltage and downtime. This must be done via computer — no human can handle it. A Stuxnet-style worm could bring the power grids down, just as Stuxnet crippled Iranian nuclear plants. Airports, railways, and ports are similarly networked and vulnerable. So too are the citizen-facing systems that vastly reduce the pain of filing income-tax returns, receiving tax refunds and passport applications. Other, non-citizen-interfacing, databases are run by the National Crime Records Bureau, the Reserve Bank of India, the finance ministry and the ministries for roads, shipping, defence, etc. All carry information that could be utilised either for competitive gain or to breach national security. All can be compromised.

In networks of networks, the security is only as good, or as poor, as the least secure node. There needs to be a coherent plan to secure every node and comprehensive disaster recovery and mitigation plans. The Pune Municipal Corporation may just be the tip of the iceberg. There is anecdotal evidence that various government websites have been hacked and defaced. There is no evidence that much has been done to prevent deeper penetration.