Centre for Internet & Society

Most banks do not follow the Reserve Bank of India’s standard 64/128-bit encryption policy due to laxity and unavailability of funds.

The article by Koustav Das was published in the Deccan Chronicle on August 9, 2016. Sunil Abraham was quoted.

A recent report by security software firm Sophos highlighted the increasing number of online attacks on Indian businesses, suggesting strong encryption policies can change the existing scenario.

According to SophosLab research, India’s threat exposure rate is pegged at 16.7 per cent, the fifth-highest percentage of endpoints exposed to malware attack.

The research said cyber-criminals have developed a keen sense of luring organisations on the basis of location, language and disguise, leading to an acute increase in the number of targeted attacks.

Global experts have explained that digital attackers are using advanced malware, including deadly ransomware, which locks or captures an organisation’s valued data and demands money to unlock it.

Ransomware is predicted to become deadlier in future, allowing hackers to take control of an organisation’s entire network security.

Not only financial and IT companies but Government websites also face similar obstructions due to lack of updated security tools.

Mohit Puri, Head of Pre-sales, Sophos India and SAARC, said, "India faces increased risk from cyber-criminals due to its high economic growth, which has left several companies to re-think their security strategy."

Reactive to attacks, not proactive

Though Puri mentioned that Indian enterprises have been trying to prevent such attacks, large fissures in network security have made the task easier for online criminals.

One of the major reasons companies fail to prevent advanced cyber-attacks is the lack of pragmatic solutions, despite their awareness of the situation.

Puri said, “While companies are aware about security threats to our systems, we are still not there in terms of how we are trying to mitigate these threats.”

According to Sunil Abraham, Director of The Centre For Internet and Society (CIS), there are manifold issues that have led to the scenario of India’s poor online security.

He said that Indian businesses and financial organisations recognize the situation but do not want to allocate budget for updating their security infrastructure.

“The problem with cyber-security is just like smoking; people are aware of it but they do not care about the warnings. Companies know about the looming threats but need an episode to make a move towards updating their network infrastructure,” Abraham added.

Enterprises also struggle due to the absence of sufficient cyber-security professionals in the country. Abraham said, “There are uncountable software professionals in India but the story is totally opposite when it boils down to cyber-security professionals.”

Weak encryption adoption

According to technology enthusiast Blaise Crowly, Co-Founder & Head of Security Design, Gladius & Schild, "Cryptography—a broader form of encryption—can be defined as a branch of mathematical algorithms that can be used to securely protect data."

Crowly added, “It is one of the strongest forms of all defence mechanisms against cyber attacks.”

However, a Sophos assessment—State of Encryption Today—where 1,700 Indian IT managers were surveyed, showed the ignorance of companies towards integrating strong encryption tools.

Out of the total number of participants, 61 per cent felt encryption holds significant importance in protecting a company’s proprietary data.

Others had peculiar reasons—18 per cent felt that encryption would help avoid incurring additional costs after a breach and 23 per cent just wanted to avoid negative publicity of the company.

Even in the case of banks, reports suggested that most do not follow the Reserve Bank of India’s (RBI) standard 64/128-bit encryption policy due to laxity and unavailability of funds.

“Indian organisations need to take a second look at their security posture and deploy up-to-date synchronized security solutions that are able to combat today’s threats as well as tomorrow’s,” said Puri.

Government’s role

A 2015 CIS study, titled “How India Regulates Encryption” mentioned that under section 84A of the IT Act, the government has the sole authority to prescribe modes and methods of encryption.

Though the government has not yet issued any rules in exercise of these powers, it had earlier released a draft encryption policy on September 21, 2015. However, it failed to pass it due to widespread criticism regarding certain mandates in the draft.

In addition, the Internet Service Providers (ISP) License Agreement, between the Department of Telecommunication (DoT) and Internet Service Providers (ISP), limits the use of encryption up to 40-bit key length in symmetric algorithms—an extremely weak standard.

Although it cannot be enforced if organisations employ third-party encryption systems, it becomes extremely expensive for them. In such a scenario, companies hesitate in using better encryption standards.

CIS Director Sunil Abraham said, “To solve the issue, the government should work towards incentivising and enforcing strong security infrastructure which will help companies get these features at a lower price.”

Adding to the aforementioned statement, Crowly highlighted that current security standards set by the government cannot adeptly counter advanced threats.

“OpenSSL, LibNaCl and similar protocols provide free implementation of encryption schemes that companies can use. The only issue is that companies and government agencies should show proper diligence in hiring experts in this field,” Crowly concluded.