Responding to Antrix Hack
How Must Government Agencies Improve Security, Response?
The website of Antrix, the commercial arm of the Indian Space Research Organization, was defaced by unknown hackers on July 12. According to multiple media reports, ISRO officials have confirmed the defacement, but maintain that no security breach has taken place, as the Antrix website only contains public information.
The compromised URL for the Antrix website led to a web page for buying sports merchandise. No conclusive attribution has been possible, although media reports have suggested Chinese involvement. Some experts have discounted this, however.
Antrix, a Rs.1,700-crore public sector unit, is part of the Indian space agency and sells commercial satellite services to foreign government and private customers, including launch services. The defacement comes immediately in the wake of the successful launch of five satellites for the UK by ISRO the week before.
According to a report by India Today, on July 14, ISRO Chairman Dr. A S Kiran Kumar confirmed that no sensitive information was compromised. The chairman said that the website was under construction at the time of the alleged hack and in the process of being moved to ISRO's servers, which made it vulnerable to compromise. The site is under the management of an unidentified Mumbai-based service provider.
The hack is one of numerous recent defacements and compromises, with 155 .GOV and .NIC domains having been compromised in the past year alone, according to a report by web app security vendor IndusFace. [See: Indusface on the Web App Security Gap] While website defacements are typically cyber pranks that cause inconvenience, concerns are being voiced over the state of information security in India's government agencies.
"But while we keep castigating the government agencies for poor security, no one comments on the product being delivered by the third-party vendor - Vendors need to be held accountable too," says security expert Dinesh Bareja, founder of the Open Security Alliance. Website developers and vendors are not following secure development practices and are cutting too many corners, he says.
Government departments may talk big in RFPs, but don't deliver in substance, Bareja says. Their security requirements are written in such a way that compliance is easy to meet, and vendors take advantage of this. Accepting a low-cost government contract does not absolve a vendor of the obligation to deliver a secure product.
Yet these same vendors delivering substandard products are being cleared by CERT-certified auditors, says Bareja. As this is a government agency, the audits need to be conducted by CERT-In approved auditors, he says. "CERT-In can help here by bringing in a system that penalizes auditors when they do shabby work for ridiculously low quotations."
Coherent Incident Response
With potential to go beyond cyber-vandalism, such compromises represent a real and present danger to the country's critical information assets. With such incidents becoming commonplace, it would be prudent for government agencies to take stock of the situation and, most importantly, get a coherent incident response in place, experts advise. Among their recommendations:
- Reduce Site Downtime - ISRO has responded to this latest incident by putting up an 'under construction' placeholder within hours of the defacement, says Bareja. While he hopes that this was not a major breach, the first response in the event of a hacking or defacement incident needs to be getting the site back online. The less the downtime, the less the vacuum where speculation thrives, he says.
- Bring in Expertise - With a large number of government agencies dependent on third-party support, personal relationships and complacency usually score over professional competence when it comes to incident response, experts say. "In the event of a security compromise, do not call the same guy who built your site and security," advises Bareja. Call a third party for incident response, and make sure the developer and security vendor are kept informed of the issues first hand.
- Have a Communications Plan - Crisis communication is very important, Bareja says. "Consider ISRO's weak statement against statements released by mature corporates like Reliance when the Jio vulnerability was announced recently. Then compare the incident when the Indian CBI forgot their website was hacked and let it be for three months." Government agencies are notoriously ill-prepared when it comes to communication, and this is not acceptable or responsible behavior, Bareja says.
Once you have the basics covered, there is a need to investigate the incident thoroughly and plough back the learning into your environment by updating systems and controls, Bareja advises. A strong, well-defined incident response, containment and management policy and procedure are important, especially for government agencies, as they are a big target. Generally, organizations may have a one-page incident management plan, which doesn't hold water in a 'wartime' scenario, he says.
Legal Mandate for Cybersecurity
Pavan Duggal, advocate, Supreme Court of India and president of Cyberlaws.net, points out that cybersecurity is not a significant national priority. India lacks distinct legislation on cybersecurity and has instead chosen to adopt a cosmetic approach. While the IT Act 2000 was amended in 2008, a large number of cybersecurity legal, policy, and regulatory issues remain unaddressed.
"The National Cyber Security Policy of 2013 has remained a mere paper tiger inasmuch as there is not much information available in the public domain in terms of effective enforcement," he says. There is a need to rapidly evolve legal paradigms in cyberspace and a legal mandate for cybersecurity. [See: Why India's Cyberlaw Must Rapidly Evolve] Indian cyberlaw does include the concept of a protected system, but a large number of governmental networks have not been designated as protected systems, he says.
Duggal says cybersecurity is both a technical and a legal issue, and he believes that the significance of the Antrix hack is immense. "India needs to wake up from its complacency and treat an attack on its space agency with the utmost seriousness," he says. While the government has announced the Digital India campaign with much fanfare, its success will depend on a secure cyberspace, and there is a clear need for distinct legislation that incorporates cybersecurity as part of national security, he says. "For instance, China has come up with just such a legislation in the last fortnight."