Uttarakhand’s Cyber Security Cloud Burst: Opinion Edition

Cyberattacks on the government and significant business websites are as much a reality as physical insurgency and terrorist attacks. The latest cyber ransomware in Uttarakhand on 2nd October, 2024, brought the State Government machinery virtually on a halt. More than 90 major websites of the Uttarakhand Government inter-alia CM Helpline, 'Apni Sarkar', 'E-Office', 'E-Ravanna portal, Chardham registration, and Land Registry were compromised. Uttarakhand Government’s data centre was hacked, crippling the State’s entire Information Technology infrastructure. This attack, apparently, captured the State’s Information Technology Development Agency (ITDA) server, holding the critical data of crores of people and sensitive government departments, including the office of the Chief Minister, and demanded a ransom. It is no short of paralysing the State Government. One week later, on 10th October 2024, the Uttarakhand Government announced that there had been no data loss. However, several critical questions loom large.

Cyber experts view it from multiple lenses rather than mere ransomware attacks and data recovery.? The government’s preparedness to combat such a massive cyberattack is under question and accountability is at stake. The data of the last three years, curated by various State and non-State agencies further reflect a vulnerability of the Indian cyber system. For instance, till date in 2024, India witnessed 388 data breaches, 107 data leaks, 39 ransomware activities, and 59 cases of access sales or leaks. We also sustained nearly 5 billion cyberattacks in 2023. Approximately, 50 government websites were hacked, and there were around 8 incidents of data breaches in 2022-2023. In an alarming case, India’s weak cyber security architectural plan and IT infrastructure was exposed two years ago, when in 2022, AIIMS Delhi succumbed to a similar ransomware attack, compromising critical healthcare services for almost two weeks.This was probably one of the worst set-backs for Indian cyber security infrastructure in recent times. It was clearly a bold? RED signal for governments to envision a clear roadmap to prevent such mishaps in future. However, it seems Uttarakhand overlooked it for want of vision. There seems no plausible answer why the Uttarakhand Government does not have a proper cyber crisis management plan. More so, two years ago the same Government of Uttarakhand, tasked ITI Limited, in Bengaluru to craft a disaster recovery plan.? But it seems the matter has been in cold storage since then. It never saw the light of the day. Probably the government has so far treated cyber security as another welfare scheme which is announced during elections and forgotten until the next term. If this is the case, then we are heading for a bigger aftermath of a disaster after the data breach. A prudent cyber expert’s mind may ask, what prevented the State Government from implementing a plan in the last two years? Given the escalating number of global cyber-attacks, the State Government urgently needs more specific regulations, guidelines, procedures, or standard operating procedures (SOPs) to combat these crimes. Immediate policy changes and the implementation of effective measures to counter cyber threats are not just necessary but crucial. The more we probe this disaster, almost a pandora’s box of questions seems to open up. How could the state government overlook recruiting more subject matter experts for the Information Technology Development Agency (ITDA), in contrast to the existing team of three members, who are not even subject matter experts? As it appears, Data backup, a fundamental practice in cybersecurity, was not previously implemented, raising serious concerns about the State's risk management strategies. There also seems to be a callous approach of the Government of Uttarakhand in firmly conducting a timely security audit of the ‘State Date Centre’. Non-establishment of the cyber security task force till date calls for another alarm in this scenario. While now the State Government has filed a FIR under section 308(4)(extortion) of the Bharatiya Nyaya Sahinta, 2023 and 65/66/66C of the IT Act, 2000, there is a dire need for an overhaul of the Uttarakhand’s cyber security basic architectural design, recruitment of subject matter experts, inviting consultants on boards, setting up cyber security nodal officers in every department, rigorous and continuous training and constant engagement for evolving cyber security plan because such attacks may happen again, only precaution is the best cure. The half-baked cyber security plan cannot ensure the safety and security of the residents of Uttarakhand. Uttarakhand is known for cloud burst disasters, the 2nd October, perhaps will be remembered as the Uttarakhand’s Cyber Security Cloud Burst, till robust plan is placed on the table.

It is quite evident that the Uttarakhand Government could not smell or see this coming despite enough reportage of cybercrimes across the country. It was knocking on our doors, and we opened our door wide open, then shooting the ransomware to mitigate the damage. A healthy dialogue between cyber experts and the Government is now warranted for a future roadmap that may not only help rebuild Uttarakhand from the crisis and may even serve as a model for other States to borrow from.

_______________________________________________________________

Authored by: Ms. Pakhi G. (Co-Founder, World Cyber Security Forum) and Dr. Nachiketa Mittal (Professor of Law and Registrar, NLU Tripura)

(Both the authors are natives of Uttrakhand)