15 March 2017

Data-theft entrepreneurs, a new breed of cybercriminals

Puru Naidu

Information leaks during the 2016 US elections increased the market value of stolen information, giving rise to data-theft entrepreneurs. Are our national security capabilities up to par?

The year 2016 saw major information leaks that drastically influenced the world and our information security outlook.

I bet you just flashed back to Clinton’s email leaks and Trump’s “grabbing by the…” remark.

Justifiably so: the US elections were scandalous in that both sides were leaking dirt about the other, along with Russian interference. But those weren’t the only leaks. Yahoo, LinkedIn, the FBI, the Department of Homeland Security, Oracle, and Verizon also experienced major information leaks last year.

For instance, a hacker supposedly working for a nation-state stole information on 500 million Yahoo accounts. In another instance, a hacker attempted to sell 167 million LinkedIn accounts’ information on the dark web.

These breaches and leaks have colossal implications for the security industry and political systems. Information breaches have mostly been for financial gain, and some for the public shaming of corporations by hacktivists.

But the 2016 US election soap opera drastically changed the game and enhanced the market value of stolen information. Going forward, nation-states and political parties will be willing to pay top dollar for information that could strengthen their position, not just from a political angle but also for better economic bargaining power. Consequently, as the value of and demand for stolen information increase, so will the supply. More individuals and non-state actors will rise to make a quick buck. Attacks won’t be limited to external threats but will also include threats from insiders. Confidential information will be sold to the highest bidder.

What does this mean for our nation?

I’ll spare you the typical ‘India doesn’t have an adequate data theft protection policy’ or ‘the law enforcement is incompetent’ comment. Not saying that it isn’t important, but Indian laws don’t scare foreign state or non-state actors. And forget about the political skirmish; it’s inevitable.

My bigger concern is that as India emerges as a global economic player and increasingly goes digital, our economic infrastructure will, now more than ever before, be under constant threat: threat as in espionage and interference from other nation-states or corporations. One example of such a non-state actor is Suckfly, a cyber-espionage group that targeted government and commercial organizations in India for two years between 2014 and 2016. Targets included a top five Indian IT firm, two government organizations, one of the largest financial organizations, and an e-commerce company along with its shipping vendor. There haven’t been any updates since the group was outed by Symantec last year.

How much will your Aadhaar data go for? Source: Courtesy of CCA

So my question is two-fold: do we have a proper intelligence architecture to deal with such threats? If so, are our operational capabilities up to par?

The basic ‘raising awareness among all stakeholders’, ‘initiating better security culture’, or ‘increased threat information sharing’ is not going to be enough. We need to set up a proper Human Intelligence (HUMINT) network that understands the data theft market, that knows who the key nodes are, and that knows how to properly handle information that pertains to our national security and economic prosperity.
