India Needs A National Digital Security Architecture, And Needs It Now 

The recent hijacking of the Twitter accounts of the Congress Party and its vice president Rahul Gandhi made much headlines. The subsequent hijacking of the Twitter accounts of prominent journalists from NDTV, alongside a public dump of emails belonging to one of them, has been the subject of much public and political debate. Lost in the tit for tat political exchanges is the real import of the underlying hacking that seems to have happened where the political and media personalities were merely collateral damage.

It is in the Mashable interview though that we get a specific insight into what might have motivated the larger hack in the first place.

In what appears to be a case of reality inspiring fiction to inspire back reality, we get a glimpse into the hacktivist moorings of this group. In recent times, a popular American TV series Mr. Robot has propelled into popular debate the shadowy world of hacktivist cults. But the roots of this hacktivism go all the way back to the late 1990s and early 2000s, to what is known as the “anti-security” movement or the Anti-sec movement. The motivation of this movement was a backlash against security professionals and the security industry for full disclosure of vulnerabilities. The protagonists of this movement believed that some vulnerabilities had to be kept private and secret to allow for hacktivists to compromise these systems through publicly unknown methods.

According to an article published in the SecurityWeek some time back, the hacktivist groups like Lulz and Anonymous that made news in the West a couple of years back, trace their affinities directly or indirectly to the Anti-sec movement of the early 2000s and to what is known as “Project Mayhem”, that is more specifically written as “pr0jekt m4yh3m”.

Another article that appeared in Phrack.org sheds light on the audacity of the latest crop of hackers. While past incarnations of Anti-sec have humiliated many well-known sellouts in the computer security industry, today's blackhats are not scared to hit higher profile figures in law enforcement, military, and governments.

To what degree The Legion is directly linked to these other Western groups is unclear, but the specific references to the originators of the Anti-sec movement, like el8 and the reference to “project mayhem”, is a pointer to take this as something far bigger than the political colour that has been given to the incidents, thanks largely to the choice of Twitter accounts used to make a public statement. In June 2016, on one of the forums frequented by individuals associated with this movement, we read of a speech on the anti-security movement delivered in an internet relay chatroom. The post on the forum defines “blackhats” as those who hack for hobby, as those who do not post their exploits publically and most importantly do not work for security companies. What is of interest in this speech is the question and answer session that followed. During the Q&A it was confirmed that “project mayhem” was still active thus making Legion’s reference to “project mayhem” in the Mashable interview significant.

While much of the media focus is on the likely next targets of Legion and the political controversies to follow, it is important to underscore the need for India to evolve a coherent national digital security architecture. It is a shame that the public debate has either been reduced to a lament on privacy laws by some or to one of alarmism on digital cashless banking by others.

A coherent national digital security architecture also becomes imperative to address the current mishmash of agencies with overlapping jurisdictions and archaic capabilities that are several generations behind the hacktivists.

The Legion incidents are a wakeup call for Digital India, though for reasons vastly different from the political spin being advanced by the Congress party and the affected journalists.