India Needs A National Digital Security Architecture, And Needs It Now 

The recent hijacking of the Twitter accounts of the Congress Party and its vice president Rahul Gandhi made much headlines. The subsequent hijacking of the Twitter accounts of prominent journalists from NDTV, alongside a public dump of emails belonging to one of them, has been the subject of much public and political debate. Lost in the tit for tat political exchanges is the real import of the underlying hacking that seems to have happened where the political and media personalities were merely collateral damage.

Since the hacking incidents of the past couple of weeks, a few interviews have surfaced that claim to report a conversation with the alleged hacker(s), part of a group that refers to itself as “The Legion”. While the interview that appeared in the Washington Post and FactorDaily are light on the technical details and heavy on the politics, it is the interview that appeared in the Mashable that is more interesting. In both the other interviews, we get a sense that the group has no overt political agenda, and the data collected by them was much larger spanning multiple infrastructure providers with mail servers of several corporates compromised. The FactorDaily interview also sheds light on a couple of the specific infrastructure providers that were hosting the mail servers of the corporates that were compromised.

It is in the Mashable interview though that we get a specific insight into what might have motivated the larger hack in the first place.

In what appears to be a case of reality inspiring fiction to inspire back reality, we get a glimpse into the hacktivist moorings of this group. In recent times, a popular American TV series Mr. Robot has propelled into popular debate the shadowy world of hacktivist cults. But the roots of this hacktivism go all the way back to the late 1990s and early 2000s, to what is known as the “anti-security” movement or the Anti-sec movement. The motivation of this movement was a backlash against security professionals and the security industry for full disclosure of vulnerabilities. The protagonists of this movement believed that some vulnerabilities had to be kept private and secret to allow for hacktivists to compromise these systems through publicly unknown methods.

This is exactly what seems to have happened here, with the infrastructure providers and the corporates being completely unaware of the large scale data breach till the hackers chose to make themselves known publicly by exploiting the PR value of a few twitter accounts.

According to an article published in the SecurityWeek some time back, the hacktivist groups like Lulz and Anonymous that made news in the West a couple of years back, trace their affinities directly or indirectly to the Anti-sec movement of the early 2000s and to what is known as “Project Mayhem”, that is more specifically written as “pr0jekt m4yh3m”.

Another article that appeared in Phrack.org sheds light on the audacity of the latest crop of hackers. While past incarnations of Anti-sec have humiliated many well-known sellouts in the computer security industry, today's blackhats are not scared to hit higher profile figures in law enforcement, military, and governments.

To what degree The Legion is directly linked to these other Western groups is unclear, but the specific references to the originators of the Anti-sec movement, like el8 and the reference to “project mayhem”, is a pointer to take this as something far bigger than the political colour that has been given to the incidents, thanks largely to the choice of Twitter accounts used to make a public statement. In June 2016, on one of the forums frequented by individuals associated with this movement, we read of a speech on the anti-security movement delivered in an internet relay chatroom. The post on the forum defines “blackhats” as those who hack for hobby, as those who do not post their exploits publically and most importantly do not work for security companies. What is of interest in this speech is the question and answer session that followed. During the Q&A it was confirmed that “project mayhem” was still active thus making Legion’s reference to “project mayhem” in the Mashable interview significant.

While much of the media focus is on the likely next targets of Legion and the political controversies to follow, it is important to underscore the need for India to evolve a coherent national digital security architecture. It is a shame that the public debate has either been reduced to a lament on privacy laws by some or to one of alarmism on digital cashless banking by others.

While India needs a robust privacy framework with legally enforceable protections, reducing the debate to any one aspect of digital security would be missing the bigger picture on the need for an overarching national digital security architecture that is able to anticipate, detect and respond to threats and address vulnerabilities on the scale and complexity that we are only now beginning to discover. When incidents of the recent kind occur, it is unclear which agency of rapid response and what standard operating procedures are to be triggered, to limit the impact of mass scale disinformation that is likely when politically significant twitter accounts with millions of followers get compromised.

A coherent national digital security architecture also becomes imperative to address the current mishmash of agencies with overlapping jurisdictions and archaic capabilities that are several generations behind the hacktivists.

The Legion incidents are a wakeup call for Digital India, though for reasons vastly different from the political spin being advanced by the Congress party and the affected journalists.