Despite the DoT sending reminders, most establishments haven’t done a security audit.
New Delhi: Three reminders on the same subject of possible data theft and related cyber security, spread over a period of one year, have not been able to elicit a response from the different establishments under the Department of Telecommunication (DoT), Ministry of Information Technology and Telecommunication.
The DoT, after receiving inputs that data exfiltration (data theft) was taking place from the websites of establishments that are under the DoT, had asked these establishments to do a security audit of their websites and submit a security audit certificate. However, although the first such notice was shared in the first week of October 2019, most of these establishments have to date neither done a security audit nor submitted a certificate, despite multiple reminders from the DoT, the last of which was sent on 17 July 2020.
The establishments that are sitting on DoT’s request and have refused to take the issue of cyber attack and data theft seriously include important bodies such as the Telecom Regulatory Authority of India (TRAI), Telecom Disputes Settlement and Appellate Tribunal (TDSAT), National Institute of Communication Finance (NICF), National Telecommunications Institute (NTIPRIT), BSNL, MTNL, ITI Bharat Broadband Network Limited (BBNL), Telecommunication Engineering Centre (TEC), Centre for Development of Telematics (C-DOT) and others.
In its latest order that the DoT sent on 17 July to 20 establishments, it has again requested them to urgently submit a security audit report of their websites. “The requisite information is still awaited although eight months have passed. Accordingly, the custodians of all websites and portals under the ambit of DoT are once again requested to provide the valid security audit certificate. In case a valid security certificate is not available, immediate necessary action may be taken to get the security audit of the portals concerned to be done on a priority,” the order reads.
The Union government, in June, had issued an advisory warning of a large-scale cyber attack against individuals and businesses, in which attackers were likely to use Covid-19 as bait to steal personal and financial information.
It is not that Indian organisations have not seen mass-scale organised cyber attacks before. In 2012, hackers had hijacked the websites of the Supreme Court, the Ministry of Communications and Information Technology, the Department of Telecommunications, the Bharatiya Janata Party and the Indian National Congress in coordinated distributed denial-of-service (DDoS) strikes.
As per a response given by the Ministry of Electronics and Technology to the Rajya Sabha in March this year, in the last five years, as many as 129,747 Indian websites have been hacked.