The biggest lesson emerging from the recent recall of 3.2 million debit cards by various Indian banks is that most of the systems that the government and the country’s financial sector put in place to deal with a major cyber attack failed to detect the data breach that necessitated this recall.

As banks scramble to put together a root cause analysis of the events that led to the malware (malicious software) attack that led to one of the biggest security breaches in banks in India in September and October, there is a realisation that institutions failed to share information with each other, leading to cascading failures that permitted the breach to continue undetected for a while.

A little over three years ago, the financial sector set up an Information Sharing and Analysis Centre hosted by the Hyderabad-based Institute for Development and Research in Banking Technology – a body under the Reserve Bank of India. This Centre was tasked with connecting with as many banks as possible to share information about threats to their systems and attacks in real time. However, people working in the banking sector, who are closely involved in dealing with the current crisis, pointed out that there was no alert from the Information Sharing and Analysis Centre about the massive debit card data breach.

There is a credible explanation for this. “Currently, ISAC [Information Sharing and Analysis Centre] is configured to deal with cyber attacks and threats,” an official at the Institute for Development and Research in Banking technology, who wished to remain anonymous, told “However, when a credit or debit card alarm is raised, it is ticketed as a fraud.”

This led to a situation where each bank started tracking individual complaints of debit cards being swiped in China, but no one figured out that this fraud was systematic, and was taking place across banks.

Similarly, banks have Security Operations Centres that are tasked with anticipating and tackling threats to their security systems, which they are then supposed to share with the Information Sharing and Analysis Centre. But none of the Security Operations Centres picked up the debit card data breach. As a result, most banks treated complaints about debit and credit card fraud as isolated incidents. By the time they realised that there was a common point of failure, the data of thousands of bank customers had been compromised.

In many ways, this was the first major successful cyber attack on a critical information infrastructure in India. Even though the consequences of the malware attack on the systems of a company that manages ATMs and point-of-sale services were spreading for weeks, no one managed to connect the proverbial dots.

Inadequate systems

The Information Sharing and Analysis Centre was set up a little over three years ago, following a set of recommendations from a Joint Working Group set up by the National Security Council Secretariat in 2012.

The committee, headed by Dr Kamlesh Bajaj, who was the Chief Executive Officer of the Data Security Council of India at the time, recommended that “the private sector will set up Information Sharing & Analysis Centres in various sectors and cooperate with the sectoral CERTs [Computer Emergency Response Team] at the operational level.”

Following the recommendation, the Institute for Development and Research in Banking Technology, set up the first Information Sharing and Analysis Centre. Currently, the Centre has 62 banks and financial institutions as members, among whom information is shared anonymously and distributed.

“While we use the internal network of the banking sector to disseminate information, it is still a manual reporting system,” said a Reserve Bank of India official who did not wish to be identified. “Most banks are to create meaningful SOCs [Security Operations Centres] that can anticipate and proactively combat such threats.”

But several officials in the government, who are tasked with cybersecurity, point out that Security Operations Centres in banks are not adequate either.

“The SOCs [Security Operations Centres] are either non-existent, or severely understaffed,” a senior government cybersecurity official said, “and don’t employ automated systems for detection and reporting threats”.

Automated systems are exactly what was recommended by the Gopalakrishna Committee – which was set up in 2011 by the Reserve Bank of India – as part of a slew of measures meant to address cyber threats to financial institutions. The committee drew upon a panel of eminent experts to come up with a list of recommendations to strengthen the IT networks of banks and make them resilient to cyber threats.

One of the key recommendations of the Gopalakrishna Committee was as follows:

“A bank needs to have clear accountability mechanisms and communication plans (for escalation and reporting to the Board and senior management and customer communication where appropriate) to limit the impact of information security incidents. Institutions would also need to pro-actively notify CERT-In [Computer Emergency Response Team-India]/IDRBT [Institute for Development and Research in Banking Technology]/RBI [Reserve Bank of India] regarding major cyber security incidents.”

However, many of these recommendations remained on paper.

Blissfully unaware

Similarly, after the Information Technology Act was amended in 2008, it was made clear that India had to prepare a detailed road map for cyber security by earmarking the landscape into critical and non-critical sectors.

The Computer Emergency Response Team, or CERT-In, is the national nodal agency for responding to computer security incidents in the country in the non-critical sector.

For critical sectors such as the financial sector, India set up a dedicated organisation called the National Critical Information Infrastructure Protection Centre. As per the rules of the notification issued in January 2014 to set this body up, it was mandated that this Centre would be the “nodal body” that would coordinate and set the standards for protecting these critical sectors.

The rules also mandated that any information on any attack on critical sectors must be shared with CERT-IN [Computer Emergency Response Team-India], which in turn, would share it with National Critical Information Infrastructure Protection Centre. However, as the malware attack progressed, no such information was received by either body.

As banks remained blissfully unaware about the concerted attack, the many organisations set up to monitor and protect them, in turn, also failed to spot the breach. Clearly, this has to change if banks and other critical sectors are to prepare themselves for the future.