Govt bans foreign firms from conducting IT security audits of critical sectors for fear of sensitive data being leaked

New Delhi: In the wake of the cyber attack on Kudankulam Nuclear Power Plant, the government has directed the ministries and departments handling India’s critical infrastructure to avoid hiring foreign firms to conduct IT security audits of its systems and networks. Even, Indian firms empanelled for auditing will require clearance from domestic spy agency, Intelligence Bureau (IB) to rule out any foreign links. Security audits in all the ministries and critical sectors are carried out to ensure that country’s information infrastructure is not vulnerable to attacks by hackers and that all the systems have a secure government firewall. According to the documents reviewed by Firstpost, Computer Emergency Response Team (CERT-IN) — under the purview of the Ministry of Electronics and Information Technology — has prepared a list of auditing firms in consultation with the IB. In case any government department is planning to hire firms outside of the list, security vetting by the IB has also been made mandatory. “Since engaging non-Indian firms for auditing requirements by the government organisations and critical sectors may involve exposing sensitive information to non-Indian persons/entities or having foreign links, the concerned government ministries and organisations should obtain no-objection certificates from IB/Ministry of Home Affairs before engaging any non-Indian firms,” the documents said. [caption id=“attachment_5397041” align=“alignleft” width=“380”] Representational image. Reuters.[/caption] It has been further observed that critical sectors are facing threats from multiple sources and increasing attacks on the systems are organised and targeted with the help of criminals and State actors to reap immense benefits out of information compromise or espionage. The cyber criminals may carry out fraud, conduct espionage to steal state and military secrets and disrupt critical infrastructures by exploiting the vulnerabilities in any system. Worse yet, hackers can cover their tracks so that they cannot be traced and in a post-attack situation, is extremely difficult to prove whether the cyber criminal is an individual, a gang or a group of State actors. “The public sector, although increasingly relying on information technology, has not fully awakened to the challenges of security. Economic stability depends on uninterrupted operations of banking, finance, critical infrastructure such as power generation and distribution, transport systems of rail, road, air and sea which are critically reliant on information technology. Even though the focus has been on improving systems and providing e-governance services by various institutions, the IT networks and business processes have not placed the desired emphasis on information security,” the government documents said. There are three other directives which have been issued for critical sectors for protective monitoring of sensitive data and threat emanating from terrorist groups or enemy State. First, these sectors need to have adequate measures for grouping, formation and arrangement of counter measures for security of information infrastructure. Second, efforts are to be made to integrate security measures with information technology architecture to address contemporary and changing threats to critical database stored on government computers. Third, there will be mandatory disclosure of all attacks to the IB, so that any data breach can be resolved in a timely manner. Employees handling sensitive servers will be required to disclose the mobile device they are carrying, its serial number, model number along with details like security capabilities and vulnerabilities. The critical sectors will reserve the right to control official data on the employee’s mobile, including the right to back up, retrieve, modify, determine access or delete the organisation’s data without prior notice. The government documents said since mobile devices possess network connection capabilities, they can be exploited to connect to the organisation’s internal networks and can become a point to breach security. Also, individuals or experts hired for security audits of government systems will have to sign a non-disclosure agreement to prevent leakage of sensitive data. “Every auditing firm and its auditors (trained personnel) engaged should sign non-disclosure agreements before being allowed to commence the cyber security auditing work. To the extent feasible, it may be ensured that any data collected during the auditing work and report prepared thereof is not allowed to be taken out of the government premises by such auditors/firms,” government documents further added.