DGCA losing critical aviation data due to an NIC server crash brings forth our weak cybersecurity infrastructure

The recent revelation that DGCA lost critical data about pilots in 2015 due to a server crash at the NIC brings to the fore again the weak cybersecurity infrastructure of India

Recent reports that the Directorate General of Civil Aviation or DGCA (the national aviation regulator) lost its entire data set concerned with safety and security of pilots and planes in 2015, due to a National Informatics Centre (NIC) server crash, bring to the fore (yet again) our weak cybersecurity infrastructure.

NIC is a repository of all the major digital data which pertains to the government. According to the NIC Data centre website, it hosts around 4,000 plus government websites, over 3 lakh email accounts, in addition to e-governance applications. That is a lot of official data.

According to Daily Mail, this loss of DGCA data occurred in August 2015, and the details were released thanks to a Right To Information (RTI) query filed by RTI activist Anil Sood.

The data lost in August 2015 was never recovered. "The servers crashed in August 2015 and all information regarding the list of commercial pilot licence holders registered with the DGCA and type rating test (TRT) certified pilots registered with the DGCA got destroyed," said DGCA in response to the RTI query.

According to aviation experts, this loss of data at such a scale is quite shocking as it not only affects passenger safety, but can also have implications for national security. This becomes especially pertinent when you take into consideration the number of terror attacks that have happened at airports in the recent past. Airports are treated as high-security zones.

Data centres are mandated to have disaster-recovery centres

According to DGCA, the data that was lost was hosted on the NIC servers, which crashed in August 2015. What is surprising to note is that there was no provision for a disaster recovery centre, which would safeguard data in case of one server in one centre crashing. DGCA claims that NIC could not recover the data, although the DGCA does have some of the data in physical form.

"Normally, all the data stored on their servers has a backup in place. No data centre can work without a backup data centre. There has to be a mirrored data centre to prevent loss of data in one location due to a disaster. At NIXI we had disaster recovery centres in Mumbai and Chennai, whereby all the data stored in one place was replicated in another place. As per norms of a data centre, a disaster recovery centre is a must depending on the criticality of the data. In this particular DGCA case, I don't really know what exactly happened and how data was lost," said Dr Govind, ex CEO of National Internet Exchange of India (NIXI).

Advocate Prashant Mali, cyber security lawyer from Cyber Law Consulting, says that ideally in sensitive areas, data should have an incremental backup strategy and an online backup strategy, so that data is never lost.

The Central Information Commission has called this loss of data 'an appalling state of affairs in respect to record-keeping by a public authority' and has asked the DGCA to be more vigilant with its maintenance of sensitive data.

NIC is a storehouse of all the major govt data

NIC has national level data centres which are located in Delhi, Hyderabad and Pune and there are plans to add more at Bhubaneshwar and more areas in the future. NIC handles the emails of all senior government officials as well as websites of all central govt departments. According to the NIC website, "All major government projects are hosted in these centres including - NIC National Cloud, Messaging and SMS Gateway services, eProcurement, ePanchayat, eOffice, IVFRT, eCourts, Transport, eHospital, Government Websites, Exam Results, eDistrict, OCI, Agriculture, Land Records, Stamps and Registration, Commercial Tax, Treasuries, MNREGA, PFMS, eLekha, eCounselling, CGHS."

Security breaches at NIC...

This isn't the first case of NIC data being lost. In August 2014, there was a security breach at NIC, which let hackers issue fraudulent digital certificates. Hackers were able to access its root directory, which holds sensitive data. Several fake digital certificates were issued which went undetected for many days. Digital certificates let you authenticate users and allow one to safely log in to services as well as make payments. If these are spoofed and left undetected, it could lead to huge financial frauds. Microsoft and Google, who pointed out a lot of fake certificates issued through NIC, were disappointed with the Indian government's investigation.

The NIC India website had also been hacked by Anonymous in 2011 and, according to the defaced page, it took them just 3 minutes to hack the site. Around 15 government websites of various government departments, including the Assam Police, were hacked by unknown entities in October 2015, all of which were hosted by the NIC.

Back in 2015, it was mandated that all the private browsing data on bureaucrats would be monitored and email services provided by the NIC would be used. The government does not allow the use of Gmail, Yahoo and other private email services. But recently there had been threats from Legion to release data on emails hosted on Sansad.nic.in which has a lot of official email IDs of central and state government employees.

There are many more instances of websites hosted on NIC servers being hacked. This report for instance states that around 155 nic.in websites were hacked in 2014. And over 700 government websites have been hacked since 2012.

...Could lead to disasters

According to Mali, cyber attacks by hackers can lead to disastrous consequences. "There may be sensitive data theft. NIC as a Certifying Authority earlier was found to be giving false certificates, and they had to close shop as none of the browsers wanted to accept their certificates. Email data loss means loss of National Data. If a mole successfully impersonates a pilot, then he or she could use the plane as a weapon to carry out an attack similar to the World Trade Centre attack which happened in the US in 2011."

We have reached out to NIC spokesperson, and will update the story when we hear back.


Cyberwarfare is a reality and we need to be prepared

Clearly, NIC has a lot to do on the cyber security front to tackle these issues, which keep cropping up time and again. At a time when there is a concerted push towards going digital, there is clearly a lot at stake if NIC-managed sites and servers are getting hacked or losing data. Cyberwarfare is real.

At a time when state-sponsored cyber terrorism is a reality, we really need a focussed effort to ensure that hacking of websites and crashing of servers handled by NIC is not a routine occurrence.

Earlier this year, the NSG's website was also hacked and it was brought to the notice of NIC which promised remedial action. Last year, a Pakistani hacker group calling itself ‘D4RK 4NG31’ waltzed into the National Green Tribunal (NGT) website and posted this: “We are unbeatable. You… kill innocent people in Kashmir and call yourself defenders of your country. You…violate the ceasefire on border and call it ‘surgical strikes’. Now kiss the burn of cyber war.” We are well aware of Russian, North Korean and Chinese state-sponsored hacking programs which have been making news over the years.

As R Swaminathan had noted earlier on tech2, "India is transforming itself from an analogue society to a digital nation: everything from financial, utilities, governance and civic services, home security to entertainment and, why, even one’s own identity is digital. In such a scenario, national security cannot be divorced from cyber security, cyber attacks and cyber warfare. It should perforce include the security of digital assets, networks and smart systems."
