With attacks soaring, India races to regulate cryptocurrencies
(Bloomberg) -- A giant cyberattack that crippled India’s largest container port in June provided a costly wake up call for a country determined to digitize its mostly-informal $2 trillion economy.
As the scale of the attack became clear, Finance Minister Arun Jaitley called an urgent meeting. Those invited included top officials from the home, technology and finance ministries as well as the central bank governor, financial markets regulator and the country’s top planner, according to the letter of invitation seen by Bloomberg.
On the agenda was bitcoin -- the virtual currency demanded by extortionists who had held to ransom the Jawaharlal Nehru Port Trust, along with nuclear power stations and oil companies across Europe, America and Asia.
Policy makers in Asia’s third-largest economy, still reeling from a self-inflicted ban on high denomination notes last November, wanted to weigh their options to regulate virtual money. A presentation to the meeting -- also seen by Bloomberg -- flagged concerns about rising, unregulated exchanges trading bitcoins. Anonymity of ownership and surging value, the presentation noted, had made it the favorite currency of cyber criminals increasingly targeting Indian systems.
Bitcoin last week soared past $4,000 for the first time on growing optimism that faster transaction times will hasten its spread.
Meanwhile, demands for ransom payments in cryptocurrency in India surged 300 percent in 2016 compared to the previous year, said Bengaluru-based SISA Information Security, which investigated India’s biggest data breach of about 3.2 million debit cards last October. The company this month launched a security operations center to monitor cyberattacks on governments and private sector, said Nitin Bhatnagar, head of business development at SISA, which audits online payment systems.
“It’s an alarming situation’’ said Bhatnagar. “But the expertise in Indian industry is still missing.’’
The government’s Computer Emergency Response Team -- India (CERT-In) reported more than 50,000 attacks on companies last year.
With more than 27,000 reported attacks so far this year -- from phishing and viruses to intrusive malware that cripples systems -- India is trying to keep pace with securing data at companies and banks. The July roll out of a nationwide tax that seeks to digitize every monetary transaction in the nation of 1.3 billion people, a fourth of whom are illiterate, has only added to the urgency at a time when cyberattacks like Wannacry and Petya fuel cyberwar worries.
“What’s reported in CERT is a minuscule percentage. It’s the tip of the iceberg,’’ said Sandeep Sudan, head global corporate security at Reliance Industries Ltd., India’s biggest company, which launched the country’s fourth generation mobile service last year, said. “You needn’t be an IT guy even. Today anybody can do it.’’
Reliance had to investigate an alleged leak of personal data of more than 100 million users by a little-known website, Reuters reported last month. According to CERT, 34 Indian companies were affected by ransomware attacks in May and June alone.
Digital currencies have proliferated as money managers invested in blockchain -- the technology used to verify and record cryptocurrency transactions -- and set up funds to speculate on currencies in the markets. But India is still to catch up with digital currency regulation.
In Russia, the US and Japan, regulators have classified cryptocurrencies as either property or legal payment methods to co-opt them in a bid to stop money laundering. China and the UAE have strong firewalls, while India is still studying regulatory options, the government presentation shows.
By contrast, policy makers in the southern Indian state of Andhra Pradesh, which last month joined the non-profit Enterprise Ethereum Alliance, are exploring ways to use blockchain technology. The state is looking to build a digital ledger to create a permanent audit trail for land registries. J.A. Chowdary, chief secretary and adviser to the state’s chief minister, did not respond to calls or emailed questions.
Fourteen months ago, the RBI asked banks to "immediately" put in place a cyber-security policy, coinciding with Prime Minister Narendra Modi’s emphasis on the use of the Aadhaar biometric database to transfer subsidies to bank accounts of beneficiaries of state programs. It is not clear what progress has been made.
"We are now storing more and more citizens’ data,” said Neeta Verma, director general at National Informatics Centre, responsible for encryption and data security for all government welfare programs and offices. “As volumes of data grow, we have also increased the encryption we provide,” Verma said, noting plans to hire an extra 355 people to boost her data security team.
India expects a six-fold growth in digital transactions to 25 billion in the year to March 2018, up from 4 billion in 2015-16, according to the World Payments Report 2017. A chunk of this would come from online filings by 8 million tax payers every month under the goods and services tax and increased compliance on income tax.
The June presentation made to the finance minister lists a number of concerns about virtual currencies. It explored banning trade in cryptocurrencies, regulating and taxing it or treating it as a digital asset similar to gold. Still, some of these strategies may not be the most effective way forward, said Amit Jaju, executive director at Ernst & Young Ltd.’s fraud investigation and dispute services.
“It would be like banning a bank because a kidnapper used cash as ransom,’’ Jaju said over phone from Mumbai.
--With assistance from Dhwani Pandya