Kaveri 2.0, a web portal that was launched in 2023 to streamline property registrations in Karnataka, came under a distributed denial of service (DDoS) attack carried out through Artificial Intelligence (AI)-powered bots recently. A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor, while a DDoS attack occurs when multiple machines are operating together to attack one target. The DDoS attack crippled the portal, bringing property registrations across Karnataka almost to a halt for many days in January and February, possibly causing huge revenue losses to the State exchequer.
This is not the first time that the State’s critical information infrastructure has come under attack. In 2017, the Karnataka State Data Centre fell victim to the WannaCry ransomware attack, which spreads by exploiting vulnerabilities in the Windows operating system. In 2019, the State’s e-procurement portal was hacked leading to a theft of ₹11.5 crore. In 2022, the systems of the National Institute of Mental Health and Neurosciences were attacked. However, as the DDoS attack shows, no lessons seem to have been learned from earlier attacks and the gaps identified in the State’s response have still not been filled.
Most government portals, including Kaveri 2.0, are designed and run by the State’s e-Governance Department and hosted by the Karnataka State Data Centre.
The attack on Kaveri 2.0 began in December 2024 and brought the portal to a virtual halt in the last week of January and the first week of February. During this period, the e-Governance Department was on firefighting mode. On February 6, the Revenue Department claimed that the issues had been “fixed”. Surprisingly, throughout this process, the State cyber crime police were not kept in the loop. The Inspector General of Registrations and Commissioner of Stamps lodged a complaint with the cyber crime police only on February 7.
Earlier too, the State’s response to cyber attacks was marred by a lack of coordination between the e-Governance Department and the State police. So far, the e-Governance Department has identified a few IP addresses from which the attack originated. Involving the cyber crime police much earlier could have helped combat the problem in real time, police officials said. However, sources said that there was resistance within the departments to go to the police.
According to the Karnataka Cyber Security Policy, 2023, the State has a Cyber Security Committee, led by the Chief Secretary. This is filled with bureaucrats and not a single representative from the State police. Compare this to the national level, where the cyber security architecture — the Indian Cyber Crime Coordination Centre (I4C), which is affiliated to the Home Ministry and is the nodal point to curb cyber crimes, and the National Critical Information Infrastructure Protection Centre (NCIIPC), which protects the country’s critical infrastructure — have evolved.
Many experts feel that a similar cyber security architecture with clearly defined standard operating procedures to deal with such attacks should be put in place in Karnataka as well. The State immediately needs a control room set-up involving both technical experts and the cyber crime police to handle crises so that it can respond to such attacks in a coordinated manner in real time.
In his last Budget, presented in February 2023, former Chief Minister Basavaraj Bommai had proposed to set up a Cyber Security Operation Centre at a cost of ₹20 crore, on the lines of I4C and NCIIPC. However, when the Congress came to power in the State in May 2023, a revised Budget was presented and the proposal was dropped.
Bengaluru is known as the Silicon Valley of India. It is also an emerging cyber crime hotspot, according to a 2023 report titled ‘A Deep Dive into Cybercrime Trends Impacting India’, by the Future Crime Research Foundation, an IIT Kanpur incubated start-up. Karnataka has among the highest number of cyber crime cases in the country. Yet, the State does not have proper infrastructure. In contrast, Maharashtra and Odisha have robust cyber security infrastructure in place.
It is time for the Karnataka government to act to protect critical data.
Published – February 12, 2025 01:02 am IST
Source:https://www.thehindu.com/opinion/op-ed/struggling-with-poor-cyber-security/article69205723.ece