The National Informatics Centre, which provides ICT and e-governance support to the government, has decided to make mandatory additional security measures for ‘gov.in’ emails in a bid to plug the danger of sensitive government communication from being compromised, The Quint has learnt.
The move comes after repeated incidents of government officers’ official email passwords being compromised due to negligence in basic security practices emerged. The negligence ranges from routinely falling for phishing emails to writing down passwords on scraps of paper, senior NIC officials said.
The Quint had reported on 25 January that over 3,000 emails and passwords of various government and public-sector enterprises were found in databases of leaked IDs on the deep web and the dark web. The NIC, however, has denied any evidence of passwords having been compromised.
A senior official at NIC said they checked the usernames and passwords and the same do not appear to be compromised.
NIC has confirmed that existing measures such as 2-Factor Authentication (2FA) and geo-fencing of emails, which till now were voluntary will be made mandatory to prevent unauthorised access to highly sensitive government emails.
“Government email accounts contain highly sensitive information as well as confidential documents like tenders,” said a senior official at NIC.
“Despite several cautionary instructions, we have often seen negligence among officials. The last mile, which is the ‘gov.in’ email user, is often the weakest in the security chain,” the officer added.
“We are moving towards making existing voluntary measures like 2-Factor Authentication mandatory to log in to emails. This will hopefully also spur a change in mindset towards basic security.”Senior Scientist, NIC
How Passwords Are Compromised
The National Informatics Centre operates and maintains three National Data Centers –in New Delhi, Pune and Hyderabad – and 31 State Data Centers. A total of 1, 076 virtual domains, all gov.in email IDs, are hosted on servers maintained by NIC.
Officials say despite the measures that have been taken, the last mile security, ie, security practiced by those with gov.in emails, has often proved to be the chink in the security armour.
Passwords Kept in the Open/Shared with Staff
NIC officials say that among the most common forms of negligence they have observed is gov.in email passwords being shared with staff members or even being noted down on sticky notes which are openly displayed. “This appears to be a common practice for designation based email IDs,” the official said.
Falling for Dubious Links
Clicking on phishing links disguised as genuine emails has led to several passwords of official email IDs being compromised.
The Quint had reported in October 2018 that prior to the cyber attack on Kudankulam Nuclear Power Plant, several senior nuclear scientists had been sent emails with phishing links by suspected North Korean actors looking to extract information about India’s nuclear technology.
Indiscriminate Downloading
A downside of good download speed in government offices is the indiscriminate downloading of files and attachments even if they appear suspicious, say NIC officials. “Since there is no network latency and files download easily, it has been observed that many, especially mid-level employees download everything, including malicious files,” an official explained.
Outdated Operating System
A major reason for passwords being compromised is the vulnerability of systems running on outdated operating systems. In May 2017, in one of the largest ransomware attacks in history, millions of computers across 150 countries were affected by WannaCry ransomware. It targeted computers running on outdated versions of Microsoft operating systems. The ransomware encrypted files and asked for payment in bitcoin to decrypt the same.
2-Factor Authentication to Be Mandatory
Senior officials at NIC told The Quint that in view of the negligent practices seen among public-sector and government officials, previously voluntary provisions like 2-Factor Authentication will be made mandatory for all in order to log in.
“We have raised the issue in writing with the Ministry of Electronics & IT. While common best practices like 2-Factor Authentication are already available and voluntary for those using gov.in emails, we are now moving to make it mandatory to log into accounts,” said a senior official.
A Government ‘KAVACH’
Kavach, available as an app, is a secure 2-Factor Authentication platform, implemented for government email service, including gov.in email IDs. It’s similar to 2-Factor Authentication in Gmail – when a user attempts to log in to their email account using the correct credentials, they receive an alert in the Kavach app.
The alert contains information of the IP address (from which login was attempted), timestamp, geo-location (from where the login was attempted). The user can review these details and then either allow or deny the login attempt by clicking the appropriate button.
NIC officials added that the E-mail Policy of Government of India, drafted in 2014, will be updated to reflect the changes in security protocol.
Moreover, the Ministry had also published a ‘Password Policy’ which clearly specifies measures to create strong passwords. However, leaked emails on the deep web showed that most of them were too simple to be effective. Instructions in the policy include:
- The password shall not be a word found in a dictionary (English or foreign).
- The password shall not be a derivative of the user ID, eg 123.
- The password shall not be a common usage word such as names of family, pets, friends, co-workers, fantasy characters, etc.
Geo-Fencing
Users can allow or block access to their email accounts from any specific country through a self-service portal. In simple words, an employee will be able to log in only from a location identified as the base. When they travel, employees will need to inform the NIC about the duration of the same so that geo-fencing can be disabled for that period.
Centralisation of Security Needed
A senior officer told The Quint that larger systemic issues need to be addressed to ensure sustained security of government communications. Identifying disciplinary issues as a core aspect of improving security, the officer listed three reasons for poor security.
“Computer systems across government and public-sector offices have been bought at different times, many of them outdated and vulnerable. This is either due to ignorance, or budget issues or because despite availability of budget, departments are not bothered,” he said
“All departments are allotted an IT budget but seriousness is an issue. Centralisation of security of all government departments will not only ensure better implementation and monitoring but also bring down costs significantly,” he added.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)