On 23rd November 2022, AIIMS made a formal announcement that its servers (and therefore its online services) were down due to a ransomware attack. The Assistant Security Officer of AIIMS made a complaint to the police, and an FIR was registered under IPC Section 385 (putting a person in fear of injury in order to commit extortion) and Sections 66 (hacking) and 66-F (cyber-terrorism) of the Information Technology Act. Various organisations swooped in, including the Ministry of Home Affairs (MHA), Ministry of Health and Family Welfare (MHFW), Ministry of Electronics and Information Technology (MeITy), Defence Research and Development Organisation (DRDO), Indian Computer Emergency Response Team (CERT-In), National Cyber Security Coordinator (NCSC), National Technical Research Organisation (NTRO), Central Bureau of Investigation (CBI), National Investigation Agency (NIA), State Forensics Laboratory (Delhi), National Forensics Science University (NFSU), Bharat Electronics Limited (BEL) and several intelligence agencies.
The issue is not only the loss of the health records of up to 4 crore patients of AIIMS but also the almost complete health records of the top echelons of India – the President, all Ministers (including the Prime Minister), Parliamentarians, the top Judiciary and top bureaucrats. The world over, health records are considered one of the most sensitive categories of personal information. It is a known fact that once an enemy knows a leader’s health issues, these can be exploited in a number of ways. Several nation states are at an advanced stage of bioweapons development, and the possibility of using such knowledge to eliminate or incapacitate a leader by exploiting an underlying health condition is within the existing realm. That’s the reason so many agencies and ministries swarmed in.
Source: Hindustan Times
To add to the fear is the fact that at least one Virtual Private Network (VPN), a secure tunnelling protocol, was detected with its far end terminating in China. Just remember that China has the highest number of Advanced Persistent Threat groups in the world and also very advanced bio-labs (remember China’s Wuhan Virus). China may deny any wrongdoing under the alibi that it was a TOR-VPN, but doesn’t Chinese law ban TOR-VPN?
There has been a lot of confusion over the ransom amount. Some said it is Rs 200 crore, while another report indicates a demand of 30 bitcoins, with the hackers ready to demonstrate decryption of up to 3 encrypted files by 05 December 2022 (30 bitcoins is about Rs 4 crore). However, Delhi Police as well as the NCSC have said no ransom has been demanded. If no ransom has been demanded, then either the attack was incomplete and got detected prematurely, or it was a nation-state attack. CBI is investigating two ProtonMail emails suspected to be from the hackers who were seeking ransom.
With the passage of time, a lot will come out in the public domain, but all these indicators are tactical in nature. Let’s look at the issue from some distance to get a sense of the challenges and identify the root cause, in order to prevent similar attacks in future.
Progress of Attack
The latest publicly available annual report and website of AIIMS, Delhi indicate that the computer staff consists of 34 persons, of which only 18 are hands-on in IT, while the rest are on non-operational duties. The senior-most operational staff are two or three System Analysts (not SYSTEM ADMINISTRATORS), while the remaining 16 are programmers involved in maintaining and developing functionality in e-Hospital. There is one Deputy Director who acts like a CIO. Here is the structure of the AIIMS IT team:
The core application is e-Hospital, which was developed by MeITy in 2011-12; for the purpose of resilience, a hot backup was later created on the government’s own cloud, Meghraj. There have been attempts to get private vendors for a Hospital Management System (HMS), but no offer was accepted. There has been no serious problem with the e-Hospital HMS by itself.
There have been reports that some personal data from AIIMS found its way onto the dark web in 2018, but neither was the cause identified nor was there any clarity on the steps taken by AIIMS to prevent a future breach. In the present incident, about two months back the AIIMS systems were infected, probably by someone clicking a link knowingly or unknowingly. There is also no clarity on whether e-Hospital was upgraded to defend against the Log4j vulnerabilities (Blog link). According to one media report, an insider has revealed that the firewall and network devices of AIIMS were in default mode; hence it can be presumed that they had the Log4j vulnerability. In that case no phishing email or clicking on any link is required either; hackers can just enter the network and have a free run. The unsecured network of AIIMS had no VLANs; the concept of Multi-Factor Authentication (MFA) was unheard of; there were switches in place of routers (a very serious lapse); thus the hackers had no restriction on lateral movement within the network. There is also no clarity about the settings of the logging mechanism, but in all likelihood there won’t have been many. It appears obvious that the CERT-In directions dated 28th April 2022 were not implemented. Interestingly, only the Linux servers were encrypted, with the file extension changed to .bak9 after encryption; the Windows systems were infected but were not encrypted (as yet). Therefore, the moot question is: who should be accountable for this unacceptable situation? AIIMS, NIC, MHFW, MeITy, CERT-In, NCSC or NSCS? Suspending two lowly paid system analysts only speaks poorly of the leadership.
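The one concrete technical indicator the paragraph above gives is that encrypted files on the Linux servers had their extension changed to .bak9; a mass rename of that kind is exactly what a logging mechanism with some analytics behind it should catch early. The following is an added example, not code from the article or from AIIMS/NIC: it parses a constructed, simplified rename-event log format (hypothetical, not a real auditd or EDR schema) and raises an alert when one process on one host renames a threshold number of files to the same new extension within a time window. The host names, process names and paths in the sample log are all constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import os
import re

# Constructed, simplified rename-event line format (hypothetical; it does not
# mirror any particular auditd or EDR schema).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) "
    r"op=rename src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


@dataclass(frozen=True)
class RenameEvent:
    ts: datetime
    host: str
    pid: int
    comm: str
    src: str
    dst: str


def parse_line(line: str):
    """Parse one log line; return None for lines that are not rename events."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return RenameEvent(datetime.fromisoformat(m["ts"]), m["host"], int(m["pid"]),
                       m["comm"], m["src"], m["dst"])


def extension_of(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect_rename_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when one process on one host renames at least `threshold` files to
    the same new extension inside a sliding `window`. Lines are assumed to be in
    time order. Returns one alert dict per (host, pid, extension); `count` is the
    number of such renames seen from the start of the triggering window onward."""
    recent = defaultdict(deque)   # (host, pid, ext) -> timestamps inside the window
    alerts = {}                   # (host, pid, ext) -> alert dict
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ext = extension_of(ev.dst)
        if not ext or ext == extension_of(ev.src):
            continue              # extension unchanged: not an encryption-style rename
        key = (ev.host, ev.pid, ext)
        dq = recent[key]
        dq.append(ev.ts)
        while ev.ts - dq[0] > window:
            dq.popleft()          # drop events that fell out of the window
        if key in alerts:
            alerts[key]["count"] += 1
            alerts[key]["last_ts"] = ev.ts
        elif len(dq) >= threshold:
            alerts[key] = {"host": ev.host, "pid": ev.pid, "comm": ev.comm,
                           "extension": ext, "count": len(dq),
                           "first_ts": dq[0], "last_ts": ev.ts}
    return list(alerts.values())


# Constructed sample log: one log rotation, one backup rename, and a burst of
# six renames to .bak9 by a single process on one host.
SAMPLE_LOG = """\
2022-11-23T02:10:01 host=db-srv-01 pid=918 comm=logrotate op=rename src=/var/log/app.log dst=/var/log/app.log.1
2022-11-23T02:11:03 host=db-srv-01 pid=4242 comm=unknown op=rename src=/data/patients/p001.dat dst=/data/patients/p001.dat.bak9
2022-11-23T02:11:04 host=db-srv-01 pid=4242 comm=unknown op=rename src=/data/patients/p002.dat dst=/data/patients/p002.dat.bak9
2022-11-23T02:11:04 host=db-srv-01 pid=4242 comm=unknown op=rename src=/data/patients/p003.dat dst=/data/patients/p003.dat.bak9
2022-11-23T02:11:05 host=db-srv-01 pid=4242 comm=unknown op=rename src=/data/patients/p004.dat dst=/data/patients/p004.dat.bak9
2022-11-23T02:11:06 host=app-srv-02 pid=771 comm=backup.sh op=rename src=/backup/dump.sql dst=/backup/dump.sql.old
2022-11-23T02:11:06 host=db-srv-01 pid=4242 comm=unknown op=rename src=/data/patients/p005.dat dst=/data/patients/p005.dat.bak9
2022-11-23T02:11:07 host=db-srv-01 pid=4242 comm=unknown op=rename src=/data/patients/p006.dat dst=/data/patients/p006.dat.bak9
"""

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['host']} pid={alert['pid']} ({alert['comm']}): "
              f"{alert['count']} files renamed to {alert['extension']} "
              f"between {alert['first_ts']} and {alert['last_ts']}")
```

The rule keys on the rename rate per process rather than on the .bak9 string itself, so it also fires for whatever extension the next variant uses; the benign single renames by logrotate and the backup script never reach the threshold. In a real deployment the events would come from auditd, inotify or an EDR agent rather than a text file, and the alert would feed the SOC rather than stdout.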
What gets positively established is that there are systemic issues, and hence the breakdown. As per the records available in the public domain, AIIMS in its various letters has raised concerns about the improper cyber security situation, including the lack of manpower. In 2016 AIIMS brought to the notice of the MHFW its concerns about cyber security, poor support by NIC and the not-up-to-the-mark performance of the government’s cloud Meghraj. Several rounds of meetings were called between MHFW and MeITy. Many things were discussed, except cybersecurity. In one of the meetings the concern of AIIMS was recorded in one sentence, that’s all – no discussion. These meetings were attended by several officers of NIC & MeITy. However, they neither bothered about the concerns raised by AIIMS in its letters, nor transferred the issue to CERT-In. CERT-In was oblivious of the problem. Neither MHFW nor MeITy bothered to raise the issue with the National Cyber Security Coordinator. The sad truth is that AIIMS, Delhi was repeatedly raising the issue of the non-availability of a Database Administrator, System Administrator and Security Administrator for the country’s biggest e-Hospital deployment, and pointing out the lack of effective support by NIC and MeITy. But shockingly, none of the publicly available minutes of meetings or annual reports show any discussion on the subject. Here is one such letter:
If the issue of national cybersecurity is looked at from a higher altitude, various serious governance lapses emerge. The Government is pushing Digital India on steroids but paying only lip service to cyber security. Some areas of serious concern are the following:
Auditors must be held accountable because they know the challenges much more clearly. The question is, had they made appropriate recommendations over the years? It doesn’t appear so, as shown by the use of switches in place of routers and the non-availability of VLANs, which is like an open invitation to hackers. Did the auditors conduct VAPT? Who closed the reported vulnerabilities? Was any test done for the Log4j vulnerability? Were a risk assessment and a gap assessment of the AIIMS IT system submitted? There are far too many questions. If the auditors have not done so, then they simply need to be blacklisted and removed from the empanelled list of CERT-In. If the auditors had pointed these out, then who is at fault for not implementing them, and what was the Board of Directors of AIIMS doing about it? But this is a tactical issue.
It is strategically incorrect to give the serious role of cyber security to MeITy. If MeITy controls most of the action in cyber security, then it is like putting the taxation department under the Ministry of Commerce. There is an inbuilt conflict of interest. The primary role of MeITy (and also of Digital India) is to expand the horizon of information technology and proliferate it. Cyber security creates checks on it, hence the conflict of interest. Likewise, NIC’s main objective was to enhance the usage and functionality of the HMS of AIIMS; security was a side business and not a serious one. Officers of MeITy knew fully well that if they brought in CERT-In or NCSC, the pace of proliferation and usage of e-Hospital would reduce, hence they avoided it. By the way, is e-Hospital getting application vulnerability testing, and were all functionalities developed in-house by AIIMS tested for security? Of course, most of the programmers on the strength of AIIMS may not even have heard of DevOps, DevSecOps and SecDevOps, let alone used any of them. Their pay scale indicates so.
Though there is a National Cyber Security Coordinator (NCSC), practically everyone bypasses his office and tries to reach NSCS/NSA/PMO directly. CERT-In, NTRO, NCIIPC, I4C and all such cybersecurity structures should be under the common control of the NCSC. If it is considered that the NCSC, headed by an Additional Secretary / Special Secretary rank officer, is structurally too small for governance, then the government should raise its level and create a Cyber Security Commission on the lines of the Atomic Energy Commission.
Though the National Cyber Security Strategy has been ready for the last few years, it is being stalled on one pretext or another. Technology is a moving target; India should not wait for a perfect and all-encompassing strategy but should close urgent and well-defined issues quickly and thereafter keep updating it through version control (new challenge, new approach).
Coordination amongst ministries is necessary for effective cyber security. More ministries should be included in the National Information Board (NIB), and the NIB should meet more frequently until a National Cyber Security Commission is established. For any specific issue, committees and sub-committees should be formed under the NIB.
CERT-In is by its name a ‘Response Team’; therefore it necessarily responds to emerging situations rather than taking a proactive approach. Therefore, either CERT-In should be renamed the Cyber Security Support Team (CSST), or a new organisation should be created with the same or a similar proactive name.
The initial plan (in the year 2004) was to create CERTs for each big state and also sectoral CERTs for critical sectors (18 such sectors were identified), and then join them through a web of information flow. However, we have failed to create even 5 sectoral CERTs in the last 18 years. Therefore, assertion is required by the NIB or a future Cyber Security Commission to create the structures and processes.
Cyber space is a steep technology area where every battle is fought in bits and bytes. It is impossible to stop hackers manually by making corrections to ever more complex networks and applications. As of today, no analytics is being undertaken by most government-controlled networks. Concepts like Security Operations Centre (SOC), Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Managed Detection and Response (MDR) and User and Entity Behaviour Analytics (UEBA) etc. are not even on the visible horizon of implementation. CERT-In or a new organisation should create Managed Security Services for all NIC-served systems.
The questions related to the connected and intelligent devices used by AIIMS have not yet been raised, but it would be foolish to overlook them. The threat in the cyber-physical arena of OT security is going to increase, and someone needs to sanitise these devices too. No policy and processes for the OT and IoT used by AIIMS are in place.
Finally, the whole thing comes down to finances. The Parliamentary Standing Committee in its report has observed that there has been a consistent increase in cyber incidents and breaches; therefore it is considered imperative to enhance the cyber resilience of the country. The committee feels that funds should not be the reason for limiting cyber security activities. The ground reality is that less than 50% of the budgeted funds are being utilised by CERT-In and the National Cyber Security Coordination Centre. The government has not shown any hesitancy in spending money on cyber security, but what is required is envisioning, planning and then execution of the plan. It is understood that the technologies are complex and ever-changing; thus reaching an appropriate decision without being accused of possible corruption is really challenging. That is why a fast-paced process needs to be established with appropriate financial powers to execute grand-size cyber security projects. This takes us back to the point that the country needs a Cyber Security Commission under the Prime Minister’s Office, as it has for space and Atomic Energy.
In the end, the question remains who should be held accountable for this incident. The fact is that there is a need for a National Cyber Security Strategy statement, and whosoever is blocking it is the first entity to be held accountable for what happened at AIIMS, Delhi. The government needs to restructure and consolidate if it wants to fight future threats to national security. Therefore, the responsibility for this attack is on the government and not on two system analysts. AIIMS took paper action, NIC and MeITy ignored it, CERT-In and NCSC were in the dark. Therefore NO ONE is responsible; it is a governance failure, not one of lowly paid System Analysts. Tactically it is the Board of Directors of AIIMS, and strategically there is a need for governance restructuring at large scale.
(Note: The author was privileged to be the first head of the National Information Security Coordination Cell at NSCS/PMO in 2002-2006, the precursor of the NCSC. Many cyber security structures and initial policies (including those of RBI & SEBI) were created during his tenure. During his tenure there were not many subject matter experts to distract him, whereas today there are many experts, real and fake. Thus, the author has written this article based on the information available in the public domain and his personal experience at the helm of national cyber security.)