The AIIMS attack shows the importance of a robust cybersecurity framework
By virtue of its size and importance, AIIMS is sitting on a trove of sensitive and targeted health data, and any compromise can have major national security implications.
At the turn of the decade, the prevailing narrative was “data is the new oil” — a landscape where data, which was seen as an infinite resource, could be extracted cheaply due to falling prices of storage and computing, potentially transforming entire sectors and even uplifting people from poverty. Therefore, the government was expected to remove all impediments to “data flows”. But these notions failed to take into account basic economics. If a resource is infinite, its price continues to fall and there is no point in trying to protect it from stealing, as the cost to protect it will always exceed the value of the resource. The narrative created an industry where many paid lip service to data protection, but did not put in the serious money to do it.
There was, however, one class of actors who worked tirelessly to burst this bubble of data protection — ransomware operators. They clearly understood that the value of data is dependent upon the access to it, and created access controls, using (sometimes) state-of-the-art encryption technologies. Further, they also became a market maker in discovering the cost of implementing real data protection.
Given this background, let us examine the All India Institute of Medical Sciences (AIIMS) hospital ransomware attack in depth. The hospital — India’s largest health facility, where doctors attend to 35,000 patients a day, including senior members of the government — not only lost access to the main servers, but also the backups; even after 10 days, access has not been fully restored. While there were initial reports of a demand of ₹200 crore as ransom, this was strenuously denied by Delhi Police. If a ransom payout is not the end goal, then what could be the aim of the operators?
Given the nature of data and who it belongs to, this is not hard to surmise. By virtue of its size and importance, AIIMS is sitting on a trove of sensitive and targeted health data, and any compromise can have major national security implications. Any hostile foreign intelligence agency can always find creative uses for health data records of cabinet ministers, high-level bureaucrats and the head of State.
For instance, it is easy to surmise the impact of a difficult meeting that a Cabinet minister had with a nation-State delegation and then correlate their mental and physical health by timeline analysis and figure out the best possible strategy that puts them under pressure before similar meetings in the future.
Full-read access is just one of the risk vectors. Given that the attackers gained control not just on the hospital network, but also on the backup systems, there is simply no guarantee that health records were not tampered with even in the secondary backup systems. For example, it is much easier to alter the dosage of a blood-thinning drug to induce severe side effects, which could create a domino effect on trade negotiation and barely anyone would understand that it was not a care-provider error, but the long-tail effect of a cyber attack.
Let there be no doubt that the AIIMS breach was not an isolated event, but a progression of a long sequence of similar incidents that occurred in the past and were ignored. For instance, the 2017 Hitachi data breach became a trailer for the 2019 attack on the Kudankulam nuclear reactor, which was then followed by the detection of Cobalt Strike malware. The lack of response may have signalled to hostile agents that they would suffer few consequences for such acts. There were no efforts to create a national cybersecurity doctrine or even a workable policy. Instead, existing institutions were engaged in turf wars over budgetary allocations. This must be urgently reversed, and findings from the AIIMS breach investigation used to craft a robust and transparent cybersecurity policy.
The magnitude of the cybersecurity debt incurred by the State has grown so much in the last decade that the prevalent reality today is: Data is the new ransom. Suspending some low-level analysts is not even putting a band-aid on a gaping wound. It is spraying holy water and chanting “law, terrorism, foreign power” on a breach tsunami and hoping it will stop on its own.
Anand V is co-founder of Deepstrat, a think tank and strategic consultancy
The views expressed are personal