Print This Post
9 April 2020, Gateway House

Cybersecurity and privacy in the COVID-19 era

COVID-19 and remote working have resulted in a surge in demand for digital intermediaries, such as Zoom. Most of these are U.S.-based, with some having servers in China, which has aggravated privacy concerns. IT companies have responded quickly by fortifying themselves internally through a range of measures, but it is now time for India’s highly accomplished tech industry to devise secure, scalable platforms with India-based servers

Senior Researcher, International Law Studies Programme

post image

COVID-19 has changed the way the world operates – the way we communicate, the mode of doing business and the functioning of governments. Businesses have moved online – from board meetings to team meetings to client calls. So have governments.

This has led to a sudden surge in demand for online and digital intermediaries like Zoom, Microsoft Teams,Microsoft Skype, Cisco WebEx, G-Suite, Slack and Adobe Connect, which provide services such as video conferencing, screen sharing, remote access, file sharing, cloud services, and audio calls. The immediate beneficiary has been Zoom Video Communications, Inc.which saw revenues grow 88% in the last fiscal year to $662.7 million.[1]

Name of Company Headquarters Investor(s)
Zoom U.S. Sequoia Capital, Horizon Ventures, Qualcomm Ventures, amongst others
Skype U.S. Microsoft, Threshold, Silverlake Partners, amongst others
Teams U.S. TPG, Goldman Sachs, amongst others
Cisco WebEx U.S. China Development Industrial Bank, International Capital Partners, amongst others
Slack U.S. Social Capital, Thrive Capital. Comcast Ventures, amongst others
Zoho India and U.S. Minority stakes: AmerindoInvestment Advisors, Caesars Entertainment. Also, has a group company in Beijing, China (and therefore, likely to have data servers in China)

However, digital companies are now struggling to successfully address privacy concerns that come with the unexpected rise in demand for their platforms. End-to-end encryption, usage and retention of data of consumers are the key issues,especially with the cyber security challenges of hacking and phishing accompanying increased demand

Zoom, the most popular platform, is widely used by educational institutions, business, and even governments. Various governments have put it under the scanner for its weak security systems, including routeing its services through China-based servers[2],effectively giving China access to stored data. Zoom has since revised its privacy policy,[3] but users,particularly leading global companies, continue to be wary. The Indian government, for its part, has a robust digital service provider in the National Informatics Centre (NIC), which inter-alia provides the video-conferencing facility, used by the government for meetings and judicial bodies for hearing urgent matters, besides other requirements.

The table above shows that most popular digital platforms are based in the U.S., with their data servers. Therefore,the data of Indian companies, which use the platform, is being stored in a foreign server. Microsoft stores data on different servers in the U.S.depending on the type of data: files are stored in SharePoint and backed by SharePoint encryption, Notes are stored in OneNote and backed by OneNote encryption.[4]This reflects the passage of a user’s data through multiple mediums, making it important to have end-to-end encryption of data at every level.

Therefore, it is paramount that privacy and retention policies provide adequate security details to a user. For example, whether end-to-end encryption includes user-to-user encryption i.e.,the data which is shared directly between two users of a platform;the limitation on the period for storage of data; details about the location of servers where data will be stored; and user consent for sharing data for advertisements.

Equally, users too need to fully understand privacy policies as responsibility is often placed on them. For example, applications have default settings, including retention of data forever[5]that the user can change. This is especially critical now, when sensitive information, such as medical data,is being shared digitally. Malicious actors can exploit a crisis. Several major global cyber organisations, such as the U.S.’ Homeland Security[6] and India’s Computer Emergency Response Team-In[7] have issued advisories in this regard.

Meanwhile, businesses are stepping up their security as company systems and machines move from a secure private network to public ones. To enable a secure infrastructure away from office premises, companies, especially those in the information technology business, are undertaking three critical measures:

a) Use of enterprise Virtual Private Network (VPN)

A VPN provides an anonymous passage to a user and the website that the user intends to visit by encrypting data to prevent malicious actors from accessing and/or misusing it. India’s CERT-In,[8], the U.S. CERT,[9] and the UK’s National Cyber Security Centre[10]have prescribed VPN as one of the secure solutions for remote working. CERT-In also advises VPN be used along with a multi-factor authentication feature to ensure that the right user has access to a company’s internal system.

Corporates use enterprise VPNs with VPN servers, located worldwide, offering scalability and flexibility to employees. The U.S.’ Cisco and Juniper Networks are market leaders in providing VPN services.[11]Companies operating in countries with restrictive internet access can use only those VPNs approved by the particular country’s government. For instance, China does not allow all VPN service providers to operate freely,only those which allow backdoor access to Beijing are permitted to operate.

b) Encrypt disks

A high degree of disk encryption ensures all data saved in the computer is unreadable/ difficult to break if accessed by unknown entities.With employees working from home on office computers/ laptops, there is a risk of computers being stolen or lost. Disk encryptions are provided by either the Operating System such as Windows[12] or computer manufacturers like IBM or security software providers such as McAfee.[13]Unencrypted drives do not guarantee security. For instance, in December 2019, Facebook lost unencrypted hard drives containing the data of 29,000 of its employees. In December 2017, Coplin Health Systems, U.S. a primary healthcare service provider in the states of West Virginia and Ohio, lost an unencrypted laptop which contained the data of 43,000 patients.[14]

c) Disable output ports

This is a simple and easy measure that provides an additional layer of security. Disabling USB ports and CD/DVD drives prevents employees from stealing data and stops other malicious actors from implanting viruses or invading a secure system. An invasion by an external drive can jeopardise the entire company’s network. A good example is that of Edward Snowden, who had allegedly used USB thumb drives to extract data from the U.S. National Security Agency.

These concerns should not be taken lightly, especially now. It is time for the Indian technology industry, globally known for its skills, to use its valuable knowledge to mitigate the challenges faced by users in today’s COVID-19 era worldwide,and to leap to the next level – beyond being outsourcers and software developers for multinational companies.The Indian private sector should indigenously develop secure and reliable platforms which are scalable and whose data is stored on servers in India.

On the policy front, non-binding policies and state regulations to govern cybersecurity do exist in India. But it is vital to draft and pass a uniform cybersecurity legislation that governs the current digital environment, one which is vulnerable to cyber security risks that impact the Indian economy.

Ambika Khanna is Senior Researcher, International Law Studies Programme, Gateway House

Sagnik Chakraborty is Researcher, Cybersecurity Studies, Gateway House.

This article was exclusively written by Gateway House: Indian Council on Global Relations. You can read exclusive content here.

For interview requests with the author, please contact outreach@gatewayhouse.in.

© Copyright 2020 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited.

References

[1]Zoom, “Zoom Video Communications Reports Fourth Quarter and Fiscal Year 2020 Financial Results”, 4 March 2020. <https://investors.zoom.us/news-releases/news-release-details/zoom-video-communications-reports-fourth-quarter-and-fiscal-year>

[2]Yuan, Eric, “Response to Research from University of Toronto’s Citizen Lab”, Zoom Blog Post, 3 April 2020. <https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/>

[3] Zoom,“Privacy Policy”, 29 March 2020. <https://zoom.us/privacy>

[4]Microsoft, “Security and Compliance in Microsoft Teams”, 7 April 2020. <https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview>

[5] Microsoft, “Retention Policies in Microsoft Teams”, 1 April 2020. <https://docs.microsoft.com/en-us/microsoftteams/retention-policies>

[6]U.S. Department of Homeland Security, “COVID-19 Exploited by Malicious Cyber Actors

”, 8 April 2020. <https://www.us-cert.gov/ncas/alerts/aa20-099a>

[7]Indian Computer Emergency Response Team, “Cyber security during covid-19 outbreak”, 30 March 2020. <https://www.cert-in.org.in CERT-In Advisory CIAD-2020-0008>

[8]Indian Computer Emergency Response Team, “Cyber security during covid-19 outbreak”, 30 March 2020. <https://www.cert-in.org.in CERT-In Advisory CIAD-2020-0008>

[9] U.S. Department of Homeland Security, “Enterprise VPN Security”, 13 March 2020. <https://www.us-cert.gov/ncas/alerts/aa20-073a>

[10]National Cyber Security Centre, “Home working: preparing your organisation and staff”, 17 March 2020. <https://www.ncsc.gov.uk/guidance/home-working>

[11]Gartner, “Enterprise Infrastructure VPNs”. <https://www.gartner.com/reviews/market/enterprise-infrastructure-vpns>

[12]Microsoft, “Encrypted Hard Drive”, 2 April 2019. <https://docs.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive>

[13]McAfee, “McAfee Drive Encryption”. <https://www.mcafee.com/enterprise/en-in/products/technologies/drive-encryption.html>

[14]Coplin Health Systems, “Press Release”, 29 December 2017.  <http://www.coplinhealthsystems.com/downloads/Breach_Notification.pdf>

 

TAGGED UNDER: , , , , , , , ,