All websites and portals that come within the ambit of the Department of Telecommunications must submit a valid security audit certificate for their website, the DoT said in a circular issued on July 17. If a security audit certificate is not available, the websites have to immediately carry out a security audit. This includes websites run by NIC and all websites run by agencies and units within the DoT, including MTNL, BSNL, TCIL, ITI Limited and BBNL. The circular has also been sent to TRAI and TDSAT.

In October 2019, the DoT had asked for this certificate to be submitted by October 31, 2019, but more than eight months after the deadline passed, and seven months after a reminder was sent, “the requisite information is still awaited”. The memo was issued in 2019 after data was exfiltrated from one of the web portals of the Department that did not have a valid security audit certificate.

The DoT had issued a circular about best practices for cybersecurity on July 8. As per that circular, the most common tactics, techniques and procedures (TTPs) used to compromise computers are spear-phishing emails, distributed denial of service (DDoS) attacks, evading traffic analysis, exploiting web application vulnerabilities, and creating dubious apps.

Citing unnamed government officials, the Indian Express reported that attacks on Indian websites have increased significantly since the clash between Indian and Chinese troops on June 15 and the subsequent ban on 59 China-linked apps. Quoting an official, the report said that most of the command and control servers for these attacks and malware are located in China, and right after the border clashes, officials had observed up to 10,000 attacks per day, a number that has since decreased.

The DoT has reportedly submitted a report to the Indian Computer Emergency Response Team (CERT-In) on possible cyber-attacks and security aspects of sensitive government websites and portals. It has also reportedly asked all other ministries and departments to migrate their websites and web portals to the domain by August 31.