Cyber-attacks on the government and significant business websites are as much a reality as physical insurgency and terrorist attacks. The latest cyber ransomware attack in Uttarakhand on 2 October 2024 brought the State Government machinery virtually to a halt. More than 90 major websites of the Uttarakhand Government, inter alia CM Helpline, ‘Apni Sarkar’, ‘E-Office’, ‘E-Ravanna portal, Chardham registration, and Land Registry were compromised.

The Uttarakhand Government’s data centre was hacked, crippling the State’s entire Information Technology infrastructure. This attack, apparently, captured the State’s Information Technology Development Agency (ITDA) server, holding the critical data of crores of people and sensitive government departments, including the office of the Chief Minister, and demanded a ransom. It was no less than paralysing the State Government. One week later, on 10 October 2024, the Uttarakhand Government announced that there had been no data loss. However, several critical questions loom large.

Cyber experts view it from multiple lenses rather than as mere ransomware attacks or from the perspective of data recovery. The government’s preparedness to combat such a massive cyberattack is under question and accountability is at stake. The data of the last three years, curated by various State and non-State agencies further reflect a vulnerability of the Indian cyber system. For instance, till date in 2024, India has witnessed 388 data breaches, 107 data leaks, 39 ransomware activities, and 59 cases of access sales or leaks. We also sustained nearly 5 billion cyberattacks in 2023.

Approximately, 50 government websites were hacked, and there were around eight incidents of data breaches in 2022-2023. In an alarming case, India’s weak cyber security architectural plan and IT infrastructure was exposed two years ago, when in 2022, AIIMS Delhi succumbed to a ransomware attack, compromising critical healthcare services for almost two weeks. This was probably one of the worst setbacks for Indian cyber security infrastructure in recent times.

It was clearly a clear signal for governments to envision a clear roadmap to prevent such mishaps in future. However, it seems Uttarakhand overlooked it for want of vision. There seems no plausible answer why the Uttarakhand Government does not have a proper cyber crisis management plan. More so because two years ago, the same Government of Uttarakhand, tasked ITI Limited, in Bengaluru to craft a disaster recovery plan. But it seems the matter has been in cold storage since then. It never saw the light of the day. Probably the government has so far treated cyber security as another welfare scheme which is announced during elections and forgotten until the next term. If this is the case, then we are heading for a bigger aftermath of a disaster after the data breach.

A prudent cyber expert’s mind may ask what prevented the State Government from implementing a plan in the last two years? Given the escalating number of global cyberattacks, the State Government urgently needs more specific regulations, guidelines, procedures, or standard operating procedures (SOPs) to combat these crimes. Immediate policy changes and the implementation of effective measures to counter cyber threats are not just necessary but crucial. As we probe this disaster, a Pandora’s box of questions seems to open up. How could the state government overlook recruiting more subject matter experts for the Information Technology Development Agency (ITDA), in contrast to the existing team of three members, who are not even subject matter experts? As it appears, Data backup, a fundamental practice in cybersecurity, was not previously implemented, raising serious concerns about the State’s risk management strategies.

There also seems to be a callous approach of the Government of Uttarakhand in firmly conducting a timely security audit of the ‘State Date Centre’. Non-establishment of the cyber security task force till date calls for another alarm in this scenario. While now the State Government has filed an FIR under section 308(4)(extortion) of the Bharatiya Nyaya Sahinta, 2023 and 65/66/66C of the IT Act, 2000, there is a dire need for an overhaul of Uttarakhand’s cyber security basic architectural design, recruitment of subject matter experts, inviting consultants on board, setting up cyber security nodal officers in every department, rigorous and continuous training and constant engagement for evolving a cyber-security plan because such attacks may happen again.

Precaution is the best cure. A half-baked cyber security plan cannot ensure the safety and security of the residents of Uttarakhand. Uttarakhand is known for cloud burst disasters and 2 October perhaps will be remembered as the Uttarakhand’s Cyber Security Cloud Burst, till a robust plan is placed on the table. It is quite evident that the Uttarakhand Government could not smell or see this coming despite enough reportage of cybercrimes across the country.

It was knocking on our doors, and we opened our door wide open, then shooting the ransomware to mitigate the damage. A healthy dialogue between cyber experts and the Government is now warranted for a future roadmap that may not only help rebuild Uttarakhand from the crisis and may even serve as a model for other States to borrow from.

(The writers are, respectively, an Uttarakhand based cyber security expert and Co-Founder, World Cyber Security Forum, and Professor of Law and Registrar, NLU Tripura.)