No 'concrete courses' to uplift online security in India: ethical hackers
There are very few universities in India which offer courses on cyber security and majority of them offer it on post-graduation level.
Mumbai: In the wake of increased online criminal activities, individuals are well-acquainted with terms such as ‘cyber-security’ and ‘hackers’. Although hacking, in general, is negatively portrayed; there exists another large community of cyber-watchdogs who regularly track and prevent large numbers of looming cyber-threats.
While professional white hat hacking is a prominent profession in most western countries, individuals in India are still reluctant to take up cyber-security as a career.
Several ‘white-hats’ and cyber-professionals pointed out that the cyber-security courses offered in India are shallow and ‘dreadfully expensive’.
In a conversation with Deccan Chronicle, Arnav Georgian, a nascent entrepreneur and a certified ethical hacker from Bangalore, explained that the cyber-security courses available in India provide an elementary outlook, ignoring the broader aspects related to cyber-security.
“There are quite a few ethical hacking courses to my knowledge but those which I am aware of need to broaden the curriculum and get into the depth of practical aspects of security over just the basics being taught,” said the 22-year old.
According to Symantec’s India Managing Director Shrikant Shitole, cyber security is one of the most important, albeit ignored issue, among most modern-day small or large-scale enterprises in the country.
Agreeing that there is an acute deficiency of cyber professionals in India, he said, “Taking into consideration the dearth of trained cyber security professionals in India, a report by NASSCOM states that the country needs at least one million skilled people by 2020.”
Citing awareness as a major predicament for the country’s ethical hackers, Shitole said, “The reason behind this lack of skilled professionals is largely the absence of awareness, effective training, and preparation.”
Bangaluru-based angel investor and start-up mentor Om Thoke testified that government agencies lack good hackers; they heavily rely on external agencies to investigate complex cases unlike western countries who take cyber-security ‘seriously’.
“Ethical hacking isn't really considered to be a booming field by IT professionals, due to lack of opportunities and only the brightest of those hackers get good opportunities, and more than half of them never make enough money to survive in this line of business, and eventually give up,” he added.
Shallow and expensive courses
A 26-year-old degree student and an ethical hobby-hacker, Prashanth Bhola, explained that the country lacks good cyber-security professionals. “The country isn’t lacking hackers, it's lacking good hackers,” he said.
He further pointed out that the ethical hacking courses available in India are shallow and expensive, as most institutes demand at least Rs 1.5 lakhs for a measly diploma.
However, the problem does not end there; majority of these institutes often breeze through the introductory concepts of hacking, ignoring the salient facets and practical experience required to be a good hacker.
“There are very few universities in India which offer courses on cyber security and majority of them offer it on post-graduation level. In Bangalore Jain university offers a PG course in M.Sc. in cyber security and it would cost a whopping 3-4 lacs,” Bhola added.
According to him, the only way to reduce the dearth of “good cyber professionals” in India is by though recognised and well-structured courses.
When asked if the government is doing enough to uphold cyber-security, Bhola said, “The government does lack in approaching and creating a job market for cyber security professionals, and the country faces a shortage of cyber security professionals to the tune of 4-7 lacs and it would keep on growing with the user base of online market.”
Founder at Limitinfinity Softwares and an active member of Microsoft’s bug bounty programme, Pratik Mohapatra, said that the main reason for the shortage of white hat hackers in the country is due to lack of ‘concrete’ hacking courses.
He said, “The ethical hacking courses are very expensive in India and they are not enough schools and even if there are schools, they charge a bomb. The government also doesn’t do much in these cases as it does not even have a subsidised course where interested individuals could go and learn something.”
A certified ethical hacker with 16 years of experience and co-founder at Indian School of Anti-Hacking (ISOAH) Sandeep Sengupta affirmed that there are very few universities in India, who are providing post-grad degree with a specialization in security.
Hackers are not always criminals
After speaking with several ethical hackers in the country, it was also revealed that the general perception concerning hacking among most people in India is pessimistic—often hacking is conceived as an unlawful activity.
On the contrary, white-hat hackers help in discovering diverse security vulnerabilities faced by several private and government sector organisations, which goes unsung on most occasions.
“There could be future to ethical hackers in India provided it’s institutionally encouraged and promoted. At the first place the negative perception of being a hacker in India should be eliminated,” said Bangaluru-based Georgian.
Citing a mixed perception among the masses, he said, “People need technology today, and also want to complain about the fear of using technology. Then who do you think will solve this problem of your fear?”
Moonlighting on the issue, Bhola pointed out that initially he was tentative to report the bugs to a concerned authority in fear of legal prosecution.
He too agreed to the fact that people in India often deem ethical hackers as criminals as they do not understand the difference between white, grey, and black hat hackers.
When asked if there is lack of awareness regarding the subject among the masses, he said, “There is also lack of awareness among masses or even the media regarding hacking.”
Even Mohapatra agreed that the scope of ethical hacking is ‘limited’ as there is a general lack of awareness regarding the role of a hacker in the country.
He said that currently in India, a lot of people do not clearly understand the meaning of the word white-hat hacking and end up fusing it with criminal activities.
‘Indian companies are ignorant’
In comparison to foreign organisations, the bug bounty programmes offered in India are very less and most large enterprises turn a blind eye to all their security vulnerabilities.
Moreover, there is a tendency among all large Indian firms to term ethical/white hat hackers as criminals; something that is fuelled by the country's weak cyber laws.
Bhola said that the scope for bug hunting in India is very less and only companies like PayTM have started following the footsteps of foreign companies such as Facebook.
He further pointed out that even if hackers succeed in finding any security vulnerability on a particular Indian website, they hesitate to report it fearing 'legal prosecution'.
Highlighting the lack of interest among Indian firms to uphold online security, he said, “Majority of Indian companies do not give much preference to online security, they often outsource that to a third party whose job would be to maintain the website." "The companies won't realise until they get hacked"
According to him, small companies simply ignore online security due to cost escalation and they feel it’s a waste of money. Regarding bigger companies, Bhola said that there are many legal barriers which prevent bug-hunters to approach them in the first place.
He said," If you are reporting a bug or loophole, there is a chance that you will be termed as a cyber-criminal. Many hackers simply do not report loopholes for just the fear of getting into legal troubles."
Commenting on the attitude of Indian businesses towards ethical hackers, young Mohapatra said that Indian businesses should be open to ethical hackers/ bug hunters who can help them spot serious issues in their security infrastructure.
Narrowing down on the subject, Georgian said, “Western companies have realized the importance of security while most of the Indian companies still don’t.”
“Enterprises are still coming to terms with the fact that a simple hack could cost them millions including their reputation, and most often they do not possess the expertise and resources to combat IT vulnerabilities,” said Symantec’s Shitole.
The outcome
A report by Symantec highlighted the fact that financial institutions in the India have the third most infections only to be preceded by USA and Germany.
While there has been an acute increase in the number of cyber-attacks on private Indian institutions, government websites in the country are also outdated and can be easily hacked, according to the hackers.
Read: Vigilance needed against online radicalisation, says Rajnath Singh
According to Intel Security Vice President and General Manager of the Network Security Business Shishir Singh, the level of cyber-attacks in the country has increased tremendously with more aimed at lucrative targets like financial services and IT organizations.
"On the business/enterprise front, I think attackers have already developed a level of sophistication that is well beyond the hobby-hacker of the past. We’re clearly seeing a streak of organized and targeted crime as was also evident from some of the high-profile security incidents from 2015 in India and globally," he added.
Read: NASSCOM teams up with Symantec to uplift cyber-security standards in India
While organisations such as NASSCOM and Symantec try to meet the security requisites of the country, it’s high time the Government also steps up it's effort to uplift cyber-security standards in the country.