Cyber security during Covid-19 as govt issues advisory for Zoom users

COVID-19 has changed the way the world operates – the way we communicate, the mode of doing business and the functioning of governments. Businesses have moved online – from board meetings to team meetings to client calls. So have governments.

Little doubt that it has resulted in a surge in demand for digital intermediaries as such as Zoom. This has led to concerns pertaining to cyber security. What India needs is secure platforms and India-based servers to fortify privacy with a solid range of regulatory measures.

Controversy-ridden video conferencing platform Zoom has ‘eventually’ come under the radar of the Government of India. The Ministry of Home Affairs has put out a detailed two-page long advisory for Zoom users in India, to safeguard their ‘virtual’ meetings from prying eyes, deeming the video conferencing platform ‘unsafe.’  Zoom has been in the eye of the storm lately, as surge in usage and growing popularity have also brought to light, ‘major’ privacy and security issues around the world. The video conferencing platform that has seemingly become an overnight sensation during the ongoing Coronavirus crisis has been quick to bounce back with solutions to some of these issues, but, somehow, newer, more concerning issues keep piling up every other day.

Of late, there has been a sudden surge in demand for online and digital intermediaries like Zoom, Microsoft Teams, Microsoft Skype, Cisco WebEx, G-Suite, Slack and Adobe Connect, which provide services such as video conferencing, screen sharing, remote access, file sharing, cloud services, and audio calls. In a write-up written by Gateway House: Indian Council on Global Relations by Ambika Khanna, Senior Researcher, International Law Studies Programme and Sagnik Chakrabaorty, Resercher, Cyber Security Studies observed that the immediate beneficiary has been Zoom Video Communications, Inc. which saw revenues grow 88% in the last fiscal year to $662.7 million.

Name of Company Headquarters Investor(s)
Zoom U.S. Sequoia Capital, Horizon Ventures, Qualcomm Ventures, amongst others
Skype U.S. Microsoft, Threshold, Silverlake Partners, amongst others
Teams U.S. TPG, Goldman Sachs, amongst others
Cisco WebEx U.S. China Development Industrial Bank, International Capital Partners, amongst others
Slack U.S. Social Capital, Thrive Capital. Comcast Ventures, amongst others
Zoho India and U.S. Minority stakes: AmerindoInvestment Advisors, Caesars Entertainment. Also, has a group company in Beijing, China (and therefore, likely to have data servers in China)

However, digital companies are now struggling to successfully address privacy concerns that come with the unexpected rise in demand for their platforms. End-to-end encryption, usage and retention of data of consumers are the key issues,especially with the cyber security challenges of hacking and phishing accompanying increased demand

Zoom, the most popular platform, is widely used by educational institutions, business, and even governments. Various governments have put it under the scanner for its weak security systems, including routing its services through China-based servers, effectively giving China access to stored data. Zoom has since revised its privacy policy, but users, particularly leading global companies, continue to be wary. The Indian government, for its part, has a robust digital service provider in the National Informatics Centre (NIC), which inter-alia provides the video-conferencing facility, used by the government for meetings and judicial bodies for hearing urgent matters, besides other requirements.

Most popular digital platforms are based overseas  with their data servers. Therefore, the data of Indian companies, which use the platform, is being stored in a foreign server. Files are stored in SharePoint and backed by SharePoint encryption, Notes are stored in OneNote and backed by OneNote encryption. This reflects the passage of a user’s data through multiple mediums, making it important to have end-to-end encryption of data at every level.

Therefore, it is paramount that privacy and retention policies provide adequate security details to a user. For example, whether end-to-end encryption includes user-to-user encryption i.e. the data which is shared directly between two users of a platform;the limitation on the period for storage of data; details about the location of servers where data will be stored; and user consent for sharing data for advertisements.

Equally, users too need to fully understand privacy policies as responsibility is often placed on them. For example, applications have default settings, including retention of data forever that the user can change. This is especially critical now, when sensitive information, such as medical data, is being shared digitally. Malicious actors can exploit a crisis. Several major global cyber organisations, such as the U.S.’ Homeland Securityand India’s Computer Emergency Response Team-In have issued advisories in this regard.

Meanwhile, businesses are stepping up their security as company systems and machines move from a secure private network to public ones. To enable a secure infrastructure away from office premises, companies, especially those in the information technology business, are undertaking three critical measures:

a) Use of enterprise Virtual Private Network (VPN)

A VPN provides an anonymous passage to a user and the website that the user intends to visit by encrypting data to prevent malicious actors from accessing and/or misusing it. India’s CERT-In, the U.S. CERT, and the UK’s National Cyber Security Centre have prescribed VPN as one of the secure solutions for remote working. CERT-In also advises VPN be used along with a multi-factor authentication feature to ensure that the right user has access to a company’s internal system.

Corporates use enterprise VPNs with VPN servers, located worldwide, offering scalability and flexibility to employees. The U.S.’ Cisco and Juniper Networks are market leaders in providing VPN services. Companies operating in countries with restrictive internet access can use only those VPNs approved by the particular country’s government. For instance, China does not allow all VPN service providers to operate freely, only those which allow backdoor access to Beijing are permitted to operate.

b) Encrypt disks

A high degree of disk encryption ensures all data saved in the computer is unreadable/ difficult to break if accessed by unknown entities. With employees working from home on office computers/ laptops, there is a risk of computers being stolen or lost. Disk encryptions are provided by either the Operating System such as Windows or computer manufacturers like IBM or security software providers such as McAfee. Unencrypted drives do not guarantee security. For instance, in December 2019, Facebook lost unencrypted hard drives containing the data of 29,000 of its employees. In December 2017, Coplin Health Systems, U.S. a primary healthcare service provider in the states of West Virginia and Ohio, lost an unencrypted laptop which contained the data of 43,000 patients.

c)Disable output ports

This is a simple and easy measure that provides an additional layer of security. Disabling USB ports and CD/DVD drives prevents employees from stealing data and stops other malicious actors from implanting viruses or invading a secure system. An invasion by an external drive can jeopardize the entire company’s network. A good example is that of Edward Snowden, who had allegedly used USB thumb drives to extract data from the U.S. National Security Agency.

These concerns should not be taken lightly, especially now. It is time for the Indian technology industry, globally known for its skills, to use its valuable knowledge to mitigate the challenges faced by users in today’s COVID-19 era world wide, and to leap to the next level – beyond being outsourcers and software developers for multinational companies. The Indian private sector should indigenously develop secure and reliable platforms which are scalable and whose data is stored on servers in India.

On the policy front, non-binding policies and state regulations to govern cyber security do exist in India. But it is vital to draft and pass a uniform cyber security legislation that governs the current digital environment, one which is vulnerable to cyber security risks that impact the Indian economy.