The current episode of WhatsApp surveillance has been more than a wakeup call for nations and stakeholders across the world. As much of cyber issues are being sought to be dealt from a multi-stakeholder approach, it is imperative for each of them to be able to pull up their socks and work towards a safe cyberspace
Last week the popular social media messaging platform WhatsApp owned by Facebook filed a case in a US federal court against an Israeli technology company—the NSO group—that sells the Pegasus spyware. This legal action was undertaken after WhatsApp announced in May this year about a new form of cyber attack where a vulnerability in its video calling feature was detected and blocked. They investigated thoroughly and could attribute these attacks to the NSO group. About 1400 WhatsApp users were targeted and breached by Pegasus across the globe. Out of them, 121 were from India that include journalists, academics, human rights and Dalit activists. Most of these surveillance attacks happened for two weeks from late April to mid May 2019.
Clearly this has caused a lot of worry among the 40 crore WhatsApp users in the country and fear if such spywares had compromised the platform that promised and took pride in its ‘end-to-end’ encryption. People started speculating about the perpetrators and motives behind those attacks and a few opposition leaders and their cohorts went to the extent of blaming the government and its agencies behind the move. However as soon as the news emerged, the government through the ministry of electronics and information technology (MEITY) in India had issued a notice to WhatsApp and its parent company Facebook to explain in details. Some media reports had also come out about WhatsApp informing the government in May and September this year about these attacks, but nothing was specifically mentioned about the specific targets. On the other hand in May, CERT-IN had issued an advisory about the exploit as it does for all such malwares and vulnerabilities and they often remain in the realm of the technical community only. Also in July this year, the global head of WhatsApp had met and reiterated the integrity of their platform to IT & Law Minister Ravi Shankar Prasad even as the latter and MEITY have been following up with WhatsApp for an optimal access for law enforcement requirements for more than a year.
The pertinent point is who is behind this surveillance and spyware-based hacking episode and where does attribution technology remain to nab the perpetrators accurately. Today with technology available, networks can be intruded from any geography provided the payload of the exploit is designed as such. In the current case, since this attacks involved the users from many countries, there is a greater need to understand the whole network that participated in the attacks. Much has moved forward from ordinary bots based attacks where computers remotely from various parts of the globe was involved. Pegasus is a very costly spyware tool that NSO has clarified that it has sold only to governments and under the Israeli export licence and so the question that arises is if the various government agencies that bought them participated in those concerted and coordinated attacks. Practically this might seem difficult to believe as most governments have well defined cyber monitoring procedures and used to their specific needs and not to any venture of rouge elements as it seems here. Since WhatsApp in its court complaint has mentioned about the attackers used servers and internet hosting servers that previously belonged to NSO and also many of the Whatsapp accounts used in the attacks related to NSO, it is a much serious issue of gross misuse and unregulated activity that has been undertaken. Clearly the offering of such products as Pegasus and its misuse or proliferation today qualifies as an act similar to clandestine nuclear proliferation that was peddled by rogues elements in Pakistan and North Korea. The role of both state and non state actors has to be examined in this current case where nations need to cooperate together to do this cyber investigation. While attribution tools still remain away from its optimal positioning, digital footprints still provide a much better avenue to trace the perpetrators. Clearly this episode is also a serious issue for the US regulators to address and assure the world as most of these social media platforms headquartered in their country are vulnerable to similar attacks that Whatsapp faced here. It must play a major role to ensure that such platforms remain safe for usage by individuals across the world.
Very interestingly, the opposition in India and many of their armchair commentators were quick to blame the Modi Government for the spyware attacks. Some even went to the extent of mentioning that the government didn’t get into the act directly but instead got its snooping agencies to do the job without realising the fact that all cyber monitoring have to undertaken under clearly defined orders. Both the MEITY and Ministry of Home Affairs (MHA) have clearly mentioned that they never instructed any form of cyber surveillance on anybody leave aside the Indians who have been the targets of the Pegasus attack. Also any form of online interception, monitoring and decryption are very well defined in India as per section 69 of the Information technology Act 2008 (IT Act) and the concomitant rules Set there in relation to the provisions as gazetted on the 27 October 2009 and then further elaborated on 20 December 2018. These provisions define clearly the procedures and the ten agencies that can undertake such actions and the competent authority is the union home secretary who can authorise such an action. Even authorised surveillance actions have to be reviewed by a committee headed by the cabinet secretary which meets at least once in two months. Likewise for states, the respective home secretary is the competent authority and chief secretary heads the review committee. No such authorisations have been there from any of the competent authorities for the monitoring of these individuals in India for the period in reference.
On the other hand, these attacks clearly qualify as cyber terrorism under the provisions of section 66 (F) of the IT Act and the effort should be to nab the perpetrators and support the government to take action on them. At the same time, the role of the social media has also to be more closely scrutinised by the government. Most of them have a wide open market in India and yet fail to address concerns raised by law enforcement and government agencies on a regular basis. Much of homework has to be done by WhastApp and also many of the other popular social media platforms to regain the public confidence. That will always be an ongoing game and an ecosystem of technical oversight and improvements and safe processes.
The current episode has been more than a wakeup call for nations and stakeholders across the world. As much of cyber issues are being sought to be dealt from a multistakeholder approach, it is imperative for each of them to be able to pull up their socks and work towards a safe cyberspace. A global regime to deal with cyber surveillance in the absence of geographical constraints and weak laws as also missing cooperation is the need of the hour. Hope this comes sooner rather than the blame games around.
(The writer is former country head of General Dynamics and writes on technology and policy issues)