SolarWinds hack: CISOs need to revisit cyber resilience?

by | Dec 23, 2020 | IT Security

The SolarWinds hack has highlighted the threats caused by third-party vendors and challenges the cyber resilience position of enterprises.

What many organizations feared came true! The year 2020 brought another shock to the business community last week with the discovery of a new cyberattack in the United States, the ‘SolarWinds hack’. The attack is an opportunity for enterprises and CISOs to reflect on their cyber resilience strategies. (See: Top enterprise cybersecurity trends of 2020)

For the uninitiated, California-based cybersecurity company FireEye uncovered the SolarWinds hack last week and estimated that the cyberattack campaign might have started as early as spring 2020 and remained undetected for months.

The cyberattack emerged as one of the largest ever targeted against the U.S. Government and several other global companies, threatening organizations’ cyber resilience levels. To date, dozens of emails from the U.S. Treasury Department have been confirmed as compromised.

The attack was carried out by cybercriminals who compromised the infrastructure of SolarWinds, an American IT software company, and then used that illegitimate access to insert malicious code into the software updates the company sends out to its more than 30,000 clients, which include several departments of the U.S. Government. SolarWinds stated that the updates issued between March and June 2020 were contaminated.

Several industry observers have also criticized SolarWinds’ lackluster approach to addressing its shortcomings, for instance the Chief Information Security Officer (CISO) position long vacant on its board and the notifications issued to customers about deactivating antivirus tools before installing SolarWinds software.

Far-reaching effects

While the timeline of the SolarWinds hack is still unfolding, the breach is disturbing to the whole IT industry, as it can have a far-reaching effect on many big organizations’ networks and calls their cyber resilience levels into question.

The SolarWinds breach shows that most organizations are appallingly ill-equipped to detect and prevent this kind of software supply chain attack. SolarWinds boasts that it has been working with 425 of the U.S. Fortune 500 companies and hundreds of universities and colleges globally. This means that the impact of the attack could prove severe in the coming days.

Top tech companies Intel, Microsoft, Cisco, and NVIDIA have all confirmed their exposure to the malicious software and are undertaking the necessary investigations to gauge the impact.

In a column published in the New York Times, Thomas P. Bossert, a former domestic security adviser to President Trump, notes that supply chain attacks of such magnitude require significant resources and sometimes years of execution.

Bossert also opined that a foreign state might have launched the SolarWinds hack in a well-orchestrated way. If this assessment proves correct, the consequences could be more hazardous. For instance, in war-like situations, confidential government data could be modified or erased by hackers instantly to cause financial loss or gain undue strategic advantage.

Stresses lack of preparation of organizations

As we move into 2021, the SolarWinds hack has once again underlined that nothing is completely secure in this ever-evolving threat landscape. Indeed, no vendor or solution can fully guarantee the protection of an enterprise’s networks. Perfect information security is a myth, but the key is resilience. (See: How COVID-19 has changed cybersecurity focus for 2021)

The last few weeks must have been more strenuous for CIOs and CISOs, who would need to spend long hours evaluating the impact of the SolarWinds cyberattack on their networks, systems, and data. It’s time for enterprises to seek answers to some key questions more vigorously:

  • Do you have a contingency plan to combat accidental breaches and unknown threats?
  • Do you depend on a single security vendor (say, for VPN, network monitoring, and network slicing), or do you want to onboard different security vendors to safeguard your networks?
  • Can you change your defense approach to strengthen your cyber resilience levels?
  • Are you regularly testing your multiple endpoints and operating systems and keeping them secure?
  • Have you evaluated the risks of third-party software vendors and analyzed their ability to combat sophisticated threats?
  • Is your service-level agreement updated?

The SolarWinds hack could be a catalyst for technology leaders to rethink and analyze all their security solutions and potential points of network vulnerability in the context of modern-day technologies. Much may still be undisclosed, and more details about the damage from the breach are likely to continue to come out in the next few weeks.





VIL joins Apple Watch Cellular club for select circles

Vodafone Idea Limited (VIL) has finally launched the Apple Watch Cellular (GPS + Cellular) service. According to a company release, this service is available for Vodafone Postpaid customers, including Enterprise Postpaid, in select circles of Mumbai, Delhi, and Gujarat beginning 12 June 2020. Services will continue to be expanded to additional circles in the coming weeks.

Before VIL, only Bharti Airtel and Reliance Jio were providing the cellular service to Apple Watch users in India.

The announcement comes as a bonus for many postpaid enterprise subscribers of VIL who have been using Apple Watch for a variety of enterprise implementations. Starting today, they have the freedom to leave their phones behind and stay connected with just their Apple Watch, which lets them make calls, use a wide range of productivity apps, and stream Apple Music, even without having the iPhone nearby.

Speaking about the development, Avneesh Khosla, Director–Marketing, Vodafone Idea Ltd, said, “Consumers today are increasingly moving towards having connected products in their lives. With the launch of cellular support for Apple Watch we are enabling our customers to connect their Apple Watch to their iPhone using the same / existing mobile number and enjoy the freedom of using their Apple Watch independently to stay connected.”

How to set up the service:

  1. Update iPhone to latest iOS
  2. Open the Watch app on your iPhone
  3. Start the pairing process of Apple Watch and iPhone
  4. Sign in with your Apple ID and password to continue
  5. Tap “Setup Mobile Data” to share your Postpaid number and plan with Apple Watch
  6. Enter your Vodafone postpaid number and self-care password
  7. (Note: If not registered then tap on register to login to register your phone number)
  8. Tap confirm once login is successful
  9. On second confirmation the service will get activated within 30 minutes

It is important to note that enterprise postpaid customers will need prior confirmation from their authorized signatory to set up the service.

Tech M joins UNGC club on climate action

Digital transformation, consulting and business re-engineering services provider Tech Mahindra has signed a joint declaration with UN Global Compact (UNGC), urging governments to align their Covid-19 recovery efforts with latest climate science. Incidentally, Tech M joins UNGC club on climate action on World Environment Day.

The UN Global Compact provides a universal language for corporate responsibility and provides a framework to guide all businesses regardless of size, complexity or location.

Tech Mahindra has joined 155 global companies in calling for policies that will build resilience against future shocks by supporting efforts to hold global temperature rise to within 1.5°C above pre-industrial levels, in line with reaching net-zero emissions well before 2050. The statement comes as governments around the world are preparing trillions of dollars’ worth of stimulus packages to help economies recover from the impacts of the coronavirus pandemic, and as they prepare to submit enhanced national climate plans under the Paris Agreement.

Tech Mahindra said that this declaration was an effort to reinforce its commitment toward reducing its carbon footprint and emissions and conserving energy using new-age technologies such as internet of things, artificial intelligence and blockchain. The company has also claimed to have implemented an internal carbon price of $10/ton CO2 to boost green investments and to have adopted a low-emission technology path to increase the use of renewable energy from 1.7% in 2016 to 18% in 2020. Moreover, it has also set a target to increase the share of renewable energy to 50% by 2025.

CP Gurnani, MD & CEO, Tech Mahindra, said, “Covid-19 has allowed all of us to reconfigure our priorities and understand the importance of building a sustainable world – by focusing on healthcare and leveraging technology to enable new ways of working. At Tech Mahindra, we are committed towards building a sustainable business with responsibility and by creating value for our stakeholders, while also keeping in mind the long-term impacts on the environment. It’s time to focus on and implement technology-led solutions that will help us reboot.”

The United Nations Global Compact has stated that the 155 signatories span across 34 sectors and have a combined market capitalization of more than $2.4 trillion, representing 5 million employees. The business voices are convened by the Science Based Targets initiative (SBTi) and its Business Ambition for 1.5°C campaign partners, the UN Global Compact and the We Mean Business coalition.

Sandeep Chandna, Chief Sustainability Officer, Tech Mahindra, said, “Covid-19 has made businesses realize the importance of adopting strategies which will deliver innovative solutions without adversely affecting the environment. Our commitment towards going carbon neutral, conserving, and deploying resources efficiently will help us to accelerate our transition to a low carbon economy while creating sustainable value for our stakeholders. As part of our TechMNxt charter, we have incorporated reduction of emissions as a key aspect to every function’s mandate and our overall business strategy.”

Tech Mahindra also works closely with partners and customers to help them increase energy savings, digitize and automate operations and create collaborative work environments addressing the need for sustainable practices. This includes solutions like micro grid as a service, smart city solutions, smart grid, smart data hubs, smart street light, smart bin, smart energy management, smart metering and analytics, intelligent electric vehicle charging system (IEVCS), and community action platform for energy (CAPE).

Abu Dhabi fund Mubadala invests in Jio for 1.85% stake

Reliance Industries Limited and Jio Platforms Limited have announced that Abu Dhabi-based sovereign investor Mubadala Investment Company will invest ₹ 9,093.60 crore in Jio Platforms. With Mubadala’s investment, the total investment in Jio goes up to ₹ 87,655.35 crore from leading global technology and growth investors including Facebook, Silver Lake, Vista Equity Partners, General Atlantic, KKR, and Mubadala in less than six weeks. (See: Telecom deals will transform mobile payments in India)

Mubadala’s investment will translate into a 1.85% equity stake in Jio Platforms on a fully diluted basis. The deal comprises an equity value of ₹ 4.91 lakh crore and an enterprise value of ₹ 5.16 lakh crore.

Mukesh Ambani, Chairman and Managing Director of Reliance Industries, said, “I am delighted that Mubadala, one of the most astute and transformational global growth investors has decided to partner us in our journey to propel India’s digital growth towards becoming a leading DIGITAL NATION in the world. Through my longstanding ties with Abu Dhabi, I have personally seen the impact of Mubadala’s work in diversifying and globally connecting the UAE’s knowledge-based economy. We look forward to benefitting from Mubadala’s experience and insights from supporting growth journeys across the world.”

Khaldoon Al Mubarak, Managing Director and Group CEO, Mubadala Investment Company, said: “We are committed to investing in, and actively working with, high growth companies which are pioneering technologies to address critical challenges and unlock new opportunities. We have seen how Jio has already transformed communications and connectivity in India, and as an investor and partner, we are committed to supporting India’s digital growth journey. With Jio’s network of investors and partners, we believe that the platform company will further the development of the digital economy.”

Mubadala invests and partners to advance Abu Dhabi’s diversified, globally integrated economy across sectors that are driving global growth and addressing critical challenges. A significant aspect of this mandate is transformative information and communications technology investments which include cognitive computing, ICT infrastructure, telecoms, and satellite operations.

The transaction is subject to regulatory and other customary approvals.

Morgan Stanley acted as financial advisor to Reliance Industries and AZB & Partners, and Davis Polk & Wardwell acted as legal counsel.

Jio Platforms Limited is a wholly-owned subsidiary of Reliance Industries Limited, and is the parent company to Reliance Jio Infocomm Limited.

Telecom deals will transform mobile payments in India

Ahead of monsoon’s arrival, the Indian telecom sector is pepping up for an enthralling deals season. While the spotlight is on Jio Platforms, investment speculations are abuzz for Vodafone Idea and Airtel too. These strategic investments (between global internet giants and Indian telcos) have the potential to transform mobile payments in India.

While the Facebook-Jio deal announced on 22 April continues to be a towering one, other significant deals involving Jio Platforms have also taken place. Abu Dhabi-based Mubadala Investment Company has announced that it will invest ₹ 9,093.60 crore for a 1.85% equity stake in Jio Platforms on a fully diluted basis.

More such investments in Jio Platforms are understood to be brewing.

The Jio Platforms deals have stoked similar developments for other telecom players as well. Earlier, there was a buzz around Google mulling a stake in Vodafone Idea Limited (VIL) and now a likely investment by Amazon in Bharti Airtel is the talk of the industry.

The landfall

It all started with Facebook buying a stake of 9.9% in Jio Platforms, which is a parent to RJio, India’s biggest telco by subscribers as well as revenues. The deal was valued at Rs 43,574 crore.

Four other significant stake purchases in Jio Platforms followed within a month’s time by various global majors, mostly investors. These were: Silver Lake (1.15% stake for Rs 5,656 crore), Vista Equity Partners (2.32% stake for ₹11,367 crore), General Atlantic (1.34% for ₹6,598 crore), KKR (2.32% for ₹11,367 crore), and Mubadala Investment (1.85% for ₹ 9,093.60 crore).

Thus, in a span of just six weeks, a total of ₹87,655.35 crore has flowed into Jio Platforms’ coffers for a stake sale of 18.97%. It is understood that the amount would be used by super parent Reliance Industries Limited (RIL) to pare a sizable chunk of the debt it took for the RJio telecom services subsidiary.

Why so bullish on Indian telcos?

With India’s telecom average revenue per user (ARPU) being among the lowest worldwide and the telcos being neck-deep in debts, the enthusiasm of foreign investors seems mystifying at first sight.

In the last few years, several consolidations and shakeouts have brought down the number of private-sector telecom players from around 15 to just three. A number of foreign investors have lost their monies in the process. There even have been speculations that the sector could end up being a duopoly in the long run.

It is also a well-acknowledged fact that not only voice but even data is now commoditized. This means that investments made into pure-play voice or data networks could take very long periods to recoup. In fact, given the high cost of assets (including spectrum and licenses) and the consistently low ARPUs, it is even likely that those investments may never find a profitable return.

This newfound enthusiasm and rush of foreign investors then can’t imply confidence in India’s telecom story. It has to be something much more promising and bigger.

It’s the mobile payments story

A look at the investments made in Jio Platforms shows that the mobile-payments factor has played a driving role. If Google and Amazon decide to invest in VIL or Airtel, that too would be driven by a mobile payments consideration.

As noted in another Better World story (See: Will FB–Jio deal create magic?), while Reliance Jio already has a UPI license for its Jio Money payments platform, WhatsApp is yet to receive a license for rolling out a payment service for all its users in India.

A 9.9% stake in Jio Platforms opens the possibility for Facebook to process mobile payments over WhatsApp using Jio Money as an enabling platform. This could mean a world of difference for Facebook, which has silently watched Google Pay and Amazon Pay amass significant user base and gross transaction values.

According to the National Payments Corporation of India (NPCI), the UPI payments market, including mobile payments, stood at Rs 2.18 trillion for the month of May 2020 alone. Also, Google Pay is understood to be having more than 65 million active monthly users.

Facebook is eyeing a big slice of the UPI pie in India, which as per Better World estimates, will be more than Rs 25 trillion in FY2020-21.

Clash of titans awaited

Despite a strong foothold in India, Google can’t risk undermining Facebook’s capabilities. It will certainly like to bolster its position further in the mobile payments market. Amazon too would like to protect and grow its market share.

So if Facebook has taken a stake in RJio’s parent Jio Platforms, it may be logical for Google and Amazon to identify strategic investment opportunities with other pan-India telcos. The obvious choices would be VIL and Airtel. However, while Airtel holds a UPI license, VIL doesn’t have one (it surrendered the M-pesa license last year). Nevertheless, VIL continues to be the second-largest telco by number of subscribers.

On the BSE, stocks of VIL and Airtel rose 6.41% and 3.89%, respectively, on 4 June, while the Sensex closed marginally lower by 0.38%.

It is another matter that while a 5% stake sale could get Airtel cash worth USD2 billion, a similar stake sale would get VIL just around USD110 million at current valuations. So while a stake sale would enable Airtel to pare a significant part of its debt, for VIL it would only amount to a short lease of life.

This also means that for a VIL deal to be strategically meaningful, a larger stake sale would be required. It remains to be seen if VIL would embrace such an idea, especially at a time when the telco has witnessed some green shoots in the recent months.

That consideration apart, there is a high potential that telecom deals will transform mobile payments in India. This will also change the dynamics between telcos and over-the-top (OTT) companies at large. More about that later.

India gears up for AI leap in post-Covid-19 era

Emerging technologies such as artificial intelligence (AI) and robotic process automation (RPA) are swiftly disrupting almost every aspect of our lives. It is about time that India geared up for an AI leap too.

The capabilities of AI, in particular, are being widely tested by global organizations for automating tedious tasks, improving decision-making skills, and providing exceptional experience to their users. AI enables processing of data to provide intelligent insights and identify various prediction models. (See Accenture fortifies AI know-how with Byte Prophecy buy)

With the technology expected to transform several mundane jobs in future, the Indian government too seems to have woken up to the benefits of AI. It is making strong efforts to develop a robust ecosystem around AI, which is also touted as a technology to watch in the post-Covid-19 world. The technology has already been leveraged by many countries, including India, to fight the Covid-19 crisis and expedite the search for its treatment or prevention.

A new AI portal is born

Taking a cue from the global governing bodies, India has recently launched a National Artificial Intelligence Portal to promote and showcase local AI-related advancements. The website has been developed by the National Association of Software and Service Companies (Nasscom) in consultation with the National e-Governance Division of the Ministry of Electronics and Communications Technology (MeitY).

This digital platform is part of the Indian government’s extensive focus on AI. It is expected to bring all the stakeholders—MeitY, NITI Aayog, Nasscom, and Department of Telecom (DoT), among others, on a single platform. It’s a much-needed initiative that could enable a regular dialogue with businesses and state departments around AI’s potential. This would also encourage private firms to develop innovative applications and new modules.

“India must be a leading country in the development of Artificial Intelligence in the world, leveraging upon its vast Internet-savvy population and data it is creating. India’s AI approach should be of inclusion and empowerment of human beings by supplementing growth and development rather than making human beings less relevant,” Ravi Shankar Prasad, Minister for Electronics & IT, Law & Justice, said, while addressing the delegates at the launch event of website.

India had earlier announced the launch of an AI task force to develop strategies around AI. The government had also committed a significant proportion of the Rs 3,063 crore Digital India budget toward AI advancement in the country.

Notably, India is not the first country to have launched a state-sponsored AI platform. In 2019, the USA had launched its website to highlight AI initiatives taken by the Donald Trump government and federal US agencies. Similarly, countries like Singapore and Australia have already established nationwide programs in their respective countries to harness the potential of AI.

Embracing the new world

In the post-Covid-19 world, the adoption of AI-based solutions is expected to be pervasive. Not only could AI help meet new services demand, but also enable enterprises and governments to be ready for any such future crisis and ensure employee safety.

For instance, AI technology can apprise farmers and the respective authorities in advance about crop anomalies by interpreting various algorithms through satellite images or sensors. This can help streamline supply chains and enable farmers to take timely action to protect their yields, especially during unprecedented times like today. Similarly, by using AI-driven predictive models, the government can also gauge the number of hospital beds required in case of a second or third wave of pandemic outbreaks in the future.

Many enterprises are ahead of the curve and are scaling up their conversational chatbot capabilities to address customer queries efficiently and provide a customized experience. An example is Grofers, a leading e-commerce company in India, which has been able to deliver essential goods to its customers and record their complaints efficiently, even during the lockdown period, by investing heavily in machine learning.

Similarly, Apollo, one of the largest healthcare groups in India, took some revolutionary AI measures last year that are helping it diagnose Covid-19 patients. It has collaborated with Israel-based company Zebra Medical Vision to integrate a machine-learning solution that evaluates computed tomography (CT) scans of suspected Covid-19 patients and recommends a necessary course of medical care.

In an interesting development, Reliance Industries Limited (RIL) recently unveiled the country’s first AI-enabled chatbot on WhatsApp. The chatbot addresses queries of stakeholders regarding RIL’s Rs 53,125-crore rights issue, through which the company plans to make its balance sheet debt-free by March 2021.

As social distancing measures and remote working are likely to remain in practice for a long enough time, technology leaders would be keenly looking at AI-based innovations to monitor the health of their employees and adapt their HR strategies in case there is increased risk to lives.

It looks like AI technology is on an accelerated path to becoming mainstream in India. Let’s hope it helps transform our world into a safer and more prolific one.

Aarogya Setu needs to overcome more privacy issues

Many governments across the globe have launched contact-tracing apps as part of their measures to contain the spread of Covid-19. These apps use Bluetooth and location-based technologies to identify people who may have been exposed to the pandemic and raise awareness among others. On 2 April 2020, India too launched a homegrown contact-tracing app, Aarogya Setu, to fight the spread of Covid-19. While experts agree that the intention behind Aarogya Setu is good, there has also been criticism around issues related to privacy. Some have even termed the healthcare app a sophisticated surveillance system.

In an exclusive interaction with Better World’s Jatinder Singh, Dr. Pavan Duggal, one of the top cyber law experts in the country, throws light on the overall issue and explains how the new guidelines around Aarogya Setu are a start in the right direction.

Excerpts from the interview:

Better World: The Government of India has recently made Aarogya Setu app for Android open source. Does this make Aarogya Setu less intrusive and quell the concerns being raised over privacy?

Dr. Duggal: I think making this app open source is a first step towards transparency. However, that alone doesn’t mean that it is now completely secure and transparent. I’ve yet not seen any privacy terms in the privacy module of the app describing how it (Aarogya Setu app) complies with the requirements on cyber security under the Indian IT law. Users are still not sure whether the government is putting the reasonable security practices and procedures in place with respect to their data.

It is also not clear how the app complies with ISO 27001, an information security standard that systematically examines an organization’s information security risks, threat possibilities, vulnerabilities, and impacts. So, still, a lot needs to be done.

Better World: So, in hindsight, is it that the app was launched hurriedly and the government is now trying to play catch-up?

Dr. Duggal: I think it’s [Aarogya Setu app] a work in progress. The intention of the government is noble. In fact, everyone’s intention is wise and revolves around defeating Corona. However, the earlier approach adopted by the government was neither prudent nor feasible. It was trying to compel smartphone users to download an app, which was insecure and had little attention to privacy. Now, by taking these steps, the government has become sensitive to the criticism it has received and is constructively trying to identify ways to better the Aarogya Setu app.

Better World: The government has also announced the launch of a ‘Bug Bounty’ program, which states that anyone who identifies and submits a bug or suggests improvements in the Aarogya Setu app will be rewarded. How will this make the app more secure in future?

Dr. Duggal: Well, this is an implicit diversion from the earlier stand that Aarogya Setu was completely safe and secure. Realistically, no computer system across the world is completely and comprehensively secure. The announcement of the Bug Bounty program is an attempt by the government to track and identify the loopholes in the Aarogya Setu app, which are many. Once the program provides cues to more vulnerabilities, the government will potentially work on addressing those loopholes.

It is important to note that the bug bounty program has no connection with the intrinsic architecture of the Aarogya Setu app. The program just says that here is my program and here is an open source code, please attack and let me know the vulnerabilities. It doesn’t say how I can alter my architecture.

Better World: From a cybersecurity perspective, what should be the next steps that the government should take to make Aarogya Setu truly reliable?

Dr. Duggal: Right now, the challenge is that this app is speaking less and hiding more. When you read those terms and conditions before downloading the app, you know that the app is capturing data every 15 minutes. However, it says that the data will be submitted to the server only when you will be identified as distinct Covid-19 positive. Let’s suppose, you download the app today and you become Covid-19 positive after 18 days. From today, till the next 18 days, the app is collecting data every 15 minutes. But where is the data going? Where will it be stored? Who is accessing it? Nobody has an answer to these questions.

Moreover, if you look at the Aarogya Setu app, it has no end date. That means it is going to continue for a long, long time. Also, it is logical to expect that the government will keep the app active even after winning the first phase of corona. So, I believe that the privacy related issues need to be dealt with separately and independently, specifically in connection with the architecture of the Aarogya Setu.

