CBSE website lesson: Indian digital infra is not ready for AI tools like Mythos
The fiasco with the CBSE website and its On Screen Marking (OSM) system has jeopardised the future of thousands of Class 12 students. Yet, it can also teach a lesson to the country if our government is willing to learn. It is a lesson that may come in handy in the AI era when tools like Mythos arrive.

For a country that calls itself an IT powerhouse, it is a matter of shame, utter and plain shame, that we cannot secure one of our most important websites. Not even days after a couple of teenagers breached it, pwned it, played around with it. It’s the CBSE website. So shoddy is its security that it deserves nothing but contempt. And contempt is what it is getting from a few teenagers, who have repeatedly hacked it in the last week.
To give you an idea of what I am talking about, India Today Tech asked a digital security expert to rate the CBSE website on a scale of 1 to 10. He rated it zero!
As sad and pathetic as this saga is, having impacted hundreds of thousands of Class 12 students, an even more alarming aspect of the story is that the CBSE website is not an exception. Indian organisations, both government and private, are, for various reasons, terribly poor at digital security. Every website, every piece of digital infrastructure is suspect.
Call it poetic given that we are talking about CBSE, an agency that is supposed to teach our children the right lessons, but there is a lesson to be learnt from the organisation’s incompetence. It is an important lesson and I hope our government and policy-makers are paying attention. It is a lesson that is also timely, because if we don’t fix our digital security now, in the AI world with tools like Mythos available easily, India’s digital infrastructure will crash and burn. I am certain of that.
Like many other issues that plague our country, digital security — or the lack of it — too is self-inflicted. India indeed is an IT powerhouse. As a country we have some of the best IT security people. There are Bug Bounty Programs run by companies like Google and Apple, where Indian hackers and security researchers often win thousands of dollars. But all these skilled people mostly work with big tech companies. Or independently, again for big tech companies.
Lack of skilled engineers is not a problem, not when it is about something as elementary as website security. Instead, the problem is the policy and the mindset that govern our digital hygiene and security. And, of course, there is corruption.
Take the example of the CBSE website and its OSM system. All signs indicate that it is managed by starkly incompetent people who happen to be in the position of managing such important digital systems because they know someone who knows someone who knows someone very important. They are not the best people for the job. And the best people are not on the job because somewhere someone, along with a bunch of others, is making some money from this incompetence in the system. This money can only be made by creating a system full of incompetent people, something on the lines of peanuts, salaries and monkeys.
It is the same for the entire digital infrastructure in India. It is our culture to cut corners, and when corners are cut in digital security, it creates systems that leak like chai ka channi.
CERT-In is supposed to be the premier cyber security organisation in India. My first brush with the organisation was around 15 years ago. One meeting with its staff and I realised, despite my lack of any technical knowhow, that I was dealing with people who are not very keen on cyber security. Over the years, I have seen Indian CERT mostly do one thing: issue advisories. These advisories are almost always based on news pieces or security bulletins published by tech companies. For example, Apple will release an update to iOS and highlight that it has patched the ABC vulnerability. The next day CERT-In will take the details of that update and push out an advisory saying everyone must update their iPhones to this version of iOS because it patches the ABC vulnerability. At least outwardly, there seems to be no original work or research that CERT carries out. Similarly, we never hear of any publicly transparent audits of the government systems.
At the same time, almost all government departments follow archaic security methods. And they practise zero digital hygiene. They all use third-party email services, such as Gmail. Almost all of them have leaky servers, from which people keep stealing data and then keep selling it on the open web.
One area where CERT-In has fallen short is in creating the best digital practices in the country, and bringing about a policy change that makes digital security and privacy a central tenet of our websites and systems. Instead, with no policy framework available, digital security is an afterthought in India. After all, even companies that are part of critical sectors such as telecom and finance are never punished or made accountable for poor security or data breaches.
The willing or unwilling failure to give digital security priority has turned Indian digital infrastructure into a joke that even 17- and 19-year-old boys can crack. It is not WWW in India. It is the Wild Wild West. God forbid one day India faces a truly catastrophic challenge, say a war with a tech-savvy country like China. In such a moment, the country would likely lose access to its CCTVs, critical infrastructure like airports and railway stations, and its most important websites within days.
Anything that is connected to the internet would be at risk because of how poorly we seem to have secured everything. Most of the custom software we have in our systems has holes. A lot of it is rarely updated and patched. Most of our hardware runs on outdated firmware and unsafe components.
Equally alarming is the fact that a hostile country is not the only danger now. There is adversarial AI as well. Just months ago, Anthropic announced Mythos, an AI system created specifically to breach digital infrastructure. Its role is supposed to be that of a white-hat hacker. In other words, it is supposed to test the digital security of websites, apps, servers, and find vulnerabilities that can be patched. It is extremely good at its job. But a knife cuts both ways. Once people have access to something like Mythos, it is bound to be used not just for defence but also for offence.
In general, I find the digital infrastructure in India so shoddily secured that a tool like Mythos will burn it down within days, like the storied dragons of Daenerys Targaryen scorching King’s Landing. But Mythos, and similar tools, are not yet out in the open. It will take a while for them to become publicly available. At least a few months. Or possibly a year or two. That is also the time the Indian government, organisations and companies have to secure their digital systems.
India needs an iron-clad policy around cyber security and privacy, particularly in critical systems. It needs it now. A policy that has no ifs and buts, no exceptions on this account or that, a policy that penalises lethargy and incompetence through regulatory and monetary fines. It also needs a serious audit and overhaul of government digital infrastructure, without corruption and with serious intent. Failure to do so will make the CBSE fiasco look like a blip in the AI era where even the tiniest of vulnerabilities will be exploited.