Why did WhatsApp keep quiet for a year?

Gulshan Rai/ former national cyber security coordinator

Dr Gulshan Rai, India’s first national cyber security coordinator, served a four-year stint as Prime Minister Narendra Modi’s cyber security adviser before leaving office on April 30. While he has no doubt that India must set its own house in order to deal with cyber threats, he wants companies like WhatsApp and Facebook to be more responsible. Excerpts from an interview:

Q/ There are allegations that government agencies are behind the breach of the phones of some hundred people.

A/ The government has denied the allegations and there is no reason to disbelieve it. On the other hand, the fact is that the government has been trying to enforce the law by asking WhatsApp to set up a server here. The government is trying to obtain the data related to crime and terror incidents in accordance with the law and has never tried to take undue advantage of any companies. There has been a problem of late with WhatsApp Pay seeking permission to operate in India. The Reserve Bank of India has asked them to comply with its data localisation norms which mandate it to house the data in the country. The fact is that the laws are in place and the intention is right. The issue is what steps the government needs to take to enforce the law and make these companies abide by the rules and regulations.

Q/ Why do you think the foreign companies have not been reined in?

A/ It is understood that WhatsApp CEO Chris Daniels had met government officials and he was conveyed the concerns. The hard stand of the government had been made clear. However, I feel that the India teams of platforms like WhatsApp and Facebook are not conveying the gravity of the issue to the social media giants. They have not displayed enough seriousness. The fact that data is being sold and companies are going scot-free is becoming a matter of concern worldwide. If these companies do not correct themselves in time and bring professionalism in their approach, they will lose out in the long run. Any company that wants to survive has to comply with the social needs of the people and respect the sovereignty of the nation. It has to be accountable to both the government and the people.

Q/ Is not the breach a lapse on the part of the cyber security set-up in the country?

A/ The information available in the public domain shows that WhatsApp became aware of the data breach in September 2018. The incidents were taking place in several countries. Why did WhatsApp take almost a year to inform the Central Emergency Response Team in India (CERT-In), the national nodal agency for responding to cyber security incidents, and file a suit against NSO in a US court? The first information to CERT came only in May 2019, and then in September WhatsApp filed the lawsuit. Why did WhatsApp wait for nearly a year to raise the issue? Why did it not change the software or change the app itself? It is a much deeper issue and we are examining the matter to reach the bottom of it.

Q/ What about NSO, the Israeli spyware firm, which is facing a lawsuit in the US for sending the Pegasus malware to target devices?

A/ NSO is running a business. Just like the companies that are selling arms and ammunition, NSO is selling its products. Can we blame the companies which are selling arms and ammunition or should we question those who collaborate to misuse these arms and ammunition? An independent investigation should be carried out to find out the truth.

Q/ Does not the incident raise questions about the capabilities of the government’s digital security agencies?

A/ Yes, it is high time we focused on our digital payment systems and foreign companies operating here. We need to take some hard steps to regulate business and make them accountable and answerable. The rules can be enforced by doing regular audits and inspections. We need to regulate the systems in such a way that it is a win-win situation where business can increase, more employment can be generated and the government can make companies answerable to it.

Q/ Do we need new laws?

A/ The proposed data protection law seeks to set up a Data Protection Authority of India to prevent any misuse of personal information. It calls for localisation of critical data and prescribes penalties and compensations. I believe the ministry of information and technology is also modifying the rules. It is a fact that the offenders are more advanced and sometimes the laws are slow to address the crime. But all laws evolve with time and keep pace with innovation and technology.

Q/ It is a fact that government agencies use cyber tools to gather intelligence. Do you think there could have been an overreach by some agency?

A/ The government agencies can look at traffic on the internet as per guidelines laid down under the law to tackle crime and terror for national security purposes. It does not allow agencies to procure spyware and the government has already denied the charges.

Q/ The breach at India’s largest nuclear facility, the Kudankulam nuclear power plant in Tamil Nadu, has once again exposed the vulnerability of vital installations to cyber attacks.

A/ The Kudankulam incident is a case of carelessness. Sometimes, cyber breach episodes happen due to carelessness of people. If people follow the rules and regulations and take precautions, the gravity will come down drastically.

Q/ The government’s first centralised cyber security architecture was created under your charge.

A/ I had tried to integrate all the agencies and institutions tackling cyber crime to cooperate with each other and we have been successful to a large extent. But we need to look ahead and plan what more needs to be done, what mid-term corrections need to be made, and how to prepare for the future. The focus has to be on strengthening and empowering the National Cyber Coordination Centre and other agencies to speed up the response time. The focus needs to be on procuring advanced equipment and building resources.