14 March 2017 10:41:40 IST

A management and technology professional with 17 years of experience at Big-4 business consulting firms, and seven years of experience in high-technology manufacturing, Rajkamal Rao is a results-driven strategy expert. A US citizen with OCI (Overseas Citizen of India) privileges that allow him to live and work in India, he divides his time between the two countries. Rao heads Rao Advisors, a firm that counsels students aspiring to study in the United States on ways to maximise their return on investment. He lives with his wife and son in Texas. Rao has been a columnist for from the year the website was launched, in 2015, and writes regularly for BusinessLine as well. Twitter: @rajkamalrao

India unlikely to suffer from a Russia hack

Pic credit: Reuters

Thanks to controls imposed on India’s IT companies, most employees are obsessed with security

The Election Commission of India has, for the umpteenth time, pulled off its usual, unbelievable feat. Democracy was honoured yet again when assembly elections in multiple states went by smoothly with no reported untoward incidents.

Many countries look at India’s election machinery with awe and respect. The state of Uttar Pradesh alone, with over 200 million people, would be the world’s sixth largest country, had it been its own republic.

Polling hack

Meanwhile, one of the biggest news stories around the world since the election of Donald Trump has also been related to polling. The US government, backed by its intelligence agencies, issued a report in December which concluded that Russian intelligence, some directed by President Putin, attempted to hack the Democratic National Committee (DNC, also secretary Hillary Clinton’s party) for months with a clear goal: to defeat Clinton and catapult Trump to power.

To be clear, Russia’s interference did not touch the administrative process of voting. For example, the Russians did not inject malware into voting machines that somehow undercounted Clinton votes and over-counted Trump’s. The US government was confident about this because national elections in the US, unlike in India, are State’s responsibility, and different States use voting machines from different companies.

The vote counting process is also different from State to State. Some tabulate electronically, while others do so after verifying with paper ballots that are printed when someone votes. In the US, for security, not a single voting machine is connected to the internet, so the Russians would have needed to infiltrate each voting machine individually — a near impossibility.

Accusatory reinforcements

But what the Russians did was reinforce the narrative that Clinton was corrupt through pay-for-play accusations at her family’s foundation. The Russians simply hacked into DNC staff’s emails and the personal email of John Podesta, chairman of the Clinton campaign. It is alleged that Russia released these emails en masse to Wikileaks which revealed blocks of emails in a drip-by-drip fashion, leading up to the election.

So, could the Russians do mischief in Indian elections too? Anything is possible but the likelihood is really low.

Is India safe?

First of all, India is not yet a superpower and is still proud of its non-aligned foreign policy approach. The country might not rise to the level of importance as a China or a US, to warrant a Russian hack.

But could the Russians hack into emails of Indian politicians? Yes, but to most Indians, an email serves more as an identifier than as a communication tool. Indians don’t give out an email address — they give out their ‘mail ID’. Culturally, this contradicts with the American practice of using emails extensively as a tool to communicate and even gossip.

Most Indians prefer communicating via phone. Email communication, if it happens at all, is extremely brief because there is a certain cultural fear when it comes to committing to things in writing. Meeting minutes of meaningful interaction with colleagues — unless they involve a client — are rarely documented.

Even India Inc emails with foreign clients display a certain discomfort with the medium. Message bodies are rarely long, and standard one-liners are common: “PFA” — for please find attached — “documents for our weekly status call. Thanks.”

US Shakespearean play

There is little danger of Russians hacking into Indian emails if there’s nothing juicy in them to begin with. In contrast, the Podesta emails were like a full-blown Shakespearean play with unveiling plots, infighting, insults, and gossip! In India, such information would be exchanged over a cup of coffee.

Then there is the issue of lax security. Podesta had provided some of his staff members access to his personal email account. His Gmail password was “password”. He never used two-factor authentication, something the RBI has trained Indians so well on because India is an OTP (one-time password) nation.

And Podesta fell for the easiest trick in the hacker’s playbook — he (or one of his staff members) responded to a phishing email to change his password and he keyed in his password right within the email!

The IT controls

Thanks to the controls imposed on India’s IT companies by the US and other western clients, most employees in the sector have been trained to be obsessed with security. The demarcation lines between office and personal email in India are clearly drawn.

In many Indian companies, the ability to copy and paste is deactivated, and the ‘print screen’ button is disabled. Most employees are forbidden from accessing their private email accounts when they are at work.

At Indian banks, screens time out every five minutes — sometimes even when a customer is being served — requiring clerks to use fingerprint scanners to regain access. And access controls — limiting permission to features on a ‘need-to-know’ basis only — are strong.

Many of the young guns who worked as senior IT staff members on the campaigns of PM Modi and Congress candidate Rahul Gandhi had prior experience in India’s IT industry. And they would never have allowed a foreign entity to hack into their party’s systems.

Lax security

The average American workplace, in contrast, is a much more lax place to serve in. In many companies, employees routinely violate IT security policies by shopping online using office systems. I know of American friends who only have one email address — their office address — which they use even for personal transactions.

In many ways, it is no surprise that these lax policies were extended to the staff at the US Democratic National Committee. For a campaign that was adamant in defending the Hillary Clinton’s candidacy, no matter what story broke in the media, the organisation paid little heed to basic IT security.

Indeed, when the FBI warned the DNC that its systems were being hacked into and that the FBI wanted to inspect the DNC’s IT infrastructure, the FBI was told to not bother them! The DNC was paranoid about letting the FBI officials discover skeletons that could ultimately be leaked to the media.

The world looks forward to a much-awaited intelligence report about Russia’s hacking, that is currently being investigated by the US Senate. But during the next four years, we know one thing for sure — Trump’s emails will never be hacked, because Trump does not use email.