The government is upgrading its electronic messaging service to a more secure network. The national informatics centre (NIC), its information technology arm, will migrate all services on ‘mail.nic.in’ and ‘mail.gov.in’ to ‘email.gov.in’. So in a few months all official email accounts and data will migrate to the gov.in domain.
The new domain, among other things, would ensure “robust security mechanism for government data”. The government email system, which is used by all officials, right from the prime minister’s office to three defence services to security and intelligence agencies, has been criticised for lack of adequate security. Hackers have relentlessly targeted the NIC network.
A major exposé of the loopholes in the NIC email network came in 2012, when the government’s technical snooping wing, national technical research organisation (NTRO), revealed that over 10,000 email accounts including those of top bureaucrats were compromised.
At present, there are 1.6 million NIC email users. “This solution is proposed for two million users with a plan to grow to five million over the next five years,” says Neeta Verma, director general, NIC.
The revamp of the email network, however, was envisaged way back in 2014 when the ministry of communications and IT, now called ministry of electronics and IT (MeitY) – the parent body of NIC – had notified a policy for the same. The policy was formulated following an order of the Delhi high court, which took serious note of senior government officials using private email services.
The policy mandated NIC’s email as the de facto messaging service of the government at all levels: centre, state and district. It is another thing that it was never enforced, and several high-ranking officials continue to use private email services for official purposes. The policy remained on paper for three years for lack of funds and directives from the ministry, the department of administrative reforms or the PMO.
“The network would have enhanced security authentication mechanisms for users with geo-fencing and device mapping… a centralised e-mail architecture would ensure a robust security mechanism for government data,” says a note from MeitY.
Verma says that the 2014 policy states that every government employee should have an email address at gov.in. “Initially, we didn’t have the capacity [that is, infrastructure], so we didn’t force too much for compliance,” she says.
Email is an integral part of communications in the government. “It was pertinent to make it secure. We have deployed the best technology available,” she adds.
“As the government sites also moved from nic.in to gov.in, it’s better to do all communication using the latter domain. Moreover, over time threats have increased, so there was a need for increasing the level of security framework,” Verma says.
With geo-fencing, all government mail accounts will by default be accessible only from internet protocol (IP) addresses originating in India and not abroad.
Normally, hackers infiltrate an email network by making repeated attempts through ‘scripts’ (software programmes), or by punching in possible passwords. “Now that will not be possible, because a hacker can’t access account from outside,” claims the NIC chief.
“Someone will have to physically infiltrate the office premises to hack,” she adds.
The new system is flexible. One can restrict the access based on the country’s geography too – by selecting places or states from where one can access email.
The NIC would also map all devices that would access the email network. What it means is that users will have to register their devices first on ‘email.gov.in’ and then only those would be authorised for access.
“We will generate a QR code for each device, which will depend on a number of parameters related to the device,” Verma says. The QR code contains certain attributes of the device and the user’s account.
The users, says Verma, can download mails on registered devices only with an agent (software) configured in them that initiates connection to the authentication server. “In addition to token, access will be given with a correct combination of login and password,” she says.
Normally, officials access emails from the office computer, laptop or a mobile device. They will have to register all three devices. In case a user wants to access email from a non-registered device, she or he will get a prior notification on the primary device, seeking approval for access.
In Google, you get an email alert after the login [from a new device]. Here, the user will have to authorise the access.
“The authorisation will happen after a two-factor authentication, meaning that along with a login-id and a password, a user will have to give a challenge response,” she adds.
It is important to note that the NIC would not be using SMS-based OTP. “Out-of-band OTP is being deployed [which requires two communication channels instead of one as in the case of SMS-based OTP],” explains Verma.
In case of a registered device, a user may choose to log in using only a password and not an OTP. “It’s a matter of convenience – how secured a system you want to use,” she says. If it is a non-registered device then the user will have to use an OTP too.
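The access rules described above (geo-fence first, then password, then device registration, OTP and approval on the primary device) can be read as one decision function. The sketch below is an added illustration, not NIC's code: the names `Account` and `decide`, the result strings and the IP ranges (documentation ranges standing in for in-country addresses) are all assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-ins for "IP ranges originating in India" (documentation ranges).
IN_COUNTRY = [ip_network("203.0.113.0/24"), ip_network("2001:db8:91::/48")]

@dataclass
class Account:
    user: str
    registered_devices: set = field(default_factory=set)
    # The user's convenience choice: password alone on a registered device.
    password_only_on_registered: bool = True
    # Can be narrowed per account, e.g. to the ranges of selected states.
    allowed_networks: list = field(default_factory=lambda: list(IN_COUNTRY))

def in_geofence(account, source_ip):
    """True only if the source address parses and falls in an allowed network."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False  # unparseable source address: fail closed
    return any(addr.version == net.version and addr in net
               for net in account.allowed_networks)

def decide(account, source_ip, device_id, password_ok,
           otp_ok=False, approved_on_primary=False):
    # Geo-fence is evaluated before credentials, so password guessing from
    # outside the fence never learns whether a guess was correct.
    if not in_geofence(account, source_ip):
        return "deny:geofence"
    if not password_ok:
        return "deny:password"
    if device_id in account.registered_devices:
        if account.password_only_on_registered or otp_ok:
            return "allow"
        return "challenge:otp"
    # Non-registered device: the OTP is mandatory, then the owner must
    # approve the request on the primary device.
    if not otp_ok:
        return "challenge:otp"
    if not approved_on_primary:
        return "pending:approval-on-primary-device"
    return "allow"

if __name__ == "__main__":
    acct = Account("officer", {"laptop-01"})
    print(decide(acct, "198.51.100.7", "laptop-01", True, otp_ok=True))
    print(decide(acct, "203.0.113.10", "phone-99", True, otp_ok=True))
```

Note that a registered device with correct credentials is still refused when it connects from outside the fence, which is the case an official travelling abroad would hit.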
The officials may use digital signatures/encryption while sending restricted and classified documents, as stated in the policy.
The whole email eco-system anyway works on an encrypted channel, says Verma.
But experts believe that additional security measures taken by the NIC may not be sufficient for highly sensitive government offices. Alok Gupta, founder and CEO, Pyramid Cyber Security and Forensics, says that the authentication should be multi-factor and not two-factor. The NIC should have a biometric-based authentication. “Two-factor is not safe enough,” says Gupta.
The offices of the prime minister, defence and home ministries and three defence services, for example, would require more stringent security. NIC can have granularity in their approach to security in such places, says Gupta.
Jiten Jain of the India Infosec Consortium agrees and recommends a multi-layered security approach.
The NIC email system should have provisions to check email spoofing. At times, mail IDs are spoofed and used illegally. “I don’t look at the ‘header’ of the email. I only look at the email address and the mail. This [spoofing] happened with ONGC,” says Gupta.
The messaging system should have ‘information rights management’ to protect sensitive information from unauthorised access. Within the mailing system, one can define, with the help of rights management, who can view certain emails, for how long, and whether they can print or reproduce them. “This is not planned to be configured in the first phase. However, moving forward it would be offered as an add-on service,” says Verma.
This means that although NIC is securing the ‘access’, it is not doing enough to ensure security of the information, which would flow on the email network, says Gupta.
Equally important is the inculcation of cyber security culture in the government machinery. “See, the policy has been there for several years, but no one has been mandating it with vigour. For stricter compliance, first we have to put that infrastructure in place and simultaneously reinforcement will also increase,” says Verma.
Security apart, the new email service is feature rich. Not all government officials appreciate the existing NIC email for it lacks features and has a slower search system. The new messaging system will have features for better search and categorisation.
It will have a feature pertaining to ‘conversation emails’, wherein mails from different users follow a common thread and can be read together.
“We will have to procure the hardware. The entire data has to be migrated from existing email account to new email account. The process of migration shall take time,” says Verma.
The software is open-source, with multi-layer architecture and security. On the backend the system has a malware and virus cleaning facility.
“The storage is in petabytes. A large number of email accounts have gigabytes of data. There is no storage limitation for users currently,” Verma says.
In the meantime, the NIC has rolled out a pilot wherein it has migrated email accounts of a group of 400 officials from various central ministries and organisations. The feedback from the pilot is shared with the software development team working on the new email system, says Verma.
“In days to come we intend to bring sarkar.bharat -- Hindi domain. Today you can send email in Hindi, but you have to type email address in English,” says Verma. In the Hindi domain, the email address too can be written in Hindi.
(The article appears in the September 16-30, 2017 issue of Governance Now)