July 19 (Bloomberg) -- After a triple bombing in Mumbai killed 21 people last week, Prime Minister Manmohan Singh’s office issued a statement condemning the terrorist attacks -- from a Microsoft Corp. Hotmail address.
Singh’s staff’s use of a free e-mail account is typical of most government workers, who log into Hotmail, Google Inc.’s Gmail and Yahoo! Inc.’s e-mail to conduct official business. They also list those addresses on agency websites and business cards.
Bureaucrats avoid the government system because it covers only 10 percent of federal employees, doesn’t include the latest security patches and can’t be accessed via India’s 840 million mobile-phone connections. That preference for free e-mail accounts threatens the safety and veracity of government information because the data is moving through computer servers outside India, cybersecurity experts said.
“It’s a recipe for disaster,” said Pawan Duggal, a New Delhi lawyer who argues information-technology cases before India’s Supreme Court. “It’s really quite amazing that, as a nation, we haven’t yet woken up to the idea that sensitive government information should be shared through secure channels, not Hotmail or Yahoo.”
Tata Consultancy, Infosys
The Ministry of Commerce sends market-moving inflation data via a Gmail account, and the Indian Air Force uses another to send media updates on competitive bidding for an $11 billion combat-jet program. After a July 6 interview with Bloomberg News, Attorney General Goolam Vahanvati handed out Hotmail and Gmail addresses as the best ways to contact him.
Public servants shun an e-mail system in a nation with an $88.1 billion IT industry employing 2.5 million workers, making India the world’s largest outsourcing destination. The nation’s three biggest IT companies -- Tata Consultancy Services Ltd., Infosys Ltd. and Wipro Ltd. -- count Deutsche Bank AG and Citigroup Inc. among their clients.
The government system created by the New Delhi-based National Informatics Center usually requires an Internet-connected computer, and the World Bank said last year that fewer than 5 percent of Indians have ever used the Internet. Indians typically use smartphones to access e-mail.
Only senior government officials have smartphone access to federal e-mail, and a security precaution prevents them from sending messages to other NIC addresses, according to the NIC website.
B. K. Gairola, the director general of the NIC, did not respond to several phone calls and an e-mail seeking comment.
“It certainly makes sense that lots of people around India use Hotmail for all sorts of e-mail, both official and personal,” Microsoft’s India unit said in an e-mail. “Hotmail is convenient, secure and easily accessible.”
Google’s Gurgaon-based spokeswoman, Paroma Chowdhury, declined to comment.
A week before the terrorist attacks, Singh’s office used Hotmail to send condolences to the families of 65 people killed in a train derailment.
Singh’s spokesman, Harish Khare, did not respond to an e-mail sent to his government account seeking comment.
Using the government system requires going through NIC’s website. During the past decade, NIC created about 300,000 e-mail accounts for India’s 3.1 million federal employees to access through secure servers, said Siba Charan Pradhan, who is in charge of the messaging systems and anti-virus unit at NIC.
India’s domestic Intelligence Bureau issued a directive saying government workers must use official e-mail accounts, Pradhan said.
Accessing NIC’s website is complicated for those in remote parts of India, where Internet access is spotty and slow. Ministry of Environment and Forests employees list their Hotmail and Gmail addresses on the website because even basic mobile phones can receive e-mails, said Eknath Muley, a former director who retired last year.
“It’s quite alarming and sad that this is the situation in a country where the private sector IT companies are so advanced,” said Rakshit Tandon, a consultant with the Internet and Mobile Association of India, an industry group. “The use of private e-mail accounts needs to be stopped, once and for all.”
The government also is creating potential legal troubles for itself by using Hotmail and Gmail accounts, Duggal said. The host servers often are outside India, making jurisdiction complicated during instances of cyberfraud or hacking.
The Supreme Court has said in several cases that it doesn’t trust government statements or data sent through a free e-mail account, so it requested information through official accounts instead.
“When an official is defending himself by presenting information or exchanges from a free account, it produces the question of authenticity and veracity of information,” Duggal said. “And that starts giving the opposite end the opportunity to stand and challenge it.”
Before the government depends on its own e-mails, the system has to be upgraded to fix flaws, and users have to be taught to be more sophisticated, Tandon said. Official websites often don’t have the latest security patches, and employees share or use common passwords.
“There is a massive amount of proliferation and leakage in the government sector,” said Tandon, whose group has held workshops on cybersecurity with about 5,000 government officials.
The website of the Central Bureau of Investigation, India’s equivalent of the FBI, was defaced with anti-Indian messages in December. The government denied July 6 reports in local media that the website for the National Security Guards, the elite counter-terrorism unit, had been hacked.
In April 2010, hackers traced back to China accessed documents from India’s missile programs, security assessments of states bordering China and files from embassies worldwide, including two marked “secret,” according to a report by Information Warfare Monitor, a research group associated with the University of Toronto.
The Indian government was unaware of the attack until informed by researchers, the group said.
To contact the reporter on this story: Mehul Srivastava in New Delhi at firstname.lastname@example.org.
To contact the editor responsible for this story: Bret Okeson at email@example.com