Srinagar: With cyber security emerging as a major concern in Jammu and Kashmir after ‘Operation Sindoor’, the Union territory government on August 25 banned the use of external memory devices for official communication to “uphold data sovereignty and prevent security breaches”.

The ban to “protect sensitive government information” comes more than three months after Jammu and Kashmir’s online infrastructure and public service systems were affected by hundreds of cyber attacks, reportedly emerging from Pakistan and some other countries, in the aftermath of ‘Operation Sindoor’ in May this year.

The cyber attacks had prompted the UT government to order a comprehensive audit of J&K’s digital infrastructure following which all the departments were ordered on May 21 to shift their websites from private domains such as ‘.com’, ‘org’ and ‘.net’ to the government-approved ‘.gov.in' or ‘.jk.gov.in’ for a “secure, standardised and policy-compliant digital and IT environment”.

In November last year, the government had banned the use of WhatsApp, Gmail and other private applications for transmission of sensitive official documents.

In its latest order, the government has “decided to prohibit the use of Pen drives on official devices across all Administrative Government Departments in Civil Secretariat Jammu and Srinagar, Deputy Commissioner Offices in all districts” in order to “minimize the risks of data breaches, malware infections, and unauthorized access”.

No pendrives

A circular issued by M Raju, Commissioner Secretary, J&K’s General Administration Department (GAD) on Monday states that the restrictions are aimed to “enhance the cyber security posture” of J&K and their implementation will ensure “secure and safe e-Governance”.

The circular instructs the affected government departments to classify as “confidential” all the sensitive technical information, including “ICT architecture diagrams, system configurations, vulnerability assessments, IP addressing schemes, and strategic technology plans."

ICT or Information and Communication Technology architecture is a detailed plan of any organization's or government’s online systems, including hardware, software, networks and data.

The circular instructs the departments to store such information exclusively on cloud platforms approved by the government for “enhanced security” and compliance.

It states that sensitive information should be “handled exclusively through approved secure channels in accordance with Information Security Best Practices by MHA, CERT-In directives, and departmental data classification policies”.

The circular, however, allows the use of external memory and other USB devices during official presentations and meetings on standalone desktops and laptops which are not connected to any network. “No USB Devices are allowed on network connected desktops/laptops,” it states.

“It is advisable that before using USB to any Internet systems, it should be formatted with a trusted DATA wipe Software….. (and) official USB drives are not connected to unofficial or non-compliant endpoints,” the circular adds.

The government has warned of “disciplinary action under relevant rules governing official conduct, IT usage and administrative responsibility” against the non-complaint officers.

The circular also allows the use of “two to three pen drives” for each department in “exceptional cases” after “reconfiguration, authorization, and ownership registration prior to use” of the devices by the information technology department.

No WhatsApp or iLovePDF

It reiterates that using online messaging platforms such as WhatsApp or “unsecured online services” including iLovePDF for “processing, sharing, or storing official or confidential materials” was “strictly prohibited to uphold data sovereignty and prevent security breaches”.

The circular urges the affected offices to adopt GovDrive, a cloud-based storage platform, for storing official information and documents. “Any data needed from any external Pen Drive will be first sanitized in a designated standalone system and copied to a whitelisted pen drive,” the circular states.

After the Pahalgam terrorist attack, more than 10 lakh cyber attacks were reported on Indian systems by the Maharashtra police which reportedly originated from Pakistan, the Middle East, Turkey, Malaysia, Morocco and Indonesia.

SOCRadar, a US based cyber security platform, reported a significant escalation of cyber confrontation in the aftermath of ‘Operation Sindoor’ in which at least two government-run websites – one run by the Indian army and another by the government of Rajasthan – were hit while ‘threat actor’ DieNet claimed to have stolen more than 247 GB of data from the NIC servers.

Several hacker groups based in Pakistan and other countries targeted websites of defence PSUs and their MSME vendors, ports, airports, power grids, airlines and railways, digital money transaction platforms, several state governments and some major Indian conglomerates.

In Jammu and Kashmir, several government-run websites were downed by DDoS (Distributed Denial of Service) attacks where the hackers bring down a website by overwhelming it with traffic. This had affected the government’s collection of daily revenue in the form of power bills, land registration charges, fees for building permits and more.

The Wire is now on WhatsApp. Follow our channel for sharp analysis and opinions on the latest developments.