Anatomy of paper leaks: Decoding how cyber threats can compromise exams and how this can be avoided

Can an exam conducted via the pen and paper method be prone to cyber threats? How can that happen? Should the exam conducting bodies become more aware of its flaws, and will this be a lesson well learnt? Read on to find the answers to these questions here.
Cyber crimes and Paper Leaks (Source: EdexLive Desk)

On June 19, 2024, the Ministry of Education declared the nullification of the University Grants Commission - National Eligibility Test (UGC-NET), 2024, June cycle.

"The Ministry of Education has decided that the UGC-NET June 2024 Examination be cancelled based on inputs from Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs, prima-facie indicating that the integrity of the examination may have been compromised," read the press release.

A system that was already weakened by allegations of paper leaks and scams against the National Eligibility and Entrance Test - Undergraduate (NEET-UG) suffered a final blow with the cancellation of the UGC-NET exam.

The exam was taken by over 9,00,000 candidates across 317 cities and serves as the qualifying exam for admission to PhD programmes and for applying to entry-level teaching positions at Indian universities, so the news left students highly inconvenienced.

Perils of cybercrime
It cannot be said that government bodies have been immune to severe data breaches. In 2023, the personal details of over 815 million Indians were leaked from the online repository of the Indian Council of Medical Research. Later that year, the Hindustan Times reported a malware attack on the cybersecurity systems of the All-India Institute of Medical Sciences (AIIMS) in New Delhi, compromising various information and personal details of patients.

With technological advancements, cybercrime has gained momentum, leading to more severe security breaches over time. Aman Gupta, an Assistant Professor at the National University of Juridical Sciences (NUJS), Kolkata, told EdexLive that when technology goes unchecked and untethered, the process of gaining access to these domains of information can be performed surreptitiously. Prof Gupta says that access can be gained in various ways, such as through bugs and vulnerabilities in software, or via viruses, spyware, or malware, as happened in the previous cyber attacks.

"One possible way is data breach due to unauthorised access to the computer, website, or networks on which the sensitive examination data, such as the question papers, answer keys or results, are stored. The criminals can then download, modify, and/or delete the information," said Gupta.

Beyond this, he suggests, there are ways in which the exam process itself can be tampered with.

Cybercriminals have various malicious methods to interfere with an examinee's process. According to Gupta, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are more likely to occur during an examination. These attacks disrupt the services of the website host by sending unnecessary requests or invalid data, which can degrade the performance of the service provider's server. This might mean that the answers chosen by the aspirants do not get recorded on the server in time.

Easy to get access?
The National Testing Agency (NTA) has established itself as a premier autonomous body conducting several significant examinations such as the Joint Entrance Examinations (JEE), Common University Entrance Test (CUET), NEET, UGC NET and others.

The NTA was set up in 2017 with the agenda of centralising these entrance exams, under the ambit of the National Education Policy (NEP) 2020, with the goal of a 'One Nation-One Test'.

Given NTA's vast functional machinery, to what extent can it be held accountable for its mismanagement?

Rupesh Mittal, founder of Cyber Jagrithi, says that there are ways in which the NTA can be held accountable for such negligence, but it should be known that the body does not itself conduct examinations. "NTA relegates the duties to third parties like TCS iON, which conducts these online examinations for the NTA," he said.

However, he adds that the NTA could be held accountable for failing to ensure security posturing, which encompasses performing a check into the security status of software and hardware assets, networks, services, and other information.

"When such duties are outsourced, sometimes due to negligence, lax measures or outdated software, the system becomes vulnerable to cyber attacks," said Mittal.

He further told EdexLive that, apart from security posturing, there should be checks on how the data is moving from one source to another. "There must be prevention systems, where one can identify whether the information is channelled through trusted systems or going to an unknown external destination," explained the cyber security expert.

Applications such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) serve as barriers that detect and block such external attacks. The absence of stringent checks such as IDS and IPS may result in a major server breach, leading to data leaks. Hence, maintaining cyber hygiene and updating systems are quite important, he said.
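The check on data movement described above can be sketched as follows. This is an added example, not taken from the article or from any agency's systems: it scans flow records and reports hosts holding examination data that send large volumes to destinations outside a trusted allowlist. The record format, addresses, host list and threshold are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: networks the exam body treats as trusted (e.g. printing partner,
# exam centres). Private and documentation ranges, constructed for this example.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/28")]

# Assumption: hosts that store question papers, answer keys or results.
SENSITIVE_HOSTS = {"10.20.1.5", "10.20.1.6"}

# Constructed flow records: "timestamp src dst dst_port bytes_out"
SAMPLE_FLOWS = """\
2024-06-17T09:00:01 10.20.1.5 10.20.4.12 443 52000
2024-06-17T09:02:10 10.20.1.5 192.0.2.9 443 1048576
2024-06-17T23:41:55 10.20.1.6 203.0.113.77 443 7340032
2024-06-17T23:44:02 10.20.1.6 203.0.113.77 443 9437184
2024-06-17T23:50:00 10.20.3.8 198.51.100.4 80 1200
not-a-flow-line
"""

def is_trusted(dst):
    """True if the destination address falls inside any trusted network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in TRUSTED_NETS)

def untrusted_egress(flow_text, min_bytes=1_000_000):
    """Return {(src, dst): total_bytes} for sensitive hosts that sent at least
    min_bytes in total to a destination outside the trusted networks."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than abort the audit
        _ts, src, dst, _port, nbytes = parts
        try:
            if src in SENSITIVE_HOSTS and not is_trusted(dst):
                totals[(src, dst)] += int(nbytes)
        except ValueError:
            continue  # unparsable address or byte count
    return {pair: total for pair, total in totals.items() if total >= min_bytes}

if __name__ == "__main__":
    for (src, dst), total in untrusted_egress(SAMPLE_FLOWS).items():
        print(f"ALERT {src} -> {dst}: {total} bytes to untrusted destination")
```

Summing per source and destination pair catches a transfer that has been split across several connections, each of which might look unremarkable on its own.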

Rupesh Mittal further laid emphasis on the importance of system configuration and software upgrades, as such practices maintain overall cyber hygiene. For that, he says, updating the software is of paramount importance.

"One must have seen that we receive software updates on our phones. Why does it ask us to do so? To protect our phone's system from new vulnerabilities. Developing software is not a day's job, it takes time. Systems need to be configured accordingly and versions need to be upgraded or else, these systems will fall victim to such threats," asserts Mittal.

He said that this may become a greater threat if the criminal has information about the loophole, further making it easier for them to weaponise their source.

Pen and paper method, a solution to such cyber leaks?
According to a report by EdexLive, in the case of the NEET-UG paper leak, which is now being investigated by a Special Investigation Team (SIT) of the Bihar Economic Offences Unit (EOU), there was evidence suggesting that the leak was orchestrated by an organised gang.

Although the online exam is considered to be a safer mode, cyber expert Rupesh Mittal suggests that it can also be prone to leaks, like that of the UGC-NET examination. He told EdexLive that, even if an exam is conducted offline, with strict vigilance, the blueprint of the original paper(s) will certainly be reproduced in a digital format as well.

To this, he adds, "We do not live in the typewriter age anymore. These question papers, even if highly confidential, ultimately are stored or transferred via software or digital platforms, and are available digitally. Technology can have its benefits but even if there is negligence in security, leaks can happen. How? One cannot estimate unless the matter is investigated."

Mittal also stated that because students' identities and roll numbers are stored digitally and results are published online, a cybercriminal with access could potentially alter or tamper with this information. He emphasised that while this is a possibility, it is not a definite explanation for the successive leaks that took place.

Can this be avoided?
While information security practices are vigorously publicised by the government, cyber law expert Aman Gupta is of the view that the National Testing Agency (NTA) must be practising them as well. "The Indian Computer Emergency Response Team (CERT-In) has published the guidelines on information security practices for government entities, which provide best practices to be followed, to prevent cyber threats. Examination conducting bodies should be aware of this and implement the same," he commented.

Rupesh Mittal says that it is imperative for these government bodies and their associated agencies to organise routine Information Technology (IT) audits to ensure data integrity and a security check on the systems, through Vulnerability Assessment and Penetration Testing (VAPT). Such testing would reveal whether a system is prone to breach and whether attacks can be prevented in the future.

Although the Public Examinations (Prevention of Unfair Means) Act, 2024, criminalises unfair means in examinations, the NUJS professor says that crime will no longer remain localised as information can be accessed from anywhere.

Hence, he suggests that significant coordination is needed between testing bodies, investigative and enforcement agencies, and Central and state governments to prevent such incidents before the examination, rather than responding afterwards.

Adarsh Sudhindra, Vice-President of Growth and Strategy at Excelsoft Technologies, similarly emphasised that robust security measures should be implemented to ensure all staff and administrator activities are logged and audited regularly. Additionally, staff must be educated to recognise potential cyber threats, such as phishing.

How to assuage students?
The turbulence that students faced when the integrity of two major examinations was compromised led to a decline in faith in the system. What can the National Testing Agency or any other government body do to instil trust?

Prof Gupta agrees that certain untoward situations can be avoided when there is purported news of intrusion. "Cancelling the exam at an early stage is a better outcome for the candidates. It allows for clarity and removes concerns that the examination's validity may be challenged later and reduces the impact on individuals who had relied on the results for admissions or jobs," he said.

According to a report by NDTV Education, in the year 2015, the All India Pre-Medical Test (AIPMT), the former national-level medical entrance test conducted by the Central Board of Secondary Education (CBSE), was cancelled due to an alleged paper leak. A verdict by the Supreme Court followed that incident, in which CBSE was directed to re-conduct the exam and declare the results in four weeks.

Apart from this, Dr Lovi Raj Gupta, Pro Vice-Chancellor of Lovely Professional University, suggests that these examination conducting bodies can provide regular updates and maintain transparent communication about the actions being taken to address the cybercrime incidents.

He cited the example of the Australian Tertiary Admissions Centre (ATAR), which regularly communicates with students and public officials through statements, press releases and social media updates, providing transparent information about any security incidents, actions taken and improvements made to enhance the integrity of exams. He stressed that the National Testing Agency, or any other government body, can do the same henceforth to maintain its accountability.
