Is India ready for a CyberWar?

“We worried for decades about WMDs – Weapons of Mass Destruction. Now it is time to worry about a new kind of WMDs – Weapons of Mass Disruption.” ― John Mariotti

The cyberspace is a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures. In effect, cyberspace can be thought of as the interconnection of human beings through computers and telecommunication, without regard to physical geography. That is, the cyberspace is a complex combination of both hardware and software, without any geographical boundaries.

The central law which governs cyberspace in India is the Information Technology Act of 2000 (hereinafter referred to as the “IT Act, 2000”). The IT Act, 2000 is based on the Model Law of E Commerce adopted by UNCITRAL in 1996. The preamble to the IT Act, 2000 points out a threefold objective: firstly, to provide legal recognition for transactions carried out through electronic means; secondly, to facilitate the electronic filing of documents with Government agencies; and thirdly, to amend certain Acts, inter alia, the Indian Penal Code, 1860 and the Indian Evidence Act, 1872. The IT Act, 2000 gave legal validity and recognition to electronic documents and digital signatures and enabled the conclusion of legally valid and enforceable e-contracts. It also provided a regulatory regime to supervise the Certifying Authorities issuing digital signature certificates and created civil and criminal liabilities for contravention of the provisions of the IT Act, 2000. Pursuant to this law, the Ministry of Electronics & Information Technology released the National Cyber Security Policy, 2013 with the mission to “protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.”

Despite the current Government’s praiseworthy Digital India initiatives and campaigns, the Indian cyber security regime is extremely weak. No new National Cyber Policy has been released since the first one in 2013. In 2014, the PMO created the position of the National Cyber Security Coordinator (NCSC) and appointed Mr. Gulshan Rai as the NCSC to head the National Cyber Security Coordination Centre (NCSCC). But unfortunately the NCSCC hasn’t started working yet. The NCSCC is intended to screen communication metadata and co-ordinate the intelligence gathering activities of other agencies. Some of the components of NCCC include a cyber crime prevention strategy, cybercrime investigation training, review of outdated laws, etc. As per the National Cyber Strategy, the NCSCC should be functional by 2020 at the earliest.

An Expert Group constituted by the Ministry of Home Affairs, which was directed to prepare a roadmap for effectively tackling cyber crimes in the country, had also recommended setting up an Indian Cyber Crime Coordination Centre (I4C) to fight against cyber crimes in the country. But this has remained at the proposal stage and no further governmental action has taken place. Matters reached the point where the Supreme Court, while hearing a PIL filed by the NGO Prajwala, on the 21st of November, 2016 demanded that the Central Government immediately inform the Court as to the status of the Indian Cyber Crime Coordination Centre[1].

It would be wrong to say that India completely lacks any legislative framework to safeguard its corporates, as the Information Technology Act, 2000 (as amended in 2008) prescribes adoption of adequate cyber security practices and cyber law due diligence by Indian companies and individuals. Even technology companies, financial institutions and e-commerce websites are required to observe cyber due diligence in India and this requirement cannot be ignored anymore. Special attention must be given to the Information Technology (Intermediaries Guidelines) Rules, 2011 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 by those engaged in technology related business in India.

Regulatory compliance requirements under the Indian Companies Act, 2013 have also added many legal obligations on the part of Indian companies and their directors. These include the liability of directors for cyber law and cyber security breaches and a liability for not following cyber law and cyber security legal obligations while conducting the functions of their respective companies.

But despite such guidelines, checks and measures, Indian law and technological capabilities remain woefully inadequate to prevent cyber attacks such as Petya, WannaCry and #NotPetya.

The sheer number of unsupported pirated operating systems and outdated computers across the country makes India a happy hunting ground for cyber criminals. While the Central Government sells the dreams of a “Digital Desh”, it is important to note that viruses like WannaCry and #NotPetya have easily brought down Government departments including AP Police Department and Ministry of Electronics and Information Technology, Andhra Pradesh, over 120-odd computers connected with GSWAN (Gujarat State Wide Area Network), and departments in other states such as West Bengal, Kerala, Tamil Nadu, etc., in recent months.

Surprisingly, though never on this scale, ransomware attacks are not completely uncommon in India. Recently, when the managing director of a popular ice cream manufacturing company in Hyderabad turned on his computer to access his company’s database, he was startled to read – “Pay $1,000 to get your data back and do the payment in Bitcoins[2].”

Cyber attacks have also targeted an Indian cyber security firm, Cyberoam, which had confirmed a cyber attack on its systems, resulting in possible leakage of its database that contained personal details of its customers and partners[3].

According to the KPMG Cybercrime survey report, nearly 72% of Indian companies faced a cyberattack in 2015. More than 250 respondents from the likes of CIOs, CISOs, CAEs, CROs, COOs and related professionals from across India participated in the survey[4].

The KPMG in India Cybercrime Survey Report stated that 94% of respondents indicated that cybercrime is a major threat faced by organizations, but surprisingly only 41% indicated that it forms part of the board agenda. 74% of respondents believe that the BFSI sector is a top target for cybercrime, with 63% indicating that these crimes more often than not amount to gross financial loss. Another important revelation was that 54% of the respondents indicated that spend on cyber defences is less than 5% of IT spend, with only 2% of organizations spending more than 20% of their IT budget on information security and cyber defences.

According to a survey by global consultancy firm PwC along with CIO and CSO, the average number of information security incidents detected by respondents increased by 117% from 2014, up from 2,895 to 6,284 in 2016. Further, the losses as a result of incidents of cybersecurity surged by 135% from 2014, and the average cost per incident increased by close to 8%, added the report[5].

According to the 2014 Cost of Data Breach Study by IBM, done in association with the Ponemon Institute, India is one of the countries/regions that have the highest number of average data breaches, but its cost per capita is low. This study was conducted using qualitative questionnaires in 314 major companies across 10 countries[6].

Coming to the current day, as of July 2017, India stands at the cusp of a new age. With the introduction of Aadhaar and the aggressive Digital dreams of the Government, the Court would be a sitting duck for Ransomware or Distributed Denial of Service (DDoS) attacks. The Aadhaar Act is especially important in this context as it mandates creation of an online depository of the personal data of all citizens, including the fingerprints, biometric scan and other biological attributes of the citizens, with the Government. Such a treasure trove of data, if not properly secured, can be easily exploited, and it’s high time the Government realizes the same and buckles up.

It is clear as daylight now that the next World War may be fought without a single bullet being fired. Governments may tell you that you are safe behind massive armies, but the truth is that in the current age, for less than the price of a helicopter, an entire country can be brought to its knees by sufficiently talented individuals with laptops and an internet connection.

Hence before charging ahead to become a global superpower, and attempting to create a cashless economy and a digitized country, India needs to make certain that it can protect itself and its citizens in this new global arena where attacks are far more common, and attackers far more difficult to trace.


[1] Sunitha Krishnan representing Prajwala (NGO) vs Union of India

[2] http://www.gadgetsnow.com/tech-news/Cyber-extortion-New-crime-on-the-block/articleshow/49038656.cms

[3] Supra

[4] http://www.thehindubusinessline.com/info-tech/security-firm-cyberoam-turns-victim-in-cyber-attack/article8054964.ece

[5] https://www.kpmg.com/IN/en/IssuesAndInsights/ArticlesPublications/Documents/Cyber-Crime-Survey-2015-30Nov15.pdf

[6] http://www.newindianexpress.com/business/news/Incidents-of-Cybersecurity-Breach-Shoot-up-117-Percent-in-India-PwC/2015/10/14/article3079825.ece

 
