Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. With the development of cyber technology and its overwhelming use for scientific research, delivery of services (financial and other services like e-commerce and payment to public utilities, education and e-medicine and communication among various departments and organs of government through a network, including defense has made it important to save the cyber space from attacks. Computer security is part of cyber security. Computer security, also known as cyber security or IT security is the protection of computer systems from the theft or damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
Cyber technology is defined as a field of technology that deals with the development of artificial devices or machines that can be surgically implanted into a humanoid form to improve or otherwise augment their physical or mental abilities. Cybertechnological products are known as “Cyberware”. Cyber defense is a computer network defense mechanism which includes response to actions and critical infrastructure protection and information assurance for organizations, government entities and other possible networks.
Cyber terrorism is the use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm, in order to achieve political gains through intimidation. It is also sometimes considered an act of Internet terrorism where terrorist activities, including acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet by means of tools such as computer viruses, computer worms or other malicious scripts are used.There is some difference between cyber crimes and cyber terrorism.
Terrorism online should be considered cyberterrorism when there has been fear inflicted on a group of people, whereas cybercrime is the act of committing a felony or crime online, typically without the use of fear, e.g. financial. By these narrow and broad definitions, it is difficult to distinguish which instances of online acclivities are cyberterrorism or cybercrime.
Cyber terrorism can be also defined as the intentional use of computers, networks, and public internet to cause destruction and harm for personal objectives. Experienced cyber terrorists, who are very skilled in terms of hacking can cause massive damage to government systems, hospital records, and national security programs, which might leave a country, community or organization in turmoil and in fear of further attacks. The objectives of such terrorists may be political or ideological since this can be considered a form of terror.
In recent years, with the massive growth of Muslim extremist activities, there has been a significant rise in exploitation of internet technologies for committing terror and cyber terror attacks against western targets. There have been several major and minor instances of cyber terrorism. Al-Qaeda utilized the internet to communicate with supporters and even to recruit new members. Estonia, a Baltic country which is constantly evolving in terms of technology, became a battleground for cyber terror in April, 2007 after disputes regarding the removal of a WWII soviet statue located in Estonia’s capital Tallinn.
Types and forms of Cyber Attacks
Social networking over the Internet has boomed in recent years because it allows networks of like-minded individuals to collaborate and connect, regardless of their respective geographies or physical location. Cyber terrorism as mentioned is a very serious issue and it covers vide range of attacks.
Some of the major tools of cyber crime may be- Botnets, Estonia, 2007, Malicious Code Hosted on Websites, Cyber Espionage etc. It is pertinent to mark here that there are other forms which could be covered under the heading of Cyber Crime & simultaneously is also an important tools for terrorist activities. Here I’m going to discuss these criminal activities one by one:
Attacks via Internet: Unauthorized access & Hacking:
one of the criminal activities is unauthorized access that would therefore mean any kind of access without the permission of either the rightful owner or the person in charge of a computer, computer system or computer network
Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer programs to attack the target computer. They possess the desire to destruct and they get the kick out of such destruction.
Trojan is a program that acts like something useful but do the things that are quiet damping. The programs of this kind are called as Trojans.
Trojans come in two parts, a Client part and a Server part. When the victim (unknowingly) runs the server on its machine, the attacker will then use the Client to connect to the Server and start using the trojan.
Virus and Worm attack:
A program that has capability to infect other programs and make copies of itself and spread into other programs is called virus.
Programs that multiply like viruses but spread from computer to computer are called as worms.
E-mail related crimes:
- Email spoofing: Email spoofing refers to email that appears to have been originated from one source when it was actually sent from another source.
- Email Spamming: Email “spamming” refers to sending email to thousands and thousands of users – similar to a chain letter.
- Sending malicious codes through email:E-mails are used to send viruses, Trojans etc through emails as an attachment or by sending a link of website which on visiting downloads malicious code.
Threat to large banks
One of the most popular forms of Cyber terrorism is to threaten a large bank. The terrorists hack into the system and then leave an encrypted message for senior directors, which threaten the bank. What adds to the difficulty to catch the criminals is that the criminals may be in another country. A second difficulty is that most banks would rather pay the money than have the public know how vulnerable they are.
Major components of cyber security
All the measures that lead to protect the data, data machine and the data systems and networks form cyber security framework. It is about both- hardware and software. It is also about regulations, laws and policies. The following are the major components of Cyber security:
- Application Security
- Information Security
- Disaster recovery
- Network Security
Application security– encompasses measures or counter-measures that are taken during the development life-cycle to protect applications from threats that can come through flaws in the application design, development, deployment, upgrade or maintenance. Some basic techniques used for application security are: a) Input parameter validation, b)User/Role Authentication & Authorization, c) Session management, parameter manipulation & exception management, and d) Auditing and logging.
Information security– protects information from unauthorized access to avoid identity theft and to protect privacy. Major techniques used to cover this are: a) Identification, authentication & authorization of user, b) Cryptography.
Disaster recovery– planning is a process that includes performing risk assessment, establishing priorities, developing recovery strategies in case of a disaster. Any business should have a concrete plan for disaster recovery to resume normal business operations as quickly as possible after a disaster.
Network security– includes activities to protect the usability, reliability, integrity and safety of the network. Effective network security targets a variety of threats and stops them from entering or spreading on the network. Network security components include: a) Anti-virus and anti-spyware, b)Firewall, to block unauthorized access to your network, c)Intrusion prevention systems (IPS), to identify fast-spreading threats, such as zero-day or zero-hour attacks, and d) Virtual Private Networks (VPNs), to provide secure remote access.
Cyber Security and India
According to , Julie Gommes, cybersecurity expert and member of the Computer Emergency Response Team, India may not be a major target like some of the European countries of Jihadi cyberterrorism, but the country remains as vulnerable to cyberterrorism as any other Jihadi-targeted country. Ms. Gommes, who led a technical session on cyberterrorism at the 9th edition of the International Cybersecurity and Policing Conference which concluded in August 2016 in Kollam, said India should be alert to such acts of terrorism. All countries remain technically vulnerable to cyberterrorism though socially India may appear to be less vulnerable. She said that websites at large continue to remain vulnerable to all kinds of cyberattacks. There is not much thrust on the security aspect of websites when they are launched. This aspect is given some thought only after an attack. But in most post-attack cases, the web page is simply cleaned and is back in minutes. Yet, no serious thought is given to cyberterrorism.
India’s vulnerability could be seen in the following threats:
- Privacy violation
- Data theft
- Appropriation of government records
- DOS/ Distributed denial of services attacks (DDOS)
- Network damage and distruction
- Provisions of cyber security
Laws and regulations in India against cyber crimes and terror
Information technology act
The Information Technology Act, 2000 is an Act of the Indian Parliament (No 21 of 2000) notified on 17 October 2000. Both cyber crimes and cyber terrorism are addressed by the same law.It is the primary law in India dealing with cyber crime and electronic commerce. It is based on the United Nations Model Law on Electronic Commerce 1996 (UNCITRAL Model) recommended by the General Assembly of United Nations by a resolution dated 30 January 1997. The bill was passed in the budget session of 2000 and signed by President K. R. Narayanan on 9 May 2000. The bill was finalised by group of officials headed by then Minister of Information Technology Pramod Mahajan. The original Act contained 94 sections, divided in 13 chapters and 4 schedules. The laws apply to the whole of India. Persons of other nationalities can also be indicted under the law, if the crime involves a computer or network located in India.
The Act provides legal framework for electronic governance by giving recognition to electronic records and digital signatures. The formations of Controller of Certifying Authorities was directed by the Act, to regulate issuing of digital signatures. It also defines cyber crimes and prescribed penalties for them. It also established a Cyber Appellate Tribunal to resolve disputes rising from this new law. The Act also amended various sections of Indian Penal Code, 1860, Indian Evidence Act, 1872, Banker’s Book Evidence Act, 1891, and Reserve Bank of India Act, 1934 to make them compliant with new technologies. A major amendment was made in 2008. It introduced the Section 66A which penalized sending of “offensive messages”. It also introduced the Section 69, which gave authorities the power of “interception or monitoring or decryption of any information through any computer resource”. It also introduced penalties for child porn, cyber terrorism and voyeurism. It was passed on 22 December 2008 without any debate in Lok Sabha. The next day it was passed by the Rajya Sabha. It was signed by the then President (Pratibha Patil) on 5 February 2009.
Offences under the IT Act
List of offences and the corresponding penalties:
- Section 65– Tampering with computer source documents- If a person knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force—– Imprisonment up to three years, or/and with fine up to Rs. 200,000
- Section 66– Hacking with computer system–If a person with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack—— Imprisonment up to three years, or/and with fine up to Rs. 500,000
- Section 66 B-– Receiving stolen computer or communication device—- A person receives or retains a computer resource or communication device which is known to be stolen or the person has reason to believe is stolen—- Imprisonment up to three years, or/and with fine up to Rs. 100,000
- Section 66 C–Using password of another person— A person fradulently uses the password, digital signature or other unique identification of another person—- Imprisonment up to three years, or/and with fine up to Rs.100,000
- Section 66 D— Cheating using computer resource—- If a person cheats someone using a computer resource or communication—– Imprisonment up to three years, or/and with fine up to Rs.100,000
- Section 66 E— Publishing private images of others—- If a person captures, transmits or publishes images of a person’s private parts without his/her consent or knowledge—- Imprisonment up to three years, or/and with fine up to Rs.200,000
- Section 66 F— Acts 66F of cyber terrorism—If a person denies access to an authorised personnel to a computer resource, accesses a protected system or introduces contaminant into a system, with the intention of threatening the unity, integrity, sovereignty or security of India, then he commits cyber terrorism—– Imprisonment up to life
- Section 67— Publishing information which is obscene in electronic form—- Publishing information which is obscene in electronic form—- If a person publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it—– Imprisonment up to five years, or/and with fine up to Rs. 1,000,000
- Section 67 A— Publishing images containing sexual acts—- Persons deemed as intermediatary (such as an ISP) must maintain required records for stipulated time. Failure is an offence— Imprisonment up to three years, or/and with fine
- Section 67 B— Publishing child porn or predating children online— If a person captures, publishes or transmits images of a child in a sexually explicit act or conduct. If a person induces a child into a sexual act. A child is defined as anyone under 18—– Imprisonment up to five years, or/and with fine up to Rs.1,000,000 on first conviction. Imprisonment up to seven years, or/and with fine up to Rs. 1,000,000 on second conviction.
- Section 67 C — Failure to maintain records— Persons deemed as intermediatary (such as an ISP) must maintain required records for stipulated time. Failure is an offence.—– Imprisonment up to three years, or/and with fine
- Section 68— Failure/refusal to comply with orders—- The Controller may, by order, direct a Certifying Authority or any employee of such Authority to take such measures or cease carrying on such activities as specified in the order if those are necessary to ensure compliance with the provisions of this Act, rules or any regulations made thereunder. Any person who fails to comply with any such order shall be guilty of an offence—- Imprisonment up to three years, or/and with fine up to Rs. 200,000
- Section 69— Failure/refusal to decrypt data—- If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign Stales or public order or for preventing incitement to the commission of any cognizable offence, for reasons to be recorded in writing, by order, direct any agency of the Government to intercept any information transmitted through any computer resource. The subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been directed, must extend all facilities and technical assistance to decrypt the information. The subscriber or any person who fails to assist the agency referred is deemed to have committed a crime.—- Imprisonment up to seven years and possible fine.
- Section 70-— Securing access or attempting to secure access to a protected system—— The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system. The appropriate Government may, by order in writing, authorise the persons who are authorised to access protected systems. If a person who secures access or attempts to secure access to a protected system, then he is committing an offence.—– Imprisonment up to ten years, or/and with fine
- Section 71-—Misrepresentation—— If anyone makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any license or Digital Signature Certificate—–Imprisonment up to three years, or/and with fine up to Rs. 100,000
Application of the IT Act
Some of the section s of the IT Act of India were on and off applied in certain cases. For example Section 66 was applied in case in February 2001, in one of the first cases, the Delhi police arrested two men running a web-hosting company. The company had shut down a website over non-payment of dues. The owner of the site had claimed that he had already paid and complained to the police. But the most used and criticized for abusive use was section 66A. It was used in September 2012, in case of a freelance cartoonist Aseem Trivedi who was arrested under Section 66A of the IT Act, Section 2 of Prevention of Insults to National Honour Act, 1971 and for sedition under the Section 124 of the Indian Penal Code. His cartoons depicting widespread corruption in India were considered offensive. Again on 12 April 2012, a Chemistry professor from Jadavpur University, Ambikesh Mahapatra, was arrested for sharing a cartoon of West Bengal Chief Minister Mamata Banerjee and then Railway Minister Mukul Roy.
On 30 October 2012, a Puducherry businessman Ravi Srinivasan was arrested under Section 66A. He had sent tweet accusing Karti Chidambaram, son of then Finance Minister P. Chidambaram, of corruption. Karti Chidambaram had complained to the police. On 19 November 2012, a 21-year-old girl was arrested from Palghar for posting a message on Facebook criticising the shutdown in Mumbai for the funeral of Bal Thackeray. On 18 March 2015, a teenaged boy was arrested from Bareilly, Uttar Pradesh, for making a post on Facebook insulting politician Azam Khan. The post allegedly contained hate speech against a community and was falsely attributed to Azam Khan by the boy.
Controversy on Section 66A
From the above examples we see how powerful people influenced police to use section 66 A of the IT Act to gaga people and snatch their freedom of speech and opinion. Therefore, in December 2012, P Rajeev, a Rajya Sabha member from Kerala, tried to pass a resolution seeking to amend the Section 66A. He was supported by D. Bandyopadhyay, Gyan Prakash Pilania, Basavaraj Patil Sedam, Narendra Kumar Kashyap, Rama Chandra Khuntia and Baishnab Charan Parida. P Rajeev pointed that cartoons and editorials allowed in traditional media, were being censored in the new media. He also said that law was barely debated before being passed in December 2008. In November 2012, IPS officer Amitabh Thakur and his wife social activist Nutan Thakur, filed a petition in the Lucknow bench of the Allahabad High Court claiming that the Section 66A violated the freedom of speech guaranteed in the Article 19(1)(a) of the Constitution of India. They said that the section was vague and frequently misused.
Also in November 2012, a Delhi-based law student, Shreya Singhal, filed a Public Interest Litigation (PIL) in the Supreme Court of India. She argued that the Section 66A was vaguely phrased, as result it violated Article 14, 19 (1)(a) and Article 21 of the Constitution. The PIL was accepted on 29 November 2012. A similar petition was also filed by the founder of MouthShut.com, Faisal Farooqui, and NGO Common Cause represented by Prashant Bhushan. In August 2014, the Supreme Court asked the central government to respond to petitions filed by Mouthshut.com and later petition filed by the Internet and Mobile Association of India (IAMAI) which claimed that the IT Act gave the government power to arbitrarily remove user-generated content
On 24 March 2015, the Supreme Court of India, gave the verdict that Section 66A is unconstitutional in entirety. The court said that Section 66A of IT Act 2000 is “arbitrarily, excessively and disproportionately invades the right of free speech” provided under Article 19(1) of the Constitution of India. But the Court turned down a plea to strike down sections 69A and 79 of the Act, which deal with the procedure and safeguards for blocking certain websites.
Threat to banks
Wanna Decryptor or WannaCry, a ransomeware attacked banks and individual high net worth people in the first half of 2017. The countries affected by a global cyber attack that took down, among others, health services in the UK, a telecom network in Spain and government computer systems in Russia in May 2017. In the same minth, as many as 102 computer systems of Andhra Pradesh police were hacked . The malware reportedly halted production at a Nissan-Renault Alliance plant on the outskirts of Chennai, but the company did not comment on the issue. National Cyber Security Adviser in the Prime Minister’s Office Gulshan Rai however halted the panic by saying that about 100 systems were attacked but after mid-may there were no more threats. The international cyber attack was carried out using a malware called Wanna Decryptor or WannaCry. This is a “ransomware“, a digital extortion system that locks down systems by encrypting the data on it, only to decrypt and release it back for a ransom amount. What was more worrying about the global cyber attack was the fact that the outdated Windows XP version that turned out to be the weak link, crippling information systems around the world, is used by 70% of Indian ATMs. According to a Microsoft spokesperson, Their complete control rests with vendors who provide banks with these systems. Microsoft stopped providing support -security patches and other tools -for Windows XP in 2014. However, on Saturday, Microsoft said it had released updates for older systems. “Given the potential impact to customers and their businesses, we have also released updates for Windows XP, Windows 8, and Windows Server 2003.
The threat of cybercrime on the global banking and financial services industry is apparent with a tectonic increase in cases over the past few years. The disruptive force of technology has proved to be a double-edged sword, with the quantum of cyber-attacks intensifying with time in the banking sector. For instance, ‘Zeus Trojan’, a type of malware wreaked havoc on the internet about a decade back, stealing the banking credentials of users. ‘Cryptolocker’, a type of ransomware was then discovered which could encrypt critical files on the system and demand a ransom (typically in Bitcoins) in exchange for the decryption key. More recently, a lethal ransomware known as ‘Mamba’ has caused panic across the world. This is because instead of the just encrypting critical files, ‘Mamba’ encrypts the entire hard disk drive, including the bootloader.
Phishing, another form of attack led by social engineering, is targeting consumers who may fall prey to a fake but ‘genuine-looking’ bank website, and eventually offer credentials to a hacker. The hacker would then use the credentials to log into the original bank account and transfer funds fraudulently. Distributed denial of service (DDoS) attacks using devices connected to internet such as CCTV cameras and mobile phones have also enabled them to potentially deny internet access to an entire country.
Historically, telex (also known as TT or Telegraphic Transfer) has been the legacy electronic method used to send overseas payment instructions taking place between financial institutions. While it was a popular means, there were loopholes in the security systems. The need to have an easier as well as a secure system emerged, which would be simple and safe and maintain integrity of the data exchanged. Telex was eventually replaced by a newer and more reliable method, created by non-profit organizations known as Society for Worldwide Interbank Financial Telecommunication (SWIFT) in 1977. SWIFT gained instant popularity and by 1979, it was already handling more than 1.2 lakh messages per day. Today, SWIFT’s messaging services are used extensively by more than 11,000 financial institutions in over 200 countries.
In recent times, cyber criminals have shifted their focus to targeting critical banking infrastructure. Created with the intent to provide security and reliability to banks, the repercussions of successfully breaching SWIFT systems could be hazardous. Unlike banking Trojans and ransomware, where each hack would yield thousands of dollars, each SWIFT hack could potentially cost banks millions of dollars. Media reports have suggested such cases in Asia as well as Europe. Keeping aside the reported cases, there is a fair probability that more attacks may have occurred but would have gone unreported due to possible reputational damage feared by the institutions. Typically, hackers would send fraudulent payment instructions impersonating the operator of a financial institution. They would then manipulate or wipe off some data to mask any trail so the hack becomes untraceable.
To proactively manage the vulnerabilities that could be exploited by hackers, patches and updates have been rolled out by SWIFT. However, as the compromise often involves internal systems, such steps may not necessarily solve all the problems for an organization.
Additionally, the Reserve Bank of India (RBI) has released a set of guidelines to manage the risks associated with such attacks. RBI’s circular last year covered several notable suggestions, ranging from arrangements for continuous surveillance, creation of a cyber security policy that is distinct from the broader IT policy and an immediate assessment of gaps in preparedness to be reported to the regulator. To diminish future risks and fortify safety mechanisms, institutions using global payment services should conduct a complete security review of their IT infrastructure. Lastly, a proactive forensic analysis of all the systems may be beneficial to ascertain if there has already been a breach or compromise.