Cyber crime and cyber laws in India
1.0 INTRODUCTION
With the increased worldwide use of information technology and the internet, the risk of misuse of the internet and computer networks has grown tremendously, and cyber terrorism has increased manifold. Generally speaking, computer crime refers to any crime that involves a computer and a network. The computer may have been used to commit the crime, or it may be the target of the crime. Netcrime refers to criminal exploitation of the internet. The term cyberterrorism refers to the use of internet-based attacks in terrorist activities, including acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the internet, by means of tools such as computer viruses.
Cyberterrorism is also defined as relating to deployments, by known terrorist organizations, of disruption attacks against information systems for the primary purpose of creating alarm and panic. According to the U.S. Federal Bureau of Investigation (FBI), cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents."
The present-day problem of international and national cybercrime and terrorism issues a challenge to society, authority, and peace services all over the world.
While computer crime in itself covers a wide range of issues, terrorism has also already reached the internet for propaganda, recruitment, and other communications. The internet has also become a way for terrorists to directly commit their offences. Terrorists, in many cases, use the internet for strategic and practical purposes. They use it professionally and are also highly aware of its weak spots.
In this lecture, we will look at various aspects of cybercrime including cyberterrorism.
2.0 DEFINITIONS OF CYBERTERRORISM
Cyber terrorism is basically defined as a deliberate, disruptive and threatening activity directed at a government's computers and networks, with the intention to cause harm or to further social, ideological, religious, political or similar objectives. This definition, however, is neither settled nor universally accepted.
To be more precise, one has to consider cyber terrorism in a more differentiated way and from different points of view. If cyber terrorism is treated similarly to conventional terrorism, then it would only include attacks that threaten property or lives, and can be defined as the leveraging of a target's computers and information, particularly via the Internet, to cause physical harm or endanger the infrastructure.
At variance with this opinion, there is also a definition of cyber terrorism as the use of information technology by terrorist groups and individuals to further their agenda. This can include the use of information technology to organize and execute attacks against networks, or to exchange information and organize terrorist activities. When the actions mentioned above are done for economic rather than ideological reasons, they are regarded as cybercrime.
Regarding the capabilities of cyber terrorists, however, there is a more precise description, separated into three levels:
Simple-Unstructured: The capability to conduct basic hacks against individual systems using tools created by someone else. Little target analysis, command and control, or learning capability is necessary.
Advanced-Structured: The capability of a cyber terrorist group to conduct more sophisticated attacks against multiple systems or networks and, possibly, to modify or create basic hacking tools. Elementary target analysis, command and control, and learning capabilities are necessary.
Complex-Coordinated: The capability of an organisation to conduct coordinated attacks that cause mass disruption against integrated, heterogeneous defences (including cryptography), together with the ability to create sophisticated hacking tools. Highly capable target analysis, command and control, and organisational learning capability are a must for these attacks to be successful.
3.0 FORMS OF CYBER CRIME
3.1 Privacy violation
My personal space is not to be invaded. That is the simple concept of 'privacy'. The advent of IT has put at great risk the recognition of the individual's right to be let alone and to have his inviolate personality. The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which a new cause of action for damages resulting from unlawful invasion of privacy was recognized. In recent times, this right has acquired constitutional status, the violation of which attracts both civil and criminal consequences under the respective laws.
The intensity and complexity of life have rendered necessary some retreat from the world. Man under the refining influence of culture, has become sensitive to publicity, so that solitude and privacy have become essential to the individual.
Modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury. Right to privacy is a part of the right to life and personal liberty enshrined under Article 21 of the Constitution of India. With the advent of information technology the traditional concept of right to privacy has taken new dimensions, which require a different legal outlook. To meet this challenge, we refer to the Information Technology Act, 2000 (I.T. Act 2000).
The various provisions of the Act aptly protect the online privacy rights of citizens. Certain acts that tend to intrude upon the privacy rights of citizens have been categorized as offences and contraventions.
3.2 Secret information appropriation and data theft
Today, in every business organization and government department, paper-based data is losing its relevance or is backed up electronically. All data is stored on computer networks. Information technology can be misused to appropriate valuable Government secrets, as well as the data of private individuals and of the Government and its agencies. A computer network owned by the Government may contain valuable information concerning defence and other top secrets, which the Government would not otherwise wish to share. The same can be targeted by cyber criminals or cyber terrorists to facilitate their activities, including destruction of property.
In R.K. Dalmia v/s Delhi Administration, 1962, the Supreme Court held that the word "property" is used in the IPC in a much wider sense than the expression "movable property". There is no good reason to restrict the meaning of the word "property" to movable property only, when it is used without any qualification. Whether the offence defined in a particular section of the IPC can be committed in respect of any particular kind of property will depend not on the interpretation of the word "property" but on whether that particular kind of property can be subject to the acts covered by that section.
3.3 Demolition of e-governance base
In order to serve the people better, e-governance initiatives have been launched by governments the world over, including in India. The objective of e-governance is to make the interaction of citizens with government offices hassle-free and to share information in a free and transparent manner. It further makes the right to information a meaningful reality. However, implementation of e-governance without proper online security measures creates a huge risk to all the parties involved, as cybercriminals can take such systems down.
3.4 Distributed denial of service attack (DDoS)
Cyber criminals may also use the method of distributed denial of service (DDoS) to overburden the government's electronic bases. This is made possible by first infecting several unprotected computers by way of virus attacks and then taking control of them. Once control is obtained, they can be manipulated from any location by the criminals/terrorists. These infected computers are then made to send requests in such large numbers that the victim's server collapses. Further, because of this unnecessary internet traffic, legitimate traffic is prevented from reaching the computers of the government or its agencies. This results in immense pecuniary and strategic loss to the government and its agencies.
It must be noted that thousands of compromised computers can be used to simultaneously attack a single host, thus making its electronic existence invisible to the genuine and legitimate citizens and end users. The law in this regard is crystal clear.
3.5 Network damage and disruptions
The main aim of the activities of cyber criminals is to damage and disrupt networks. This activity may divert the attention of the security agencies for the time being, thus giving the terrorists extra time and making their task comparatively easier. The process may involve a combination of computer tampering, virus attacks, hacking, etc.
4.0 CYBERLAWS IN INDIA
Surprisingly, for a long time the issue of cyber security was not given much importance in India. There was no statute in India governing cyber laws involving privacy issues, jurisdiction issues, intellectual property rights issues and a number of other legal questions. With the growing tendency to misuse technology, there arose a need for strict statutory laws to regulate criminal activities in the cyber world and to protect citizens from the ravages of such crimes. The "INFORMATION TECHNOLOGY ACT, 2000" [ITA-2000] was enacted by the Parliament of India to cover the fields of e-commerce, e-governance and e-banking, as well as penalties and punishments for cyber crimes. The above Act was further amended in the form of the IT Amendment Act, 2008 [ITAA-2008].
4.1 The IT Act, 2000
An Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.
The following are the main objectives and scope of the Act:
- To give legal recognition to any transaction which is done electronically or through use of the internet
- To give legal recognition to digital signatures for accepting any agreement via computer
- To provide a facility for filing documents online, for example relating to school admission or registration in an employment exchange
- According to I.T. Act 2000, any company can store their data in electronic storage
- To stop computer crime and protect privacy of internet users
- To give legal recognition for keeping books of accounts by bankers and other companies in electronic form
- To appropriately amend the Indian Evidence Act 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934
Scope: All electronic information is within the scope of the I.T. Act 2000, except the following:
- The Information Technology Act, 2000 is not applicable to attestation for creating a trust by electronic means. Physical attestation is a must.
- The I.T. Act 2000 is not applicable to attestation for making the 'will' of a person. Physical attestation by two witnesses is compulsory.
- A contract of sale of any immovable property
- Attestation for giving power of attorney of property is not possible via electronic record.
Significant provisions of the Act are (listed with sub-headings):
- Chapter II: Authentication of electronic records - Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature. The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
- Chapter III: ELECTRONIC GOVERNANCE - Legal recognition of electronic records, Legal recognition of digital signatures, Use of electronic records and digital signatures in Government and its agencies, Retention of electronic records, Publication of rule, regulation, etc., in Electronic Gazette, Power to make rules by Central Government in respect of digital signature.
- Chapter IV: ATTRIBUTION, ACKNOWLEDGMENT AND DESPATCH OF ELECTRONIC RECORDS - Attribution of electronic records, Acknowledgment of receipt, Time and place of despatch and receipt of electronic record
- Chapter V: SECURE ELECTRONIC RECORDS AND SECURE DIGITAL SIGNATURES - Secure electronic record, Secure digital signature, Security procedure
- Chapter VI: REGULATION OF CERTIFYING AUTHORITIES - Appointment of Controller and other officers, Functions of Controller, Recognition of foreign Certifying Authorities, Controller to act as repository, Licence to issue Digital Signature Certificates, Application for licence, Renewal of licence, Procedure for grant or rejection of licence, Suspension of licence, Notice of suspension or revocation of licence, Power to delegate, Power to investigate contraventions, Access to computers and data, Certifying Authority to follow certain procedures, Certifying Authority to ensure compliance of the Act, etc., Display of licence, Surrender of licence, Disclosure
- Chapter VII: DIGITAL SIGNATURE - Certifying Authority to issue Digital Signature Certificate, Representations upon issuance of Digital Signature Certificate, Suspension of Digital Signature Certificate, Revocation of Digital Signature Certificate, Notice of suspension or revocation
- Chapter VIII: DUTIES OF SUBSCRIBERS - Generating key pair, Acceptance of Digital Signature Certificate, Control of private key
- Chapter IX: PENALTIES AND ADJUDICATION - Penalty for damage to computer, computer system, etc., Penalty for failure to furnish information return, etc., Residuary penalty, Power to adjudicate, Factors to be taken into account by the adjudicating officer
- Chapter X: THE CYBER REGULATIONS APPELLATE TRIBUNAL - Establishment of Cyber Appellate Tribunal, Composition of Cyber Appellate Tribunal, Qualifications for appointment as Presiding Officer of the Cyber Appellate Tribunal, Orders constituting Appellate Tribunal to be final and not to invalidate its proceedings, Appeal to Cyber Appellate Tribunal, Procedure and powers of the Cyber Appellate Tribunal, Right to legal representation, Civil court not to have jurisdiction, Appeal to High Court, Compounding of contraventions, Recovery of penalty
- Chapter XI: OFFENCES - Tampering with computer source documents, Hacking with computer system, Publishing of information which is obscene in electronic form, Power of Controller to give directions, Directions of Controller to a subscriber to extend facilities to decrypt information, Protected system, Penalty for misrepresentation, Penalty for breach of confidentiality and privacy, Penalty for publishing Digital Signature Certificate false in certain particulars, Publication for fraudulent purpose, Act to apply for offence or contravention committed outside India, Confiscation, Penalties or confiscation not to interfere with other punishments, Power to investigate offences
- Chapter XII: NETWORK SERVICE PROVIDERS NOT TO BE LIABLE IN CERTAIN CASES - Network service providers not to be liable in certain cases, Power of police officer and other officers to enter, search, etc., Act to have overriding effect, Controller, Deputy Controller and Assistant Controllers to be public servants, Power to give directions, Protection of action taken in good faith, Offences by companies, Removal of difficulties, Power of Central Government to make rules etc.
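The Chapter II authentication mechanism in working form (the record is transformed by a hash function, the digest is signed with the subscriber's private key, and a relying party verifies it with the public key), as an added example that is not part of the original lecture or of the Act's text. It assumes ECDSA over P-256 with SHA-256 as the asymmetric crypto system and hash function; the Subscriber type and the sample record are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Subscriber holds the key pair that Chapter VIII of the Act requires a
// subscriber to generate and keep under their own control. The type and its
// methods are illustrative, not part of the Act or of any official library.
type Subscriber struct {
	priv *ecdsa.PrivateKey
}

// NewSubscriber generates a fresh P-256 key pair (the "asymmetric crypto
// system" of Chapter II). The private key must never leave the subscriber.
func NewSubscriber() (*Subscriber, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Subscriber{priv: priv}, nil
}

// PublicKey is the half that a Certifying Authority would bind to the
// subscriber's identity in a Digital Signature Certificate (Chapter VII).
func (s *Subscriber) PublicKey() *ecdsa.PublicKey {
	return &s.priv.PublicKey
}

// Authenticate "affixes" the digital signature to an electronic record:
// the record is first transformed by a hash function (SHA-256) and the
// digest is then signed with the private key. The returned signature is
// the second electronic record that Chapter II refers to.
func (s *Subscriber) Authenticate(record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify is the relying party's check: recompute the hash of the record as
// received and verify the signature against the subscriber's public key.
// Any change to the record, or a signature made with a different key, fails.
func Verify(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	sub, err := NewSubscriber()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; any byte string (a filed form, an e-mail,
	// a ledger entry) is handled the same way.
	record := []byte("Constructed sample: e-filing no. 42, amount Rs. 1,000")
	sig, err := sub.Authenticate(record)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record verifies:", Verify(sub.PublicKey(), record, sig))

	// Altering even one digit of the record invalidates the signature.
	tampered := []byte("Constructed sample: e-filing no. 42, amount Rs. 9,000")
	fmt.Println("tampered record verifies:", Verify(sub.PublicKey(), tampered, sig))
}
```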
[Chapter XI is interesting from our lecture's perspective. Here is an extract from the bare Act:
(Source http://www.dot.gov.in/sites/default/files/itbill2000_0.pdf)
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation: For the purposes of this section, "computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.]
Quick list of advantages of I.T. Act 2000
- Helpful in promoting e-commerce in India - confidence is key in electronic transactions
- Email is valid - this creates confidence and ease of operations for merchants and buyers
- Digital signature is valid - a big step forward in formalising transactions for contracts, tax payments etc.
- Payment via credit card is valid - will push business volumes across India, including remote regions
- Online contract is valid - thereby broadening the boundaries of traditional businesses
Above all, validity in the eye of Indian law was very necessary, which the IT Act 2000 has accorded.
Boost for corporate businesses: Once a digital signature certificate has been issued by the Certifying Authority, Indian corporates can enhance business in ways unimaginable earlier.
High penalty for cyber crime: The law has the power to penalize cyber crimes heavily. It is expected to rein in the proliferating tendency of people to commit such crimes, as there was no fear of (cyber) law earlier.
Shortcomings of I.T. Act 2000
- Infringement of copyright has not been included in this law. It’s a big issue in India.
- No protection for domain names. So squatters may have a field day.
- The Act is not applicable to powers of attorney, trusts and wills.
- Act is silent on taxation.
- No provision of payment of stamp duty on electronic documents.
4.1.1 The Information Technology Amendment Act, 2008 (IT Act 2008)
It is a substantial addition to India's Information Technology Act (ITA-2000). The IT Amendment Act was passed by the Indian Parliament in October 2008 and came into force a year later. The Act is administered by the Indian Computer Emergency Response Team (CERT-In). The original Act was developed to promote the IT industry, regulate e-commerce, facilitate e-governance and prevent cybercrime. The Act also sought to foster security practices within India that would serve the country in a global context. The Amendment was created to address issues that the original bill failed to cover and to accommodate further development of IT and related security concerns since the original law was passed.
Changes in the Amendment include: redefining terms such as "communication device" to reflect current use; validating electronic signatures and contracts; making the owner of a given IP address responsible for content accessed or distributed through it; and making corporations responsible for implementing effective data security practices and liable for breaches.
4.2 The Indian Penal Code, 1860 (IPC, 1860)
The Indian Penal Code was amended by inserting the word 'electronic', thereby treating electronic records and documents on par with physical records and documents. The sections dealing with false entries in a record or false documents etc. (e.g. 192, 204, 463, 464, 464, 468 to 470, 471, 474, 476 etc.) have since been amended to cover 'electronic record and electronic document', thereby bringing them within the ambit of the IPC. Now, electronic records and electronic documents are treated just like physical records and documents where forgery or falsification is committed in the course of a crime. After the above amendment, the investigating agencies file cases/charge-sheets quoting the relevant sections of the IPC (sections 463, 464, 468 and 469) read with Sections 43 and 66 of the ITA/ITAA for like offences, to ensure that the evidence and/or punishment can be covered and proved under either or both of these legislations.
4.3 The Indian Evidence Act 1872
Prior to the enactment of the ITA, all evidence in a court was in physical form only. After the ITA, electronic records and documents are now recognized. The definitions part of the Indian Evidence Act was amended and "all documents including electronic records" was substituted. Other terms used in the ITA, e.g. 'digital signature', 'electronic form', 'secure electronic record' and 'information', were also inserted to give them evidentiary significance under the Act. The most important amendment was the recognition of the admissibility of electronic records as evidence, as enshrined in Section 65B of the Act.
4.4 The Bankers' Books Evidence (BBE) Act 1891
Before passing of ITA, a bank was supposed to produce the original ledger or other physical register or document during evidence before a Court. After enactment of ITA, the definitions part of the BBE Act stood amended as: "bankers' books include ledgers, day-books, cashbooks, account-books and all other books used in the ordinary business of a bank whether kept in the written form or as printouts of data stored in a floppy, disc, tape or any other form of electro-magnetic data storage device". When the books consist of printouts of data stored in a floppy, disc, tape etc, a printout of such entry ...certified in accordance with the provisions ...to the effect that it is a printout of such entry or a copy of such printout by the principal accountant or branch manager; and (b) a certificate by a person in-charge of computer system containing a brief description of the computer system and the particulars of the safeguards adopted by the system to ensure that data is entered or any other operation performed only by authorized persons; the safeguards adopted to prevent and detect unauthorized change of data ...to retrieve data that is lost due to systemic failure or ...
The above amendment to the provisions of the Bankers' Books Evidence Act recognized the printout from a computer system, and other electronic documents, as valid documents in the course of evidence, provided such printout or electronic document is accompanied by a certificate in the terms mentioned above.
Issues not covered under the ITA: The ITA and ITAA are a landmark first step and a milestone in the technological growth of the nation; however, the existing law is insufficient. Many issues in cybercrime are still left untouched.
Territorial jurisdiction is a major issue which is not satisfactorily addressed in the ITA or ITAA. Jurisdiction is mentioned in Sections 46, 48, 57 and 61 in the context of the adjudication process and the connected appellate procedure, and again in Section 80 as part of police officers' powers to enter and search a public place for a cyber crime etc. Since cyber crimes are basically computer-based crimes, if someone's mail is hacked in one place by an accused sitting far away in another state, determining which police station should take cognizance is difficult. It is seen that investigators generally try to avoid accepting such complaints on the grounds of jurisdiction. Since cybercrimes are geography-agnostic, borderless, territory-free and generally spread over several jurisdictions, proper training needs to be given to all the players concerned.
Preservation of evidence is also a big issue. While filing cases under the IT Act, the chances that necessary evidence gets destroyed are very often high, as the evidence may lie in some system such as the intermediaries' computers or sometimes in the opponent's computer system too.
However, most of the cyber crimes in the nation are still brought under the relevant sections of IPC read with the comparative sections of ITA or the ITAA which gives a comfort factor to the investigating agencies that even if the ITA part of the case is lost, the accused cannot escape from the IPC part.
India has also formulated the cyber security policy, 2013 to assert its seriousness about cyber security. However, cyber security in India is still in a bad shape despite all these efforts of Indian government.
5.0 INSTANCES OF CYBERCRIME IN INDIA
5.1 Cyberstalking
Facts: One Mrs. R K complained to the police against a person who was using her identity to chat over the Internet at the website www.mirc.com, mostly in the Delhi channel, for four consecutive days.
Mrs. R K further complained that the person was chatting on the Net using her name, giving out her address and using obscene language. The same person was also deliberately giving her telephone number to other chatters, encouraging them to call Ritu Kohli at odd hours.
Consequently, Mrs. R K received almost 40 calls in three days, mostly at odd hours, from as far away as Kuwait, Cochin, Bombay and Ahmedabad. The said calls created havoc in the personal life and mental peace of Mrs. R K, who decided to report the matter.
The investigation was handled by Delhi Police. The IP addresses were traced, the police investigated the entire matter and ultimately arrested Manish Kathuria on the said complaint. Manish apparently pleaded guilty and was arrested.
Actions: A case was registered under section 509 of the Indian Penal Code (IPC). Nothing under the IT Act.
5.2 Blackmailing
Facts: A Dubai-based NRI was lured by an anonymous woman on the internet who, after winning his confidence and love, started blackmailing him under the guise that the first woman with whom the NRI had become friendly had committed suicide and that the police were investigating the case and seeking the NRI's details. The accused also sent fake copies of letters from the CBI, the High Court of Calcutta, the New York police and Punjab University etc. By that time the NRI had paid about Rs. 1.25 crore to the accused.
The investigation was done by Maharashtra Police. Thankfully, the NRI had saved all the emails he had received from the strangers he had been communicating with. The IP addresses embedded in all the e-mails received by the complainant revealed the origin of the emails. The man assuming these various identities turned out to be a single person.
Actions: Charges framed u/s 292, 389, 420, 465, 467, 468, 469, 471, 474 IPC read with Section 67 of the IT Act.
Facts: Two BPO employees gained illegal access to their company's computer system by hacking the passwords. They conspired with the son of a credit card holder and illegally increased the credit limit of the card and changed the communication address so that the credit card statement never reached the original cardholder. The credit card company was cheated of about Rs. 7.2 lakhs.
Investigations were conducted by Chennai police. The computer system of the BPO company was examined along with the computer logs showing the access to the computer systems by the accused. The presence of accused was also verified with the attendance register.
Actions: Charges framed u/s 120(B), 420, 467, 468, 471 IPC and Section 66 of IT Act.
5.4 Phishing
Facts: The defendants were operating a placement agency involved in 'head-hunting' and recruitment. In order to obtain personal data which they could use for head-hunting, the defendants composed and sent emails to third parties in NASSCOM's name.
Actions: Injunction (Anton Piller Order) and Rs. 16 lakhs damages - Nothing in IT Act
Case Law: National Association of Software and Service Companies vs. Ajay Sood & Others, Decided by Delhi High Court in 2005
5.5 Obscenity - Hosting obscene profiles
Facts: Some unknown person had created an email ID using the name of a lady and had used this email ID to post messages on five web pages describing her as a call girl along with her contact numbers.
Investigations were conducted by Chennai police: the IP address and log details were obtained from the ISP and were traced to two cyber cafes in Mumbai. The complainant revealed that she had refused a former college-mate who had proposed to marry her. Police arrested this person and examined his SIM card, which contained the complainant's number; the cyber café owner also identified this man.
Actions: A chargesheet was filed u/s 67 of the IT Act 2000 and 469 and 509 IPC. The accused was sentenced for the offence to undergo RI for 2 years {State of Tamil Nadu Vs Suhas Katti, CMM, Egmore, Chennai in 2004}.
5.6 Cyber defamation
Facts: A company's employee started sending derogatory, defamatory and obscene emails about the company's Managing Director. The emails were anonymous and frequent and were sent to many of the company's business associates to tarnish the image and goodwill of the company.
Investigation: The accused was identified by the company with the help of a private computer expert.
Actions: The Delhi High Court granted an injunction and restrained the employee from sending, publishing and transmitting emails which are defamatory or derogatory to the plaintiffs {SMC Pneumatics (India) Private Limited v. Jogesh Kwatra}.
5.7 Credit Card Frauds - Air Tickets
Facts: More than 15000 credit cards were fraudulently used to book air tickets through the Internet. Total damage: about Rs. 17 crores.
The fraud came to light after some of the credit card holders approached the card-issuing bank saying they had never booked the said tickets. The airline had charged the amount to the bank, which in turn had passed on the tab to its customers.
Investigation: The gang had booked tickets online using credit card numbers obtained from restaurants, hotels, shopping malls and other retail outlets. The tickets were booked from cyber cafes in Mumbai, Delhi, Chennai, Kolkata and Bangalore.
Actions: Charges framed under IPC.
5.8 Data theft
Facts: An employee of HSBC BPO allegedly accessed personal information, security information and debit card information of some customers and these details were passed on to the fraudsters who diverted £233,000 (approx Rs. 2 crores) from the clients' accounts.
Actions: A case has been registered under Sections 66 and 72 of the IT Act and 408, 468 and 420 of the Indian Penal Code.
5.9 Tampering with computer source code (also a Copyright Infringement)
Syed Asifuddin & Ors. v State of Andhra Pradesh & another - 2005 CrLJ 4314 (AP): A big mobile services company launched a famous scheme wherein it gave an expensive hand-set at a very low cost but with a lock-in period of 3 years, during which the mobile subscriber had to pay a fixed monthly rental and a premium call charge to the company. A special computer program / technology was used by this mobile services company so that the hand-set could only be used with its mobile service and not with other mobile services. Employees of a competing mobile services company lured the customers of the above company into altering / tampering with the special (locking) computer program / technology so that the hand-set could be used with the competing mobile service.
Held: Such tampering is an offence u/s 65 of the IT Act as well as copyright infringement u/s 63 of the Copyright Act.
The journey to rein in cybercrime is technical, long and often difficult for the common man to understand. The government of India has taken the first strong steps by legislating in the right direction. Still, there are miles to go before a very robust justice delivery system can be created that is foolproof and dependable.
6.0 CYBERCRIME IN INDIA
The cybercrime statistics released by the Nation Crime Records Bureau (NCRB) for the year 2013 shows a rapid increase in cyber crime by 50% on year to year basis from 2012 to 2013. The maximum offenders came from the 18-30 age group. Among states, the highest incidents of cyber crime took place in Maharashtra (907) followed by Uttar Pradesh (682) and Andhra Pradesh (651).
The maximum cyber crime arrests of four hundred twenty six (426) under the IT Act took place in Maharashtra and Andhra Pradesh was a distant second with 296 arrests, followed by Uttar Pradesh with 283 arrests.
In percentage terms, the state that saw the most dramatic increase in cases registered under the IT Act was Uttarakhand at 475% (from 4 cases to 23); Assam a close second with 450% (from 28 cases to 154). Interestingly, the picture postcard union territory, Andaman and Nicobar islands, registered an eye-popping increase of 800% (two cases in 2012 to 18 in 2013) in the same category.
Delhi registered 131 cyber crime cases, an increase of 72.4 percent over 2012, whereas Lakshadweep and Dadra and Nagar Haveli reported no cyber crime cases for the year 2013. Cyber crime also seems to be rare in the northeastern states: in 2013, only one case each was registered in Nagaland and Mizoram.
6.1 The problem of extradition
In tackling cybercrime in India it has been observed that even if the investigating officer succeeds in establishing the geographical identity of a person accused of a cyber crime, the accused is rarely brought to justice. As the accused may fall beyond the officer's jurisdictional powers, the officer faces many other obstacles in pursuing the investigation. Jurisdiction plays a vital role in undertaking a successful criminal procedure. In the cyber world, where speed is of the essence, any attempt to first obtain the consent of courts or the cooperation of authorities in another jurisdiction will thwart any chance of identifying the culprits and collecting evidence.
About 1,800 cases of internet fraud were reported in 2011, a drop from the 2,234 cases reported in 2010. But the CBI's Economic Offences Wing registered only three cases in 2011. Most of the cases relate to payment and e-commerce fraud using stolen credit cards. In March 2012 the Central Government reported that about 112 government websites, including those of Bharat Sanchar Nigam Ltd, the Planning Commission and the Ministry of Finance, had been hacked in three months. More recent data is given below.
In cyberspace, criminal activities have overcome the physical boundaries of the state. Effective international co-operation is therefore a must to bring the culprits to book. Efforts were initiated at the global level by organizations like the OECD, the UN and the Council of Europe. The convention adopted by the Council of Europe institutionalizes international co-operation, with its provisions for establishing 24x7 networks among member countries for the exclusive purpose of providing timely assistance in preventing and detecting cyber crimes. However, India is not a party to such treaties.
7.0 ADVANCED PERSISTENT THREAT (APT)
APT - An advanced persistent threat (APT) is a stealthy computer network attack in which a group gains unauthorized access and remains undetected for a long period. The actors behind APTs are usually state actors, but over the last few years there have been multiple examples of non-state sponsored groups conducting large-scale targeted intrusions. Such APT processes require a high degree of covertness over a long period of time. The "advanced" process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The "persistent" process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The "threat" process indicates human involvement in orchestrating the attack.
Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal.
Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain.
Threat – APTs are a threat because they have both capability and intent.
7.1 Origin country Russia | Group name APT29
A.K.A. - Cozy Bear, The Dukes, Iron Hemlock, Group 100 and CozyDuke
Overview - APT 29 is a cyber-espionage group that has been working for the Russian government since 2008, to collect intelligence related to foreign and security policy decision-making. According to reports, the group engaged in biannual large-scale campaigns against thousands of targets, most of whom belong to the governmental sector or are affiliated to governments.
Targeted sectors - Western European governments, foreign policy groups and other similar organizations
7.2 Origin country China | Group name APT1
A.K.A. - Comment Panda, PLA Unit 61398, Group 3, BrownFox and Byzantine Candor
Overview - APT1 is a Chinese espionage group that conducted a cyber campaign against a wide range of targets starting in 2006. It is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known as Unit 61398. APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations and is able to steal from dozens of them simultaneously. It focuses on compromising organizations from over 20 industries, 87% of whom are in English-speaking countries.
APT1 controls thousands of systems to support their computer intrusion activities. They established at least 937 Command and Control (C2) servers, hosted on 849 distinct IP addresses in 13 countries. The group targets organizations simultaneously. Once they establish access to a target's network, they continue to access it periodically over periods of time, ranging from months to years, stealing large volumes of intellectual property including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from the victim organization's leadership. Generally, APT1 uses IP addresses registered in Shanghai and systems set to use the Simplified Chinese language. The size of APT1's infrastructure implies a large organization with at least dozens, but potentially hundreds, of human operators and a current attack infrastructure that includes over 1,000 servers.
Targeted sectors - Information Technology, Aerospace, Public Administration, Satellites and Telecommunications, Scientific Research and Consulting, Energy, Transportation, Construction and Manufacturing, Engineering Services, High-tech Electronics, International Organizations, Legal Services, Media, Advertising and Entertainment, Navigation, Chemicals, Financial Services, Food and Agriculture, Healthcare, Metals and Mining, Education
7.3 Origin country North Korea | Group Name Lazarus
A.K.A. - Hidden Cobra, Labyrinth Chollima, Group 77, Bureau 121 and NewRomanic
Overview - Lazarus Group is a North Korean espionage APT group. Their attacks were originally detected in 2009, during a cyber-espionage campaign against South Korea. They are considered to be the most dominant APT group of 2017, as they managed to execute several major cyber-attacks against the financial industry, especially via the secured transactions platform SWIFT. The group's TTPs are considered highly sophisticated and reached their pinnacle in November 2014, when the group released internal and confidential information from the Sony Pictures servers after being inside the network for over a year. This attack, known as Operation Blockbuster, is one of the biggest corporate breaches in recent history. Since then the group has focused more on hacking banks, including a major attack on the SWIFT payment system of the Bank of Bangladesh, in which they successfully stole about $80 million.
The group is also said to be responsible for a campaign against worldwide financial institutions in February 2017. This was done by exploiting infected websites to redirect victims to a customized exploit kit.
The group is also responsible for the WannaCry ransomware attack which managed to infect millions of computers all over the world.
Targeted sectors - Governments, Information Technology, Aerospace, Media, Advertising and Entertainment, Financial Services and Healthcare.
8.0 DRAFT DATA PROTECTION BILL - JUSTICE SRI KRISHNA COMMITTEE
Justice Sri Krishna Committee released the first draft of the Personal Data Protection Bill, 2018, in July 2018. Following a structure which combines Europe’s General Data Protection Regulation (GDPR) and India’s Information Technology Act, 2000, the Bill runs into 112 sections.
These include positive features like broader definitions, horizontal application, extra-territorial jurisdiction and steep penalties for violations, as well as negative features like data localization requirements and many exceptions for State-related processing. Amendments are proposed to the Right to Information Act and the Information Technology Act, though no amendments are proposed at present to the Aadhaar Act.
- Horizontal application and extra-territorial jurisdiction - The jurisdiction of the Bill under Section 2 is vast, including both territorial and extra-territorial provisions along the lines of the GDPR. Further, it has horizontal application, applying to both governmental and private actors. It applies to any processing within India, as well as to any processing by the State, Indian companies or Indian citizens. In its extraterritorial application, it applies to any entities providing goods and services in India, and also to any activity involving the profiling of persons in India.
- Data mirroring, data localization requirements imposed - One of the related implications of this vast jurisdiction is the data localization rules to be imposed under Section 40, which confirm the data localization reports that arose some time ago. Under these, one copy of all personal data to which the law applies is to be kept on a server within India. Further, certain categories of data, which are to be specified by the government as critical personal data, are to be stored in India alone. Additionally, requirements for cross-border transfer of data are also imposed.
- New definitions of personal and sensitive personal data - The Bill introduces new definitions of personal data and sensitive personal data. Personal data refers to any data on a natural person which allows direct or indirect identifiability. Sensitive personal data (SPD) also contains welcome additions such as religious and political beliefs, caste, intersex/transgender status and official government identifiers (like the PAN number). Financial data as SPD is also included, which has also been defined to specifically include data like financial status and credit history. Biometric data as SPD also now specifically includes facial images or photographs, but only when processed so as to allow unique identification of the person (such as facial recognition techniques). Section 106 further allows the Government to bar the processing of certain types of biometric data, except as permitted under law. The Bill will not apply to anonymous or non-personal data.
- Data ‘fiduciary’ and data ‘principal’ - The Bill replaces the traditional concepts of data controller and data subject with data ‘fiduciary’ and data ‘principal’ (the natural person whose data is being collected). The aim seems to be an attempt to create a trust-based relationship between the two. It also introduces the concept of ‘significant’ data fiduciaries, such as data fiduciaries who process huge volumes of data. A valid contract will be necessary to allow processing by a processor.
- Data Processing Principles - Turning to data processing principles, the Bill incorporates several of these in Chapter II, including many principles recommended by the Justice A.P. Shah Committee. These include purpose and collection limitation, detailed notice requirements, storage limitation, data quality requirements, and the principle of accountability.
- Consent - the primary ground of processing - Consent will be the primary ground of processing available to most entities, as per Section 12 (Chapter III). This consent is required to be free, informed, specific, clear and, in an important addition, capable of being withdrawn. One concern is with Clause (5) of this section, which states that when a data principal withdraws his consent for the processing of his personal data which is necessary for the performance of a contract, then all legal consequences for the effects of the withdrawal will be borne by him (the data principal).
- Special conditions for SPD and children’s data - For SPD, explicit consent and other special conditions have been specified under Chapter IV. For children, parental consent and use of age verification mechanisms by data fiduciaries will be required under Section 23. One issue that may be a concern is that the exception created for parental consent for child counselling services and child protection services is very limited.
- State processing allowed for 'provision of services' - The Bill creates several exceptions and exemptions for processing by the State. An additional ground of processing under Section 13 (Chapter III) covers the processing of data required for a function of the State (authorized by law), Parliament or a legislature. This includes processing for the provision of any service or benefit to the data principal by the State. Aadhaar related activities would fall under this. It is to be noted that consent, which is an important argument being made against the Aadhaar related processing of personal data, has not been mandated here.
- A broad list of exemptions has also been included under Chapter IX, including for the security of the state and for the prevention, detection and investigation of crimes. Other exemptions cover legal proceedings, research, domestic purposes, journalistic purposes, and manual processing.
- Processing for emergencies, employment - Other grounds of processing under Chapter III include that for compliance with a law or judicial order and processing necessary for an emergency like a medical emergency, safety, etc. Processing for employment purposes such as recruitment, attendance, or ‘any activity’ needed for employee assessment has also been permitted. The extent of the processing allowed is a concern considering issues like workplace surveillance.
- Permitting processing for ‘reasonable purposes’ like whistleblowing - Another ground created is for processing on other ‘reasonable purposes’ under Section 17. This is an ambiguous ground which allows the Data Protection Authority of India (DPA), which is to be established under the Bill, to specify the purposes. This includes a broad and vague range of activities including whistleblowing, preventing unlawful activities, debt recovery and processing of publicly available data.
- Rights of the Data Principals - Chapter VI provides some basic rights to data principals. These include the right to access and correction, the right to data portability and right to be forgotten. The right to be forgotten, it is to be noted, is not a right to erasure or deletion as granted under the GDPR. Instead, it is like the commonly understood notion of the right to be forgotten – a right to prevent or restrict disclosure of personal data by a fiduciary. This would be applicable to the known cases such as removal of search links by Google. The Bill, in fact, does not provide a right to erasure. Rights against automated decision making and profiling are also missing.
- Privacy by Design, DPIA and other security requirements - Chapter VII imposes privacy by design requirements. This also includes transparency obligations, such as with regards to the categories of data collected and the purposes of processing, and security safeguards like de-identification and encryption. Requirements of conducting Data Protection Impact Assessments, audits and appointing a Data Protection Officer are also specified.
- Assessing ‘harm’ for data breach notifications - Section 32 on data breach notifications requires these to be made to the DPA only. Notifications to the data principals and notices on websites, etc., are to be made only when required by the DPA. Further, the notifications to the DPA are to be made only if the breach is likely to cause ‘harm’ to the data principal.
- The Bill introduces a broad, but closed definition of ‘harm’. It specifies 10 factors, including mental or physical injury, loss of property or reputation, identity theft, discrimination, any denial of service, restriction of the right to freedom of speech, and any observation or surveillance that is not reasonably expected. Leaving the discretion to the data fiduciary to judge if the data breach causes harm to the data principal is a concern. Consider Cambridge Analytica, where the data breach was not disclosed.
- RTI amendments to include the ‘harm’ concept - Further, this concept of harm is also to be introduced via an amendment to Section 8(1)(j) of the Right to Information Act, 2005. The new section will allow any information which is likely to cause ‘harm’ to be exempted from disclosure under the Act. This may greatly increase the scope of refusals on this basis.
- Central govt to appoint DPA members - Many concerns were raised as to whether a DPA in India would ensure equal representation of different stakeholders, in order to ensure its independence. These concerns remain unaddressed, as the Bill makes no specifications as to equal representation.
- The Bill establishes a Data Protection Authority of India, consisting of one chairperson and 6 whole time members. The DPA members are to be appointed by the Central Government, based on the recommendations of a body that will consist of the Chief Justice of India, the Cabinet secretary and one CJI nominated expert. The Bill specifies the qualifications and expertise of the persons to be appointed.
- Steep penalties of 4% of the turnover - The Bill prescribes steep penalties along the lines of the GDPR. These include penalties of the higher of Rs. 5 crores or 2% of annual global turnover for violations like failing to conduct a data protection impact assessment. The higher of Rs. 15 crores or 4% of annual global turnover is prescribed for violations like processing personal data in contravention of the Bill. Complaints can be filed by an aggrieved data principal before Adjudicating Officers appointed under the Bill. Appeal from their orders lies to an Appellate Tribunal and thereafter to the Supreme Court.
- Non-bailable criminal offences and applicability to State authorities - The Bill also prescribes a list of non-bailable and cognizable criminal offences. These include a maximum fine of Rs. 2 lakhs or imprisonment of 3 years for obtaining, transferring or selling personal data in violation of the law. If the data is SPD, this goes up to 5 years or Rs. 3 lakhs. Similar provisions apply to re-identification of data.
- Central or state government departments, any authority of the State, as well as companies can be proceeded against for commission of these offences. This would also include the UIDAI, as an authority of the State.
- Act replaces Section 43A - Lastly, Section 43A of the Information Technology Act, 2000, on compensation for failure to protect data, is to be omitted. Section 72A of the IT Act (Punishment for disclosure of information in breach of lawful contract) has been retained.
Despite containing both positive and negative features, the Bill is a welcome first step towards a comprehensive data protection law.
Cybersecurity in the era of blockchain
Distributed Ledger System (DLS) or Blockchain technologies (as they are commonly known) have arrived and are here to stay. DLS has greater potential to revolutionize the way governments, institutions and enterprises work than ever before. It can help governments in collecting tax, issuing documents and licenses, disbursing social security benefits, and in voting procedures.
The technology has disrupted industries such as finance, media, precious assets, supply chains of various commodities and much more.
Blockchain for security - As many security practitioners observe, there is a tremendous potential for blockchain for security use cases in the future. Organizations are exploring the use of permissioned blockchain environments for management of identity assertions within an industry consortium or group of companies, leveraging the loose coupling of a distributed ledger and yet having required boundaries of trust. Another interesting use case to be explored is the notification of validated platform vulnerabilities in the public domain.
A platform vulnerability reporting blockchain can make the known vulnerabilities data transparently validated and accessible as and when they are detected and reported. Fixes can be validated on various platforms and reported by users, making the entire process of rolling out security patches a lot more transparent and reliable.
Blockchain security - Blockchain as a technology is still in a Catch 22 situation. We say this because, though there are excellent opportunities and well-defined use cases, security concerns continue to cast gloom over blockchain. The technology is already running in production even though many of the blockchain frameworks available today are still in their early stages. Blockchain security is an area that needs to keep pace with the introduction of faster consensus protocols and highly scalable blockchain frameworks.
While blockchain could potentially change how we operate, the technology is accessible to both consumers and malicious attackers. It is important to factor in the need to do real-time blockchain network analytics and implement built-in validation checks to safeguard blockchain networks.
9.0 GENERAL DATA PROTECTION REGULATION - EU
GDPR stands for General Data Protection Regulation. It is a game-changing data privacy law set out by the EU, and has been enforced since May 25th, 2018.
- A company may be based in the US or elsewhere, but would be covered by GDPR when dealing with EU citizen data!
- GDPR consists of a long list of regulations for the handling of consumer data. The goal of this new legislation is to help align existing data protection protocols all while increasing the levels of protection for individuals. It’s been in negotiation for over four years, but the actual regulations came into effect starting May 25th, 2018.
- All of the reforms going into effect are designed to help customers gain a greater level of control over their data, while offering more transparency throughout the data collection and use process. These new laws will help to bring existing legislation up to par with the connected digital age we live in. Since data collection is such a normal and integral aspect of our lives both on a personal and business level it helps to set the standard for data-related laws moving forward.
- Put simply, GDPR is a regulation that you’ll want to take seriously. Below we dive into what this regulation is, the demands of the legislation and how it could impact your day-to-day business.
9.1 How to be GDPR compliant
It is a seven-step process:
- Obtaining consent - Your terms of consent must be clear. This means that you can’t stuff your terms and conditions with complex language designed to confuse your users. Consent must be easily given and freely withdrawn at any time.
- Timely breach notification - If a security breach occurs, you have 72 hours to report the data breach to both your customers and any data controllers, if your company is large enough to require a GDPR data controller. Failure to report breaches within this timeframe will lead to fines.
- Right to data access - If your users request their existing data profile, you must be able to serve them with a fully detailed and free electronic copy of the data you’ve collected about them. This report must also include the various ways you’re using their information.
- Right to be forgotten - Also known as the right to data deletion, once the original purpose or use of the customer data has been realized, your customers have the right to request that you totally erase their personal data.
- Data portability - This gives users rights to their own data. They must be able to obtain their data from you and reuse that same data in different environments outside of your company.
- Privacy by design - This section of GDPR requires companies to design their systems with the proper security protocols in place from the start. Failure to design your systems of data collection the right way will result in a fine.
- Potential data protection officers - In some cases, your company may need to appoint a data protection officer (DPO). Whether or not you need an officer depends upon the size of your company and at what level you currently process and collect data.
FINES: Failure to comply with GDPR can result in hefty fines. The fines go up to €20 million or up to 4 percent of the offending organization's annual revenue, whichever is greater. Now that's a serious fine. The higher level fines are reserved for cases in which data infringement occurs, procedures for handling data aren't in place, an unauthorized transfer of data occurs, or requests for customer data access are ignored.
The lower level fines still apply to the misuse of data, but on a minor scale: for example, failing to report a data breach, failing to notify your customers about a recent breach, or failing to implement the correct data protection protocols.
LATEST 2018 and 2019 THREATS
CYBER ATTACK #1: RANSOMWARE
Ransomware is, essentially, the digital version of kidnapping. A hacker manages to get a ransomware file onto your servers. Typically, hackers will use some form of phishing, in which a user in your system receives an email with a malicious file attached. Of course, this file doesn't look malicious. It looks completely legitimate, like something they receive every day. When the user opens the file, the ransomware is deployed, encrypting and locking specific, highly sensitive files on the user's computer or your servers. When the user attempts to open the files, they are confronted with a message stating that their files have been locked, and that they will only receive the decryption key if they pay a specified amount to the hacker, usually through an untraceable Bitcoin payment. This type of attack is massively on the rise, with ransomware attacks growing 2,502% in 2017.
Example: On 26 July 2017, Arkansas Oral & Facial Surgery Center suffered an attack at the hands of an unknown ransomware. The incident didn't affect its patient database. However, it did affect imaging files like X-rays along with other documents such as email attachments. It also rendered patient data pertaining to appointments that occurred three weeks prior to the attack inaccessible. At the time of discovery in September 2017, Arkansas Oral & Facial Surgery could not determine whether the ransomware attackers had accessed any patients' personal or medical data. It therefore decided to notify 128,000 customers of the attack and set them up with a year of free credit-monitoring services. Unfortunately, a ransomware attack places an organization between a rock and a really, really hard place. They can pay the ransom to release their files, but that will mean instant bad publicity for them and the widespread knowledge that they're willing to pay for locked files. If they refuse to pay, they may lose business-critical files, which can also cost them enormous sums of money.
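The behaviour described above, many user files being rewritten and renamed in a short burst, is something a defender can look for in file-activity telemetry. The following detector is an added example, not code from the original material; the log format, process names and paths are constructed for the illustration.

```python
"""Added example (not from the original lecture): flag a process whose file
activity matches the ransomware pattern described in the text, namely many
distinct user files of several types being rewritten and renamed to a new
extension within a short window. Log format and all names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath  # handles Windows-style paths on any OS

# Constructed sample log: "<ISO timestamp> <pid> <process> <op> <path>[ -> <newpath>]".
# winword.exe edits one document twice (benign); svc_update.exe (hypothetical
# malware name) rewrites and renames four files of four types in five seconds.
SAMPLE_LOG = """\
2019-03-04T10:00:01 4412 winword.exe WRITE C:\\Users\\asha\\Documents\\report.docx
2019-03-04T10:00:09 4412 winword.exe WRITE C:\\Users\\asha\\Documents\\report.docx
2019-03-04T10:02:30 5120 svc_update.exe WRITE C:\\Users\\asha\\Documents\\q1.xlsx
2019-03-04T10:02:30 5120 svc_update.exe RENAME C:\\Users\\asha\\Documents\\q1.xlsx -> C:\\Users\\asha\\Documents\\q1.xlsx.locked
2019-03-04T10:02:31 5120 svc_update.exe WRITE C:\\Users\\asha\\Pictures\\xray_01.jpg
2019-03-04T10:02:31 5120 svc_update.exe RENAME C:\\Users\\asha\\Pictures\\xray_01.jpg -> C:\\Users\\asha\\Pictures\\xray_01.jpg.locked
2019-03-04T10:02:32 5120 svc_update.exe WRITE C:\\Users\\asha\\Documents\\invoice.pdf
2019-03-04T10:02:32 5120 svc_update.exe RENAME C:\\Users\\asha\\Documents\\invoice.pdf -> C:\\Users\\asha\\Documents\\invoice.pdf.locked
2019-03-04T10:02:33 5120 svc_update.exe WRITE C:\\Users\\asha\\Documents\\notes.txt
2019-03-04T10:02:35 5120 svc_update.exe RENAME C:\\Users\\asha\\Documents\\notes.txt -> C:\\Users\\asha\\Documents\\notes.txt.locked
"""

WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one log line into a dict; RENAME lines carry 'src -> dst'."""
    ts, pid, proc, op, rest = line.split(None, 4)
    src, _, dst = rest.partition(" -> ")
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "op": op, "src": src, "dst": dst or None}


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def detect_ransomware_bursts(log_text, window=WINDOW, min_files=4,
                             min_types=2, min_ext_changes=3):
    """Return [(pid, process, window_start_ts)] for every process that, within
    `window`, touched >= min_files distinct files spanning >= min_types
    extensions and renamed >= min_ext_changes of them to a different extension.
    Word rewriting one .docx never trips this; a bulk encryptor does."""
    events = defaultdict(list)  # (pid, proc) -> events in time order
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            events[(ev["pid"], ev["proc"])].append(ev)

    alerts = []
    for (pid, proc), evs in events.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start..end] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            files = {e["src"] for e in span if e["op"] in ("WRITE", "RENAME")}
            types = {_ext(f) for f in files}
            ext_changes = sum(1 for e in span
                              if e["op"] == "RENAME" and _ext(e["dst"]) != _ext(e["src"]))
            if (len(files) >= min_files and len(types) >= min_types
                    and ext_changes >= min_ext_changes):
                alerts.append((pid, proc, evs[start]["ts"]))
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for pid, proc, ts in detect_ransomware_bursts(SAMPLE_LOG):
        print(f"ALERT: {proc} (pid {pid}) bulk-encryption pattern from {ts}")
```

In a real deployment the same logic would run over Sysmon or EDR file events, and the thresholds would be tuned against baseline activity of backup and archiving tools that legitimately touch many files.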
CYBER ATTACK #2: INTERNET OF THINGS
The Internet of Things is made up of all the digitally connected items that, in the past, have never been able to connect to the internet. We’re talking appliances, thermostats, cars, and thousands of other things. And while these smart home innovations can certainly make life easier, they also make your company much more vulnerable to attack. The unfortunate reality is that many IoT devices are riddled with security holes which smart hackers can slip through, usually without notice. And if hundreds of IoT devices can be coordinated for an attack, it can create chaos and catastrophe on an enormous scale.
Example: In 2016, a coordinated IoT attack was launched that resulted in huge portions of the internet simply being inaccessible. Sites from HBO to Etsy to Fox News and PayPal were affected, and eventually led to an investigation by the Department of Homeland Security. This problem isn't going anywhere and presents a significant threat to your company, especially as more IoT devices are incorporated into your network.
The average number of IoT devices in the workplace is expected to increase by nearly 9,000 to an average of 24,762 devices.
CYBER ATTACK #3: SOCIAL ENGINEERING AND PHISHING
These hacker methods sound as old school as they are, but they likely aren’t going anywhere. Why do they still work? Because they rely solely on people. Social engineering and phishing involve hackers posing as legitimate institutions in order to trick people into entering sensitive information.
Example: A hacker may email employees at your company, posing as a system administrator, asking them to reset their password. A link is included in the email that directs the employees to a page that looks like one of your legitimate password reset pages, including fields for the username and old password. When the employee enters their old password, the hacker gets access to what is actually their current password. They can then immediately log into your system without any detection. These types of attacks are getting increasingly sophisticated. For example, hackers often launch these attacks in the wake of legitimate security breaches. People who would normally never fall for such a scam are much more liable because they know there was a security breach and that password resets are standard protocol following a breach.
These types of attacks will continue simply because humans don’t change. There will always be ways to deceive people into giving up sensitive information, no matter how many measures are put into place.
CYBER ATTACK #4: CRACKING
Cracking is when hackers use high-powered computer programs to systematically enter millions of potential passwords in the hope of "cracking" some of the easier ones. And we all know that millions of people still use laughably simple passwords, including the ones they use to log in to your system. We're talking passwords like "Password", "Abc123", "111111", their own name, their birthday, etc.
A recent study showed that a staggering 35% of people have what are considered to be “weak” passwords. These are easily crackable passwords. And most of the other 65% use passwords that can be cracked, given enough time. As computers grow increasingly powerful, cracking programs can quickly generate billions of potential passwords to try. If passwords aren’t sophisticated enough (i.e. they don’t contain enough random characters), they can still be somewhat easily cracked. And while system administrators are increasingly forcing users to devise more complicated passcodes, cracking attacks will always be a danger until users are forced to create completely unique passcodes that are very difficult to crack.
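The defensive counterpart to the cracking described above is to refuse the weak passwords at registration time. The checker below is an added example, not code from the original material; the common-password set is a small constructed sample standing in for a real breached-password list, and the thresholds are assumptions.

```python
"""Added example (not from the original lecture): a server-side password policy
check that rejects the kinds of passwords the text lists as easily cracked:
common strings like "Password", "Abc123" and "111111", the user's own name,
and their birthday, plus anything too short or too uniform to resist a
brute-force run. Wordlist, thresholds and name/birthday handling are assumed."""
import math
import re
from datetime import date

# Constructed stand-in for a breached-password list; a deployment would load a
# large wordlist into this set instead.
COMMON_PASSWORDS = {
    "password", "abc123", "111111", "123456", "qwerty", "letmein", "welcome",
}

# Keyboard and alphabet runs that cracking tools try early.
SEQUENCES = ["1234567890", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop"]


def _leet_fold(pw):
    """Undo the usual substitutions (P@ssw0rd -> password) before dictionary checks."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                           "$": "s", "5": "s", "!": "i", "4": "a"})
    return pw.lower().translate(table)


def _birthday_forms(birthday):
    """Digit layouts in which people usually embed a date of birth."""
    d, m, y = birthday.day, birthday.month, birthday.year
    return {f"{d:02d}{m:02d}{y}", f"{m:02d}{d:02d}{y}", f"{y}{m:02d}{d:02d}",
            f"{d:02d}{m:02d}{y % 100:02d}", f"{m:02d}{d:02d}{y % 100:02d}", str(y)}


def _entropy_bits(pw):
    """Rough brute-force search space, log2(charset_size ** length)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw, full_name="", birthday_iso=None, min_bits=60.0):
    """Return the list of reasons `pw` is weak; an empty list means it passed.
    `birthday_iso` is the user's date of birth as 'YYYY-MM-DD', if known."""
    reasons = []
    lowered = pw.lower()
    folded = _leet_fold(pw)
    stripped = re.sub(r"[^a-z]", "", folded)  # "Password123!" -> "password"
    if lowered in COMMON_PASSWORDS or folded in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        reasons.append("common password")
    if len(pw) >= 4 and len(set(pw)) <= 2:  # "111111", "aaaa"
        reasons.append("repeated characters")
    if any(seq[i:i + 4] in lowered or seq[i:i + 4][::-1] in lowered
           for seq in SEQUENCES for i in range(len(seq) - 3)):
        reasons.append("keyboard or alphabet sequence")
    for part in re.findall(r"[a-z]{3,}", full_name.lower()):
        if part in folded:
            reasons.append("contains the user's name")
            break
    if birthday_iso:
        forms = _birthday_forms(date.fromisoformat(birthday_iso))
        if any(form in pw for form in forms):
            reasons.append("contains the user's birthday")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if _entropy_bits(pw) < min_bits:
        reasons.append("too little variety for its length")
    return reasons


if __name__ == "__main__":
    for candidate in ["Password", "Abc123", "111111", "Rahul@1990",
                      "correct-horse-battery-staple-42"]:
        verdict = check_password(candidate, full_name="Rahul Sharma",
                                 birthday_iso="1990-05-14")
        print(f"{candidate!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

A policy like this only blocks the cheapest guesses; it belongs alongside rate limiting, a slow password hash, and a check against a real breached-password list.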
CYBER ATTACK #5: MAN IN THE MIDDLE
Man in the middle attacks happen when one of your employees conducts company business on an unsecured wireless network. For example, let’s say an employee is traveling and they stop in a coffee shop to catch up on a bit of work. If the wifi in the coffeeshop is unsecured, a hacker may be able to intercept any information being sent from the employee’s computer. This could include passwords, sensitive emails, contact information, and anything else they might transmit over the network. While there are certainly precautions that can be taken against this, such as installing VPN software on employee computers, there’s still the risk of information being captured from personal devices, such as tablets and mobile phones.
CYBER ATTACK #6: WORDPRESS SPECIFIC ATTACKS
Given that WordPress powers approximately 30% of websites, it should come as no surprise that attacks on WordPress are increasing in number. WordPress is generally secure out of the box, but as a site gains more traffic and notoriety, attackers will resort to increasingly sophisticated methods to compromise or take down WordPress sites.
One area of particular vulnerability is third-party plugins. If these aren't updated on a regular basis, they can introduce known, exploitable flaws into your system: a study by Sucuri found that 25% of hacked WordPress sites were compromised through out-of-date plugins. Additionally, WordPress sites that are not served over HTTPS (i.e. have no TLS certificate) are vulnerable when accessed from unsecured networks, because the login form is sent in plaintext: an attacker on the same network can use a man-in-the-middle attack to sniff the login details, log in to the site and deface it. Finally, failing to disable pingbacks (served through xmlrpc.php) lets attackers abuse that feature to make your server fire requests at a victim of their choosing, so your site becomes one of thousands of unwitting participants in a DDoS.
As WordPress continues to expand its reach, it will be increasingly important to lock down sites against attacks directed specifically at the platform: keep core, themes and plugins updated, serve the site over HTTPS, and disable XML-RPC pingbacks if they are not needed.
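Added example, not from the original page, covering both the man-in-the-middle scenario in attack #5 and the point above about WordPress sites without HTTPS: a Python sniffer that does what an attacker on the same open Wi-Fi does with captured traffic. Against a plaintext HTTP login POST it recovers the username and password outright; against an HTTPS connection all it can read is the server name in the TLS ClientHello. The captured HTTP request and the ClientHello are both constructed inline (the ClientHello by a small builder function); the hostname example-blog.test and the credentials are made up.

```python
import urllib.parse

# Constructed capture: what a WordPress login looks like on the wire when the
# site is served over plain HTTP. Content-Length matches the body below.
HTTP_LOGIN = (
    b"POST /wp-login.php HTTP/1.1\r\n"
    b"Host: example-blog.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"log=admin&pwd=Abc123&wp-submit=Log+In"
)


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (one cipher suite, one SNI
    extension) so the sniffer has an HTTPS capture to look at. Only the
    layout matters here; the random bytes are a fixed filler."""
    name = server_name.encode()
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name       # name_type host_name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    body = (
        b"\x03\x03"                  # client_version: TLS 1.2
        + b"\x11" * 32               # client random (fixed filler, not random)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02" + b"\xc0\x2f"  # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"                # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # TLS record


def sniff_http_credentials(payload: bytes):
    """Return the form fields of a plaintext HTTP POST, or None."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    if not request_line.startswith(b"POST "):
        return None
    return dict(urllib.parse.parse_qsl(body.decode()))


def sniff_tls_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello, or None. This hostname
    is the only application-level information a passive attacker gets from
    an HTTPS connection; the login form itself travels encrypted."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 9 + 2 + 32                                     # record hdr, hs hdr, version, random
    p += 1 + payload[p]                                # session id
    p += 2 + int.from_bytes(payload[p:p + 2], "big")   # cipher suites
    p += 1 + payload[p]                                # compression methods
    if p + 2 > len(payload):
        return None
    ext_end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
    p += 2
    while p + 4 <= ext_end:
        ext_type = int.from_bytes(payload[p:p + 2], "big")
        ext_len = int.from_bytes(payload[p + 2:p + 4], "big")
        data = payload[p + 4:p + 4 + ext_len]
        if ext_type == 0:                              # server_name extension
            name_len = int.from_bytes(data[3:5], "big")  # skip list len (2) and name type (1)
            return data[5:5 + name_len].decode()
        p += 4 + ext_len
    return None


def sniff(payload: bytes) -> dict:
    """What the attacker learns from one captured TCP payload."""
    creds = sniff_http_credentials(payload)
    if creds is not None:
        return {"protocol": "http", "credentials": creds}
    sni = sniff_tls_sni(payload)
    if sni is not None:
        return {"protocol": "tls", "server_name": sni, "credentials": None}
    return {"protocol": "unknown", "credentials": None}


if __name__ == "__main__":
    print(sniff(HTTP_LOGIN))
    print(sniff(build_client_hello("example-blog.test")))
```

The same parser is what a defender's network monitoring uses in reverse: seeing `wp-login.php` POSTs in plaintext on your own network is a sign that a site is still served over HTTP and its administrators' credentials are exposed to anyone sharing the network.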
Strides in quantum computing
Data is the new currency for most organizations and data volumes are continuing to grow at an explosive rate. While the advantage of collecting such large volumes of data is obvious, protecting it from cybercriminals and malicious actors is becoming increasingly difficult.
Conventional security mechanisms are failing, and large-scale security breaches, despite increasing security spending, are becoming commonplace. This, along with growing regulatory requirements and privacy laws, has brought ‘data security’ (protection of the data itself, whether at rest, in use or in transit) into strong focus.
Encryption has been one of the pillars that enterprises and governments have traditionally relied upon to secure sensitive data. The field has evolved over centuries to its current state, in which well-designed algorithms, used correctly, are considered practically unbreakable. Several standards have emerged, and modern encryption technologies have withstood the test of time, scaling to protect our most sensitive data, from banking transactions to sensitive government secrets.
What if this ‘status quo’ is flipped on its head by a new development that dents the very assumptions from which modern cryptographic algorithms derive their strength? This has been a topic of intense discussion in the academic and research community, and ‘quantum computing’ has been identified as a potential candidate for triggering this disruption.
This section examines the basis of modern cryptography, the challenges that quantum computing poses, the current state of quantum computing and what enterprises need to do, if at all, to ensure that their most critical assets continue to be protected.
How does traditional cryptography work, and what exactly are the challenges posed by quantum computers? Modern cryptography is broadly classified as symmetric (one shared secret key, e.g. AES) or asymmetric/public-key (a key pair, e.g. RSA and elliptic-curve schemes). Public-key schemes derive their secrecy from mathematical trap-door functions: operations that are easy to compute in one direction but infeasible to reverse without a secret.
The strength of these algorithms comes from a set of hard problems, such as factoring large integers and computing discrete logarithms, and from the inability to solve those problems with currently available technology. Quantum computing, through special algorithms, can potentially solve these hard problems in much shorter time frames and therefore compromise the security of these encryption systems. Shor's algorithm factors integers and computes discrete logarithms efficiently, which would break RSA, Diffie-Hellman and elliptic-curve cryptography outright; Grover's algorithm gives only a quadratic speed-up against symmetric ciphers, roughly halving their effective key length, so AES-256 would retain about 128 bits of security. Quantum computers have a substantial advantage over conventional ones on certain problems, and some of those problems happen to map exactly onto current public-key algorithms. Therein lies the challenge!
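Added example, not part of the original page: a Python walk-through of why RSA falls to a quantum computer. Shor's algorithm reduces factoring to finding the order of a random element modulo n; the quantum computer does that one order-finding step in polynomial time, while here it is done by brute force on a toy 12-bit modulus so that the rest of the reduction (the classical post-processing and the recovery of the private key) can be followed end to end. The primes 61 and 53, exponent 17 and message 65 are the usual textbook toy values; real keys use a 2048-bit n, for which the brute-force loop below would never finish.

```python
import math


def toy_rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA with tiny primes. The hard problem the security rests on
    is recovering p and q from n alone."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1. This is the only step Shor's
    algorithm runs on quantum hardware. The brute-force loop used here takes
    time proportional to r, which for real key sizes is astronomical."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_via_order(n: int):
    """Shor's classical reduction. For a coprime to n with even order r and
    a**(r/2) != -1 (mod n), gcd(a**(r/2) - 1, n) is a proper factor of n.
    Candidates are tried as a = 2, 3, ... so the result is deterministic."""
    for a in range(2, n):
        g = math.gcd(a, n)
        if g != 1:                 # lucky guess already shares a factor with n
            return tuple(sorted((g, n // g)))
        r = find_order(a, n)
        if r % 2:                  # odd order: no useful square root of 1
            continue
        y = pow(a, r // 2, n)
        if y == n - 1:             # trivial square root of 1: try another a
            continue
        p = math.gcd(y - 1, n)     # y**2 == 1 and y != +-1, so this is proper
        return tuple(sorted((p, n // p)))
    raise ValueError("n is prime or a prime power")


def recover_private_key(public_key):
    """What an attacker with an efficient factoring routine does with a
    public key: factor n, recompute phi, and derive d exactly as the owner did."""
    n, e = public_key
    p, q = factor_via_order(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def encrypt(message: int, public_key) -> int:
    n, e = public_key
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    n, d = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    public, private = toy_rsa_keypair(61, 53)
    c = encrypt(65, public)
    attacker_key = recover_private_key(public)
    print("factors of n:", factor_via_order(public[0]))
    print("recovered key matches owner's:", attacker_key == private)
    print("attacker decrypts ciphertext to:", decrypt(c, attacker_key))
```

For n = 3233 the first candidate a = 2 has order 780 but 2**390 is congruent to -1, so the reduction moves on to a = 3 (order 260), whose square root of 1 yields the factors 61 and 53. Everything after `find_order` is ordinary arithmetic; that is why a quantum computer that can only do order finding is enough to break RSA, and why the symmetric half of cryptography, which has no such structure to exploit, is affected far less.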
There is a race amongst technology giants like Google and IBM to build a practical quantum computer. While it is estimated that it will take at least 15 years before practical quantum computers can break current algorithms like RSA, a large body of work is already developing algorithms that are ‘quantum resistant’ (also called post-quantum cryptography).
Quantum computing has the potential to upset the current state of cryptography, significantly diminishing the security of many currently used public-key algorithms. Although it is estimated that we are still some way from building practical quantum computers at scale, it is a problem that CISOs as well as CIOs need to be aware of. This is a rapidly evolving field with new breakthroughs announced frequently. The fact that NIST is running a formal process to evaluate and standardise quantum-resistant algorithms itself signifies that developments in this area need careful monitoring and could affect future spending decisions.
One thing that is certain, however, is that there will be a significant impact on current applications and products that rely on existing algorithms, because swapping them for new standards is going to be expensive and messy. Two practical consequences follow. First, data that must stay secret for many years is at risk today, not only once a quantum computer exists: an adversary can record encrypted traffic now and decrypt it later (‘harvest now, decrypt later’). Second, organisations should start by inventorying where public-key algorithms are used (TLS, VPNs, code signing, certificates, key exchange in protocols) and designing systems so that an algorithm can be replaced without rewriting the application, a property known as crypto-agility.