Cybercrime: Citizens are at risk

“Crucial data pertaining to accounts and finance of State Forest Department of Kerala, India was ‘locked’ by unidentified hackers in mid-March “ Reported by The New Indian Express in September 2016

“Reports show that Indian organizations are the third most attacked in the Asia Pacific region. While ransomware attacks declined this year, the attacks are becoming more targeted”  Reported by CISO Magazine eccouncil.org on September 8, 2021

“Tamil Nadu Government Hit By Cyber Attack For Second Time This Year “ Reported on SEPTEMBER 18, 2021, by The Hindu, The New Indian Express, and many other news agencies.

What is a Ransomware attack?
Ransomware is a cyberattack on individual systems or computer servers that uses malicious software to encrypt the entire data. Once affected, the attacker asks for a fee to decrypt the data back to its original state. The below picture is an actual screenshot of such an attack where the computer screen shows a banner to pay money in cryptocurrency (Bitcoin). A deadline will also be mentioned in the banner else the files will be lost forever.

The picture above shows an example of a computer after affecting the ransomware attack. All you get is this banner while login in to the system. Only after the ransom payment, the files will be back to you after decryption.

Why common man should be worried?
More and more departments in governments are moving in the ‘Digitization ‘direction. This makes things easy for citizens as well as employees in government services to serve citizens faster, transparently and try to avoid the so-called ‘red-tapism ‘to a certain extend.

Cyber attacks are not only targeted at large corporations. It can also aim at individuals as well as the government sector equally. Here lies the real threat to citizens. What if data related to the land registration department is hacked and tampered with, encrypted, or destroyed? What if a government employee’s employment history details are hacked? What if my electricity, vehicle registration, any personal identity information stored are all gone one day due to a cyber-attack? The outcome will be disastrous beyond what we think and imagine.

Most of the cyber-attacks mentioned at the beginning of this article happened due to poor management of the computer systems. Old and vulnerable versions of operating systems, obsolete technologies, poor infrastructure and governance, weak and shared passwords, the autonomy of employees to use any software in the personal computers inside the organization like WhatsApp for Desktop, freeware tools, and mails. Lack of awareness of government employees on cyber threats including phishing attacks and many more. Despite Private organizations spending millions of dollars every year to secure their internal systems, there are threats and data breaches happening across the world. A recent cyber-attack happened in the largest fuel pipeline company – Colonial Pipeline in the US on 29th April 2021. The cybercriminals gained entry to their networks via VPN. It was a Ransomware attack, the company has reportedly paid 4.4 million dollars to get back the data stolen by the Russian hacker group – DarkSide. How many local government departments can afford such an amount to cybercriminals in case of similar incidents happening in this country?

Can IT policies and privacy laws help to protect our data?
We have the National Cyber Security Policy – 2013 which very comprehensively covers all aspects of cyber security from an implementation perspective. But how many government organizations within central and state governments diligently follow and implement these guidelines mentioned in this policy?

We also have The Information Technology ACT, 2000 (amended in 2006 and again in 2008), which clearly defines the cybercrimes and punishments viz civil ( penalty ) and criminal ( penalty and imprisonment)  under various sections. This is a primary law dealing with cybercrimes that applies to India and Indian citizens engaged in any cybercrimes.

Will these laws prevent the occurrence of cybercrimes in India? The answer is NO. For example, Section 378 in The Indian Penal Code defines theft as “taking of a person’s property without the consent of the owner” and it is a criminal offense. Will this law alone in IPC prevents theft in the country? If the ‘owner ‘provides ‘opportunities’ and it will be easy for the thief to barge into the property. The same applies to cyber laws as well. With proper governance and frameworks, government organizations can prevent cyberattacks to a larger extend. But the cyber breaches that happened recently show that these systems are critically vulnerable and there should be mandatory enforcement of the available National Cyber Security Policies for all state and central government agencies, those storing and processing critical citizen-related information.

Conclusion
Cybercrimes can happen at any point in time. It can also be targeted and organized by threat groups from other countries. Our local laws will not help to punish such criminals who are from other countries. Even an expert cybercriminal from India can use tools to hide the identity which will be difficult to trace.

The only thing government can do is enforcement of the available policy which is the National Cyber Security Policy. Implementation of the framework is one part of it. Periodic auditing by certified cyber security auditors and reporting to the higher-ups for implementing corrective actions is another aspect of good governance.

Employees bring considerable risks to the organization – if they are not being educated on cyber threats and consequences. Password sharing, using common passwords, installing social media applications on desktops, clicking unknown links, downloading unapproved applications are some of the common issues in every organization. Government employees should be sensitized periodically on these topics.

The recent Tamil Nadu government ransomware attack was due to the usage of older versions of Windows operating systems. If government organizations are least bothered about software version management, cyber-attacks are going to be an everyday affair. Prevention is better than cure.

The National Cyber Security Policy – 2013,  clearly articulates the need for a national nodal agency, Chief Info Security Officer for private and public organizations in India, and even certifications and best practices like ISO 27001 ISMS certifications, Security testing, and vulnerability assessments. Execution and enforcement are the areas that India needs to focus on to protect citizens’ as well as the government’s critical data.
CT Bureau