28 June 2019

Digital India's response readiness against cyber attacks is frail, lack of online security awareness biggest weakness


News of USA mounting targeted cyber war against Iran was widely reported last week. While results of this attack are yet unknown, attack on systems of Riviera Beach, a suburb of PalmBeach County, in Florida, USA, has had a devastating effect. Almost all municipal systems of the city council and emergency response systems were rendered inoperative due to the attack. Ransom amount was demanded by the hackers. And the unfortunate news is, Riviera Beach city council, last week, agreed to pay almost $600,000 ransom to the cyber-criminals.

This incident follows a similar attack and subsequent pay-out of $400,000 by Jackson County, Georgia this March. Such payouts by cities of the world’s most technologically advanced country are indeed worrisome for any country making major use of digital resources. India can be no exception.

Digital India needs response readiness for cyber attacks

With a major push towards digital economy in India, its time our response readiness regarding cyber attacks is looked into. The real-world response to terrorist attacks is on familiar lines. Terrorists are confronted and in most cases eliminated by trained commandos.

India has been aggressive in responding to such attacks. Ransom demands though made are rarely acceded to. However, in case of cyber attacks, internationally the response in most cases has been one of abject surrender. In India too, such cases have been reported in private companies. Ransom, if paid, has been a closely guarded secret.

One of the excuses cited for such a meek response is that reconstructing systems is far more costly than getting them back to life by paying the ransom. Since upfront reaction may not be a possibility in cyber-world as data has already been compromised, most responses have to be preventive rather than reactive.

Lack of cyber security awareness is the biggest weakness

One of the main weaknesses in preventive measures has been the lack of awareness about cyber-security among the users. In the case of Riviera Beach, it was an accidental opening of an attachment in an email which led to spreading of the attack. While the ransom was paid there is no news yet about possible action against the person who opened the infected email attachment.

Contrast this with a real-world case of accidental mishandling of firearms or ammunition. Such acts in most parts of the world are defined in the country's penal code and the culprit is punished for such rash and negligent acts. This, however, is yet to happen for negligent acts in the cyber world. In absence of any chance of punitive action, most people are casual about handling electronic media and software. This will change once these acts are covered with a suitable amendment in the penal code.

Ransomware.
The need to regulate roles of software developers

Besides lack of awareness among users, another area where preventive measures will be of great help is in regulating the role of developers of software and software product companies.

Quite a few of these companies have been pushing software with glaring vulnerabilities ready to be exploited by cyber-criminals. These loopholes have been helping cyber-criminals in furthering their activities and demanding ransoms.

In a real world scenario, if a car manufacturer provided a car, which had a mechanical defect and it caused injuries to several people, such car manufacturer will surely be brought to book under existing laws. Unfortunately, this doesn’t happen in the cyber world. If the software developers and the companies releasing such exploitable software were to be held criminally accountable, such wanton development and distribution of vulnerable software will stop. This will act as a preventive response in controlling future acts of cyber criminals.

But the irony is, alongside unaware users, irresponsible developers and software product companies, even nation states have been found wanting in protecting their cyber weapons. As per news reports, tools developed by NSA to gain access to remote computers have inadvertently landed in cyberspace. These have been used by cyber-criminals. There is, however, no news regarding punitive action having been taken for such leakages.
Mishandling of software tools must have stricter consequences

To address this issue, making and leaking of such tools needs to be regulated. These regulatory controls have to be on similar lines as those for manufacturing or mishandling of firearm or ammunition. This measure should not surprise anyone. If it is a financial loss now, very soon these cyber attacks will lead to human loss, through exploding power stations and gas turbines. But for bringing in such regulatory controls, curbing such crimes may be near impossible.

In India, IT act section 66F defines cyber terrorism. It covers offences against the state as well as against individual or a community. These acts are punishable with life imprisonment. Robust as these provisions are, they only cover dishonest and fraudulent acts. Acts of negligence, which have been the main cause of either opening an infected email or producing vulnerable software, also need to be deterred with stringent punitive measures. Similarly, strict regulatory controls on making software tools which could be exploited against the state or individuals need to be added to existing measures.

Any delay in implementing these is surely going to be catastrophic. Absence of such measures have led to a flourishing cybercrime economy. A 2018 study commissioned by Bromium pegged the cyber economy close to $1.5 trillion. Out of this $1 .5 Trillion, ransomware accounted for $1 Billion.

With the current payouts by the cities in the USA, these figures are bound to rise in 2019. If this has to be stemmed, punitive and regulatory measures both for individuals as well as corporate entities appear to be the only solution. In absence of these measures, while cyber attacks by countries against one another will continue to make international news, ransom payouts to cyber-criminals will continue to silently eat away major portions of tax payer’s money.

No comments: