Securing the Indian corporate world

SUBRAMANYAM RAGHUNATH


BLOOMBERG news reported that the sales of George Orwell’s novel 1984, featuring a futuristic totalitarian state, jumped on the Amazon.com website following the Snowden storm. From the point of view of privacy, the world has changed dramatically. It wasn’t too long ago that cellphone numbers were zealously guarded. Now people lay out their life on Facebook without fear.

It is no surprise that from airport lounges to theme parks to movie theatres, tracking technologies, embedded and overhead, are everywhere, in your face and behind your back. Data – tons of it – is coming from computers, microphones, radio frequency identification readers, remote sensing equipment, and other modes. Data relating to commerce has us so agitated today because of its potential misuse. Naturally, there is a rising crescendo of suspicion and disquiet.

Researchers at IDC have determined that the quantum of global digital information from emails, Twitter posts and digital photos has risen from about 500 billion gigabytes in 2008 to almost four trillion gigabytes this year. By 2015, IDC estimates, there will be eight trillion gigabytes of material to go through, much of it from fast-growing countries with young populations like India, China and Indonesia. And, the global market for cyber security solutions may grow to $870 million by 2017, IDC adds.

The dreamers, brains and cranks who initially built the Internet hoped it would be a tool of liberation and knowledge. But most of the people who invest in the Internet are today bothered by the way it is being misused. They worry about those who may find ways to tap in. For instance, taking down vital banking systems could trigger a financial crisis. Impacting the supply of clean water or the functioning of hospitals could spark a public health emergency and the loss of electricity has the potential to bring businesses, cities and entire regions to a standstill.

Cyber criminals use bypass methods to avoid traditional sandbox detection. Since more organizations are utilizing virtual machine defences to test for malware and threats, attackers are taking new steps to avoid detection by recognizing virtual machine environments. Organizations and security providers find that they need to evolve toward more proactive real-time defences that can stop advanced threats and data theft.

 

The world may acknowledge India as an information technology superpower, but its very own official cyber security workforce comprises merely 556 experts deployed in various government agencies. Just how ‘grossly inadequate’ India’s cyber security manpower is can be gauged by the fact that China has 1.25 lakh experts, the US 91,080 and Russia 7,300. ‘The existing combined strength of cyber security experts in all organizations in the government domain is 556, which is grossly inadequate to handle cyber security activities in a meaningful and effective manner,’ says a secret note prepared by the National Security Council Secretariat (NSCS), which is engaged in creating an elaborate cyber security architecture.

Cyber security software firms in India have warned that the increasing use of mobile communication devices and an overlap of work-related and personal data will present a serious threat of data theft and other malware attacks in the coming years.

 

Bangalore is the IT capital and the most networked city in India. These proud tags that the city wears perhaps make it an obvious choice for the dubious distinction of also topping the national charts when it comes to cyber crime. The detailed crime statistics for 2012, published by the National Crime Records Bureau (NCRB) in its report, Crime in India – 2012, reveal that Bangalore alone accounts for 24.4 per cent of cyber crimes booked under the IT Act among 53 ‘mega-cities’ across India. With 342 cases booked in 2012, up from 117 in 2011, the city outstrips Visakhapatnam (153), which is in second place. Interestingly, the numbers are more modest when it comes to cyber crimes booked under provisions of the IPC – only seven compared to 72 in Mumbai.

The NCRB city-wise list includes crimes recorded in our megacities (with a population of over 10 lakh). State-wise, Karnataka stands second, behind Andhra Pradesh. However, Bangalore accounted for a majority of the cases, with around 83 per cent of the cases being booked here. But, while the number of cases booked reveals high awareness levels in the tech city, as the police are quick to point out, the statistics on the number of arrests paint a much more subdued picture of law enforcement.

Karnataka lags behind at least five states in terms of the number of arrests in cyber crime cases, and Bangalore city records just above half the number of arrests made in Visakhapatnam. More detailed figures provided show that 22 of the total 38 arrests made in Bangalore over the year involved people aged between 18 and 35. The detailed break-up on the types of cyber crimes booked here is also revealing. While ‘greed/money’ and ‘fraud/illegal gain’ mainly account for the motives listed, a majority of offences recorded come under the hacking category. In fact, 323 of the 412 crimes recorded under the IT Act or the Indian Penal Code in Bangalore fall under two heads: ‘loss/damage to computer resource’ and ‘hacking’.

 

Despite the country’s reputation of being an IT and software powerhouse, India had reported 13,301 cyber security breaches in 2011. One of the biggest cyber attacks that the country faced occurred on 12 July 2012 when hackers penetrated the email accounts of 12,000 people, including high officials from the Defence Research and Development Organization (DRDO), the Indo-Tibetan Border Police (ITBP), the Ministry of Home Affairs, and the Ministry of External Affairs.

India’s cyber security defences are not strong. In January 2012, for instance, National Technical Research Organization officials alerted the Airports Authority of India (AAI) to serious vulnerabilities in its cargo management system at Chennai, Coimbatore, Kolkata, Amritsar, Lucknow and Guwahati airports. Weak passwords and outdated operating systems were the main problems. These six airports handled 311,000 metric tons of international cargo in 2010/11. A single day’s disruption would have sent 853 tons of cargo to the wrong destination. The economic impact would have been immense had the systems been penetrated by unscrupulous elements.

Companies such as the Kolkata-based ITC have suffered cyber attacks. According to a July 2012 report by Bloomberg, Chinese hackers possibly had access to ITC’s network for a year. It also said cyber thieves hacked into the computer of ITC Chairman Y.C. Deveshwar’s personal assistant and stole several documents, including tax filings.

 

In 2007, the IT team of a Chennai-based drug maker detected heavy traffic on servers connected to its research lab. The company was developing an anti-asthma molecule, and it suspected that a hacker was stealing research data. Unable to trace the hacker, the company approached Mahindra Special Services Group (MSSG), a security consulting firm, part of the Mahindra and Mahindra group. MSSG experts placed a dummy file containing a virus on the company’s R&D folder that appeared to contain research data. When the hacker returned, he went straight for the dummy file and he was traced using the virus. The hacker turned out to be a 29-year-old Chandigarh resident who was hired by a rival drug maker. Experts say India remains highly vulnerable to cyber attacks on its critical infrastructure.

In India, we’ve seen high profile cases, such as the Ashokintegrix IP address case, India’s first John Doe case in IT litigation; the Arif Azim case, India’s first cybercrime conviction; or Bazee.com, Karan Baharee and Mphasis, which demonstrated the utter inadequacy of existing cyber laws to deal with data theft.

A perusal of the Information Technology Act 2000 (see box) shows that it is not a data protection law; it is merely an e-commerce enabling law, which also addresses a couple of other issues. White collar crimes and financial frauds are on the increase in India. By their very nature these high profile crimes affect the corporate sector. Indian companies also face increased levels of corporate, financial and technological fraud.

 

With a growing dependence on information and communication technology (ICT) for various corporate functions, corporate systems and corporate assets are exposed to diverse forms of cyber attacks. They face a growing threat from malware attacks, phishing attacks, ATM frauds, online banking threats, trading fraud, among others.

In the coming years, private companies will matter greatly in India’s critical infrastructure as they control more and more assets in telecom, transport, energy, and banking and finance.

As data becomes the largest corporate asset, its theft or siphoning has assumed epidemic proportions in India. Advocate Prashant Mali, a cyber law expert, lists some cases in an article in the magazine PC Quest.

 

Case 1: Purchase manager of textile company arrested for stealing customer contacts. Two employees of a textile shop were arrested for stealing important data. One of them was the purchase manager who downloaded customers’ contacts and other important data from his shop computer to his mobile phone and sent it to his friend. The shop management accused the manager’s friend, an employee of a rival textile business, of sending offer messages to lure customers. The textile shop claimed that this fraud had adversely affected their business.

Case 2: BU head steals 1.5 lakh customer records. In Mumbai, the business head of a pharmaceutical call centre was arrested for stealing confidential electronic data of 1.5 lakh clients and selling it to a rival firm online for Rs 50,000. He, along with his customer care executive, committed the crime to earn quick money because they were dissatisfied with their salary.

Case 3: An ex-director and two others charged with cheating and data theft. The top three former officials of a pharma firm in Mumbai stole data that belonged to their previous employer. They were arrested by the police and charged with cheating and data theft under the Information Technology Act. The three arrested were an ex-director, a former general manager and an ex-manager.

Cyber crime is not defined in the Information Technology Act 2000, the IT Amendment Act 2008 or in any other legislation in India. Offences and crimes are dealt with elaborately, with the various acts and the punishment for each listed, under the Indian Penal Code, 1860 and quite a few other pieces of legislation.

The Information Technology Act 2000 was made effective from 17 October 2000. The act essentially deals with the following issues: legal recognition of electronic documents; legal recognition of digital signatures; offences and contraventions; justice dispensation systems for cyber crimes.

Being the first legislation in the nation on technology, computers, e-commerce and e-communication, the act was the subject of extensive debate, elaborate review and detailed criticism, with one arm of the industry criticizing some sections of the act as draconian and the other calling it too diluted and lenient. Thus, in 2003-04, a need to amend it was expressed. The consolidated amendment called the Information Technology Amendment Act 2008 was placed in Parliament and passed without much debate towards the end of 2008 (by which time the Mumbai terrorist attack of 26 November 2008 had taken place). This amended act received the President’s assent on 5 February 2009 and was made effective from 27 October 2009. Some of the notable features of the ITAA are as follows: a focus on data privacy; a focus on information security; defining cyber café; making digital signature technology neutral; defining reasonable security practices to be followed by corporates; redefining the role of intermediaries; recognizing the role of the Indian Computer Emergency Response Team; inclusion of some additional cyber crimes like child pornography and cyber terrorism; and authorizing an inspector to investigate cyber offences (as against a Deputy Superintendent of Police earlier).

 

Case 4: Travel portal charges rival’s CEO for stealing data. Two CEOs, from different travel portals, were arrested after being questioned by Gurgaon police. The charges of data theft were levelled against them by a rival online travel company. This company accused the CEOs of conniving with senior executives to pilfer data, which the company alleged had led to huge business losses.

Case 5: Hospital fires business development manager for diverting customers to rivals. A reputed multi-speciality hospital in Gujarat was offering attractive packages to foreign patients. The main link was the hospital’s website, which generates a majority of the business as the hospital staff handle queries, offer and negotiate hospitalization expenses and also provide round-the-clock online services. One day the hospital authorities realized that the traffic to their site had suddenly dropped. Apart from routine patients, others were just not turning up. This actually started happening after the hospital fired its business development manager. Apparently, he had access to emails from patients, and was diverting them to other hospitals. He even offered them competitive packages from these hospitals using the existing database of inquiries.

 

Data is a corporate asset. It is an important raw material for brick and mortar companies, BPOs, technology and IT companies. Data has also become an important tool and weapon for corporates to capture a larger market share. Due to the importance of data in this new era, its security has become a major issue with industry. The theft and piracy of data is a threat faced by IT players, who spend millions to compile or buy data from the market. Their profits depend on the security of their data.

The Reserve Bank of India (RBI) had earlier constituted a working group on information security. On its recommendations, RBI directed all banks to create a position of chief information officer (CIO) as well as steering committees on information security at the board level. But the recommendations of the RBI have still not been implemented and there is no sign that cyber security of banks has been streamlined. ATM fraud, credit card fraud, phishing frauds, and Internet banking frauds are increasing. In fact, the RBI ombudsman office is flooded with ATM fraud related complaints.

Banks need to adopt technolegal measures to prevent ATM and other similar frauds. Further, cyber due diligence training for bank employees would be beneficial. Mobile banking cyber security in India needs to be analyzed in depth. As of date we have no implementable mobile governance policy in India.

India has embarked on a massive biometric identification project to provide people with access to services of the state. But a major problem with Indian security initiatives is that India has launched various projects and initiatives without considering their cyber security aspect. This could turn out to be a bad policy decision.

Cloud adoption remains stifled by security concerns. Cloud computing uptake in the market increased 20.9 per cent from the 2011 figure to 33 per cent last year. Of these, large enterprises took up 53 per cent while SMBs made up the remaining 47 per cent, according to figures from a 2012 survey from the Hong Kong Productivity Council. But 50 per cent of companies not using cloud identified security as the main reason for their inaction. Businesses view cloud offerings as unsafe. Business leaders also have a culture of wanting to own their IT systems and not procuring from third-party vendors on demand, the survey noted.

 

Cyber criminals use thousands of networked computers (botnets) to ‘jam’ a website by directing excessive traffic to it, causing it to crash. Such attacks are often termed Distributed Denial of Service (DDoS) attacks. The expansion of cloud services and mobile networks could create additional targets for DDoS attacks. While firewalls, intrusion protection and other devices can mitigate low level attacks, large volumetric attacks can be an issue as these devices may not be able to separate legitimate from illegitimate traffic.

According to cyber law experts, it’s also important to look at data vis-à-vis the new era of cloud computing. Thanks to this new paradigm, data theft has acquired an international character. For example, systems may be accessed in USA, their data manipulated in China and consequences felt in India. The result is that different countries, jurisdictions, laws and rules will come into play, which becomes an issue in itself.

Further, the collection of evidence in such circumstances becomes another issue as investigation will have to be conducted in three different countries, all of whom may not be on talking terms, and poor technical know-how of the cops will only add to the woes. Also, a lack of coordination amongst different investigating agencies and a not-so-sure extradition process would be another headache. However, the biggest of all these issues remains a lack of specific laws in the country dealing with this crime. So even if the culprit is caught, he can easily get away by picking and choosing any of the various loopholes in our law.

 

According to some estimates, by 2015 India will require about 5,00,000 cyber security experts to cater to the growing need of securing cyberspace. While China is estimated to have 25 million cyber commandos, the number of cyber soldiers in North Korea is pegged at 15,000.

India is said to be the eighth most vulnerable country in the world with regard to cyber crime. According to government data, in just the last five years, as many as 774 government websites were hacked. The attacks appeared to have emanated from Australia, Bahrain, Brazil, Egypt, Germany, Indonesia, Lebanon, Libya, Morocco, Pakistan, Saudi Arabia, among others. According to data available with the Indian Computer Emergency Response Team, the defacement of Indian websites has almost tripled compared to 2007.

We need to understand the fact that the dependence of the economy and governance on e-banking, e-commerce, travel booking, electronic transfers and payment systems is growing. The moment we talk about growth in these areas, our first concern is whether the transactions are secure. The trust level in these systems is critical and that can only come from enhanced security.

We need a techno-legal cyber security policy in India to tackle the challenges of present cyber attacks and cyber crimes. Such a cyber security policy must consider all the aspects mentioned above in detail and ensure both offensive and defensive cyber security capabilities for India.

Although the constitution does not contain any explicit reference to a right to privacy, this right has just been read in by the Supreme Court as a component of two fundamental rights: the right to freedom under Article 19, and the right to life and personal liberty under Article 21. India is taking its first steps towards privacy regulation through a draft law based on former Justice A.P. Shah’s expert group report on privacy and data protection.

What India needs is more collaboration between private companies and educational institutions to develop talent. We need more cyber warriors and better preparation for a cyber war.

 

In a world where everyone from established behemoths to new start-ups is bubbling with plans to collect the most intimate data, cyber security may well be replaced by zero privacy. The law cannot keep pace with technology. Talented engineers will constantly be working to find new ways to scoop up massive amounts of information which companies may previously have regarded as private and confidential. The future policy and debate needs to be about how, and whether, the legal framework relates to technology; how authority is granted; who has access to material; and how scrutiny can be meaningful. It will also need to ask about the outsourcing of highly sensitive intelligence to corporations. There is much to discuss. The policy requires wisdom and a willingness to tread a unique Indian path.
