Insights into Editorial: Reporting cyber attacks – INSIGHTSIAS


 

Context:

The Ministry of Electronics and Information Technology is likely to come out with new cyber security regulations, as indicated by the Minister of State at a recent cyber security event.

The essence of this regulation will be to put the onus on organisations to report any cyber crime that may have happened against them, including data leaks.

Clause 25 in the Data Protection Bill 2021 says that data fiduciaries should report any personal and non-personal data breach incident within 72 hours of becoming aware of a breach.

Even the gold standard for data protection, namely the European Union General Data Protection Regulation (EU GDPR), has a clause for reporting data breach incidents within a stringent timeline.

 

Security breaches: why do breach incidents continue every minute?

  1. According to Cybercrime Magazine, if it were measured as a country, then cyber crime, which is predicted to inflict damages totalling $6 trillion globally in 2021, would be the world’s third-largest economy after the U.S. and China.
  2. Apart from private firms, government services, especially critical utilities, are prone to cyber attacks and breach incidents.
  3. The ransomware attack against the nationwide gas pipeline in 2021 in the U.S. virtually brought down the transportation of about 45% of all petrol and diesel consumed on the east coast.
  4. Hence it is important that even cyber attacks on government and state-owned enterprises be reported so that corrective actions can be taken on the security of critical infrastructure of the nation.

 

Concerns regarding Cyber-attacks:

Cybersecurity is a complex issue that cuts across multiple domains and calls for multi-dimensional, multilayered initiatives and responses.

It has proved a challenge for government because:

  1. Different domains are typically administered through siloed ministries and departments.
  2. The inchoate and diffuse nature of the threats and the inability to frame an adequate response in the absence of tangible perpetrators make policy formulation a difficult task.
  3. Private companies and banks do not regularly report cyber attacks to government organizations.
  4. There is a lack of awareness among the common people about cybersecurity, hence they fall prey to the attempts of hackers.
  5. Frequent cyberattacks erode the trust of customers in digital platforms and hamper India’s dreams of becoming a cashless economy.
  6. Growth in online radicalization is another area of concern. Cyberspace has no physical boundaries for extremists and terrorists, unlike traditional warfare.

 

Regions prone to recent cyber-attacks:

  1. Asia has become the most targeted region for cyber-attacks; in fact, it is the first time Asia Pacific has featured at the top of the list.
  2. India, Australia and Japan emerged as the most attacked geographies, with ransomware as the dominant attack in India. We have a responsibility to respond and act now.
  3. In India, too, attacks have been happening with increasing frequency.
  4. India’s national airline Air India has said a cyber-attack on its data servers affected about 4.5 million customers around the world. The breach was first reported to the company in February 2021.
  5. Nearly 1.16 million cases of cyberattacks were reported in 2020, up nearly three times from 2019 and more than 20 times compared to 2016, according to government data.
  6. On an average, 3,137 cyber security-related issues were reported every day in 2020.

 

Cyber-attacks adversely affect critical infrastructure:

  1. Critical infrastructure is the body of systems, networks and assets that are so essential that their continued operation is required to ensure the security of a given nation, its economy, and the public’s health and/or safety.
  2. In recent years, attacks targeting critical infrastructure and businesses have surged.
  3. These include the 2017 WannaCry and NotPetya ransomware attacks, the 2015 attack on Ukrainian power grids and the 2010 Stuxnet attack on an Iranian nuclear reactor.
  4. Most recently, in 2020, a China-linked hacker group, RedEcho, targeted India’s power sector, ports and parts of the railway infrastructure.
  5. Recently, Russia appears to have officially declared cyberwar on the US, taking what’s been described as preliminary steps at crippling its banking system and possibly other major industries.

 

Solutions:

Measures that can address the menace of cyberattacks can be as follows:

  1. The Cyber Coordination Centre should be established at the operational level.
  2. This centre would serve as a clearing-house, assessing information arriving in real-time and assigning responsibilities to the agencies concerned, as and when required.
  3. The government should initiate a special drive of implementing best practices in the field of cybersecurity in the critical infrastructure sectors and provide necessary budgetary support for such implementation.
  4. The government should establish a mechanism for measuring the preparedness of critical sectors against potential cyberattacks such as a security index, which captures preparedness of the sector and assigns a value to it.
  5. Awareness with regard to the threat to Information and Communication Technology (ICT) infrastructure needs to be created and the necessary legal provisions to ensure cyber safety must be developed, regularly updated and effectively implemented.
  6. Cybersecurity should be regarded as an integral component of national security.
  7. Urgent attention should be given to the issues of cybercrime, cyberterrorism, cyber warfare etc.

 

Possible solutions apart from enacting rules:

  1. The first is that the government empanel third-party cyber security auditors to conduct periodic cyber security impact assessments, primarily amongst all the government departments, both at the national and State level, so that security threats and incidents can be detected proactively and incidents averted.
  2. The government can also mandate that periodic security audit reports be published by private firms and arrange to conduct surprise security audits for enforcement.
  3. As part of the Government of India’s cyber security assurance initiatives, the Ministry has set up Common Criteria Testing Laboratories and certification bodies across the country to evaluate and certify IT security products and protection profiles.
  4. These schemes can be extended towards cyber security audits and assessments as well.
  5. Much like IBM, which set up a large cyber security command centre in Bengaluru, other large firms can also be encouraged to set up such centres for protection of their firms’ assets.
  6. Such measures will also pass the muster of the EU GDPR, thereby moving India closer to the set of countries that have the same level of cyber security and data protection as that of EU, for seamless cross-border data flow.

 

Coming policy: What is the logic behind incident reporting?

  1. If incidents are reported, the Indian Computer Emergency Response Team and others can alert organisations about the associated security vulnerabilities.
  2. Firms not yet affected can also take precautionary measures such as deploying security patches and improving their cyber security infrastructure.
  3. But firms are reluctant to notify regulators of breach incidents. This is because any security or privacy breach has a negative impact on the reputation of the associated firms.
  4. An empirical study by Comparitech indicates that the share prices for firms generally fall around 3.5% on average over three months following the breach. In the long term, breached companies underperformed in the market.
  5. After one year, the share price of breached firms fell 8.6% on average, resulting in a poor performance in the stock market.
  6. So, firms weigh the penalties they face for not disclosing the incidents versus the potential reputational harm due to disclosure, and decide accordingly.
  7. The other important aspect is enforcement of the regulation and associated rules.
  8. It can be done only through periodic cyber security audits. These audits should be comprehensive enough to identify such incidents that might not have been reported by the firm.
  9. Unfortunately, the regulators in most countries including India do not have such capacity to conduct security audits frequently and completely.

 

Conclusion:

Given the future of technology under Industrial Revolution 4.0, only an integrated, whole-of-the-ecosystem approach for securing critical infrastructure will be successful.
