Thursday, November 4, 2010

Zero-Day Internet Explorer Vulnerability Exploited In Targeted Email Attacks

Symantec warns that a 0-day vulnerability, affecting stable versions of Internet Explorer, is being exploited in a sophisticated attack, which targets key people in various organizations.
The attack begins with fake emails posing as hotel reservation notifications. “About the hotel room, please take the attached list for booking [link],” part of the rogue messages read.
The link directs recipients to a page hosted on a compromised but legitimate website, which checks their operating system and browser version.
Only users running Windows XP and Internet Explorer 6 or 7 get redirected to the exploits. Others are sent to a blank page.
Successful exploitation results in a trojan being installed on the computer. The malware registers itself as a service called “NetWare Workstation” and opens a backdoor.
It reports back to the attackers and downloads encrypted files with commands from a compromised server in Poland.
“Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations,” Symantec researchers revealed.
“The files on this server had been accessed by people in lots of organizations in multiple industries across the globe,” they added.
Microsoft has confirmed the existence of the vulnerability and has published a security advisory with mitigation instructions.
“Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue.
“This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms,” Jerry Bryant, manager of response communications at Microsoft, explained.
Internet Explorer 9 Beta is not vulnerable and the company has since released a Fix It tool to help users apply the workaround until a permanent patch becomes available.
Credit: Softpedia.com News

Coping with online threats

Aparna Viswanathan
The Information Technology Act needs to make a paradigm shift, in tune with new developments in the field, in order to protect national interests.

India, as an international IT hub, needs to focus on combating the dramatic rise of virus attacks and other cyber crimes
While the IT Act legislates against crimes such as identity theft and phishing, it does not contemplate the tools of modern cyber crime

In one of the most shocking and sophisticated cyber attacks to date, hackers reportedly stole at least £675,000 from 3,000 online bank accounts in the United Kingdom recently, using a “Trojan” virus considered to be one of the most sophisticated types of malware program ever created. In an attack that is reportedly still in progress, the computer virus, known as Zeus v.3, swiped the online banking identity of victims as they accessed their accounts, and robbed accounts with a balance of at least £800 while the victims viewed fake statements online. The Zeus v.3 virus renders banks' two-step authentication procedure, consisting of one-time passcodes and ID tokens, useless because the malware, once downloaded from an advertisement on a website or from an email, lies dormant on the victim's system and records the account number and password each time the victim logs on to his or her banking website. Reportedly, more than 100,000 personal computers in Britain have been infected with various forms of the Trojan virus. The recent acquisition of McAfee by Intel highlights that security is now a fundamental component of online computing. India, as an international IT hub, needs to focus on the issue of cyber security and on combating the dramatic rise of virus attacks and other cyber crimes.
According to the latest Monthly Security Bulletin for June 2010 published by the Indian Computer Emergency Response Team (CERT-IN), the cyber security agency of the Department of Technology, Ministry of Communications and Information Technology, 690 Indian websites were defaced during the month, and CERT-IN tracked 39,600 computers that were BOT-infected. In May 2010, 831 websites were defaced, and CERT-IN tracked 2,116,482 BOT-infected computers in India (as per its bulletins for May and June 2010, http://www.cert-in.org.in). A BOTNET is a parasitic program that hijacks a network and makes other computers act on its instructions. The computers that are thus controlled are known as “zombies” and are key tools in cyber warfare. In other words, as of May 2010, over two million computers in India had been taken over by an external controller and were available to carry out attacks, including acts of cyber-terrorism.
As per CERT-IN monthly bulletins, during the first six months of 2010 a total of 768 security incidents were reported to CERT-IN by national and international agencies. Of these, 259 related to phishing, which is the criminally fraudulent process of masquerading as a trustworthy entity in an electronic communication in order to acquire sensitive information such as usernames, passwords and credit card details. Approximately 141 incidents involved a virus or worm under the malicious code category (malware such as Zeus v.3). The rest involved unauthorised scanning, spam and so on.
While these figures provide evidence of the menace of cyber crime, a report titled “Shadows in the Cloud: Investigating Cyber Espionage 2.0” published by two Canadian researchers at the Munk School of Global Affairs at the University of Toronto, in April 2010, has revealed a sustained campaign of cyber attacks waged against India. The report, by John Markoff and David Barboza, exposes how an India-focussed spy-ring based in Chengdu, People's Republic of China, made extensive use of Internet services such as Twitter, Google Groups, Blogspot, blog.com, Baidu Blogs and Yahoo! Mail to automate the control of computers in India once they were infected. The revelation of the Shadows report is that a vast majority of the compromised computers are in India (see “Shadows in the Cloud: Investigating Cyber Espionage 2.0”, Joint Report: Information Warfare Monitor, Shadowserver Foundation, April 6, 2010, page 30). The report analyses how the attackers leveraged multiple redundant cloud computing systems, social networking platforms and free web-hosting services in order to maintain persistent control while operating the core servers located in China.
The Canadian investigators found that the Internet spies had stolen classified documents from the Indian government and reports from Indian military analysts and corporations, as well as documents from agencies of the United Nations and governments. The documents stolen were marked “Secret,” “Restricted” and “Confidential.” These included encrypted diplomatic correspondence. Two of the documents were marked “Secret,” six as “Restricted” and five as “Confidential.” According to the ‘Shadows' report, the documents contained sensitive information taken from a member of the National Security Council Secretariat concerning assessments of the security situation in Assam, Manipur, Nagaland and Tripura, as well as concerning Naxalites and Maoists. The documents contained confidential information taken from Indian embassies regarding India's international relations with, and assessments of, activities in West Africa, Russia/Commonwealth of Independent States and West Asia, as well as visa applications, passport office circulars and diplomatic correspondence.
Outdated Act
However, despite evidence of increasing cyber crime in India, the Information Technology Act, 2000, even as amended in February 2009, remains an outdated and insufficient tool to effectively protect the nation from a cyber onslaught. The offences introduced in the 2009 amendments involve sending offensive messages through a communication service; dishonestly receiving stolen computer resources; identity theft; impersonation — phishing, and violation of privacy.
While, laudably, the amended Act legislates against the growing menace of identity theft, phishing and violation of privacy, it does not even contemplate the tools of modern cyber crime. For example, the 2009 amendments to the Act introduced two provisions concerning offences listed in Section 43. One of these (‘i') concerns destroying, deleting or altering any information residing in a computer resource or diminishing its value or utility or affecting it injuriously by any means. Another (‘j') concerns stealing, concealing, destroying or altering or causing any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage.
However, modern means of cyber warfare such as BOTNETS or key-loggers are not intended to destroy, delete or alter information residing in a computer resource or to steal computer source code. Instead, BOTNETS take over a computer so that it can be used by an external controller. Modern cyber crime is not focussed on stealing source code or information in a computer but on using the computer itself as the instrument to commit a crime.
Another major tool of cyber warfare is the key-logger, a software program or device designed to monitor and log all keystrokes. The key-logger software/device scans computers and their processes and data the moment a person strikes a key on the keyboard. This information is carried over to an external controller. Key-loggers are intended not to steal source code or information but to record the data input into a computer, to be used for financial fraud.
The IT Act defines “computer network” in Section 2(j) as the “interconnection of one or more computers or computer systems or communications device through the use of satellite, microwave, terrestrial line, wire, wireless or other communication media, and terminals or a complex consisting of two or more interconnected computers or communication device whether or not the interconnection is continuously maintained.” The 2009 amendments added the specific reference to “wire and wireless.”
Section 43 of the IT Act prohibits the introduction of a virus into a computer, computer system or computer network. However, it is unclear whether the posting of a virus on a website would attract this provision as the IT Act is still framed in the language of computer resources, based on the thinking of the 1970s and 1980s. Since the turn of the century, the Internet has become the space to be regulated, not computers. The IT Act does not even mention the Internet.
The IT Act needs to make a paradigm shift: away from the earlier concern with hacking of computers to steal source code and information, and towards not only the modern Internet age but Web 2.0, where the weapons of cyber crime are designed to elicit online banking passwords, PINs and other confidential information from consumers as and when they access their online accounts, and where a Chinese cyber war against India is already under way.

How to Avoid Online Security Threats And Online Frauds

Difficulty: Moderate


Instructions

Things You'll Need:

  • Knowledge from this article, a few precautions and lots of commonsense.
  1. Phishing is one of the most damaging online security threats in recent times. Basically it involves an attempt by a fraudster to extract confidential information from an innocent victim. In most cases the fraudster constructs a clone site that looks very similar to the web page of a bank or other financial institution. The victim is urged to click a link in an email to access his or her financial account. The link actually leads to a clone web page that captures the victim's confidential login information. Once this happens, the fraudster uses the information to log into the victim's actual financial account, and the funds in the account are then syphoned out. You should never click a link to access your bank account, credit card account or any other financial account. Open a fresh browser window and type the full address of the website yourself; this is the safest way.
  2. You could receive a fraudulent email telling you that you have won a million-dollar (possibly more) lottery prize! Do not fall for this gimmick: the fraudster will tell you how close you are to becoming a millionaire. In most cases, you will be asked to pay a few thousand dollars for various fees and legal expenses. The truth is that there is no lottery and no prize money. Once you part with a few thousand dollars, the fraudster disappears and preys on the next victim.
  3. Emails are often received from fraudsters claiming to have free access to millions of dollars. The message goes on to say that all that is required for you to get a hefty share of the money is to act as an agent in moving the funds. All you need to do is pay a few tens of thousands of dollars, and your returns could be in the range of five million to 20 million dollars! This is another fraud that you should keep away from; you will never see a single dollar come your way. The fraudsters are based in countries where the legal system operates like a fish market, so no legal recourse will be available to you.

Tips & Warnings
  • If you are an online buyer, keep updated regarding various security threats. If you are a seller, try to educate your buyers. Do not fear that awareness would keep buyers away from online buying. A well-informed buyer can avoid most online security threats by taking a few simple precautions. Pass this information to as many people as possible; it will help us create a safer Internet environment in which buyers and sellers can benefit.
  • Do not click on links in emails to open important websites. Do not forget to call your bank or credit card company if you fear that your security has been compromised. Spread the information regarding online security threats to as many people as you can.
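The clone-site phishing described in step 1 relies on an email link whose visible text names the bank while the actual `href` points somewhere else. The following check, an added example that is not part of the original article, parses an HTML email and flags links that display or embed the trusted bank domain but resolve to a different registrable domain. The sample email body and the bank domain `example-bank.com` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: the first link shows the bank's address as its
# visible text but its href leads to a look-alike host under another domain.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://secure-login.example-bank.com.evil.test/verify">https://www.example-bank.com/login</a>
<p>Or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list is used,
    so multi-label suffixes such as co.uk are approximated)."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html, trusted_domain):
    """Return hrefs whose visible text or hostname claims trusted_domain
    while the link actually resolves to a different registrable domain."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) == trusted_domain:
            continue  # genuinely points at the bank
        text_host = urlparse(text).hostname if text.startswith("http") else None
        claims_trusted = (text_host is not None and registered_domain(text_host) == trusted_domain)
        if claims_trusted or trusted_domain in host:
            flagged.append(href)
    return flagged
```

A mail gateway or client plug-in could run this over inbound HTML before rendering; the same logic applies when the bank name is embedded as a subdomain of an unrelated host.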