MillenniumPost
In Retrospect

At the crossroads

AIIMS cyberattack should serve as a wake-up call for India to claim its stake in the emerging high-potential cybersecurity solution market, failing which it'll fall prey to the fast-increasing cyber threats


The computer servers of India's premier medical institute — All-India Institute of Medical Sciences (AIIMS) — were hacked for the first time on November 23. The hackers had targeted five servers of AIIMS out of 100. The data from these five servers have been retrieved, the hospital said. A case of extortion and cyber terrorism was registered by the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police two days later. However, police denied any ransom demand being made to the hospital. Delhi Police in a statement had said that "no such demand has been brought to the notice of AIIMS administration", reported News 18.

The government's analysis has traced the source of the cyberattack to Chinese hackers. On December 16, the government informed Parliament that nearly 1.3 terabytes (TB) of data were encrypted in the recent attack, and a cyber-crisis management plan was put in place to prevent public institutions from being targeted, reported Economic Times.

It is reported that the initial probe has found that the IP addresses of two emails — 'dog2398' and 'mouse63209' — which were identified from the headers of files that were encrypted by the hackers, originated from Hong Kong and China's Henan province. Multiple agencies, including the Indian Computer Emergency Response Team (CERT-In), are investigating the cyberattack that is feared to have compromised the records of nearly 3-4 crore patients, including high-profile political personalities. The targeted servers were infected with three ransomwares: WannaCry, Mimikatz, and Trojan. According to a report by Indian Express, CERT-In and DRDO's Centre for Artificial Intelligence and Robotics (CAIR) found that five servers of the National Informatics Centre (NIC) had been infected with ransomware while seven servers of the computer facility in AIIMS were also infected. In 2020, approximately 82 per cent of Indian companies suffered ransomware attacks. In 2021, the impact of ransomware activity in India drove the cost of recovery from approximately USD 1.1 million in 2020 to USD 3.38 million in 2021. According to official estimates, in 2021, ransomware attacks increased by 120 per cent.

Increasing cyberattacks

The number of successful cyberattacks in India has been growing almost on a monthly basis. In 2021, India recorded well over 3,000 victims of cybercrimes, right behind the United States, the United Kingdom, and Canada, which rank first, second, and third, respectively.

In 2019, the total number of cybersecurity incidents tracked by the Indian Computer Emergency Response Team (CERT-In) was 3,94,499. The number spiked to 11,58,208 in the year 2020, and further increased to 14,02,809 in 2021. This year, as many as 6,74,021 cybersecurity incidents were reported till June 2022. As per a report by Tribune India, on December 1, cyberattackers briefly hacked the Ministry of Jal Shakti's Twitter handle.

In February 2022, Air India experienced a major cyberattack that compromised approximately 4.5 million customer records. Passport, ticket, and some credit card information was compromised. The breach involved all information registered between August 26, 2011, and February 20, 2021.

It is also reported that a high-profile India-based payment company, Juspay, suffered a data breach impacting 35 million customers. This breach was reported in early 2021 but had happened approximately five months earlier, in 2020. In 2021, the personally identifiable information (PII) — names, mobile phone numbers, emails, dates of birth, and more — of over five lakh Indian police personnel went up for sale on the dark web. In 2018, 1.1 billion Indian Aadhaar card details were leaked, making it one of the most massive data breaches in India. UIDAI released the official notification about this data breach and mentioned that around 210 Indian government websites were hacked.

Unfortunately, it is suspected that the Indian state itself used the surveillance software Pegasus, allegedly bought in 2017, to spy illegally on journalists, activists, and political opponents. Pegasus is an Israeli cyber weapon capable of hacking a target's smartphone, extracting its contents, and turning on the device's microphone and camera. In response to cases lodged by several Indian journalists and activists, India's Supreme Court has ordered an independent inquiry into whether the government used the surveillance software Pegasus to spy illegally on journalists, activists, and political opponents, reported The Guardian.

Legal framework

Newspaper reports state that after receiving a complaint from AIIMS, the IFSO unit of Delhi Police has registered an FIR under IPC section 385 (putting a person in fear of injury in order to commit extortion), and sections 66 and 66-F of the IT Act. The Delhi Police has written a letter to the Central Bureau of Investigation (CBI), seeking details on Chinese hackers through Interpol.

There are various definitions of cyberterrorism. For example, Black's Law Dictionary defines cyberterrorism as the act of "making new viruses to hack websites, computers, and networks" and the US Federal Bureau of Investigation defines cyberterrorism as a premeditated attack against a computer system, computer data, programmes, and other information with the sole aim of violence against clandestine agents and sub-national groups. In India, section 66F of the IT Act defines 'cyberterrorism' as all those acts by any person with an intent to create a threat to the unity, integrity, sovereignty and security of the nation or create terror in minds of people or section of people by way of disrupting the authorized access to a computer resource or getting access to a computer resource through unauthorized means or causing damage to a computer network.

The Information Technology Act, 2000, also known as the IT Act, was enacted by the Indian Parliament. It is the most important law in India dealing with cybercrime and e-commerce. This Act is based on the United Nations Model Law on Electronic Commerce, 1996 (UNCITRAL Model), which was suggested by the General Assembly of the United Nations by a resolution dated January 30, 1997. The main objective of this Act is to enable lawful and trustworthy electronic, digital and online transactions and to alleviate or reduce cybercrimes. Furthermore, the Information Technology Amendment Act, 2008, was passed by the Indian Parliament in October 2008 and came into force a year later. The Act is administered by the Indian Computer Emergency Response Team (CERT-In), the national nodal agency established in January 2004 for responding to computer security incidents as and when they occur.

The Information Technology Amendment Act, 2008, sought to foster security practices within India that would serve the country in a global context. In addition, the Act established the office of the Cyber Appellate Tribunal to hear appeals from any person aggrieved by an order made under the act. The 2008 act includes, among others, provisions for the following: tightening cybersecurity measures; establishing a legal framework for digital signatures; recognizing and regulating intermediaries; regulating interception, monitoring, and decryption of electronic records, cyber forensics; cyberterrorism.

Section 43 of the IPC and Section 66 of the IT Act penalize a number of activities, ranging from hacking into a computer network, data theft, introducing and spreading viruses through computer networks, damaging computers or computer networks or computer programs, disrupting any computer or computer system or computer network, denying authorized personnel access to a computer or computer network, damaging or destroying information residing in a computer etc. The maximum punishment for the above offenses is imprisonment of up to three years or a fine of rupees five lakh, or both.

Section 66A of the IT Act deals with the punishment for sending offensive messages through communication services. Any person who sends, by means of a computer resource or a communication device, (a) any information that is grossly offensive or has a menacing character; or (b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.

Legal experts are of the opinion that there exists an uneasy co-existence of cybercrimes under the IPC and IT Act. According to Vinod Joseph and Deeya Ray (2020), the term 'cybercrime' is not defined in any statute or rulebook. The word "cyber" is slang for anything relating to computers, information technology, the Internet, and virtual reality. The Information Technology Act, 2000, and the Indian Penal Code, 1860, penalize a number of cybercrimes and, unsurprisingly, there are many provisions in the IPC and the IT Act that overlap with each other. Many of the cybercrimes penalized by the IPC and the IT Act have the same ingredients and even nomenclature.

India's vulnerability

Dated cybersecurity laws: The Indian cybersecurity law is dated and it lacks teeth to combat aggressive cyberterrorists. Moreover, the country does not have a proper regulatory structure to combat sophisticated cyberattacks. This has made the country vulnerable to repeated cyberattacks. Cybersecurity laws are governed by the Information Technology Act of 2000, which was last updated in 2008. Unlike other laws, which can be updated in their own time, cybersecurity laws are obligated to keep up with the rapid changes in the industry. In India, these laws haven't been updated for a long time.

In a recent interview, the Indian IT minister said that the government was creating a regulatory structure that is built around the country's realities, and is in tune with the times. "We are creating three horizontals — telecom bill, digital India bill, and digital data protection. There will be modular regulations for specific sectors. These will be completed in 14-16 months," he added.

Spread of workspace to remote places: The driver for many of the cyberattacks in India is the ongoing digital transformation, the growth in the use of mobile and IT devices, and the increase in remote work associated with the COVID-19 pandemic. These factors have increased the available attack surface across all of the Internet of Things (IoT). Since the beginning of the pandemic, organizations in India have seen a 4,000 per cent increase in the number of phishing emails. Approximately two-thirds of these same organizations have fallen victim to cyberattacks since shifting to a remote work model.

Improper cyber hygiene: In a recent interview, Royal Hansen, VP of Engineering for Privacy, Safety, and Security at Google, said that users should be aware of the source of their software and stressed the need for adopting Supply Chain Levels for Software Artifacts, an end-to-end framework for ensuring supply-chain integrity. Terming the AIIMS incident "worrisome", Royal Hansen said such incidents would continue if proper cyber hygiene is not taken up. According to him, in the last 20-30 years, IT work has built up a lot of legacy infrastructure, including basic programmes like Fortran, COBOL and so on. These areas would have a simple vulnerability, which hackers like to exploit with ransomware, he said. "Instead of getting in and having to steal something, the hacker will just encrypt the disk and ask for ransom. It's like a very simple monetization strategy for poor hygiene in software," Hansen said. He also said that Google has been working on making algorithms ready for quantum computers, which are often used for decrypting.

Lack of serious efforts by the government: Notwithstanding cyberattacks in India tripling in the last three years, security funds have remained underutilized, reflecting the lackadaisical attitude of the concerned government agencies. According to reports, the funds meant for cybersecurity have been underutilized, with only Rs 98.31 crore used out of the total Rs 213 crore sanctioned. The Parliamentary Standing Committee observed that an amount of Rs 216 crore had been allocated at the BE (Budget Estimate) stage during 2021-22, which was reduced to Rs 213 crore at the RE (Revised Estimate) stage, and actual utilization till January 2022 had been Rs 98.31 crore only. The committee, therefore, recommended that funds for cybersecurity may be increased on a year-on-year basis to forestall any failures in this domain for sheer lack of funds, reported Tribune India.

As cybersecurity is a national protection issue, a particular amount of funds allocated during the yearly defence budget may be earmarked for the same.

Cyber-security industry

Globally, the cybersecurity industry (software, hardware, and solutions) is growing at a rapid pace. The market is projected to grow at a CAGR of 8.9 per cent during 2022-2027 to reach USD 226 billion by 2027, from an estimated USD 173.5 billion in 2022.

Rapid growth in cybercrime has given rise to a new global industry to combat this activity. A study suggests that this created an Indian market for cybersecurity services and products totalling USD 9.85 billion in 2021. The cybersecurity services industry grew from USD 4.3 billion in 2019 to USD 8.48 billion in 2021, a cumulative average growth rate of 40.33 per cent. The cybersecurity products industry grew from just USD 740 million in 2019 to USD 1.37 billion in 2021 — a very high cumulative average growth rate of 36.49 per cent. During the same period, India's cybersecurity workforce grew from approximately 1,10,000 employees in 2019 to over 2,18,000 in 2021.

Compared to India, China's cybersecurity market is huge. In 2021, the scale of China's cybersecurity market reached USD 8.64 billion, an increase of USD 1.3 billion, or 17 per cent, compared to 2020. It is believed that China's cybersecurity market has entered a period of rapid development, mainly driven by two factors — policy compliance and industrial upgrading. In 2022, China's cybersecurity market revenue is expected to reach USD 14.05 billion, with cyber solutions representing the largest market segment with a total volume of USD 9.42 billion. In a 2021 draft of its most comprehensive policy plan for the cybersecurity industry in China, the Ministry of Industry and Information Technology (MIIT) mandated that significant industries like telecommunications allocate 10 per cent of their IT upgrade budget to cybersecurity by 2023. The Chinese government anticipates the cybersecurity industry to be valued at more than USD 38.6 billion by 2023.

Conclusion

Cybersecurity is both a challenge and an opportunity for India. If properly planned, and armed with the largest pool of software professionals, India can lead the cybersecurity solution market. Nevertheless, to take advantage of this prospect, India will have to frame a comprehensive cybersecurity strategy, formulate appropriate laws and ensure the privacy and data security of its citizens. The government should also encourage the 'body shopper' Indian IT firms to develop indigenous cybersecurity software to reduce dependence on foreign suppliers for this critical component of national security.

Furthermore, the Indian government should refrain from involving global information technology companies to provide cybersecurity in the country. Unless these are done on top priority, the nation will be shattered, as the trend shows, by repeated attacks on its financial, medical, and other strategic data servers.

Views expressed are personal
