Recently, Microsoft released its Security Endpoint Threat Report 2019 that covered statistics on cyber threats and resilience around the Asia-Pacific (‘APAC’) territory. It captured data from developed and developing countries, with results showing that developing nations are more vulnerable to threats despite a fall in their overall encounter rates. APAC has a more-than-average encounter rate for ransomware and malware, that is, 1.7 and 1.6 respectively compared to the rest of the world.
In terms of cryptocurrencies and malware attacks, India recorded a cryptocurrency-mining attack encounter rate that was 4.6 times higher than the APAC and global average. Although there is a 35% (thirty percent) decrease in attacks in comparison to the 2018 report, India recorded the second-highest encounter rate in the region after Sri Lanka. India has registered the seventh-highest malware encounter rate across the region, at 5.89 percent in 2019. This was 1.1 times higher than the APAC average. The report also found that India recorded the third-highest ransomware encounter rate across the region, which was two times higher than the APAC average.
In terms of legislation, India has the Information Technology Act 2000 (‘IT Act’) under which, cybersecurity crimes that are specifically envisaged and punishable are hacking, denial-of-service attacks, phishing, malware attacks, electronic theft, and identity fraud.
There exists a set of Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (‘CERT Rules’), that establishes the Computer Emergency Response Team (‘CERT-In’) as the nodal agency responsible for the accumulation, examination, and dissemination of information on cyber incidents. Furthermore, they take emergency measures and remedies to contain such threats and attacks. Failure to adhere to CERT-In compliances may attract a fine and imprisonment under sections 45 and 70B of the IT Act. Apart from this, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (‘SPDI Rules’), which prescribe reasonable security practices and procedures to be implemented for accumulation and the dissemination of personal or sensitive personal data. There also exists the Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018 (‘Protected System Rules’), which require specific information security measures to be implemented by organisations that have protected systems, as per the guidelines prescribed under the IT Act. Moreover, India also has the Companies (Management and Administration) Rules, 2014 (‘CMA Rules’) that govern the security compliances for companies and entities against their employees, clients, and service providers. To raise criminal action against a party for an attack of ransomware or malware, one can rely on Section 43 and Section 66 of the IT Act, which defines the various categories and methods of ‘hacking’ and related activities, and its criminal liabilities respectively.
It shall be noted that India does not have any specific law that governs the usage of blockchain technologies and cryptocurrencies unlike countries such as Gibraltar. Therefore, to raise liabilities against cryptocurrencies mining attacks, one can only rely on the above laws.
Although India does have a framework in place to combat online malware, ransomware, phishing, and related threats and attacks, the numbers presented in Microsoft’s report clearly show the imminent need to identify such threats and incorporate necessary measures. This can also be seen through the recent reporting of critical cybersecurity concerns in the National Payments Corporation of India (NPCI) framework. According to a Reuters Report, government audits indicate over 40 (forty) critical security vulnerabilities in the NPCI framework. This gives way to concerns around the governance of a government-backed platform as Reuters has classified NPCI to have a “lack of awareness of risks and risk culture in the institution”.
As much as the government authorities are prepared with remedies, the users need to educate and make themselves aware of their responsible usage of the internet and its resources. Microsoft has provided guidelines for individuals and organisations to prepare ourselves against such combats and attacks.
Comments