- What are these two cases of cyber thefts?
- What is Cybercrime?
- In detail: The Kudankulam and ‘Pegasus’ case
- Issues that are highlighted by these two cases of cyber attacks
- What are the issues these two cases point out?
- Surveillance laws in India
- Who can order surveillance under the above acts?
- Surveillance laws of other countries
- Individual Privacy and Surveillance
Increasing cases of Cybercrimes in India and Surveillance issues
The two cases of cyber-attacks cast a serious doubt on the Indian state’s claims to being a legitimate power in cyberspace, both due to the vulnerability of its critical information infrastructure as well as blatant disregard for the fundamental rights of its citizens online.
In essence, the government has signalled that it has no qualms about weakening the security of civilian digital platforms, even as it fails to secure its strategic infrastructure from sophisticated cyberattacks.
What are these two cases of cyber thefts?
- On October 28, a user on VirusTotal identified a DTrack data dump linked with the Kudankulam Nuclear Power Plant, indicating that a system (or more) in the plant had been breached by malware. The Nuclear Power Corporation of India Ltd (NPCIL) confirmed the breach.
- Separately, WhatsApp sued the Israel-based NSO Group for the use of its ‘Pegasus’ spyware on thousands of WhatsApp users in the lead-up to the general elections.
What is Cybercrime?
- Cybercrime includes unauthorized access to information and breaches of a person's security, such as privacy and passwords, carried out using the internet.
- Cyber theft is a part of cybercrime which means theft carried out by means of computers or the Internet.
The most common types of cyber theft include identity theft, password theft, theft of information, internet time thefts etc.
- Identity theft is the illegal obtaining of someone’s personal information, which defines one’s identity, for economic benefit. It is the most common form of cyber theft. Identity theft can take place whether the fraud victim is alive or deceased.
There are various techniques through which data theft can be committed and personal information procured from electronic devices. These are as follows:
- Hacking: Persons known as hackers unscrupulously break into the information held in another computer system. In this method, malware such as viruses or worms diverts information from another computer system, decrypting it, to the hacker, who after obtaining the information either uses it or gives it to others to commit fraud.
- Phishing: It uses fake email IDs or messages that lead to virus-infected websites. These infected websites urge people to enter personal information such as login and account details.
- E-Mail/SMS Spoofing: A spoofed e-mail is one that shows its origin to be different from where it actually originated. In SMS spoofing, the offender steals the identity of another person in the form of a phone number and sends SMS via the internet, so that the receiver gets the SMS from the mobile number of the victim.
- Carding: Cyber criminals make unauthorized use of ATM debit and credit cards to withdraw money from an individual's bank accounts.
- Vishing: The cyber criminal calls the victim posing as a bank representative or call center employee, thereby tricking them into disclosing crucial information about their personal identity.
Internet time theft
- It refers to theft in which an unauthorized person uses internet hours paid for by another person. The unauthorized person gets access to another person’s ISP user ID and password, either by hacking or by other illegal means, without that person’s knowledge.
Intellectual property Theft
- Intellectual property (IP) theft is defined as the theft of copyrighted material, the theft of trade secrets, trademark violations, etc. Among the most common and dangerous consequences of IP theft are counterfeit goods and piracy.
Kudankulam Nuclear Power Plant Case
- An independent cybersecurity expert informed the National Security Council secretariat about a potential malware attack on the Kudankulam Plant on September 4, 2019.
- The malware used was identified as DTrack, a signature of the North Korean hacker group,
- The Nuclear Power Corporation of India Ltd (NPCIL) claimed that the malware hit a non-critical “administrative computer” that was connected to the Internet, but not to the Nuclear Power Plant Control System.
- However, there is no clear indication of what the said system contained, and whether valuable information stored in it could be harvested for more complex spear-phishing attacks against the NPCIL in the future.
The ‘Pegasus’ spyware Case in India
- On October 30, many publications reported that phones of several dozen Indian journalists, lawyers and human rights activists had been compromised using an invasive Israeli-developed malware called Pegasus.
- A lawsuit was filed against Israeli cyber intelligence firm NSO by WhatsApp and its parent company Facebook in a U.S. court in California on October 29.
- The NSO Group (the Israeli company that created the spyware) released a statement claiming that it licenses its product “only to vetted and legitimate government agencies”. This means it sells the software only to governments.
- There are a handful of agencies in India that are authorised under the Information Technology Act, 2000 to intercept, monitor and decrypt data. This brings the National Technical Research Organisation, the country’s foremost TECHINT gathering agency, into question.
- The Indian government has denied purchasing it and has asked WhatsApp to explain the security breach.
Issues that are highlighted by these two cases of cyber attacks
There are three glaring issues highlighted by these cases.
- Contrary to what the NPCIL may claim, air-gapped systems are not invulnerable. Stuxnet crossed an air gap, crippled Iran’s nuclear centrifuges and even spread across the world to computers in India’s critical infrastructure facilities. It is also not enough to suggest that some systems are less important or critical than others — a distributed and closed network is only as strong as its weakest link.
- With the Indian military announcing that it will modernise its nuclear forces, which may include the incorporation of Artificial Intelligence and other cyber capabilities, the apparent absence of robust cybersecurity capability is a serious cause for concern. If the government cannot secure even the outer layer of networks linking its nuclear plants, then there is no hope of it inducting advanced technologies into managing their security.
- The surveillance of Indian citizens through WhatsApp spyware in the lead-up to the general elections highlights once again the government’s disregard for cybersecurity. It is in line with the government’s ceaseless attempts at enforcing the “traceability” of end-to-end encrypted messages on WhatsApp. A backdoor, once opened, will be available to any actor, whether good or bad.
What are the issues these two cases point out?
- Ironically, these instances point to a weakening of India’s cyber sovereignty.
- The government comes across as incapable of protecting its most critical installations and, by rendering digital platforms susceptible to spyware, it is limiting its own agency to prosecute and investigate cybercrime.
- These incidents are also in complete opposition to the country’s claims to being a responsible power as a member of export control regimes such as the Wassenaar Arrangement.
- The possibility of such misuse of intrusion technologies is a frequent argument deployed by advanced economies to keep developing countries out of elite clubs.
Surveillance laws in India
- The surveillance as in the ‘Pegasus’ case is illegal in India.
- There are legal routes to surveillance that can be conducted by the government.
- The laws governing this are the Indian Telegraph Act, 1885, which deals with interception of calls, and the Information Technology (IT) Act, 2000, which deals with interception of data.
- Under both laws, only the government, under certain circumstances, is permitted to conduct surveillance, and not private actors.
- Moreover, hacking is expressly prohibited under the IT Act. Section 43 and Section 66 of the IT Act cover the civil and criminal offences of data theft and hacking respectively. Section 66B covers punishment for dishonestly receiving a stolen computer resource or communication. The punishment includes imprisonment for a term which may extend to three years.
- In December 2018, the Central government created a furore when it authorised 10 Central agencies, such as the Intelligence Bureau (IB), the Central Bureau of Investigation (CBI), the National Investigation Agency (NIA), the Research & Analysis Wing (RAW) and the Delhi Police Commissioner, to conduct surveillance.
- In the face of criticism that it was building a ‘surveillance state’, the government countered that it was building upon the rules laid down in 2009 and the agencies would still need approval from a competent authority, usually the Union Home Secretary.
- The 2018 action of the Union government has been challenged in the Supreme Court.
Who can order surveillance under the above acts?
- Under the IT Act, 2000, the rules state that only the competent authority can issue an order for the interception, monitoring or decryption of any information generated, transmitted, received or stored in any computer resource (mobile phones would count).
- The competent authority is once again the Union Home Secretary or State Secretaries in charge of the Home Departments.
Surveillance laws of other countries
- In the US, the government has to obtain a warrant from a court in each case and, crucially, establish probable cause to believe an electronic search is justified.
- After the 9/11 attacks in 2001, the USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act was passed. Under this Act, the U.S. government used phone companies to collect information on millions of citizens and these were part of revelations made by the whistleblower Edward Snowden in 2013.
- In October 2019, the U.K.-based security firm Comparitech did a survey of 47 countries to see where governments are failing to protect privacy or are creating surveillance states. They found that only five countries had “adequate safeguards” and most are actively conducting surveillance on citizens and sharing information about them.
- China and Russia featured as the top two worst offenders on the list.
- India is the number three worst offender because its data protection Bill is yet to take effect and there isn’t a data protection authority in place.
Individual privacy and Surveillance
- The Supreme Court, in a landmark decision in August 2017 (Justice K. S. Puttaswamy vs Union of India and Others), unanimously upheld the right to privacy as a fundamental right under Articles 14, 19 and 21 of the Constitution.
- It is a building block and an important component of the legal battles that are to come over the state’s ability to conduct surveillance. But still a grey area remains between privacy and the state’s requirements for security.
- In the same year, the government also constituted a Data Protection Committee under retired Justice B.N. Srikrishna.
- It held public hearings across India and submitted a draft data protection law in 2018 which Parliament is yet to enact.
- Experts have pointed out, however, that the draft law does not deal adequately with surveillance reform.
- If the Indian state plans to leverage offensive and defensive cyber capabilities then it needs to get serious about cybersecurity, both for its own narrow, political interests as well as those of its citizenry.
- There cannot be a piecemeal, horses-for-courses approach: “security by obscurity” for India’s nuclear power plants and cutting-edge malware reserved for spying on citizens.
- The security of a billion hand-held devices is of equal strategic value to the country’s nuclear assets. Only in this case, the government has been found wanting on the security of both.