Technology
Reporting ransomware, other cyber threats - your legal obligations
The WannaCry ransomware outbreak that continues to unravel across the globe is the latest in a long line of prominent cyber security threats. With time, these attacks are only likely to become more frequent, sophisticated and widespread.
 
The Indian IT Secretary recently stated that the impact of ransomware in India is currently limited to six incidents. In sharp contrast, other estimates peg attempts at over 48,000 and counting, with over 700 successful infections.
 
If the government figures belie (as they often do) the true impact of attacks such as WannaCry, this creates big problems for everyone.
 
For one, it delays specialised first responders like the government's Computer Emergency Response Team (CERT-In) in kicking into high gear and taking the necessary steps to prevent an online pandemic. It also creates a false sense of security in users who may not take critical steps at their level to prevent a much larger network attack.
 
An important step in ensuring the government is on the ball is reporting such incidents to the authorities -- something that may not strike most people, but is the law, and non-reporting is punishable.
 
So what qualifies as a report-worthy "incident" under law?
 
Rules relating to CERT-In's functioning classify the following instances as those which are required to be mandatorily reported as soon as possible:
(i) Targeted scanning/probing of critical networks/systems;
(ii) Compromise of critical systems/information;
(iii) Unauthorised access of IT systems/data;
(iv) Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites, etc.;
(v) Malicious code attacks such as spreading of virus/worm/Trojan/botnets/spyware;
(vi) Attacks on servers such as database, mail, and DNS and network devices such as routers;
(vii) Identity theft, spoofing and phishing attacks;
(viii) Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks;
(ix) Attacks on critical infrastructure, SCADA systems and wireless networks; and
(x) Attacks on applications such as e-governance, e-commerce, etc.
 
Most of these instances are self-explanatory, and the current ransomware attack falls within several of these categories -- (ii), (iii), (v), (vi), (vii) and (viii) all have elements of a ransomware attack.
 
If you find that you fall within one of the instances above, the next question that arises is who needs to report them and how.
 
Under the CERT-In Rules, the reporting requirement lies on "any individual, organisation or corporate entity affected by cyber security incidents" (which include the mandatory reportable incidents set out above, although the definition itself is wider). Reporting incidents to CERT-In can be through several channels (email [email protected], call the helpdesk at 1800-11-4949, or fax 1800-11-6969).
 
The website http://www.cert-in.org.in/ also provides an incident reporting form to be filled in, which must cover details such as the timing of the incident, affected systems, symptoms observed and relevant technical information.
 
If you are an enterprise user and have system administrators, the best person to carry out the reporting exercise would be the head of the team. Remember that the reporting is required as soon as possible, and a general yardstick (though not specifically set) would be within 24 hours of the incident.
 
Although a direct penalty is not provided for under the CERT-In Rules, its umbrella legislation does provide one, and non-reporting could attract one of several potential penalties (currently open to interpretation), ranging from Rs 5,000 a day or Rs 150,000 per failure, to Rs 100,000, imprisonment (yes) of up to one year, or a combination of the two.
 
Additional reporting requirements apply to "intermediaries" under the IT Act. Banks are mandatorily required to specifically report cyber security incidents to the Reserve Bank of India (RBI) within 2-6 hours (see https://tinyurl.com/moca57f and https://tinyurl.com/l5ajkqq), and telecom operators have a similar obligation under the Unified License Agreement, where a breach of a license term (such as reporting) carries a hefty fine of Rs 50 crore for each breach.
 
Finally, if you're affected by ransomware and are being asked to pay a ransom in Bitcoin to decrypt your data, beware that virtual currencies such as Bitcoin and the wallets and exchanges that enable Bitcoin transactions in India continue to function in a legal grey area, although some form of regulation is on the anvil.
 
Thus, beyond the practical problem of paying a ransom in Bitcoin and the attacker reneging on his promise to decrypt your files, making such payments, especially overseas, could result in the RBI coming knocking at your door.
 
As a long-term strategy, individuals and organisations alike would do well to adopt industry best practices relating to cyber security (whether or not they are mandated to do so by law), ensure that policies adopted in this regard are in sync with legal reporting requirements, and ensure that all relevant stakeholders are made aware of what those requirements are and how to address them in a crisis situation.
 
Disclaimer: Information, facts or opinions expressed in this news article are presented as sourced from IANS and do not reflect views of Moneylife and hence Moneylife is not responsible or liable for the same. As a source and news provider, IANS is responsible for accuracy, completeness, suitability and validity of any information in this article.


No report yet of global cryptocurrency attack in India: CERT-In
Allaying fears that after "WannaCrypt" ransomware, India will be targeted by a cryptocurrency malware attack that quietly but swiftly generates digital cash from machines it has infected, the country's cyber security unit on Thursday said India is safe from the "Adylkuzz" malware.
 
"There are no reports of this 'Adylkuzz' malware from the Indian establishments yet. Users are advised to maintain updated anti-virus software and apply patches to operating systems and applications on a regular basis," Sanjay Bahl, Director General of the Computer Emergency Response Team (CERT-In), told IANS.
 
After a massive ransomware attack exploited a vulnerability in Microsoft software and hit 150 countries, the same Windows vulnerability (MS17-010) was also exploited by another group of hackers to spread "Adylkuzz".
 
According to a report in The Register, tens of thousands of computers globally have been affected by the "Adylkuzz" attack, which targets machines, lets them keep operating and only slows them down while it generates digital cash, the "Monero" cryptocurrency, in the background.
 
"Monero" -- being popularised by North Korea-linked hackers -- is an open-source cryptocurrency created in April 2014 that focuses on privacy, decentralisation and scalability. 
 
It is an alternative to Bitcoin and is being used for trading in drugs, stolen credit cards and counterfeit goods.
 
"There is no need to panic as CERT-In publishes regular advisories and vulnerability notes on its website as well as some on Cyber Swachhta Kendra website," Bahl added.
 

Digital India must be accessible to people with disabilities
The increasing focus on digital governance and the availability of assistive technologies have proven to be both empowering and frustrating for persons with disabilities, who would number around 150 million in India. Government initiatives like Digital India are increasingly delivering basic government functions through information technologies, but many of these are still inaccessible for users with visual or other disabilities.
 
"Research has revealed that many Indian government websites, Indian government apps, and privately owned apps are completely or partially inaccessible to persons with disabilities, resulting in their exclusion. With app usage growing over 40% every year, Indians with disabilities are at risk of being excluded from society as everyday activities such as managing their finances, keeping in touch with friends, or staying in touch with their government representatives become impossible," says a press release from the Centre for Internet and Society (CIS).
 
"Digital technologies have the potential to empower every person in the world and make it a better place to live in," said Nirmita Narasimhan, of the CIS. "We just need to ensure that we put accessibility standards and universal design at the core of all technology development and use."
 
For instance, consider EPathshala. This app, created by the National Council of Educational Research and Training (NCERT), lets students, educators and parents access educational e-books and other content from their mobile phones. However, the app is completely unusable for persons with disabilities. The first screen that allows language selection is not labelled properly - only the Hindi and English buttons are correctly announced. Many of the options that are available on the screen are not labelled with text, only graphics, which a screen reader cannot parse. Furthermore, the books themselves are PDF or JPEG images, which cannot be read using a screen reader, and the reading mode available for the books is also inaccessible. 
 
Other widely used apps, such as BHIM, Ola and Swiggy, also have similar problems, effectively locking out a significant section of people from enjoying the country's digital revolution.
 
With the passage of the Rights of Persons with Disabilities Act in December 2016, India granted new rights and protections to citizens with disabilities. These include equal access to education, employment, social welfare and participation in everyday society.
 
While previous legislation such as the Guidelines on Indian Government Websites (2009) or the National Policy on Universal Electronic Accessibility (2013) also mandated equal digital access for persons with disabilities, the implementation of these policies leaves much to be desired.
 
To raise awareness around these issues, Prakat Solutions, in partnership with CIS and the Mitra Jyothi Trust, has organised the Global Accessibility Awareness Day (GAAD) on 18th May.
 
"GAAD is a wonderful initiative to foster thought-provoking conversations and drive initiatives to build inclusive software and workforce to provide equal opportunities to people from all walks of life, including the differently abled," said Anuradha Biswas, founder and CEO of Prakat Solutions. "The event focuses on bringing eminent speakers and achievers in this field and share their success stories and thoughts for making this a bigger reality."


COMMENTS

V Ramesh

6 months ago

It is not just people with disabilities who have problems coping with the digitization. There was a recent directive that PAN and Aadhar must be linked. My 91-year-old mother-in-law does not have Aadhar. After a lot of effort, we found somebody who came home and enrolled her for Aadhar (on payment, of course). It was a big effort to get her fingerprints (I understand that the fingerprints are blurry for the aged). Now, after we went to all this trouble, they exempted people over 80 years from this Aadhar-PAN linkage. The government does not think of the implications and inconvenience while passing rules.

Dinesh

6 months ago

Poor accessibility due to lack of focussed information and political will has led to social exclusion of people with disabilities, exacerbating the negative impact of the existing digital divide.
http://www.thehindu.com/opinion/op-ed/digital-push-must-be-disability-inclusive/article17763248.ece

Aditya G

6 months ago

We have a long, long, long, long, long way to go when it comes to general accessibility, never mind digital accessibility. I'm embarrassed to say this, but Indian lawmakers don't care.

For example, in America, accessibility solutions are ENFORCED by the American Disabilities Act. Every building HAS TO have a ramp to get regulatory approval. Netflix has voiceover for the blind. CNN has closed captioning in its broadcast, et al.

In India, it's very very very rare to see accessibility solutions discussed or even enforced. It's a joke. Really. Take an example of ramps -- these are easy to build but you don't even see them in railway stations for some reason. Digital accessibility is even harder to design & build. I don't harbour much hope of any tangible progress or outcome. Sure, people do talk about accessibility issues and try to raise "awareness" by using buzzwords like "inclusivity", "differently-abled" (and other cringe-worthy adjectives), but I only gawk and smell a waft of condescension. Soon everything will be forgotten, and we'd move on.

On the plus side, at least some people are talking about it. Ten years ago, no one talked about it. For the rest of us, it's just an uphill battle everyday. Something is better than nothing. So, that's some progress.

Good luck on digital accessibility. The only corporate, IMHO, serious about digital accessibility is Apple. They just released this: http://mashable.com/2017/05/17/apple-accessibility-videos-disability/#H18gmMzOxiqC

(and not everyone can afford an Apple product, so there...)
