2012-3 India case study supplement


Supplement to the 2012/3 South African Cyber Threat Barometer

India Case Study Report


Foreword

Africa is considered to be the cradle of mankind. There is evidence that some of the earliest people lived in southern Africa. The hunter-gatherer San roamed widely over the area and the pastoral KhoiKhoi wandered in the well-watered parts where grazing was available. Tribes from central Africa moved southwards into the eastern and central parts of the area known today as South Africa.

Milestones in South African history:
1652 - Dutch Settlers arrive under the leadership of Jan van Riebeeck
1795 - British occupation of the Cape
1800 onwards - the Zulu kingdom under King Shaka rises to power
1835 - The Great Trek - Dutch and other settlers leave the Cape colony
1879 - Anglo-Zulu war
1880 - First Anglo-Boer war
1899 - Second Anglo-Boer War
1912 - The African National Congress (ANC) is founded
1961 - South Africa becomes a republic
1990 - Mandela is freed after 27 years in prison and opposition groups are unbanned
1994 - South Africa's first democratic election

South Africa has journeyed through many great obstacles to become a nation whose dream of unity and common purpose is within grasp of all its people. We must not lose sight of this dream. As proud stakeholders of this great country we are now called upon to join hands in the fight against a new threat that is targeting all areas of our society - no organisation, community or child is immune to its impact.

I am referring to the scourge of cybercriminal activity that is rapidly becoming a global concern and one that we as Africans need to prioritise. We hope this project and proposed initiatives will go a long way towards "rallying the troops" to urgently address the growing cyber threat facing our country.

I wish to offer my sincere appreciation to the British High Commission for their funding and support to complete this vital research project.

I also wish to convey my warmest thanks to all participating companies and teams for their input and independent review of this report. Your passion to make a positive impact in this country has been amazing to witness. I would finally like to acknowledge the Wolfpack team for their dedication shown in the research, analysis, layout and distribution of this report. I am very proud of what we have achieved.

For a copy of the full 2012/3 South African Cyber Threat Barometer report and other country supplements please visit the research section of our website.

Corporate contact details: Building 1 Prism Office Park Ruby Close, Fourways Johannesburg, 2055 Telephone: +27 11 367 0613 Email: info@wolfpackrisk.com Website: www.wolfpackrisk.com

Craig Rosewarne Managing Director Wolfpack Information Risk (Pty) Ltd



India

History of Cyber Laws and organisations tasked to combat cybercrime in India

Bill / Act

Description

Information Technology Act

• An Act to provide legal recognition for transactions carried out by means of electronic information interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the:
  o Indian Penal Code - penalizes several cyber crimes. These include forgery of electronic records, cyber frauds, destroying electronic evidence etc.
  o the Indian Evidence Act, 1872 - the IT Act Digital evidence is to be collected and proven in court
  o the Bankers' Books Evidence Act, 1891 - the provisions of bank records
  o and the Reserve Bank of India Act, 1934

Information Technology (Certifying Authorities) Rules

• These rules prescribe the eligibility, appointment and working of Certifying Authorities.
• These rules also lay down the technical standards, procedures and security methods to be used by a Certifying Authority.

Information Technology Cyber Regulations Appellate Tribunal (Procedure) Rules

• These rules prescribe the appointment and working of the Cyber Regulations Appellate Tribunal whose primary role is to hear appeals against orders of the Adjudicating Officers

2001 2002

Information Technology (Certifying Authority) Regulations

• They provide further technical standards and procedures to be used by a Certifying Authority. Two important guidelines relating to Certifying Authorities were issued:
  o The first are the Guidelines for submission of application for license to operate as a Certifying Authority under the Information Technology Act.
  o Next were the Guidelines for submission of certificates and certification revocation lists to the Controller of Certifying Authorities for publishing in National Repository of Digital Certificates.
• Amended and updated again in 2003, 2006 and 2009.

2003

Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules

• These rules prescribe the qualifications required for Adjudicating Officers.
• Adjudicating Officers adjudicate cases such as unauthorized access, unauthorized copying of information, spread of viruses, denial of service attacks, disruption of computers, computer manipulation etc.
• These rules also prescribe the manner and mode of inquiry and adjudication by these officers.

Year 2000


Public Interest Litigation (PIL)

• Asian School of Cyber Laws (ASCL) students filed a Public Interest Litigation (PIL) in the Bombay High Court asking for the speedy appointment of adjudicating officers.
• Following this, the Central Government passed an order dated 23rd March 2003 appointing the “Secretary of Department of Information Technology of each of the States or of Union Territories” of India as the adjudicating officers.

Information Technology (Other Standards) Rules

• An important order relating to blocking of websites was passed in 2003 allowing the Computer Emergency Response Team (CERT-IN) powers to instruct the Department of Telecommunications (DOT) to block unwanted websites.

Information Technology (Use of Electronic Records and Digital Signatures) Rules

• Provided the necessary legal framework for filing of documents with the Government as well as issue of licenses by the Government. It also provides for payment and receipt of fees in relation to Government bodies.

Information Technology (Security Procedure) Rules

• Prescribe provisions relating to secure digital signatures and secure electronic records.

Computer Emergency Response Team (CERT-In)

• CERT-In was established. The constituency of CERT-In is the Indian cyber community. Designated to serve as the national agency in the area of cyber security.

2010

Inter Departmental Information Security Task Force (ISTF)

• India’s Government had set up an ISTF with National Security Council as the nodal agency.

2011

Information Technology (Electronic Service Delivery) Rules

• Some public services can be delivered electronically, and agencies authorised by the government (central, state or union territory) to help provide such services will have to follow a set of norms. The norms will talk of which services can be delivered electronically, how, through what mechanisms, the fee to be collected for such service delivery,

Information Technology (Intermediaries guidelines) Rules

• The rules cover how intermediaries should deal with content, especially objectionable content. They ask intermediaries to publish rules and privacy policies that shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules

• Security practices and procedures to be followed by an agency, company, or person while collecting sensitive information of a personal nature. It also refers to how such information may be collected, used, shared, stored, and destroyed.

Information Technology (Guidelines for Cyber Cafe) Rules

• Deals with security processes and identity of users at cyber cafes

Year

2004



Comparison of Punishments of Computer Offences listed in the present IT ACT 2000 with those proposed in the New Bill

| Section | Coverage | Present Act (Imprisonment / Fine) | Proposed Bill (Imprisonment / Fine) |
|---|---|---|---|
| Section 70 | Protection of critical information Infrastructure (covers cyber terrorism) | Up to 10 years + fine | Up to 10 years + fine |
| | To safeguard national interest, non-cooperation with designated Government agencies to intercept or monitor or decrypt any information through any computer resource. | Up to 7 years | Up to 7 years |
| | Tampering with computer source documents | Up to 3 years and/or fine | Up to 3 years and/or fine up to Rs. 2 Lakh |
| | Intentional or knowing non-compliance with the provisions of IT Act, rules or regulations made thereunder | Up to 3 years and/or fine | Up to 2 years and/or fine up to Rs. 2 Lakh |
| | Cheating using digital signature of other person | Does not exist | Up to 3 years + fine |
| | Impersonation using communication network or computer resource | Does not exist | Up to 5 years + fine |
| | Accesses or secure access to a computer resource without the permission of the owner (covers offenses like unauthorized access, hacking amongst others). | 3 Yrs + Rs. 2 Lakh as part of Section 66 | Up to 2 years and/or fine up to Rs. 5 lakh |
| | Downloads, copies or extract any information, database from computer, computer system or computer network including information held on removable storage media (covers offenses like privacy, IPR violation, privacy violation, database and other thefts, amongst others). | Does not exist | Up to 2 years and/or fine up to Rs. 5 lakh |
| | Introduces or causes to be introduced any computer contaminant or computer virus (covers Malware or malicious program like viruses, worms, Trojans, spywares/adwares amongst others). | Does not exist | Up to 2 years and/or fine up to Rs. 5 lakh |
| | Damages or causes to be damaged, any computer system or computer network, information, computer database or other programs residing therein (cover offences like virus infected damages, hacking amongst others). | 3 Yrs + 2 lakh as part of Section 66 | Up to 2 years and/or fine up to Rs. 5 lakh |
| | Disrupts or causes disruption or impairment of any computer resource (covers offenses like instances leading to denial-of-services (DoS), network attacks amongst other network disruptions) | 3 Yrs + 2 lakh as part of Section 66 | Up to 2 years and/or fine up to Rs. 5 lakh |
| | Denies or causes the denial of access to person authorized to access any computer resource (covers offenses like instances leading to distributed denial-of-services (DDoS) amongst others). | 3 Yrs + 2 lakh as part of Section 66 | Up to 2 years and/or fine up to Rs. 5 lakh |
| | Provides any assistance to any person to facilitate access to a computer resource in contravention with the provision of IT Act, Rules or Regulations etc. (covers instances like illegal access, phishing, identity theft) | Does not exist | Up to 2 years and/or fine up to Rs. 5 lakh |
| | Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer resource (covers offenses like Online frauds, Internet auction frauds amongst others). | Does not exist | Up to 2 years and/or fine up to Rs. 5 lakh |
| | Breach of confidentiality and Privacy by any person empowered by IT Act, Rules or Regulations | 2 Yrs + Rs. 1 Lakh | 2 years plus Rs. 5 lakh |
| | Abetment (New) | Does not exist | Punishment as applicable to offence |
| | Penalty for misrepresentation | 1 Yr. + fine of Rs 1 lakh | 1 Yr + fine of Rs. 1 lakh |
| | Penalty for publishing electronic signature | 2 Yrs. + Rs 1 lakh | 2 Yrs + Rs. 1 lakh |
| | Publication for fraudulent purpose | 2 Yrs. + Rs. 1 lakh | 2 Yrs. + Rs. 1 lakh |



Industry Collaboration, Partnership Developments and Initiatives in Cybersecurity

Organisation / initiative

Description

Bureau of Police Research and Development (BPR&D)

• Organises courses regularly for police officers at various levels on Information Technology and cybercrime.
• Training of police personnel is primarily the responsibility of State Government. As a part of the process of capacity building of the police, the efforts of the State Governments and Union Territories are supplemented by the Central Government. Courses on Cyber Crime are conducted at Central Detective Training Schools (CDTSs) every year for state police officers and CAPF personnel. National Police Academy, North-Eastern
• The Central Bureau of Investigation also conducts cybercrime training.

Computer Emergency Response Team India (CERT-IN)

• Responsible for the protection of India’s cyber space.
• Facilitates creation of sector CERTs in order to respond quickly to protect power distribution networks, air traffic controls, traffic networks and other areas that are heavily dependent on networked systems.

Crisis Management Plan

• Formulated by the Government for countering cyber attacks and cyber terrorism for implementation by all Ministries/Departments of Central Government, State Governments and their organizations and critical sectors.

Data Security Council of India (DSCI)

• A focal body on information protection in India, set up as an independent Self-Regulatory Organization (SRO) by NASSCOM®, to promote information protection, develop security and privacy best practices and standards, and encourage the Indian industries to implement the same.
• Focused on capacity building of Law Enforcement Agencies for combating cyber crimes in the country; towards this, it operates several Cyber labs across India to train police officers, prosecutors and judicial officers in cyber forensics.

The National Association of Software and Services Companies (NASSCOM)

• As part of its initiatives towards creating more awareness on cybercrime, NASSCOM has planned to introduce advanced training programmes with due stress on recent trends in usages of cyber forensic tools and methodologies at its Cyber Labs. These law enforcement officials will be able to carry out various activities such as analysing and scrutinizing information on hard disks, email tracking, extracting evidence using Internet and mobile phones and cybercrime-related legislation.

National Critical Information Infrastructure Protection Center (NCIPC)

• The National Technical Research Organisation (NTRO) would be tasked to protect the critical infrastructure such as important government networks. NTRO would be tasked to create a command-and-control centre for monitoring the critical infrastructure. It would be a round-the-clock centre, providing real time response to cyber security breaches.
• NTRO and Intelligence Bureau (IB) would primarily be responsible for security of various government networks. While NTRO would operate through NCIPC, IB would be mainly looking at the physical security of networks. State police, CBI, NIA etc. would be tasked to do follow-up action, if any intrusions are detected.

National Informatics Centre (NIC)

• Provides services to Ministries/Departments to continuously strengthen the security of the network operated by them and its services by enforcing security policies, conducting regular security audits and deploying various technologies at different levels of the network to defend against the newer techniques being adopted by the hackers from time to time.
• Has been directed not to host web sites which are not audited with respect to cyber security.
• Has installed a state-of-art Cyber Security system, which monitors events on the network for detection and prevention of malicious traffic.

Offensive Cyber Operations

• National Security Council (NSC) would soon designate the Defense Intelligence Agency (DIA) and National Technical Research Organization (NTRO) as agencies for carrying out offensive cyber operations, if necessary. All other intelligence agencies would be authorized to carry out intelligence gathering abroad, but not offensive operations.


PKI infrastructure

• PKI infrastructure set up to support implementation of Information Technology Act and promote use of Digital Signatures.

Security Auditors

• Security Auditors have been empanelled for auditing, including vulnerability assessment and penetration testing of computer systems and networks of various organizations of the government, critical infrastructure organizations and those in other sectors of the Indian economy.

Security Incident - Early Warning and Response

• Creation of National Cyber Alert System for rapid identification and response to security incidents and information exchange to reduce the risk of cyber threat and resultant effects.
• Cyber Security and Information Assurance Technology to prevent, protect against, detect, respond to, and recover from cyber attacks in critical information infrastructure that may have large-scale consequences.
• Collaboration for training personnel in implementing and monitoring secure government intranets and cyber space
• Joint R&D projects in the area of Steganography, water marking of documents, security of next generation networks and Cyber Forensics
• Coordination in early warning, threat and vulnerability analysis and incident tracking
• Cyber security drills/exercises to test the vulnerability and preparedness of critical sectors

Security Policy, Compliance and Assurance

• Creation, establishment and operation of the Cyber Security Assurance Framework aimed at enabling Government and the Critical Infrastructure Organisations.
• In respect of compliance to international standards and best practices on security and privacy, the Government has mandated implementation of Security Policy in accordance with the Information Security Standard ISO 27001. Currently in India 246 organisations have obtained certification against the Information Security Standard ISO 27001 as against total number of 2814 ISMS certificates issued worldwide. Majority of ISMS certificates issued in India belong to IT/ITES/BPO sectors.

Security R&D

• Securing the Infrastructure, meeting the domain specific needs and enabling technologies facilitating basic research, technology demonstration and proof-of-concept and R&D test bed projects.
• Security promotion and publicity.

Security training

• Nationwide Information Security Education and Awareness Program has been launched for skills/competence development and user end awareness to meet the specific needs of Law Enforcement, Judiciary and other users such as E-Governance project owners catering for:
• A baseline for IT Security awareness
• Skill and Competence development
• Advanced Manpower Certification programs
• Promote a comprehensive national awareness program
• Foster adequate training and education programs to support the Nation's cyber security needs
• Increase the efficiency of existing cyber security training programs and devise domain specific training programs (ex: Law Enforcement, Judiciary, E-Governance etc)
• Promote private-sector support for well-coordinated, widely recognized professional cyber security certifications.

State Police Departments

• Have set up separate cyber police stations in many states and union territories which handle all the cybercrime cases including cyber-attacks.



Cost of Cyber Crime in India

| | Description | Globally (24 Countries) | India |
|---|---|---|---|
| CYBERCRIME COSTS* | Total net cost of cybercrime | US $388bn | Rs 341.1bn (US$7.6bn) |
| | Victims’ value of the time lost to cybercrime | US $274bn | Rs 162.6bn (US$3.6bn) |
| | Direct cash cost (money stolen/cost of resolving cybercrime) | US $114bn | Rs 178.5bn (US$4bn) |
| CYBERCRIME EXPERIENCES | Online adults who have experienced cybercrime in their lifetime | 69% | 80% |
| | Victims who experienced cybercrime in the past 12 months | 65% | 81% |
| | Adults who have experienced mobile related cybercrime | 10% | 17% |
| LOST TIME | Days taken to resolve cybercrime in the past year (average) | 10 days | 15 days |
| TOP CYBERCRIME | Most common types of cybercrime in past 12 months (% of all cybercrime) | 1. Computer viruses/malware (54% overall, of which 58% occurred in the past 12 months) 2. Online scams (11% overall, of which 52% occurred in the past 12 months) 3. Phishing (10% overall, of which 53% occurred in the past 12 months) | 1. Computer viruses/malware (60% overall, of which 75% occurred in the past 12 months) 2. Online scams (20% overall, of which 48% occurred in the past 12 months) 3. Phishing (19% overall, of which 59% occurred in the past 12 months) |

(Survey available at http://norton.com/cybercrimereport)



India Case Studies

Nigerians arrested for e-fraud in India
By BiztechAfrica - July 27, 2012.

Four Nigerian nationals have been arrested on fraud charges in two separate cases in India. In one case, a Nigerian man has been arrested in New Delhi, India, for defrauding a woman in a cellphone scam. The man, Ufondu Anthony Chukwuzubelu, allegedly sent out thousands of text messages telling people they had won an e-lottery. He then asked his victims to transfer money into an account to receive their winnings. One woman did so, and notified the police when she realized she had been scammed. In the other case, three Nigerians were arrested in Bangalore for defrauding a student in an e-mailed lottery scam. The accused, Osrogiagbon Austine, Ikeifun Moses and Maduforo Amaechi Frank, were arrested, and mobile phones, laptops and internet data cards were seized.

Indian navy computers stormed by malware-ridden USBs
Indian Express, By Phil Muncaster, http://www.theregister.co.uk/2012/07/03/indian_navy_hacked_usbs/

The Indian navy has been left licking its wounds after suspected Chinese hackers managed to lift classified information from maximum security, non-internet connected PCs via malware hidden on USB drives. The Indian Eastern Naval Command was the target of the attacks, which were first discovered at the start of the year. The Indian Eastern Naval Command is also charged with overseeing operations in the South China Sea, a region which is highly sensitive politically for China and one which has recently seen an escalation in tensions over its territorial claims. The report claims six officers are awaiting strict disciplinary action after the incident, although there is no mention that any of them may have been acting maliciously.

Microsoft India’s online store was offline after being targeted by alleged Chinese hackers. Despite reassuring customers that their information was safe, Microsoft was later forced to admit that actually the hackers may well have nabbed credit card details from what is thought to have been an unencrypted database.

http://www.theregister.co.uk/2012/03/16/indian_government_sites_hacked/

Over 100 of India’s web sites had been hacked in just three months at the beginning of the year, including that of a state-owned telecoms company. Minister for communications and IT, Sachin Pilot, revealed in a written reply in parliament that a total of 112 sites had been compromised from December 2011 to February 2012. Many of the sites hacked appeared to be those of government agencies in various regions of the sprawling country including Madhya Pradesh, Rajasthan and Kerala. Also singled out was state-run telco Bharat Sanchar Nigam Limited (BSNL), which was hacked and defaced in December allegedly by hackers belonging to the ‘H4tr!ck’ group. BSNL in particular came under attack from Pakistani hackers several times last year, most notably from a group calling themselves the Pakistan Cyber Army, and many of the hacks of government sites mentioned by Pilot could be blamed on mischief makers from India’s fierce rival across the border. There were 834 defacements of .in web sites in India during January this year, with the figure rising to 1,425 for all sites.

Punjab National Bank in India was cheated to the tune of Rs. 13.9 million through false debits and credits in computerized accounts.

The CEO of a software company in Pune (India) was arrested for sending highly obscene emails to a former employee.

In March 2007, the Pune rural police cracked down on an illegal rave party and arrested hundreds of illegal drug users. The social networking site Orkut.com is believed to be one of the modes of communication for gathering people for the illegal “drug” party.

A software professional from Bangalore (India) was booked for stealing the source code of a product being developed by his employers. He started his own company and allegedly used the stolen source code to launch a new software product.

(A survey paper on Cyber crimes, Cyber Laws in India, International Journal of Advances in Computing and Information Researches ISSN: 2277-4068, Volume 1 – No.2, April 2012)

In November 2011, 113 security incidents were reported from National / International agencies. 1651 Indian websites were defaced during November 2011. According to CERT-In Monthly Computer Security Bulletin January 2012, 77 security incidents were reported from National / International agencies. In January 2012, 1425 Indian websites were defaced, and of the incidents reported 39% related to phishing, 9% to spamming, 4% to unauthorized scanning and 48% to technical help under the Others category. This is why we need to learn and understand cyber crimes, their types, the laws and punishments against such crimes, and how an individual or organization should safeguard against cyber crimes using some basic steps.

(According to CERT-In Monthly Computer Security Bulletin; A survey paper on Cyber crimes, Cyber Laws in India, International Journal of Advances in Computing and Information Researches ISSN: 2277-4068, Volume 1 – No.2, April 2012)

http://www.scribd.com/Silendo/d/80154379-SDA-Cyber-Security-The-Vexed-Question-of-Global-Rules
http://mit.gov.in/content/cyber-security-strategy/
http://www.mit.gov.in/sites/upload_files/dit/files/RNUS_CyberLaw_15411.pdf
http://www.asianlaws.org/brochures/cyber-law-police-brochure.pdf


