This year has seen a lot of cyber security compromises at renowned companies. At the start of the year, the Target retail store was hacked and 40 million customers’ credit card details were revealed. This was followed by eBay, the United States Postal Service (US) and even Gmail accounts being hacked. The latest in the series is the attack on Sony Pictures Entertainment by hacker group Guardians of Peace (GOP) – which is being called the largest hack attack.
In the case of Sony Pictures Entertainment, the hackers are not just leaking unreleased Sony movies, email conversations between top Sony Pictures executives and so on. There have been reports of Sony employees receiving emails from hackers warning them to pressure Sony to meet their demands, and that if they do not comply, their family members will be harmed. It is not clear whether the source of the emails is the Guardians of Peace hacker group.
Sony Entertainment Pictures was hacked by the hacker group Guardians Of Peace. (Image: AFP)
There is a lot of speculation pointing the needle of suspicion towards North Korea, after its supreme leader Kim Jong-un called Sony’s decision to release a comedy movie, “The Interview” (whose central plot is the assassination of the leader of North Korea), an act of war. The FBI has even gone so far as to outright blame North Korea for the cyber attack, based on findings by cyber forensic experts. There have been reports about an elite government-backed hacking organisation in North Korea – Bureau 121 – which is speculated to be behind the attacks. Another aspect which makes one believe that North Korea has a hand in the attacks is the fact that GOP has stated that Sony should stop the release of the movie “The Interview,” which can disturb regional peace and cause war.
North Korea has officially denied any hand in the attacks, but it’s calling the attack a ‘righteous deed’.
Rise of Cyberwarfare
Towards the end of last month, Symantec also discovered a malware called Regin, which according to Symantec, “displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals”.
If you have been following the cyber-security space, the name Stuxnet will surely ring a bell. It was a virus created by the United States and Israel to attack Iranian nuclear facilities. State-funded hackers in China have allegedly been involved in hacking activities targeting the New York Times as well as hacking Apple’s iCloud.
Long story short, cyber attacks are not limited to hacker groups looking to make money or hacktivists such as Anonymous, who have a purpose behind hacking – which may or may not be to everyone’s liking. The idea of a hacking group being backed by a legitimate government completely changes the dynamics. It is no longer about economic gains, but about gaining access to valuable information or state secrets – which the perpetrator state can use to its advantage. Also, state-sponsored hack attacks will make use of complicated tools, as they are infiltrating systems which have robust security arrangements in place, whereas an individual hacker who has to infiltrate regular machines will use simpler techniques.
If countries are hacking into nuclear facilities, then cyber warfare is as good as actual warfare.
According to Cyber Law and Cyber Security expert Prashant Mali, “Cyber-warfare has already become a strategic warfare. All countries are getting ready with their Cyber command as 5th command after Air, Land, Navy and Space.” In fact, the United States stated in 2011, in a document called International Strategy for Cyberspace, that it will resort to military action in case of a major cyber attack. In the Sony Pictures Entertainment case, US President Barack Obama said that the United States will respond to North Korea’s cyber attack “proportionally, and we’ll respond in a place and time and manner that we choose.”
Situation in India
India, on the other hand, despite being an IT superpower, had under 600 cyber security experts till 2013. According to Cisco, India needs at least 4 lakh cyber security experts.
“It is not only the Government but also the Private Organisations which have to get serious about IT Security. Security has always been secondary when it comes to IT. We need to be proactive in identifying the threats and patching them up, instead of waiting for a hacker to knock you off,” says Rakshit Tandon, Cyber Security Expert associated with the Internet and Mobile Association of India.
Kaspersky real-time Cyberthreat map
Government organisations in India have seen a 136% increase in cyber attacks and threats. According to the Indian Computer Emergency Response Team (CERT-In), the number of cyber attacks has increased exponentially in the last 10 years, from a mere 23 cases reported in 2009 to around 96,383 cases reported till September this year.
The Indian government came out with a National Cyber Security Policy in 2013, but according to experts the policy is quite broad-based, and implementing it along with the 5 lakh skilled professionals in the next five years is a big challenge. According to Tandon, there needs to be a concerted effort in spotting talent. “Indian firms and the government need to give an authorised platform to our young Cyber Security Professionals where they can do research and protect our IT Infrastructure,” he says.
The rise of cyber-security complaints over the years according to CERT-In
According to Mali, Indian firms that have faced cyber-espionage in the past and which have suffered huge losses have become more resilient. “Government agencies are now in full-throttle mode towards Cyber Security with new initiatives. But yet, we have a long way to go,” said Mali. He is of the opinion that Cyber Security should be taught in schools and colleges. He also feels that the government should organise boot camps for citizens to spread awareness about cyber-security.
Kaspersky has come up with this great interactive real-time map of cyber threats, which places India within the top 5 most-threatened countries.
As was seen in the case of eBay, Target as well as Sony, while it is the organisations that are hacked, critical details of regular people are getting compromised. With the prevalence of mobile phone usage, cyber attacks are just going to increase. Both Tandon and Mali agree that the mobile phone platform is going to see a lot of cyber attacks in the coming years, thanks to the amount of time spent on smartphones. Over the last couple of years we have seen a lot of banking apps and e-commerce apps becoming available on smartphones. With the increase in mobile-commerce transactions, the mobile platform will be seeing a lot more attacks, say experts.
According to Mali, organisations have to comply with certain security practices as mandated by Section 43A of the IT Act 2000. “If a client loses his password, which is classified as per The IT Act, 2000 as Sensitive Personal Data, he can file a case with the Adjudicating Officer and can claim compensation till 5 crores, and for above 5 crores he can go to civil court. He can also file a criminal complaint for abetment and gross negligence against the site,” says Mali.
As seen from the chart above, the number of complaints will keep piling up until we have a steady IT security infrastructure. Globally, many countries are training elite hackers not just to protect their own assets, but also to infiltrate security systems in other countries. Now that we have a National Cyber Security Policy in place, let us hope the implementation is on a fast track.