Simply defined, ‘ransomware’ is a kind of malicious software which infects an electronic system and blocks, limits, or restricts a user’s or organization’s access to their own data until a ransom amount is paid. The malware employs encryption to hold a victim’s information to ransom: the user’s critical data is encrypted so that they cannot access files, databases, or applications. The encryption is asymmetric in nature, i.e., the attacker creates a unique public-private key pair. Once it reaches its target (most often via click-bait), the malware encrypts the victim’s data, which includes documents, images, databases, etc., so that only the corresponding private key can decrypt it, and access to this key is provided to the victim only on payment of the ransom. Ransomware has become a grave concern in recent times. Attacks include those affecting randomized and untargeted consumers, as well as high-profile corporate targets. Moreover, the increased usage of Bitcoin and other cryptocurrencies, which are difficult to track, is understood to be driving the proliferation of ransomware attacks.
The concern is aggravated by the fact that, while the ideal manner of confronting ransomware is to refuse the amount demanded and tackle the attack with cyber-security measures, most persons, especially corporate bodies, (understandably) assign more value to their endangered data and thereby participate in the illicit transaction. As per a global survey by cybersecurity firm Sophos called ‘The State of Ransomware 2021’ (“Survey”), the average total cost of recovery from a ransomware attack has increased from $7,61,106 in 2020 to $1.85 million in 2021 globally, while in India, the approximate recovery cost tripled from $1.1 million in 2020 to $3.38 million in 2021. Moreover, there is no guarantee of return of data even on payment, and in a majority of circumstances, victims do not receive their entire data despite it. The hoped-for relief is therefore temporary at best, and such payments only go on to encourage the actions of the attacker community.
In light of the above, this article, by highlighting India’s position vis-à-vis ransomware attacks, elucidates the deficits of the current provisions and elaborates on the measures which can be taken to strengthen cyber security efforts.
While 2021 saw a surge in ransomware attacks globally, it was a particularly infamous year for India. According to the Survey, India was the most affected country, with 68% of its surveyed organizations having been hit by ransomware. Notable breaches during the year include the attack on Air India’s data, which affected more than 4.5 million passengers, the attack on the power utility systems of Telangana, and the attack on Pimpri-Chinchwad Municipal Corporation – the Smart City project in Pune district, managed by Tech Mahindra. The threat is thus immediate and incessant, and it is imperative to revisit and reinvent the approach to cyber security on all fronts – legal, as well as otherwise.
RE-EVALUATING THE LEGAL-RESPONSE SYSTEM: WHY AND HOW
While the Computer Emergency Response Team (CERT-In) was set up with the best of intentions, its efficacy remains questionable on various counts. One of the chief downsides of the current framework is the delayed reporting or non-reporting of breaches, both to CERT-In and to sector-specific authorities. Presently, under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, Rule 12(a) states that organizations or corporate entities affected by cyber security incidents may report to CERT-In within a reasonable time of occurrence or noticing the incident. It is (vehemently) suggested that reporting should be a mandate and that the period for doing so must be specified, and must not be greater than 48 hours from notice of the breach. This is necessary since citizens should be able to rely on the updates communicated through the website. Such dependability is a distant dream, as various large-scale breaches that have occurred in the past remain unreported there till date. For instance, the website still does not mention the Backdoor.Nidoran or CVE-2015-2545 exploitations.
Moreover, simultaneous communication of attacks (to CERT-In and the sector-specific authority) will allow the respective bodies to expeditiously share expertise on the matter and seek resolution in a calculated manner. However, with no uniform regulations in place, the scattered requirements to report render the entire process desultory. For instance, while RBI requires financial institutions to report breaches within 6 hours of detection, SEBI only requires quarterly reports. A blanket reporting period across all sectors, which would ideally coincide with the CERT-In period, would increase efficiency and ease the burden of compliance for an organization which may fall under two or more sectoral authorities. Thus, a coordinated, comprehensive and unified policy that applies to financial institutions, government organizations, stock exchanges and private companies is the need of the hour.
Further, no law in India requires stakeholders, including consumers, of victim corporations/companies to be notified of an attack which is likely to affect or misuse their data. Since the right to privacy is fundamental, it is only justified that all concerned parties be notified of the situation. Even if the intention is to avoid creating alarm among citizens, the requirement can be diluted so as to mandate corporations to inform stakeholders if the ransomware attack extends beyond a period of 72 hours. For instance, in the UK, if the breach involves a high risk of adversely affecting the rights of individuals, then organizations are required to inform those individuals without any undue delay. Even in Germany, under Article 34 of its GDPR, data subjects need to be informed without undue delay if it is likely that the data breach resulted in a high risk to the rights and freedoms of natural persons.
PREVENTION IS BETTER: THE NEED TO HARMONISE LAW & TECHNOLOGY
It is advised that individuals/organizations should be assiduously equipped to efficiently recognize, resist and react to ransomware attacks. Measures to this effect include large-scale optimization of technology as well as operations at an individual level. In respect of the former, data localization should become the fundamental focus. When servers are installed within the country, rather than outside, the feasibility of and control over access to and monitoring of real-time data inputs increase for the government and the cybersecurity personnel involved. As an extension of this long-term goal, it is also pertinent that active efforts are made to advance India’s Public-Private Partnerships. This will allow IT industries to work in tandem with the government sector and result in an exchange of the best practices available in the cyber field.
As for independent action, preparation in the form of training should be the cornerstone of all efforts. Personal system users and employees across sectors should seek/receive training so as to be able to identify and report possible ransomware attacks. One of the best ways to induce a cautious response is via simulation exercises. These exercises test persons by sending invented emails, pop-up links, etc. akin to those received in ransomware attacks, thereby inculcating suspicion, incident reporting and technical measures such as isolating infected devices. Cyber-attack simulators and awareness tools, such as ThreatCop and KnowBe4, are readily available in the market today and will undoubtedly be a constructive investment. Additionally, technologies such as Microsoft’s Azure Sentinel and SpinOne software tools, which use AI to detect ransomware encryption patterns and block suspicious sources, should also be strongly considered.
It is equally crucial to ensure that the incorporation and implementation of the above-stated preventative mechanisms do not become financially burdensome. Immoderate expenses will only dissuade efforts in this regard. The Insurance Regulatory and Development Authority of India (IRDAI) recently, in September 2021, issued a circular on ‘Product Structure for Cyber Insurance’ containing a Guidance Document. In acknowledging the role of comprehensive cyber insurance, IRDAI exemplified how such schemes have been successful in developing nations such as the USA. The recommended coverage included first and third party liability, regulatory actions and crisis management – which expressly includes security consultation and ransomware cover. It is hoped that this structure permeates the strategy of all stakeholders.
Ransomware attacks are rapidly becoming more sophisticated, and a simultaneous, if not greater, advancement of response and remedy is simply ineluctable. Legal rigor and precision are key to driving cyber-security efforts by way of creating regulatory obligations. Concurrently, additional preventative steps become significant in achieving the end goal. As elucidated above, a holistic approach is necessary to successfully navigate the realm of ransomware attacks.