Reading time: 6-8 minutes.
The Indian Institute of Technology-Madras (IIT-M) initiated an investigation into the hacking of one of its servers, which resulted in the temporary suspension of its e-mail services last month. Confirming that one of its e-mail servers was temporarily down, the institution said that the problem had been resolved and normality had been restored. “All e-mails on the server have been backed up and no e-mails have been lost. E-mail backup is underway and will be finished shortly.
The cause is being investigated”, said the IIT-M Director’s Office on the incident. Responding to a question as to whether ransomware was targeted and accessed the research work of students, scholars and academics, the institution said that “no other systems have been affected.” The Public Relations Department has opted not to comment about whether a criminal complaint has been filed with any law-enforcement agency. The problem emerged after the researcher posted a screenshot of the message he received after logging in to the IIT-M server on social media.
The suspected ransomware message stated that all files had been encrypted and, in order to retrieve them, the data had to be decrypted. The user was asked to send an e-mail to a different account for the decrypted file that would be made available for payment. Recognizing that there was a “significant attack” on campus computers, IIT-M sent a letter to students / staff that the virus appeared to hit computers running on a specific operating system and asked them to urgently back up their work.
The root and type of ransomware are under investigation by in-house experts. The Tamil Nadu police denied that they had received any complaint from IIT-M regarding the incident.
Significance of this development
It is important that companies collaborate to build cyber-threat detection and response teams and processes. We know cybercrimes are going to affect even the most trained organizations. As members of our organizations and our sectors, we need to ensure that we are prepared to recognise where these crimes are committed and react appropriately. CFR will help you do that. CyberSec First Responder (CFR) Logical Operations is the ideal credential for a company to use to verify that their staffs have the expertise required to conduct essential information security job functions.
Importance of cyber security
We often equate cyber security with computers, but they really have a far broader application than just that. The first instance of a cyber assault was in 1903, when magician Nevil Maskelyne interrupted John Ambrose Fleming’s demonstration by transmitting derogatory Morse code messages on the auditorium screen! Modern-day hackers had 114 years to update and develop information security infrastructure. Hacking techniques and methods have increased as the Internet has expanded, and it is now much easier to target a company or a person in this way.
These tools have become known as “Manipulate Kits” and are designed to manipulate human vulnerability or weaknesses in your Computer or server; those who use these devices have been dubbed “Script Kiddies.” Good cyber protection is not simply about defending a network, because most hackers do not attempt to penetrate a network, but will rather target a website or a server.
Accessing networks is more challenging for hackers, because most individuals and companies have a firewall in place that is impossible for hackers to penetrate. Minimum cyber security requirements for a network should be as follows: Endpoint Protection, Firewall, Intrusion Detection System / Intrusion Prevention System, Web Filtering Software, Radius Server, Logging Software, Encryption.
Provisions regarding anti-hacking in India
Sections 43 and 66 of the IT Act cover fraud or manipulation of data on civil and criminal offences. Pursuant to Section 43, a simple civil offence, where a person without the owner’s consent accesses the device and removes any data or harm to the data stored therein, shall be liable to civil liability and shall be liable to pay compensation to the individuals concerned. Under the IT Act 2000, the overall pay-out limit was fine for Rs. one crore. However, this limit was removed in the change made in 2008.
Section 43A was introduced in the 2008 amendment to include the business shed where workers stole information from the company’s confidential files. Section 66B refers to fines for obtaining stolen computer resources or information. The penalty requires one year’s imprisonment or a fine of one lakh rupee or both. Mens rea is an essential element of Section 66A.
The purpose or information to inflict unjust harm to others, i.e. the presence of criminal intent and evil mind, i.e. the principle of men’s rea, degradation, deletion, modification or loss of value or use of data, are all main ingredients for bringing any act under this Act.
Development of cyber laws
Throughout the early 1970s, countries started to introduce broad legislation to protect individual privacy. Many of these regulations are based on the frameworks put in place by the Organization for Economic Cooperation and Development and the Council of Europe. The origins of current legislation in this field can be traced back to the first data protection law in the world introduced in the Land of Hesse in Germany in 1970.
This was followed by regional legislation in Sweden (1973), the United States (1974), Germany (1977) and France (1978). The first federal computer fraud legislation in the U.S.A. was the Computer Fraud and Abuse Act, 1984. The fact that only one arrest had ever been made under the Act before it was revised in 1986 demonstrates how difficult it is to draw up successful laws on computer crime.
The Information Communication Technology Revolution in India began in 1975, when the Government of India strategically agreed to take proactive steps towards the development of information systems and the use of computer resources. The National Information Technology Centre under the Electronic Commission / Department of Electronics was the result of this view and was supported by the United Nations Development Program (UNDP).
The establishment of the National Association of Software Services Companies at the beginning of the 1990s reflects the power of India in this field. The Internet came to India in 1995 and, after nearly five years, India was getting ready to legislate on its first cyber law. The Information Technology Act, 2000 heralded a new cyber law regime in the country. India became the 12th nation in the world to enact cyber laws.
There is no question that hacking is a major threat to the virtual world. Not many people in the country are aware of the theft. There needs to be more understanding of hacking and cracking in the world. The laws of the government are stringent, but there is a lack of enforceability and knowledge in society. Most of the minor hacking cases go unnoticed as people are abstaining from filing cases for petty offences even though it is seriously punished.
Also, it is very difficult to track down a virtual hacker due to lack of equipment. Since hacking can happen anywhere in the world, it is hard for the police to track the culprit down and arrest him in another country. These issues need to be resolved for effective implementation. Punishment can also be made a little more strenuous to discourage citizens from committing these crimes.
Author: Harneet Singh from Presidency University, Bengaluru.
Editor: Ismat Hena from Faculty of Law, Jamia Millia Islamia.