An Era of Cyber Security: A Distant Dream
Assistant Professor, Law College Dehradun, Uttaranchal University, India
In the twentieth century our country saw a magnificent and enormous growth in Information Technology and e-commerce, which involves electronic and commercial transactions. With the enhancement in technology and the rapid, applied-sciences-based development of the country, safeguarding against the negative impacts with stringent and effective laws became the need of the hour. Unfortunately, India had no legislative framework or policies to protect against the evil outcomes of technology and the rampant usage of e-commerce. In the year 2000 the Information Technology Act was introduced to address the security concerns and to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication. Implementing effective cyber security provisions to monitor and protect information became a necessity. Cyber security means a body of technologies, processes, and practices designed to protect networks, devices, programs and data from attack, damage, or unauthorized or illegal access. Cyber security is the practice of protecting systems, networks, and programs from cyber-attacks, which involve a series of cyber security threats. Along with the legislation, in the year 2013 the National Cyber Security Policy came from the Department of Electronics and Information Technology, which aimed at protecting public and private individuals and infrastructure from cyber-attacks. This paper highlights the issues relating to cyber security, the types of cyber security threats prevailing, the legislative framework, the objectives of the National Cyber Security Policy, and the ways to ensure a secure and resilient cyberspace.
Keywords: e-commerce, electronic transactions, cyber security, cyber threats.
Cyber space is a virtual space in which all IT-mediated communication and actions take place. Information Technology (IT) has made life easier, but it has also made crime easier. IT obliterates the need for actual physical contact to commit a crime. IT has also given birth to new kinds of criminal activities like embezzlement, cheating, theft etc. Misuse of IT has given rise to various risks to individuals, organizations and government. These include financial risks, individual risk, IPR violations, risk to computers, risk to information, and the risk of illegal online activity. In the twentieth century our country saw a magnificent and enormous growth in Information Technology and e-commerce, which involves electronic and commercial transactions. With the enhancement in technology and the rapid, applied-sciences-based development of the country, safeguarding against the negative impacts with stringent and effective laws became the need of the hour.
Cyber security, also known as information technology security, refers to the body of technologies, processes and practices designed to protect networks, devices, programs and data from attack, damage, or unauthorized access. Cyber security is crucial because military, financial, corporate and medical organizations store large amounts of data on technological devices, specifically computers. Organizations like these store sensitive and confidential data and transmit it across networks and to other devices in the routine course of business, and that data is crucial for the business.
Cyber-crime can be defined as “An illegal act fostered or facilitated by a computer, whether the computer is an object of a crime, an instrument used to commit a crime or a repository of evidence related to a crime.”
Cyber security, as the term suggests, provides protection from cyber-crime and is important because governmental, military, corporate, financial, and medical organizations collect, process, and store unprecedented amounts of data on computers and other devices. A significant portion of that data is, in most cases, sensitive in nature, whether that is intellectual property, financial data, personal information, or other types of data for which unauthorized or illegal access or exposure could have negative consequences for these organizations. Sensitive data is transmitted across networks and to other devices in the course of doing business, and cyber security describes the discipline dedicated to protecting that information, and the systems used to process or store it, from multiple cyber threats. As the nature, modes and sophistication of cyber-attacks grow, companies and organizations, especially those that are tasked with safeguarding information relating to national security, health, or financial records, need to take preventive steps to protect their sensitive business and personnel information. The nation’s top intelligence officials in March, 2013 cautioned that cyber-attacks and digital spying are the top threat to national security, eclipsing even terrorism, and so a threat to the entire nation.
II. ELEMENTS OF CYBER SECURITY
- Network security
- Application security
- Endpoint security
- Data security
- Identity management
- Database and infrastructure security
- Cloud security
- Mobile security
- Disaster recovery/business continuity planning
- End-user education
The most difficult challenge in cyber security is the ever-evolving nature of security risks themselves. Traditionally, organizations and the government have focused most of their cyber security resources on perimeter security to protect only their most crucial system components and defend against known threats. Today, this approach is insufficient, as the threats advance and change more quickly than organizations can keep up with.
Managing Cyber Security
The National Cyber Security Alliance, through SafeOnline.org, recommends a top-down approach to cyber security in which corporate management leads the charge in prioritizing cyber security management across all business practices. The National Cyber Security Alliance advises that companies must be prepared to “respond to the inevitable cyber incident, restore normal operations, and ensure that company assets and the company’s reputation are protected.” NCSA’s guidelines for conducting cyber risk assessments focus on three key areas: identifying your organization’s “crown jewels,” or your most valuable information requiring protection; identifying the threats and risks facing that information; and outlining the damage your organization would incur should that data be lost or wrongfully exposed. This plan should encompass both the processes and technologies required to build a mature cyber security program. Cyber security is an ever-evolving field, and its best practices must evolve to accommodate the increasingly sophisticated attacks carried out by attackers. Combining sound cyber security measures with an educated and security-minded employee base provides the best defense against cyber criminals attempting to gain access to your company’s sensitive data. While it may seem like a daunting task, start small and focus on your most sensitive data, scaling your efforts as your cyber program matures.
III. TYPES OF CYBER SECURITY ATTACKS
If you’ve ever seen an antivirus alert pop up on your screen, or if you’ve mistakenly clicked a malicious email attachment, then you’ve had a close call with malware. Attackers love to use malware to gain a foothold in users’ computers—and, consequently, the offices they work in—because it can be so effective.
“Malware” refers to various forms of harmful software, such as viruses and ransomware. Once malware is in your computer, it can wreak all sorts of havoc, from taking control of your machine, to monitoring your actions and keystrokes, to silently sending all sorts of confidential data from your computer or network to the attacker’s home base.
Attackers will use a variety of methods to get malware into your computer, but at some stage it often requires the user to take an action to install the malware. This can include clicking a link to download a file, or opening an attachment that may look harmless (like a Word document or PDF attachment), but actually has a malware installer hidden within.
Of course, chances are you wouldn’t just open a random attachment or click on a link in any email that comes your way—there has to be a compelling reason for you to take action. Attackers know this, too. When an attacker wants you to install malware or divulge sensitive information, they often turn to phishing tactics, or pretending to be someone or something else to get you to take an action you normally wouldn’t. Since they rely on human curiosity and impulses, phishing attacks can be difficult to stop.
In a phishing attack, an attacker may send you an email that appears to be from someone you trust, like your boss or a company you do business with. The email will seem legitimate, and it will have some urgency to it (e.g. fraudulent activity has been detected on your account). In the email, there will be an attachment to open or a link to click. Upon opening the malicious attachment, you’ll install malware on your computer. If you click the link, it may send you to a legitimate-looking website that asks you to log in to access an important file—except the website is actually a trap used to capture your credentials when you try to log in.
In order to combat phishing attempts, understanding the importance of verifying email senders and attachments/links is essential.
SQL Injection Attack
SQL (pronounced “sequel”) stands for structured query language; it’s a programming language used to communicate with databases. Many of the servers that store critical data for websites and services use SQL to manage the data in their databases. A SQL injection attack specifically targets this kind of server, using malicious code to get the server to divulge information it normally wouldn’t. This is especially problematic if the server stores private customer information from the website, such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information, which are tempting and lucrative targets for an attacker.
An SQL injection attack works by exploiting any one of the known SQL vulnerabilities that allow the SQL server to run malicious code. For example, if a SQL server is vulnerable to an injection attack, it may be possible for an attacker to go to a website’s search box and type in code that would force the site’s SQL server to dump all of its stored usernames and passwords for the site.
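The search-box scenario above, seen from the defender's side, as an added example that is not part of the original paper: the same search is built once by string concatenation and once as a parameterized query. The table, rows, function names and the hostile search term are all constructed for illustration, and hidden catalogue rows stand in for the stored credentials the text mentions.

```python
import sqlite3

# Constructed input: a "search term" that closes the string literal early.
HOSTILE_TERM = "' OR 1=1 --"

def make_db():
    """In-memory catalogue with constructed sample rows; public=0 must stay hidden."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, public INTEGER);
        INSERT INTO products VALUES
            ('blue kettle', 1), ('red kettle', 1), ('unreleased toaster', 0);
    """)
    return db

def search_vulnerable(db, term):
    """Builds the statement by concatenation, so the term is parsed as SQL."""
    sql = ("SELECT name FROM products "
           "WHERE public = 1 AND name LIKE '%" + term + "%'")
    return sorted(row[0] for row in db.execute(sql))

def escape_like(term):
    """Make %, _ and the escape character itself literal inside a LIKE pattern."""
    return (term.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))

def search_parameterized(db, term):
    """The statement text is fixed; the term travels separately as a bound value."""
    sql = ("SELECT name FROM products "
           "WHERE public = 1 AND name LIKE ? ESCAPE '\\'")
    pattern = "%" + escape_like(term) + "%"
    return sorted(row[0] for row in db.execute(sql, (pattern,)))

if __name__ == "__main__":
    db = make_db()
    for term in ("kettle", HOSTILE_TERM, "%"):
        print(repr(term), search_vulnerable(db, term), search_parameterized(db, term))
```

With the bound parameter the hostile term is only ever compared as text, so the `public = 1` filter cannot be bypassed; escaping the LIKE wildcards additionally stops a bare `%` from matching every row.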
Cross-Site Scripting (XSS)
In an SQL injection attack, an attacker goes after a vulnerable website to target its stored data, such as user credentials or sensitive financial data. But if the attacker would rather directly target a website’s users, they may opt for a cross-site scripting attack. Similar to an SQL injection attack, this attack also involves injecting malicious code into a website, but in this case the website itself is not being attacked. Instead, the malicious code the attacker has injected only runs in the user’s browser when they visit the attacked website, and it goes after the visitor directly, not the website.
Cross-site scripting attacks can significantly damage a website’s reputation by placing the users’ information at risk without any indication that anything malicious even occurred. Any sensitive information a user sends to the site—such as their credentials, credit card information, or other private data—can be hijacked via cross-site scripting without the website owners realizing there was even a problem in the first place.
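How a site keeps user-supplied text from running in other visitors' browsers, as an added example that is not part of the original paper: a comment renderer written once by plain concatenation and once with output encoding plus a URL scheme allow-list. The function names, the allow-list and the sample inputs are assumptions constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Assumption for this example: only absolute web links are accepted.
ALLOWED_SCHEMES = {"http", "https"}

def render_vulnerable(name, homepage, comment):
    """Concatenates user input into markup, so the browser parses it as HTML."""
    return '<p><a href="' + homepage + '">' + name + "</a>: " + comment + "</p>"

def safe_url(url):
    """Return the URL if its scheme is allow-listed, otherwise an inert '#'."""
    url = url.strip()
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:          # malformed URL, e.g. a broken IPv6 literal
        return "#"
    return url if scheme in ALLOWED_SCHEMES else "#"

def render_escaped(name, homepage, comment):
    """Encodes every user-supplied value for the HTML context it lands in."""
    return '<p><a href="{}">{}</a>: {}</p>'.format(
        html.escape(safe_url(homepage), quote=True),  # attribute context
        html.escape(name),                            # element content
        html.escape(comment),                         # element content
    )

if __name__ == "__main__":
    # Constructed inputs: markup in the comment, a script URL as homepage.
    comment = "<script>alert(1)</script>"
    print(render_vulnerable("Ann", "https://example.org/", comment))
    print(render_escaped("Ann", "https://example.org/", comment))
    print(render_escaped("Ann", "javascript:alert(1)", "hi"))
```

Encoding alone does not neutralise a `javascript:` link, because that value contains no characters that need escaping; the scheme check covers that case.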
Imagine you’re sitting in traffic on a one-lane country road, with cars backed up as far as the eye can see. Normally this road never sees more than a car or two, but a county fair and a major sporting event have ended around the same time, and this road is the only way for visitors to leave town. The road can’t handle the massive amount of traffic, and as a result it gets so backed up that pretty much no one can leave.
That’s essentially what happens to a website during a denial-of-service (DoS) attack. If you flood a website with more traffic than it was built to handle, you’ll overload the website’s server and it’ll be nigh-impossible for the website to serve up its content to visitors who are trying to access it.
This can happen for innocuous reasons of course, say if a massive news story breaks and a newspaper’s website gets overloaded with traffic from people trying to find out more. But often, this kind of traffic overload is malicious, as an attacker floods a website with an overwhelming amount of traffic to essentially shut it down for all users.
IV. LEGISLATIVE FRAMEWORK
India’s First Cyber Law: The Information Technology Act, 2000
In view of the international recognition of electronic transactions and their growing use within India, the Indian legislature felt the need to provide a legal framework for e-commerce and digital signatures. It led to the enactment of India’s first cyber legislation: The Information Technology Act, 2000 (the IT Act, 2000).
The main objectives of this, as laid down in its Preamble are the following:
- To give effect to the U.N. General Assembly’s Resolution on the Model Law.
- To provide legal recognition to e-commerce
- To facilitate electronic filings of documents with government agencies.
- To amend various laws as the Indian Penal Code, Indian Evidence Act, 1872, and the Reserve Bank of India Act, 1934.
National Cyber Security Policy, 2013
The National Cyber Security Policy 2013 aims at:
(1) Facilitating the creation of a secure computing environment;
(2) Enabling adequate trust and confidence in electronic transactions; and
(3) Providing guidelines for stakeholders’ actions for the protection of cyber space.
The National Cyber Security Policy 2013 should be seen as being about the protection of information, such as personal information, financial/banking information, sovereign data etc.
Information and knowledge empower, and in order to empower people with information specifically, we need to secure and safeguard that information. There is a need to differentiate between data which can flow freely between devices and parties and data which needs to be protected. The National Cyber Security Policy of 2013 has been drafted in consultation with, and on the recommendation of, all important and intellectual stakeholders, user entities and the general public who understand the arena of cyber security and the threats to come. This policy aims at facilitating the creation of a secure computing environment, enabling adequate trust and confidence in electronic transactions, and guiding stakeholders’ actions for the protection of cyberspace.
The National Cyber Security Policy document outlines a roadmap and gives a blueprint to create a framework for a comprehensive, collaborative and collective response to deal with the issue of cyber security at all levels within the country. The policy recognizes and addresses the need for objectives and strategies that have to be adopted both at the national level and on the international front.
The objectives and strategies indicated in the National Cyber Security Policy–
- Articulate our concerns, understanding, and priorities for action as well as directed efforts.
- Provide confidence and reasonable assurance to all stakeholders in the country (Government, business, industry and the general public) and global community, about the safety, resiliency and security of cyberspace.
- Adopt a suitable posturing that can signal our resolve to make determined efforts to effectively monitor, deter and deal with cyber-crime and cyber-attacks.
Salient features of the 2013 National Cyber Security Policy-
In brief, the National Cyber Security Policy covers the following aspects:
- A vision and mission statement aimed at building a secure and resilient cyberspace for citizens, businesses and Government.
- Enabling goals aimed at reducing national vulnerability to cyber-attacks, preventing cyber-attacks & cyber-crimes, minimizing response & recovery time and effective cybercrime investigation and prosecution.
- Focused actions at the level of Government, Public-Private-Partnership (PPP) arrangements, cyber security related technology actions, protection of critical information infrastructure and national alerts and advice mechanism, awareness & capacity building and promoting information sharing and cooperation.
- Enhancing cooperation and coordination among all the stakeholder entities within the country.
- Objectives and strategies in support of the National Cybersecurity vision and mission.
- Facilitating monitoring key trends at the national or domestic level such as trends in cyber security compliance, cyber-attacks, cyber threats, and cyber-crime.
V. CONCLUSION & SUGGESTIONS
Cyber security is essential to protect classified and important information held on different devices; it also safeguards the reputation and brand name of an organization and provides an approach to detecting threats like phishing, malware, denial of service, etc.
Cyber security can never be completely achieved but maximum control and prevention can be implemented to detect and prevent the threats occurring. There are certain points to ensure protection and prevention from cyber threats-
- Network security
- Malware protection
- Incident management
- Secure configuration
- User education and awareness.
- Government to ensure Internet Service Providers (ISPs) operating in the state
- Government shall deploy cybersecurity plans in line with State cyber security policy.
- Internet Security (IS) Policies & practices shall be mandated at govt. functionaries & its service providers.
- International standards applicable for all the governmental websites.
- Hosting and publishing.
- State Cybersecurity Framework shall be envisaged in P-P-P (Public-Private-Partnership) Model.
- Government shall partner with the private sector and the academia to strengthen cyber security posture of the state.
- State cyber security framework to support strategy and implementation mechanisms to prevent digital impersonation and identity theft and the security incidents.
- Stringent penalties for fraudulent apps and unauthorized In-App purchases.
 ‘Cyber space’ is referred to as a mere virtual space where computer-mediated communication takes place but which may not be spatially located. Prof. Andreas Zimmermann, University of Potsdam: International Law and Cyber Space, Vol 3, Issue 1, European Society of International Law.
 Available at https://digitalguardian.com/blog/what-cyber-security.
 Definition by Royal Canadian Mounted Police in 2000, as quoted in Sameer Hinduj: Computer Crime Investigations in the United States: Leveraging knowledge from the past to address the Future, International Journal of Cyber Criminology, Vol.I, Issue 1, January, 2007.
 Available at https://staysafeonline.org/about/
 Available at https://digitalguardian.com/blog/what-cyber-security
 Available at https://blog.netwrix.com/2018/05/15/top-10-most-common-types-of-cyber-attacks/
 Available at https://www.rapid7.com/fundamentals/types-of-attacks/
 Available at https://www.rapid7.com/fundamentals/types-of-attacks/
 Available at https://www.rapid7.com/fundamentals/types-of-attacks/
 Available at http://nciipc.gov.in/documents/National_Cyber_Security_Policy-2013.pdf
Cite as: Aradhya Singh, An Era of Cyber Security: A Distant Dream, 1 Int’l J. of Legal Sci. and Inno. 2 (2019)