Cyber attack - where to go and what to do?

In a hall full of Chief Information Security Officers (CISOs) of key Indian private companies at the 8th Annual CSO Summit, organized by CSO Forum in Chandigarh, many of the CISOs present did not know which government authority should be approached in case of a cyber attack. A few said they would approach the Indian Computer Emergency Team (CERT-In) under the Department of Electronics and Information Technology (DeitY). Another few said they would go to the National Critical Information Infrastructure Protection Centre (NCIIPC). A few said they would go to the cyber police station in their city, while a few were of the opinion that they would go to the local police station. One case of data theft was also discussed in which the local police station demanded a photograph of the data that was stolen.
The CISOs claimed that there was little to no response from CERT-In when incidents were reported to it. The 24*7 toll-free number 1800-11-4949 was not reachable beyond office hours. The consistent view was that the Government of India had held limited consultations with private sector CISOs. Some organizations, however, have their own regulators: telecom companies report to the Department of Telecom, banks to the Reserve Bank of India (RBI), and insurance companies to the Insurance Regulatory and Development Authority (IRDA). These organizations mentioned that their regulators include cyber security audits in overall auditing.
Multiple critical sectors may be hit if a cyber attack happens: energy; transportation, which includes roads, railways, water and air transport; banking and finance; telecom; defence and space; law enforcement and intelligence; public health; water supply; and e-governance. Section 70 of the IT Act 2000 defines "Critical Information Infrastructure (CII)" as the computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety.
The threats to CII may be internal, where an insider's betrayal causes losses through IT sabotage, fraud or theft of confidential information. There can also be external threats, which may come from hackers, terrorists, foreign government agents, non-state actors, hostile states and rivals. Espionage, cyber warfare and cyber terrorism can happen through malware attacks, email attachments, smartphones, removable media, web applications, social networks, social engineering attacks, wireless attacks, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, botnets, supply chain contamination and many more ways.
There have been many attacks that have shaken nations. The Stuxnet attack hit the nuclear programme of Iran. The Duqu virus (2011) affected Iran, France, UK, Hungary, Australia and Indonesia. Flame malware affected over 1000 machines in Iran, Egypt, Sudan, Lebanon, Saudi Arabia and Israel. Shamoon malware affected the energy sector and the functioning of Saudi Aramco and Qatar RasGas. GhostNet was a cyber spying operation which compromised systems of embassies, foreign ministers and other government officials; offices of the Dalai Lama in India, London and New York were also affected. Shadow in Cloud is another cyber espionage operation in which theft of classified and sensitive data was reported. Visa applications were specifically stolen in this attack.
In 2007 Estonia became the victim of DoS and DDoS attacks, website defacement, attacks on DNS servers, and mass e-mail and comment spam. Servers of institutions responsible for Estonian internet infrastructure were attacked, and the websites of the President, ministers, state agents, e-banking and news organizations were affected.
The Georgia 2008 cyber conflict targeted the President, Parliament, the local government of Abkhazia, news and media sites, online discussions and financial institutions. The Lithuanian 2008 cyber conflict led to defacement of pro-Soviet and communist symbols; over 300 private sector (95%) and government (5%) sites were affected.
In India there is strong legislation in the form of the IT Act, wherein sections 66A, 66B, 66C, 66D, 66E, 66F, 67A, 67B, 67C, 66F provide for punishment for cyber terrorism. Section 70A defines NCIIPC as the nodal agency to deal with cyber attacks. However, this fact was known to only a limited number of the CISOs who participated.
The CISOs claimed that they did not receive any reply from CERT-In on reporting incidents. Their main grievance was that the government has not reached out to private corporates to educate them on what needs to be done in case of a cyber attack with respect to reporting the incident to the government.
There exist many international standards, such as ISO/IEC 29000, ISO 31000, ISO 22301, Federal Information Processing Standards (FIPS), Control Objective for Information and related technology (COBIT), Information Technology Infrastructure Library (ITIL) and Payment Card Industry Information Security Standards (PCI DSS). In India we also have the DSCI Security Framework (DSF). Many organizations in India have adopted these standards because they work for international clients who ensure data security before outsourcing work to India.
So far there is no legislation for data protection and privacy in India, and this needs to be implemented. Despite that, the IT Act 2000 is one of the best-drafted pieces of legislation, but as always the Act is not being implemented properly. CERT-In and NCIIPC have to educate not only the CISOs in government but also those in the private sector. The CISOs of private organizations need to be aware of what needs to be done in case of a cyber attack.
 
