India: Cyber War

Introduction:

Cyber war in simple term means the use of computer technology to disrupt the activities of a state or organization by disabling financial and organizational systems through stealing or altering classified data to undermine networks, websites and services via the Internet through computer viruses, Denial-of-Service attacks, etc. Cyber war is a virtual conflict initiated as a political attack on the enemy's computer and information system and also known as 'Cyber Warfare'.

Cyber war is often confused with the term "Cyber Crime". There is no doubt indeed that all acts of cyber war are cyber crimes, but not all acts of cyber crime can be termed as cyber war. In order to understand what Cyber War exactly means, let's take an example, when a person from country A conducts a targeted attack against several companies in country B, does it count as cyber war, or cybercrime? The answer depends on "intent". If the attack is politically motivated, an act that may destroy data or even cause physical damage to infrastructure of a specific country, it may be considered an act of cyber war.

For a cyber attack to be called Cyber War there must be a use of force and disruption to physical life and when a person perform these activities with "political aims" then they are popularly known as "hacktivists"

Methods of attacks

There a various methods to attack a computer or network of computers. The method depends upon the attacker's goal, i.e. what he wants to target. Methods of attacks are classified on the basis of the intent. Various methods of attack are as follows:

1. Espionage and National Security Breaches

Espionage is the act of obtaining secrets, sensitive or classified information from rival groups, competitors, government or enemies for military, political or economic advantages by illegal methods of exploitation on internet, software and network of computers. In simple terms it is a method of spying on other nations and their organizations in order to gather data and information about the enemy.

2. Malwares

Malwares are malicious software which refers to viruses, spywares, worms etc. It is software designed to disrupt the system, gather sensitive information or gain access to private computer systems.

3. Denial of Service Attacks (DoS)

Denial of Service Attacks or Distributed Denial of service attacks are the type of activities that makes the network unavailable to its intended users. The main targets of DoS are sites or services hosted on high profile servers like, banks, credit card payment gateways, and even root name servers. DoS attacks makes it difficult for the user to use the machine or network resource and consume up all the resources and it no longer provide its intended service or obstructs the communication media between the intended users and the victim so that they can no longer communicate adequately.

Legal framework to check the Cyber Attack:

With an expansion in the growth of technology and increase in the crimes in the cyber space, there was an urgent need of strict statutory laws to regulate the criminal activities in the cyber world and to protect technological advancement system. In the virtual world known as Cyberspace, the criminal activities are not easy identified and require specific skill with state of the art technology. In addition to specific skill of the law enforcement agencies, an up to date law is also required to deal with the cases related to cyber attack. We now look into the law of different countries related to cyber attack:

INDIA

In India the IT Act 2000, as amended by the IT(Amendment) Act 2008 is known as the Cyber Law. The IT (Amendment) Act 2008 has a separate chapter entitled as "Offences". Though there are many shortcomings and it is not a very effective law to monitor cyber war, various cyber crimes have been mentioned as penal offences with punishment in the said chapter. Some of the offences as per the IT (Amendment) Act 2008 are as follows-

1. Hacking2

Hacking may refer to computer hacking, including the following types of activity:

  • An activity within the computer programmer Subculture
  • an act to gain access to computer networks, legally or otherwise
  • Computer crime

Section 43(a) read with section 66 of the Act3 is applicable and Section 379 & 406 of Indian Penal Code, 1860 are also applicable under the Information Technology (Amendment) Act 2008. Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

2. Spreading Virus or Worms

Viruses or worms are the kind of cyber weapon that can do any amount of damage the creator intends them to do. It can send data to a third party and then delete the data from the computer. It can also ruin/ mess up the system and render it unusable without a re-installation of the operating system. The viruses usually install files on the system and then change the system so that virus program is run every time the system is started. It will then attempt to replicate itself by sending itself to other potential victims.

Under Information Technology (Amendment) Act, 2008, Section 43(c) & 43(e) read with Section 66 is applicable and under Section 268 of Indian Penal Code, 1860 is also applicable. Spreading of Virus offence is cognizable and bailable.

On July 23rd, 2013 a new and deadly variant of computer virus called 'Beebone'4was detected in Indian cyberspace. 'Beebone' belongs to the notorious family of Trojan malwares which get a "privileged access" into a user's computer by faking its identity and deploying smart and corrupt techniques to attack vulnerable computers.

3. Email Spoofing

E-mail spoofing is an e-mail activity in which the address of the sender and other parts of the e-mail appear as though the e-mail originated from a different source. In this an e-mail is sent to another person in such a way that it appears that the e-mail was sent by someone else. It appears to originate from one source but actually has been sent from another source. Spoofing is the act of electronically disguising one computer as another for gaining as the password system.

Under Information Technology (Amendment) Act, 2008, Section 66-D and Section417, 419 & 465 of Indian Penal Code, 1860 are also applicable. Email spoofing offence is cognizable, bailable, compoundable with permission of the court before which the prosecution of such offence is pending and triable by any magistrate.

UNITED KINGDOM

Cyber crime losses vary depending on the nature of threat and attack. Unlike India, UK has different sets of rules and laws which govern Cyber attacks. Steps have been taken in the UK to help combat with the problem of Cyber War. The UK government has revealed new plans to enhance its National Cyber Security Strategy, announcing a new British Computer Emergency Response Team (CERT), National Cyber Crime Unit (NCCU) and a Cyber Reserves Force. These teams will help to monitor and report on instances of cyber attacks leading to cyber war.

In addition to 'traditional' criminal legislation against theft and fraud, which can apply to cybercrime, legislation specifically targeted at cyber attacks includes-

1. Computer Misuse Act 1990

The Computer Misuse Act 1990 was established in the aftermath of "R v Gold & Schifreen"5. Robert Schifreen and Stephen Gold, gained unauthorized access to British Telecom's Prestel interactive view data service using conventional home computers and modems in late 1984 and early 1985. The pair was charged under section 1 of the Forgery and Counterfeiting Act 1981 with defrauding BT by manufacturing a "false instrument", namely the internal condition of BT's equipment after it had processed Gold's eavesdropped password. Tried at Southwark Crown Court, they were convicted on specimen charges (five against Schifreen, four against Gold) and fined, respectively, £750 and £600.

2. The Data Protection Act 1998

It includes basic rules of registration for users of data and rights to access that data. It controls how the personal information of an individual or an organization is used by other organization, businesses and government.

The act contains eight "Data Protection Principles"6. These specify that personal data must be:

1.Processed fairly and lawfully.

2.Obtained for specified and lawful purposes.

3.Adequate, relevant and not excessive.

4.Accurate and up to date.

5.Not kept any longer than necessary.

6. Processed in accordance with the "data subject's" (the individual's) rights.

7.Securely kept.

8. Not transferred to any other country without adequate protection in situ.

Offences under these acts can result in fines or imprisonment for up to 10 years. There are also sections related to cybercrime in the Regulatory and Investigatory Powers Act 2000 and the Terrorism Act 2000.

Law enforcement agencies who deal with cyber attacks include:

  • e-crime divisions of local police
  • the National Crime Agency
  • GCHQ/the intelligence services (depending on the nature of the offence).

THE UNITED STATES

The United States is one of the biggest perpetrators as well as the victim of cyber war. With the US being one of the biggest economies it is one of the targets of being a victim of a cyber attack. The United States federal government has invested heavily in the development of the cyber regime and also for technologies to protect them from being a victim of cyber attack.

In 2011, The White House published an "International Strategy for Cyberspace" that reserved the right to use military force in response to a cyber attack7. The strategy of US is based on jus ad bellum, which means a set of criteria needs to be consulted before engaging in war. If the cyber war results into death and significant loss to property then a country has a right to engage into conventional means of war.

The US government created United States Cyber Command (USCYBERCOM), a division of United States Strategic Command (USSTRATCOM)8to prevent and counter attacks on military network. According to the US government the Law of armed conflict applies to cyber warfare. The United States and many other nations are adopting advanced cyber capabilities to respond to the threats of the emerging cyberspace warfare. The International Committee of the Red Cross (ICRC) has steadfastly argued that many of the same principles that regulate battlefield combat also apply in cyberspace9.

TALLINN MANUAL ON CYBERWAR

Tallinn manual, originally known as "Tallinn Manual on the International Law Applicable to Cyber Warfare"10The manual is not an official NATO document. It was drawn up by NATO's Co-Operative Cyber Defence Centre of Excellence. It was launched in 2008 after hackers from Russia caused damage to infrastructure of Estonia11. It is an academic, non- binding study on how international law is applicable to cyber conflicts. The book includes 95 "black letter rules" detailing how states can carry out and responds to cyber attacks within the boundaries of international law.

It is based on jus ad bellum and international humanitarian law. The Tallinn manual advises that cyber attacks must not be targeted at hospitals, dams and nuclear power stations. It includes a provision that allows states to respond with conventional weapons to cyber attack by another state that causes death or significant damage to property.

It defines the term "Hacktivist" as:

"A private citizen who on his or her own initiative engages in hacking for, inter alia, ideological, political, religious, or patriotic reasons"

CASE STUDY

1. STUXNET

Stuxnet was the computer worm which disrupted Iranian nuclear enrichment in 2010. It came to be known as the first instance of cyber attack to cause physical damage across international boundaries. Unlike a typical worm which is used to steal credit card details and personal and sensitive information, Stuxnet was aimed to cause physical destruction against the industrial systems. It was created to sabotage Iran's nuclear industry.

2. SONY HACK

On November 24th 2014, Sony Pictures faced an unauthorized security breach. The hackers which go by the name of #GOP aka the Guardians of Peace downloaded copies of data from Sony Pictures computers which included personal data of the employees including executive salaries, performance reviews screenplays, and have leaked some unreleased movies.

The malware used to harm Sony Pictures, known as "Destover", acts as a backdoor and is capable of wiping disk drives and any Master Boot Record disk -- in other words, it can sneak into a system, completely take over and give access to the data saved within. It is believed that North Korea is behind this cyber attack as the security was breached right before the release of "The Interview", an upcoming comedy about two journalists who attempt to assassinate the Supreme Leader of North Korea, Kim Jong Un.

As a result of this attack a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents and also all the system of Sony Pictures are still shut down.

On December 15, 2014, lawyers filed a class action complaint against Sony in federal court in California. The complaint puts companies on notice as to the types of claims that they might face if their systems are hacked, and steps they can take now to protect themselves. Possible legal claims could include: negligence; violation of medical privacy laws; violations of regulatory rules, if applicable; and failure to comply with post-breach laws.

3. ATTACK ON ESTONIA

On April 26, 2007 cyber warfare attack began to appear in Estonia. Estonia is an extremely wired country, and its people are addicted to the Internet for all the administrative workings of government, like, economic life, communications, financial transactions, bill paying, etc. The denial of service (DoS) attack swamped websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters.

On 2 May 2007, a criminal investigation was opened into the attacks under a section of the Estonian Penal Code criminalizing computer sabotage and interference with the working of a computer network, felonies punishable by imprisonment of up to three years.

On 24 January 2008, Dmitri Galushkevich, a student living in Tallinn, was found guilty of participating in the attacks12. He was fined 17,500 kroons (approximately US$1,640) for attacking the website of the Estonian Reform Party.

CONCLUSION

With the massive expansion of the use of technology in the world there is an urgent need to come up with better provisions to protect a country from cyber war. USA tops the chart in being the most attacked countries in the cyber space. Even though US is a super power, it is also most vulnerable to a cyber attack and is not well prepared for a cyber warfare as shown by the recent Sony hacking case. India being a upcoming cyber market is also vulnerable to the cyber attack hence require a better law and trained personnel to deal with the crime related to cyber world.

The problem with cyber attack is that the threat can be found but the individual remains invisible which makes it difficult to stop the attack from further disrupting the systems. A cyber attack can't be stopped completely, but with efficient technology and software the damage can be minimized. Cyber threats are more far dangerous than what we imagine as most of the basic amenities these days are run through internet and any attack on these basic necessities can lead to a complete disaster. It can completely bring a system or a government down resulting into huge financial as well as physical loss in some cases. There is an urgent need to reinforce the security systems and better training and funding for the counterintelligence.

Footnotes

1.IVth Year BA. LLb student from New Law College, Bharti Vidyapeeth University, Pune] 2. http://en.wikipedia.org/wiki/Hacking

3. Act here stands for "Information Technology (Amendment) Act 2008

4. Source: The Economic Times, http://articles.economictimes. indiatimes.com/2013-07-23/news/40749343_1_computervirus- computer-security-security-features

5. http://en.wikipedia.org/wiki/Hacking

Cited in http://www.dataprotectionact.org/1.html

7. "International Strategy for Cyberspace" (PDF). The White House. 2011

8. United States Strategic Command, US Cyber Command, Dec. 2011, available at http://www.stratcom.mil/fCyber_ Command.

9. See International Committee of the Red Cross, Cyber Warfare, Oct. 10, 2010 available at http://www.icrc.org/eng/war-and-law/conduct-hostilities/information-warfare/overview-information-warfare.htm ; See also International Committee of the Red Cross, No Legal Vacuum in Cyber Space, Aug. 16, 2011 available at http://www.icrc.org/eng/resources/documents/interview/2011/cyber-warfareinterview-2011-08-16.htm .

10. Tallinn Manual on the International Law Applicable to Cyber Warfare http://www.knowledgecommons.in/wp-content/uploads/2014/03/Tallinn-Manual-on-the-International-Law-Applicable-to-Cyber-Warfare-Draft-.pdf

11. Source: New Atlanticist. http://www.atlanticcouncil.org/ blogs/new-atlanticist/reason-finally-gets-a-voice-thetallinn-manual-on-cyber-war-and-international-law

12. Postimees, supra note 70.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions