Reporting Ransomware, Other Cyber Threats Your Legal Obligations
The Wannacry ransomware outbreak that continues to unravel across the globe is the latest in a long line of prominent cyber security threats. With time, these attacks are only likely to become more frequent, sophisticated and widespread.
The Indian IT Secretary recently stated that the impact of ransomware in India is currently limited to six incidents. In sharp contrast, other estimates peg attempts at over 48,000 and counting, with over 700 successful infections.
If the government figures belie (as they often do) the true impact of attacks such as Wannacry, this creates big problems for everyone.
For one, it delays the time specialised first-responders like the government's Computer Emergency Response Team (CERT-In) take to kick into high gear and take the necessary steps to prevent an online pandemic. It also creates a false sense of security in users who may not take critical steps at their level to prevent a much larger network attack.
An important step in ensuring the government is on the ball, is reporting such incidents to the authorities -- something that may not strike most people, but is the law, and non-reporting is punishable.
So what qualifies as a report-worthy "incident" under law?
Rules relating to CERT-In's functioning classify the following instances as those which are required to be mandatorily reported as soon as possible:
(i) Targeted scanning/probing of critical networks/systems
(ii) Compromise of critical systems/information
(iii) Unauthorised access of IT systems/data
(iv) Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites, etc.
(v) Malicious code attacks such as spreading of virus/worm/Trojan/botnets/spyware;
(vi) Attacks on servers such as database, mail, and DNS and network devices such as routers
(vii) Identity theft, spoofing and phishing attacks
(viii) Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
(ix) Attacks on critical infrastructure, SCADA systems and wireless networks and
(x) Attacks on applications such as e-governance, e-commerce, etc.
Most of these instances are self-explanatory, and the current ransomware attack falls within several of these categories (ii), (iii), (v), (vi) (vii) and (viii) all have elements of a ransomware attack.
If you find that you fall within one of the instances above, the next question that arises is who needs to report them and how.
Under the CERT-In Rules, the reporting requirement lies on "any individual, organisation or corporate entity affected by cyber security incidents" (which include the mandatory reportable incidents set out above, although the definition itself is wider). Reporting incidents to CERT-In can be through several channels (email firstname.lastname@example.org, call the helpdesk at 1800-11-4949, or fax 1800-11-6969).
The website http://www.cert-in.org.in/ also provides an incident reporting form to be filled in, which must cover details such as the timing of the incident, affected systems, symptoms observed and relevant technical information.
If you are an enterprise user and have system administrators, the best person to carry out the reporting exercise would be the head of the team. Remember that the reporting is required as soon as possible, and a general yard-stick (though not specifically set) would be within 24 hours of the incident.
Although a direct penalty is not provided for under the CERT-In Rules, its umbrella legislation does, and non-reporting could attract one of several potential penalties (currently open to interpretation), ranging from Rs 5,000 a day or Rs 150,000 per failure, to Rs 100,000, imprisonment (yes) of up to one year, or a combination of the two.
Additional reporting requirements apply to "intermediaries" under the IT Act, banks are mandatorily required to specifically report cyber security incidents to the Reserve Bank of India (RBI) within 2-6 hours (see https://tinyurl.com/moca57f and https://tinyurl.com/l5ajkqq), and telecom operators have a similar obligation under the Unified License Agreement where a breach of a license term (such as reporting) carries a hefty fine of Rs 50 crore for each breach.
Finally, if you're affected by ransomware and are being asked to pay a ransom in Bitcoin to decrypt your data, beware that virtual currencies such as Bitcoin and the wallets and exchanges that enable Bitcoin transactions in India continue to function in a legal grey area, although some form of regulation is on the anvil.
Thus, beyond the practical problem of paying a ransom in Bitcoin and the attacker rescinding on his promise to decrypt your files, making such payments, especially overseas, could result in the RBI coming knocking at your door.
As a long-term strategy, individuals and organisations alike would do well to adapt industry best-practices relating to cyber security (whether or not they are mandated to do so by law), ensure that policies adopted in this regard are in sync with legal reporting requirements, and that all relevant stakeholders are made aware of what those requirements are and how to address them in a crisis situation.