
Reporting cyber-attacks


By V Sridhar, Professor, IIIT Bangalore


The Ministry of Electronics and Information Technology (MeitY) is likely to come out with new cyber security regulations, as indicated by the MoS for Electronics and IT, Shri Rajiv Chandrasekhar, at a recent cyber security event. The essence of this regulation will be to put the onus on organisations to report any cybercrime committed against them, including data leaks. There is a corresponding clause (25) in the Data Protection Bill 2021 requiring data fiduciaries to report any personal or non-personal data breach within 72 hours of becoming aware of it. Even the gold standard for data protection, the European Union General Data Protection Regulation (EU GDPR), has a clause (Article 33) requiring data breaches to be notified to the supervisory authority within the same stringent 72-hour timeline.

While this, in principle, is likely to improve cyber security and reduce attacks and breaches, why do breach incidents continue every minute as we speak? According to Cybercrime Magazine (cybersecurityventures.com), if it were measured as a country, then cybercrime, which is predicted to inflict damages totalling $6 trillion globally in 2021, would be the world's third-largest economy after the U.S. and China.

Beyond private firms, government services, and especially critical utilities, are also prone to cyber-attacks and breach incidents. The ransomware attack in May 2021 on the largest fuel pipeline in the U.S., operated by a private firm, led the operator to shut the pipeline down, halting the transportation of about 45 per cent of all petrol, diesel and jet fuel consumed on the east coast. Hence it is important that cyber-attacks on government departments and State Owned Enterprises are also reported, so that corrective action can be taken on the critical infrastructure of the nation.

What is the logic behind incident reporting? If incidents are reported, organisations such as the Indian Computer Emergency Response Team (CERT-In) can alert other organisations about the associated security vulnerabilities and indicators of compromise. Firms not yet affected can then take precautionary measures, such as deploying security patches and improving their cyber security infrastructure, so that cyber security across all sectors improves in general.

However, why are firms reluctant to notify regulators of breach incidents? Any security or privacy breach has a negative impact on the reputation of the affected firm. An empirical study by Comparitech (comparitech.com) indicates that share prices of breached firms fall around 3.5 per cent on average over the three months following the breach. In the long term, breached companies underperform the market: after one year, the share price of breached firms had fallen 8.6 per cent on average. Hence firms weigh the penalties they face for not disclosing an incident against the potential reputational harm of disclosure, and decide accordingly. Unless the penalty for non-disclosure is high enough that not disclosing is never the better bet, firms have an incentive not to disclose despite the regulations.

The other important aspect is enforcement of the regulation and its associated rules. How will the regulator come to know when a firm does not disclose a security breach? This can be done only through periodic cyber security audits, and these audits must be thorough enough to surface incidents the firm did not report. Unfortunately, regulators in most countries, including India, lack the capacity to conduct such audits frequently and completely. If either the probability of an audit is low, or the probability of an audit finding an undisclosed breach is low, the firm's expected penalty is small and the incentive not to disclose remains.

Given the complex nature of disclosure described above, what are the possible solutions beyond enacting rules? First, the Government should empanel third-party cyber security auditors to conduct periodic cyber security impact assessments, primarily across all government departments at both the national and state level, so that security threats and incidents affecting government information infrastructure can be detected proactively and incidents averted. The Government should also mandate that private firms publish periodic security audit reports, and arrange surprise security audits to enforce compliance.

Along these lines, MeitY, as part of the Government of India's Cyber Security Assurance initiatives to evaluate and certify IT security products and protection profiles, has set up Common Criteria test laboratories and certification bodies across the country. These schemes can be extended to cyber security audits and assessments as well. Much as IBM has set up a large Security Command Centre in Bengaluru, other large firms should be encouraged to set up such centres to protect their own assets. Such measures would also pass muster under the EU GDPR, moving India closer to the set of countries recognised as having a level of cyber security and data protection equivalent to that of the EU, which is a prerequisite for seamless cross-border data flow.

(This article first appeared in The Hindu. 1 March 2022)