Tuesday, April 16, 2024

Mumbai cyberattacks: Power Play

Recent statements by persons in authority suggest that power outages in major cities like Mumbai can be the result of malware planted by hackers. What legal options exist?

By Sujit Bhar

There was a major power outage in Mumbai on October 12, 2020 that lasted two hours and threw the unsleeping city into chaos. The stock market went on the blink and many people lost a lot of money. Such incidents were once supposed to be the residual stink of civilisation, but just the other day the state’s home minister, Anil Deshmukh, told the media that “preliminary finding of an investigation by the cyber cell” found that it was probably the misdeed of Chinese hackers. He said that the hackers had planted some malware that invaded the overall system. Politics quickly took over, and Union energy minister Raj Kumar Singh categorically denied any Chinese hand, saying it was just “human error”.

One can cling to clues, such as one comment that yes, there was possibly some malware doing its mala fide job in some extremity of the power grid, but it did not manage to climb back into the main fold of the grid. So, all is well now. Deciding who is right is a completely obtuse exercise, but one does need to look inwards and inspect what happened to India’s cyber security laws, and how protected we are, legally. Before that, we need to understand how the power sector can be affected remotely through malware. As the Indian power sector grew at a rapid pace, there was a huge need for intelligent control units for complex national grid interfaces. Of course, the retarded practice of L1 selection even in a global contract/tender meant that contracts went to Chinese companies.

Believe it or not, Chinese companies have gained immense access into this strategic sector of the country. As per available data, Chinese companies won bids to install such intelligent control systems, not only across large parts of the national power grid, but also within 46 city networks, at the least, between August 2016 and March last. And, believe it or not, Dongfang Electric Corporation, based in Chengdu and directly controlled by Beijing (which means the Chinese Communist Party), also considered a “backbone enterprise” of that country, had won supervisory control and data acquisition contracts for as many as 23 cities in five states and Union Territories. Mumbai is just one of them. These “intelligent” units are intelligent enough to report back to their bosses and take orders. It has been said that such malware is dormant now, and can be activated at any time through orders from Beijing.


The Mumbai malware probably did just that. That is not science fiction stuff. It pretty much is within current technical capabilities of the world.

This has been found and confirmed by a Somerville, Massachusetts-based company called Recorded Future, which had pieced together data to show the flow of malware. This company studies the use of the internet by state actors. The scary part of this study is that it found that most of the malware was never activated; it lies dormant, waiting.

Replacing all such hardware and the aligned software that runs it would be a matter of time, new global tenders and several billions of dollars. Meanwhile, we could be at the mercy of some foreign hand. That, simply, has to be done, but the immediate necessity is to review our cyber laws. One has to remember that laws must not only be for things on the Internet, but for Internet of Things (IoT) applications, such as these intelligent control units. Many of these units can also adapt with the help of AI algorithms. As India’s internet user base increases (2021 predictions are of 600 million users, which is a shade under the total combined population of the US and Indonesia, the third and fourth most populated nations on earth), the use of IoT also keeps pace. In both cases cyber security becomes an immediate and essential requirement.

What are the Indian laws that govern stuff on the Internet? Basically, the initiator of such laws was the United Nations Commission on International Trade Law, which, in 1996, adopted a model law on e-commerce that was to be a universal legal model. This was endorsed by the UN General Assembly which suggested that this model be the backbone of the cyber laws of different countries. India was the 12th country to legitimise cyber regulations. The Ministry of Commerce created the eCommerce Act in 1998 and formulated and passed the Information Technology Bill in May 2000. It was notified as an Act that October.

The Act is detailed, dealing with several aspects of the cyber world, and legal implications and penalties were penned down. The Indian Penal Code 1860 was amended, as were the Bankers’ Books Evidence Act, 1891, the Indian Evidence Act, 1872 and the Reserve Bank of India Act, 1934. Through those we now have easy access to electronic transactions, and digital signatures have had legal sanction. Biometrics was soon accommodated, and the introduction of Aadhaar added further security layers.

However, one has to remember that a law which has 1996 or even 2000 as base reference years will have to completely reinvent itself quickly, every time massive changes in technology remodel the cyber landscape. More importantly, the nature of cyber crime has evolved through time and its scope has been international. If there was a hacking in Mumbai, it should have international ramifications. If Russia did interfere in the US elections that brought in Donald Trump, that would need to have international ramifications. When British consulting firm Cambridge Analytica illegally dealt with data of millions of Facebook users, that was an international crime.

The IT Act of 2000 is very e-commerce oriented, and one can understand that this should be there. What were the basic amendments incorporated in this? The scope of this Act has been enlarged from e-governance, e-banking and e-commerce to all the latest communication devices. Small things have been taken care of, such as Section 43, which defines punishment for accessing computer systems without permission from the owner. A compensation claim is possible. And if that has been an act of fraud, then Section 66 is applicable. There are similar punishments in Section 66B (receiving stolen communication devices or computers), or Section 66C (forgery in digital signatures, hacking passwords or other distinctive identification features). Section 66D is for cheating through impersonation on the web (social media issues), etc. Then there is identity theft, which will be dealt with in collaboration with the IPC.

Even the Companies Act 2013 has vested powers in the hands of the Serious Frauds Investigation Office to prosecute Indian companies and their directors. Then there are the Companies (Management and Administration) Rules, 2014: These prescribe action on cyber security obligations, responsibilities and compliance. It adheres to National Institute of Standards and Technology’s Compliance of the Cybersecurity Framework and provides guidelines, standards, and best practices to manage the cyber-related risks responsibly. These are the focused legal reference points. However, when a situation such as the alleged Mumbai hacking happens, what law will be used to create a charge sheet? Would one fall back on usual cyber crime laws, or should there be a further amendment?


What this shows is that there cannot be a one-size-fits-all approach in law as far as “crimes” of this nature are concerned. Can a dormant malware be assumed to be a threat? Can it be assumed, without a proper study, that this supposed dormant malware is capable of wreaking havoc on national assets and posing a threat to national security? This may have been answered by Recorded Future, but it did not have access to the Indian network. Would allowing Recorded Future into India’s strategic installation network result in another crime in itself?

Consider Mumbai, again. The central Power Ministry has clarified that “no data breach/data loss” had happened, and there was no effect on the overall functions of the Power System Operation Corporation Ltd (POSOCO), the main agency that oversees the power-sharing/transfer and integration within the grid. Hence, layman logic says, there has been no sign of any “crime” being committed. How would a judiciary handle this? Tricky questions, those.

In the background, still in the womb, is the Data Protection Bill, 2019. The Joint Committee (headed by Meenakshi Lekhi) has already reviewed it and it could soon be tabled in Parliament. But the landscape has changed again. So, maybe that, too, needs an “amendment”, even before it becomes an Act.

