Ransom-payers are also the cause of ransomware proliferation: Prashant Mali
The ransom to retrieve files was reportedly $300, to be paid in virtual currency bitcoins
To date, financial cyber crime has only grown and it is yet to peak, so I would say it’s written on the wall that many more such attacks are expected in the near future. Such threats loom large as the ransom is paid in bitcoins, so the criminals aren’t caught. One thing the police and the government can do is to ensure that citizens make compulsory declarations of purchase of bitcoins and other cryptocurrencies (like ethereum) when they file their income tax returns. This can help the government see who pays and how much because, I feel, ransom-payers are also the cause of ransomware proliferation.
Security experts confirm that the malware isn't really a ransomware, but a wiper designed to destroy data. Reportedly, because of “its aggressive features,” the malware makes it impossible to retrieve certain files leading many to believe that this attack may not have been for money. Can this be seen as an attempt to test how far companies will go to protect data?
Even if cyber attacks don’t cause financial damage, they definitely throw open defences. Identifying fortresses that have holes in their system can be of interest to the state and non-state actors. This data of the number of loopholes is in demand and is sold at a premium price. There are different types of people involved in the dark world: many a time those who look for such holes, those who attack, and those who intend to get ransoms are all different.
Companies are often wary of making such attacks public. Security firm Symantec has said that India is the worst hit in Asia, but we have confirmation only from Mumbai’s Jawaharlal Nehru Port Trust. Do you think information sharing could actually help build a better defence against such attacks?
By not reporting such attacks, companies are depriving the nation of a knowledge database that can help other companies develop better defences. Symantec and other (security) vendors also cannot be fully relied upon because fear is what they harp on. The more fear they put in Indians, the more they sell security products. The Insurance Regulatory and Development Authority of India and insurance companies should make it compulsory for clients to file a First Information Report (FIR) before claiming cyber insurance. Once reporting to some government agency becomes mandatory to claim insurance, companies would be motivated.
What are the security measures that one must take to avoid such attacks?
No one can be immune in cyber space and that's the reality. Only cyber awareness in organisations can bring in cyber resilience. I would advise organisations to have multi-prong policies to establish a cyber security culture. I feel the highest level of cyber safety can be achieved by establishing a cyber security culture in the company, and a country can be cyber resilient by cultivating a culture of cyber security in society. Government should quadruple its budget for digital literacy programmes. For the government to be ahead of hackers, we need cyber spies: our law and enforcement agencies should implant cyber spies among cyber criminals. The chatter within their group helps the state to be ready for what is coming: we need cyber intelligence.
Do you think companies should have ethical hackers on their pay rolls?
I have an issue with the term “ethical hackers” because legally this isn’t right: those are two contradictory terms put together. People who use these terms are either doing it for branding purposes or are students. Companies should opt for services by cyber security researchers.
Are India’s cyber laws equipped to handle such large-scale attacks?
No. Laws can be invoked when prima facie evidence is found against criminals and investigation can be completed if attribution to a criminal is possible. The legal framework to help enforcement agencies in India has serious flaws. Large-scale cyber attacks need multiple law and enforcement agencies to work together along with CERT-In (Indian Computer Emergency Response Team), but the protocol for this is yet to be developed.
In the future, cyber attacks are going to affect government facilities meant for citizens: like centres for health, water etcetera. Even municipalities should coordinate with the aforementioned agencies to avoid mass scale civil disruption from cyber attacks.