The Editorial Analysis: Reporting Cyber Attacks

Cyber Crimes UPSC: Relevance

• GS 3 Awareness in the fields of IT, Space, Computers, robotics, Nano-technology, bio-technology.

Cyber crimes in India: Context

• In a recently held cyber security event, the Ministry of State indicated that Ministry of Electronics and Information Technology (MeitY) is likely to come out with new cyber security regulations.

Reporting cyber-crime: Key points

• The essence of the cyber security regulation will be to put the onus on organisations to report any cyber-crime that may have happened against them, including data leaks.
• Even Data Protection Bill 2021 says that data fiduciaries should report any personal and non-personal data breach incident within 72 hours of becoming aware of a breach.
• Even the golden standard for data protection, namely the European Union General Data Protection Regulation (EU GDPR), speaks about reporting data breach incidents within a stringent timeline.

संपादकीय विश्लेषण: साइबर हमलों की रिपोर्टिंग 

Cyber-crime around the world

• It was predicted that Cyber-crime would inflict damages totalling $6 trillion globally in 2021.
• If cyber-crime would have a country, it would be the world’s third-largest economy after the U.S. and China.
• The ransomware attack against the nationwide gas pipeline in 2021 in the U.S. virtually brought down the transportation of about 45% of all petrol and diesel consumed on the east coast.
• Hence, it is important that government and state-owned enterprises should also report cyber-crime so that corrective actions can be taken on the security of critical infrastructure of the nation.

Importance of cyber-crime reporting

• If incidences are reported, the Indian Computer Emergency Response Team (CERT-In) and others can alert organisations about the associated security vulnerabilities.
• Also, firms not yet affected can also take precautionary measures such as deploying security patches and improving their cyber security infrastructure.

Reasons for not reporting cyber-crime

• Firms are generally reluctant to notify the breach incidents to the regulators because any security or privacy breach has a negative impact on the reputation of the associated firms.
• According to a study conducted by Comparitech, the share prices for firms generally fall around 3.5% on average over three months following the breach.
• Moreover, in the long term, breached companies underperformed in the market.
• After one year, share price of breached firms fell 8.6% on average, resulting in a poor performance in the stock market.
• So, firms weigh the penalties they face for not disclosing the incidents versus the potential reputational harm due to disclosure, and decide accordingly.

Reporting cyber crime: Solutions

• Data laws: The data laws should deal with reporting of cyber-crime in a more comprehensive manner.
• Cyber security audits: Third party periodic security audits should be conducted in the firms. These audits should be comprehensive enough to identify such incidents that might not have been reported by the firm, or even by the state-agencies.
• Common Criteria Testing Laboratories: These bodies can be extended towards cyber security audits and assessments as well.
  • Common Criteria Testing Laboratories are the bodies set up by the MeitY to evaluate and certify IT security products and protection profiles as part of cyber security assurance initiatives.
• Cyber security command centre: Alike IBM in Bengaluru, other large firms can also be encouraged to set up such centres for protection of their firms’ assets.

Read current affairs for UPSC

Sharing is caring!