Karnal Singh, the former Director of the Enforcement Directorate, opens up to Sachin Gaur, Executive Editor, InnoHEALTH Magazine, about his opinion on the trends in cybercrime and threats for 2019.
He is a 1984-batch IPS officer and an engineer from Delhi College of Engineering (DCE) and the Indian Institute of Technology (IIT), and has over 34 years of experience in the investigation of corruption, terrorism, money laundering, and cybercrime cases. He is a recipient of the President’s Medal for distinguished service and the Police Medal for meritorious service.
Q. Given your important assignments for the Government of India in the past, share with us the big picture. What are the trends you see in terms of cybercrime and threats for 2019?
The world is getting more connected and technology has seeped into every aspect of our lives. On one hand, these advancements make our lives easier; on the other, they bring a lot of vulnerabilities with them if security isn’t strong enough to tackle cyber criminals. Hackers today are well-educated and have the capabilities to develop new methods and tools to exploit the vulnerabilities in computer systems and networks. A few do it for their academic interest and thrill, and inform the person concerned about the vulnerabilities so that the same can be plugged. They are known as white hat hackers. The others do it with malice and for self-gain, and are known as black hat hackers.
To gain access to computer systems, cybercriminals and hackers will continue to deploy already existing tools (called exploits) with enhanced capabilities. More advanced tools will also be developed in the coming years. Some of the important ones are enumerated below:
1. Chatbots: There will be extensive use of machine learning techniques (artificial intelligence) in the near future. A chatbot can be injected into an important website (for example, a banking site). The chatbot, in the form of a man or woman, would pop up on the screen and start interacting with the user (like what we see Google Assistant doing). Then it may misdirect the customer to a nefarious link similar to the actual banking site, thereby fetching important information from the customer and compromising his banking information.
2. Bot and botnet: Hackers have been successful in remotely taking control of hacked computer systems. Such a system is known as a bot. The hacker can remotely misuse a machine (using computing time or other resources) without the actual user being aware of it. If there is more than one compromised device, then it is called a botnet. Botnets can be put to perform some distributed function, viz. cryptojacking (mining bitcoins) or a distributed denial of service attack.
3. Discover and target organizations outside the firewall: Most commercial organizations deploy firewalls, intrusion detection systems, and intrusion protection systems, thereby making hacking difficult. But they use third-party software, which may have vulnerabilities. Hackers can attack the third-party systems used by commercial websites.
4. Injection attack: Protective systems installed on computers look for malicious files to detect cyber-attacks. The injection attack is fileless; the hacker directly inserts the malicious code into memory, thereby compromising the machine without ever dropping a file onto the infected system. One such example is the British Airways site hack in 2018, resulting in the identity theft of around 3,80,000 users.
5. Biometric hacking: Cybercriminals use brute force attacks, dictionary attacks, social engineering, etc., to crack passwords. Many people have shifted to biometrics. Academic research suggests that a number of fingerprint authentication systems could be spoofed; even highly sophisticated facial recognition systems have been proven vulnerable to more advanced hacking efforts.
6. Application of artificial intelligence: Artificial intelligence techniques will be used more and more to avoid detection by intrusion detection tools. For example, WaterMiner, a cryptocurrency mining tool injected as malware, stops mining when Task Manager or an antimalware scan is run.
7. Rogue AP (access point) and evil twin: A rogue AP is an access point installed on the network without the knowledge of the administrator, while an evil twin is an identical network.
The above-mentioned techniques will be sharpened to attack numerous utility services (some of which are listed below) by the black hat hackers for malicious purposes:
A. Internet of Things (IoT): A considerable number of smart gadgets (such as TVs, plugs, IP cameras, smartphones, tablets, network video recorders, heaters, refrigerators) are used in homes and industries. When these gadgets are connected to the Internet, they are termed the Internet of Things. Hackers will increase their attacks on IoT using vulnerabilities in cloud infrastructure and hardware to threaten users physically or mentally.
B. Attack on identity platforms: Identity platforms offer centralized secure authentication of users, devices, and services across the IT environment. It could be a database of banks, hospitals, social media sites, etc. Identities of a large number of persons would be attempted to be stolen for extortion, impersonation or proving the inadequacy of the commercial organization in securing the important data (so as to blackmail).
C. Real-world damage: There will be more and more attacks on services providing community services, viz. municipalities, the health sector, electricity supply, water supply, and sewer systems. Besides cybercriminals, who would use such hacking for ransom, terrorists and even nations can use it against the public or adversaries.
D. Social media content compromise: There will be increased use of Botnets to compromise social media to influence public opinion.
Q. Being a healthcare publication, our readers would be interested in healthcare-specific cyber threats. What is your opinion on the health sector threats?
The health sector offers life critical services. It maintains the identity and clinical records of a large number of patients. The following factors make the health sector more vulnerable as compared to the other sectors.
- IoT (Internet of Things) devices are used extensively for the treatment of patients, viz. smart continuous glucose monitoring, connected inhalers for asthma, an Apple Watch app that monitors depression, etc.
- The doctors and patients can connect external storage devices and even mobile phones to the hospital database system.
- Third-party software and hardware are deployed, which makes the system vulnerable to supply chain poisoning.
- Most of the services provided by the hospital are connected through the Internet or the cloud services.
Clinical data is of immense use for cybercriminals and cyber terrorists. They can use vulnerabilities in cybersecurity in the following ways:
- Identity theft: Medical identity record is very useful for the cybercriminals as it can be used to impersonate people in the digital world and gain access to financial systems as well as to commit fraud by claiming treatment or insurance at the cost of insurance agencies and the patients. Therefore, this data is sold at a higher rate in the darknet as compared to identity records of other sectors.
- The clinical records of the patients may sometimes contain their psychological disorders or conditions, or a person may be suffering from concealed diseases (sexually transmitted disease, etc). The hacker may make use of such information by blackmailing or harassing the patients. It would cause hardship to the patients and would put the reputation of the healthcare service provider/hospital at stake which failed to protect the patients’ identity and clinical records.
- Ransomware attacks on hospitals will be on the rise. The information of patients is mostly time-critical. If the cybercriminal denies the hospital access to its data even for a short span of time, it may lead to a lack of timely treatment for critical patients; therefore, the hospital administration is not in a position to delay the ransom payment.
- Prescription change: In India, the majority of renowned hospitals in metro cities are computerized. Doctors give online prescriptions which immediately become available to the concerned medical staff, such as a nurse who administers the drug to the patient. Cybercriminals can tamper with the prescription, which may harm or even cause the death of the patient. They can cause an obstruction in the oxygen supply line or a failure of electricity. They would be able to change the medical records of patients, which will lead to wrong diagnosis and treatment. Not only cybercriminals but also terrorists can adopt the above techniques and threaten nations, or can even cause large-scale fatalities.
Therefore, it becomes extremely important to adequately secure the health sector databases.
Q. The health sector has seen major attacks of ransomware; part of the equation is ‘money aka cryptocurrency’ in organized crime. How do we handle this?
Being proactive about cybersecurity is perhaps the best approach to tackling cyber-attacks. The health sector should form a cybersecurity forum for cybersecurity policy formulation, and mutually evaluate hospitals’ preparedness against cyberattacks, ensuring adherence to the cybersecurity policies. Additionally, each hospital network should have a dedicated team of IT security professionals to guide the management and proactively check for any cyber invasion. The IT team should ensure that the latest patches for all devices and software are installed and that there is protection from supply chain poisoning. The system should be equipped with features such as firewalls, an Intrusion Detection System, an Intrusion Protection System and process analytics tools, among others.
The blockchain techniques can also be explored for data management and the patient databases should be encrypted so that they are of no use to the hacker. Further, the hospitals must take data backup with a fast recovery plan. Regular penetration testing of the system should be done to eliminate potential vulnerabilities.
Hospitals should invest in training IT staff in cybersecurity policies and cybersecurity technologies. Regular analysis should be done of employees’ computer usage patterns so that any compromised user is effectively detected and removed from the system in time. There should also be secure access control, preferably using biometric features.
Q. Today security has become a hot topic, and the world over we see that regulation is leading change and innovation! What is your vision for India in this regard? What regulations will make the health sector more secure? Or do we not need regulation?
The cybercriminals attempt to hack the computer resources of the hospitals by exploiting the vulnerabilities in the computer systems. They manipulate the stored information, steal the same or hold it for ransom. The hospital databases work on the trust reposed by patients in the hospital administration that their data will be guarded with privacy.
Cybercriminals can be prosecuted under various provisions of the Indian Information Technology Act, 2000 (ITA). The IT Act creates civil liabilities for the offenses under the Act vide Sections 43 to 45, wherein an amount of compensation can be given to victims; it also creates criminal liabilities vide Sections 65 to 74 of the Act. Cybercriminals are liable to both civil and criminal liabilities.
Hospital administration is responsible for protecting the data, and failure to protect it can result in civil liability under Section 43A of the IT Act. However, this section can be invoked only if the breached data results in wrongful loss to the victim or wrongful gain to a cybercriminal. The victim has to prove that there was a wrongful loss to him/her. Offenses by intermediaries are criminalized under Section 67C of the IT Act. However, the same gets diluted by the provisions contained in Section 79 of the IT Act. Hence, the IT Act doesn’t provide absolute data security laws.
The Government of India appointed Justice BN Srikrishna Committee for effective data protection laws in India. The committee submitted the Draft Data Protection Bill, 2018 to the government in July 2018. It will be introduced in parliament after the forthcoming elections in India. The Government of India is also planning to introduce “The Digital Information Security in Healthcare Bill” in the parliament to secure the healthcare data of patients in India.
Q. As the cyber incidents keep rising and legal regime catches up, what is your opinion on our abilities in investigating cybercrime? As you know attribution and audit trail are not the easiest in the cyber world, any advice for stakeholders so that they are not wrongly prosecuted or get justice on time?
According to Section 78 of the IT Act, 2000, a police officer of the rank of Inspector and above is authorized to investigate offenses under the IT Act. This is to ensure the quality of the investigation. However, not all Inspectors in the police are trained in cybercrime investigation. Further, the complexities of computer technology, tools, and methodology used by cybercriminals make it difficult even for a trained person to keep pace with developments in this field. Police organizations don’t employ external cyber experts to aid in the investigation. Each police officer investigating a case seeks help from other expert police officers or cyber experts of his/her choice. Therefore, institutional help is lagging.
There is also a dearth of cyber experts in forensic science laboratories, resulting in delays of months and years in getting reports from them, which can compromise the further evidence leading from forensic analysis of seized electronic material. During my tenure in the Enforcement Directorate, I found this delay to be 1 to 3 years; therefore, I initiated six in-house cyber forensic labs. This led to cyber forensic analysis being done at a quicker pace, also improving the quality of investigation.
The next hurdle is the global spread of evidence into other jurisdictions. A letter rogatory (letter of request) is sent to each foreign jurisdiction for getting the evidence located in that jurisdiction. The process is slow and it may take 3 to 4 years in getting a reply. If that reply further requires evidence from another foreign jurisdiction then another 3-4 years are gone. Therefore, the entire investigation is time-consuming.
The investigation becomes further complicated if Tor or onion routing is employed by cybercriminals. Finding the cybercriminal in this scenario becomes more difficult.
The IP address (Internet Protocol address) and the time of its use uniquely identify the source of the attack. However, the cybercriminal may commit the cyberattack through a bot or botnet. In that case, the IP address will lead the investigating officer to the slave machine, even though the user of this machine would have no knowledge of the misuse of his computer resources. If the investigating officer doesn’t go into the depth of log analysis of such a system, then innocent people might have to face false prosecution. Stakeholders should ensure all logs are maintained and stored by their computer systems so that the audit trail can lead to the actual perpetrator of the cyber-attack.