3

ORGANISATIONS, CYBER SECURITY AND THE LAW

It is often said that prevention is better than cure. But we can never guarantee that a mishap will not happen, however many preventive measures or precautions we have taken. From what we have read in the last two chapters, we now have a clear understanding of why we need a well-planned cyber-security system. To draw a comparison: cyber security is the prevention, while cyber law, commonly known as Information Technology Law, is the cure. In this chapter, we will deal with cyber crisis management within an organisation and the technical precautions that we must take in order to avoid a cyber incident. In the latter part of the chapter, once we have understood the concept of cyber crisis management, we will look into the laws related to these issues.

Cyber crisis management is a complex system which has information management, data privacy and cyber security as its integral essentials. Here, information management involves the collection and processing of information which is then filtered and categorised. Confidentiality is maintained by the element of data privacy; thereafter, a system called the cyber-security system is created to secure the managed information from external and internal threats. A strong nexus between these three elements facilitates cyber crisis management.

Let us start by looking into the essential elements of an efficient cyber crisis management system of an organisation.

What Do We Mean by Information Management and Data Privacy?

Information management is the method of collecting, processing and condensing information with technological guidance, theoretical sophistication and human assistance. It includes the collaboration of both electronic and physical information. It is a broad term that incorporates systematic policies and procedures by the joint effort of the people in the organisation, including the technical and strategic decisions taken by them.

Cyber Crisis Management = Information Management + Data Privacy + Cyber Security

Basically, the management information system, which is popularly known as MIS, is a collection or storage of information and data relating to an organisation’s field of work. This information is intrinsic and essential to the smooth functioning of the organisation. The system also has an element of data privacy which protects valuable information from being exposed. It is then further secured with the system of cyber security so as to make it inaccessible to viruses, hackers, malware and other forms of cyber threats.

Information management and data privacy go hand in hand in the sense that if the information that has been filtered and saved is not protected by cyber security, then it is exposed to internal, external and foreign threats.

The main factors that contribute to a successful information-management system are:

Role of people

Most of us might be familiar with one of the most famous dialogues of Bollywood actor Shah Rukh Khan in the popular movie Chennai Express, where he says, ‘Don’t underestimate the power of a common man!’ Rightly so, the people of any organisation are its most precious asset. An organisation, whether a boutique firm or a big company, requires efficient managing officials to run the firm smoothly.

When it comes to managing information, there are three broad categories of people:

Role of process

A business process is a collection of related and structured activities performed in a sequence. It is usually represented as a flowchart of that sequence of activities, together with the rules, based on the relevant data, that govern the order in which they are carried out. Business processes are beneficial to the organisation as they improve customer satisfaction and enhance its capacity to react to rapid market changes in an orderly fashion.

Role of technology

Technology has been a continuous asset to the organisation. Advancing its information capability involves the constant acquisition of new technological products; this determines the stability of the technological infrastructure that supports the organisation’s information-management system, and thereby optimises business processes and delivers benefits.

Role of content

Management of content involves strategies, policies of information technology and information-systems opportunities, which improve differentiation and competitiveness. Strategic analysis tools, such as the value chain and the critical success-factor analysis are directly dependent on proper attention to the information that is (or could be) managed.

What Is an Ideal Data-management System?

So far, we have dealt with the different elements of managing information and data privacy. Any organisation that seeks to promote and follow an ideal data-management system needs to keep the following points in focus:

What Are the Measures That an Organisation Can Take to Enhance its Information-management System?

Adoption of certain measures is likely to result in the enhancement of the information-management system of the organisation.

Manage and protect your information better!

Backup, archive, encrypt and have a disaster-recovery plan in place!

IT Security = Cyber Security

Cyber security, which is also known as IT security, is the protection of computer systems from theft of, or damage to, their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide. In spite of taking all precautions, that is, management of information, privacy of data and a fantastic system of cyber security, cybercrimes are still committed, and they cause great harm to individuals and organisations.

Tips for Information Management

Source: ‘Security and Privacy Controls for Federal Information Systems and Organizations’. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf

How to Tackle Cybercrimes: Cyber Law!

Cybercrime, as a concept, has not been defined in any one particular fashion. It can be understood to be illegal Internet-mediated activity which occurs across all nations and through global electronic networks. Existing laws in many countries are not framed to deal with cybercrimes, which gives criminals an easy vacuum in which to commit crimes on the Internet. They take advantage of the gap in the law and of our inability to track them down quickly. Cybercrimes not only mess with an individual’s data but also put the economic strategies, political decisions and the safety of the nation at risk.

Only recently, with the boom of the Internet and sections of society understanding the working of the cyberspace, governments have been pushed to formulate laws regarding these crimes that are committed behind closed doors.

It is also necessary to understand that cybercrimes are not restricted to one country. The Internet is a vast forum and the crimes committed in that space can spread across borders and barriers. It is a global nuisance and thus requires absolute international cooperation among countries with the best interest in view. Various governments have already made joint efforts in establishing global standards of legislation and law enforcement both on a regional and on an international scale.

The ‘Internet Century’: Cyber Laws Across the World

The 21st century is often referred to as the Internet Century. We can hardly function without actively scrolling through our social media platforms or otherwise being online on the Internet. As they say, ‘the Internet has immense power; the power to make or break people’. The Internet has a great impact on individuals and organisations in terms of social and political decisions.

Uncle Benjamin Parker wisely said, ‘with great power comes great responsibility’, and it holds true for cyberspace as well. The increasing popularity of the use of the Internet has, unfortunately, led to the exponential rise of cybercrimes on this platform. This global menace can vary from something as minor as cyber bullying to something as grave and serious as cyber terrorism.

We have already understood that cybercrimes are not well defined, and even though countries have underlying laws, the various types of crimes and their evolving nature make the subject extremely confusing.

Let us now, therefore, look at the most significant laws that our favourite countries have adopted. So, the next time you are faced with such a terrible crime, you’d know how to deal with it at the basic level.

United States of America

The US is one of the worst-affected victims of cybercrimes, but it also has one of the strictest frameworks of cyber laws in action. The first-ever law to this effect was formulated in 1984 and is known as the Computer Fraud and Abuse Act (CFAA). However, the act did not include a provision for the intentional harming of devices by using malicious code; this means that the act did not cover the idea of viruses.

Did You Know?

The US has been the most-affected country in the world in terms of Internet-related crimes with 23% of world cybercrime rate.

Source: ‘Top 20 Countries Found to Have the Most Cyber-crimes’. https://www.enigmasoftware.com/top-20-countries-the-most-cybercrime/

The National Information Infrastructure Protection Act was legislated in order to form a more wholesome law. It included all the previous statutes and, additionally, held it illegal to view computerised information without authorisation.

The US has also excelled in terms of taking strict action against cybercriminals. Its penalties include expulsion for criminal misdemeanour, felony and cyber bullying; 15 years of imprisonment and a fine for identity theft; and 6 to 20 years of prison time for hacking and damaging computer property. This demonstrates that the US has quite a stronghold on its cyber laws.

China

In the year 1997, the Computer Information Network and Internet Security, Protection and Management Regulations, codified by the State Council, came into being in China. This was the country’s first-ever law in relation to cybercrimes.

As per the Chinese criminal law, a minimum of three years of imprisonment has been specified for crimes constituting hacking, sabotaging data or creating and propagating digital viruses. The sentence can be increased as per the seriousness of the case.

The government of China has had absolute control over the Internet within its borders since 2010, and while this may appear unfair and ridiculous to us, it has proved to be beneficial for the indigenous e-commerce and digital companies of China.

India

Three per cent of the world’s total cyberattacks are faced by people in India. The Information Technology Act of 2000 and its consequent amendments are the only strong laws that have been enacted in India to deal with cybercrimes. The law takes into account various crimes, such as violation of privacy, identity theft, sending of obscene material, child pornography and cyber terrorism.

Did You Know?

Almost 40% of the cyberattacks in India from January – May 2018 originated from China, 25% from the US, 13% from Pakistan and 9% from Russia, according to CERT-In.

Source: ‘Cyber Attacks Becoming More Frequent in India’. https://www.hindustantimes.com/india-news/cyber-attacks-becoming-more-frequent-in-india/story-8Os6AtCrHzL6QCBinVQuSM.html

India has also framed strict punishments for these crimes. Penalties of up to ₹2 lakh and imprisonment for heinous crimes, such as violation of privacy, have been formulated in the act. Fines of up to ₹10 lakh and up to five years’ prison time for creating and sharing child pornography and lifelong imprisonment for cyber terrorism have been specified. These laws are quite strong if executed in an efficient way.

A crime-free society is a perfect dream and exists only in illusion. It should be our constant and conscious effort to keep criminalities at their lowest. In a society that is becoming increasingly dependent on technology, crimes in cyberspace are bound to rise and the lawmakers have to walk the extra mile to keep them afar.

In this century, where our world revolves around technology, we have to face the harsh truth that it is a double-edged sword and can be used for both purposes—good and bad. It is up to us to accept it as a boon or a bane. We, as a society, need to be more aware and ensure that technology grows in a healthy manner and is used for legal and ethical business growth and not for committing crimes and bringing others down.

Let us now look into a case which illustrates the necessity of having a cyber crisis management plan within an organisation.

Case Study

The Bangladesh Bank heist in 2016 was one of the most notorious cybercrimes in history, and the shocking part was how the attackers successfully intruded into the Society for Worldwide Interbank Financial Telecommunication (SWIFT), one of the most trusted, reliable and secure financial networks worldwide. It is a global network enabling financial institutions across the world to send and receive critical information regarding financial transactions in a secure standardised environment.

The timeline of the breach is as follows:

15 May 2015: With an initial deposit of $500 each, three bank accounts under the names of Enrico Teodoro Vasquez, Michael Francisco and Alfred Santos Vergara were opened in the Jupiter Makati branch of the Rizal Commercial Banking Corporation (RCBC), Philippines. These bank accounts remained idle until 4 February 2016 and were later discovered to be fake bank accounts.

January 2016: The cyberattackers injected malware into the bank’s system.

4 February 2016: Attackers used the malware to hack into Bangladesh Bank’s vostro account with the Federal Reserve Bank of New York (the Fed) and ordered 35 transfers worth $951 million, the bulk of which was to be transferred to RCBC in the Philippines. Thirty of these 35 fraudulent transfers were successfully blocked by the Fed, but the remaining five transactions, worth $101 million, could not be blocked.

5 February 2016: The Fed sought clarification from the Bangladesh Bank regarding the 35 transfers, but failed to get through since it was a banking holiday in Bangladesh.

5–8 February 2016: The remaining five non-blocked transfers were executed. However, one transaction worth $20 million could be recovered owing to the discovery of a typographical error. One of the routing banks (also called intermediate banks), Deutsche Bank, blocked a transfer to a fake Sri Lankan NGO when it discovered the misspelling ‘fandation’ instead of ‘foundation’ in ‘Shalika Foundation’. It was found that no such NGO existed in Sri Lanka. Unfortunately, the remaining $81 million were successfully stolen and routed to sham accounts in RCBC, Philippines.

8 February 2016: A ‘stop payment’ order was sent by Bangladesh Bank to RCBC. However, RCBC could not respond owing to a Chinese New Year holiday in the Philippines.

9 February 2016: RCBC permitted withdrawals from the accounts. Thereafter, the stolen money was consolidated and deposited in a dollar account which was opened on the same day under the name of William So Go of DBA Centurytex Trading. In the next few days, the money was successfully laundered through casinos in the Philippines.

Possible measures suggested by cyber-security experts which could have thwarted the attack:

The case above demonstrates the necessity of managing a cyber incident in order to successfully mitigate the adverse effects of, or altogether prevent the occurrence of, a cyber-security attack. The management of a cyber incident, and its utmost importance in protecting the cyber security of an entity, is discussed in the following chapter.