Good and bad are two sides of the same coin and it is very difficult to invent a technology that could be used for good purposes only. Criminals and bad elements would find one way or the other to abuse any technology and some very legitimate technologies can be used for cyber crimes and cyber attacks. We created pen testing tools but nothing prevents the cyber criminals to use them for exploiting networks and computers. Not only this, there are specific tool that have been created to indulge in cyber attacks and cyber crimes. These tools are openly available to the purchasers at dark web and payments methods are very flexible too. Another category of tools is that are made for government, law enforcement and intelligence agencies alone. Ordinary people do not have access to such tools and this makes creation of counter measures against such tools very difficult.
As a result the cyberspace has become a very unsafe, chaotic and insecure place to venture. It is not even wise to access random websites without proper anti virus, firewall, anti spyware and anti malware tools. Many websites are embedded with malware and mere access of such websites can compromise your computer if proper safeguards are not at place. We are curious by nature and this curiosity and our trusting nature is abused by cyber criminals and social engineers. Sufficient is to say it is unsafe to trust an e-mail or weblink from an unknown person who asks you to either download the attached file or to click upon a link. Spear phishing has taken this to the next level and the targeted people are approached by pretending to be a person of authority and trust. Many people fall prey to such spear phishing and lots of companies are regularly incurring monetary losses due to them.
This article is not about private individuals but about state hacking and state backed cyber crimes. It would be novice to claim that state do not indulge in hacking, spying, surveillance and privacy violation activities. All countries, including India, indulge in such activities whether they admit it or not. States also empower their law enforcement and intelligence agencies to indulge in unconstitutional and illegal spying and e-surveillance. That cannot be disputed by any nation. That is why we launched the exclusive techno legal Centre Of Excellence For Protection Of Human Rights In Cyberspace (CEPHRC) in 2009 and since then we have been fighting against any form of civil liberties violation in cyberspace.
Those working in the field of civil liberties protection can endorse that they have been targeted by state hacking in one form or another and through one mode or another. The crucial question is that if you are targeted by state hacking, whether by your own state or some other nation, what should you do to safeguard your interests? There is no one solution for all formula and every case depends upon its own facts and circumstances. If your mobile has been targeted, you need a particular strategy. If your social media account has been attacked you need a different strategy and so on. Similarly, if you have been targeted by a foreign law enforcement or intelligence agency you have a totally different solution.
What we suggest for such situations is to adopt a techno legal strategy as neither technological nor legal strategy alone would be productive. You have to align you technology solutions with not only law but also conflict of law. This is a tricky issue as laws of different countries are different and there is no harmonisation in this regard. The laws of United States are different from laws of India and what may be legal in US may not be legal in India. For instance, if FBI of US can access, search and hack any computer, device or equipment remotely while sitting at the homeland, that is not alright with laws of different countries. Similar is the case for Indian government or its agencies if they indulge in similar activities in foreign countries. With granting of legal immunity to such agencies and cyber armies, the things would complicate further. But the bottom line is that you have a solution for all such situations and our TeleLaw Project can help you in these cases. It is not fool proof solution as we cannot claim that ever but it is a good techno legal tool in your arsenal to fight against cyber attacks and state hacking. We have combined various LegalTech and RegTech Projects together and they would collectively help you to handle varied and complicated cases of state hacking.
It is important that companies possessing and dealing in very valuable intellectual property (IP), technologies, software, trade secrets, technology companies, etc must put in place a techno legal anti state hacking policy and we at Perry4Law Organisation (P4LO) and TeleLaw would love to help you in this regard. We can also help in resolving various disputes pertaining to IP thefts, state hacking and related issues by using our Online Dispute Resolution (ODR) portal. We recently investigated a spear phishing attack against a company and drafted a techno legal policy for them so they they are not defrauded of any more money. Similarly, we recently investigated a national and international phishing scam and kept on informing Indian government about such activities.
There is another crucial aspect that is related to all cyber breaches and hacking activities. Companies, banks, etc in India are required to disclose about such cyber attacks and cyber breaches to Indian government appointed agencies. But these stakeholders are not doing so and this may attract penal provisions too in near future. The problem has arisen because Indian government has failed to formulate a dedicated law for such breach reporting and companies and banks are taking the directions of government and Reserve Bank of India very lightly. The legal position is that bank officials and directors of companies are liable to be prosecuted for such lapses but in reality nothing like this happens on a significant level. However, recently Indian government hinted on changing this position and now criminal, civil and pecuniary liability of banks, companies, directors, etc could be prescribed and implemented soon. So if state A hacks a bank server or company’s system managing a critical infrastructure, their detection, remediation and reporting would become a mandatory requirement soon.
We know when implementation of even basic cyber security and cyber law policies are missing, asking Indian banks, companies, etc to formulate anti state hacking policy is expecting too much. But the damage caused by state hacking is too much and banks and organisations handling critical infrastructures cannot afford to ignore this policy. Also if you have taken care of state hacking policy, you can easily manage cyber law and cyber security policies too. But as a best practice and prudent exercise, we would recommend to proceed systematically and start with creating cyber law, cyber security and cyber deterrence policies first. of course, P4LO and TeleLaw would be happy to help you in formulating and implementing these and many more techno legal policies. Let us together create a safe, secure and civil liberties compliant cyberspace in India.