VIF Cyber Review: March 2022


National Policy on Electronics 2019: India as a global hub for Electronics System Design and Manufacturing (ESDM)

On 30 March 2022, the National Policy on Electronics (NPE) 2019 was notified by the Ministry of Electronics and Information Technology (MeitY). The vision of NPE 2019 is to establish India as a global hub for Electronics System Design and Manufacturing (ESDM) via encouraging capabilities for developing core components, including Chipsets, and creating an environment for industry to compete globally.

The Scheme for Promotion of Manufacturing of Electronic Components and Semiconductors (SPECS) provides a financial incentive of 25 per cent on capital expenditure for the identified list of electronic goods that comprise the downstream value chain of electronic products, such as semiconductor/display fabrication units, ATMP units, specialised sub-assemblies.

Under Semiconductor and Display Manufacturing Schemes, Prime Minister Narendra Modi approved the comprehensive programme with an outlay of ₹ 76,000 crores (> USD 10 billion) on 15 December 2021 to develop a sustainable and robust Semiconductor and Display environment in India.[1]

CERT-In issued an advisory on multiple vulnerabilities in Microsoft products

The Indian Computer Emergency Response Team (CERT-In), on 09 March 2022, issued an advisory regarding multiple vulnerabilities discovered in Microsoft products thatan attacker could exploit to access sensitive information, bypass security restrictions, execute a Denial of Service (DoS) attack, and perform spoofing attacks on the targeted system(s).[2]The advisory suggested that companies and individuals apply appropriate security updates the vendor offers.

In 2021, phishing attacks recorded more than double: Minister of E&IT

On 30 March 2022, in a written response to a question raised in the Lok Sabha (lower house of the Indian parliament), Minister of Electronics and Information Technology— Ashwini Vaishnaw informed that the number of phishing attacks in India more than doubled in 2021. The Indian Computer Emergency Response Team (CERT-In) observed that phishing attacks have gone up from 280 in 2020 to 523 in 2021. Similarly, the Ransomware attacks have gone up from 54 in 2020 to 132 in 2021. “The government is fully cognizant and aware of the increase in cyber security threats. With the borderless cyberspace coupled with the anonymity, along with rapid growth of the Internet, rise in cyber attacks is a global phenomenon,” said the Minister in response to the question raised in the Lok Sabha.

According to the data from the National Crime Records Bureau (NCRB), in 2020, around 50,035 cyber-crime cases were registered, which is a significant increase from 44,735 cases in 2019.[3]

Social Media intermediaries cannot violate the Constitutional Rights of Indians: MeitY

Amid accusations about digital platforms’ indiscriminately approach totake-off the content, the Ministry of Electronics and Information Technology (MeitY) officials informed that “no social media company can undermine the Constitutional Rights of Indians, and Internet must be a safe and trusted place with all platforms accountable to their users.”

No intermediary can violate any law of India and undermine the rights of Indian citizens to Article 14 (non-discrimination), Article 19 (freedom of speech, subject to certain restrictions), and Article 21 (Right to privacy). Under the Information Technology (IT) Rules notified in February 2021, all intermediaries are expected to conduct due diligence on the users and content posted on the platforms concerned.[4]

Data Centres faced over 51 million cyber-attacks in nine months: IETE & CPF report

On 25 March 2022, a joint research report prepared by the Institution of Electronics and Telecommunication Engineers (IETE) and Cyber Peace Foundation (CPE) has stated that from April-December 2021, the data centres in India recorded more than 51 million cyber-attacks over their networks from 40,937 unique IP addresses globally. The report also mentioned that attackers used 26,166 usernames and 80,282 passwords to log into the networks.

As modus operandi, along with Autobot Infosec, the attackers attempted to execute multiple terminal commands and download malicious payloads, such as botnet, Trojan, etcetera, on the system. Researchers discovered that 1,31,388 unique terminal commands were run in the system while 1,262 unique payloads have been identified that were injected into the environment. [5]


Google, Microsoft to strengthen their cloud environments as cyber-attacks increase

Over the past year, all three major public cloud service providers— Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, have made acquisitions in the cyber security space. Google Cloud has been building cloud-native security into the foundation of its technology to block cyber threats. AWS acquired Wickr— a company that provides an encrypted messaging platform used by companies and government agencies. The acquisition will provide advanced security features for messaging, voice and video calling, file sharing, and collaboration. In 2021, Microsoft made two acquisitions— CloudKnox Security and RiskIQ. The RiskIQ offers assistance to organisations assess the security of their entire attack surface, including Cloud services from Microsoft, AWS, and other Cloud service providers. [6]

Tens of thousands of Modems across Europe got crippled due to a cyber-attack on a Satellite network
On 30 March 2022, the US-based communications company— Viasat issued a statement providing details about the most severe known cyber-attack of the Russia-Ukraine war. A malicious software command— AcidRain malware, immediately crippled tens of thousands of Modems across Europe during a cyber-attack on a satellite network used by the Ukrainian government and military. In response, Viasat shipped 30,000 replacement modems to affected customers across Europe, most of whom use the service for residential broadband Internet access. Viasat did not comment on the actor behind the attack; however, Ukrainian officials blame Russian hackers.

Google, on 30 March 2022, identified a State-backed Russian hacking group involved in a credential-phishing campaign targeting military personnel of Eastern European countries and a NATO Think-Tank. The attack on the KA-SAT satellite network highlighted the vulnerability of commercial satellite networks that serve both military and non-military clients. [7]

The US imposed sanctions on Russian tech firms

The United States (US) imposed a series of sanctions against Russian tech firms, including the largest chip maker, that was ‘instrumental’ to Russia’s invasion of Ukraine. Mikron— the most prominent Russian manufacturer and exporter of microelectronics, was among 21 entities and 13 individuals listed for penalties, including the blocking of any property in the US.

“Russia not only continues to violate the sovereignty of Ukraine with its unprovoked aggression but also escalated its attacks striking civilians and population centres. We will continue to target Putin’s war machine with sanctions from every angle until this senseless war of choice is over,” said US Treasury Secretary— Janet Yellen. [8]

US, EU signed Data Transfer deal to ease privacy concerns

While on a European tour amid the Russia-Ukraine war, United States (US) president Joe Biden and European Commission president Ursula von der Leyen announced the deal that paves the way for Europeans’ personal information to be stored in the US. “Privacy and security are key elements of my digital agenda. The new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and the US, and help companies—both small and large—compete in the digital economy,” said US president Biden.

“The new agreement will help keep people connected and services running. It will provide invaluable certainty for American and European companies of all sizes, including Meta, who rely on transferring data quickly and safely,” said Facebook Head of Global Affairs— Nick Clegg.9]

Irish Data Protection Commission imposed a € 17 million fine on Meta

Following the inquiry into a series of 12 data breach notifications received by the Irish Data Protection Commission (DPC) between June and December 2018, the Commission imposed a € 17 million fine on Meta, the parent of Facebook Inc. The investigation revealed that Meta trespassed Article 5(2) and 24(1) of the General Data Protection Regulation (GDPR), which allows for penalties of up to 04 per cent of a company’s annual revenue.

The DPC discovered that Meta platforms failed to implement technical and organisational measures that would allow it to readily demonstrate the security measures that it implemented in practice to protect European Union (EU) users’ data.[10] Article 5(2)— ‘Principles relating to the processing of personal data’, of the GDPR—states that “the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)[11]; whereas the Article 24(1)— ‘Responsibility of the controller’, of the GDPR— states that “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”[12]