The unfortunate incident of the prestigious website of CII Southern Region, http://www.ciisr.org,
leading to a pornographic site presents many instructive lessons for industrial
organizations in India.
It is reflective, at the Corporate level, of
1. Lack of Cyber risk perception and
2. Lack of awareness of the remedial action required.
Problem Analysis:
The problem faced by CII-South appeared at first glance as a classic case of
Cyberjacking (hijacking the visitors of a website), where an existing URL is
diverted to a porno site. The objective of such an activity is to divert the
visitors of a popular site to the porno site, and it keeps happening from time
to time.
This is accomplished in two modes. One mode is to hack into the DNS servers and
change the mapping of the domain name to its IP address. The second mode is to
hack into the web server where the site is maintained and replace the default
page with a page which refreshes to the pornographic site.
In either case, it would come under the type of Cyber Crimes called "Hacking",
which according to the Information Technology Act 2000 is punishable with
imprisonment up to 3 years and a fine of Rs 2 lakhs. Further, those who commit
such crimes can be convicted even if they are outside India and are citizens
of a foreign country.
What is required for conviction is to trace the culprits and hold appropriate
evidence that would stick in a court of law in India and elsewhere.
The Case of CII
The case of CII was interesting for the reason that the hijacking of visitors
from the target site was facilitated by the organization failing to renew its
domain name in time. Worldwide, Cyberjackers are waiting for popular domain
names to fall due and often register the name in advance, contingent on the
original owner defaulting on renewal. Since this is done automatically, the
booking takes place seconds after the lapse of the earlier registration.
Most registrars, however, do remind registrants repeatedly before the
registration falls due. In spite of these reminders, missed renewals are a
common affair for many companies.
Some Companies take this lightly and think that all they have lost is a name
for which they spent Rs 500/-, and that they can shift the website to an
alternate domain name. This is exactly what CII Southern Region thought it
would do by registering a new domain name, www.cii-south.org.
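A defensive counterpart to the renewal problem described above, added here as an example and not part of the original article: a small Python check that reads the expiration event from a domain's RDAP record and classifies how close the registration is to lapsing, so that the reminder does not depend on the registrar's mail alone. The RDAP record, the domain name and the dates are constructed; the `fetch_rdap` helper is assumed to reach the public rdap.org redirector and is not exercised offline.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP-style domain record (not a real registrar response); the
# registration and expiry dates are invented to match the article's timeline.
SAMPLE_RDAP = json.dumps({
    "ldhName": "example-region.org",
    "events": [
        {"eventAction": "registration", "eventDate": "1999-06-23T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2001-06-20T10:15:00Z"},
        {"eventAction": "expiration",   "eventDate": "2002-06-23T00:00:00Z"},
    ],
})


def expiry_from_rdap(rdap_json: str) -> datetime:
    """Pull the 'expiration' event out of an RDAP domain object (RFC 9083)."""
    doc = json.loads(rdap_json)
    for event in doc.get("events", []):
        if event.get("eventAction") == "expiration":
            # RDAP timestamps are RFC 3339; older Pythons reject a bare 'Z'.
            stamp = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp).astimezone(timezone.utc)
    raise ValueError("RDAP record has no expiration event")


def renewal_status(rdap_json: str, now: datetime,
                   warn_days: int = 60, critical_days: int = 14) -> "tuple[str, int]":
    """Classify renewal urgency as ok / warn / critical / expired.

    Returns (status, days_left); days_left is negative once the registration
    has lapsed, i.e. the window in which a drop-catcher can take the name."""
    expiry = expiry_from_rdap(rdap_json)
    days_left = int((expiry - now).total_seconds() // 86400)
    if days_left < 0:
        return "expired", days_left
    if days_left <= critical_days:
        return "critical", days_left
    if days_left <= warn_days:
        return "warn", days_left
    return "ok", days_left


def fetch_rdap(domain: str) -> str:
    """Live lookup through the public RDAP bootstrap redirector (needs network)."""
    from urllib.request import urlopen
    with urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return resp.read().decode("utf-8")
```

Run `renewal_status(fetch_rdap("yourdomain.example"), datetime.now(timezone.utc))` from a daily job and page someone on anything other than "ok".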
When a Domain Name is Given up, We are Giving Up the Brand
It must however be recognized that when a Company registers
a domain name and builds a website, it is actually building a virtual asset
and creating a brand identity. When the domain name is not renewed, the
Company is actually handing over its brand to any other registrant. If the new
holder of the domain name happens to be diverting the domain name to a
pornographic site, or to a competitor's site, then the image of the brand
automatically gets tarnished.
Additionally, the Company is open to litigation for compensation, where
members of the public may allege that damage has been done to society due to
the negligence of the Company.
Thank God it was diverted to a Pornographic Site only!!
Looking back, CII should consider itself lucky in one sense. Imagine the
consequences if, instead of its site being diverted to a pornographic site,
the site had been diverted to an Al Qaeda sympathetic site. In that case, the
company officials may have faced charges under POTA.
Maybe the next company which is a victim of Cyberjacking could face such an
embarrassing and potentially dangerous situation.
What is the Remedy?
naavi.org strongly feels that any company that is desirous of harnessing the
potential of the Internet should also be aware of the risks and take
sufficient care to protect itself from such risks.
In cases such as the one faced by CII Southern Region, the domain name owner
has no option but to take legal steps without any delay to prevent the
established domain name from being misused. There are established procedures
and norms to guide Companies if they know where to seek assistance.
Cyber Security is Techno Legal Security
For the future guidance of Cyber players, however, we need to urge a total
rethinking of the concept of "Network Security" by the IT industry. naavi.org
has always highlighted that "Cyber Security" does not end with "Technical
Security". It needs a "Techno Legal Security Approach".
What this means is that it is not enough if we secure our network with a
powerful "Firewall". We need to also insure the Network owner against "Legal
Liabilities". This applies not only to a Company hosting a website with a
small hosting company, but also to a Bank or an Insurance Company which has
engaged an Infosys or Wipro to advise them on Network Security.
For example, CII can now be accused of "Negligence" in
handling an "Information Asset" resulting in damage to the moral values of the
community and a vicarious liability for assisting in the commission of a crime
under Section 67 of Information Technology Act.
A part of this responsibility will also be determined by what CII does now,
when it has been notified that an asset under its control is burning and
disturbing the peace of the surrounding environment. How quickly they can
bring down the site and minimize the damage could determine whether they
continue to be "negligent" or not.
Cyber Law Compliancy is the key
The issue of whether there will be legal liability or not will be determined
by analyzing the steps the organization has taken to be "Cyber Law Compliant"
before and after a damaging incident.
Today, neither the security managers nor the business managers in the
industry have properly insured themselves against "Cyber Legal Risks". The
CII case is one manifestation of this lack of preparedness.
Worldwide, many "Quality Certifiers" specialize in assessing and certifying
Corporate Business Risks and how a Company is prepared to meet them. Indian
Companies run after such certifications and are prepared to invest time and
money in the international quality certification process.
These so-called "Quality Certifications", which proclaim that an organization
is "Quality Standard Compliant" and can therefore be relied upon for long-term
business dealings, have not recognized that "Cyber Law Compliancy" is an
integral part of the ability of an organization to survive in the long run,
and any quality certification that ignores this fact is ignoring a major
business risk.
Examples of Companies whose business has been affected because of uncovered
legal risks include Radiant Software of Chennai and Napster of the USA. Even
the wiping out of the NBFC industry in India was a result of the "Lack of
Legal Compliancy". (The only problem here was that the law was imposed after
the business was developed and without adequate time for transition.)
Taking a cue from the experience of these companies, it is necessary for
Companies to wake up and take steps for "Cyber Law Compliancy". CII itself,
being the guiding force for the industry, should undertake a leadership role
in devising standard processes by which the Cyber Law Compliancy of Companies
can be audited, monitored and guided.
We hope that the current incident will catalyze action at the CII towards
preparing the Corporate community to secure their Cyber assets both
technically and legally.
Naavi
June 23, 2002