Lessons from the experience of CII Southern Region

The unfortunate incident in which the prestigious website of CII Southern Region, http://www.ciisr.org, ended up leading to a pornographic site presents many instructive lessons to industrial organizations in India.

It is reflective, at the corporate level, of:

1. A lack of cyber risk perception, and

2. A lack of awareness of the remedial action required.

Problem Analysis:

The problem faced by CII-South appeared at first glance to be a classic case of Cyberjacking (hijacking the visitors of a website), where an existing URL is diverted to a porno site. The objective of such an activity is to divert the visitors of a popular site to the porno site, and it keeps happening from time to time.

This is accomplished in one of two modes. The first mode is to hack into the DNS servers and change the IP address that the domain name maps to. The second mode is to hack into the web server where the site is maintained and replace the default page with a page that refreshes to the pornographic site.

In either case, it would come under the type of Cyber Crime called "Hacking", which according to the Information Technology Act 2000 is punishable with imprisonment up to 3 years and a fine of Rs 2 lakhs. Further, those who commit such crimes can be convicted even if they are outside India and are citizens of a foreign country.

What is required for conviction is to trace the culprits and gather evidence that would stand up in a court of law in India and elsewhere.

The Case of CII

The case of CII was interesting because the hijacking of visitors from the target site was facilitated by the organization failing to renew its domain name in time. Worldwide, Cyberjackers watch for popular domain names coming up for renewal and often lodge a registration request in advance, contingent on the original owner defaulting on renewal. Since this is done automatically, the booking takes place seconds after the earlier registration lapses.

Most registrars, however, do remind registrants repeatedly before the registration falls due. In spite of these reminders, missed renewals are a common affair for many companies.
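As an added illustration (not part of the original article, nor any tooling of CII or its registrar), the Python script below shows the kind of routine self-check a domain owner could run to catch the three warning signs described above: a registration about to lapse, a DNS answer that no longer points at the owner's own server, and a home page that meta-refreshes to an outside domain. The WHOIS excerpt, page body and IP addresses are constructed samples, and the expiry parser assumes a "Registry Expiry Date" line in ISO date format.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample inputs, not real records: a WHOIS excerpt, the fetched
# home page, and the address the owner expects the name to resolve to.
ARTICLE_DATE = date(2002, 6, 23)
SAMPLE_WHOIS = "Domain Name: EXAMPLE.ORG\nRegistry Expiry Date: 2002-07-01T00:00:00Z\n"
SAMPLE_HOMEPAGE = ('<html><head><meta http-equiv="refresh" '
                   'content="0; url=http://unrelated-site.example/"></head>'
                   '<body>Welcome</body></html>')
EXPECTED_IPS = {"192.0.2.10"}    # owner's own web server (constructed)
RESOLVED_IPS = {"198.51.100.7"}  # what DNS answered today (constructed)

def days_to_expiry(whois_text, today):
    """Days left on the registration, or None if no ISO expiry line is found."""
    m = re.search(r"Expiry Date:\s*(\d{4}-\d{2}-\d{2})", whois_text)
    return (date.fromisoformat(m.group(1)) - today).days if m else None

def meta_refresh_target(html):
    """URL named by a <meta http-equiv="refresh"> tag, or None (assumes http-equiv precedes content=)."""
    m = re.search(r'<meta[^>]*http-equiv=["\']refresh["\'][^>]*content=["\']([^"\']*)["\']',
                  html, re.IGNORECASE)
    if not m or ";" not in m.group(1):
        return None
    url = m.group(1).split(";", 1)[1].strip()
    return url[4:].strip() if url.lower().startswith("url=") else url

def is_offsite_redirect(html, own_domain):
    """True when the home page immediately refreshes to a different domain."""
    target = meta_refresh_target(html)
    host = (urlparse(target).hostname or "").lower() if target else ""
    if not host:                      # no refresh, or a relative (same-site) URL
        return False
    return host != own_domain and not host.endswith("." + own_domain)

def check_domain(own_domain, expected_ips, resolved_ips, whois_text, html,
                 today, warn_days=30):
    """Return the warning signs found; an empty list means all clear."""
    findings = []
    days = days_to_expiry(whois_text, today)
    if days is None:
        findings.append("expiry date not found in WHOIS record")
    elif days <= warn_days:
        findings.append(f"registration expires in {days} days")
    strays = sorted(set(resolved_ips) - set(expected_ips))
    if strays:
        findings.append(f"DNS resolves to unexpected address(es): {strays}")
    if is_offsite_redirect(html, own_domain):
        findings.append(f"home page redirects off-site to {meta_refresh_target(html)}")
    return findings
```

Calling check_domain("example.org", EXPECTED_IPS, RESOLVED_IPS, SAMPLE_WHOIS, SAMPLE_HOMEPAGE, ARTICLE_DATE) on the constructed samples reports all three warning signs; in practice the WHOIS text, DNS answers and page body would come from live lookups run on a schedule.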

Some companies take this lightly and think that what they have lost is merely a name for which they spent Rs 500/-, and that they can shift the website to an alternate domain name. This is exactly what CII Southern Region thought it would do, registering a new domain name, www.cii-south.org.

When a Domain Name is Given up, We are Giving Up the Brand

It must, however, be recognized that when a company registers a domain name and builds a website, it is actually building a virtual asset and creating a brand identity. When the domain name is not renewed, the company is actually handing over its brand to any other registrant. If the new holder of the domain name happens to divert it to a pornographic site, or to a competitor's site, the image of the brand is automatically tarnished.

Additionally, the company is open to litigation for compensation, where members of the public may allege that damage has been done to society due to the negligence of the company.

Thank God it was diverted to a Pornographic Site only!!

Looking back, CII should consider itself lucky in one sense. Imagine the consequences if, instead of being diverted to a pornographic site, the site had been diverted to an Al Qaeda sympathetic site. In that case, the company officials may have faced charges under POTA.

Maybe the next company to fall victim to Cyberjacking could face such an embarrassing and potentially dangerous situation.

What is the Remedy?

naavi.org strongly feels that any company that wishes to harness the potential of the Internet should also be aware of the risks and take sufficient care to protect itself from them.

In cases such as the one faced by CII Southern Region, the domain name owner has no option but to take legal steps without delay to prevent the established domain name from being misused. There are established procedures and norms to guide companies, if they know where to seek assistance.

Cyber Security is Techno Legal Security

For the future guidance of cyber players, however, we need to urge a total rethinking of the concept of "Network Security" by the IT industry. naavi.org has always highlighted that "Cyber Security" does not end with "Technical Security". It needs a "Techno Legal Security Approach".

What this means is that it is not enough to secure our network with a powerful "Firewall". We also need to insure the network owner against "Legal Liabilities". This applies not only to a company hosting a website with a small hosting company, but also to a bank or an insurance company which has engaged an Infosys or a Wipro to advise it on network security.

For example, CII can now be accused of "Negligence" in handling an "Information Asset", resulting in damage to the moral values of the community, and of vicarious liability for assisting in the commission of a crime under Section 67 of the Information Technology Act.

A part of this responsibility will also be determined by what CII does now, having been notified that an asset under its control is burning and disturbing the peace of the surrounding environment. How quickly it can bring down the site and minimize the damage could determine whether it continues to be "negligent" or not.

Cyber Law Compliancy is the key

The issue of whether there will be legal liability or not will be determined by analyzing the steps the organization has taken to be "Cyber Law Compliant", both before and after a damaging incident.

Today, neither the security managers nor the business managers in the industry have properly insured themselves against "Cyber Legal Risks". The CII case is one manifestation of this lack of preparedness.

Worldwide, many "Quality Certifiers" specialize in assessing and certifying corporate business risks and how well a company is prepared to meet them. Indian companies chase such certifications and are prepared to invest time and money in the international quality certification process.

These so-called "Quality Certifications", which proclaim that an organization is "Quality Standard Compliant" and can therefore be relied upon for long-term business dealings, have not recognized that "Cyber Law Compliancy" is an integral part of an organization's ability to survive in the long run. Any quality certification that ignores this fact is ignoring a major business risk.

Examples of companies whose business has been affected by uncovered legal risks include Radiant Software of Chennai and Napster of the USA. Even the wiping out of the NBFC industry in India was a result of a "Lack of Legal Compliancy". (The only problem there was that the law was imposed after the business had developed, without adequate time for transition.)

Taking a cue from the experience of these companies, it is necessary for companies to wake up and take steps towards "Cyber Law Compliancy". CII itself, being the guiding force for the industry, should take a leadership role in devising standard processes by which the Cyber Law Compliancy of companies can be audited, monitored and guided.

We hope that the current incident would catalyze action at the CII towards preparing the Corporate community to secure their Cyber assets both technically and legally.

Naavi

June 23, 2002