According to the Global Risks Report 2021, the failure of cyber security will be one of humanity’s most significant concerns in the coming decade. With a sizeable internet population, India has confronted significant cyber terrorism challenges in the last few decades. Cyber terrorism commonly includes coordinated and politically motivated attacks on information systems, programmes, or data. Cyber incidents that are menacing or frightening can be included in the definition of cyber terrorism. Attackers primarily aim to destroy or disrupt a country’s critical infrastructure.
Explanation to Section 70(1) of the Information Technology Act, 2000 defines critical information infrastructure as
“computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.”
Section 70A of the same act recognises National Critical Information Infrastructure Protection Centre (NCIIPC) as the national nodal agency. NCIIPC considers the following sectors as critical infrastructure: power, energy, banking, financial services, insurance, telecom, transport, government, strategic and public enterprises.
Prominent cyber terrorism incidents in India
Investigation of the 26/11 terrorist attack in Mumbai revealed evidence of terrorists using telecommunication technologies to learn about the map, human infrastructure, and location. They actively used Google Earth, a mobile network, and a social media platform to track the activities of Indian forces. Furthermore, they employed technology for converting auditory signals into data, making it impossible for Indian agencies to track down information sources.
In another instance, in June 2011, a security incident led to flight delays at Delhi’s IGI Airport Terminal 3. This incident led to the failure of the Common Use Passengers Processing System (CUPPS). CUPPS handles boarding gates, check-in counters, and information about arrival and departure times for the terminal. The system was down for more than 12 hours, and the airport management termed this a back-end server glitch in their press release. However, CBI registered a case for a virus attack wherein the perpetrator had executed malicious code from a remote location. The 2001 attack on the Indian Parliament also deserves mention. We have discussed this incident in detail here. Other examples of cyber terrorism include a cyber attack on the Kudankulam Nuclear Power Plant and small drones that dropped explosives at the Jammu Air Base.
In 2020, there was a tense stand-off at the India-China border along the Line of Control (LOC). A New York Times report claimed China was targeting India’s critical infrastructure to coerce India on the border issue. Red Echo, a state-sponsored attacking group backed by China, was considered responsible for this attack, resulting in Mumbai facing an electricity blackout.
Where does the Indian law stand?
The 2008 amendment to the Information Technology Act, 2000 added Section 66F, which deals with cyber terrorism. This provision provides life imprisonment for acts that threaten India’s integrity, unity, security, and sovereignty or to strike terror in the general public. The “acts” here include denying access to computer resources, attempting to penetrate a computer resource without authorisation, and introducing any computer contaminant. These acts are likely to cause death or injuries, destroy property, prevent supplies of services essential to the community, or adversely affect the country’s critical information infrastructure.
In the case of Mehid Masroor Biswas v. State of Karnataka, the accused-petitioner from Bangalore was operating a Twitter account to support the claims of ISIS. The accused successfully masked his identity using VPN and ghost IP addresses. He sent thousands of messages and posted content glorifying the Islamic Caliphate through his Twitter account. He was in regular contact with British Jihadis and even praised them as martyrs if they did. Channel 4 exposed him in December 2014, and the police charged him under various provisions of the Unlawful Action (Prevention) Act, 1967, the Indian Penal Code, 1860, and the Information Technology Act, 2000. While rejecting the accused’s bail petition, the Karnataka High Court opined that the allegations are prima facie true.
There are also examples of cases where Section 66F has been misapplied. For example, the Tamil Nadu Police filed an FIR against a social activist for creating a documentary about manual scavenging. In Amish Devgan v. Union of India & Ors, the police charged Amish Devgan, a news anchor, under Section 66F for allegations of hurting religious sentiments.
As our dependency on the internet increases, the potential damage of cyber terrorism will follow the trend. Attackers continuously evolve their tactics and look for the next target; we cannot sit back and relax. If malicious actors successfully infiltrate critical infrastructure, the impact is likely to be adverse and affect public life at large. In such a situation, the role of agencies like NCIIPC and CERT-in becomes more crucial than ever.
Featured Image Credits: Cyber background vector created by freepik – www.freepik.com