FIR misses cyber terrorism against RCC: experts

Terming the cyberattack on the Regional Cancer Centre (RCC) as an act of cyber terrorism, cyber experts have opined that the FIR filed on the case by Kerala Police was facilitating the evasion of Chinese criminals and whitewashing the crime for the benefit of terrorists.

Referring to Kerala Chief Minister Pinarayi Vijayan's recent comment on the State Police’s effectiveness in addressing cybercrimes, although they are generally recognised for their reliability and proficiency, the experts on Friday said the FIR seems like a 'collusive' one, specifically to whitewash the cyber terrorism.

Referring to certain vague points in the FIR, the experts clarified that "the cyber-terrorist attack happened in the servers of the RCC, not in the Internet."

The FIR has been registered under the Information Technology Act of 2000, invoking provisions 43(a), 43(d), 66, and 65, after two weeks since the event happened.

The investigating officer, tasked with elucidating the subsections of 43, has provided rather vague definitions for the latter two sections. It’s important to note that subsections 66(a) through 66(i) under Section 66 are currently in force, except for the Supreme Court’s repeal of 66(a).

A concerning factor is the attitude of the investigating officers, which may have inadvertently facilitated the cybercriminals’ evasion, whitewashing, and manipulation of the crime for the terrorist’s benefit, the experts felt.

Hence, the investigating officer must be very specific in charging the sections of the IT Act 2000 and follow the mandatory rules of the IT Act, they added.

"Section 66F of the IT Act defines cyber terrorism. Section 66F of the Information Technology Act, 2000, defines cyber-terrorism as acts committed with the intent to threaten India's unity, integrity, security, or sovereignty. These acts include denying access to computer resources and attempting to penetrate them without authorisation, introducing computer contaminants, causing death or injury to persons, property damage, disruption of community life, and adverse effects on critical information infrastructure."

"Committing these acts constitutes an offence and can result in imprisonment, potentially for life. Section 66F aims to address serious threats posed by cyberattacks, providing legal recourse against those involved, ensuring accountability, and safeguarding critical infrastructure."

"The Information Technology Act, 2000, especially Section 66F, is indeed a critical legal framework in the context of cyber-attacks on critical infrastructure."

"Cyber terrorism refers to acts committed in the digital realm with the intent to threaten the unity, integrity, security, or sovereignty of a nation. Instill terror in people or specific groups. These acts may include unauthorised access to computer resources, introducing malicious code, or disrupting critical information infrastructure. If such actions cause harm, damage, or disruption, they fall under the offence of cyber terrorism.”

In fact, Section 66F addresses serious offences related to cyberterrorism and aims to safeguard national security.

This act involves offences such as denying authorised access to a computer resource, attempting unauthorised infiltration or penetration to computer resources controlling critical infrastructure, planting malware or computer contaminants in these critical systems to sabotage normal operations, and stealing restricted information that may harm national security. The consequences include death, injuries, property or control of critical infrastructure damage, and disruption of essential services, which can lead to a doomsday scenario or harm to the critical information infrastructure of India.

Whoever commits cyber terrorism shall be punishable with imprisonment, which may extend to life imprisonment.

Another matter of grave concern is the belated digital evidence collection. Digital evidence and chain of custody must be done as quickly as possible, with the help of a technical (domain) expert.

It is imperative to approach such matters with vigilance and precision to ensure justice and uphold cybersecurity.

“In addition to disclosing data, the RCC breach has had an impact on people. Imagine receiving treatment after receiving a diagnosis, only to learn later that someone else has access to your penalised health records. The potential for con artists to take advantage of you is another cause for concern and confusion. RCC's silence adds to the concern. Security professionals' advice to monitor medical statements misses how seriously the intrusion could impact patients' lives.”

Section 66 of the IT Act, 2000, has been divided into several sub-sections, denoted as 66A to 66I. Each of these sub-sections addresses specific aspects related to cybercrimes and offences.

Section 66A was part of the original IT Act but has since been repealed. It criminalised the sending of offensive messages through a computer or other communication devices. Sending information that is grossly offensive, false, and meant to cause annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will.

The Supreme Court ruled in 2015 that Section 66A of the IT Act, 2000, was unconstitutional. The Act aimed to recognise e-commerce and address digital transactions, security, and electronic data. However, the provision faced criticism for its vague language and potential misuse.

The Supreme Court declared Section 66A unconstitutional, violating freedom of speech and expression under Article 19 (1) (a) of the Indian Constitution. The provision did not fall within reasonable restrictions permitted by Article 19 (2) and was considered open-ended and susceptible to misuse.

Since its repeal, 1,307 cases were still registered under Section 66A across India, highlighting continued enforcement.

Section 66B of the IT Act, 2000, deals with the receipt of stolen computer resources or communication devices. Section 66B prescribes penalties for dishonestly handling stolen digital assets, emphasising the importance of ethical conduct in the digital realm.

"Whoever dishonestly receives or retains any stolen computer resource or communication device, knowing or having reason to believe the same to be a stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with a fine which may extend to rupees one lakh.

This section aims to curb offences related to stolen computer resources or communication devices. If someone knowingly receives or keeps a stolen computer resource or communication device, they can face imprisonment or a fine.

The punishment can be imprisonment for up to three years, a fine of up to one lakh rupees, or both.

Section 66C of the IT Act, 2000, deals with identity theft. Section 66C emphasises the importance of safeguarding personal identification features and penalises those who misuse them.

“Whoever, fraudulently or dishonestly, makes use of the electronic signature, password, or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to a fine which may extend to rupees one lakh.”

This section aims to address offences related to identity theft in the digital realm. If someone fraudulently or dishonestly uses another person’s electronic signature, password, or unique identification feature, they can face imprisonment or a fine. The punishment can be imprisonment for up to three years and a fine of up to one lakh rupees, or both.

Section 66D of the IT Act, 2000, deals with the punishment for cheating by personation by using a computer resource. Section 66D emphasises the importance of safeguarding personal identities and penalises those who engage in deceptive impersonation.

"Whoever, by means of any communication device or computer resource, cheats by personating shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to a fine, which may extend to one lakh rupees.”

This section addresses offences related to identity theft and fraudulent impersonation in the digital domain. If someone fraudulently or dishonestly uses another person’s identity through a communication device or computer resource, they can face imprisonment or a fine. The punishment can be imprisonment for up to three years and a fine of up to one lakh rupees, or both.

Section 66E of the IT Act, 2000, deals with violations of privacy. Here are the key points: Whoever intentionally or knowingly captures, publishes, or transmits the image of a private area of any person without their consent, under circumstances that violate the privacy of that person, shall be punished with imprisonment (which may extend to three years), a fine not exceeding two lakh rupees, or both imprisonment and fine."

"In essence, Section 66E prohibits electronic voyeurism and penalises the capturing, publishing, and transmission of images of a person’s private area without their consent, under circumstances that violate their privacy. It aims to safeguard individuals’ privacy rights in the digital realm."

"Despite the lack of a dedicated book on Section 66F, ongoing efforts to educate, discuss, and analyse this provision are essential for safeguarding critical infrastructure."

"Thus, the IT Act, 2000, in India addresses these issues and prescribes penalties for those involved in cyber terrorism."

Legal frameworks are a comprehensive system of laws, rules, and principles. that govern a particular jurisdiction. They ensure consistency, fairness, and predictability in legal processes by guiding how laws are interpreted, enforced, and applied.

Legal frameworks can be local or national, with local rules pertaining to procedural matters within specific court systems and statutes covering substantive areas applicable to the entire jurisdiction.

Jurisdiction, on the other hand, refers to the authority of a court or legal system to hear and decide cases. It determines which court's decisions are binding in a specific matter and can be based on geographical boundaries, subject-matter jurisdiction, or personal jurisdiction.

Determining jurisdiction can be complex, especially in cases involving cross-border issues or online activities.

Section 66G of the IT Act, 2000, deals with tampering with computer source documents. Section 66G emphasises the importance of preserving the integrity of computer source code. and penalises those who engage in malicious alterations.

“Whoever intentionally or knowingly conceals, destroys, alters, or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code used for a computer resource, with an intention to cause damage, shall be punished with imprisonment for a term which may extend to three years or with a fine that may extend to two lakh rupees.

This section addresses offences related to tampering with computer source code. If someone intentionally conceals, destroys, or alters computer source code with the intent to cause damage, they can face imprisonment or a fine. The punishment can be imprisonment for up to three years, a fine of up to two lakh rupees, or both.

Section 66H of the IT Act, 2000, deals with tampering with computer source documents. Section 66H emphasises the importance of preserving the integrity of computer source code. and penalises those who engage in malicious alterations.

“Whoever intentionally or knowingly conceals, destroys, alters, or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code used for a computer resource to cause damage shall be punished with imprisonment of either description for a term which may extend to three years or with a fine which may extend to two lakh rupees, or with both.”

This section addresses offences related to tampering with computer source code. If someone intentionally conceals, destroys, or alters computer source code with the intent to cause damage, they can face imprisonment or a fine. The punishment can be imprisonment for up to three years, a fine of up to two lakh rupees, or both.

Section 66I of the IT Act, 2000, deals with punishment for dishonestly receiving stolen computer resources or communication devices. Section 66I emphasises the importance of ethical conduct and penalises those who dishonestly handle stolen digital assets.

“Whoever dishonestly receives or retains any stolen computer resource or communication device, knowing or having reason to believe the same to be a stolen computer resource or communication device, shall be punished with imprisonment for a term which may extend to three years, with a fine which may extend to rupees one lakh, or with both.”

This section pertains to offences related to stolen computer resources or communication devices. If someone knowingly receives or keeps a stolen computer resource or communication device, they can face imprisonment or a fine. The punishment can be imprisonment for up to three years, a fine of up to one lakh rupees, or both.

In one of the highest volumes of cyberattacks in India, details of 20 lakh patients with the RCC here were compromised, affecting 11 out of 14 servers and causing disruptions in many divisions, including the Radiation Department. The attack compromised the health information of over 20 lakh patients and demanded a ransom in cryptocurrency.