#FactCheck-A manipulated image showing Indian cricketer Virat Kohli allegedly watching Rahul Gandhi's media briefing on his mobile phone has been widely shared online.

Introduction

The digital realm is evolving at a rapid pace, revolutionising cyberspace at a breakneck speed. However, this dynamic growth has left several operational and regulatory lacunae in the fabric of cyberspace, which are exploited by cybercriminals for their ulterior motives. One of the threats that emerged rapidly in 2024 is proxyjacking, in which vulnerable systems are exploited by cyber criminals to sell their bandwidth to third-party proxy servers. This cyber threat poses a significant threat to organisations and individual servers. 

Proxyjacking is a kind of cyber attack that leverages legit bandwidth sharing services such as Peer2Profit and HoneyGain. These are legitimate platforms but proxyjacking occurs when such services are exploited without user consent. These services provide the opportunity to monetize their surplus internet bandwidth by sharing with other users. The model itself is harmless but provides an avenue for numerous cyber hostilities.  The participants install net-sharing software and add the participating system to the proxy network, enabling users to route their traffic through the system. This setup intends to enhance privacy and provide access to geo-locked content. 

The Modus Operandi

These systems are hijacked by cybercriminals, who sell the bandwidth of infected devices. This is achieved by establishing Secure Shell (SSH) connections to vulnerable servers. While hackers rarely use honeypots to render elaborate scams, the technical possibility of them doing so cannot be discounted. Cowrie Honeypots, for instance, are engineered to emulate UNIX systems. Attackers can use similar tactics to gain unauthorized access to poorly secured systems. Once inside the system, attackers utilise legit tools such as public docker images to take over proxy monetization services. These tools are undetectable to anti-malware software due to being genuine software in and of themselves. Endpoint detection and response (EDR) tools also struggle with the same threats.

The Major Challenges 

Limitation Of Current Safeguards – current malware detection software is unable to distinguish between malicious and genuine use of bandwidth services, as the nature of the attack is not inherently malicious. 

Bigger Threat Than Crypto-Jacking – Proxyjacking poses a bigger threat than cryptojacking, where systems are compromised to mine crypto-currency. Proxyjacking uses minimal system resources rendering it more challenging to identify. As such, proxyjacking offers perpetrators a higher degree of stealth because it is a resource-light technique, whereas cryptojacking can leave CPU and GPU usage footprints.

Role of Technology in the Fight Against Proxyjacking

Advanced Safety Measures- Implementing advanced safety measures is crucial in combating proxyjacking. Network monitoring tools can help detect unusual traffic patterns indicative of proxyjacking. Key-based authentication for SSH can significantly reduce the risk of unauthorized access, ensuring that only trusted devices can establish connections. Intrusion Detection Systems and Intrusion Prevention Systems can go a long way towards monitoring unusual outbound traffic.

Robust Verification Processes- sharing services must adopt robust verification processes to ensure that only legitimate users are sharing bandwidth. This could include stricter identity verification methods and continuous monitoring of user activities to identify and block suspicious behaviour. 

Policy Recommendations

Verification for Bandwidth Sharing Services – Mandatory verification standards should be enforced for bandwidth-sharing services, including stringent Know Your Customer (KYC) protocols to verify the identity of users. A strong regulatory body would ensure proper compliance with verification standards and impose penalties. The transparency reports must document the user base, verification processes and incidents. 

Robust SSH Security Protocols – Key-based authentication for SSH across organisations should be mandated, to neutralize the risk of brute force attacks. Mandatory security audits of SSH configuration within organisations to ensure best practices are complied with and vulnerabilities are identified will help. Detailed logging of SSH attempts will streamline the process of identification and investigation of suspicious behaviour. 

Effective Anomaly Detection System – Design a standard anomaly detection system to monitor networks. The industry-wide detection system should focus on detecting inconsistencies in traffic patterns indicating proxy-jacking. Establishing mandatory protocols for incident reporting to centralised authority should be implemented. The system should incorporate machine learning in order to stay abreast with evolving attack methodologies.

Framework for Incident Response – A national framework should include guidelines for investigation, response and remediation to be followed by organisations. A centralized database can be used for logging and tracking all proxy hacking incidents, allowing for information sharing on a real-time basis. This mechanism will aid in identifying emerging trends and common attack vectors. 

Whistleblower Incentives – Enacting whistleblower protection laws will ensure the proper safety of individuals reporting proxyjacking activities. Monetary rewards provide extra incentives and motivate individuals to join whistleblowing programs. To provide further protection to whistleblowers, secure communication channels can be established which will ensure full anonymity to individuals. 

Conclusion

Proxyjacking represents an insidious and complicated threat in cyberspace. By exploiting legitimate bandwidth-sharing services, cybercriminals can profit while remaining entirely anonymous. Addressing this issue requires a multifaceted approach, including advanced anomaly detection systems, effective verification systems, and comprehensive incident response frameworks. These measures of strong cyber awareness among netizens will ensure a healthy and robust cyberspace. 

References 

• https://gridinsoft.com/blogs/what-is-proxyjacking/
• https://www.darkreading.com/cyber-risk/ssh-servers-hit-in-proxyjacking-cyberattacks
• https://therecord.media/hackers-use-log4j-in-proxyjacking-scheme

‍

Introduction

The Digital Personal Data Protection (DPDP) Act, of 2023, introduces a framework for the protection of personal data in India. Data fiduciaries are the entity that essentially determines the purpose and means of processing of personal data. The small-scale industries also fall within the ambit of the term. Startups/Small companies and Micro, Small, and Medium Enterprises (MSMEs) while determining the purpose of processing of personal data in the capacity of ‘data fiduciary’ are also required to comply with the DPDP Act provisions. The obligations set for the data fiduciary will apply to them unilaterally, though compliance with this Act and can be challenging due to resource constraints and limited expertise in data protection. 

DPDP Act, 2023 Section 17(3) gives power to the Central Government to exempt Startups from being obligated to comply with the Act, taking into account the volume and nature of personal data processed. It is the nation's first standalone law on data protection and privacy, which sets forth strict rules on how data fiduciaries can collect and process personal data, focusing on consent-based mechanisms and personal data protection. Small-scale industries are given more time to comply with the DPDP Act. The detailed provisions to be notified in further rulemaking called ‘DPDP rules’.

Obligations on Data Fiduciary under the DPDP Act, 2023

The DPDP Act focuses on processing digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. Hence, small-scale industries also need to comply with provisions aimed at protecting digital personal data.

The key requirements to be considered:

• Data Processing Principles: Ensuring that data processing is done lawfully, fairly, and transparently. Further, the collection and processing of personal data is only for specific, clear, and legitimate purposes and only the data necessary for the stated purpose. Ensuring that the data is accurate and up to date is also necessary. An important part is that the data is not retained longer than necessary and appropriate security measures are taken to protect the said data.
• Consent Management: Clear and informed consent should be obtained from individuals before collecting their personal data. Further, individuals have the option to withdraw their consent easily.
• Rights of Data Principals: Data principals (individuals) whose data is being collected have the right to Information, the right to correction and erasure of data, the right to grievance redressa, Right to nominate.the right to access, correct, and delete their personal data. Data fiduciaries need to be mindful of mechanisms to handle requests from data principals regarding their concerns.
• Data Breach Notifications: Data fiduciaries are required to notify the data protection board and the affected individuals in case a data breach has occurred.
• Appropriate technical and organisational measures: A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.Cross-border Data Transfers: Compliance with regulations in relation to the transfer of personal data outside of India should be ensured.

Challenges for Small Scale Industries for the DPDP Act Compliance 

While small-scale industries have high aims for their organisational growth and now in the digital age they also need to place reliance on online security measures and handling of personal data, with the DPDP act in the picture it becomes an obligation to consider and comply with. As small-scale industries including MSMEs, they might face certain challenges in fulfilling these obligations but digital data protection measures will also boost the competitive market and customer growth in their business. Bringing reforms in methods aimed at better data governance in today's digital era is significant. 

One of the major challenges for small-scale industries could be ensuring a skilled workforce that understands and educates internal stakeholders about the DPDP Act compliances. This could undoubtedly become an additional burden.

Further, the limited resources can make the implementation of data protection, which is oftentimes complex for a layperson in the case of a small-scale industry, difficult to implement. Limitations in resources are often financial or human resources.

Cybersecurity, cyber awareness, and protection from cyber threats need some form of expertise, which is lacking in small enterprises. The outsourcing of such expertise is a decision that is sometimes taken too late, and some form of harm can take place between the periods by which an incident can occur.

Investment in the core business or enterprise many times doesn't include technology other than the basic requirements to run the business, nor towards ensuring that the data is secure and all compliances are met. However, in the fast-moving digital world, all industries need to be mindful of their efforts to protect personal data and proper data governance.

Recommendations 

To ensure the proper and effective personal data handling practices as per the provisions of the act, the small companies/startups need to work backend and frontend and ensure that they take adequate measures to comply with the act. While such industries have been given more time to ensure compliance, there are some suggestions for them to be compliant with the new law.

Small companies can ensure compliance with the DPDP Act by implementing robust data protection policies, investing in and providing employee training on data privacy, using age-verification mechanisms, and adopting privacy-by-design principles. Conduct a gap analysis to identify areas where current practices fall short of DPDP Act requirements. Regular audits, secure data storage solutions, and transparent communication with users about data practices are also essential. Use cost-effective tools and technologies for data protection and management.

Conclusion

Small-scale industries must take proactive steps to align with the DPDP Act, 2023 provisions. By understanding the requirements, leveraging external expertise, and adopting best practices, small-scale industries can ensure compliance and protect personal data effectively. In the long run, complying with the new law would lead to greater trust and better business for the enterprises, resulting in a larger revenue share for them.

References

• https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1959161 
• https://www.financialexpress.com/business/digital-transformation-dpdp-act-managing-data-protection-compliance-in-businesses-3305293/ 
• https://economictimes.indiatimes.com/tech/technology/big-tech-coalition-seeks-12-18-month-extension-to-comply-with-indias-dpdp-act/articleshow/104726843.cms?from=mdr 

‍

Introduction

‍
In today’s digital era, warfare is being redefined. Defence Minister Rajnath Singh recently stated that “we are in the age of Grey Zone and hybrid warfare where cyber-attacks, disinformation campaigns and economic warfare have become tools to achieve politico-military aims without a single shot being fired.” The crippling cyberattacks on Estonia in 2007, Russia’s interference in the 2016 US elections, and the ransomware strike on the Colonial Pipeline in the United States in 2021 all demonstrate how states are now using cyberspace to achieve strategic goals while carefully circumventing the threshold of open war.

Legal Complexities: Attribution, Response, and Accountability

‍

Grey zone warfare challenges the traditional notions of security and international conventions on peace due to inherent challenges such as :

• Attribution
  The first challenge in cyber warfare is determining who is responsible. Threat actors hide behind rented botnets, fake IP addresses, and servers scattered across the globe. Investigators can follow digital trails, but those trails often point to machines, not people. That makes attribution more of an educated guess than a certainty. A wrong guess could lead to misattribution of blame, which could beget a diplomatic crisis, or worse, a military one.
• Proportional Response
  Even if attribution is clear, designing a response can be a challenge. International law does give room for countermeasures if they are both ‘necessary’ and ‘proportionate’. But defining these qualifiers can be a long-drawn, contested process. Effectively, governments employ softer measures such as protests or sanctions, tighten their cyber defences or, in extreme cases, strike back digitally.
• Accountability
  States can be held responsible for waging cyber attacks under the UN’s Draft Articles on State Responsibility. But these are non-binding and enforcement depends on collective pressure, which can be slow and inconsistent. In cyberspace, accountability often ends up being more symbolic than real, leaving plenty of room for repeat offences.

International and Indian Legal Frameworks

‍

Cyber law is a step behind cyber warfare since existing international frameworks are often inadequate. For example, the Tallinn Manual 2.0, the closest thing we have to a rulebook for cyber conflict, is just a set of guidelines. It says that if a cyber operation can be tied to a state, even through hired hackers or proxies, then that state can be held responsible. But attribution is a major challenge. Similarly, the United Nations has tried to build order through its Group of Governmental Experts (GGE) that promotes norms like “don’t attack. However, these norms are not binding, effectively leaving practice to diplomacy and trust.

India is susceptible to routine attacks from hostile actors, but does not yet have a dedicated cyber warfare law.  While Section 66F of the IT ACT, 2000, talks about cyber terrorism, and Section 75 lets Indian courts examine crimes committed abroad if they impact India,  grey-zone tactics like fake news campaigns, election meddling, and influence operations fall into a legal vacuum.

Way Forward

‍

• Strengthen International Cooperation
  Frameworks like the Tallinn Manual 2.0 can form the basis for future treaties. Bilateral and multilateral agreements between countries are essential to ensure accountability and cooperation in tackling grey zone activities.
• Develop Grey Zone Legislation
  India currently relies on the IT Act, 2000, but this law needs expansion to specifically cover grey zone tactics such as election interference, propaganda, and large-scale disinformation campaigns.
• Establish Active Monitoring Systems
  India must create robust early detection systems to identify grey zone operations in cyberspace. Agencies can coordinate with social media platforms like Instagram, Facebook, X (Twitter), and YouTube, which are often exploited for propaganda and disinformation, to improve monitoring frameworks.
• Dedicated Theatre Commands for Cyber Operations
  Along with the existing Defence Cyber Agency, India should consider specialised theatre commands for grey zone and cyber warfare. This would optimise resources, enhance coordination, and ensure unified command in dealing with hybrid threats.

Conclusion

‍

Grey zone warfare in cyberspace is no longer an optional tactic used by threat actors but a routine activity. India lacks the early detection systems, robust infrastructure, and strong cyber laws to counter grey-zone warfare. To counter this, India needs sharper attribution tools for early detection and must actively push for stronger international rules in this global landscape. More importantly, instead of merely blaming without clear plans, India should focus on preparing for solid retaliation strategies. By doing so, India can also learn to use cyberspace strategically to achieve politico-military aims without firing a single shot.

References

‍

• Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt)
• UN Document on International Law in Cyberspace (UN Digital Library)
• NATO Cyber Defence Policy
• Texas Law Review: State Responsibility and Attribution of Cyber Intrusions
• Deccan Herald: Defence Minister on Grey Zone Warfare
• VisionIAS: Grey Zone Warfare
• Sachin Tiwari, The Reality of Cyber Operations in the Grey Zone

‍