Comprehensive legal framework a must to curb cybercrime
THE spread of the Internet has made our lives convenient. India has made fast strides towards adopting this technology. The number of digital transactions in the country crossed 10,000 crore in the 2022-23 financial year. However, this convenience has brought some hazards and made us vulnerable to cybercrime. As many as 10.29 lakh cases were reported on the Indian Cybercrime Coordination Centre (I4C) portal in 2022, a jump of 125 per cent over the previous year. Similarly, cyber complaints on the National Cybercrime Helpline have been growing rapidly, with 49 lakh calls made in 2022. However, FIRs were registered in less than 2 per cent of these complaints.
Today, the cyber world is encountering cybercrimes such as online harassment, financial fraud, social media fraud, e-commerce fraud and e-mail-related fraud. Cybercrime perpetrators do not require complex skills or techniques as malware toolkits are readily available. In the Indian context, the cyber criminals and more particularly cyber fraudsters are mostly in the age group of 18-35 years and have barely completed school education. Cybercrime has evolved into a profit-driven industry, with cyber criminals developing training modules.
Cyber security has become a critical concern for businesses, individuals and services. Suspects frequently use anonymisation and obfuscation technologies to commit cybercrime. There are eight main external and internal threats emanating from cyberspace: cyber espionage, supply chain attacks, cyber terrorism, ransomware, critical infrastructure disruption, disruption of services, inter-state organised cybercrime and cyber financial fraud.
International cybercriminal gangs operating from West Asia and South East Asia are using illegal loan apps, Ponzi schemes, gaming and dating apps. Hotspot states and districts in India have been identified after an analysis of the origin of around 11 lakh cases of cyber financial fraud. Six districts of India — Bharatpur, Mathura, Nuh, Deoghar, Jamtara and Gurugram — accounted for about 70 per cent of all complaints of financial fraud, while 20 districts accounted for 99 per cent of them.
In India, the Information Technology Act, 2000, is the principal Act governing the entire cyberspace, and it was last amended in 2008. This legal framework and its amendment provide for an enabling regime for legal recognition of e-commerce, e-governance, electronic records and transactions, e-signature, cybercrimes with punishments and penalties. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023, provide for Internet-enabled businesses or intermediaries, including social media platforms and mobile applications.
The agencies countering cyber threats in India include CERT-In, National Critical Information Infrastructure Protection Centre (NCIIPC) and I4C. CERT-In is the national nodal agency for responding to computer security incidents. NCIIPC is the national nodal agency in respect of protection against the unauthorised access, modification, use, disruption and incapacitation of critical information infrastructure. Similarly, I4C provides the framework and ecosystem for law enforcement agencies in dealing with cybercrime in a coordinated and comprehensive manner. I4C functions through its seven verticals: cybercrime reporting portal, threat analysis unit, forensics, training, research, coordination, and ecosystem management units.
Cybercrime investigation is a rough road and digital forensics is a challenge because of the anonymity of the perpetrator, the volatile nature of digital evidence, high vulnerability of data contamination and the borderless cyberspace. The first Cyber Forensic Laboratory was established in Hyderabad; last year, it was upgraded as the National Cyber Forensic Laboratory. Another National Cybercrime Forensic Laboratory, located in New Delhi, helps investigating officers carry out forensic analysis of digital evidence. At present, we have a nationwide network of forensic laboratories notified as ‘Examiner of Electronic Evidences’. But considering the scale at which cybercrime and cyber fraud are increasing and digital data is being created, the existing facilities are proving insufficient. We need more cyber forensic labs with professional digital analysts.
CERT-In has identified four major threats: espionage, supply chain attacks, cyber terrorism and ransomware. The government has identified seven critical sectors of the economy vulnerable to cyber threats: banking and financial services, telecom, power and energy, transport, health, strategic and public enterprises and government. Cyber criminals are using fake emails and fake websites to gain access to government departments. In cyber terrorism, hostile elements are using new customised applications in smartphones in which data is encrypted, stored offline and automatically gets deleted after certain time. This modus operandi was detected in the 2019 Pulwama attack and the 2022 Udaipur beheading. Besides, ransomware attacks are rising, with AIIMS, Jawaharlal Nehru Port Trust and SpiceJet being among the victims. CERT-In has identified three major challenges in dealing with these threats: lack of cyber hygiene due to use of unsupported software; lack of advanced forensic skills; and inadequate action on cyber threat intelligence.
The IT Act is unable to keep the law enforcement agencies a step ahead of the cyber criminals. Thus, the need to create a new comprehensive legal framework to address the gaps in the IT Act cannot be overstated; it should incorporate victim protection, trial by video-conferencing and the creation of special courts.
Lack of trained manpower, financial resources, absence of minimum cyber standards, lack of cyber hygiene and excessive dependence on foreign vendors are the other challenging issues which require immediate attention. At the state level, cyber capacity-building and a dedicated and trained technical cadre in the police may be considered. Each state should set up a dedicated cybercrime coordination centre on the lines of I4C. Hotspots require focused attention.
With so much at stake in the cyber world, we cannot take chances. Bill Gates once said, “Security is our top priority because for all the exciting things you will be able to do with computers — organising your lives, staying in touch with people, being creative — if we don’t solve these security problems, people will hold back.”