Indian law enforcement up against cyber criminals who keep upping the stakes


New Delhi, Jan 21 (IANS): With the benefit of the internet and other technologies also comes the obvious flip side -- criminal behaviour.

Cyber technology opens new vistas for bad actors, making them conspire and commit crimes more conveniently, each progressive day. Identity of the individual, travel to ground zero and tools of the trade have all become irrelevant. How can anyone, leave alone a government, penetrate the mind of a cybercriminal to prevent a crime?

Tom Cruise's 'Minority Report' notwithstanding, the world is far from reaching an effective remedy. The issue is not just that the impact of a crime is realized and assessed only once it is committed; it is also the issue of 'crime', civil wrong and bad behaviour evolving each day. Law enforcement working on robberies and motor vehicle accidents is now probably dumbfounded by the elementary nature of traditional crimes.

Cybercrime is far more destructive and affects a wider number of victims. Simply put, cybercrime uses technology to commit traditional offences. Such crime doesn't know the boundaries of an individual, state, or nation -- each is more vulnerable than the other.

And as we spend more time online, and public institutions go further online, this online misbehaviour is bound to increase. How far online does law enforcement go?

The Information Technology Act, 2000, which doesn't define 'cybercrime', is our primary source of comfort in terms of remedies for such bad behaviour. This Act does define, however, various offences related to cybercrime, such as hacking, phishing, and identity theft. These offences are categorized into three categories: unauthorized access to computer systems, data theft, and destruction or alteration of computer systems. In addition to the offence, the Act lays down the punishments too, which range from fines to imprisonment.

The Information Technology (Amendment) Act, 2008, addressed evolving (new) offences, including sending offensive messages, publishing sexually explicit material, and breaching confidentiality.

Under Section 70B of the Act, the Central government appointed the Indian Computer Emergency Response Team (CERT-In) as the national nodal agency for incident response. CERT-In collects, analyses, forecasts and issues advisories, alerts and guidelines on cyber incidents. This is in addition to taking emergency measures for handling cyber security incidents, and coordination of cyber incidents response activities.

The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 form the basis of a legal structure for social media platforms, over-the-top (OTT) platforms, and digital news providers. CERT-In requires the reporting of cybersecurity incidents within six hours of getting to know about them.

A bit of a stretch, but at least it is doing its bit to secure Indian cyberspace by providing guidance and advisories to computer users on possible threats and bad actors. Critical Information Infrastructure (CII) is defined as "facilities, systems or functions whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation", under the Act.

CII is monitored by the National Critical Information Infrastructure Protection Centre (NCIIPC). Critical sectors include power and energy; banking, financial services, and insurance; telecommunication and information; transportation; government; strategic and public enterprises; and, recently, some private banks such as ICICI and HDFC.

Certain sectoral regulators, like the Reserve Bank of India (RBI), have issued comprehensive Cyber Security Frameworks for entities regulated by them. While the adequacy of the above may be a discussion item, there is a larger issue here.

We are discussing techno-legal offences here. This assumes that law enforcement has knowledge, expertise and understanding of both the legal as well as certain technical aspects and procedures.

The evidence here is intangible. Despite the laudatory OTT series 'Indian Police Force', is it fair to assume that an Investigating Officer has the technical knowledge and special skills to collect intangible evidence? Cyber forensics is yet to find its rightful place in the procedural rules currently laid down in India. Being a country that constantly evolves, most investigating agencies have adopted their own Standard Operating Procedure (SOP) which includes forensic aspects.

For Indian law enforcement, though, it is the Indian Penal Code (IPC) that continues to be its Bible and loadstar. The IPC does contain provisions related to cybercrime (notably Sections 406, 408, 420, and 468 which deal with offences related to online fraud and cheating; and Section 509, which deals with offences related to online harassment and stalking).

In terms of procedure, investigation, trial and punishment for criminal offences, it is the Criminal Procedure Code (CrPC) that law enforcement follows in India. The CrPC also directs law enforcement on the rules for arrest, search, seizure, and bail.

The challenge comes when CrPC is expected to access data stored by criminals without physical boundaries. How much more complicated can we make it for our Investigating Officers to collect, analyse and appreciate evidence of cyber crimes, leave alone preserve it? Transnational cyberspace needs more than Indian domestic law to be policed.

Then comes the issue of multinational internet service providers and ISPs. Unless they coordinate with Indian law enforcement agencies, the collection of evidence and monitoring becomes even more complex.

Finally, tangible or intangible evidence would need to pass the test of the Indian Evidence Act. Only then would it be admissible in criminal trials. India would need to seriously consider jurisdiction-related issues to address issues related to cybercrime. Possibly relook at bilateral and multilateral agreements with countries. If possible, enter into regional or international arrangements in the form of conventions. Private-public dialogue and cooperation are also essential to control cybercrime.

The government and the research and development wings of the various investigating agencies need to keep up with sophisticated technologies essential to tackle the menace of cybercrime.

Last year, we got the National Cyber Security Policy 2023 with the stated objective of safeguarding both information and \infrastructure in cyberspace. It is designed to instil a high level of trust and confidence in IT systems while fortifying a regulatory framework to ensure security and bolster the safeguarding and resilience of the nation's CII.

It will establish capabilities needed to prevent and respond effectively to cyber threats, as well as to minimise vulnerabilities and mitigate the impact of cyber incidents. This will be achieved through a combination of institutional structures, skilled individuals, established processes, advanced technology, and collaborative efforts.

The Central Government launched a National Cyber Crime Reporting Portal to enable citizens to report complaints pertaining to all types of cybercrime, with a special focus on crimes against women and children.

Additionally, the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) provides for the detection of malicious programmes and provides free tools for cleaning up malicious code.

Last year, we also saw the Digital Personal Data Protection Act 2023 (DPDPA) being notified. The DPDPA deals with the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.

Next in line is the Digital India Act, which will replace the IT Act, and address issues relating to new-age technologies, especially AI and blockchain.

There may be indications of where we are headed in terms of cyber security in India. The growth of the IT/ITES industry in India, however, requires the security of adequate legal protection and suitable enforcement measures. It is not just CERT-In that will provide a safer cyber world to India; it will take each one of us to come together to contribute to the effective regulation of cyber crimes.

 

  

Top Stories


Leave a Comment

Title: Indian law enforcement up against cyber criminals who keep upping the stakes



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.