Cybercrime: A Rising Threat to Internal Security

Rajinder Kumar Vij - Indian Police Service (Retd.)

Introduction

The recently published crime data by the National Crime Record Bureau (NCRB) shows that the number of registered cybercrimes increased significantly from 12,317 in 2016 to 65,893 in 2022, that is, about 435 % in the last seven years; with fraud, extortion and sexual exploitation accounting for the majority of cases in 2022.

According to the Indian Cyber Crime Coordination Centre (IC4) data shared in January 2024 by an official of the Ministry of Home Affairs (MHA), more than three million complaints had been reported since the online portal cybercrime.gov.in was launched by the Central Government in August 2019.

In the case of online financial frauds, the transaction can, if reported quickly through this portal or through the national helpline number 1930, be blocked and the defrauded money may be stopped from passing into the hands of criminals as more than 263 banks are linked to this portal.

The MHA official said that about Rs 922 crore of defrauded money (about 12.32%) was recovered in 2023 which was more than Rs 36 crore (about 6.73%) in 2021. Many online frauds were found to have originated from nations like Myanmar, Cambodia and Dubai as well as China.

Before having a discussion on the preparedness to tackle cybercrimes and emerging challenges in India, it will be relevant to analyse the impact of such incidents on our daily lives.

Impact of Cybercrime

In November 2022, the online services of the All India Institute of Medical Sciences (AIIMS) Delhi were disrupted due to the ransomware attack on its servers (provided and managed by the National Informatics Centre). It was only with the help of the national nodal agency in respect of Critical Information Infrastructure Protection, the Indian Computer Emergency Response Team (CERT-In), that the data for ‘e-Hospital’ could be retrieved from a back-up server and most of the functions restored on new servers after about two weeks. A case of ‘cyber terrorism’ and extortion was registered under the relevant sections of the Information Technology (IT) Act and the Indian Penal Code (IPC) was handled by the Intelligence Fusion Strategic Operations (IFSO), the specialised unit of the Delhi Police, to deal with this cybercrime.

The IT ministry informed the Parliament subsequently that the servers were compromised due to “improper network segmentation” which caused operational disruption due to non-functionality of critical applications. The preliminary analysis revealed that “five servers were found to be affected and approximately 1.3 Terabytes of data was encrypted”. The Minister clarified that “no specific amount of ransom was demanded by the hackers though a message was discovered on the server suggesting that it was a cyberattack”. According to cyber experts, ‘improper network segmentation’ implies that the firewall deployed to protect the network was not configured properly and the (unmanaged) switches lacked safeguards. Since the cyber security was not up-to-the-mark, hackers were able to corrupt the system. The IP addresses of the suspect email suggested that the attack had originated from a foreign land.

Another incident, seen as a threat to the reputation and dignity of an individual, was the deepfake video of an actor from South India impersonating the face of a London-based Indian woman that went viral on social media in November 2023. Though Meta and other social media platforms had removed the video suo moto, the Intelligence Fusion and Strategic Operations (IFSO) wing of the Delhi Police investigated more than 500 internet links, retrieved some deleted accounts and successfully traced the origin of the deepfake. The accused confessed to have created this video to increase his Instagram fan-following but later deleted the posts and also changed the name of the Instagram channel. These two examples are just to demonstrate the extent of damage cyber-attacks may cause to institutions of strategic importance and individuals.

Legal Aspects

While the IT Act, 2000 was enacted with a view to give a fillip to the growth of electronic-based transactions and to provide legal recognition for e-commerce, there are sufficient provisions to deal with computer-based crimes. Various IT rules have also been notified since then to deal with specific issues such as ‘reasonable security practices and procedures etc.’ and ‘national critical information infrastructure etc.’. In order to regulate the intermediaries and the social media platforms, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules were notified in February 2021.

The latest is the Digital Personal Data Protection Act, 2023 with an objective to protect personal data and process it for lawful purposes. However, experience shows that more needs to be done to enhance the capacity and capability of the police forces to deal with emerging challenges rather than just enacting laws and framing regulations.

It must be realised that a regular police officer with an academic background of non-computer subjects cannot be a specialist in dealing with computer related offences. At best, s/he may be trained to act as a first responder to preserve the scene of crime so that the electronic evidence is not diminished in value. Therefore, a sufficient number of cyber experts need to be inducted in the police forces and cyber police stations be set up to effectively deal with the increasing number of cyber complaints.

Second, although the broad ‘guidelines for the identification, collection, acquisition and preservation of digital evidence’ are given in the Indian Standard IS/ISO/IES 20037:2012, issued by the Bureau of Indian Standards (BIS), there is no separate procedural code for the investigation of computer related offences. Similarly, all state cyber forensic labs are neither  equipped to tackle the emerging challenges nor notified as ‘Examiner of Electronic Evidence’ by the Central Government to provide expert opinion on electronic evidence under the IT Act. While the newly-enacted criminal laws lay more emphasis on collecting forensic evidence including the recording of statements using audio-visual means, and the Bharatiya Sakshya Adhiniyam, 2023 provides for a standard format of the certificate to be submitted for admissibility of electronic evidence in the court of law, the lack of training resources may prove counter-effective in producing efficient police officers in this field. 

Third, the concept of ‘safe harbour’ needs to be reconsidered to impose some additional accountability on the intermediaries. The IT Rules of 2021 require the intermediaries and social media platforms to observe “due diligence” and make “reasonable efforts” to cause users not to host, display, upload, share etc. any information inter-alia that is harmful to a child.  However, they are bound to remove such objectionable material in 36 hours, only if they are informed about it either by an authorised government agency or ordered to do so by a court. They are not legally bound to deploy online preventive and investigative tools. India  follows neither the American model nor the British model to proactively identify and block child sexual abuse material (CSAM). It is, in fact, because of the absence of the required cyber infrastructure in place, that even reports of CSAM uploaded from India are identified and geo-tagged by the American ‘National Centre for Missing and Exploited Children’ (NCMEC) and forwarded to the NCRB (under an agreement with the MHA) in the form of the CyberTipline reports for taking legal action. 

Therefore, due to the limited liability of the Internet Service Providers (ISPs) under the IT Act, no proactive steps are known to have been taken by the ISPs. Similarly, though the Ministry of Electronics and Information Technology (MeitY) has issued an advisory to the social media platforms to take down misinformation and deepfake videos and images, these will not be sufficient and effective unless they are compelled to deploy some technical tools to identify necessary devices  and report compliance. This would require the concept of ‘safe harbour’ to be revisited, and made robust under section 79 of the IT Act.

Last but not the least, the cyberattack on the AIIMS Delhi system suggests that even institutions handling sensitive personal health data did not have a robust cyber security policy in place.

The lack of periodic audits, identification of vulnerabilities and upgradation of systems, shortage of committed and trained manpower are the main reasons for invasion into such gaps by the hackers.

Therefore, not only does a sufficient budget need to be allotted to such institutions, a culture of cyber safety needs to be inculcated so that such attacks are not repeated.

Conclusion

While the world is battling with mechanisms and regulations to check the misuse of artificial intelligence (AI), police forces are grappling with investigation of the newer type of crimes. The Prime Minister of India, while inaugurating the annual Global Partnership for AI (GPAI) Summit in Delhi in December 2023, stressed the need to invoke watermarking of AI products as well as the potential for increased cybersecurity and data theft incidents. It is hoped that besides bridging the gaps and strengthening their own infrastructure, the joint efforts of world leaders will help enforcement agencies to meet the challenges posed by newer technologies and ensure the safety and security of our citizens from emerging cyber threats.

(Exclusive to NatStrat)