India needs to think in terms of a separate law that covers the entire gamut of cyber crime as it has evolved in the rest of the world, especially in the United States.
TWO conferences in the United States that I attended last week were extremely rewarding. The first of these, jointly organised by the Confederation of Indian Industry (CII) and the U.S. India Business Council in Washington was on various facets of cyber security. This was in the context of an increasing anxiety all over the world at the ease with which miscreants were able to intrude into cyber space and cause havoc to national security and national economies. Concerns in the area had gone up appreciably after 9/11. There is actually now the speculation that the Al Qaeda, instead of physically confronting the enemy (read the U.S.) once more, would rather unleash cyber weapons from a remote location. Such assessment cannot be ignored as fanciful if one reckons that outfit's capacity to spring shocking surprises.
Cyber terrorism is no longer a mere romantic prediction. It is real, and when it does strike, the consequences could be disastrous. This is why it is frequently discussed with all seriousness in international fora. We have now news of a fresh tape in the voice of Osama bin Laden that hurls serious threat at the U.S. While the vagabond does not spell out details of how he will strike again, we should imagine that he will be even more innovative this time. This is one more reason why all of us will have to protect ourselves against cyber attacks. We should display extra sensitivity with regard to sites that regulate our critical infrastructure, such as air traffic control and distribution of power and water. The U.S. has created what is known as the President's Critical Infrastructure Protection Board (PCIPB). A draft document "The National Strategy to Secure Cyberspace" prepared by the Board is a well-argued paper that invites comments from all sections of society. Paul Kurtz, Senior Director of the PCIPB, who spoke at the Washington conference, was quite persuasive and believed that India and the U.S. could work together. A joint forum of the two countries on cyber security is already in place. But we need to hasten to set up a full-fledged Board of our own to safeguard our critical infrastructure. I am told that the Information Technology Ministry is already working in this direction.
Some readers may recall instances of how a few of our sites had proved themselves vulnerable in the not too distant a past. For example, in 1998, immediately after Pokhran-II, there was a reported intrusion into the network of the Bhabha Atomic Research Centre (BARC). Group Captain H. Kaushal wrote in Business Line last year that hackers stole data, deleted some information and also disabled two out of eight servers. Again in 1998, miscreants managed to get into Government of India's Web site and post objectionable photographs and political propaganda material alleging human rights violations in Jammu and Kashmir.
We do not have data on any further assaults on our critical computer systems. Even if we have had any more intrusions, information is difficult to come by. Both government and private industry are generally reluctant to admit victimisation. One reason for this is a fear of loss of public confidence. This tactic is a double-edged weapon. Are we not likely to promote cyber laxity in users if we do not constantly give publicity to concrete instances of violation of cyber space? Such a strategy of sharing information with the public should enhance regard for cyber security rather than diminish it.
The Washington conference was meant to promote the confidence of U.S. businessmen wanting to deal with Indian companies. There is incredible paranoia in the U.S. when major corporations entrust data to Indian IT companies for producing custom-made software at offshore sites in India. The conference addressed itself to this psychosis, and my impression was that it did succeed to a degree to dispel some major misgivings. The endeavour was to disseminate the information that many large companies had taken several steps to push up standards of security.
Actually, the CII had sponsored a well thought-out study last year by Pricewaterhouse Coopers (PwC). It no doubt concluded that instances of cyber intrusions were in fact rising. Hackers and unauthorised users caused most of the breaches. On the positive side, thanks to this trend, awareness in the area - especially among financial services companies - was growing in India. According to PwC, the pace of introducing anti-cyber attack measures was no doubt impressive among IT companies, but manufacturing companies, which do not normally handle too large a volume of data, were less inclined to invest large sums to protect their systems. Nevertheless, speaking as a whole for Indian industry, one can safely say that investment in security hardening is growing.
Large banks and other financial institutions, which sell online banking, mutual funds, depository services, insurance products and mobile banking, consider it crucial to make online security almost invulnerable.
This is because even a minor intrusion into their systems could prove ruinous in terms of loss of money and customer confidence. Here I would like to share something that I read recently, possibly in a Federal Bureau of Investigation journal. This is something real, and not at all apocryphal.
Two crooks who were computer-savvy managed to transfer electronically one million dollars from one bank into another. A few days later they walked into the bank manager's room and told him of what they had done. He was shocked beyond belief, and his first instinct was to pick up the phone and call the police.
But then the visitors told him that before he did so he would do well to think of the consequences of going to the police, especially if the media picked it up. They wanted him to ponder the impact of such media reporting on customer confidence. There could certainly be a run on the bank. The manager, an experienced professional, quickly realised the perils of moving the police. Ultimately, a deal was struck whereby the two crooks would re-transfer the million, for a `service charge' of half-a-million! This was expediency, not at its best, but at its worst! This tale would amplify my point - that lack of cyber security could bring down what is an otherwise best-managed corporation.
Many Indian companies are slowly veering around to the view that they need to lay down a security policy through a concrete policy document listing their physical and intellectual assets and incorporating strategies and guidelines for their protection. Guarding against virus attacks through innovative software packages has become a rule rather than an exception. Some companies do a virus check almost every day, and frequently update software for this purpose. Installation of firewalls that filter out unauthorised attempts to enter a system, and encryption of data during transmission have also become accepted practices. Logical controls such as allotment of a User ID and password and barring of access to some web sites that are prone to virus have also become accepted practices. What is possibly lacking is a foolproof system of intrusion detection, incident reporting and incident response. This is because there is a definite tendency to suppress intrusions. If this is not curbed ruthlessly, we could be heading towards doom.
The areas of cyber security and cyber crime cry for international cooperation. It is a trite saying that cyber space knows no boundary. If a neighbouring country believes it can get away with perpetrating misdeeds on India's systems, it should well know that, as perhaps the largest builder of the most intricate and sophisticated software in the world, India is no less capable of returning the compliment! So, enlightened self-interest demands that every nation suppresses its instinct for evil and falls in line with cyber propriety that is being increasingly codified. The G-8 nations and the Council of Europe have paved the way for formulating written down dos and don'ts. The Interpol has also been active on the front. I was myself once part of a working group that this world body had set up to bring about a consensus among the Asian nations.
India is one of the first nations to legislate in the area. The Information Technology Act 2000 is a well-drafted document, the product of active collaboration between government and industry. One must, however, remember that this is a law meant mainly to recognise and lend legal cover to e-commerce. It should not be looked upon for a moment as an Act against cyber crime. It no doubt lists some offences - tampering with electronic documents, hacking and publication of material that is pornographic - that the police could take cognisance of. Many discerning observers - including Pavan Duggal of New Delhi who has become a kind of authority on cyber law and whose recent book on the subject has made waves - believe that Chapter XI of the IT Act, which lists computer offences, is an artificial introduction into a statute whose focus was altogether different.
I share the view with others that we need to think in terms of a separate law that covers the entire gamut of cyber crime as it has evolved in the rest of the world, especially in the U.S. The IT Ministry, which has shown itself to be open to ideas and persuasion and has been in constant dialogue with private industry without the usual inhibitions that one attaches to the babus in Delhi, should think along these lines.
A welcome feature of the Indian scene is that law enforcement agencies are fast becoming clued up, with the Central Bureau of Investigation giving able leadership. There is a regular cyber crime investigation unit within the CBI which reacts fast to major assaults on systems. State police agencies have also been proactive in setting up such units and training their personnel. I believe the Karnataka Police has set up a cyber crime police station. It will be of interest to know how it has been performing. It was gratifying to hear one of the American speakers at the Washington conference mention how the Indian police reacted fast to a complaint of theft of a valuable source code belonging to a U.S. company that was stolen by an Indian software engineer. This speaker said it took a while to explain the nuances of the crime to a senior police officer who needed extensive briefing. But once the latter understood all the facts and implications, he acted swiftly to take the offending engineer into custody and proceed thereafter under the law.
It is this kind of rapid response that sends out the right message about India and serves to infuse international confidence and bring in more and more foreign investments. The IT Ministry, under the dynamic leadership of Pramod Mahajan - who was commended in generous terms by several U.S. speakers at the conference - can do much more in the area with the assistance of bodies like the CII and NASSCOM (National Association of Software and Service Companies).
THE American Society of Criminology (ASC) hosted its 54th Annual Meeting in Chicago last week. Founded in 1941, it is a remarkable body that sets the tone for research in all three arms of criminal justice, viz., police, prisons and judiciary. It attracts international membership from a wide cross-section that includes academics and practitioners in a variety of disciplines. It brings out a journal, Criminology, which is reputed for its well-researched papers.
Criminologists over the ages have sought to explain criminal conduct in terms of biological peculiarities, distinct family background, unhappy childhood experiences and unethical pressures at the workplace. Each day sees the arrival of a new theory. It is a sad fact that none of them has carried conviction beyond a point. The sweeping sociological changes and the integration of the globe in our times have only complicated the issues further. Professor David P. Farrington of Cambridge University, who delivered the Sutherland Address at the Chicago conference, spoke on developmental criminology, an area which examines how crime is a sort of continuum in the life of an offender, and how certain events in one's life influence most the onset and flourishing of crime. Experts are confounded why criminal behaviour peaks between the ages of 15 and 19, and why early entry into the field sometimes results in a long career in crime. There are several risk factors that drive a person to crime, and there is here too wide a range of phenomena that only a speculation is possible and no specific corrective action can be suggested. In any case, this is a fascinating area where more and more research throws up unbelievable new facets to the understanding of crime.
COMMents
COMMents
SHARE