Computer users, as well as the police, need to brace themselves to counter the new threat posed by cyber criminals. And international cooperation is essential to fight the complex crimes.
AN interesting incident was recently reported in inconspicuous corners in some newspapers. It was about the hacking of the website of the cyber crime cell of the Mumbai Police by some miscreants. As I write this, I understand - again from a newspaper - that a telecom engineering student, two engineers - one a software engineer and the other a hardware engineer - and a cyber cafe employee have been arrested in this connection. The motive? The student wanted to teach "a lesson" to the cyber police! The Sessions Judge concerned rejected the plea, possibly for anticipatory bail, of the cyber cafe owner himself, despite his professing ignorance about the entire episode. It seems he has been hauled up for having downloaded hacking tools, a totally unauthorised act.
The Mumbai happening is significant, but it has not received the attention it deserves. It confirms that cyber crime in India is no longer an illusion. The situation could go out of hand if computer users, both in the government and the private sector, do not sit up and brace themselves for the challenge. For the police, the temptation especially to view attacks on computer systems as just another form of crime is great. Senior officers need to come down heavily on any such complacence on the part of their investigators.
Three aspects of cyber crime deserve focussed attention. These are: the legal safeguards that are available; the adequacy of training of police investigators, prosecutors and the judiciary; and the nature of links forged by the Indian police with foreign law enforcement agencies so that cooperation in matters of investigation and training is readily forthcoming.
Thanks to international pressure and the growing consensus that cyber crime does not recognise national borders, more than 30 countries have separate laws in their statute books to check this menace. Last year our government succeeded in getting the Information Technology (IT) Act passed by Parliament. The popular misconception is that this Act is solely meant to quell cyber crime. Actually, it is a piece of legislation intended mainly to lend legal recognition to e-commerce. It is also meant to "facilitate electronic filing of documents with the Government agencies". The Act recognises for the first time the concept of digital signature and provides for the appointment of a Controller of Certifying Authorities, the repository of all digital signature certificates issued under the Act. It is only incidentally that the Act (Chapter XI) lists a few offences relating to the use and abuse of computer systems which invite a penalty - a fine or imprisonment or both.
A wide spectrum of delinquencies come under the umbrella term of 'cyber crime'. However, it is mainly hacking (intentionally destroying or deleting or altering information residing in a computer), publishing obscene information in an electronic form (pornographic websites are countless) and tampering with computer source documents that are specifically mentioned in the IT Act. Investigation of these offences will be at the level of a Deputy Superintendent (DSP). While the Act does mention a few other offences, such as misrepresentation before the Controller of Certifying Authorities or his assistants, breach of confidentiality and privacy by a person who has had lawful access to an electronic record and publication of a false digital signature certificate, there is criticism that certain other direct computer-related crimes such as cyber-stalking, cyber-theft and cyber-defamation have not been covered by the IT Act.
My response is that no legislation can be exhaustive enough. We have to implement an Act for a while and get feedback on its lacunae so that there can be meaningful amendments. The Indian Penal Code is so well drafted that offences not listed in the IT Act right now can still be tackled through it, till such time we are convinced that the IT Act needs to be recast in order to cope with the expanding contours of cyber crime.
We may also have to examine whether we need more than one enactment. For instance, the United States has several, including the Computer Fraud and Abuse Act (1986), the Computer Misuse Act (1991), the Electronic Fund Transfer Act (1996) and the Child Online Protection Act (1998). It is just possible that the volume and nature of cyber crime in our country would demand in course of time a variety of laws. Apart from private digital enterprises, law enforcement agencies including the Central Bureau of Investigation (CBI), the Enforcement Directorate, the Directorate of Revenue Intelligence and the Income-Tax Investigation Wing, could provide valuable inputs to the government. There is also the need to draw from the international experience. For instance, the Council of Europe recently agreed on certain parameters with a view to ensuring uniformity in cyber law. The Interpol is also active on this front and may be of help to ensure that our law does not ignore new developments.
NEXT comes the question of educating the police, the prosecutors and the lower judiciary. The CBI, the Bureau of Police Research and Development (BPR&D) and the National Police Academy (NPA), Hyderabad have made significant contributions. Each has prepared a training module to be administered to State police personnel and conducted several training programmes. The NPA is to hold an international seminar later this year. This initiative is commendable. Momentum to this critical area of upgradation of knowledge will, however, have to come from State police agencies. There are unfortunately wide variations in perception and consequently uneven responses. The blame lies squarely at the doors of some chiefs of police whose priorities are skewed and warped. This is despite claims of large-scale computerisation of the police forces. There are brilliant brains in the Indian Police Service (IPS) - graduates from the Indian Institute of Technology and the Indian Institute of Management - who are well clued-up. Unfortunately they do not have the ears of their chiefs and cannot therefore bring about greater sensitivity to the problem.
There is no information that any systematic effort has been made till now to impart training to prosecutors and judges, although there is evidence of their keenness to become knowledgeable. Possibly, here again, the initiative may have to come from law enforcement agencies who boast of quality instructors and training institutions. It is not difficult to draft special capsules for this purpose. The services of the principal law officers of the Central and State governments could be sought to convince the higher judiciary that the exercise is a bona fide one and is worth the time and money spent.
A FINAL word about international cooperation. Like most of modern crime, cyber crime knows no boundaries. A hacker in Albania can break into a system in Kanyakumari without the aid of any extraordinary talent or equipment. A personal computer is all that he or she will need. Software of a mind-boggling variety is available for this operation and there are any number of websites to offer information. The ease with which such cyber vandalism can be committed has helped build an international consensus that a hacker should not be allowed to get away only because of legal inadequacies. Section 75 of the IT Act clearly lays down that its provisions shall also apply to "any offence or contravention committed outside India by any person, irrespective of his nationality", provided that such act involves a computer, a computer system or computer network located in India.
The point is, how far are nations willing to help one another? Police investigations abroad are stifled by a variety of factors, including the desire to protect individuals of certain nationalities. The procedure also involves a request by the court of one country to its counterpart in another. Collection of information in cyber matters requires searches and confiscation of delicate material that needs speedy and expert handling. Assistance in such areas is slow and half-hearted despite the best of relations between countries. An interesting question that has been raised is how far the police of one country are justified in entering a computer system across the border suo motu to secure information that is available online and is crucial to an investigation.
The Commission on Crime Prevention and Criminal Justice (CCPCJ) of the United Nations, with its headquarters in Vienna, has been exercised over how to prevent and control high technology and computer-related crime. The Commission is convinced that one way of doing this is to forge closer links between nations so that the cyber criminal is relentlessly pursued across frontiers. Both the Eighth U.N. Crime Congress and the Tenth one devoted considerable time to this.
The U.N. Convention on Transnational Organised Crime adopted by the General Assembly on November 15, 2000 may not directly apply to routine computer crime. However, it will definitely be attracted where organised gangs use telecommunication and computer networks for their operations. Following this Convention, the CCPCJ held a workshop on "The Challenge of Borderless Cyber Crime" in December 2000 at Palermo, Italy. The workshop, attended by representatives of a large number of countries, gave a fillip to the movement that aims to strengthen the law and procedure for international cooperation in the field.
The Lyon Group of high-level experts set up by the G-8 nations has also been active. At this group's instance, a network of contacts available round-the-clock has been established. The Interpol has now the operational responsibility for this network and the CBI has been identified as a contact point for the Indian subcontinent and its neighbourhood.
IN sum, an ambience has no doubt been created for promoting international cooperation to combat cyber crime. How far this will translate itself into active assistance in the field is an open question. Going by the track record of many countries in tackling more serious transnational criminals - such as Dawood Ibrahim and his ilk - we may not expect miracles. A change of mindset is called for. It will definitely come when nations are overtaken by a rash of major cyber misdeeds which impinge on national security and threaten critical infrastructure. Meanwhile, we in India will have to disseminate zealously knowledge of how to protect our computer systems and encourage freer reporting by victims to police agencies. As it is, there is gross underreporting, alongside a tendency towards vigilantism. Both tendencies need to be curbed.