India Unequipped To Handle Rising Cybercrimes

Cyber attacks (Representative image) | Photo courtesy: Special arrangement

Last week, the Indonesian cyber attack group Hacktivist issued a “red notice” targeting 12,000 Indian government websites. Just a day after the incident, the Indian government said that all its websites were updated and “capable” of handling cyberthreats. In this story, The Probe speaks to several cyber police officials and top cyber experts in the country who say that our laws are ineffective, our cybersecurity systems are outdated, and our agencies are unprepared to handle the growing number of cyber cases.

Also Read: Sudden Spurt in Cyber Security Breaches, Govt Accounts Targeted

“One of the biggest problems we are facing today is to ensure that the money people are losing in cyber frauds is seized as fast as possible and ultimately get it refunded back to the victim. This is the challenge that the cyber police are grappling with daily across the country,” says Thummala Vikram, ADG, Cyber Operations in Kerala.

Cybersecurity expert Ritesh Bhatia speaks to The Probe’s Pavitra Utgikar on the mounting number of cybercrimes in India and India cyber security.

Mausmi Patil, a Police Inspector with the Cyber Police in Mumbai, states that cybercrimes have increased in the country post-lockdown, and cybercriminals are today more advanced than law enforcement agencies. “I have seen that even in Mumbai, we were flooded with cyber complaints after the lockdown. These cybercriminals are so savvy that they can make fake bank pages for many famous banks. They have better technology to do that. They are able to exactly make a duplicate version of these bank pages, and the customers sometimes get taken for a ride. Their customer ids and passwords are illegally acquired this way.”

Mausmi adds that the problem is multi-pronged. While we don’t have adequate cyber protection laws on the one hand, on the other hand, people do not report cybercrimes immediately, and there is a complete lack of cooperation from social media intermediaries while solving crimes. “People don’t immediately report fraud. Delay in reporting cases is one big challenge. Another big problem is that social media intermediaries are not very responsive. When we ask them for details, they are not very forthcoming. There are several cases where we need a response from them within a timeframe to solve cases. But most of the time, they are very laid back in their response. The IT Act does not have any stringent provisions for punishment of cybercriminals. Even if we arrest them and put them behind bars, these criminals don’t have any problem going to jail for three years as they have already stashed money and made enough to sustain themselves for the rest of their lifetime.”

According to a report by Fortinet, a cybersecurity company, 92 per cent of Indian companies were hit by cyber breaches. While these figures may seem extremely hard to digest, the Indian government’s own reports suggest that India witnessed a whopping 13.91 lakh cybersecurity incidents last year.

Also Read: CoWIN Data Breach Reveals Security Gaps In India’s Critical Information Infrastructure

The Computer Emergency Response Team (CERT-In) has stated that a total of 11,58,208 cases were reported in 2020, in 2021 the cases rose to an all-time high at 14,02,809 and dipped to 13,91,457 in 2022. However, many experts say that the government’s figures do not expose the ground realities, and the cases have only risen exponentially in the country.

“India is in a very precarious position regarding cybersecurity breaches. In India, despite a data breach notification law in place, most people choose not to report security breaches to the Indian nodal agency on cybersecurity - CERT-In. Consequently, the actual figures of the government are dependent on the number of cases reported, which does not have any bearing on the ground reality. Underreporting is one of the biggest problems,” notes Pawan Duggal, a Supreme Court lawyer and cybersecurity expert.

Duggal explains that India does not have a dedicated India cyber security law. FIRs are few and far between, and convictions are a bare minimum. “We need a dedicated India cyber security law. The existing provisions on cybersecurity under the Indian Information Technology Act 2000 cannot deal with the growing cybersecurity breaches. The golden age of cybercrime started with the beginning of Covid-19, but the actual quantum of cases reported does not reflect the ground reality. Cybercrime convictions are too few in the country. The government of India has launched the national Cyber Crime Portal, which is a good move. But this is only a cybercrime reporting portal. It is not a cybercrime FIR registration portal or an investigation portal. Since policing is a state subject, these reported cases are referred to the respective states and on average, only less than 5 per cent of the total number of complaints received ultimately transforms into FIRs. The actual registration rate of FIRs is awfully low in our country."

Last month, India cyber security and cybercrime police station of Sivaganga district in Tamil Nadu busted a huge cybercrime gang operating out of Coimbatore. The police seized nearly 23,000 sim cards, around 300 mobile phones, several ATM cards, chequebooks, and other electronic accessories. Speaking on the condition of anonymity, a senior cyber police official told The Probe that it was only in April 2021 did the state of Tamil Nadu start registering FIRs under a dedicated cybercrime cell.

“From April 2021 only, we started registering cybercrime FIRs from all over Tamil Nadu in the cybercrime police station. At present, we have 50 cybercrime police stations in Tamil Nadu. We are now trying to create awareness amongst the people so that they know that once they get defrauded, they must report it immediately, and also, we are trying to create awareness about certain types of cybercrimes so that people don’t fall prey to these. But the fact is that cybercrimes are borderless, and there are many challenges, especially when the cases are inter-state or inter-country,” said the official.

Ritesh Bhatia, a cybersecurity expert, states that cybersecurity is an afterthought in India. “Recently, the Gujarat Mining Development Corporation was infected with ransomware and a demand of 4 crores was made to them. We don’t know what happened after that. The same thing happened with AIIMS. On Good Friday, the criminals were planning to bring down many airport websites, and they managed to hit the Cochin International Airport Ltd (CIAL) airport website. Cybersecurity cannot be an afterthought. These fraudsters usually use mule accounts. Jurisdiction is another major issue. The number of victims falling prey to such crimes is increasing by the hour. The criminals are sitting in other states or perhaps in other countries. So, how do we tackle these crimes using an integrated cyber policing system that does not have jurisdictional issues? These are some of the big challenges. Cybersecurity cannot be an afterthought.”

The CERT-In has stated that it has prevented 2,83,581, 4,32,057 and 3,24,620 malicious cybercrimes during 2020, 2021 and 2022. Tejasi Panjiar, Associate Policy Counsel at the Internet Freedom Foundation (IFF), notes that it is time India took compensating cyberattack victims seriously. “Compensation is a whole different issue. So far, compensation has been part of the law under the IT Act of 2000. But in the draft Data Protection Bill, compensation for victims has been removed. If the Bill is passed, the users whose data has been breached will not be compensated. Why is there no compensation for breaches? The Bill, if it comes into being, would literally make the breach in the right to privacy a non-criminal matter.” 

Also Read :-

Child Brides: Victims of Pandemic, Poverty & Patriarchy