Budapest Convention on Cybercrime – An Overview

By Shalini S

The Convention on Cybercrime or Budapest Convention is the only binding multilateral treaty instrument aimed at combating cybercrime. It was drafted by the Council of Europe with active participation from its observer states in 2001. The Convention provides a framework for international cooperation between state parties to the treaty. It is open for ratification even to states that are not members of the Council of Europe. The Convention is the only substantive multilateral agreement with a stated objective of addressing cybercrime with convergent, harmonized legislation and capability building. Therefore, it is widely recognized as a decisive document on international best practice and enjoys compliance even from non-signatory states. Most model legislation and attempts at drafting a new international instrument on cybercrime have also relied on the principles expounded in this Convention. The Budapest Convention is also supplemented by an Additional Protocol to the Convention which was adopted in 2003.

Offences under the Convention

The Budapest Convention broadly attempts to cover crimes of illegal access, interference and interception of data and system networks, and the criminal misuse of devices. Additionally, offences perpetrated by means of computer systems such as computer-related fraud, production, distribution and transmission of child pornography and copyright offences are addressed by provisions of the Convention. The substantive offences under the Convention can broadly be classified into “(1) offences against the confidentiality, integrity and availability of computer data and systems; (2) computer-related offences; (3) content-related offences; and (4) criminal copyright infringement.”[1] The Additional Protocol makes the act of using computer networks to publish xenophobic and racist propaganda a punishable offence. However, the full range of cybercrimes is not covered under the Budapest Convention. Cybercrimes that are not covered include identity theft, sexual grooming of children and unsolicited spam and emails.[2]

Provisions of the Convention

The treaty functions on a mutual information sharing and formal assistance model in order to facilitate better law enforcement and lays down procedure to seek and receive such assistance. Article 23 of the Convention outlines the general principles under which international cooperation can be sought, as follows:

“Article 23 – General principles relating to international co-operation

The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international cooperation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.”

It is clear then that assistance facilitated by the Convention relies on pre-existing cooperative agreements between the parties. Thus, as also stated in Article 39 of the Convention, the provisions only serve to supplement multilateral and bilateral treaties already effective between parties. In addition, mutual legal assistance (MLA) between parties where no such mutual arrangements exist can be facilitated through procedures laid down under Article 27. Principles and procedures related to extradition for criminal offences under the Convention are also detailed in Article 24 of the Budapest Convention. These sections primarily aid formal legal assistance between signatory parties to the Convention in case of a cybercrime (as defined under the Convention itself).

The Convention itself does not demand ‘dual criminality’ per se. However, the adoption of the Convention demands harmonization of national legislations and results in reciprocal criminalization. This is crucial as the Convention has mutual assistance and extradition provisions, both easier to process when dual criminality is established between the requesting and assisting parties.

The Cybercrime Convention Committee (T-CY) was set up to represent the interests of and foresee regular consultations between state parties to the Convention. The biannual plenaries conducted by the T-CY and working groups discuss developments, shortcomings, grievances and possible amendments of the Budapest Convention.

Significant Drawbacks of the Convention

The Convention on Cybercrime has also come under severe criticism for both its specific provisions that fail to protect rights of individuals and states, and its general inadequacy in sufficing to ensure a cyberspace free of criminal activity.

The 12th Plenary of the T-CY (at page 123) concluded that the mutual legal assistance facilitated by the Convention was too complex and lengthy, rendering it inefficient in practice. The outdated nature of the provisions of the Convention clearly fails to cater to the needs of modern investigation.

The provisions of the Convention have been critiqued for supposedly infringing on state sovereignty. In particular, Article 32 has been contentious as it allows local police to access servers located in another country’s jurisdiction, even without seeking sanction from authorities of the country. In order to enable quick securing of electronic evidence, it allows trans-border access to stored computer data either with permission from the system owner (or service provider) or where publicly available. As Russia finds this provision to be an intolerable infringement of its sovereignty (amongst other things),[3] it has categorically refused to sign the Convention in its current state. However, it is important to note that the claim that provisions infringe on sovereignty has been addressed and countered by the T-CY in its guidance note on Article 32.

Russia’s displeasure with the existing multilateral instrument was evidenced by the introduction of a Russia-backed proposal for an international cyberspace treaty. The proposal, specifically for a convention or protocol on cybersecurity and cybercrime, was considered and rejected at the 12th UN Congress on Crime Prevention and Criminal Justice. The US and EU refused to countenance a new cybercrime treaty, opining that the Budapest Convention sufficed and efforts should be directed at capacity building.

Regardless, Brazil and China, which have expressed displeasure at the primarily-European treaty, have refused to adopt the Convention for the same reason. India also continues to remain a non-signatory to the inequitable Convention, having categorically declined to adopt the Convention which was drafted without its participation. India’s statements also reflect its belief that the Budapest Convention in its present form is insufficient in tackling cybercrimes. This may hold especially true as India routinely faces cyber-attacks from China. This is a problem that will not be resolved by mere ratification of the Budapest Convention as China is a non-signatory to the treaty. With multiple countries remaining non-signatories, with little scope for change in their positions, the reach of the Convention is certainly limited. There is a demonstrable need for a unique, equitable and all-encompassing instrument that governs cybercrime. To ensure maximum consensus and compliance, this instrument must necessarily be negotiated with active participation from all states.

[1] Jonathan Clough, A World of Difference: The Budapest Convention on Cybercrime and the Challenges of Harmonisation, Monash University Law Review (2014) at page 702, https://www.monash.edu/__data/assets/pdf_file/0019/232525/clough.pdf (last visited Mar 2, 2016).

[2] Ibid.

[3] Kier Giles, Russia’s Public Stance on Cyberspace Issues in 4th International Conference on Cyber Conflict (2012) at page 67, https://ccdcoe.org/publications/2012proceedings/2_1_Giles_RussiasPublicStanceOnCyberInformationWarfare.pdf (last visited March 2, 2016).

Cyber Vandalism – Not an Act of War

By Shalini S

In September last year, a mutual cyber hacking marathon ensued between Indian and Pakistani hackers, who each hacked and defaced multiple government and private websites. The incident was triggered by a detected defacement of a Kerala government website which was attributed to a Pakistani hacker. Indian hackers and hacktivist groups retaliated by defacing multiple Pakistani government websites and making several others inaccessible. Media reports were quick to label these cyber vandalism exchanges as a cyber war between the two countries with headlines such as:

Hacking triggers cyber war on Pak websites

Hackathon of another kind: A ‘cyber war’ between India and Pakistan?

Indo- Pak Cyber War: Indian Hackers Deface Pakistani website

Hackers from India, Pakistan in full-blown online war

Cyber-war: Indian hackers hack 250+ Pakistani websites after attack on Kerala govt’s website

India and Pakistan seem to be at war; this time in cyberspace!

These headlines, while raising public awareness about politically motivated cyber-attacks, were also misleading and patently wrong in terming the episode as cyber war. Other politically motivated cyber-attacks involving independent hackers have also been termed cyber war in the past. The incidents were noteworthy and raised several red flags about the vulnerability of official government websites and the state of security of data contained therein. However, they certainly did not cross the threshold to be termed an ‘act of war’ or ‘cyber warfare’.

There are clear thresholds for an attack to qualify as an act of war and several scholars opine that the same standards apply on a virtual battleground. For instance, the US Strategic Command’s Cyber Warfare Lexicon’s definition of cyber warfare envisions a military object (Page 8). The document also states that “not all cyber capabilities are weapons or potential weapons” (Page 9). The Tallinn Manual on the International Law Applicable to Cyber Warfare, which identifies “laws of armed conflict that apply to cyberspace and delineates the limits and modalities of its application”, does not seek to regulate actions of individual hackers or groups of hackers. Susan Brenner, a cyber conflict specialist, opines that cyber warfare is the use of cyberspace to achieve the same ends as conventional warfare[1] – “the conduct of military operations by virtual means”.[2] However, other definitions allow scope to envision the participation of non-state actors in cyber warfare.[3]

Despite numerous attempts at defining it and the lack of a clear consensus in existing definitions, ‘cyber war’ has a specific connotation. Most existing definitions of cyber warfare envisage the subversive use of cyber technologies by a nation-state in the conduct of a military operation.

It is challenging to evolve specific definitions for cyber-attacks and this makes it difficult to categorize them. However, it is important to identify the exact nature of each attack, and to unambiguously define and categorize cyber-attacks, in order to formulate a proportional and appropriate policy response.

The issue of distinguishing cyber vandalism from cyber war was most notably raised in the aftermath of the Sony hack of 2014. President Obama had characterized the attack as an act of cyber vandalism, while others opined that it was an act of terrorism or act of warfare, albeit perpetrated virtually. The characterization of that particular attack on Sony has been shifting with allegations of the incident being a state-sponsored act. Regardless, it remains that the classification of any cyber-attack carries its own implications for the formulation of a response policy and thus it must also be accurately communicated to the public and policy makers.

It is clear that the above-described incident of mutual defacement of websites by hackers and hacktivist groups falls short of qualifying as a cyber war on many counts. There is no indication of the attacks being sponsored by the Indian or Pakistani state. Evidently, it was also not carried out in the furtherance of a military objective. The target of the primary attack, an official government website, is not critical information infrastructure and the nature and severity of the attack were fairly minimal. Thus, the act and the subsequent retaliation do not qualify as acts of cyber war and can only be characterized as ‘cyber vandalism’.

Cyber vandalism is the digital equivalent of conventional vandalism wherein legitimate content of a website will be made unavailable or replaced. As advanced cyber capabilities are within the reach of even non-state actors, attacks of this nature might be a frequent occurrence in the future. It is vital then to evolve appropriate legal and policy responses to effectively deal with individuals, hacktivists and organized groups that indulge in cyber vandalism.

The rules of cyber war are still nascent but the Tallinn Manual sheds light on the form that law might take on regulating acts of such nature. The international community is bound to arrive at a consensus on the definitions and clear demarcations of acts of warfare, terrorism, vandalism and espionage in cyberspace. In the meantime, there must be a concerted effort to understand these new-age operations and evolve better classifications that aid policy formulation on these issues.

[1] Susan W. Brenner, Cybercrime, cyberterrorism and cyberwarfare, 77 Revue internationale de droit pénal 453 (2006) at Para 45, https://www.cairn.info/revue-internationale-de-droit-penal-2006-3-page-453.htm#no33.

[2] Susan Brenner, At Light Speed: Attribution and Response to Cybercrime/Terrorism/Warfare, 97 Journal of Criminal Law and Criminology (2007) at Page 401, http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=7260&context=jclc.

[3] Nicolò Bussolati, The Rise of Non-State Actors in Cyberwarfare (2015).

Innovative Reporting and Policing to curb Cyber Crime

By Shalini S

Cyberspace has been continually emerging as a significant forum of criminal activity that requires specialized monitoring. However, cyber crime cases often go unreported in India, further increasing online vulnerability. Even reported cases mostly result in acquittal due to the lack of forensic infrastructure and trained police personnel who are able to retrieve and present adequate and admissible digital evidence.

Recognizing the difficulty of investigating high-technology crime by technically untrained police personnel, a specialized cyber crime cell was first established in Bangalore in 1999. Soon after, in 2001, the cell was declared as a cyber crime police station, the first one to have been established in India and exercising jurisdiction over Karnataka. A multidisciplinary group of experts was set up to aid the police station in investigating registered cyber crime cases.

To tackle the mounting number of cyber crime cases being reported across the country, other states followed suit and several cyber crime investigation cells were established throughout India. At present at least 21 Indian states including New Delhi, Karnataka, Andhra Pradesh, Tamil Nadu, Maharashtra, Odisha and Uttar Pradesh have such dedicated anti-cyber crime cells. Some states which face higher incidence of cyber crime, such as Maharashtra and Odisha even have multiple cyber crime cells or cyber crime police stations staffed with tech-savvy officers.

These cells have been set up specifically to detect, prevent and investigate cyber crimes that fall within the ambit of Information Technology Amendment Act, 2008 (Central Act, 2000) and assist other law enforcement agencies in investigating computer-related crime. The specialized cells are generally equipped with high-tech software and hardware equipment required to pursue investigation of cyber crimes. They are also typically manned by specially trained police officers proficient in conducting cyber crime probes. They play a critical role in quickly retrieving digital evidence in a manner that allows it to be admissible in courts. Some of these cells also organize occasional awareness drives to educate the general public on cyber crime, in collaboration with other stakeholders.

While bigger cyber cells are sufficiently equipped to handle cyber crime complaints, local cells often lack expertise and competence in dealing with instances of cyber crime. This, however, has not discouraged law enforcement agencies as they continue to innovate creatively to address the problem of cyber crime in India. Some of these innovative reporting and policing methods adopted in India are described below.

The Delhi Police announced that FIRs for economic fraud and cyber crime cases could be filed through a mobile application that they were set to launch. This initiative was launched in order to simplify the procedure involved in filing a cyber crime complaint, increase transparency and encourage more victims to file complaints. Use of technology to enable simplified online cyber crime reporting is likely to increase the rate of reporting of cyber crime by victims, a view also espoused in a recent ASSOCHAM-EY study.

The Mumbai Police launched an interactive platform that is designed to help law enforcement agencies with detection of cyber crimes. The application, which is termed Collaborative Online Crime Control Network (Coin), is linked to global cyber law databases of over 50 countries and helps investigators identify offences under both the Information Technology Act, 2000 and cyber laws of other jurisdictions.

Additionally, the first private cyber crime reporting helpline has also begun operation in the Delhi-NCR region and provides technical assistance to victims upon receiving a complaint about a cyber offence. The helpline is generally used by victims who did not want to formally report cases to law enforcement agencies. It was conceptualized taking inspiration from the Internet Crime Complaint Centre (IC3.gov) operated by the FBI. Of the complaints received, some serious crimes were forwarded to the Delhi police for investigation.

The Central Bureau of Investigation (CBI) is also engaged in the fight against cyber crime and has several specialized structures engaged in understanding and combatting cyber crime in India. It is also seemingly equipped with the expertise and equipment to deal with high-technology crime as it functions as INTERPOL’s National Central Reference Points for Computer-Related Crime. The Cyber Crime Research and Development Unit (CCRDU) liaises with state police to collect information, track developments and trends in cyber crime and disseminate information on cyber crime. The Cyber Crime Investigation Cell (CCIC) exercises jurisdiction throughout India and possesses the power to investigate high technology crimes even if they are not covered under the IT Act. The Cyber Forensics Laboratory of the CBI even provides technical help to other law enforcement agencies in ongoing cyber crime investigation.

India is facing a slew of cyber-attacks, launched from both within and outside its border and it is undisputed that there must be determined efforts for better protection. While it is unclear whether tangible changes in cyber crime trends have already been noted after their introduction, creative reporting and policing initiatives are bound to effectively curb cyber crime rates by bringing an attitude change in victims and law enforcement officers.

Tallinn Manual 1.0 – A Primer

By Shalini S

The Tallinn Manual[1] is an elaborate, academic body of work that examines the applicability of international law to cyber conflicts. The Manual was prepared by an International Group of Experts (a group of independent international law scholars and practitioners) at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence. The Centre tasked the group of experts with producing a ‘manual on the law governing cyber warfare’.

Object of Creation

Presumably, the basis for curating such a manual is a common understanding amongst scholars that international law, as it exists, does undeniably apply to cyberspace.[2] However, efforts must be directed towards determining precisely how it applies, a view also endorsed by the UN Group of Government Experts (UNGGE) in the field of IT.[3] Recognizing cyberspace as a viable battlefield (with states developing cyber offensive capabilities) also presumes that computer network attacks may be governed by International Humanitarian Law in the same manner that traditional weapons are regulated.[4]

The primary objective of the authors of the manual was to identify laws of armed conflict that apply to cyberspace and delineate the limits and modalities of their application. The manual, which is designed as a reference tool for policymakers to build on, principally focuses on jus ad bellum[5] and jus in bello in cyberspace.[6] The book is divided into black-letter rules, products of consensus and unanimity among the authors. It also contains accompanying commentary that indicates the rules’ legal basis, applicability in international and non-international armed conflicts, and normative content. Outlined also are conflicting or differing positions among the Experts as to the rules’ scope or interpretation.[7]

The manual examines the proper conduct of hostilities in cyberspace to minimize unnecessary harm by assessing below-mentioned critical areas:[8]

  1. “What constitutes direct participation in hostilities, thereby delineating what civilians can (and cannot do) with respect to military cyber operations;
  2. What types of cyber events can constitute “attacks,” including those affecting computer functionality;
  3. How the principle of neutrality applies to cyber operations;
  4. Whether and how entities deserving special protections under the LOAC, e.g., the Red Cross, must identify themselves in cyberspace;
  5. How to treat non-state actor cyber operations and incidents.”

While the manual itself only offers guidelines to append analogies from established international law principles to cyber conflicts, it has sometimes been understood (in the absence of an overriding caveat to the contrary effect) to encourage hostile or military use of information and communications technology – an invitation to cyber war.[9]

Criticism

The definition of cyber-attack as laid down in the manual has often been criticized for its narrow understanding.[10] While this is attributable to the high threshold to be met by an act to constitute ‘armed conflict’ in international law,[11] the manual fails to clarify the implications of attacks that cause consequential harm, impair functionality without causing physical damage and target physical infrastructure that relies on computer systems.[12] Questions abound on the relationship between cyber warfare operations and lawful self defence.[13] Understandably, scholars opine that cyber warfare poses unique challenges to contemporary jus ad bellum – the body of law governing legitimate use of force.[14] It is also difficult to ‘attribute’ wrongful acts commissioned by states in the existing framework of international law.[15] Uncertainty over applicability of decisions of landmark cases such as the Nicaragua case[16] that decided issues of attribution and state responsibility, to cyberspace is also a cause for concern.[17]

Further, the absence of an international cyberspace law or a cyber security treaty is the most evident limitation on achieving international regulation in cyber space. Consequently, the Tallinn manual which is a non-binding body of personal opinions has been criticized for being premature and undesirable when no universally acceptable cyber security norms exist.[18] Despite the criticism leveled against it, academic collaboration akin to the one that resulted in the publication of the Tallinn Manual is necessary alongside policy deliberations to consider the exact application of international law to conflicts in cyberspace.

Way Forward

The Tallinn Manual 1.0 attempted to “delineate the threshold dividing cyber war from cybercrime and formalize international rules of engagement in cyber space”.[19] It did so by laying down 95 ‘black-letter rules’, focused on codifying principles applicable to cyber-attacks that qualified as armed conflict, an effort that needs to be continued. Thus, the second iteration to the Tallinn Manual, the Tallinn Manual 2.0, aims to explore peacetime principles[20] such as sovereignty, jurisdiction, state responsibility and intervention in the context of borderless cyberspace.

With the International Court of Justice confirming[21] that use of force provisions in the UN charter apply regardless of the weapon used,[22] customary international law assumes a prominent position in construction of a safer cyber landscape and must be deliberately studied. The NATO Cooperative Cyber Defence Centre of Excellence has, in the past, specifically requested cooperation from India to counter growing cyber threats.[23] India must be invested in building international cyber security cooperation and participate in any future negotiations that seek to formulate cyber warfare regulations.

Read more:

  1. What constitutes “attack” in the cyberspace: http://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN-WFS.02-1-2014-PDF-E.pdf (Page 35-37)
  2. Contextualizing Tallinn Manual’s definition of “attack”: http://www.studentpulse.com/articles/775/the-law-of-attack-in-cyberspace-considering-the-tallinn-manuals-definition-of-attack-in-the-digital-battlespace
  3. US policy on cyber warfare (though not related to the manual, makes for an informative read on how States employ International Law in cyberspace): http://www.state.gov/s/l/releases/remarks/197924.htm

[1] Michael N Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press) (2013)

[2] Jacques Hartmann, The Law of Armed Conflict: International Humanitarian Law in War, 80 Nordic Journal of International Law 121-123 (2011)

[3] International Telecommunication Union & World Federation of Scientists, The Quest For Cyber Confidence (2014), http://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN-WFS.02-1-2014-PDF-E.pdf (last visited Aug 24, 2015)

[4] Knut Dörmann, Computer network attack and International Humanitarian Law, Cambridge Review of International Affairs (2001)

[5] The law governing the use of force comprises the 1899 and 1907 Hague Conventions, the 4 Geneva Conventions supplemented by Additional Protocols of 1977, as well as customary law and State practice

[6] EJIL: Talk! – The Tallinn Manual on the International Law applicable to Cyber Warfare Ejiltalk.org, http://www.ejiltalk.org/the-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare/ (last visited Aug 24, 2015)

[7] Id.

[8] A Call to Cyber Norms Discussions at the Harvard-MIT–University of Toronto Cyber Norms Workshops, 2011 and 2012, https://www.americanbar.org/content/dam/aba/uncategorized/GAO/2015apr14_acalltocybernorms.authcheckdam.pdf (last visited Aug 24, 2015)

[9] Supra N. 3

[10] Incoming: What Is a Cyber Attack? SIGNAL Magazine, http://www.afcea.org/content/?q=incoming-what-cyber-attack (last visited Aug 25, 2015)

[11] Kilovaty, Ido. “Cyber Warfare and the Jus Ad Bellum Challenges: Evaluation in the Light of the Tallinn Manual on the International Law Applicable to Cyber Warfare.” National Security Law Brief 5, no. 1 (2014): 91-124.

[12] Michael J. Norris, The Law of Attack in Cyberspace: Considering the Tallinn Manual’s Definition of ‘Attack’ in the Digital Battlespace, 5 Student Pulse (2013), http://www.studentpulse.com/articles/775/the-law-of-attack-in-cyberspace-considering-the-tallinn-manuals-definition-of-attack-in-the-digital-battlespace (last visited Aug 25, 2015)

[13] Ibid.

[14] Reese Nguyen, Navigating Jus Ad Bellum in the Age of Cyber Warfare, 101 Cal. L. Rev. 1079 (2013). Available at: http://scholarship.law.berkeley.edu/californialawreview/vol101/iss4/4

[15] The Attribution Problem in Cyber Attacks – InfoSec Resources, http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks/ (last visited Aug 25, 2015)

[16] Case Concerning Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States of America); Merits, International Court of Justice (ICJ), 27 June 1986, available at: http://www.refworld.org/docid/4023a44d2.html [accessed 25 August 2015]

[17] Peter Margulies, Sovereignty and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility, 14 Melbourne Journal of International Law (2013), http://www.austlii.edu.au/au/journals/MelbJIL/2013/16.html (last visited Aug 25, 2015)

[18] Is The Tallinn Manual On The International Law Applicable To International Cyber Warfare Attacks And Defence | Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI) Perry4law.org, http://perry4law.org/cecsrdi/?p=453 (last visited Aug 24, 2015)

[19] D. Fleck, Searching for International Rules Applicable to Cyber Warfare–A Critical First Assessment of the New Tallinn Manual, 18 Journal of Conflict and Security Law 331-351 (2013)

[20] Tallinn 2.0: cyberspace and the law Aspistrategist.org.au, http://www.aspistrategist.org.au/tallinn-2-0-cyberspace-and-the-law/ (last visited Aug 24, 2015)

[21] Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, I.C.J. Reports 1996, p. 226, International Court of Justice (ICJ), 8 July 1996, available at: http://www.refworld.org/docid/4b2913d62.html [accessed 25 August 2015]

[22] Michael Schmitt, Cyberspace and International Law: Penumbral Mist of Uncertainty, 126 Harvard Law Review (2012)

[23] The Hindustan Times, Help counter cyber threats from China: NATO to India, 2011, http://www.hindustantimes.com/world-news/help-counter-cyber-threats-from-china-nato-to-india/article1-743664.aspx (last visited Aug 24, 2015)

E-Health, Digital India and Cyber (In)Security

By Shalini S

Under the government’s flagship initiative, Digital India, healthcare has been flagged as a sector awaiting reformation through enabling digital access. Across the world, the internet has increasingly come to serve as a platform for organized public healthcare delivery and has also demonstrated its potential in effectively increasing access to timely, specialized medical care in remote areas. Both e-health and m-health, public health models that use information and communications technology (ICTs) for the provision of both healthcare services and information, have been employed extensively to support physical healthcare infrastructure in several countries and are now finding their way into the Indian public health framework.[1]

The health initiative under the project attempts to transform healthcare from an event-based intervention to an integrated, continuous delivery model by employing ICTs to remedy information asymmetry and substandard access. The initiative is also expected to partially remedy healthcare access issues extant due to insufficient healthcare infrastructure and manpower. However, the use of ICTs exposes the sector to a range of unique challenges that must be dealt with in order to harness the potential of ICTs for the healthcare sector. This brief post seeks to outline the dangers of digitally storing and transmitting electronic health records and suggests strengthening security and risk management capability to avoid breaches.

E-health Initiative

The health limb of the Digital India project aims to increase access to quality healthcare for all citizens by enabling information flow, facilitating collaboration through the use of ICTs and providing timely, economic health services. It seeks to do so by increasing transparency in healthcare delivery, eliminating structural opacity and multiple intermediaries. Additionally, it envisions the use of emerging technology in bridging the healthcare divide by connecting patients with specialized health professionals, who are geographically far-removed, for online diagnosis. E-health programs are expected to benefit those that have little access to quality healthcare services such as the urban poor and rural populations.

Using hospital management information systems (HMIS), the healthcare delivery limb of the Digital India Initiative’s online registration system (ORS) rightly attempts to simplify the registration and appointment process. However, each new registrant is assigned a Unique Health Identification (UHID) number which is linked to their Aadhaar number and is used primarily to seek appointments at registered hospitals and subsequently to access their health records, including lab reports. Under the initiative, patients’ health records are digitized and uploaded electronically in order to better maintain records and make them easily accessible to health professionals. Further, these health records are to be integrated into a digital locker that can be accessed both by the government and private establishments.

As a part of the above-mentioned Digital India program, the Government of India also proposed to set up a National eHealth Authority (NeHA) under which a “centralized electronic healthcare record repository” containing comprehensive health information of all citizens could be fashioned.[2] While this proposed statutory authority will be vested with the responsibility of managing the complexities birthed by the use of ICTs in the healthcare sector and will also act as a regulatory authority to ensure privacy, confidentiality and security of patient information, it is yet to be created. In the absence of demonstrable, technical cybersecurity capability and a regulatory or legislative cybersecurity framework, this statutory body might remain an insufficient effort. Further, the implementation by healthcare providers of the privacy and security norms evolved by NeHA could take years, and sensitive patient information might be stolen by persons who stand to benefit from the use or sale of such personal information.

Sensitivity of health records

Healthcare records are primarily attractive to criminals as they contain personally identifiable information and are therefore highly vulnerable. In addition to the threat of stolen health data being misused in multiple ways, health records stored and transmitted online can be tampered with, and this can have implications for patient health. With the E-health initiative, this holds especially true as the Aadhaar linkage connects health records to other personal information. The proposed healthcare record repository must also address these concerns. Hosting personal information, especially healthcare records, on any internet-based platform without adequate cybersecurity measures in place is an invitation for large-scale breach.

Why digitize health records and information

Public health has arguably been raised as a national security priority and a centralized information database will undoubtedly be a prodigious healthcare intelligence tool that will allow researchers to engage in disease surveillance in order to better understand the state of public health in any nation. This information is critical to the medical fraternity and policymakers in ensuring medical preparedness and developing prevention and responsive capabilities.

Independently, most private healthcare providers have already made the move to digitizing health records that contain sensitive patient data and storing them electronically on often poorly-secured hospital networks, fueling pertinent privacy and security concerns. These health information systems are designed to host big data in a highly accessible manner in order to leverage speedy access to patient information for newer modalities of treatment that are time and cost effective.[3]

While the potential of information technology in radically transforming healthcare is indisputable, protecting healthcare data against misuse, without impeding healthcare professionals’ access to patient information, remains the biggest security concern.

Way forward

While it might not be necessary to view cybersecurity in healthcare delivery as a novel issue, patient information must be recognized as sensitive information that needs to be protected from breaches. Thus, the overarching Digital India initiative must necessarily account for vulnerabilities in digitally storing healthcare records and develop risk management capabilities as a part of its existing governance. Further, as the healthcare initiative under Digital India hinges on collaboratively partnering with private healthcare providers to bridge the gap in access to advanced medical technology and specialized care, a minimum standard of cybersecurity must be mandated to be followed by all participating private healthcare providers to prevent localized breaches.

[1] Sanjeev Davey & Anuradha Davey, m-Health- Can IT improve Indian Public Health System, 4 National Journal of Community Medicine (2013), http://njcmindia.org/uploads/4-3_545-549.pdf.

[2] The Indian Express, Digital India programme: Govt mulls setting up eHealth Authority, 2015, http://indianexpress.com/article/india/india-others/digital-india-programme-govt-mulls-setting-up-ehealth-authority/ (last visited Nov 7, 2015).

[3] How technology is changing the face of Indian Healthcare, The Economic Times, 2014, http://articles.economictimes.indiatimes.com/2014-04-02/news/48801172_1_indian-healthcare-collaborative-data-exchange-healthcare-information-technology-market (last visited Nov 7, 2015).

Indian hackers, Anonymous and #OpISIS: The grey area of online vigilantism

By Shalini S

The post originally appeared in Scroll.in on 29th November 2015.

While hacktivists help limit the presence and effect of militant groups online, their operations are marred by legal, ethical and privacy concerns.

Photo: Roslan Rahman/ AFP

The Islamic State of Iraq and Syria, better known as ISIS, has been receiving increasing attention, particularly after the recent Paris attacks, and the sporadic news that the militant group was trying to recruit Indian youth through social media. The recent news about some Indian hackers joining Anonymous – a loosely connected international network of activist and “hacktivist” entities around the world – in its cyber operation, #OpISIS, against ISIS’ online presence, was widely celebrated.

In an operation called #OpParis launched under the umbrella of #OpISIS, Anonymous and other hacktivist groups such as CtrlSec and GhostSec directly attacked ISIS’ presence on internet platforms to diminish its online following, disrupt its recruitment drives, and inhibit its dissemination of extremist propaganda.

While Anonymous has been widely lauded for #OpISIS, the operation, much like the collective, is marred by legal and ethical ambiguities. In limiting the presence and effect of extremist groups online, the operations of collectives like Anonymous may become indispensable to law enforcement. However, there is currently a lack of engagement on the possibility of constructively employing the abilities of such unregulated groups within a legally permissible framework.

It is interesting to note how Indian hacktivists are extending advanced technical cooperation to aid the numerous strategies employed by Anonymous to cripple the general outreach of ISIS. Multiple news reports have suggested that Anonymous and other hacktivist groups associated with #OpISIS are themselves taking down ISIS’ social media accounts. However, this is not accurate, as members of Anonymous only monitor social media platforms, identify accounts of ISIS members and recruiters, and report them to the social networking service for suspension.

Legal and strategic issues

Most social networking sites have amended policies to account for increasing social media presence of terror organisations. They suspend user accounts hosting content that “promotes terrorism”. However, these platforms cannot conceivably monitor each account and so allow individual users to report accounts that violate their policies.

To guarantee takedown through increased reporting, Anonymous is also releasing lists of identified accounts publicly and urging other users to report them. Even though new accounts can be opened easily, suspension of existing accounts that have amassed sizeable followers derails ISIS’ social media recruitment drives. While #OpISIS is arguably aiding law enforcement and social networks by ensuring the implementation of existing policies by vehemently flagging violators, experts on Nato, the intergovernmental military alliance, suggest that the operation is a hindrance to the strategised tracking of terrorists by intelligence agencies.

In addition to reporting accounts that share extremist content, Anonymous and its associate hacktivist groups are also attempting to cripple the reach of extremist websites by launching distributed denial-of-service – better known as DDOS – attacks against them. Such attacks flood the servers of the targeted website beyond capacity with malicious traffic, making it unavailable for public viewing. As this effectively leads to unregulated censorship of online content, it is illegal in most countries. Even in countries that allow blocking and delisting of websites that engage in digital terror propaganda, only internet service providers are commonly allowed to block websites on the request or order of an administrative or judicial authority.

Indian hackers that are aiding Anonymous have also launched DDOS attacks against websites hosting extremist content. To foil future attacks, they are also tracking and spying on personal chats of suspected members and recruiters of extremist groups. Additionally, Indian hacktivists are also engaged in the illegal act of spreading spyware to track the location of suspected ISIS associates. While this monitoring by hacktivist groups may intend to aid law enforcement, it is patently illegal and therefore, principally problematic. Thus, it is critically important to examine how hacktivist cooperation in such operations can be formally endorsed, or whether they must be subjected to regulation of some manner.

Privacy concerns

The most problematic part of Anonymous’ operation is the leaking of personal information of suspected members or recruiters of ISIS, illegally obtained by hacking personal accounts. Evidently, the hacktivist group is engaged in the illegal act of gaining unauthorised access to private user information. Further, the publication of such personal information by non-law enforcement entities is a possible infringement of privacy rights of these individuals.

Even if public interest is cited in justifying the act, we must be mindful that Anonymous is not infallible and has mistakenly identified innocent people as extremists in the past. Considering the nature of the imputed allegations and plausible repercussions, the publication of personal information of suspected extremists must be viewed more seriously. Personal information that Anonymous gained access to is certainly valuable, but must be verified independently by law enforcement authorities.

Law of the land

Hacktivist attacks are generally distinguished from cybercriminal activity as they are often employed to voice civil protest and therefore considered morally defensible. But the law recognises no such distinction and some parts of Anonymous’ operation fall outside the purview of legal permissibility. The effect of employing extra-legal means (described above) to censor extremist content and presence online must be necessarily examined to construct an informed response.

The organisational structure of Anonymous, which lacks a central command and definitive membership, makes it near-impossible to correctly pursue action against verifiable members, if deemed necessary. Regardless, it is important to realise that the impact of our response to Anonymous’ operation today is bound to shape the manner in which hacktivism is construed tomorrow.

With extremist organisations pushing their agenda online, there is a growing need to formally streamline expertise of these individuals and collectives, who have hitherto worked outside the scope of the law. They can be urged to inform larger campaigns against terror groups by working with intelligence agencies instead of operating separately.

Newer reports have claimed that a separate hacker group is engaged in identifying accounts associated with digital currency platform Bitcoin of suspected terror affiliates in order to potentially hamper their financial transactions. Such unconventional engagement in anti-terror programs might even prove beneficial in inhibiting terror organisations’ access and control of financial and physical resources. Nevertheless, we must remain cautious in our reaction to acts of such unorganised groups, as it is likely to shape both the future treatment of hacktivism and the fight against terrorism.

Cybersecurity Cooperation – India’s Latest Bilateral Arrangements

By Shalini S

The current Indian Government has continually offered significant strategic thrust to cybersecurity and related issues. In November 2015 alone, India established multiple collaborative partnerships for cooperation in cybersecurity with various countries. This is a welcome move for the sector which continually presents advanced security challenges. There is a demonstrated interest in addressing this serious contemporary concern. In addition, efforts are being made to establish extensive cybersecurity cooperation to ensure protected cyber networks. The latest bilateral ties established by India to boost cybersecurity cooperation are elucidated below.

India and the UK signed a first-of-its-kind joint statement that will enable them to collaborate and jointly educate and train their cybersecurity professionals. Together, the countries are also slated to establish a cybersecurity training centre to enable dialogue and exchange of expertise. Additionally, the UK will also help set up a new cybercrime unit in India. This joint statement, released after Prime Minister Narendra Modi’s visit to the UK, closely follows the visit of the UK’s first cybersecurity delegation to India in October 2015.

For the first time, India and China have also decided to establish ministerial mechanisms to effectively tackle transnational crime and specifically delineated cybercrime cooperation as a measure to boost security cooperation between the countries. The new high-level mechanism will be established under the home ministries of both the countries and will result in information exchange, law enforcement and technical capacity building to jointly combat cybercriminal activity. An official bilateral document endorsing this new security collaboration is yet to be signed.

A joint statement from Prime Minister Narendra Modi and his Malaysian counterpart, released this week, revealed that delegation-level consultations between the countries had resulted in the signing of a Memorandum of Understanding (MoU) aimed at strengthening cooperation on cybersecurity. As this MoU was signed between Indian Computer Emergency Team (CERT-IN) and CyberSecurity Malaysia (national cybersecurity agency), closer cooperation in cyber-policy evolution, technological expertise exchange and incident management can be expected.

Later in the same week, a similar agreement for bilateral cooperation and collaboration in cybersecurity measures was signed between CERT-IN and SingCERT (Singapore’s Computer Emergency Response Team). The MoU, which envisions research collaborations in the sector between the two countries, also agrees to set up appropriate mechanisms to facilitate future dialogue on prevalent policies, best practice, bilateral consultations and real-time exchange of information, and has established a broader framework of cooperation between the countries.

India’s recently established and renewed bilateral ties with these countries hinge on mutual sharing of information and best practices, both critical in constructing a shared response to conspicuous cyber incidents. As these collaborations also come in the wake of the joint commitment of India and the US to strengthen cooperation on a range of cyber issues, India’s serious commitment to fostering multiple bilateral dialogues and cooperation on cybersecurity and related issues is apparent and must be lauded.