Cyber crime has been rising across India. This post reviews advancements in policing technologically advanced crimes and considers potential next steps.
With rising instances of cybercrime being noted across the country, the need for vigilance in the cyber sphere has been highlighted by a number of commentators. These crimes have gained attention subsequent to the notification of demonetization, with rising online banking transactions and a governmental push towards a digital economy.
Several new issues stemming from the distrust in digital payment systems have been reported. For example, the cybercrime cell of the Mumbai Police has received several reports of a scam characterized by persons receiving fraudulent calls allegedly from banks, discussing a new RBI policy. These calls informed consumers that credit and debit cards were soon to be deactivated, but if they released their card details, they would be permitted to continue usage. Once released, these details were misused. While issues such as these do not require extensive cyber expertise to resolve, their incidence is on the rise. Countering them requires banks as well as law enforcement agencies to increase their efforts towards educating new adopters.
More concern may be caused by technology-intensive hacking attacks, both from within the country and outside. Recent instances include the hostilities faced by several Telangana-area software companies by alleged Pakistani attackers, as well as attacks by the group known as Legion. Their actions allegedly include the hacking of the twitter and email accounts of Rahul Gandhi, Vijay Mallya and Barkha Dutt, among others. There has also been an upswing in ransomware attacks recently, with over 11,000 attacks being reported in just three months. Reports of India’s first online Ponzi scheme are also now coming to light. This is despite the fact that that 80% of cybercrimes remain unreported according to recent news reports. This post will review some initiatives taken towards the more efficient investigation of cybercrime by law enforcement across the country.
Cyber Policing in India
Crime and Criminal Tracking Network and Systems (CCTNS)
Approved by the Cabinet Committee on Economic Affairs in 2009, with an allocation of INR 2 billion, the CCTNS is a project under the National e-Governance Plan. It aims at creating a nationwide networking infrastructure for an IT-enabled criminal tracking and crime detection system. The integration of about 15,000 police stations, district and state police headquarters and automated services was originally scheduled to be completed by 2012. However, this still remains incomplete.
Apart from the slow pace of implementation and budgetary problems, on-the-ground hurdles to fully operationalizing CCTNS include unreliable Internet connectivity and under-trained personnel at police stations. Other issues include unavailability of facilities for cyber forensic analysis in most locations, and lack of awareness regarding online citizens’ services such as verification of tenants and employees and clearance for processions and events.
The Central Government, in response to queries by the Supreme Court regarding measures taken to tackle cybercrime, recently announced that they would be setting up a ‘Centre Citizen Portal’. This portal will allow citizens to file complaints online with respect to cybercrimes, including cyber stalking, online financial fraud and others, suffered or observed by them.
The governmental response also details the proposed process, stating that any such complaint on the portal will trigger an alert at the relevant police station and allow the police department to track and update its status, while the complainant too would be able to view updates and escalate the complaint to higher officials.
Cyber Police Stations
Cyber police stations generally include trained personnel as well as the appropriate equipment to analyse and track digital crimes. Maharashtra, where cybercrime has risen over 140% in recent times, and which had the dismal distinction of only recording a single conviction related to cybercrime last year, is converting its existing cybercrime labs into cyber police stations. This will mean there is a cyber police station in each district of the state. The initiative in Maharashtra is useful especially because of the rise in online transactions in Tier II and Tier III cities and the rising cybercrime related thereto. However, despite the rise in cybercrime, complaints remain of low reportage and low success rates in solving crime. Police officers point to problems processing evidence, with complex procedures being required to retrieve data on servers stored abroad.
Further, there have been complaints in Bengaluru of the limited jurisdiction of cyber police stations. Pursuant to a standing order of the DG & IGP of Bengaluru City Police issued in June 2016, only cases with damages of over INR 5 lakh can be registered at cyber police stations in case of bank card fraud. In cases of online cheating, only those instances where damages exceed INR 50 lakh are amenable to the jurisdiction of cyber police stations. All other cases are to be registered with the local police station which, unlike cyber police stations, do not generally include trained personnel or the appropriate equipment to analyse and track digital crimes.
While the order is undoubtedly creating problems for cybercrime victims, it was made taking into account the woefully under-resourced cybercrime police station in Bengaluru which, at the time, consisted of a 15-member staff with two vehicles at its disposal.
Predictive policing involves the usage of data mining, statistical modeling and machine learning on datasets relating to crimes to make predictions about likely locations for police intervention. Examples of predictive policing include hot-spot mapping to identify temporal and spatial hotspots of criminal activity and regression models based on correlations between earlier, relatively minor, crimes and later, violent offences.
In 2013, the Jharkhand Police, in collaboration with the National Informatics Centre, began developing a data mining software for scanning online records to study crime trends. The Jharkhand Police has also been exploring business analytics skills and resources at IIM-Ranchi, in order to tackle crime in Jharkhand.
The Delhi Police has tapped into the expertise at the Indian Space Research Organisation in order to develop a predictive policing tool called CMAPS – Crime Mapping, Analytics and Predictive System. The system identifies crime hotspots by combining Delhi Police’s Dial 100 helpline calls data with ISRO’s satellite imagery and visualizing it as cluster maps. Using CMAPS, Delhi Police has slashed its analysis time from the 15 days it took with its erstwhile mechanical crime mapping to the three minutes it takes for the system to refresh its database.
The Hyderabad City Police is in the process of building a database, called the ‘Integrated People Information Hub’ which, according to the City Police Commissioner, would offer the police a “360-degree view” of citizens, including names, aliases, family details, addresses and information on various documents including passports, Aadhaar cards and driving licenses.
The data is combed from a wide-ranging variety of sources, including information on arrested persons, offenders’ list, FIRs, phone and electricity connections, tax returns, RTA registrations and e-challans. It is further indexed with unique identifiers, and is used to establish the true identity of a person, and present results to relevant authorities within minutes. While the system is aimed at curbing criminal activity and detecting fraud, a lack of clearly identified cyber security and privacy protocols is a worrying sign.
We recently reviewed the National Crime Records Bureau’s statistics relating to cybercrime, as set out in their Crime in India Report 2015. Some concerns that stemmed from the figures set out in the report were the low conviction rates and high pendency of cases. Experts have linked these issues, amongst other things, with the limited mechanisms available for cyber policing and the effectively-defunct status of the cyber tribunals. A recent report by the Bureau for Police Research and Development also highlighted resource constraints affecting police stations, with several stations lacking basic necessities such as a vehicle or a phone connection. Over five lakh posts sanctioned posts also remain vacant.
Given resource limitations, both in fiscal terms and relating to trained personnel, it is heartening to see the steps that have been taken towards efficient cyber-policing. While this post highlights some steps that have been taken in major jurisdictions, there are several initiatives even in non-metro cities towards tackling cybercrime. A National Cybersecurity Co-ordination Centre is also due to be launched around June this year. In a recent response to the Supreme Court, additional solicitor general Maninder Singh also informed the Court of substantial investments being made by the Central Government towards police and judicial training and towards the creation of cybercrime prevention cells. It is hoped that these measures will help to stem the growing tide of cybercrime in India.
In the Union Budget for 2017-18, Finance Minister Mr. Arun Jaitley announced the setting up of a dedicated Computer Emergency Response Team for the Financial Sector (Cert-Fin). The proposed emergency response team is slated to work in co-ordination with financial sector regulators and other stakeholders.
This announcement comes on the heels of the Government’s demonetisation initiative. Demonetisation led to a substantial rise in the volume of digital payments and the use of instruments such as mobile wallets. The cumulative growth of electronic transactions has been reported to range between 95 per cent and 4,025 per cent from November 8 till December 27, 2016. This transition towards digital payments in the financial sector is slated to continue, with one report predicting that by 2020, the digital payments industry will grow to over $500 billion and contribute 15% to the national GDP.
In a previous post, we had examined the legal and policy regime relating to digital payments in the country. In this post, we examine technological vulnerabilities in the financial sector, as well as measures taken towards strengthening cybersecurity.
Cyber Security Vulnerabilities in the Financial Sector
The exponential growth in digital payments in India and the push towards a cashless economy has renewed focus on the need to strengthen financial cybersecurity. Banks and financial institutions are extremely vulnerable to various forms of cyberattacks and online frauds. India has steadily moved up the ranking for countries with the highest number of financial Trojan infections over the past three years. At least forty percent of Banking, Financial Services and Insurance (‘BSFI’) businesses have been attacked at least once. A six-fold increase in credit and debit card fraud cases has been reported over the past three years. In addition to core banking, additional services like e-banking, ATM and retail banking are also increasingly vulnerable to cybercrime. Mobile frauds are also expected to grow to 60-65% in 2017, which is especially alarming because 40-45 % of financial transactions are being conducted on mobile devices today.
The Indian banking landscape has seen several large-scale cyberattacks over the past year. Since June 2016, the SWIFT systems of four Indian banks have been targeted. In October 2016, in what was the largest data breach in the country ever, 32 lakh debit cards of various banks were subject to a cyber malware attack. Earlier this year, it was reported that hackers had infiltrated the systems of three government-owned banks to generate false trade documents. The increased focus on cybersecurity in banks follows not only domestic incidents but global developments as well. In its bulletin on security measures, for instance, the Reserve Bank of India makes reference to the Carbanak Gang which targeted bank’s internal systems across Russia and Ukraine to conduct a robbery of around $ 1 billion. Closer home, in February 2016, there was an attempted heist of around $951 million from the Bangladesh Bank.
Cyber Security Framework for Banks
In October 2016, the Reserve Bank of India directed banks to implement a security policy containing detailing their strategy to for dealing with cyber threats and including tangible “cyber-hygiene” measures. This was following a renewed emphasis on the early implementation of the RBI’s Cyber Security Framework in banks. The RBI had first notified the Cyber Security Framework (‘Framework’) in Banks in June 2016. The Framework was a successor to broad guidelines on information security and cyber frauds which had been issued in line with the recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds in 2011.
The Framework is geared towards minimising data breaches and implementing immediate containment measures in the event of such breaches. It emphasises the urgent need to put in place a robust cyber security and resilience framework and to ensure continuous cybersecurity preparedness among banks. The Framework also mandates the adoption by banks of a distinct cybersecurity policy to combat threats in accordance with “complexity of business and acceptable levels of risk” within a set deadline. Further, the Framework requires the earliest setting up of Security Operations Centres within banks for continuous surveillance; disallowing unauthorised access to networks and databases; protection of customer information; and the evolution of a cyber crisis management plan.
Other Measures by the RBI and the Government
The RBI has also identified the need to evolve a framework for co-ordination and information sharing between financial institutions and public authorities in the event of cyber attacks. To this end, the RBI recently appointed its first information security officer and has formalised a sectoral sharing interface called the Indian Banks- Centre for Analysis of Risks and Threats (IB-CART). Further, the RBI also issued an ultimatum to banks, requiring them to report any breach of security immediately. Banks have been given until March 31, 2017 to put in place appropriate mechanisms.
Previously, there was limited reporting by banks as they were reluctant to report cyberattacks fearing devaluation of brand equity. Even in the event of large-scale cyberattacks, such as the above-mentioned malware infection which affected 32 lakh cards, it took six weeks to detect the fraudulent transactions. To counter this, and to enhance cyber resilience, the Institute for Development and Research in Banking Technology (‘IDBRT’) has been attacking vulnerabilities in banks’ security networks. This will enable them to share feedback with banks to improve their resilience. Further, the Chief Information Security Officers of banks have also set up a forum to discuss cyberattacks and to share information, manage and plan for issues related to information security. The Ministry for Electronics and Information Technology has also formally urged banks to co-operate with the CERT-In for carrying out audits and other measures to strengthen their cybersecurity systems.
While these proactive steps being taken by the RBI and the Government are timely and much-needed, the resilience of our banking infrastructure against cyber attacks will depend on co-ordinated action from all stakeholders. The Cyber Security Framework must be strictly implemented in a timely manner, with regular audits to ensure comprehensive compliance. Cybersecurity at banks and financial institutions needs to be prioritised as part of the design architecture and must not remain restricted to reactive fire fighting during crises. Cyber security solutions must be deliberately designed to enable stemming of cyber attacks in real time. Experts also suggest that the most effective ways to move forward with digitisation in order to ensure banks remain completely secure include the embracing of crypto-currencies and blockchain technology. Further, the Information Technology Act, 2000 is also ripe for a complete overhaul to counter the increased security risks in a cashless economy. These measures, of course, must also be accompanied by attempts to ensure widespread consumer education and awareness.
by Dhruv Somayajula*
In this second part of our two post series on the Internet of Things, Dhruv examines the policy framework in India to analyse its applicability to the Internet of Things.
In a previous post, we discussed the definition of the ‘Internet of Things’ (“IoT”), its uses and applications for smart cities and personal appliances as well as the security and privacy risks that it can come to pose. In light of the growing risks and security concerns this technology poses, it is essential to examine the existing legal framework to evaluate whether it can tackle the challenges emerging from the Internet of Things.
India’s Policy Framework on the Internet of Things
In recognition of the growing scope of the IoT-connected devices, the Ministry of Electronics and Information Technology released a Policy Document on the Internet of Things in October 2014. Following public comments, a revised draft policy(“Draft Policy”) was released in April 2015. The Draft Policy focuses in detail on the possible uses of IoT in India, which includes its use for infrastructure in creating smart cities, water and agriculture management, health and environment monitoring and traffic management. The Internet of Things, as conceived in India, is geared towards making life easier and ‘smarter’ for the consumer. The introduction of smart cities, smart energy, waste management, water management and other infrastructural development is part of the ambitious program that has been planned using the support of the Internet of Things. The Draft Policy also foresees major growth in the areas of providing wi-fi access, managing traffic, measuring CO2emissions, creating plans for a monitoring system of agriculture and healthcare. This post critically analyzes the existing legal and policy framework regarding the Internet of Things.
Lack of Uniform Global Standards
Paragraph 5.2 of the Draft Policy recognizes the necessity to stay on par with global standards for IoT devices. Further, it proposes the creation of a National Expert Committee to develop globally operable Internet of Things standards comprising of industry experts. However, the lack of a uniform global standard needs to be recognized by the Expert Committee, while framing India’s standards for IoT devices.
Data Security & Privacy
The Draft Policy fails to provide a governance framework for the Internet of Things. As discussed in our previous post, data security and privacy are critical concerns with respect to the Internet of Things. This is primarily on account of the extensive data being collected by these devices. India’s laws on data protection are codified in the Information Technology (Amendment) Act, 2011 (‘ITAA’). Section 43A obligates corporate entities to maintain reasonable security practices for safeguarding sensitive personal data. Accordingly, negligence in maintaining security measures invites liability to pay damages to the affected party. Further, Section 72A of the ITAA protects the right to confidentiality and privacy and makes disclosure of personal information without the consent of a person a punishable offence. The Information Technology (Reasonable Security Practices and Procedures) Rules, 2011 (“Rules”) have elaborated on the ITAA by defining key terms linked with data protection. The Rules define personal data, and elaborate on means to collect and retain such data. However, these Rules only protect data which can be used to identify a person, and don’t cover cases where other background data, such as location and activity, is collected. This loophole renders the Rules ineffective against a large portion of data collected by the IoT devices. Further, the data protection regime in India has also been criticized for the lack of a Data Protection Authority in India, and the low rate of action taken under these laws.
Another question of law that arise with the advent of the Internet of Things is the use of Standard Essential Patents (‘SEPs’) in India. When a company sets a market standard by way of an innovation and patents it, it may force the other players wishing to use the same standard in their devices to pay a huge royalty for a license to the patent. The other players in the market may restrict the standard-setting company from doing so. This is done by arguing that since the patent has set a market trend, the license to use that innovation must be given on fair, reasonable and non-discriminatory (‘FRAND’) terms. This practice is encouraged to avoid anti-competitive behavior by the company obtaining the SEP and to aid the consumer in having a wider choice in the market. The question of standard-setting is vital in the IoT sphere since the Internet of Things will rely on standardized technology, such as Wi-fi, Bluetooth, RFID chips. A large amount of IoT devices rely on data-sharing and interoperability of devices to create a smart sphere, and for doing so, a uniform standard is necessary to keep adding new devices on the common platform.The question of SEPs and their application to IoT devices will raise interesting questions in the coming days.
International Legal Frameworks
On October 2014, an Article 29 data Protection Working Paper analyzed Internet of Things and recommended that the laws on data protection be made stricter to prepare for this new technology. The solutions suggested included:
- Privacy Impact Assessment report to be made before a new application is integrated into the IoT sphere [Paragraph 7.1].
- Raw data collected from a device to be deletedonce the same is processed [Paragraph 7.1].
- Certified standards to be used by standard setting bodies to prevent security threats to the IoT platform [Paragraph 6.5].
- All actors who are a part of the Internet of Things, either as a device or a processor, to be accorded the status of ‘data controllers’, making them responsible for data protection [Paragraph 4.2].
- Additional suggestions such as purpose limitation, minimal retention of data, and transparency in use.
Based on the recommendations of the Working Paper, the European Union passed the General Data Protection Regulation(‘GDPR’) which was adopted on April 2016 and shall come into force in May 2018. The GDPR lays down law on how data is to be collected, processed, used and stored, and the limits on saving such data.
- Article 5 of the GDPR requires the collection of data to be fair, transparent, and lawful. It also provides for the data collected to be minimal and for a limited purpose, and that the data controller is accountable for the safety of the data.
- The GDPR also provides for safeguards on data processing such as pseudonymization (or encryption), as per Article 25, which enforces data protection by design and default.
- Article 26 is relevant in cases where two or more entities jointly determine the means and purposes of processing data If the recommendation to include all the people involved in the IoT chain as data controllers is accepted [Para 4.2 of the Working Paper], this Article would be very crucial in determining liability.
- Article 44 lays down general principles for data transfer to a third country- stating that data can be transferred to a third country when the data protection laws of that country areconsidered adequate.
Similarly, the United States Federal Trade Commission (FTC)has alsoprepared a report that dealt with the benefits and risks of the Internet of Things. The report contains several recommendations towards ensuring security and privacy of consumers, including- data security to be verified, notice and consent to be provided, and security upgrades in installation. The recent TRENDnet case acts as an example of the vulnerability of IoT devices in the market and serves as a reminder that internet security must remain a priority for devices using the Internet of Things.
Several other countries have passed laws relating to data protection which could be applied to the Internet of Things. Canada, for example, passed the Personal Information Protection and Electronic Documents Act (‘PIPEDA’) in 2004. There have been major developments since then, and the Privacy Commissioner of Canada has admitted the need to relook the consent model in force with the advent of the Internet of Things. Australia has the Information Privacy Act, 2014 which lays down rules of keeping consumer data confidential.
Way ahead in India
With an estimated 451.5 million internet users by the end of 2016, India promises to be a significant player in the $300 billion Internet of Things market. India is on the threshold of an internet boom, and has tremendous potential in the Internet of Things, with the present estimate being around $15 billion. It is necessary to evolve legal and policy frameworks tailored to this technology, given the number of substantial benefits the Internet of Things provides for us. The government needs to promptly upgrade its existing data protection regime to match the global standards of privacy and data protection, and needs to take special cognizance of the security and privacy risks associated with the Internet of Things while doing so.
*Dhruv is a third year student at NALSAR University of Law, Hyderabad. Dhruv interned with CCG during November 2016.
The National Crime Records Bureau released their annual “Crime in India” report for the year 2015 earlier this year. This post analyses the trends in cybercrime traced through the report.
The National Crime Records Bureau (“NCRB”) released their annual “Crime in India” report (“NCRB Report, or “Report”) for the year 2015 earlier this year. The report tracks statistics for various types of crimes across India, and provides useful insight into socio-legal trends, as well as problems being faced by law enforcement agencies in the country. This post seeks to review the findings of the report in relation to cybercrime in the context of issues facing crime deterrence and law enforcement in the country.
The NCRB has been tracking statistics relating to cybercrime since their 2014 report. Based on other trackers, between 2011 and 2015, the country witnessed a surge of nearly 350% in cybercrime cases reported. However, despite an increasing number of cases being reported, conviction rates remain very low. For example, Maharashtra saw only a single conviction in 2015 despite over 2000 cases being registered. While it is true that convictions are not generally related to the cases filed in the same year, low conviction rates are generally indicative of high pendency of cases, as well as an underdeveloped architecture of investigation and deterrence.
The NCRB Crime in India Report 2015
The NCRB Report tracks, in their cybercrime chapter, cases filed which are linked with the use of the internet and IT enabled services. Under this broad categorisation, the report seeks to trace (amongst other things) patterns of cases reported, cases pending, arrest rates, conviction rates, and offender demographics. A total of 11,592 cybercrime cases were registered in 2015, representing an increase of approximately 20.5% over the previous year. These include offences registered under the Information Technology Act (“IT Act”), as well as related sections of the Indian Penal Code and other special or local laws. Uttar Pradesh had the highest rate of reportage of such crimes, followed by Maharashtra and Karnataka.
The majority of the cases (6567) were registered under “Computer Related Offences”, which involve cases registered under Sections 66 to 66E of the IT Act. These include offences such as ‘sending offensive messages through a communication service’ (Section 66A), ‘dishonestly receiving stolen computer resource or communication device’ (Section 66B), ‘identity theft’ (Section 66C) and others. It is interesting to note that despite Section 66A being struck down last year by the Supreme Court in the Shreya Singhal case, convictions under the section have risen, and in some instances new cases have also been filed. Under the IPC, the majority of cases filed were relating to cheating, involving over 65% of the total cases filed.
A total of 8121 persons were arrested during 2015 in relation to cybercrime offences, representing a 41.2% increase over 2014. The maximum number of persons arrested were in Uttar Pradesh. However, tracking the persons arrested may not be the most useful metric, because it does not represent the number of cases that were brought to successful completion. In fact, only 250 persons were finally convicted under the IT Act and 20 were convicted under the IPC.
Over 14,000 cases registered under the IT Act were investigated in 2015, including over 6000 pending cases. At the end of the year, over 8000 cases remained pending for investigation. 2396 cases were charge-sheeted in 2015, and 4191 cases were pending for trial. Trials were completed in 486 cases, with 193 ending in conviction. 5,094 cases under the IPC were investigated in 2015, with over 1600 being pending cases from the previous year. 710 cases were charge-sheeted in 2015, and trials were completed for only 53 cases. In cases registered under the IPC, over 3600 cases remained pending for investigation at the end of 2015 – the majority of these cases related to forgery and data theft. It is clear that the pendency of cases is not only high, but increasing, although the NCRB report does not offer any potential reasons.
In terms of offender demographics, the majority of persons arrested fell within the 18-30 age bracket – over 65% of the arrestees under the IT Act, and 55% of the arrestees under the IPC are within this category. However, the NCRB report does not track other demographic statistics, including gender and socio-economic status.
The largest section of arrestees were characterized as ‘business competitors’, followed by ‘neighbours/friends/relatives’. The vast majority of persons arrested were Indian nationals, with only 4 foreign nationals being captured. Given the rising number of cyber incidents stemming from abroad, it is clear that the existing cyber law framework may be insufficient to tackle transnational cyber crime.
The NCRB report highlights the fact that problems that have plagued most areas of the Indian criminal justice system continue to be issues in relation to cybercrime. These include high pendency of cases, low conviction rates and low reporting. These problems are exacerbated by rising usage of information technology resources with limited knowledge of good cybersecurity principles. Experts have also suggested that the Indian ecosystem around cyber policing is simply not equipped to secure convictions, because of an inadequately trained police force, limited technical resources, low co-ordination between the public and private sector, and an unequipped judicial system.
The Supreme Court of India has taken suo moto cognizance of the issue after a letter written by Hyderabad-based NGO Prajwala pointed out that 9 videos of sexual assault were being circulated on WhatsApp. After a CBI probe was ordered into these instances, the Centre also set up an expert group to formulate appropriate means to tackle growing cybercrime in India. Following this, the government agreed to take various steps, including the establishment of a National Cyber Crime Coordination Centre (“NCCC”) in order to focus on cybercrimes and national security issues and ensure appropriate communication between agencies. Reports have suggested that Phase I of the NCCC will be live by March 2017. It has also been agreed that cybercrime complaints can be filed online without the necessity of visiting a police station.
There have also been other steps taken, including the establishment of cyber labs promising additional technical, and increased emphasis on international co-operation. It is to be hoped that these measures will go a long way towards assuaging the policing problems currently facing cybercrime in India.
By Shalini S
The Convention on Cybercrime or Budapest Convention is the only binding multilateral treaty instrument aimed at combating cybercrime. It was drafted by the Council of Europe with active participation from its observer states in 2001. The Convention provides a framework for international cooperation between state parties to the treaty. It is open for ratification even to states that are not members of the Council of Europe. The Convention is the only substantive multilateral agreement with a stated objective of addressing cybercrime with convergent, harmonized legislation and capability building. Therefore, it is widely recognized as a decisive document on international best practice and enjoys compliance even from non-signatory states. Most model legislation and attempts at drafting a new international instrument on cybercrime have also relied on the principles expounded in this Convention. The Budapest Convention is also supplemented by an Additional Protocol to the Convention which was adopted in 2003.
Offences under the Convention
The Budapest Convention broadly attempts to cover crimes of illegal access, interference and interception of data and system networks, and the criminal misuse of devices. Additionally, offences perpetrated by means of computer systems such as computer-related fraud, production, distribution and transmission of child pornography and copyright offences are addressed by provisions of the Convention. The substantive offences under the Convention can broadly be classified into “(1) offences against the confidentiality, integrity and availability of computer data and systems; (2) computer-related offences; (3) content-related offences; and (4) criminal copyright infringement.” The Additional Protocol makes the act of using computer networks to publish xenophobic and racist propaganda, a punishable offence. However, the full range of cybercrimes are not covered under the Budapest Convention. These include cybercrimes such as identity theft, sexual grooming of children and unsolicited spam and emails.
Provisions of the Convention
The treaty functions on a mutual information sharing and formal assistance model in order to facilitate better law enforcement and lays down procedure to seek and receive such assistance. Article 23 of the Convention outlines the general principles under which international cooperation can be sought, as follows:
“Article 23 – General principles relating to international co-operation
The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international cooperation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.”
It is clear then that assistance facilitated by the Convention relies on pre-existing cooperative agreements between the parties. Thus, as also stated in Article 39 of the Convention, the provisions only serve to supplement multilateral and bilateral treaties already effective between parties. In addition, mutual legal assistance (MLA) between parties where no such mutual arrangements exists, can be facilitated through procedures laid down under Article 27. Principles and procedures related to extradition for criminal offences under the Convention is also detailed in Article 24 of the Budapest Convention. These sections primarily aid formal legal assistance between signatory parties to the Convention in case of a cybercrime (as defined under the Convention itself).
The Convention itself does not demand ‘dual criminality’ per se. However, the adoption of the Convention demands harmonization of national legislations and results in reciprocal criminalization. This is crucial as the Convention has mutual assistance and extradition provisions, both easier to process when dual criminality is established between the requesting and assisting parties.
The Cybercrime Convention Committee (T-CY) was setup to represent the interests of and foresee regular consultations between state parties to the Convention. The biannual plenaries conducted by the T-CY and working groups discuss developments, shortcomings, grievances and possible amendments of the Budapest Convention.
Significant Drawbacks of the Convention
The Convention on Cybercrime has also come under severe criticism for both its specific provisions that fail to protect rights of individuals and states, and its general inadequacy in sufficing to ensure a cyberspace free of criminal activity.
The 12th Plenary of the T-CY (at page 123) concluded that the mutual legal assistance facilitated by the Convention was too complex and lengthy, rendering it inefficient in practice. The outdated nature of provisions of the Convention clearly fail to cater to the needs of modern investigation.
The provisions of the Convention have been critiqued for supposedly infringing on state sovereignty. In particular, Article 32 has been contentious as it allows local police to access servers located in another country’s jurisdiction, even without seeking sanction from authorities of the country. In order to enable quick securing of electronic evidence, it allows trans-border access to stored computer data either with permission from the system owner (or service provider) or where publically available. As Russia finds this provision to be an intolerable infringement of its sovereignty (amongst other things), it has categorically refused to sign the Convention in its current state. However, it is important to note that the claim that provisions infringe on sovereignty has been addressed and countered by the T-CY in its guidance note on Article 32
Russia’s displeasure with the existing multilateral instrument was evidenced by the introduction of a Russia-backed proposal for an international cyberspace treaty. The proposal, specifically for a convention or protocol on cybersecurity and cybercrime was considered and rejected at the 12th UN Congress on Crime Prevention and Criminal Justice. US and EU refused to countenance a new cybercrime treaty, opining that the Budapest Convention sufficed and efforts should be directed at capacity building.
Regardless, Brazil and China which have expressed displeasure at the primarily-European treaty, have refused to adopt the Convention for the same reason. India also continues to remain a non-signatory to the inequitable Convention, having categorically declined to adopt the Convention which was drafted without its participation. India’s statements also reflect its belief that the Budapest Convention in its present form is insufficient in tackling cybercrimes. This may hold especially true as India routinely faces cyber-attacks from China. This is a problem that will not be resolved by mere ratification of the Budapest Convention as China is a non-signatory to the treaty. With multiple countries remaining a non-signatory, with little scope for change in their positions, the reach of the Convention is certainly limited. There is a demonstrable need for a unique, equitable and all-encompassing instrument that governs cybercrime. To ensure maximum consensus and compliance, this instrument must necessarily be negotiated with active participation from all states.
 Jonathan Clough, A World of Difference: The Budapest Convention on Cybercrime and the Challenges of Harmonisation, Monash University Law Review (2014) at page 702, https://www.monash.edu/__data/assets/pdf_file/0019/232525/clough.pdf (last visited Mar 2, 2016).
Kier Giles, Russia’s Public Stance on Cyberspace Issues, in 4th International Conference on Cyber Conflict (2012) at page 67, https://ccdcoe.org/publications/2012proceedings/2_1_Giles_RussiasPublicStanceOnCyberInformationWarfare.pdf (last visited March 2, 2016).
By Shalini S
In September last year, a mutual cyber hacking marathon ensued between Indian and Pakistani hackers, who each hacked and defaced multiple government and private websites. The incident was triggered by a detected defacement of a Kerala government website which was attributed to a Pakistani hacker. Indian hackers and hacktivist groups retaliated by defacing multiple Pakistani government websites and making several others inaccessible. Media reports were quick to label these cyber vandalism exchanges as a cyber war between the two countries with headlines such as:
These headlines while raising public awareness about politically motivated cyber-attacks, were also misleading and patently wrong in terming the episode as cyber war. Other politically motivated cyber-attacks involving independent hackers have also been termed cyber war in the past. The incidents were noteworthy and raised several red flags about the vulnerability of official government websites and state of security of data contained therein. However, it certainly did not cross the threshold to be termed an ‘act of war’ or ‘cyber warfare’.
There are clear thresholds for an attack to qualify as an act of war and several scholars opine that the same standards apply on a virtual battleground. For instance, the US Strategic Command’s Cyber Warfare Lexicon’s definition of cyber warfare envisions a military object (Page 8). The document also states that “not all cyber capabilities are weapons or potential weapons” (Page 9). The Tallinn Manual on the International Law Applicable to Cyber Warfare which identifies “laws of armed conflict that apply to cyberspace and delineates the limits and modalities of its application”, does not seek to regulate actions of individual hackers or groups of hackers. Susan Brenner, a cyber conflict specialist opines that cyber warfare is the use of cyberspace to achieve the same ends as conventional warfare – “the conduct of military operations by virtual means”. However, other definitions allow scope to envision the participation of non-state actors in cyber warfare.
Despite numerous attempts at defining and the lack of a clear consensus in existing definitions, ‘cyber war’ has a specific connotation. Most existing definitions of cyber warfare envisage the subversive use of cyber technologies by a nation-state in the conduct of a military operation.
Cyber-attacks are challenging to evolve specific definitions for and this make it difficult to categorize them. However, it is important to identify the exact nature of each attack, unambiguously define and categorize cyber-attacks in order to formulate a proportional and appropriate policy response.
The issue of distinguishing cyber vandalism from cyber war was most notably raised in the aftermath of the Sony hack of 2014. President Obama had characterized the attack as an act of cyber vandalism, while others opined that it was an act of terrorism or act of warfare albeit perpetuated virtually. The characterization of that particular attack on Sony has been shifting with allegations of the incident being a state-sponsored act. Regardless, it remains that the consequence of classification of any cyber-attack carries its own implications for the formulation of a response policy and thus it must also be accurately communicated to the public and policy makers.
It is clear that the above-described incident of mutual defacement of websites by hackers and hacktivist groups, falls short of qualifying as a cyber war on many counts. There is no indication of the attacks being sponsored by the Indian or Pakistani state. Evidently, it was also not carried out in the furtherance of a military objective. The target of the primary attack, an official government website is not critical information infrastructure and the nature and severity of the attack was fairly minimal. Thus, the act and the subsequent retaliation do not qualify as acts of cyber war and can only be characterized as ‘cyber vandalism’.
Cyber vandalism is the digital equivalent of conventional vandalism wherein legitimate content of a website will be made unavailable or replaced. As advanced cyber capabilities are within the reach of even non-state actors, attacks of this nature might be a frequent occurrence in the future. It is vital then to evolve appropriate legal and policy responses to effectively deal with individuals, hacktivist and organized groups that indulge in cyber vandalism.
The rules of cyber war are still nascent but the Tallinn Manual sheds light on the form that law might take on regulating acts of such nature. The international community is bound to arrive at a consensus on the definitions and clear demarcations of acts of warfare, terrorism, vandalism and espionage in the cyberspace. In the meantime, there must be a concerted effort to understand these new-age operations and evolve better classifications that aids policy formulation on these issues.
 Susan W. Brenner, Cybercrime, cyberterrorism and cyberwarfare, 77 Revue internationale de droit pénal 453 (2006) at Para 45, https://www.cairn.info/revue-internationale-de-droit-penal-2006-3-page-453.htm#no33.
 Susan Brenner, At Light Speed: Attribution and Response to Cybercrime/Terrorism/Warfare, 97 Journal of Criminal Law and Criminology (2007) at Page 401, http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=7260&context=jclc.
 Nicolò Bussolati, The Rise of Non-State Actors in Cyberwarfare (2015).