Law Enforcement Initiatives Towards Tackling Cyber Crime in India

Cyber crime has been rising across India. This post reviews advancements in policing technologically advanced crimes and considers potential next steps. 

With rising instances of cybercrime being noted across the country, the need for vigilance in the cyber sphere has been highlighted by a number of commentators. These crimes have gained attention subsequent to the notification of demonetization, with rising online banking transactions and a governmental push towards a digital economy.

Several new issues stemming from the distrust in digital payment systems have been reported. For example, the cybercrime cell of the Mumbai Police has received several reports of a scam characterized by persons receiving fraudulent calls allegedly from banks, discussing a new RBI policy. These calls informed consumers that credit and debit cards were soon to be deactivated, but if they released their card details, they would be permitted to continue usage. Once released, these details were misused. While issues such as these do not require extensive cyber expertise to resolve, their incidence is on the rise. Countering them requires banks as well as law enforcement agencies to increase their efforts towards educating new adopters.

More concern may be caused by technology-intensive hacking attacks, both from within the country and outside. Recent instances include the hostilities faced by several Telangana-area software companies by alleged Pakistani attackers, as well as attacks by the group known as Legion. Their actions allegedly include the hacking of the twitter and email accounts of Rahul Gandhi, Vijay Mallya and Barkha Dutt, among others. There has also been an upswing in ransomware attacks recently, with over 11,000 attacks being reported in just three months. Reports of India’s first online Ponzi scheme are also now coming to light. This is despite the fact that that 80% of cybercrimes remain unreported according to recent news reports. This post will review some initiatives taken towards the more efficient investigation of cybercrime by law enforcement across the country.

Cyber Policing in India

Crime and Criminal Tracking Network and Systems (CCTNS)

Approved by the Cabinet Committee on Economic Affairs in 2009, with an allocation of INR 2 billion, the CCTNS is a project under the National e-Governance Plan. It aims at creating a nationwide networking infrastructure for an IT-enabled criminal tracking and crime detection system. The integration of about 15,000 police stations, district and state police headquarters and automated services was originally scheduled to be completed by 2012. However, this still remains incomplete.

Apart from the slow pace of implementation and budgetary problems, on-the-ground hurdles to fully operationalizing CCTNS include unreliable Internet connectivity and under-trained personnel at police stations. Other issues include unavailability of facilities for cyber forensic analysis in most locations, and lack of awareness regarding online citizens’ services such as verification of tenants and employees and clearance for processions and events.

Online Complaints

The Central Government, in response to queries by the Supreme Court regarding measures taken to tackle cybercrime, recently announced that they would be setting up a ‘Centre Citizen Portal’. This portal will allow citizens to file complaints online with respect to cybercrimes, including cyber stalking, online financial fraud and others, suffered or observed by them.

The governmental response also details the proposed process, stating that any such complaint on the portal will trigger an alert at the relevant police station and allow the police department to track and update its status, while the complainant too would be able to view updates and escalate the complaint to higher officials.

Cyber Police Stations

Cyber police stations generally include trained personnel as well as the appropriate equipment to analyse and track digital crimes. Maharashtra, where cybercrime has risen over 140% in recent times, and which had the dismal distinction of only recording a single conviction related to cybercrime last year, is converting its existing cybercrime labs into cyber police stations. This will mean there is a cyber police station in each district of the state. The initiative in Maharashtra is useful especially because of the rise in online transactions in Tier II and Tier III cities and the rising cybercrime related thereto. However, despite the rise in cybercrime, complaints remain of low reportage and low success rates in solving crime. Police officers point to problems processing evidence, with complex procedures being required to retrieve data on servers stored abroad.

Further, there have been complaints in Bengaluru of the limited jurisdiction of cyber police stations. Pursuant to a standing order of the DG & IGP of Bengaluru City Police issued in June 2016, only cases with damages of over INR 5 lakh can be registered at cyber police stations in case of bank card fraud. In cases of online cheating, only those instances where damages exceed INR 50 lakh are amenable to the jurisdiction of cyber police stations. All other cases are to be registered with the local police station which, unlike cyber police stations, do not generally include trained personnel or the appropriate equipment to analyse and track digital crimes.

While the order is undoubtedly creating problems for cybercrime victims, it was made taking into account the woefully under-resourced cybercrime police station in Bengaluru which, at the time, consisted of a 15-member staff with two vehicles at its disposal.

Predictive Policing

Predictive policing involves the usage of data mining, statistical modeling and machine learning on datasets relating to crimes to make predictions about likely locations for police intervention. Examples of predictive policing include hot-spot mapping to identify temporal and spatial hotspots of criminal activity and regression models based on correlations between earlier, relatively minor, crimes and later, violent offences.

In 2013, the Jharkhand Police, in collaboration with the National Informatics Centre, began developing a data mining software for scanning online records to study crime trends. The Jharkhand Police has also been exploring business analytics skills and resources at IIM-Ranchi, in order to tackle crime in Jharkhand.

The Delhi Police has tapped into the expertise at the Indian Space Research Organisation in order to develop a predictive policing tool called CMAPS – Crime Mapping, Analytics and Predictive System. The system identifies crime hotspots by combining Delhi Police’s Dial 100 helpline calls data with ISRO’s satellite imagery and visualizing it as cluster maps. Using CMAPS, Delhi Police has slashed its analysis time from the 15 days it took with its erstwhile mechanical crime mapping to the three minutes it takes for the system to refresh its database.

The Hyderabad City Police is in the process of building a database, called the ‘Integrated People Information Hub’ which, according to the City Police Commissioner, would offer the police a “360-degree view” of citizens, including names, aliases, family details, addresses and information on various documents including passports, Aadhaar cards and driving licenses.

The data is combed from a wide-ranging variety of sources, including information on arrested persons, offenders’ list, FIRs, phone and electricity connections, tax returns, RTA registrations and e-challans. It is further indexed with unique identifiers, and is used to establish the true identity of a person, and present results to relevant authorities within minutes. While the system is aimed at curbing criminal activity and detecting fraud, a lack of clearly identified cyber security and privacy protocols is a worrying sign.

Conclusion

We recently reviewed the National Crime Records Bureau’s statistics relating to cybercrime, as set out in their Crime in India Report 2015. Some concerns that stemmed from the figures set out in the report were the low conviction rates and high pendency of cases. Experts have linked these issues, amongst other things, with the limited mechanisms available for cyber policing and the effectively-defunct status of the cyber tribunals. A recent report by the Bureau for Police Research and Development also highlighted resource constraints affecting police stations, with several stations lacking basic necessities such as a vehicle or a phone connection. Over five lakh posts sanctioned posts also remain vacant.

Given resource limitations, both in fiscal terms and relating to trained personnel, it is heartening to see the steps that have been taken towards efficient cyber-policing. While this post highlights some steps that have been taken in major jurisdictions, there are several initiatives even in non-metro cities towards tackling cybercrime. A National Cybersecurity Co-ordination Centre is also due to be launched around June this year. In a recent response to the Supreme Court, additional solicitor general Maninder Singh also informed the Court of substantial investments being made by the Central Government towards police and judicial training and towards the creation of cybercrime prevention cells. It is hoped that these measures will help to stem the growing tide of cybercrime in India.

 

Cybersecurity in the Financial Sector: An Overview

Sowmya Karun 

In the Union Budget for 2017-18, Finance Minister Mr. Arun Jaitley announced the setting up of a dedicated Computer Emergency Response Team for the Financial Sector (Cert-Fin). The proposed emergency response team is slated to work in co-ordination with financial sector regulators and other stakeholders.

This announcement comes on the heels of the Government’s demonetisation initiative. Demonetisation led to a substantial rise in the volume of digital payments and the use of instruments such as mobile wallets. The cumulative growth of electronic transactions has been reported to range between 95 per cent and 4,025 per cent from November 8 till December 27, 2016. This transition towards digital payments in the financial sector is slated to continue, with one report predicting that by 2020, the digital payments industry will grow to over $500 billion and contribute 15% to the national GDP.

In a previous post, we had examined the legal and policy regime relating to digital payments in the country. In this post, we examine technological vulnerabilities in the financial sector, as well as measures taken towards strengthening cybersecurity.

Cyber Security Vulnerabilities in the Financial Sector

The exponential growth in digital payments in India and the push towards a cashless economy has renewed focus on the need to strengthen financial cybersecurity. Banks and financial institutions are extremely vulnerable to various forms of cyberattacks and online frauds. India has steadily moved up the ranking for countries with the highest number of financial Trojan infections over the past three years. At least forty percent of Banking, Financial Services and Insurance (‘BSFI’) businesses have been attacked at least once. A six-fold increase in credit and debit card fraud cases has been reported over the past three years. In addition to core banking, additional services like e-banking, ATM and retail banking are also increasingly vulnerable to cybercrime. Mobile frauds are also expected to grow to 60-65% in 2017, which is especially alarming because 40-45 % of financial transactions are being conducted on mobile devices today.

The Indian banking landscape has seen several large-scale cyberattacks over the past year. Since June 2016, the SWIFT systems of four Indian banks have been targeted.  In October 2016, in what was the largest data breach in the country ever, 32 lakh debit cards of various banks were subject to a cyber malware attack.  Earlier this year, it was reported that hackers had infiltrated the systems of three government-owned banks to generate false trade documents. The increased focus on cybersecurity in banks follows not only domestic incidents but global developments as well. In its bulletin on security measures, for instance, the Reserve Bank of India makes reference to the Carbanak Gang which targeted bank’s internal systems across Russia and Ukraine to conduct a robbery of around $ 1 billion. Closer home, in February 2016, there was an attempted heist of around $951 million from the Bangladesh Bank.

Cyber Security Framework for Banks

In October 2016, the Reserve Bank of India directed banks to implement a security policy containing detailing their strategy to for dealing with cyber threats and including tangible “cyber-hygiene” measures. This was following a renewed emphasis on the early implementation of the RBI’s Cyber Security Framework in banks. The RBI had first notified the Cyber Security Framework (‘Framework’) in Banks in June 2016. The Framework was a successor to broad guidelines on information security and cyber frauds which had been issued in line with the recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds in 2011.

The Framework is geared towards minimising data breaches and implementing immediate containment measures in the event of such breaches. It emphasises the urgent need to put in place a robust cyber security and resilience framework and to ensure continuous cybersecurity preparedness among banks. The Framework also mandates the adoption by banks of a distinct cybersecurity policy to combat threats in accordance with “complexity of business and acceptable levels of risk” within a set deadline. Further, the Framework requires the earliest setting up of Security Operations Centres within banks for continuous surveillance; disallowing unauthorised access to networks and databases; protection of customer information; and the evolution of a cyber crisis management plan.

Other Measures by the RBI and the Government

The RBI has also identified the need to evolve a framework for co-ordination and information sharing between financial institutions and public authorities in the event of cyber attacks. To this end, the RBI recently appointed its first information security officer and has formalised a sectoral sharing interface called the Indian Banks- Centre for Analysis of Risks and Threats (IB-CART). Further, the RBI also issued an ultimatum to banks, requiring them to report any breach of security immediately. Banks have been given until March 31, 2017 to put in place appropriate mechanisms.

Previously, there was limited reporting by banks as they were reluctant to report cyberattacks fearing devaluation of brand equity. Even in the event of large-scale cyberattacks, such as the above-mentioned malware infection which affected 32 lakh cards, it took six weeks to detect the fraudulent transactions. To counter this, and to enhance cyber resilience, the Institute for Development and Research in Banking Technology (‘IDBRT’) has been attacking vulnerabilities in banks’ security networks. This will enable them to share feedback with banks to improve their resilience.  Further, the Chief Information Security Officers of banks have also set up a forum to discuss cyberattacks and to share information, manage and plan for issues related to information security. The Ministry for Electronics and Information Technology has also formally urged banks to co-operate with the CERT-In for carrying out audits and other measures to strengthen their cybersecurity systems.

Conclusion

While these proactive steps being taken by the RBI and the Government are timely and much-needed, the resilience of our banking infrastructure against cyber attacks will depend on co-ordinated action from all stakeholders. The Cyber Security Framework must be strictly implemented in a timely manner, with regular audits to ensure comprehensive compliance. Cybersecurity at banks and financial institutions needs to be prioritised as part of the design architecture and must not remain restricted to reactive fire fighting during crises. Cyber security solutions must be deliberately designed to enable stemming of cyber attacks in real time.  Experts also suggest that the most effective ways to move forward with digitisation in order to ensure banks remain completely secure include the embracing of crypto-currencies and blockchain technology. Further, the Information Technology Act, 2000 is also ripe for a complete overhaul to counter the increased security risks in a cashless economy. These measures, of course, must also be accompanied by attempts to ensure widespread consumer education and awareness.

 

 

Tracking Cybercrime through the National Crime Records Bureau’s “Crime in India” Report, 2015

The National Crime Records Bureau released their annual “Crime in India” report for the year 2015 earlier this year. This post analyses the trends in cybercrime traced through the report.  

The National Crime Records Bureau (“NCRB”) released their annual “Crime in India” report (“NCRB Report, or “Report”) for the year 2015 earlier this year. The report tracks statistics for various types of crimes across India, and provides useful insight into socio-legal trends, as well as problems being faced by law enforcement agencies in the country. This post seeks to review the findings of the report in relation to cybercrime in the context of issues facing crime deterrence and law enforcement in the country.

The NCRB has been tracking statistics relating to cybercrime since their 2014 report. Based on other trackers, between 2011 and 2015, the country witnessed a surge of nearly 350% in cybercrime cases reported. However, despite an increasing number of cases being reported, conviction rates remain very low. For example, Maharashtra saw only a single conviction in 2015 despite over 2000 cases being registered. While it is true that convictions are not generally related to the cases filed in the same year, low conviction rates are generally indicative of high pendency of cases, as well as an underdeveloped architecture of investigation and deterrence.

The NCRB Crime in India Report 2015

The NCRB Report tracks, in their cybercrime chapter, cases filed which are linked with the use of the internet and IT enabled services. Under this broad categorisation, the report seeks to trace (amongst other things) patterns of cases reported, cases pending, arrest rates, conviction rates, and offender demographics. A total of 11,592 cybercrime cases were registered in 2015, representing an increase of approximately 20.5% over the previous year. These include offences registered under the Information Technology Act (“IT Act”), as well as related sections of the Indian Penal Code and other special or local laws. Uttar Pradesh had the highest rate of reportage of such crimes, followed by Maharashtra and Karnataka.

The majority of the cases (6567) were registered under “Computer Related Offences”, which involve cases registered under Sections 66 to 66E of the IT Act. These include offences such as ‘sending offensive messages through a communication service’ (Section 66A), ‘dishonestly receiving stolen computer resource or communication device’ (Section 66B), ‘identity theft’ (Section 66C) and others. It is interesting to note that despite Section 66A being struck down last year by the Supreme Court in the Shreya Singhal case, convictions under the section have risen, and in some instances new cases have also been filed. Under the IPC, the majority of cases filed were relating to cheating, involving over 65% of the total cases filed.

A total of 8121 persons were arrested during 2015 in relation to cybercrime offences, representing a 41.2% increase over 2014. The maximum number of persons arrested were in Uttar Pradesh. However, tracking the persons arrested may not be the most useful metric, because it does not represent the number of cases that were brought to successful completion. In fact, only 250 persons were finally convicted under the IT Act and 20 were convicted under the IPC.

Over 14,000 cases registered under the IT Act were investigated in 2015, including over 6000 pending cases. At the end of the year, over 8000 cases remained pending for investigation. 2396 cases were charge-sheeted in 2015, and 4191 cases were pending for trial. Trials were completed in 486 cases, with 193 ending in conviction. 5,094 cases under the IPC were investigated in 2015, with over 1600 being pending cases from the previous year. 710 cases were charge-sheeted in 2015, and trials were completed for only 53 cases. In cases registered under the IPC, over 3600 cases remained pending for investigation at the end of 2015 – the majority of these cases related to forgery and data theft. It is clear that the pendency of cases is not only high, but increasing, although the NCRB report does not offer any potential reasons.

In terms of offender demographics, the majority of persons arrested fell within the 18-30 age bracket – over 65% of the arrestees under the IT Act, and 55% of the arrestees under the IPC are within this category. However, the NCRB report does not track other demographic statistics, including gender and socio-economic status.

The largest section of arrestees were characterized as ‘business competitors’, followed by ‘neighbours/friends/relatives’. The vast majority of persons arrested were Indian nationals, with only 4 foreign nationals being captured. Given the rising number of cyber incidents stemming from abroad, it is clear that the existing cyber law framework may be insufficient to tackle transnational cyber crime.

Conclusions

The NCRB report highlights the fact that problems that have plagued most areas of the Indian criminal justice system continue to be issues in relation to cybercrime. These include high pendency of cases, low conviction rates and low reporting. These problems are exacerbated by rising usage of information technology resources with limited knowledge of good cybersecurity principlesExperts have also suggested that the Indian ecosystem around cyber policing is simply not equipped to secure convictions, because of an inadequately trained police force, limited technical resources, low co-ordination between the public and private sector, and an unequipped judicial system.

The Supreme Court of India has taken suo moto cognizance of the issue after a letter written by Hyderabad-based NGO Prajwala pointed out that 9 videos of sexual assault were being circulated on WhatsApp. After a CBI probe was ordered into these instances, the Centre also set up an expert group to formulate appropriate means to tackle growing cybercrime in India. Following this, the government agreed to take various steps, including the establishment of a National Cyber Crime Coordination Centre (“NCCC”) in order to focus on cybercrimes and national security issues and ensure appropriate communication between agencies. Reports have suggested that Phase I of the NCCC will be live by March 2017. It has also been agreed that cybercrime complaints can be filed online without the necessity of visiting a police station.

There have also been other steps taken, including the establishment of cyber labs promising additional technical, and increased emphasis on international co-operation. It is to be hoped that these measures will go a long way towards assuaging the policing problems currently facing cybercrime in India.

 

Implications of the US-India Cyber Relationship Framework

By Lily Xiao

On 7 June 2016, ongoing discussions between Prime Minister Narendra Modi and President Barack Obama culminated in the US-India Cyber Relationship Framework, expected to be signed within 60 days. As part of a deepening strategic partnership between the US and India, the Framework establishes a bilateral commitment to an open, interoperable, secure and reliable cyberspace environment, and bilateral measures to combat cybercrime. As India’s interests find commonality with those of the US, this post considers what implications the Framework has for India’s foreign policy on Internet governance.

Cybersecurity measures and the Budapest Convention

The Framework instructs on the implementation of a range of bilateral and cooperative cybersecurity measures. They include information sharing, on a real or near real time basis regarding malicious cybersecurity threats; developing joint mechanisms for practical cooperation to mitigate cybersecurity threats; cooperation in research and development; and improving the capacity of law enforcement agencies through joint training programs.

These measures bear some resemblance to Article 23 of the Convention on Cybercrime or Budapest Convention, which was drafted by the Council of Europe in 2001. Article 23 stipulates that signatories ‘shall cooperate with each other… to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence’. The US has suggested that India should join the Budapest Convention, and reiterates this bid in the Framework to ‘[promote] the applicability of international law to state conduct in cyberspace and further exploring how it applies to state conduct in cyberspace’.

However up until now, India has refused to sign the Budapest Convention because they were not involved or consulted in its drafting. While the insistence of the US may be a political factor India considers, this does not change the crucial problem India has with the Budapest Convention; namely that it does not sufficiently reflect India’s priorities regarding cybersecurity. In order to prevent cyber attacks, most notably from China, India’s priority is to establish an equitable and inclusive multilateral instrument, which is created with active participation from all signatories, not just those in Europe.Multilateral cooperative agreements are the most viable solution to combat cybercrimes, because the Internet, by is nature, is unconstrained by state borders, making cybercrimes difficult to attribute to a single country of origin. Thus, bilateral agreements, like the one initiated by this Framework with the US, can only go so far in combatting cybercrime.

India’s recommitment to multi-stakeholderism

In August 2015, India came out in favour of multi-stakeholderism, the model of Internet governance in which all stakeholders have an equal role to play. The Framework indicates the apparent convergence of the US and India’s approaches to Internet governance, citing bilateral support for the multi-stakeholder model of Internet governance that is ‘transparent and accountable to its stakeholders including governments, civil society and the private sector, and promotes cooperation among them’. Questions over India’s commitment to multi-stakeholderism were raised following the joint statement released in April 2016 with Russia and China. Understandably, the US had concerns following the release of this joint statement, which may have led them to ensure the language of the Framework was clearly in support of multi-stakeholderism. The consequences of this Framework for India’s relationship with Russia and China will be considered later.

However, India’s implementation of multi-stakeholderism is not without limitations.The Minister for Communications and IT has stated thatIndia’s approach to multi-stakeholderism is qualified by national security matters, as the government’s role should be given primacy over other stakeholders in this regard.Additionally, India has yet to develop consistent and wide-ranging domestic mechanisms for implementing multi-stakeholderism, which would allow India to increase its participation in Internet governance at the international level.By including a bilateral commitment to multi-stakeholderism and continued dialogue and engagement in the Internet governance fora, the Framework can be interpreted as the US addressing India’s hesitations regarding the multi-stakeholder model. However, whether the approaches of India and the US towards Internet governance truly converge outside of this Framework remains to be seen.

Conflicting interests of Russia and China, and India as a swing state

The Framework comes after the aforementioned joint statement issued by Russia, China and India earlier this year. Paragraph 12 of this joint statement emphasised the need for a ‘broader international universal regulatory binding instrument under the UN’to tackle cybercrime, suggesting a preference for a multilateral governance model with entrenched state sovereignty. In the same paragraph, the Ministers emphasised the need to ensure Internet governance will be based on ‘multilateralism, democracy, transparency with multi-stakeholders in their respective roles and responsibilities’. This language is nearly identical to that used in the outcome document from WSIS +10 High Level Meeting, which stipulates ‘the management of the Internet as a global facility includes multilateral, transparent, democratic and multi-stakeholder processes’. The only qualifying phrase in the joint statement that indicates the reluctance of Russia and China to embrace multi-stakeholderism is that multi-stakeholders ought to be considered ‘in their respective roles and responsibilities’.

Therefore, while the debate over Internet governance is framed as one between the increasing acceptance of multi-stakeholderism, and those who hold out for a state-centric governance model, the language used in diplomacy between the two sides is remarkably similar. As a ‘swing state’ in this diplomatic arena, India holds power as being politically valuable to both sides of the debate. If India can continue to take advantage of the flexibility in discourse of multi-stakeholderism by appealing to both the US, and Russia and China, it can act successfully as a ‘swing state’. However, if, and when India and the US commit to the agreement this Framework pertains to, India should ensure that its bilateral relationship with the US does not impede its relationship to Russia and China.

Conclusion

This Framework is part of a wider arrangement for the US-India relations to deepen ties and to look to each other as ‘priority partners’ in the Asia-Pacific and Indian Ocean region.It remains to be seen whether all these provisions regarding cybersecurity will be included in the final signed agreement, but if they are included, it may contribute to the further acceptance of multi-stakeholderism on a global scale, and be an indication of cybersecurity norms to be taken up by other governments.

Russia, India and China: Perspectives on Internet Governance

By Gangesh Varma

Last week, on 18th April, 2016, a Joint Communique of the 14th Meeting of the Foreign Ministers of Russia, India and China (RIC) raised a few eyebrows. The subject of discussion is paragraph 12 of the Communique which deals with the use of Information & Communication Technologies (ICTs) including the internet and its governance.

Four Key Aspects of Paragraph 12

There are four key aspects that can be gleaned from the text of this paragraph. First, the abuse of ICTs (including the internet) in violation of United Nations Charter and international law, “for terrorism and other criminal purposes”. Second, the need for countering such abuse by strengthening cooperation, and developing an international treaty for addressing such use of ICT for criminal purposes. Third, the adherence to universally recognized principles of international law in the use of ICTs. Fourth, the development of the Internet, and its governance regime.

The first issue is common to all countries, and does not have polarizing responses. The abuse of ICTs and the internet for organized crime, terrorist activities etc. are concerns that required more international cooperation. While the second issue on the need for an international treaty to address cyber-crimes or use of ICTs for criminal purposes is one that has been subject to extensive debate. While Europe has the Budapest Convention addressing this issue, most other countries have to manoeuvre through bilateral Mutual Legal Assistance Treaties (MLAT). There has been a long-standing demand for a universal treaty to address cybercrime ever since the regional Budapest Convention materialised.

The third aspect, in the text of the Communique is reference to adherence of universally recognized principles of international law in the use of ICTs such as:

“… the principles of political independence, territorial integrity and sovereign equality of states, respect for state sovereignty, non-intervention into the internal affairs of other states”.

These principles are focused on the state, however the Communique does not ignore the rights of a citizen. It also specifically refers to “respect for human rights and fundamental freedoms” and considers it of “paramount importance”

Internet Governance in the Communique

The fourth and most interesting issue covered in paragraph 12 of the Communique is that of Internet governance. It considers the Internet a “global resource”. This is language that has been previously used in the Ufa Declaration at the 7th BRICS Summit. It is also not far from the language of the WSIS+10 Review Outcome Document which uses language from the Tunis Agenda and provides for the management of the “Internet as a global facility”. Further borrowing from the WSIS documents, the Communique goes on to refer to participation of all states on “equal footing”. It emphasizes the need for Internet governance to be based “on multilateralism, democracy, transparency with multi-stakeholders in their respective roles and responsibilities” (emphasis supplied). The paragraph concludes with the need for further internationalization of Internet governance and “to enhance in this regard the role of International Telecommunication Union”.  

India’s approach

Some see this text in the Communique as a step forward – as a measure that creates a middle ground between countries with polar opposite positions on internet governance. While others worry this is an exclusionary road to multilateralism, one that can lead to back to an oscillating ambivalence of India’s position on internet governance. However, this text is not far from India’s position on multistakeholderism. While being vocal about India’s support for multistakeholderism in internet governance, the Minister for Communications and IT has also emphasised one condition. That is, government will have supreme right and control on matters of national security. On examining the internet governance related text of the Communique, the heavy focus on security concerns of the countries is evident.

In many ways, this can be seen as a pit-stop before Brazil and South Africa join the discussion at the BRICS Summit later this year. In a post earlier this year, I argued the possibility of a BRICS Bridge for Dialogue on Internet governance. India will host the 8th BRICS Summit, in Goa from 15th to 16th October, 2016. Now could be an opportune moment to take the reins of internet governance debates and steer towards a constructive path.

 

Budapest Convention on Cybercrime – An Overview

By Shalini S

The Convention on Cybercrime or Budapest Convention is the only binding multilateral treaty instrument aimed at combating cybercrime. It was drafted by the Council of Europe with active participation from its observer states in 2001. The Convention provides a framework for international cooperation between state parties to the treaty. It is open for ratification even to states that are not members of the Council of Europe. The Convention is the only substantive multilateral agreement with a stated objective of addressing cybercrime with convergent, harmonized legislation and capability building. Therefore, it is widely recognized as a decisive document on international best practice and enjoys compliance even from non-signatory states. Most model legislation and attempts at drafting a new international instrument on cybercrime have also relied on the principles expounded in this Convention. The Budapest Convention is also supplemented by an Additional Protocol to the Convention which was adopted in 2003.

Offences under the Convention

The Budapest Convention broadly attempts to cover crimes of illegal access, interference and interception of data and system networks, and the criminal misuse of devices. Additionally, offences perpetrated by means of computer systems such as computer-related fraud, production, distribution and transmission of child pornography and copyright offences are addressed by provisions of the Convention. The substantive offences under the Convention can broadly be classified into “(1) offences against the confidentiality, integrity and availability of computer data and systems; (2) computer-related offences; (3) content-related offences; and (4) criminal copyright infringement.[1] The Additional Protocol makes the act of using computer networks to publish xenophobic and racist propaganda, a punishable offence. However, the full range of cybercrimes are not covered under the Budapest Convention. These include cybercrimes such as identity theft, sexual grooming of children and unsolicited spam and emails.[2]

Provisions of the Convention

The treaty functions on a mutual information sharing and formal assistance model in order to facilitate better law enforcement and lays down procedure to seek and receive such assistance. Article 23 of the Convention outlines the general principles under which international cooperation can be sought, as follows:

“Article 23 – General principles relating to international co-operation

The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international cooperation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.”

It is clear then that assistance facilitated by the Convention relies on pre-existing cooperative agreements between the parties. Thus, as also stated in Article 39 of the Convention, the provisions only serve to supplement multilateral and bilateral treaties already effective between parties. In addition, mutual legal assistance (MLA) between parties where no such mutual arrangements exists, can be facilitated through procedures laid down under Article 27. Principles and procedures related to extradition for criminal offences under the Convention is also detailed in Article 24 of the Budapest Convention. These sections primarily aid formal legal assistance between signatory parties to the Convention in case of a cybercrime (as defined under the Convention itself).

The Convention itself does not demand ‘dual criminality’ per se. However, the adoption of the Convention demands harmonization of national legislations and results in reciprocal criminalization. This is crucial as the Convention has mutual assistance and extradition provisions, both easier to process when dual criminality is established between the requesting and assisting parties.

The Cybercrime Convention Committee (T-CY) was setup to represent the interests of and foresee regular consultations between state parties to the Convention. The biannual plenaries conducted by the T-CY and working groups discuss developments, shortcomings, grievances and possible amendments of the Budapest Convention.

Significant Drawbacks of the Convention

The Convention on Cybercrime has also come under severe criticism for both its specific provisions that fail to protect rights of individuals and states, and its general inadequacy in sufficing to ensure a cyberspace free of criminal activity.

The 12th Plenary of the T-CY (at page 123) concluded that the mutual legal assistance facilitated by the Convention was too complex and lengthy, rendering it inefficient in practice. The outdated nature of provisions of the Convention clearly fail to cater to the needs of modern investigation.

The provisions of the Convention have been critiqued for supposedly infringing on state sovereignty. In particular, Article 32 has been contentious as it allows local police to access servers located in another country’s jurisdiction, even without seeking sanction from authorities of the country. In order to enable quick securing of electronic evidence, it allows trans-border access to stored computer data either with permission from the system owner (or service provider) or where publically available. As Russia finds this provision to be an intolerable infringement of its sovereignty (amongst other things),[3] it has categorically refused to sign the Convention in its current state. However, it is important to note that the claim that provisions infringe on sovereignty has been addressed and countered by the T-CY in its guidance note on Article 32

Russia’s displeasure with the existing multilateral instrument was evidenced by the introduction of a Russia-backed proposal for an international cyberspace treaty. The proposal, specifically for a convention or protocol on cybersecurity and cybercrime was considered and rejected at the 12th UN Congress on Crime Prevention and Criminal Justice. US and EU refused to countenance a new cybercrime treaty, opining that the Budapest Convention sufficed and efforts should be directed at capacity building.

Regardless, Brazil and China which have expressed displeasure at the primarily-European treaty, have refused to adopt the Convention for the same reason. India also continues to remain a non-signatory to the inequitable Convention, having categorically declined to adopt the Convention which was drafted without its participation. India’s statements also reflect its belief that the Budapest Convention in its present form is insufficient in tackling cybercrimes. This may hold especially true as India routinely faces cyber-attacks from China. This is a problem that will not be resolved by mere ratification of the Budapest Convention as China is a non-signatory to the treaty. With multiple countries remaining a non-signatory, with little scope for change in their positions, the reach of the Convention is certainly limited. There is a demonstrable need for a unique, equitable and all-encompassing instrument that governs cybercrime. To ensure maximum consensus and compliance, this instrument must necessarily be negotiated with active participation from all states.

[1] Jonathan Clough, A World of Difference: The Budapest Convention on Cybercrime and the Challenges of Harmonisation, Monash University Law Review (2014) at page 702, https://www.monash.edu/__data/assets/pdf_file/0019/232525/clough.pdf (last visited Mar 2, 2016).

[2] Ibid.

[3]Kier Giles, Russia’s Public Stance on Cyberspace Issuesin 4th International Conference on Cyber Conflict (2012) at page 67, https://ccdcoe.org/publications/2012proceedings/2_1_Giles_RussiasPublicStanceOnCyberInformationWarfare.pdf (last visited March 2, 2016).

Cyber Vandalism – Not an Act of War

By Shalini S

In September last year, a mutual cyber hacking marathon ensued between Indian and Pakistani hackers, who each hacked and defaced multiple government and private websites. The incident was triggered by a detected defacement of a Kerala government website which was attributed to a Pakistani hacker. Indian hackers and hacktivist groups retaliated by defacing multiple Pakistani government websites and making several others inaccessible. Media reports were quick to label these cyber vandalism exchanges as a cyber war between the two countries with headlines such as:

Hacking triggers cyber war on Pak websites

Hackathon of another kind: A ‘cyber war’ between India and Pakistan?

Indo- Pak Cyber War: Indian Hackers Deface Pakistani website

Hackers from India, Pakistan in full-blown online war

Cyber-war: Indian hackers hack 250+ Pakistani websites after attack on Kerala govt’s website

India and Pakistan seem to be at war; this time in cyberspace!

These headlines while raising public awareness about politically motivated cyber-attacks, were also misleading and patently wrong in terming the episode as cyber war. Other politically motivated cyber-attacks involving independent hackers have also been termed cyber war in the past. The incidents were noteworthy and raised several red flags about the vulnerability of official government websites and state of security of data contained therein. However, it certainly did not cross the threshold to be termed an ‘act of war’ or ‘cyber warfare’.

There are clear thresholds for an attack to qualify as an act of war and several scholars opine that the same standards apply on a virtual battleground. For instance, the US Strategic Command’s Cyber Warfare Lexicon’s definition of cyber warfare  envisions a military object (Page 8). The document also states that “not all cyber capabilities are weapons or potential weapons” (Page 9). The Tallinn Manual on the International Law Applicable to Cyber Warfare which identifies “laws of armed conflict that apply to cyberspace and delineates the limits and modalities of its application”, does not seek to regulate actions of individual hackers or groups of hackers. Susan Brenner, a cyber conflict specialist opines that cyber warfare is the use of cyberspace to achieve the same ends as conventional warfare[1] – “the conduct of military operations by virtual means”.[2]  However, other definitions allow scope to envision the participation of non-state actors in cyber warfare.[3]

Despite numerous attempts at defining and the lack of a clear consensus in existing definitions, ‘cyber war’ has a specific connotation. Most existing definitions of cyber warfare envisage the subversive use of cyber technologies by a nation-state in the conduct of a military operation.

Cyber-attacks are challenging to evolve specific definitions for and this make it difficult to categorize them. However, it is important to identify the exact nature of each attack, unambiguously define and  categorize cyber-attacks in order to formulate a proportional and appropriate policy response.

The issue of distinguishing cyber vandalism from cyber war was most notably raised in the aftermath of the Sony hack of 2014. President Obama had characterized the attack as an act of cyber vandalism, while others opined that it was an act of terrorism or act of warfare albeit perpetuated virtually. The characterization of that particular attack on Sony has been shifting with allegations of the incident being a state-sponsored act. Regardless, it remains that the consequence of classification of any cyber-attack carries its own implications for the formulation of a response policy and thus it must also be accurately communicated to the public and policy makers.

It is clear that the above-described incident of mutual defacement of websites by hackers and hacktivist groups, falls short of qualifying as a cyber war on many counts. There is no indication of the attacks being sponsored by the Indian or Pakistani state. Evidently, it was also not carried out in the furtherance of a military objective. The target of the primary attack, an official government website is not critical information infrastructure and the nature and severity of the attack was fairly minimal. Thus, the act and the subsequent retaliation do not qualify as acts of cyber war and can only be characterized as ‘cyber vandalism’.

Cyber vandalism is the digital equivalent of conventional vandalism wherein legitimate content of a website will be made unavailable or replaced. As advanced cyber capabilities are within the reach of even non-state actors, attacks of this nature might be a frequent occurrence in the future. It is vital then to evolve appropriate legal and policy responses to effectively deal with individuals, hacktivist and organized groups that indulge in cyber vandalism.

The rules of cyber war are still nascent but the Tallinn Manual sheds light on the form that law might take on regulating acts of such nature. The international community is bound to arrive at a consensus on the definitions and clear demarcations of acts of warfare, terrorism, vandalism and espionage in the cyberspace. In the meantime, there must be a concerted effort to understand these new-age operations and evolve better classifications that aids policy formulation on these issues.

[1] Susan W. Brenner, Cybercrime, cyberterrorism and cyberwarfare, 77 Revue internationale de droit pénal 453 (2006) at Para 45, https://www.cairn.info/revue-internationale-de-droit-penal-2006-3-page-453.htm#no33.

[2] Susan Brenner, At Light Speed: Attribution and Response to Cybercrime/Terrorism/Warfare, 97 Journal of Criminal Law and Criminology (2007) at Page 401, http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=7260&context=jclc.

[3] Nicolò Bussolati, The Rise of Non-State Actors in Cyberwarfare (2015).