March 29, 1999
Of every 1,000 Indians, 15 have access to a telephone and fewer than 2 to a personal computer. Indian Netizens are still a wafer-thin minority.
Yet, computer crime has become a talking point among the likes of Central Bureau of Investigation sleuths, bankers and executives of financial institutions.
An average Indian does not even possess a credit card, and the bank branch she visits still thumps large ledgers on antique tables. But the threat of computer crime is real to almost everyone because at least the macroeconomic operations are highly computerised.
After all, a threat at the top is a threat to all. Besides, with each passing day, the influence and use of computers is moving rapidly down through society.
There is no hard data yet, but anecdotal evidence suggests that computer crime is an emerging trend in India.
A few weeks ago, to raise awareness of computer crime, the Central Bureau of Investigation, the Department of Electronics and some financial institutions organised a national seminar on computer related crime.
Staff from various banks, financial institutions, insurance companies, central and state police departments and forensic labs, and officials from the finance and industry ministries brainstormed on how best to deal with this new threat.
The Federal Bureau of Investigation of the United States and the Interpol were roped in to conduct 'mini training sessions'.
Most of the audience, including that from organisations facing a high cyber crime risk, came across concepts of computer forensics for the first time. Many could not even put a finger on what was being implied by 'cyber crime'.
The absence of specific laws to deal with cyber crime makes prosecution difficult. But an Information Technology Bill has been drafted and there are grandiose modernisation plans for Indian investigative agencies.
The CBI, which was involved in drafting the proposed legislation, recently set up a 'cyber crime unit'. Its first chief is CBI Deputy Director Navneet Rajan Wasan. He met Patralekha Chatterjee to explain the task at hand. Excerpts from an interview:
What is the current awareness level about computer crime among the staff of various law enforcement agencies including the CBI?
The awareness about computer crime is in its infancy. That's why we held the seminar. The purpose was to sensitise people. The seminar focussed on three areas. One is the financial sector that is going to be the most vulnerable. Second are the police officers, both at the central and at the state levels. And third are the forensic scientists.
This is the beginning of the process. People were made aware that there is something called cyber crime. It is the crime of the future but you have to take preventive steps now.
How many investigating officers in CBI are computer literate?
In most of the states some progress has been made. I can say that some of the police officers have been exposed to computer training. In CBI, computers have been in use for the last four years. We have trained more than 700 people at CBI in the use of computers. Seven hundred out of three thousand people.
Some of them are supporting staff. These people have gone through a week to a month of training. Most crucially, computer training forms an integral part of training for constables, DSPs and sub-inspectors. It is a compulsory subject. Everyone has to go through it. It is like PT and parade, you know. Anyone joining the CBI now has to go through this.
During this seminar, four FBI officers trained CBI staff of various ranks for five full days.
When and why did the CBI decide to set up a unit specially to deal with cyber crime?
I would not really say that it has been set up. We have constituted a cyber crime unit. Yes. But it is still to come up. People who work in it will have to be trained.
We decided to constitute this unit in early 1998. The nucleus for the time being will be the systems division in the CBI.
At the moment, the unit has one DSP and four inspectors. But slowly we will strengthen it. We also plan to induct some computer professionals. They will not be police officers, simply professionals. This has to be done because cyber crime cannot be investigated by run-of-the-mill police officers.
Would you be relying on in-house talent or would you consider tapping the private sector for professional expertise?
We are thinking of hiring people on contracts from outside. We will also be interacting with international agencies. This time round it was the FBI. Next time, it could be the Scotland Yard. Or we could send people there for training.
Is it too premature to ask or does the Cyber Crime Unit already have any achievements to its credit?
It is still too early.
The CBI is reportedly handling a complaint of sexual harassment over the Net and another case of an international racket involving credit cards and jewellery purchase. What is the latest on these cases?
The credit card thing, that is being handled by the Delhi police. As far as the case about the misuse of the Net is concerned, we are handling it.
I don't want to go into details but it is a question of someone inserting an advertisement on someone else's behalf on a free site on the Web. It is an obscene ad and the person who inserted it was pretending to be someone else. On the Web, it is a borderless world, so you can't say easily whether the criminal is in Delhi or not.
So how are you investigating the case?
In every investigation, you have to start at zero. Find out how it is technically possible. Find out if the site where the ad was inserted maintains any log that could tell from where the ad has been inserted, which country is involved and so on... We are in touch with the Interpol on this.
Is there an Indian law which covers offences such as this?
Right now we have no law but a bill has been drafted. The Information Technology Act is on the agenda. The Department of Electronics is the nodal agency for this. Now it has to go to the cabinet and then it will be placed before the Parliament.
At the seminar, the CBI recommended that the law be passed at the earliest. In the absence of a law, cyber crime cannot be dealt with because it may not be covered under traditional definitions of crime in the Indian Penal Code.
If I pretend to be someone else and put out obscene advertisements on the Web in somebody's name, or send obscene emails to someone, that is clearly an offence. But what about voluntarily visiting sites that can be interpreted as obscene? If I were to log on and download material, would I be committing a crime under any Indian law?
Under our current laws? No.
Unless we put a ban on such sites by law, or filter such sites, visiting them would not be a crime.
In fact, one of the recommendations we have made in the proposed IT Act is that the DoT should explore whether these kinds of conditions (filtering sites) can be put on Internet service providers.
Some countries are doing it. The Internet service providers use certain filters such that if you try to log on to certain sites, the screen will go blank.
Most software used in banks, financial institutions and stock exchanges comes from the US. But the security built into it is weak. One reason is that US laws don't allow export of strong encryption or the really secure software. That can make cracking into banks child's play in countries such as India. How do you propose to deal with this reality?
Hacking can be child's play not because of what the Americans have done or not done but because there is a lot of indigenous hacking talent available. All this American software that one speaks of is written mostly by Indians. Indians are known for their software talent.
And after all, what is hacking? It is nothing but intelligence used mischievously. Not all the hacking talent has flown to the US.
Who are these Indian hackers?
They could be young boys studying in class XI or XII. At any given time when you are working on your PC, there are people who can use software to capture your passwords. And this is happening very widely. Schoolgoing children know how to write a program that will steal your password.
We don't have laws defining computer crime yet. But when these laws are in place, will they cover mischief like this?
The law proposes that such kinds of attempts would be an offence. Once the law comes into place, we would also lay down certain conditions. We would say Internet service providers would have to maintain specific sorts of information. Once you put these conditions in, you can investigate matters easily. But the law is the first step. Without that we can't do anything.
What are the major computer crime trends in India?
Unfortunately, the awareness is still not there. So people may be reporting cyber crimes as normal crimes. Somebody diverting funds from account 'a' to account 'b' may refer it to a police station as normal 'defalcation'. The law is not in place, the definition is not there.
The second thing is that no agency in India is compiling these sorts of statistics. If you ask me for hard data, I can't give you any. I can give you a list of four or five cases that have come to our attention but clearly these are very minor ones.
One of the recommendations is to have an organisation that will let us coordinate all these efforts. Secondly, unlike other crimes, here you have to constantly update your knowledge and your crime investigation methods.
Banks and financial institutions are clearly the most vulnerable to computer crime. Could you elaborate on specific methods that crackers could use to create chaos?
Right now, automation in banks is limited to branches. Some Connaught Place (in New Delhi) branches are computerised; some Bandra (in Bombay) branches are computerised. Once these are networked and money is transacted over the network, whether it is an intranet of the banks or something else and telebanking becomes common, then we will really have to watch out.
Now ICICI Bank has introduced Internet banking. You can log in and transfer money. Once this becomes common, cyber crime will be a real threat. Today, cyber crime can only happen with the connivance of a bank employee because computerisation is limited to a branch only.
With the limited automation that we have in the banking sector in India today, is it possible to definitely say computer frauds are increasing?
No. The Reserve Bank of India does not have any specific assessment of this. That's why the RBI is also worried.
They collaborated with us to let us make banks know that this is the area where crime is going to take place. That awareness has to be there. We will know the extent of computer frauds only when people become fully aware of it.
Right now, everything you are saying is based on anecdotal evidence. So there is no hard data to indicate whether a particular sort of crime is on the rise or decline.
Yes. All I can say is that in the future we have to be very, very careful.
So, we can't even say what the past trends were and how the past compares to the present?
That is right. But automation itself is in infancy.
What are the top three challenges you are likely to face?
The most important is to train police officers. Secondly, you have to train computer forensic scientists who are non-existent in India today. That class has to be picked up and be trained. Thirdly, we have the task of creating awareness. That giving away your password can be dangerous. And this awareness has to go beyond police officers. That accessing someone else's computer, playing with it, fiddling with it is a crime and can get you into trouble.
The government has no money and it wants to downsize. Who will pick up the tab for all the training programmes and the equipment necessary to create cyber-investigators?
As far as modernisation is concerned, I don't think it is a problem. Each police force in the country is undergoing modernisation. The government is giving enough funds. I don't think funds for equipment have ever been a problem. As far as personnel are concerned, one can always hire fewer constables and recruit only computer-literate constables.
The only thing is that in the future the recruitment pattern will change. I already have a boy who works in Tata Consultancy Services and he is joining the CBI. We have people who have the necessary background. We can train them.
What sort of cyber laws are being put into place in India? I understand the CBI has been roped into the preparation process. What is happening on that front?
I think you are referring to the Information Technology Bill that has already been drafted by the Department of Electronics. CBI was a member of the drafting committee. The committee had people from the RBI, it had people from the customs and other departments. The draft is already with the government. It should be placed on the floor of the Parliament any time now.
Are you drafting any other laws relating to cyber crimes?
No. That Information Technology Bill is a very comprehensive piece of legislation. It covers crime, it covers the need for a regulatory body. It covers amendments to the existing laws and many other issues.
The objective of the IT Bill is to establish uniform rules, regulations and standards of authentication and integrity of electronic records and to provide a body to formulate and regulate cyber regulations.
Among other things, the bill aims at preventing and laying penalties for the forged electronic records, intentional and unintentional alterations of records, fraud, forgery and falsification.
Are you taking cues from the law in the US as it all began there?
Why only US? I think most countries have their own laws on this. I have the examples of 40-50 laws with me.
Singapore, Australia, Hong Kong, Germany, France, UK, all countries have laws on this. So we will not go only by the US model. We have gone through all such laws; we don't want to start from scratch.
But you cannot use just one model. I will give you an example. Singapore enacted the Computer Misuse Act in 1997. They have already amended it twice. Technology changes so fast.
How prevalent is the use of security technologies like firewalls in India?
All the companies going in for e-commerce are putting up such systems.
Cracking is a threat. But on the other end of the spectrum, very strong encryption like Pretty Good Privacy could become a nightmare for law enforcers. If Harshad Mehta had used it, his computer records would have still been out of bounds. In such cases, only strong cyber laws could force users to divulge the key. Is the CBI looking at legislation that will put the onus of opening locked digital doors on their owners?
Yes. We have suggested some provisions in the Bill. I cannot give you the details offhand. Suffice it to say that we will take care of the problem.
What are the problems you foresee in prosecuting cyber criminals in the future?
The problems won't be very different from those that we face in prosecuting normal criminals. Now we find it difficult because the laws are not there. But once the laws are in place, it should be easier.
In India, one of the complications is that a few people are extremely computer savvy and the rest are computer-illiterate. This does pose specific challenges. Does it not?
Slowly, everybody will pick up. Slowly, the judiciary will also have its training programmes.
Apart from the IT Bill, you would also have to amend a lot of the existing laws to deal with computer crime. Are you looking into this?
The IT Bill is taking care of that too. The Information Technology Bill has a chapter that suggests amendment to existing laws. For example, the definition of a document in the Indian Evidence Act.
Recently, there have been controversies regarding registration of domain names. Someone in Madras is reported to have registered a domain name that Tata Indica has contested. What is your view on these sorts of cases and how would you deal with this particular sort of computer crime?
Some other person has also done it. Esso and another company were merged. Some fellow in Japan registered it. Basically, what is a domain name? Somebody has registered an Internet address with a voluntary body in USA. It is only a trade risk. It is not a crime.
But it is tantamount to blackmail. If I were to register a domain name that belongs to you and then say, give me so much money, otherwise...
It is like this. You want to buy a house. I know you are going to buy it. I know you are very keen. I go and buy it before you do. Then I say give me so much money and I will sell it to you.
You don't think that is unethical business practice?
It is the ingenuity of somebody.
In the Tata Indica case, the Tatas do think this is a crime.
Well, it may come under copyright. But it is not a cyber crime. It is a tiff over a trade name. It is like this: Someone puts up a Web site and calls it hindustantimes.com
But would it not be an offence if someone other than Hindustan Times puts up a site with domain name hindustantimes?
It is not a cyber crime. It has nothing to do with computers. I can go and open a shop by the name of Hindustan Times. It is only a case of misusing or trying to misuse someone's trademark.