Breach and the state of Indian cyber crime

Recent reports indicate that India is one of the top ten countries in the world for the incidence of cyber crime. Yet other reports also indicate that spending on cyber and network security by Indian businesses is one of the lowest in the world. The debate is ongoing in technology circles, where the threats and risks are well understood.

While conducting research for my book Breach, a cyber thriller, I met several people engaged in different aspects of cyber safety. Their stories corroborated the above-mentioned reports. Online consumer fraud is increasing. Companies and governments are also facing threats, several leading to material losses, and a growing tribe of cyber forensics professionals in different cities are tracking down the shadowy culprits. Yet the stories on cyber crime that dominate Indian news are about Sony and Target – hacks that happened in other countries and affected other people. True, there have been some local stories of cyber stalking, bullying and faked photo scandals affecting our youth and celebrities, and stories around morphed videos leading to riots and scandals. There is a growing effort to create cyber safety awareness for consumers.

But what about news of larger-scale crime that affects both consumers and firms? The challenge, perhaps, lies in the awareness and acknowledgement of this in the broader network of stakeholders. Here are some possible reasons why:

Latency and lifecycle of ideas

Ideas, like products or companies, go through a lifecycle – latent at first, till they become obvious to someone. They are championed by the early adopters at first, till they become widespread. By the time a notion is accepted as a general principle, it perhaps loses some of its significance. Our Internet usage has been growing at a rapid pace over the past few years. But tens of millions of new internet users start every year, many of them over their mobile phone. Their first brush with the excitement of being online is beginning. Hence cyber crime and awareness of the risks of the digital world are still seeping into our psyche.

Decision making for technology

Does it only seem like a short while back that our companies and government were debating the usage of technology? Our IT industry grew through massive technology transformation projects for global clients. But domestic clients followed several years later. The last decade saw debates around whether operations, human resources, customer management and other functions needed to be technology-enabled or not. While the technology leaders were convinced that business efficiency would increase with technology usage, it took a long while for CEOs, CFOs, and the Board to be convinced. Today no one questions the need for technology. The need for security is already being spoken about in the digital forums led by technology leaders and vendors. The question is whether business decision makers are listening and understanding the issue yet.

Voids in a new area of business

Cyber security is a new area, and like all new domains it faces gaps, not just in the understanding and awareness of it, but also in the key enablers.

(a) Legal & Penal Framework

The IT Laws under the Indian Penal Code were amended in 2008 to include hacking, data theft, identity theft, email spoofing and spreading of viruses or worms as punishable and bailable offences. Cyber crime cells have been established. Law firms are keenly trying to educate both the police and the judiciary on the technical intricacies and prevalence of cyber crime. This is a new area for the governing and judicial bodies, without many precedents, and it will take some time before cyber crime is fully understood.

(b) Burden of Proof

While cyber crime is a culpable offence, the challenge lies in the ability of an individual or an organisation to prove that a wrongdoing is taking place. An individual or consumer who has been conned may find it hard to prove that a crime has been committed. Even if it is a systemic crime where multiple card users of a particular bank have been scammed, the bank may not be willing to declare that its data and systems have been breached. The law does not mandate it. In cases of major data theft or hacking, companies or governments may not file an FIR because it may affect credibility or market economics. Without an FIR, neither the police nor the justice system can operate.

(c) Tracking the hacker

Cyber forensics is a growing field in India and several private companies have come up, leveraging the services of ethical hackers. If the malicious hacker is sophisticated and uses anonymous underground networks such as Tor, it becomes harder to trace the origin of an attack. It took all the might of the US government and its various monitoring agencies to track the trail to North Korea in the case of the recent hacking incident at Sony. Most organisations and governments might not have the required resources.

In the case where an individual or organisation is identified as the culprit, the person could be residing in some other country, outside the jurisdiction of local authorities. For example, the hacker could be located in Pakistan, buying malware tools from the US, spoofing server addresses of China and causing mayhem in India. It becomes impossible to react to civilian cases that affect individuals or businesses.

(d) Lack of talent

India graduates a large number of people in engineering and computer science every year. But very few people are trained in cyber security and forensics. There are many candidates available for coding and testing type jobs. But cyber security requires advanced skills in testing and tracing, as well as a keen, independent analytical mind to piece together the puzzle. What’s needed is a modern-era Sherlock Holmes, indeed. Experts and businesses agree that there is a severe shortage of talent in the area.

Manning the internal perimeters

Many large businesses today have multi-layered security environments, and not every hacker is sophisticated and technically advanced. Globally as well as in India, the majority of breaches happen due to internal hackers (a tech-savvy employee turned hacker) or are driven by internal staff, whether indirectly (through social engineering, to get access to passwords) or directly (through collusion with an employee, who allows access through the legal firewalls). A lot of financial and data theft happens this way. The average time it takes a firm to catch an internal hacker is several weeks. Sometimes it is a junior systems admin or tech help person. Sometimes it is a savvy executive. It can appear as legitimate business transactions or as a siphoning off of money, making it harder to catch. These stories never make it to the public domain.

While Breach is fiction, it has been informed by stories of cyber crime within India. Given the paucity of local case studies to spread awareness on cyber safety in India, perhaps narrative storytelling could be an easy way to let consumers and executives get a feel for the perils of our interconnected, networked existence.