Over the last few years, cybercrimes have become more intense, sophisticated and potentially debilitating for individuals, organizations and nations. Law enforcement agencies are finding it difficult to check and prevent crime in cyber space because the perpetrators are faceless and incur a very low cost to execute a cybercrime, whereas the cost of prevention is extremely high. The number of targets has increased exponentially with people's growing reliance on the internet. Cybercrimes, which until some time ago were restricted to computer hacking, have diversified into data theft, ransomware, child pornography, attacks on critical information infrastructure (CII) and so on.
“Cyber related risks are a global threat of bloodless war. India can work towards giving the world a shield from the threat of cyber warfare”
– Prime Minister of India
India is becoming increasingly vulnerable to this menace because of rapid digitization and the proliferation of mobile data without a matching pace of cyber security and cyber hygiene. At present, India is ranked at 3% in terms of cybercrime incidents, as per data shared by a leading security vendor that compiled data on bot-infected systems controlled by cyber criminals in different countries.
As per CERT-In, one cybercrime was reported every 10 minutes in India during 2017. These statistics are alarming and therefore merit focused and collective attention from law enforcement agencies (LEAs).
Expansion of cyber ecosystem and its impact
The increase in technology convergence has created an extremely complex ICT ecosystem of interdependencies within and among critical sectors. This leads to an increased number of stakeholders and a larger attack surface that can be easily exploited by cyber criminals. There is no silver-bullet technology that can identify or predict which element of the system (people, process or technology) is most susceptible to cybercrime, though empirically it is observed that people are the weakest component of the cyber ecosystem.
The inherent anonymity and closed nature of the dark web have turned it into a safe haven for cyber criminals and their wares. The dark web hosts a wide range of illegal online markets for cyber exploit kits, drugs, counterfeit documents, stolen credit cards, bank account credentials, human trafficking, illegal immigration etc. It has thousands of forums that operate in a tightly controlled environment. Crypto-currencies are used for transactions so that they cannot be traced to individuals or organizations.
Ransomware continues to be a major threat the world over. In 2017, WannaCry, Petya, NotPetya etc. caused major disruptions in the connected cyber ecosystem of the world. India was also affected: CERT-In confirmed 37 incidents of WannaCry and Petya attacks in India between May and June last year. Petya caused extensive disruption of services in India; one terminal of JNPT (Jawaharlal Nehru Port), Mumbai had to switch over to manual operations due to this attack. India was the worst affected country in Asia and seventh overall due to the Petya attack.
Apart from ransomware, another area of significant concern is the theft of personally identifiable information (PII) and financial credentials of individuals. In one such incident, criminals stole the personal data of over 2.74 lakh Indian users of the Ashley Madison website; the hackers, who stole 300GB of users' personal information, put it up for sale on the dark web. Cryptojacking, in which attackers covertly deploy malware on a victim's computer in order to use its hardware for generating crypto-currency, is another lucrative method adopted by attackers. It is becoming yet another tool of choice for cyber criminals because it cannot be classically categorized as a crime.
Figure 2: Top cybercrimes in 2017
“The advent of Digital India and Smart City initiatives has brought about a paradigm shift in terms of connectivity, services and threats for both urban and rural eco-systems. While greater connectivity promises wider deliverables, it also paves the way for the emergence of new vulnerabilities. Leading companies in energy, telecommunications, finance, transportation and other sectors are targeted by new-age cyber criminals. The ‘Make in India’ initiative has identified 25 core sectors as part of its effort to give a special thrust. While cyber security is not one of the sectors, it could be embedded in certain sectors like defence manufacturing, electronic systems, and IT & BPM. It is crucial for ‘Make-in-India’ to focus on cyber security as well as promote development of indigenous solutions to combat cyber-crime.”
– Dilip Chenoy
Secretary General, FICCI
Figure 3: Rise in cyber crime
Cybercrimes in the connected world
One reason why cybercrimes are becoming more sophisticated, better orchestrated and increasingly ambitious is that many of the perpetrators operate outside the jurisdiction of the victim's country. As per industry estimates, 32% of threat vectors originate from Eastern Europe and Russia, and social engineering is the preferred mode of launch for most perpetrators.
A report indicates that there are four distinct groups of cyber criminals – traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire. The report also states that the entry of new participants has transformed cybercrime from isolated, individual acts into pervasive, savage practices run by distinct groups. Execution of these crimes can also be outsourced on the dark web, where cybercrime is offered as a service.
“Cybercrime is the biggest challenge these days with development and access to technology across the globe. Cyber space is increasingly being used to radicalize young minds”
– Union Home Minister of India
Cybercrime-as-a-service not only allows malicious actors to leverage other cybercriminals' resources to conduct attacks but also provides a cheap and easy option for those willing to enter the world of cybercrime at a very low entry cost. Netizens have become increasingly active in leveraging these services, which is driving a surge in activities like illicit drug sale, trafficking of human beings, terrorism, child pornography and other crimes.
Illustrative rates for some of the services offered are given in Figure 4.
The cybercrime-as-a-service model has led to the emergence of a complex, multi-layered cybercrime economy in which overt acts of crime have been replaced by a covert criminal ecosystem whose services and platforms feed off and support crime, which has become an increasingly low-investment, high-yield and low-risk operation.
“Technological breakthroughs in the cyber landscape over the past few years have caused disruptions of immense magnitude with far-reaching implications. On one hand, these have been enablers for good governance, smart policing, better medical care etc., while on the other, there has been a surge in cybercrimes, frauds and data thefts. Frequent criminalization instances of the web have resulted in the proliferation of illicit trading of arms and drugs, cyberstalking, cyber-bullying, cyber extortion, child pornography and so on. The protagonists have graduated from being opportunistic individuals to organized criminal groups who offer cybercrime-as-a-service at a minimal cost over the dark net.
To confront these new age cyber criminals, a well thought and effective cybercrime management strategy needs to be devised. If the law enforcement agencies have to win this battle, there is a need for a paradigm shift in the approach to policing. The focus needs to shift from conventional to contemporary methods with the right blend of upskilling and upgrading the three pillars – people, processes and technology. Predictive policing is needed to disrupt the expanding web of crime.”
Partner & Leader – Advisory Services (Digital Government), EY
Figure 4: Rates of cybercrime-as-a-service
A new method of cybercrime has emerged wherein genuine and legitimate social media platforms are used to manipulate opinions of impressionable minds through effective and sustained social media campaigns. There is enough evidence of manipulation of the election process in some countries through this method. This is an alarming sign which has far-reaching implications for the future.
Convergence of cyber and terrorism
Cyber terrorists use computer and network technologies for promotion, communication and coordination to carry out attacks which cause public fear. The intent of conducting nationwide cyber-attacks by jeopardizing critical infrastructure is the latest trend.
Figure 5 gives statistics on motivations behind the attacks based on the type of cybercrime.
Cyberattacks on energy grids are not a new thing. One such attack was reported in January 2017 by researchers from ESET, who identified a new piece of malware capable of controlling electricity substation switches and circuit breakers directly, in some cases literally turning them off and on again. They dubbed this malware Industroyer, which is being described as the biggest threat since Stuxnet. It was used in the Ukrainian blackout and in other critical sectors of the UK, the US and the EU. Any well-funded attacker can tailor this malware and execute a hacking campaign against specific critical infrastructure targets.
Proactive cyber patrolling and monitoring of everything digital, whether or not it is connected to a public network, are the only answer to this complex problem. Technological advances in artificial intelligence (AI) and its core areas like machine learning (ML) and natural language processing (NLP) may lead to more sophisticated cyberattacks in future. Cyber criminals may even leverage AI- and ML-powered hacking kits built from tools stolen from state-sponsored intelligence agencies.
Emerging focus areas for law enforcement agencies
Technical know-how and skills
Rapid and uncontrolled digitization, coupled with inadequate response mechanisms, allows criminals to unleash cybercrimes using sophisticated tools that hide their identity and tamper with, hinder or misdirect investigations. On the other hand, law enforcement agencies are still trying to upgrade their technical abilities to match the skills of their adversaries.
With the ever-evolving threat landscape in the digital space, there is a constant need to upgrade the technical proficiency and skills of LEA officers. While most of these officers are well versed in basic cybercrime investigation techniques, very few can be called cybercrime specialists. Moreover, domain specialization is not institutionalized, which further restricts their capability to monitor and check any form of cybercrime (trading on the dark net, human trafficking, child and women sexual abuse material, cyber frauds etc.) and to carry out digital forensics.
Some states have taken initiatives to upgrade their cybercrime investigation capabilities through local software development, while others are in the process of procuring tools and systems for this purpose. A few states have also procured forensic tools but lack specialized trainers who can train law enforcement personnel. Further, there is a severe shortage of personnel to operate these forensic tools. Thus state-level efforts can only bear fruit if capacity building is uniform across the country and training programs are standardized to some extent.
Low cost high impact tools
Cybercriminals have easy access to low-cost or freely available tools that can identify and exploit configuration vulnerabilities, create phishing links and pages, design forms to steal personal information, impersonate voices and guess passwords using dictionaries. Further, the distribution of these tools is widespread and law enforcement agencies have little or no control over it.
India's internet penetration rate is growing rapidly. However, a lack of awareness and netiquette makes most users easy targets for cybercriminals. Phishing, for example, is rolled out en masse and needs to trap only a few recipients to succeed. Many cybercrimes are either reported after a significant delay or not reported at all, due to fear of social shame, lack of knowledge, or uncertainty about whom or where to report to. Crucial evidence is thus lost, which makes the task of law enforcement agencies more difficult.
Technological advancements are making the task of cybercriminals easier. Encryption and steganography are being leveraged by cybercriminals to thwart LEAs, who are not able to decrypt the information in time to predict and prevent crimes. Criminals use the dark and deep web with impunity to exchange information without risking identification through normal, traditional search engines. The complex encryption mechanisms and anonymization tools used to access and trade over the dark net pose complex challenges for LEAs, who are unable to break into these forums and track the criminals.
Migration to VoIP, VoLTE and over-the-top (OTT) services like WhatsApp and Viber has made the task of intercepting voice calls extremely complex. These calls can only be intercepted with the active support of the respective service providers, and the servers are often located outside the country, which makes it virtually impossible to monitor criminals' voice calls in real time. Tower dump and CDR data can only provide limited information in critical situations like the Mumbai attacks or other anti-terrorist operations.
Cybercriminals create botnets by injecting malware into unprotected systems and use them for DDoS attacks, command and control, spam broadcasts, exfiltration, cryptojacking operations etc. Tracking a botnet is a complicated task and may not lead to the offender. As cybercriminals have easy access to advanced technologies, the gap between the capabilities of investigating authorities and the activities of cybercriminals continues to widen.
It is a cliché that cyber space knows no boundaries. Conventional policing is geographically bound and thus inadequately equipped to handle crime in cyber space. Although Section 75 of India's Information Technology Act, 2000 specifies punishment for the commission of any offence or contravention by a person outside India irrespective of his nationality, its implementation cannot be ensured due to the non-availability of suitable agreements or treaties with the countries from which such criminal acts originate. The physical location of servers and data is another challenge: even if the perpetrator is identified, the process of producing evidence becomes complicated for LEAs. Collaboration and rapid information sharing among nations are required to combat the growing menace of cybercrime. The principle of double (dual) criminality, a requirement for extradition in many countries, makes extradition dependent on the laws of each individual country: a suspect may be extradited from one country to stand trial for breaking the laws of another only if the conduct is an offence under the laws of both.
Every country has its own cyber laws, enacted with its national interest in mind. Multinational cybercrime conventions are critical to ensure that investigation and subsequent prosecution meet the legal rigor needed to bring cybercriminals to justice. Cybercrime conventions like the Budapest Convention facilitate faster investigation and help prosecute cyber criminals within the member nations – India is unfortunately not a party to this convention.
Cloud storage adds to the complexity as far as territorial jurisdiction is concerned. Situations in which some data lies outside the jurisdiction of an LEA can make evidence collection and its subsequent presentation before the courts a major challenge. Data retention periods for phone and internet logs are also inconsistent across countries, which limits the investigation capabilities of law enforcement agencies. For example, despite the EU directive to retain data for a period of six months, service providers in Germany are required to store call data records (CDR) and metadata for only 10 weeks and cell phone location data for only four weeks. The corresponding figure for India is six months.
Sustaining critical infrastructure in the wake of cyber terrorism
India has made significant investments in establishing the National Critical Information Infrastructure Protection Centre (NCIIPC) in accordance with section 70A of India's IT (Amendment) Act, 2008. Its aim is to regulate and raise information security awareness among the nation's critical sectors rather than to make technology interventions. It started off with only five sectors, though other countries like the US, the UK, the UAE etc. have designated more than ten sectors as critical national infrastructure (CNI) essential for society and the economy. Non-critical systems and sectors are taken care of by CERT-In.
While India's National Cyber Security Policy (NCSP), published in 2013, sets the tone for a comprehensive effort to protect CII, there is still no clarity regarding the coordination mechanism between organizations such as NCIIPC, NTRO and CERT-In, among other agencies mentioned in the policy, specifically with regard to the protection of critical infrastructure.
Disrupting the web of crime
Most cyber frauds occur due to a lack of awareness and poor cyber hygiene amongst citizens. Basic awareness can significantly reduce the effects of various forms of fraudulent social engineering. Innovative and appealing cyber awareness campaigns (with long recall value) can help in this regard.
Figure 8: Illustrative Organization structure of Cybercrime Wing
The evolution of innovative cybercrime techniques and the growing threat landscape have made it necessary to enhance the technical capabilities of law enforcement agencies. A focused approach is required to investigate and prevent cybercrimes. It is important for LEAs to make a transition from working in isolation to a collaborative approach, and to increase their capabilities through technical empowerment of their cadre. Such collaboration may be with the private sector or with other states that have taken progressive steps in this domain.
LEAs have taken the first step towards capacity building by training officers in cybercrime investigation techniques. This should be taken further by providing focused training in areas like dark web monitoring, network security, cryptography, image processing, ethical hacking, digital forensics etc. Experts for each domain need to be identified and mapped to sub-units of the cyber wing. Skill upgradation should be carried out in shorter cycles to keep pace with technological progress.
To facilitate interaction with national and international agencies, India is to set up its first cybersecurity cluster, the Hyderabad Security Cluster (HSC), on the lines of the world's largest cybersecurity cluster, the Hague Security Delta.
With the current geopolitical situation prevailing in India, IT laws need to be strengthened to check the growing crime on the world wide web. India should participate in as many international conventions and mutual legal assistance treaties (MLATs) as possible, and increase the number of MoUs with international agencies.
Enforceable laws with a deterrent effect are needed, rather than guidelines.
Policies need to be rephrased and effective legal frameworks put in place as part of the overall strategy to counter cyber offences. The center has to identify and operationalize sectoral CERTs to tackle cyber threats in specific sectors. The standards on critical infrastructure protection (CIP) need a detailed roadmap.
Public-private partnership is certainly crucial for sharing cyber security information, but there should also be a mechanism to facilitate coordination between security firms and to initiate new campaigns based on their recommendations on emerging technology.
Strengthening the institutional framework
Centers like ‘Cyber Swachhta Kendra’ are steps in the right direction towards creating a secure cyber ecosystem, but much more background work is needed to create a set of tools that citizens trust and use to protect their sensitive data.
Though we have forensic science laboratories (FSL) to conduct digital forensic investigations, the center should also facilitate crime investigation labs focusing on specific domains under cyber security, viz., dark web monitoring, open source intelligence, crime against children and women, and malware attacks. As a first level of defense in cybercrime and cyber security, implementing a security operations center (SOC) with adequate people, process and technology is essential to strengthen the institutional framework.
The Government of India, under the Ministry of Home Affairs, has formed two new divisions to thwart cyber fraud and check radicalization, namely the Counter Terrorism and Counter Radicalization (CTCR) Division and the Cyber and Information Security (CIS) Division. The objective of CTCR is to devise strategies and prepare action plans for combating terrorism, whereas CIS has been created to monitor online crimes and counter threats like online frauds, the dark net, hacking, identity theft etc.
With the proliferation of digitization, many projects like the Crime and Criminal Tracking Network and Systems (CCTNS) and the Integrated Criminal Justice System (ICJS) have been undertaken by the police forces to bring transparency to police functioning and to provide a hassle-free environment to citizens. This brings in multiple databases and software applications that need to be managed by police departments. Police also collect data from sources like CCTV footage and automatic number plate recognition (ANPR) through routine policing. Thus a huge amount of unstructured data is generated, which has to be incorporated into the overall response strategy.
Big data technologies can be applied to policing to collect data from various sources and apply intelligence and analytics to it, gaining a richer understanding of a specific crime or criminal. LEAs can benefit tremendously by collecting, integrating, analyzing and delivering real-time crime data using this technology. The inputs can come from internal sources (crime databases) as well as external sources (like social media). Some of the possible scenarios are depicted in figure 9.
Big data can help in descriptive, diagnostic, predictive and prescriptive analysis, as given in figure 10, thereby giving the LEAs unprecedented advantage over the cyber criminals. Predictive policing can only be achieved through the adoption of a comprehensive and focused approach in this direction.
Cybercrime management framework
Initially, cybercrime evolved as a threat to individuals and organizations; today, however, it has started impacting nations at large. To tackle this problem, a synergized and holistic framework that is universally acceptable and implementable needs to be developed to counter the threat of cybercrimes and associated risks in cyber space. An illustrative framework (shown in figure 11) treats countering cybercrime as a shared responsibility of each and every stakeholder, without whose contribution the cyber ecosystem cannot be protected.
The frequency, sophistication and destructive potential of cybercrimes are increasing at an alarming pace. Traditional methods of cyber security are not adequate to combat these crimes, so there is an urgent need to devise proactive mechanisms that are able to identify and prevent cybercrimes. Cybercrime management is an effective and credible mechanism to thwart cybercrime. It requires greater focus and commitment within a multi-stakeholder framework, with emphasis on the following aspects:
- Strong bilateral agreements (national and international) on cybercrime investigations, information sharing, intelligence, the applicability of international and territorial laws, capacity building, research and development etc.
- Modular restructuring of cybercrime cells with high tech tools, refining practices and investigation techniques along with human skill enhancement in the areas of digital forensics, dark web monitoring, tackling crime against women and children etc.
- Strengthening the national core networks and systems with the establishment or enhancement of computer security incident response teams (CSIRT), security operations centers (SOC) etc.
- Developing and refining cybercrime reporting methodologies, along with the adoption of emerging technologies like robotic process automation (RPA), artificial intelligence (AI) and analytics for smart policing and investigations.
- Sponsoring nationwide cyber awareness programs for citizens, and central and state government employees.
To build a credible and strong cybercrime management framework, it is essential to create an empowered, state-of-the-art cybercrime coordination center as the nodal agency for formulating national cybercrime strategic plans and policies, gathering information and interacting with all major stakeholders. It should be able to coordinate the activities of all LEAs and other stakeholders to thwart criminal activities by international cyber gangs who infiltrate critical networks and exfiltrate data.
The need of the hour is to develop a framework for solving cyber cases, as a few countries including China have done. An Inter-Ministerial Committee on Phone Frauds (IMCPF) was constituted in the Ministry of Home Affairs in September 2017, comprising MHA, MeitY, the Department of Financial Services, the Department of Telecommunications (DoT), the Reserve Bank of India (RBI) and other law enforcement agencies. This Committee should be mandated to include cybercrimes in its charter, because the distinction between phones and computers has virtually disappeared with the proliferation of smart phones.
To strengthen law enforcement against cybercrime, international law enforcement agencies like Europol have already established a dedicated hub, the European Cybercrime Centre (EC3). It has made a significant contribution to the fight against cybercrime and has formulated a three-pronged framework comprising forensics, strategy and operations. Though EC3 draws on existing law enforcement, it has set up the Joint Cybercrime Action Taskforce (J-CAT) to work on international cybercrime cases. It also publishes the Internet Organised Crime Threat Assessment (IOCTA), which reports findings on new developments and emerging threats in cybercrime.
The two major concerns of law enforcement agencies (like the FBI) in developed countries are reporting of cybercrime and public awareness.
By reporting internet crime, victims not only alert law enforcement to the activity but also aid in the overall fight against cybercrime. Reporting of digital crime increases only with announcements and advertisements reiterating the importance of reporting. Encouraging such awareness initiatives may help LEAs to mitigate and combat cybercrime. Awareness may also cover the current or top crimes reported, like financial frauds, personal data breaches and phishing.
Currently, India has MoUs with Bangladesh, Israel, Japan, Russia, Singapore, Spain, Malaysia, the US, Uzbekistan, Vietnam and the EU in the fields of cybercrime and cyber fraud. The Indian government should further increase collaboration with other countries in this sphere. This will result in more coordinated governance of cyber-related issues. In addition, modernization of the LEAs and capacity building at various levels will allow India to carry out effective and timely cybercrime management at all levels.
LEAs have to strive to step up investigations, leverage the provisions of various procedures and agreements, share intelligence and ensure multi-agency collaboration to secure the prosecution of criminals. This will ensure that efforts and resources are expended effectively in response to the evolving landscape of crime. Takedowns of websites and forums on the dark web through multinational collaboration have recently been carried out in Europe. This initiative has to be supported, and cooperation extended to other nations, so that the web of crime is disrupted and prevented from turning into a web of profit for cyber criminals.