Computer crime in India
By Shehla Raza Hasan | 28 Mar 2003
The Computer Crime & Abuse Report (India) 2001-02 has come out with startling data related to these crimes. The report analyses 6,266 incidents of computer crime and abuse that affected 600 organisations spanning IT, manufacturing, financial services, education, telecommunications, healthcare and other services sectors in India during this period. The report has been published by the Computer Emergency Response Team of the Asian School of Cyber Laws.
This data is only the tip of the proverbial iceberg. Like most crimes, these largely go unreported, mainly because people are not aware of laws governing cyber crimes. Says a deputy commissioner of police in Kolkata: "Most people are not aware that there are laws governing cyber crime. Therefore a good many of them go unreported. If reported, these cases are taken very seriously."
The reasons for not reporting are also varied. The report says that 23 per cent of the organisations did not know that the police were equipped to handle cyber crime, 8 per cent had no awareness of the cyber law, and 9 per cent feared further attacks, while a good 60 per cent wanted to avoid negative publicity.
The passage of the Information Technology Act 2000 and subsequent amendments to the Indian Penal Code and the Evidence Act have paved the way for stringent penalties for computer crimes. The law envisages imprisonment up to 10 years and damages in crores of rupees for various computer crimes. Cyber crime investigation cells have been set up in various cities. Bangalore has a dedicated cyber crime police station.
In the light of ever-increasing white-collar crimes, it would be worthwhile to look at an interesting set of facts and figures related to cyber crime.
The above figures give the percentage break-up of incidents and categories of crime. Almost 60 per cent of the incidents in the year were reported in the first six months of the year and the maximum number of incidents were reported in September and the minimum in August. Another interesting fact is that almost 60 per cent were reported on Mondays, Fridays and Saturdays and a minimum number on Sundays.
The perpetrator-wise break-up shows that the largest number of incidents was attributable to former employees (31 per cent) and the second slot was by business rivals (29 per cent). What is interesting is that more than half the incidents are attributable to employees (current as well as former).
Those attacks where sophisticated techniques and methodologies were used have been classified as hacker, constituting 11 per cent, while those done by persons with relatively low knowledge are classified as script kiddies; these constitute 8 per cent of the perpetrators of crime. What is disturbing is that the script kiddies have successfully penetrated organisational networks using freely available hacking tools.
Various categories of crime have been enumerated along with data related to them.
Data theft
This category accounted for 33 per cent of the total reported incidents. These included theft and misappropriation of electronic information and records. Incidents of unauthorised access where no data was stolen have not been included. In the category of data theft, stealing of source code topped the list with 37 per cent, followed by those of credit card details (29 per cent). Theft of details of business plans accounted for 20 per cent and the rest was 14 per cent.
E-mail abuse
This refers to three categories of abuse: obscene e-mails (60 per cent), threatening ones (25 per cent) and defamatory matter (15 per cent).
Data alteration (on the rise)
One of the potentially most dangerous kinds of cyber crime, data alteration constituted 14 per cent of the incidents reported in 2001. It rose to 17 per cent of the incidents reported in 2002. This category relates to incidents where unauthorised alteration of vital information has taken place and data has been doctored or tampered with, in order to misrepresent facts.
Such crimes include alteration of hospital records, unauthorised changes made to quotations, financial accounts and bank records. Interestingly, there were many instances where persons having authorised access to the data made the unauthorised alteration.
Unauthorised access
This category accounted for 19 per cent of the total incidents. Methods employed for unauthorised access included malicious code (38 per cent), social engineering (29 per cent), remote dial-in (18 per cent) and Internet-based methods (15 per cent).
Virus
This category referred only to those incidents where viruses were sent deliberately to particular victims. This category reflected 14 per cent of the total incidents, but is significant because of the damage potential.
Denial of service
These included denial of service attacks on web and mail servers, FTP servers and printers. This category accounted for 3 per cent of the incidents reported. In 95 per cent of the cases these attacks appeared to originate from outside India.
According to an abstract prepared by the Asian School of Cyber Laws, incidents of data theft, data alteration and unauthorised access can be eliminated by the proper use of public key infrastructure (PKI). PKI is the super system that puts in place policies, people, processes and technology to harness the power of cryptography and its applications like digital signatures.
The Indian law specifically recognises digital signatures as being the only accepted mode of authentication of electronic records. While India is one of the first countries to have granted legal recognition to PKI, its use remains minimal primarily because of a lack of awareness about its benefits.
A PKI-based system would help in achieving the objectives of information security, namely privacy, data integrity, entity authentication and identification, message authentication, signature authorisation, validation and access control, certification, time stamping, witnessing, receipt confirmation, ownership, anonymity, non-repudiation and revocation.
It is clear that there is a crying need to spread awareness about cyber laws and how to tackle cyber crimes. It is time we put up a tough battle against cyber criminals.