Although cyber crimes are on the rise in India, their reporting is fractional. There are specific hindrances that prevent organizations from reporting cyber crimes. Cyber crimes directed at organizations range from data thefts, monetary frauds and piracy to copyright violations. Despite being the biggest victim of cyber crimes, organizations always get caught in the debate as to whether they should report these attacks.
One side of the debate is that cyber crime reporting creates panic among stakeholders, diffuses the trust and credibility quotient, exposes security fragility, and attracts unwanted attention of other miscreants. The other side justifies the need for cyber crime reporting, as it contributes towards creating a strong infrastructure to counter such attacks and prevents attackers from striking other targets.
Both views are tenable. However, non-reporting of these cyber attacks is a concern, and will cause a bigger headache in the days ahead. It is felt that companies need to be honest with the customers, offer them security, and take counter measures.
There are organizations that are aware of cyber attacks directed at them and that compromises of information. At the same time, there are organizations which simply do not have the infrastructure and probes that could identify and beat back these attacks.
Need for a cyber crime reporting framework
Hesitation from organizations suggests the lack of an enhanced cyber crime reporting framework. There is a pressing need for defining cyber crimes as well as a clear and distinctive law for prosecuting these criminals. Here are some guidelines that can encourage organizations to report cyber crimes:
Spread awareness: The cyber criminology department in India functions as an independent unit. However, there is ambiguity about which crimes could be typified as cyber crimes. This problem can be solved only by spreading awareness. A crime committed with the aid of the Internet, computers as well as its supporting devices such as servers, databases, routers and networks is termed as cyber crime.
Media sensitization: The media plays an important role by highlighting the crime and need for justice. Today, cyber crime reporting does not find favor, as victims fear negative media publicity. Media sensitization towards the victim can certainly encourage cyber crime reporting. Of course, concealing the details of the victim to prevent the dignity and monetary losses along with projecting the focus on the actual crime is the media’s prime responsibility.
Operational continuity: Most organizations avoid cyber crime reporting because they want to avoid disruption of the organizational operations due to the confiscation of operational assets for investigation (and as evidence by the cyber Police). So the cyber cell must be equipped with essential infrastructure to take asset backups so that it can investigate the crime without disrupting an organization’s operations. Cases of cyber crimes also need to be solved as swiftly as possible. Delay in investigation can facilitate easy escape for the cyber criminals.
Criminology infrastructure: Cyber criminology is still at a relatively nascent stage in India. There is also a pressing need to recruit the right kind of resources in the cyber cell. Remunerate them with the right kind of compensation that is in sync with the remuneration offered by IT industry. The Police cyber cell needs to be trained on the technological advancements on cyber crimes and hacking.
Investigation procedure: The cyber Police must use set methods for investigation that are designed and aided with the help from consultants who possess expertise. They must also adopt equally strong infrastructure and technology to match the wits of cyber criminals.
Centres at multiple levels: There is a need to set up dedicated cyber intelligence centers at different levels (that have security experts as honorary heads) to identify threats and attacks. Intelligence sharing between the organizations must be encouraged to fight the cyber criminals effectively. For example, recently there have been various instances of frauds committed by crooks that double up as anti-piracy agents and raid offices (without proper authority and permissions) under the pretext of copyright violations. All they have is a power of attorney from few software development firms to check and prosecute the copyright violations of software created by them.
These ‘agents’ apply and acquire Police protection to prevent instances of physical abuse while raiding the organizations. These frauds then misguide the organizations that the Police’s cyber cell is raiding them, and demand monetary favors to hide the raid’s outcome. In the process they also malign the cyber cell’s dignity. The cyber centers could not only help in effective mitigation of such frauds, but also encourage cyber crime reporting.
About the author: Shomiron Das Gupta is the founder of NetMonastery, a group specializing in DDoS defense, intrusion analysis and high end security consulting.
This was first published in September 2010