Rediff.com« Back to articlePrint this article

'Our cyber cells are not equipped to deal with cyber crime'

September 20, 2009 00:06 IST

The circular by the Intelligence Bureau seeking to block internet telephony only shows that the country has been sleeping ever since the Mumbai terror attacks. All calls made during the planning stages of the attacks used the Voice over Internet Protocol technology. However, now it is clear that India does not have the capability as yet to track down such calls and hence a ban was sought on this technology.This trend can not continue since the IB says that terror groups will increasingly use this service in future since it cheap and very difficult to track.

Pavan Duggal, an authority on cyber law who is also the president of Cyberlaws.Net in this interview with rediff.com speaks at length to Vicky Nanjappa about the options India has to deal with such a situation. He also gives an insight into why India took so long to react after the Mumbai attacks and also how a ban on VoIP would affect the common man.

How serious is the threat of VoIP being misused in India?

The threat of VOIP misuse in India is indeed very high. India has been the target of cyber criminals and cyber terrorists.  Consequently, VOIP is often used as a tool for communications aimed at harming the sovereign interests of India. VOIP is only legalized in a limited manner in India, even then misuse of VOIP is being often reported. The misuse  of VoIP is a distinct challenge to protection and preservation of India's sovereign interests.

Do you think India can ever secure its lines so that VoIP is not misused?

I don't think any nation can reach the level of absolute security. Security is a relative term and its paradigm keeps on constantly changing.India can try to secure its lines as much as possible but to think of complete and absolute security would be a utopian dream. 

Yes, India can distinctly keep in place effective mechanisms for securing its lines. It needs to come across with a detailed legal policy on VoIP. Misuse of VOIP needs to be specified as a heinous offence punishable with minimum seven years imprisonment and above. 

In addition, it is pertinent to note that the central government has already been granted a large amount of powers pertaining to protection and preservation of cyber security under the Information Technology (Amendment) Act 2008, which has amended the Information Technology Act 2000.  I believe these powers can be distinctly utilized by the government for preventing potential misuse of VoIP lines.

What are the various options before India to secure its telecom lines?

India can adopt various options in order to secure its telecom lines. It can mandate an enhanced level of adoption of security practices and procedures by telecom service providers. This is all the more so, since the telecom service providers are duly licensed by the Department Of Telecommunications. 

A part of the license indicates that the said telecom service providers shall be mandated to follow such other guidelines pertaining to security and otherwise that may be mandated by the government. Further, the government needs to be utilize the enhanced powers for the protection and preservation of cyber security as inserted by the Information Technology (Amendment) Act 2008, under the substituted language under Section 69A and 69B and Section 70A and 70B of the amended Information Technology Act 2000. 

The focus of the new amended Information Technology Act 2000 is on  ensuring cyber security and consequently the government has been empowered to enhance cyber security and has further been empowered to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource. 

Further, the government can mandate the intermediaries or network service providers or any person in charge of a computer resource to provide  technical assistance and extend all facilities to governmental agencies to give online access or to secure and provide online access to computer resources generating, transmitting, receiving or storing  traffic data or information. It will be prudent for the government to invoke the powers under the new amended Information Technology Act in order to secure its telecom lines.

This is although more so, since VOIP is done on computers, computer systems, computer networks, computer resources and communication devices and hence it is fully covered by the provisions of the Information Technology Act 2000 as amended.In addition, the government can also mandate other security parameters and surveillance mechanisms and practices to secure its telecom lines. 

How long do you will India take to effect such an exercise?

There is no information available in the public domain as to how India wants to proceed in this direction. Clearly such an exercise could take anytime from six months onwards. Everything depends upon the proactive approach adopted in this regard.

What sort of an effect would blocking or regulating VoIP calls have on the ordinary user?

I believe that blocking the VOIP is not an option.You cannot block technology for long.The wave of technology is far more stronger than any attempts to lock out the same or any barricades of attempting to block the said technology.           However, VoIP calls can definitely be regulated.

There is need for having a detailed VoIP policy in India.The said policy also needs to have adequate legal regulatory mechanisms for governing VoIP calls. These mechanisms should stipulate the stringent penalty for various contraventions and misuse of VoIP.

Misuses of VoIP should be made a  heinous offence punishable with stringent punishment.  In addition, powers of search, interception and monitoring of VoIP calls need to be specifically provided for to the Government and to the concerned agencies. 

However, in case if VoIP calls are completely blocked, it will have a very detrimental impact on the upon the users. The normal user would not be able to utilize the free benefits and services of VoIP which the normal user is today using not only for his/her interactions but also for business and other social networking transactions.

Regulating VoIP calls would indeed help bringing more order to VoIP regime and prevent potential misuse. In addition, it will also help to enable the Government to put in place an effective mechanism for securing VoIP calls in India.

It is ten months since the Mumbai attacks took place. Why has it taken so long for the government to start even talking about secure VoIP lines?

It is indeed correct that it has taken the government a long time to start talking about secure VoIP lines.Why this has taken a long time is beyond comprehension, having secure VoIP lines is the need of the hour as far as India is concerned.

Do you think that the government just realized ten months after the Mumbai attacks that they were incapable of tracking down calls made using VoIP?

I don't think that the government has just realized now that they are incapable of tracking down calls made using VOIP.  On the contrary, the government is alive to the potentiality of misuse of VoIP calls.In fact, that is reason why the Centre has never really permitted unrestricted VoIP as the legally valid phenomenon in India. 

As per existing policy, VoIP calls are not allowed to be terminated on terrestrial PSTN  network within India. So, the Govt. has been already aware of the problem. 

The Mumbai attacks have further highlighted how potentially VoIP can be misused.However, the governmental process in India is a process which takes time for consultation and interval discussion.The Government needs to now follow up with an effective legal policy and regulatory and security action plan for VoIP in India.

If the DoT has to comply with the IB directive of blocking internet telephony then what does it need to do to comply with the request?

Since the Intelligence Bureau's recommendations are impacting the sovereignty and security of India, the DOT needs to comply with them. However, I believe if DOT complies with the IB recommendations, then it may direct all existing internet service providers providing VoIP telephony services in India to suspend immediately their operations and stop providing such services to clients in India. 

Such an exercise would also entail directing other value added service providers to stop providing services in this regard. However, the directions of the DOT is only limited to Indian service providers and that would have no effect or binding character upon the service providers located outside within the territorial boundaries of India who offer services like Skype on hundreds of such websites. In that sense, the said ban would only be a partial ban and still not address the issue at hand.

What are the options India has legally to go about this issue, considering the fact that many service providers are based out of India?

India is the currently in a catch-22 situation.But this is a situation that almost every country is in.While on the one hand its laws have territorial applicability on activities done on computers, computer systems and computer networks within the territorial boundaries of India, it still has no applicability upon the service providers providing VoIP service outside India.  Consequently, India could legally try to ban VoIP within India.

But such an exercise is likely to have any material significance and relevance considering that a large number of service providers are located outside territorial boundaries of India.Blocking VoIP is no solution. The problem needs to be addressed from fresher broader mindset. It will be far better if India mandates a law which stipulates that all service providers whose services impact computers, computer systems and computer networks located within India to supply to the Centre with all details and aspects relating to monitoring of VoIP calls and if the Indian government works in close coordination with the service providers, that could be a far more preferred approach. 

The governement can also enact various regulations and policies to ensure that in case if the obligation of service providers pertaining to providing information impacting the protection and preservation of India's security and national interest in cyber space are not met, then they would be strict sanctions and penalties, that could be a more better way for proceeding ahead. Even otherwise, given the emerging global trends, service providers are willing to give information of their subscribers and their online activities, which would impact the security and sovereignty of any nation. Having a secure VoIP space is almost the concern of all.

Could you also tell us what the government could do to curb cyber terrorism?

Cyber terrorism is a big challenge for India.Only a couple of years back nobody wanted to acknowledge the relevance of cyber terrorism in the Indian context.

However, it is widely accepted that cyber terrorism is a major challenge for the India. I don't believe that enough is being done to curb cyber terrorism.The centre has already taken a number of steps in this regard. The Information Technology Act 2000 has been amended by the Information Technology (Amendment) Act 2008 to incorporate the specific offence for cyber terrorism.

India has one of the most comprehensive provisions relating to cyber offences across the world.However, more needs to be done in this regard. Appropriate and specialized anti-cyber terror courts needs to be set up as effective implementation of law is just as much important as having put in place a good law.

Further, the entire issue of cyber terrorism cannot be dealt with one single section under the Information Technology Act 2000.Special rules, regulations, procedures and processes needs to be made for expeditious disposal of cyber terror cases. A proactive policy against cyber terrorism i required to prevent potential events and acts constituting cyber terrorism in coming times.

It is also correct that latest technological tools needs to be adopted. There is no doubt that on the proposition that cyber terrorists are ten steps ahead of governements. The Centre needs to take proactive stand in this regard and come up with a comprehensive national policy against cyber terrorism, which need to have enabling rules and regulations to prevent cyber terrorism. There needs to be in place the relevant obligations of service providers and intermediaries in this regard.

Already, a lot of powers pertaining to monitoring and interception have been granted under the amended Information Technology Act 2000. There is a need for maintaining appropriate checks and balances with regard to the exercise of such powers. The Centre needs to do quite a lot and think on its feet, while dealing with such an issue.

Our cyber cells seem to be groping in the dark for want of information regarding cyber terrorism cases. What do you think is the solution?

It is correct that our cyber cells seem to be groping in the dark for want of information regarding such cases.Our cyber cells are not appropriately well equipped to deal with such cases, should they reach up to them. 

The solution lies in the government making special anti-cyber terror courts and in creating more awareness about cyber terrorism amongst the law enforcement agencies and the cyber cells.It will be better if the government comes across with a dedicated law enforcement team, dedicated to cyber terror.

The challenges of cyber terrorism keep on increasing with each passing day.The government has to constantly adapt, react and act proactively at the same time to meet with the increasingly complex challenges, legal regulatory and otherwise , posed to the  security and sovereignty of India by cyber terrorism.

Do you think our cyber crime police wing is equipped to tackle such problems? If not what do you needs to be done?

Our cyber cells is not well equipped to deal with cyber terror related issues. There needs to be constant training, orientation and awareness campaigns that need to be launched amongst cyber crime cells and amongst the law enforcement agencies on cyber terrorism and how to detect, investigate and prosecute cyber terror cases.

The government needs to allocate resources for training and orientation in this regard.  Further, developing a specialized team of anti-cyber terror specialists , amongst the law enforcement agencies would also be good idea.

Do you think that the judiciary has been playing an active role where cyber crime is concerned? If not what should be the role of the judiciary?

The judiciary has a very proactive role to play as far as regulations of cyber crimes are concerned but the role in only limited to what inputs are provided by the prosecution in this regard.  If the prosecution fails in bringing forward the relevant legally admissible electronic evidence, it becomes difficult for the judiciary to assist the law enforcement in this regard.

I believe that there is a need for doing far more training within judicial about the various issues pertaining to cyber crimes and cyber terrorism.  We need to appreciate that ultimately it will be the judiciary which will be responsible for trying any cyber terror cases.

As such it will be important to train the judiciary on various legal and evidentiary issues pertaining to cyber terrorism and further relating to how cyber terror trials have to be expeditiously conducted keep in mind the international best practices in this regard. India has one of the strongest judiciaries in the world and giving appropriate training  and related inputs to the judiciary will enable it to appreciate the nuisances of cyber terrorism and apply it in cases coming up for disposal before the judiciary. 

In any case, the Centre has to put an equal emphasis upon the training of the judiciary as well as of the law enforcement agencies pertaining to cyber terrorism.  As time passes by, India is likely to see far more cases of cyber terrorism and it will be imperative that appropriate appreciation of nuisances therein by proactive judiciary will enable the expeditious disposal of cyber terror related cases in the times to come.

Could you give us a brief comparison between India and the rest of the world on how cyber terrorism has been handled? What are we lacking?

Cyber terrorism is still a recent phenomenon and the jurisprudence on the same is yet to evolve.  Of course, we have nations like United States of America which have after 9/11 attacks come across with a series of legislations aimed to prevent terrorist activities including terror activities on using computer networks. 

The USA Patriot Act was the first legislation to be passed after the 9/11 attacks. Thereafter, the Homeland Securities Act and other appropriate rules and regulations have also been enacted in the USA.  I think India needs to learn from the experience of the west.

India would require a distinct law on cyber terrorism, which should incorporate appropriate practices and procedures to be adopted in cyber terror related cases. 

Cyber terrorism is a different category of cyber crime and cannot be equated with other cyber crimes in terms of its impact upon the sovereignty, integrity and security of a nation. Hence, India needs to proactively come across with not just a dedicated law on cyber terrorism but also appropriate rules and regulations which specify the various practices and procedures to be follow in cyber terror related trials.

Appropriate mechanisms need to be implemented to ensure an expedient and expeditious disposal of cyber terror related trials.

India is currently lacking behind, in the sense that we are putting all our hopes on one section under the Information Technology Act 2000. Clearly one section, being Section 66F of the amended IT Act may not adequately protect India's sovereign interest given the global onslaught of cyber terrorist activities. India requires a dedicated law on cyber terrorism.  The law is distinctly required to ensure that instances like 26/11 do not get repeated. 

Unfortunately, none of the existing laws would be of much help in specific and specialized cyber terrorism cases which would require a proactive approach to be adopted. It is very important that the confidence and trust of the people at large need to be retained and won. That can only happen if there is a detailed comprehensive legal regime as also practices, procedures and processes put in place which can help enable expeditious and quick disposal of cyber terrorism related cases. 

India needs to change its mindset and quickly come across with a dedicated law on cyber terrorism.  India has already had experience in the filed regulating organized crime by enacting state legislations like  Maharashtra Control of Organised Crime Act (MCOCA) 1999.

Considering that the security of the computer systems and computer resources of the government are not of a very high order, the government should be alive to the effect that they could be attacks on governmental systems, computers, computer systems, computer networks, computer resources and communication devices of the government so as to prejudicially impact India's sovereign interests and its sovereignty, integrity, security of the state as also friendly relations with other nations. 

I have no doubt in my mind that Indians wants a secure cyber space and Indians rise up in a  unanimous voice to condemn any cyber terror activities. However, any resolve to condemn cyber terrorism should not be limited to mere resolve or a solitary section under the amended Information Technology Act 2000. The government needs to act in this regard and come across with detailed parameters, processes and procedures. Expeditious action in this regard will enable the prevention of potential losses of property  and life and diminishing the value and utility of computerized systems, services, networks and    related independent data and information in the electronic form connected or associated therewith.

I think India needs to take thought leadership in the field of  fight against cyber terrorism. India should set a shining example which other countries need to follow in their fight against cyber terrorism.  It is important to remember that cyber terrorists leapfrog with technology. India needs to leapfrog in its legislative frameworks to regulate cyber terrorism .

There are IB reports that terror groups could hack into important websites of our country. Do you think that our government is geared up to face such a situation?

There is an ever growing challenge that terror groups could hack into important websites and computers of our country. With the coming of cyber terrorism, hacking of websites will be aimed to be done to achieve a lethal object aimed to paralyze the economy and the affairs of the nation by impacting severely computer based services and information as also databases.  The cyber terrorists today want to focus on depriving people of all computer related or run services to which they are legitimately entitled to and thereby create doubts, fear and terror in the minds of the Indian citizens.

I believe that the Government of India is certainly not geared up to face such a situation. 

The security of governmental websites continues to be not of optimal standards. Awareness about the appropriate security mechanisms itself also is at a lower level. The emergence of new kinds of security threats, intrusions, contaminants and challenges ensure that India needs to inculcate a culture of security amongst not just  its governmental machinery but also amongst the citizens and netizens of the country as a whole. Definite funds needs to be allocated in the fight against cyber terrorism.  Education, awareness and training needs to be the moto of the times. The political leaders of the country and law makers need to be sensitized on the need for having effective anti-cyber terror laws in India.

A broad national culture of security needs to be inculcated amongst the users of  computers, computer systems, computer networks, computer networks and communication devices within India. This can be achieved only by adopting multiple approaches from different perspectives which could enable India to effectively launch its successful opposition to the challenges raised by cyber terrorism and cyber terrorists.

Vicky Nanjappa