Sunday, January 17, 2010

India Caught On The Wrong Foot Of Cyber Anarchy

This work is analysing the strategic and policy lacunas of Indian Government in the fields of Cyber Law, Cyber Security, Cyber Forensics, etc. As a result India has not only become a safe heaven for cyber criminals but also a “soft target” for hackers and cyber war criminals worldwide. A dominant majority of work, suggestions and recommendations in these crucial directions have been done/provided by Mr. Praveen Dalal, Managing Partner of Perry4Law and the leading Techno-Legal Expert of India. This work is summarising his suggestions and recommendations (with his approval) and we hope the Government of India in general and the Prime Minister Mr. Manmohan Singh in particular would consider and act upon these suggestions.

Cyber law enforcement and regulation passing through a bad phase in India. It is evident from the recent attack by the Chinese Hackers to the computers in the Prime Minister's Office (PMO). The sinister attempt was made around December 15 last year. Investigators are still coming to terms with the depth of the damage. There is hardly any conviction of cyber criminals in India. On the one hand India has bad and weak cyber law whereas on the other hand law enforcement is hardly aware about the basics of cyber law and cyber forensics. India has become a safe heaven for cyber criminals. The hackers had aimed high - their targets were the cream of India's national security set-up: National Security Advisor M.K. Narayanan, Cabinet Secretary K.M. Chandrashekhar, PM's Special Envoy Shyam Saran and Deputy National Security Advisor Shekhar Dutt. The four and up to 26 others were squarely in the crosshairs of the hacking attempt.

A top PMO official, whose e-mail account was cracked by the Chinese hackers, confirmed the espionage bid, saying: These kind of hacking attempts are made. To think they are not made is wrong. The internet or intranet is not used for official purposes. As per the India Today, According to Bharat Karnad, a strategic affairs analyst, "China wants war by all means. It doesn't believe in peacetime. For China, it's always rivals, always competition." R.S.N. Singh, a former RAW officer, says: "China wants to dominate and control this space. This cyber army has soldiers not in uniform but anybody and everybody, maybe college students. It's very serious as cyber warfare can bring a country to a crippling halt."

The timing of the espionage attempt has investigators suspecting that the Chinese hackers were desperately trying to access any data on India's position at the Copenhagen Climate Summit. Until Prime Minister Manmohan Singh arrived in Copenhagen on December 17, Environment Minister Jairam Ramesh and PM's Special Envoy Shyam Saran were singing different tunes. While Ramesh was in favour of scrapping the Kyoto Protocol, Saran was against the move. On December 15 when India's final stand was still shrouded in mystery, the Chinese hackers targeted the PMO computers.

But what has disturbed investigators the most is that the Chinese hackers quite likely had inside help. The possibility of a mole within the Indian establishment helping a foreign adversary is staring investigators in the face. And the technology being used is preoccupying the Indian sleuths no end. The espionage attempt was highly evolved and well-researched. The mail was routed through several multi-proxy servers thus obliterating the trail. The hacking spyware itself was embedded in a PDF document. And the trojan was programmed to carry out an array of functions, including downloading files, accessing emails and passwords and also accessing the desktop from a remote location.

The police officers, lawyers and judges must be trained in cyber law aspects so that cyber criminals may be suitably punished. In the absence of proper training, there is almost no conviction of cyber criminals in India. To fight the cyber crimes the Crime and Criminal Tracking Network & Systems (CCTNS) Project has been approved by the Cabinet Committee on Economic Affairs Govt. of India. It has a financial cushion of Rs.2000 Crores as per the 11th Five Year Plan. The Project would be initiated by the Ministry of Home Affairs and implemented by the National Crime Records Bureau. The CCTNS project is to be implemented in a manner where the major role would lie with the State Governments in order to bring in the requisite stakes, ownership and commitment, and only certain core components would be in the hands of the Central Government, apart from the required review and monitoring of project implementation on a continuing basis.

The broad objectives of the CCTNS project are streamlining investigation and prosecution processes, strengthening of intelligence gathering machinery, improved public delivery system and citizen-friendly interface, nationwide sharing of information across on crime and criminals and improving efficiency and effectiveness of police functioning. The Project aims to fulfill various specified objectives over a period of three years. cases registered at Police Stations; obtaining copies of FIRs, post-mortem reports and other permissible documents etc. An indicative list of e-services expected from CCTNS to citizens would be filing of complaints / information to concerned Police Station; obtaining status of complaints.

The information technology is a double edge sword, which can be used for destructive as well as constructive work. For instance, a malicious intention forwarded in the form of hacking, data theft, virus attack, etc can bring only destructive results unless and until these methods have been used for checking the authenticity, safety and security of the technological device which has been primarily relied upon and trusted for providing the security to a particular organisation.

In fact, a society without protection in the form of "self help" cannot be visualised in the present electronic era. Thus, we must concentrate upon securing our ICT and e-governance bases before we start encashing their benefits. The same can be effectively achieved if we give due importance to this fact while discussing, drafting and adopting policies decisions pertaining to ICT in general and e-governance in particular. The same is also important for an effective e-commerce base and an insecure and unsafe ICT base can be the biggest discouraging factor for a flourishing e-commerce business. The factors relevant for this situation are too numerous to be discussed in a single work. Thus, it would be better if we concentrate on each factor in a separate but coherent and holistic manner. The need of the hour is to set priority for a secure and safe electronic environment so that its benefits can be reaped to the maximum possible extent.

The ubiquitous use of computers and other electronic devices is creating a rapidly rising wave of new and stored digital information. The massive proliferation of data creates ever-expanding digital information risks for organizations and individuals. Electronic information is easy to create, inexpensive to store, and virtually effortless to replicate. As a result, increasingly vast quantities of digital information reside on mass storage devices located within and without corporate information systems. Information risks associated with this data are many. For example, electronic data can often show — with a high degree of reliability — who said, knew, took, shared, had and did what, and who else might be involved in the saying, knowing, taking, sharing, having, and doing. For the corporation, the free flow of digital information means that the backdoor is potentially always open to loss.

It is best to state up-front that the emphasis in any cyber forensic examination must be on the forensic element, and it is vital to understand that forensic computing, cyber forensics, or computer forensics is not solely about computers. It is about rules of evidence, legal processes, the integrity and continuity of evidence, the clear and concise reporting of factual information to a court of law, and the provision of expert opinion concerning the provenance of that evidence: Companies are very concerned about the notion that anything they write electronically can be used again at any time. If you have to discipline yourself to think, "can this be misconstrued?" that greatly hampers your ability to communicate and introduces a huge level of inefficiency.

One such improvement that is urgently required to be adopted, implemented and inculcated by the Judges of District Courts, High Courts and Supreme Court of India pertains to Techno-Legal acumen and knowledge. Techno-Legal acumen is difficult to acquire as it requires a sound working and practical knowledge of both technical as well as legal aspect of the Information and Communication Technology (ICT) related aspects. Issues like Cyber Law, International Telecommunications Laws, Cyber Forensics, Digital Evidencing, Cyber Security, etc pose difficult and sometimes non-understandable legal issues before the Courts. The Judges in India must fill in this much needed and unnoticed legal gap that has not yet been explored by them.

The establishment of E-Courts in India requires certain prerequisites. These are: E-Courts Policy, Data Keeping, and Payment Gateway. Simplicity And User Friendly Connectivity, Scope, Authentication, Integrity, Security. However, if the courts have to keep in step and play their part in restoring public confidence in the legal system then they must find new ways to improve the efficiency and effectiveness of their operations. Information and Communication technology (ICT) can be a panacea for the dying judicial system of India. We can effectively use ICT for establishment of E-Courts in India so that E-Judiciary in India can be a reality. However, the task is really difficult to achieve because of lack of expertise and absence of time bound performance. Every year in the month of February, the tenure of E-Courts Committee is extended for another year. This shows there is a lack of Political Will to achieve the task as merely extending time for another year without performance report and accountability is just a pretext to avoid the ultimate accomplishment, i.e. establishment of E-Courts in India.

The fact remains that despite all glamorous conferences and public announcements, we do not have even a single E-Court in India and there is not even a single case that has been filed, contested and finally adjudicated through an E-Court System in India. Where those claimed E-Courts are and what cases they had adjudicated is still a big mystery. It seems India is just making press statements years after years and courts after courts about establishment of E-Courts in India without actually establishing and operationalising them. The task of their establishment and operationalising cannot be accomplished till we honestly and dedicatedly try to achieve the same. Till now India is just adopting the half hearted efforts and evasive approach.

The Cyber Forensics has given new dimensions to the Criminal laws, especially the Evidence law. Electronic evidence and their collection and presentation have posed a challenge to the investigation agencies, prosecution agencies and judiciary. The scope of Cyber Forensics is no more confined to the investigation regime only but is expanding to other segments of justice administration system as well. The justice delivery system cannot afford to take the IT revolution lightly. The significance of cyber forensics emanates from this interface of justice delivery system with the Information Technology.

Evidence must be gathered by law enforcement in accordance with court guidelines governing search and seizure. The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but on probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. Computer crime is escalating.

The growing use of IT has posed certain challenges before the justice delivery system that have to be met keeping in mind the contemporary IT revolution. The contemporary need of Cyber Forensics is essential for the following reasons: The traditional methods are inadequate: The law may be categorised as substantive and procedural. The substantive law fixes the liability whereas the procedural law provides the means and methods by which the substantive liability has to contended, analysed and proved. The procedural aspects providing for the guilt establishment provisions were always there but their interface with the IT has almost created a deadlock in investigative and adjudicative mechanisms. The challenges posed by IT are peculiar to contemporary society and so must be their solution. The traditional procedural mechanisms, including forensic science methods, are neither applicable nor appropriate for this situation. Thus, "cyber forensics" is the need of the hour. India is the 12th country in the world that has its own "Cyber law" (IT Act, 2000). However, most of the people of India, including lawyers, judges, professors, etc, are not aware about its existence and use. The traditional forensic methods like finger impressions, DNA testing, blood and other tests, etc play a limited role in this arena.

The changing face of crimes and criminals: The use of Internet has changed the entire platform of crime, criminal and their prosecution. This process involves crimes like hacking, pornography, privacy violations, spamming, phishing, pharming, identity theft, cyber terrorisms, etc. The modus operendi is different that makes it very difficult to trace the culprits. This is because of the anonymous nature of Internet. Besides, certain sites are available that provides sufficient technological measures to maintain secrecy. Similarly, various sites openly provide hacking and other tools to assist commission of various cyber crimes. The Internet is boundary less and that makes the investigation and punishment very difficult. These objects of criminal law will become a distant reality till we have cyber forensics to tackle them.

There is a dire need to compare the traditional crimes and criminals with the crimes and criminal in the IT environment. More specifically, the following must be the parameters of this comparison: Nature of the crime; Manner/Methods of commission of the crime; Purpose of the crime; Players involves in these crimes, etc.

Thus, Cyber Forensics is required to be used by the following players of criminal justice system: Investigation machinery- Statutory as well as non-statutory; Prosecution machinery, and; Adjudication machinery- Judicial, quasi-judicial or administrative; Jurisdictional dilemma: The Internet is not subject to any territorial limits and none can claim any jurisdiction over a particular incidence. Thus, at times there is conflict of laws. The best way is to use the tool of Cyber Forensics as a "preventive measure" rather than using it for "curative purposes.

Cyber Forensics is different from E-Discovery, Digital Recovery or other synonymous terms. Cyber Forensics primarily caters the "Legal Requirements" whereas E-Discovery meets the requirements of private individuals and organizations.

The management of the organisation decides to trace the origin of this breach. After proper analysis they come to know about the source of that breach. Till this stage it is only an E-Discovery. The management can take whatever preventive or remedial measure as it may deem fit.

If the management decides to take a "Legal Action" against the offender, it has to prove the acquired digital evidence before the Court of Law. Mere E-Discovery may not be enough to prove the guilt of the accused as legal requirements regarding evidence and procedural laws must also be complied with. When the E-Discovery is "Law Compliant" it becomes "Cyber Forensics".

Similarly, there are certain laws that require individuals and organisation to exercise "Due Diligence" and "Statutory Compliances". These requirements may fall either in the category of E-Discovery or Cyber Forensics as per the facts and circumstances of each case. The contemporary practice is to perform live analysis to get useful volatile data that is lost the moment a computer is turned off or after the pulling of the plug.

Computer Forensics deals with the preservation, identification, extraction, and documentation of computer evidence. The field is relatively new to the private sector but it has been the mainstay of technology-related investigations and intelligence gathering in law enforcement and military agencies since the mid- 1980s. Like any other forensic science, computer forensics involves the use of sophisticated technology tools and procedures that must be followed to guarantee the accuracy of the preservation of evidence and the accuracy of results concerning computer evidence processing.

It is extremely important to realize that evidence must have been gathered and that computer-generated evidence is considered "hearsay" with some exclusion. Depending on your role or responsibility in the computer forensics investigation, you may be subject to differing sets of rules and regulations. Internal investigators. Typically, computer forensic tools exist in the form of computer software.

Computer forensic specialists guarantee accuracy of evidence processing results through the use of time-tested evidence processing procedures and through the use of multiple software tools, developed by separate and independent developers. The use of different tools that have been developed independently to validate results is important to avoid inaccuracies introduced by potential software design flaws and software bugs. The introduction of the personal computer in 1981 and the resulting popularity came with a mixed blessing. Society in general benefited, but so did criminals using personal computers in the commission of crimes. Today, personal computers are used in every facet of society to create and share messages, compute financial results, transfer funds, purchase stocks, make airline reservations, and access bank accounts and a wealth of worldwide information on essentially any topic. Computer forensics is used to identify evidence when personal computers are used in the commission of crimes or in the abuse of company policies. Computer forensic tools and procedures are also used to identify computer security weaknesses and the leakage of sensitive computer data. In the past, documentary evidence was typically stored on paper and copies were made with carbon paper or photocopy machines.

Most documents are now stored on computer hard disk drives, floppy diskettes, Zip disks, and other forms of removable computer storage media. Computer forensics deals with finding, extracting, and documenting this form of "electronic" documentary evidence. Along the way, prior to formally pursuing a cyber forensics investigation, several important and critical questions must be asked:

The growing use of ICT for administration of all the spheres of our daily life cannot be ignored. Further, we also cannot ignore the need to secure the ICT infrastructures used for meeting these social functions. The threat from "malware" is not only apparent but also very worrisome. There cannot be a single solution to counter such threats. We need a techno-legal "harmonised law". Neither pure law nor pure technology will be of any use. Firstly, a good combination of law and technology must be established and then an effort must be made to harmonise the laws of various countries keeping in mind common security standards. In the era of e-governance and e-commerce a lack of common security standards can create havoc for the global trade in goods and services. The tool of Cyber Forensics, which is not only preventive but also curative, can help a lot in establishing a much needed judicial administration system and security base.

Referred Works

1. Praveen Dalal, Cyber Security In India: An Ignored World

2. Praveen Dalal,
Cybercrime and cyberterrorism: Preventive defense for cyberspace violations

3. Praveen Dalal,
Cyber Forensics In India

4. Shayam Prasad,
Law Enforcement In India Needs Techno-Legal Training

5. Techtalk,
Home Ministry Of India Is Taking Wrong Cyber Security Measures

6. Techtalk,
Crime and Criminal Tracking Network And Systems Of India

7. Praveen Dalal,
TECHNO-LEGAL SUPPORT AND TRAINING FOR CRIME AND CRIMINAL TRACKING NETWORK AND SYSTEMS (CCTNS) PROJECT OF INDIA

8. Praveen Dalal,
TECHNO-LEGAL JUDICIAL TRAINING IN INDIA

9. Praveen Dalal,
E-COURTS IN INDIA: AN ESSENTIAL JUDICIAL REFORM

10. University of California at Berkeley, School of Information Management and Systems, October 2000,
http://www.sims.berkeley.edu/how-much-info/.

11. Designing a Document Strategy: Documents…Technology…People. Craine, K., MC2 Books, 2000.

12.
http://www.cyber-forensic-analysis.com/CyberForensicsIndex.pdf

13 Praveen Dalal, "Securing cyberspace by private defence",

14. Praveen Dalal, "ICT strategy in India: The need of rejuvenation.

15
http://indiatoday.intoday.in/site/Story/79215/India/Chinese+hackers+target+PMO+computers+.html

16. Tabrez Ahmad, Lessons for India in the Backdrop of Chinese Hackers Attack on PMO