cybercrime booklet

Upload: rajesh-das

Post on 03-Apr-2018


TRANSCRIPT

  • 7/28/2019 Cybercrime Booklet

    1/28

    GOVERNMENT AND PUBLIC SECTOR

    Cybercrimes

    A Financial Sector View


    In a digital age, where online communication has become the norm, internet users and governments face increased risks of becoming the targets of cyber attacks. As cyber criminals continue to develop and advance their techniques, focusing on theft of financial information, business espionage and accessing government information is of prime requirement. To fight fast-spreading cyber crime, governments must collaborate globally and with various stakeholders to develop an effective model that will control the threat.

    India has had its share of incidences in Cybercrimes and more often in the Financial Sector this has often significantly impacted investor confidence. It is time that cybercrimes is not just thought of as a security issue or a technology issue. It is at the very heart of how a business or Government builds trust with customers as well as how it builds and protects its Brand value.

    In view of the above scenario, Directorate of Information and Technology, Government of Maharashtra has planned this conference on Cybercrimes: A Financial Sector view. The aim is to share with the government authorities and financial and legal sector experts the current scenario of cybercrimes in the financial domain and the challenges faced by the legal ecosystem in keeping pace with the current leap of cybercrimes.

    I wish warm regards to the success of the conference and hope it will be knowledgeable and useful to the participants.

    Shri. Prithviraj Chavan

    Hon'ble Chief Minister of Maharashtra


    Recent reports on Cybercrimes launched against large companies specifically in the financial Sector demonstrate that protecting and securing data is more important now than ever before. Cyber attacks cause an impact on not only the brand value and revenue for the companies but more severely impact the trust of the customers involved in the system. In view of the given challenges, identifying how data compromise occurs and understanding the legal and operational challenges and identifying the different mechanisms of dealing with these challenges faced would arm the system better to fight this menace.

    The conference takes a peek on the current scenario of cybercrimes at the National level with a focus on Mumbai, the targeted victims, types of cybercrimes and steps to be taken for securing critical financial infrastructure. It also focuses on the current legal framework available and some of the major challenges faced by the Government Authorities, financial sectors and the judiciary itself. We also look forward to a complete session on the Challenges of dealing with the menace of Cyber Crimes in terms of the Human Capacity, Technology, Jurisdiction and legal issues.

    The group of panelists is highly qualified professionals from the Financial sector and the legal fraternity who bring in extensive knowledge and case study learnings in the field of Cybercrimes. This conference aims at understanding the menace well and analyzing various challenges and ways of curbing its effect and work towards a more safe and secure Technology based financial transaction environment.

    Shri. Rajesh Aggarwal

    IAS, Secretary Information and Technology, Government of Maharashtra


    A nation's cyberspace is part of the global cyberspace; it cannot be isolated to define its boundaries since cyberspace is borderless. This is what makes cyberspace unique. Unlike the physical world that is limited by geographical boundaries in space (land, sea, river waters, and air), cyberspace can and is continuing to expand. Increased Internet penetration is leading to growth of cyberspace, since its size is proportional to the activities that are carried through it.

    Cyber security is part of national security. Cyberspace merges seamlessly with the physical world. So do cyber crimes. Cyber attackers can disrupt critical infrastructures such as financial and air traffic control systems, producing effects that are similar to terrorist attacks in the physical space. They can also carry out identity theft and financial fraud; steal corporate information such as intellectual property; conduct espionage to steal state and military secrets; and recruit criminals and others to carry out physical terrorist activities.

    Anyone can exploit vulnerabilities in any system connected to the Internet and attack it from anywhere in the world without being identified. As the Internet and new technologies grow, so do their vulnerabilities. Knowledge about these vulnerabilities and how to exploit them are widely available on the Internet. During the development of the global digital Internet and communications technology (ICT) infrastructure, the key considerations were interoperability and efficiency, not security. The explosion of mobile devices continues to be based on these insecure systems of Internet protocols.

    It is increasingly cheap to launch cyber attacks, but security systems are getting more and more expensive. This growing asymmetry is a game changer. It has another dimension, too: individuals, terrorists, criminal gangs, or smaller nations can take on much bigger powers in cyberspace, and through it, in the physical world, as well. The effects of attacks on critical infrastructure such as electricity and water supplies are similar to those that would be caused by weapons of mass destruction, without the need for any physical attacks.

    Cyber security is a global problem that has to be addressed globally by all governments jointly. No government can fight cybercrime or secure its cyberspace in isolation. The consequences of a cyber attack are more likely to be indirect and more uncertain than most scenarios currently envision; we may not always recognize the damage inflicted by cyber attackers.

    Cyber security is not a technology problem that can be solved; it is a risk to be managed by a combination of defensive technology, astute analysis and information warfare, and traditional diplomacy. Cyber attacks constitute an instrument of national policy at the nexus of technology, policy, law, ethics, and national security. Such attacks should spur debate and discussion, without any secrecy, both inside and outside governments at national and international levels.

    Dr. Kamlesh Bajaj

    CEO, Data Security Council of India


    The increasing use of technology, particularly by businesses to drive its operations and to deliver world class services has led to the evolution of a new threat. The growth of complexity and access to technology has made us more susceptible to hi-tech crime which is also a new form of business threat that requires a fundamental shift in risk management arena of businesses, particularly in the financial domain where the risk is very high.

    Seriousness could be ascertained from the report published by the World Economic Forum: Global Risks 2012 in which Cyber threat is rated as serious threat to the world based on likelihood of impact. Cyber threats are real and its impact could be felt across borders, businesses and communities.

    KPMG in India is proud to be associated as the knowledge partner of this conference on Cyber crimes: A financial sector view and thus continue our association with this prestigious event for the Government of Maharashtra. We would like to think of this event as a confluence of thought leadership, where business and technology streams meet to discuss, share, evaluate, strategise and provide insights for the evolution of secure business practices.

    This conference in association with the Government of Maharashtra and Nasscom focusses on issues and trends of cyber crimes in the financial domain, and how the industry is dealing with this new type of crime. Considering the dependency of banking businesses on the internet and the medium's vast reach, cyber crime could pose a threat to the financial sector and partnerships need to be formed to fight this crime.

    These threats can be suitably addressed by sharing insights, experiences, ideas and key skill sets and working through these issues with subject matter specialists. This would also help create secure and robust business practices against existent threats to gain competitive business advantages through business continuity. We at KPMG would like to facilitate this entire process of collaborating thoughts on cyber security and try to present various scenarios related to cyber security in the financial domain which could impact the industry in future.

    As we know, technology is no longer an enabler, but seen as a business driver. We hope you will appreciate the insights and concerns presented before you and are able to benefit from the thoughts presented at this event.

    Navin Agrawal

    Partner, IT Advisory, KPMG in India


    Contents

    Financial Service Sector Overview

    Technological Risk

    Time and money spent

    Threat

    Types of crimes in Financial sector

    Statistics - Global & India & focus Mumbai

    Legal Framework Support

    Key Challenges/concerns which needs to be addressed

    Challenges faced by governments

    Way forward


    Currently, there are nearly 2 billion internet users and over 5 billion mobile phone connections worldwide.

    Everyday, 294 billion emails and 5 billion phone messages are exchanged.

    50,000 Victims every hour

    820 Victims every minute

    14 Victims every second [1]

    Most people around the world now depend on consistent access and accuracy of these communication channels. Among all cybercrime victims surveyed 80 percent were from emerging markets, compared to 64 percent in developed markets.

    The US Government estimates American businesses suffered losses of intellectual property totaling more than USD 1 trillion from cyber attacks.

    With over five billion mobile phones coupled with internet connectivity and cloud-based applications, daily life is more vulnerable to cyber threats and digital disruptions. The related constellation of global risks in this case highlights that incentives are misaligned with respect to managing this global challenge. Online security is now considered a public good, implying an urgent need to encourage greater private sector engagement to reduce the vulnerability of key information technology systems. A healthy digital space is needed to ensure stability in the world economy and balance of power. [2]

    1 Symantec Cyber Crime Report 2011

    2 World Economic Forum Report Global Report 2012

    1 | Cybercrimes: A Financial Sector View


    Financial Services Sector Overview

    These are challenging times for the banking industry globally, thought provoking and extremely rewarding at the same time. Due to volatile geopolitical and global macroeconomic conditions, many financial institutions have been forced to evaluate their current operating practices and think about where they would like to be in future and more importantly, how to manage growth as well as risk management in line with stakeholder expectations. The Indian banking industry provides strategic opportunities for innovation-led growth, a moot point to meet challenges thrown by the current environment. Technology is likely to play a significant role in guiding this new approach to growth and risk management. [3]

    In financial domain, technology is no longer an enabler, but a business driver. In last decade phenomenal growth of IT, mobile penetration and communication network has facilitated growth in extending financial services to masses. Technology has facilitated delivery of banking services to masses and changed the way of functioning of financial institutions. Technology made banking services affordable and accessible by optimizing the way these institutions operate today. Regulatory bodies, banks and other institutions/agencies have taken paradigm shift in areas of respective operations, service delivery and consumer satisfaction. Financial institutions gained efficiency, outreach, spread through technology in last two decades.

    The benefits of technology such as scale, speed and low error rate are also reflecting in the performance, productivity and profitability of banks, which have improved tremendously in the past decade. Technology initiatives are taken by banks in the areas of financial inclusion, mobile banking, electronic payments, IT implementation and management, managing IT risk, internal effectiveness, CRM initiatives and business innovation.

    3 KPMG in India: IT in Banking Managing the present by looking to the future, August 2008


    Technological Risk

    In a digital age, where online communication has become the norm, internet users, governments and organizations face increased risks of becoming the targets of cyber attacks. As cyber criminals continue to develop and advance their techniques, they are also shifting their targets, focusing less on theft of financial information and more on business espionage and accessing business information. To fight fast-spreading cyber crime, sector must collaborate globally to develop an effective model that will control the threat.

    The issue of primary importance is that no national government operates an effective compilation service to identify trends in cyber-crime with the exception of the Internet Crime Complaint Center (IC3). Most cyber-crime is on such a small scale that law enforcement organizations are not interested in dealing with individual cases, and, in many cases, individuals may not care enough about the amounts involved to take action. Therefore it tends to go unreported. [4]

    Various risks managed by financial bodies are as follows: [5]

    Financial Risks

    Infrastructure Risks

    Technology Risks

    Data Risks

    Human Risks

    4 Cyber Crime A Growing Challenge for Governments July 2011, Volume Eight kpmg.com

    5 Evolving Security Architecture in Banks: IBM 2009

    Source: World Economic Forum Report: Global Risks 2012 Seventh-edition


    Time and Money Spent

    Global Scenario

    USD 114 Billion is total loss of cash in 12 months

    USD 274 Billion is the total loss of time for victims of cyber crime

    On an average, 10 days were spent by victims to satisfactorily resolve hassles of cyber crime.

    Indian Scenario

    USD 4 billion is the total loss of cash in 12 months

    USD 3.6 billion is the total loss of time for victims of cyber crime

    On an average 15 days were spent by victims to satisfactorily resolve hassles of cyber crime. [6]

    Threat

    Among all cybercrime victims surveyed 80 percent were from emerging markets, compared to 64 percent in developed markets.

    Only 21 percent of victims reported cybercrime to the police

    59 percent of victims who'd suffered both online and offline crime felt there were fewer ways to get help after the cybercrime

    In India, 59 percent of mobile phone owners access internet via mobile device out of which 17 percent experienced mobile related cyber crime. [6]

    6 Symantec Cyber Crime Report 2011

    7 KPMG in India: IT in Banking Managing the present by looking to the future, August 2008.

    Types of Crimes in Financial Sector [7]

    Control over the physical world is generally localized, low-tech and underpinned by many well established practices and procedures. The challenge to this seemingly well-oiled machinery is offered by a new paradigm of organized crime: cybercrime.

    The increasing use of the internet by all facets of society has led to the evolution of new field of criminal activity that is defined by its dependence on the internet. While certain aspects of cyber crime are held common with previously existing forms of criminality it is nevertheless true that cyber crime forms a distinct category of its own, one that requires different mechanisms to deal with it. Most of the cyber crime involves multiple, undetectable, small crimes or micro-crimes.

    Although the headline events are those where gangs of organized criminals use technical means to electronically steal millions from banks, successful operations at beginning of decade used simple fraud technique to steal small value denominations from multiple individuals without alerting the victims or the law enforcement agencies. Avenues for these operations could range from gaining illegal access to personal bank accounts to selling access to compromised computers.


    Vendors of online security products have an interest in talking up the threats of cybercrime, while victims of cybercrime often have an interest in remaining silent. It is therefore very difficult for firms and organizations to get a clear picture of the true levels of the risk and needs for investment. Correcting such information asymmetries should be at the centre of policies to improve global cyber security and to ensure an efficient market. Firms have an incentive to invest in cyber security measures that protect their own interests, rather than in those measures that contribute to the health of the overarching critical information infrastructure. Innovative multi stakeholder collaboration will be required to tip the balance towards investment in creating systemic resilience.

    There are no proven secure systems, only systems whose faults have not yet been discovered, so trying to overcome hackability may be as hopeless as denying gravity. Instead, the goal should be finding ways for well-intentioned individuals to identify those faults and deploy remedies to end-users before would-be cyber criminals can discover and exploit them. Experts believe that the levels of resource devoted to this effort are nowhere near adequate, but there are signs that some industries are taking cyber threats more seriously. In November 2011, 87 banks in England participated in a mock cyber attack stress test in preparation for an anticipated increase in attacks during the 2012 Summer Olympic Games. [9]

    9 World Economic Forum Report: Global Risks 2012

    Global dimensions and borderless limits have given rise to new and innovative responses required to the issue of cyber crime or electronic crime. The growth in the off-take of the information highway and telecommunications presents as great a challenge for policing. A hi-tech crime presents a new form of business threat that requires a fundamental shift in policing methodology. [8]

    Financial-services organization provides specialized, private banking products and services to its customers. Its services cover property, investments, capital markets and asset management. Their customer base is its biggest asset, and offering strong protection to these customers is of paramount importance both to retain and grow business, and to protect its reputation for high-quality service.

    Companies in financial domain have experienced increase in instances of cybercrime in past few years. Various levels of cyber crime threats are at each level of IT systems. The emergence of such threats at different levels is due to an explosion of online banking and shopping, coupled with the increasing willingness of consumers to disclose personal information over the internet. Hackers are now enabling a larger market of script-junkies whose deficient skills would otherwise shut them out of the cyber criminal enterprise.

    8 KPMG in India: IT in Banking Managing the present by looking to the future, August 2008


    Type of Attacks | Details

    Viruses and worms | Viruses and worms are computer programs that affect the storage devices of a computer or network, which then replicate information without the knowledge of the user.

    Spam emails | Spam emails are unsolicited emails or junk newsgroup postings. Spam emails are sent without the consent of the receiver, potentially creating a wide range of problems if they are not filtered appropriately.

    Trojan | A Trojan is a program that appears legitimate. However, once run, it moves on to locate password information or makes the system more vulnerable to future entry. Or a Trojan may simply destroy programs or data on the hard disk.

    Denial-of-service (DoS) | DoS occurs when criminals attempt to bring down or cripple individual websites, computers or networks, often by flooding them with messages.

    Malware | Malware is a software that takes control of any individual's computer to spread a bug to other people's devices or social networking profiles. Such software can also be used to create a botnet, a network of computers controlled remotely by hackers, known as herders, to spread spam or viruses.

    Scareware | Using fear tactics, some cyber criminals compel users to download certain software. While such software is usually presented as antivirus software, after some time these programs start attacking the user's system. The user then has to pay the criminals to remove such viruses.

    Phishing | Phishing attacks are designed to steal a person's login and password. For instance, the phisher can access the victim's bank accounts or assume control of their social network.

    Fiscal fraud | By targeting official online payment channels, cyber attackers can hamper processes such as tax collection or make fraudulent claims for benefits.

    State cyber attacks | Experts believe that some government agencies may also be using cyber attacks as a new means of warfare. One such attack occurred in 2010, when a computer virus called Stuxnet was used to carry out an invisible attack on Iran's secret nuclear program. The virus was aimed at disabling Iran's uranium enrichment centrifuges.

    Carders | Stealing bank or credit card details is another major cyber crime. Duplicate cards are then used to withdraw cash at ATMs or in shops.


    Cyber-crime has spawned many entrepreneurs, though of dubious repute. They have given rise to new criminal hacking enterprises aimed not at committing fraud but at providing services to help others commit fraud. This operation enables people to commit crime vicariously, i.e. without any direct perpetration.

    Another model is to create a subscription based identity theft service: rather than stealing personal credentials themselves, cyber criminals have hacked into PCs and then charged clients for a limited period of unfettered access. As is the case with most business services, customers willing to pay extra can obtain premium services such as a complete clean-up of the stolen data, i.e. getting rid of low-value information and assistance with indexation and tagging of data, etc. [10]

    New skills, technologies and investigative techniques, applied in a global context, are required to detect, prevent and respond to cyber-crime. This is not just about the realignment of existing effort. This new business will be characterized by new forms of crime, a far broader scope and scale of offence and victimization, the need to respond in a much more timely way, and challenging technical and legal complexities. Innovative responses such as the creation of cyber-cops, cyber-courts and cyber-judges may eventually be required to overcome the significant jurisdictional issues that law and order agencies are currently facing.

    Figure: Framework for Cyber threats and responses (Source: World Economic Forum Report-Global Risks 2012 Seventh-edition)

    Law enforcement with regard to investigating crimes and handling evidence, dealing with offenders, and assisting victims, poses complex new challenges. There is an unprecedented need for international commitment, coordination and cooperation since cyber-crime is truly a global phenomenon. It is also important to have a better understanding about the nature of the problem and to address the issue of significant under-reporting of this dangerous phenomenon. Prevention and partnerships will be essential to fight cyber crime. [10]

    10 KPMG in India: IT in Banking Managing the present by looking to the future, August 2008


    Statistics - Global & India and special focus on Mumbai

    Cyber security is on top priority list of various financial organizations, regulators and governments. Cyber attacks ranked fourth in top global risks in terms of likelihood in World Economic Forum Report: Global Risks 2012.

    Figure: Top 5 global risks in terms of likelihood (Source: World Economic Forum Report-Global Risks 2012 Seventh-edition)


    Legal Framework Support

    The Data Security Council of India (DSCI) and the Department of Information Technology (DIT), India are the prime bodies looking towards the cyber security in India. To cater to the needs of cyber security issues, India has implemented IT Act 2000 and revised IT (Amendment) Act 2008.

    Emergence of Information Technology Act, 2000

    The Information Technology Act 2000 was enacted after the United Nations General Assembly Resolution A/RES/51/162, on 30th January, 1997 by adopting the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This was the first step towards the Law relating to e-commerce at international level to regulate an alternative form of commerce and to give legal status in the area of e-commerce. It was enacted taking into consideration United Nations Commission on International Trade Law (UNCITRAL) model of Law on e-commerce 1996.

    The Act was aimed to provide the legal infrastructure for e-commerce in India. The Information Technology Act, 2000 also aimed to provide for the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means. The Act states that unless otherwise agreed, an acceptance of contract may be expressed by electronic means of communication and the same shall have legal validity and enforceability.

    Different types of cyber crimes have been described as offences under Chapter IX. Several crimes like hacking, phishing, data theft, identity theft, denial of service, spreading of virus, source code theft, sending lewd SMS/MMS/Email, pornography, child pornography and disclosure of information by organizations have been looked in detail.

    The IT Act, 2000 provides for the constitution of the Cyber Regulations Advisory Committee which has been advising the government as regards to any rules or for any other purpose connected with the act. The Act also has Five Schedules, the last one being the glossary and others which amend the Indian Penal Code, 1860, the Indian Evidence Act, 1872, The Bankers' Books Evidence Act, 1891, The Reserve Bank of India Act, 1934 to make them in tune with the provisions of the Act. [11]

    11 The Gazette of India, Extraordinary part -2, http://eprocure.gov.in/cppp/sites/default/files/eproc/itact2000.pdf


    Currently, the IT Act, 2000 has been amended by the Information Technology (Amendment) Act, 2008. This law provides the legal infrastructure for Information Technology in India. The said Act along with its 90 sections is to be conceived with 23 rules called the IT rules, 2011.

    Noteworthy provisions under the IT Act, 2000

    Section | Cyber Crime Type | Penalty

    Sec-43 | Damage to Computer system etc. | Compensation for Rupees 1 crore

    Sec-66 | Hacking (with intent or knowledge) | Fine of 2 lakh rupees, and imprisonment for 3 years

    Sec-67 | Publication of obscene material in e-form | Fine of 1 lakh rupees, and imprisonment of 5 years, and double conviction on second offence

    Sec-68 | Not complying with directions of controller | Fine upto 2 lakh and imprisonment of 3 years

    Sec-70 | Attempting or securing access to computer | Imprisonment upto 10 years

    Sec-72 | For breaking confidentiality of the information of computer | Fine upto 1 lakh and imprisonment upto 2 years

    Sec-73 | Publishing false digital signatures, false in certain particulars | Fine of 1 lakh, or imprisonment of 2 years or both.

    Sec-74 | Publication of Digital Signatures for fraudulent purpose | Imprisonment for the term of 2 years and fine for 1 lakh rupees

    IT Act 2000. http://www.mit.gov.in/content/it-act-2000-dpl-cyber-laws


    Key challenges/concernswhich needs to be addressed

    Cyber Security Legal Issues

    The major concern is primarily attacks on

    networks and the need or coming up with

    appropriate legislative rameworks or

    enhancing, preserving and promoting cyber

    security. Lawmakers needs to come up with

    appropriate enabling legal regimes that not

    only protect and preserve cyber security, butalso urther instill a culture o cyber security

    amongst the netizen Large number o existing

    cyber legislations across the world, do not

    yet address important issues pertaining

    to cyber security. A more renewed ocus

    and emphasis on coming up with eective

    mandatory provisions is required which would

    help protect, preserve and promote cyber

    security in the context o use o computers,computer systems, computer networks,

    computer resources as also communication

    devices.

    Mobile law challenges

    As the mobile users in India are increasing

    considerably, the use o mobile devices

    and content generated there rom are likely

    to bring orth signicant new challenges

    or cyber legal jurisprudence. There are no

    dened jurisdictions dedicated to laws dealing

    with the use o communication devices and

    mobile platorms. As increasingly people use

    mobile devices or output and input activities,

    there will be increased emphasis on meeting

    up with the legal challenges emerging with

    the use o mobility devices, more so inthe context o mobile crimes, mobile data

    protection and mobile privacy.

    Spam galore

    As more and more users get added to the Internet and mobile bandwagon, email and mobile spammers will find increasingly innovative methodologies and procedures to target digital users. Law makers are likely to be under pressure to come up with effective legislative provisions to deal with the menace of spam.

    Cloud computing legal issues

    As India is moving towards the adoption of cloud computing, various important legal challenges pertaining to cloud computing will continue to seek attention of Cyberlaw makers. Cloud computing brings with it various distinctive new challenges including that of data security, data privacy, jurisdiction and a variety of other legal issues.

    Social media legal issues

    In recent times there have been increasingly significant legal issues and challenges raised by social media. As social media websites continue to become the fertile ground for targeting by all relevant lawyers, law enforcement agencies and intelligence agencies, social media continues to become the preferred repository of all data. As such, social media crimes are increasing dramatically. Inappropriate use of social media is further increasing, thereby leading to various legal consequences for the users.

    The concept of privacy in the context of social media is greatly undermined, despite efforts to the contrary made by some stakeholders. Cyberlaw makers across the world have to face the unique challenge of how to effectively regulate the misuse of social media by vested interests and further how to provide effective remedy to the victims of various criminal activities on social media.

    Way Forward

    The Information Technology Act, 2000 and its amendment in 2008 provide certain kinds of protection, but do not cover all the spheres of IT where protection must be provided. Copyright and trademark violations do occur on the net, but the Copyright Act, 1976 and the Trademark Act, 1994 are silent on anything that specifically deals with the issue. There is no enforcement machinery to ensure the protection of domain names on the net. Transmission of e-cash and transactions online are not given protection under the Negotiable Instruments Act, 1881. Online privacy is not protected; only Section 43 (penalty for damage to computer or computer system) and Section 72 (Breach of confidentiality or privacy) talk about it to some extent, but they do not hinder the violations caused in cyberspace.

    Even Internet Service Providers (ISPs) who transmit third party information without human intervention are not made liable under the Information Technology Act, 2000. It's hard to prove the commission of an offence, as the terms "due diligence" and "lack of knowledge" have not been defined anywhere in the Act. The Act also doesn't mention how extraterritoriality would be enforced. This aspect is completely ignored by the Act, although it had come into existence to look into cyber crime, which is on the face of it an international problem with no territorial boundaries.

    The Act has its own advantages, as it gave legal recognition to electronic records, transactions, authentication and certification of digital signatures, prevention of computer crimes etc., but at the same time it is inflicted with various drawbacks: it doesn't refer to the protection of Intellectual Property rights, domain names, cyber squatting etc. This inhibits corporate bodies from investing in Information Technology infrastructure. Cryptography is a new phenomenon to secure sensitive information. There are very few companies at the present date which have this technology. Millions of others are still exposed to the risk of cyber crimes.

    India needs to update the Law, whether by amendments or by adopting a sui generis system. Though the Judiciary continues to comprehend the nature of computer related crimes, there is a strong need to have a better law enforcement mechanism to make the system workable.


    Challenges faced by governments

    Although governments are actively focused on fighting and preventing cyber criminals from damaging infrastructure, the very nature of cyberspace poses a number of challenges to the implementation of cyber regulations in any country. Within cyberspace it is often difficult to determine political borders and culprits. Furthermore, the cyber criminal community and their techniques are continuously evolving, making it more challenging for governments and companies to keep up with ever-changing techniques.

    Tracking the origin of crime

    According to Rob Wainwright, Director of Europol, criminal investigations of cyber crimes are complex, as the criminal activity itself is borderless by nature. Tracing cyber criminals poses a challenge.12 While many experts speculate that the cyber attacks on Estonia and Georgia, for instance, were directed by the Russian cyber agencies, some of the attacks have been traced to computers originating in Western countries.

    Growth of the underground cyber crime economy

    A major threat that may hamper the fight against cyber crime is the growth of an underground economy, which for many cyber criminals can be a lucrative venture. The underground economy attracts many digital experts and talented individuals with a specialty around cyber initiative. In the cyber underworld, the hackers and organized crime rings operate by selling confidential stolen intelligence. Research shows that criminals are trading bank account information for US$10125, credit card data for up to US$30 per card, and email account data for up to US$12.13 Often, the acquired data is used in illegal online purchases and in exchange for other monetary transactions. The untraceability of the origin of these transactions poses a major challenge to government agencies in their efforts to fight crimes of this nature.

    Shortage of skilled cyber crime fighters

    Implementing cyber security measures requires skilled manpower. However, most countries face a shortage of skilled people to counter such cyber attacks. According to Ronald Noble, Head of Interpol, "An effective cyber attack does not require an army; it takes just one individual. However, there is a severe shortage of skills and expertise to fight this type of crime; not only at Interpol, but in law enforcement everywhere." Moreover, most trained or skilled people are recruited by the private sector, as it offers higher financial rewards. In the UK, the PCeU has experienced this shortage first hand, with only 40 core team members.88 Similarly, in Australia, the majority of the cyber crime incidents, particularly minor incidents, remain unsolved or are not investigated due to the lack of eForensic skills and expertise.

    Widespread use of pirated software

    One of the major challenges to preventing cyber crime is the prevalence of software piracy, as pirated software is more prone to attacks by viruses, malware and trojans. Experts believe that rapid growth of consumer PC markets in emerging countries - such as India, Brazil and China - has contributed largely to the rising piracy rates. The pirated software can include not only games, movies, office applications and operating systems, but also security software. Often, users prefer to obtain pirated security software rather than purchase and upgrade a legal version, thereby increasing the vulnerability of their systems to cyber attacks. For instance, one of the reasons for the spread of the Conficker virus in 2008 was the lack of automatic security updates for unlicensed software. The issue becomes more significant for those countries where pirated software is a common occurrence. China, which is one of the largest such markets, reported that nearly US$19 billion was spent on pirated software in 2009. In India, the unlicensed software market value stands at nearly US$2 billion. Ensuring cyber security is also a major challenge for Gulf Cooperation Council (GCC) countries, where 50 percent of software is pirated.15

    12 E-Crime Survey 2009, KPMG International

    13 War in the fifth domain, Economist, July 1, 2010

    14 Will the U.S. get an Internet kill switch?, Technology Review, March 4, 2011

    15 KPMG International, Issues Monitor: Cyber Crime - A Growing Challenge for Governments (July 2011, Volume Eight)


    Way forward

    Experts believe that to fight the borderless and continuously evolving cybercrime, global leaders must collaborate in joint initiatives. Nigel Inkster, an expert on cyber threats at the International Institute for Strategic Studies, stated, "Thus far, the discussion on how to set international standards on cyber has been very low profile and largely confined to the margins of the UN General Assembly." However, to overcome significant diplomatic hurdles, a concerted effort on the part of governments must be in place. In April 2010, the UN rejected a treaty on global cyber crime, due to disagreements over national sovereignty issues and concerns for human rights. Many countries have expressed a concern over the new cyber laws. Russia, as one of the examples, has refused to endorse the Budapest Convention on Cybercrime, which allows police and other legal entities to cross national boundaries without the consent of local authorities, in order to access computer servers.

    However, country officials in most developed nations do agree on the establishment of policies to protect cyberspace against criminals. Experts believe that developed countries such as the US should encourage other countries to introduce policies against cyber attacks, in a similar fashion as they do for nuclear weapons, missile defense and space. "The US has to frame a much clearer strategy with regard to cyber (warfare)," said Greg Austin, Vice President of Program Development and Rapid Response at the EastWest Institute. The US supports an International Telecommunication Union plan, which obligates the country of origin of cyber crime acts to conduct investigation. The US also supports a Russian initiative that has called for a UN panel to work on cyber-arm limitations. However, experts believe that the implementation of such a coordinated initiative might take a few more years.

    Apart from bilateral and multi-lateral initiatives between governments, much can be achieved by cooperating with the private companies that own and control the majority of the cyberspace network. Network owners or internet-service providers can take more responsibility to help identify cyber attacks and attackers on user computers, and take the necessary steps to counter such attacks. Experts believe that while such preventive measures may not completely eliminate cyber espionage, they can certainly make cyberspace a much safer place.13

    13 KPMG International, Issues Monitor: Cyber Crime - A Growing Challenge for Governments (July 2011, Volume Eight)


    KPMG Contacts

    Navin Agrawal

    Partner and Head

    Management Consulting

    T: +91 22 3090 1720

    M: +91 99670 16367

    Mahesh Gharat

    Manager

    Management Consulting

    T: +91 22 3091 3352

    M: +91 98337 32033

    kpmg.com/in

    NASSCOM Contacts

    Chetan Samant

    Manager

    M: +91 98203 04982

    DIT Contacts

    Suryakanth Jadhav

    Director - IT

    M: +91 98209 22647

    The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

    © 2012 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

    The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of