#dnaEdit: Lurking dangers

The leak of nearly five million usernames and passwords, allegedly associated with Google’s Gmail accounts, has turned the spotlight on data security. Google denied any compromise of its system and blamed the use of malware-infected computers and sharing Google usernames and passwords with untrusted websites. In recent weeks, the US has been roiled by the leak of celebrity nude photos that has posed questions about data protection in cloud-storage services hosting mobile phone data. This April saw a worldwide scare over the “Heartbleed” bug, a vulnerability allowing theft of the server data including users’ session cookies and passwords, which made thousands of webservers susceptible to attacks. India, aiming to become the “back office” of the world, has responded in a typical haphazard fashion to the emerging threats. While Indian businesses, especially BPO firms and financial service companies, have generally tightened security after detecting cyber thefts, frauds and hacking incidents, the government’s policy responses and law-enforcement mechanisms have failed to keep pace with the unfolding challenges.

The National Crime Records Bureau data for 2013 indicates a 122.5 per cent jump in cyber offences from 2012. Hacking accounted for 60 per cent of the 5,693 offences registered under the Information Technology Act. Sexual harassment and economic fraud was the respective motive behind 20 and 21 per cent of the crimes. A cyber-crime cell in each state, the initial police response, has been rendered inadequate with the spurt in crimes. The approach has now shifted to creating cyber-crime police stations but most states have been unable to allocate adequate funds. Kerala, which initially proposed such police stations in every district, has whittled down the proposal to three major cities which will act as regional hubs. Amid this tardy pace of reform, cases registered are a small subset of the complaints received and convictions negligible in the absence of standardised forensic evidence collection practices.

The policy response — restricted for long to the framing of the IT Act and the ill-defined IT Act Rules — is no better. The Centre belatedly released the National Cyber Security Policy-2013, which has mostly languished on paper.

The policy visualises emergency response teams, regular security audits, risk assessment systems, regulatory frameworks, and protection of critical infrastructure and information. The plan to create five lakh cyber security personnel in the next five years to support the economy, IT companies, and e-governance initiatives against cyber attacks has not taken off. But the proposed ban on ministers and bureaucrats using popular e-mail services having servers located abroad, as a response to the all-pervasive US-run National Security Agency surveillance programme, and instead use the National Informatics Centre e-mail service, indicates changing threat perceptions.

Most instances of corporate fraud have revealed the hand of an insider plugging in malicious code to steal real-time business data and acting in association with accomplices in remote locations and even foreign countries. As a result, insuring against data theft is a growing corporate practice now. Like individuals unwilling to pursue cyber cases to their logical conclusion after filing complaints, companies prefer to settle the offences in-house fearing adverse publicity and loss of business. When unscrupulous employees escape without facing prosecution, the perception that crime can go unpunished strengthens. This has a knock-on effect that renders the vast multitude of consumers gullible to confidence tricksters out to steal financial and personal information. Unless the government, private sector and civil society come together, the challenges in this networked environment could prove difficult to surmount.