The advent and widespread usage of the Internet have revolutionized our lives, offering immense convenience and efficiency. India, in particular, has made impressive strides in embracing this technology. The financial year 2022-23 witnessed an unprecedented surge in digital transactions in the country, crossing the remarkable milestone of 10,000 crore. However, amid these remarkable advancements, the dark side of this convenience has become increasingly apparent, leaving us vulnerable to the perils of cybercrime. Alarming statistics reveal a staggering 125 percent increase in reported cybercrime cases, with 10.29 lakh cases registered on the Indian Cybercrime Coordination Centre (I4C) portal in 2022, compared to the previous year. Furthermore, the National Cybercrime Helpline has witnessed a rapid surge in cyber complaints, receiving an overwhelming 49 lakh calls during the same year. Astonishingly, less than 2 percent of these complaints resulted in the registration of First Information Reports (FIRs).
Today, the cyber world grapples with an array of cybercrimes ranging from online harassment to financial fraud, social media fraud, e-commerce fraud, and email-related fraud. What makes matters worse is that cybercriminals do not necessarily possess complex skills or techniques, as they can readily obtain malware toolkits to facilitate their malicious activities. In the Indian context, cyber fraudsters, particularly, are predominantly found within the age group of 18 to 35 and have received only basic schooling. It is crucial to note that cybercrime has evolved into a profit-driven industry, with criminals actively developing training modules to enhance their illicit operations.
Given the escalating concerns surrounding cyber threats, cybersecurity has emerged as a critical issue for businesses, individuals, and various services. Cybercriminals frequently employ anonymization and obfuscation technologies to carry out their illicit activities, adding to the challenges faced by law enforcement agencies. There are eight primary external and internal threats emanating from the cyberspace landscape, including cyber espionage, supply chain attacks, cyber terrorism, ransomware, disruption of critical infrastructure, service disruptions, inter-state organized cybercrime, and cyber financial fraud.
International cybercriminal syndicates operating from regions such as West Asia and Southeast Asia have been utilizing illegal loan apps, Ponzi schemes, gaming platforms, and dating apps to carry out their illicit operations. Through an analysis of the origins of approximately 11 lakh cases of cyber financial fraud, specific states and districts in India have been identified as hotspots. Notably, six districts—Bharatpur, Mathura, Nuh, Deoghar, Jamtara, and Gurugram—accounted for approximately 70 percent of all financial fraud complaints, while the remaining 20 districts accounted for a staggering 99 percent.
At present, the Information Technology Act of 2000 serves as the principal legislation governing cyberspace in India, with its last amendment dating back to 2008. This legal framework, along with its subsequent amendments, provides an enabling environment for the legal recognition of e-commerce, e-governance, electronic records and transactions, e-signatures, cybercrimes, and associated punishments and penalties. Additionally, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules of 2023 specifically address the regulation of internet-enabled businesses, intermediaries, social media platforms, and mobile applications.
To combat the mounting cyber threats, India has established several agencies dedicated to countering such crimes. These include the Computer Emergency Response Team-India (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC), and the Indian Cybercrime Coordination Centre (I4C). CERT-In operates as the national nodal agency for responding to computer security incidents, while NCIIPC serves as the central body responsible for safeguarding critical information infrastructure from unauthorized access, modification, disruption, and incapacitation. I4C, on the other hand, provides a comprehensive framework and ecosystem for law enforcement agencies, facilitating a coordinated and comprehensive approach to combat cybercrime. It operates through its seven verticals, namely the cybercrime reporting portal, threat analysis unit, forensics, training, research, coordination, and ecosystem management units.
The investigation of cybercrimes poses unique challenges, primarily due to the anonymous nature of perpetrators, the volatility of digital evidence, the susceptibility to data contamination, and the borderless nature of cyberspace. To address this, the first Cyber Forensic Laboratory was established in Hyderabad, subsequently elevated to become the National Cyber Forensic Laboratory. Additionally, a National Cybercrime Forensic Laboratory, situated in New Delhi, aids investigating officers in conducting forensic analysis of digital evidence. Currently, a nationwide network of forensic laboratories, recognized as ‘Examiner of Electronic Evidences,’ exists. However, given the escalating scale of cybercrime and cyber fraud, along with the exponential growth of digital data, the existing facilities are proving insufficient. Therefore, there is an urgent need to establish more cyber forensic laboratories staffed by professional digital analysts.
CERT-In has identified four major threats in the cyber landscape, namely espionage, supply chain attacks, cyber terrorism, and ransom ware. Furthermore, the government has identified seven critical sectors of the economy that are particularly vulnerable to cyber threats. These sectors include banking and financial services, telecom, power and energy, transport, health, strategic and public enterprises, and government institutions. Cybercriminals exploit various techniques such as fake emails and bogus websites to gain unauthorized access to sensitive government departments. In cases of cyber terrorism, malicious actors employ customized applications on smartphones, employing encryption, offline data storage, and automatic deletion after a certain period. This modus operandi was detected in notable incidents such as the 2019 Pulwama attack and the 2022 Udaipur beheading. Ransomware attacks are also on the rise, with prominent entities such as AIIMS, Jawaharlal Nehru Port Trust, and SpiceJet falling victim to such malicious acts. CERT-In has identified three major challenges in dealing with these threats: lack of cyber hygiene resulting from the use of unsupported software, inadequate proficiency in advanced forensic skills, and insufficient action on cyber threat intelligence.
It has become evident that the existing provisions of the Information Technology Act are insufficient to keep law enforcement agencies one step ahead of cybercriminals. Therefore, the pressing need for a comprehensive legal framework to bridge the gaps in the current legislation cannot be emphasized enough. Such a framework should encompass victim protection measures, trial proceedings conducted through video conferencing, and the establishment of dedicated special courts.
Moreover, immediate attention is required to address other challenging issues, including the lack of trained manpower, financial resources, absence of minimum cyber standards, inadequate cyber hygiene practices, and excessive reliance on foreign vendors. At the state level, efforts should be made to enhance cyber capacity-building and establish dedicated and trained technical cadres within the police force. Each state should consider establishing a dedicated cybercrime coordination center on the lines of I4C to focus on tackling local cyber threats. Hotspot areas also demand targeted attention and initiatives.
Given the enormous stakes involved in the cyber world, taking chances is simply not an option. As Bill Gates once emphasized, “Security is our top priority because for all the exciting things you will be able to do with computers—organizing your lives, staying in touch with people, being creative—if we don’t solve these security problems, people will hold back.”
