Searching for Solutions to the Threat of Cyber Crimes
Business Entities have of late been realizing that threats from Cyber Space have increased beyond the critical point where they can either be ignored or covered as a normal business loss. As Cyber Crime is getting more and more targeted towards financial benefits, the CEOs need to realize that "Cyber Extortions" are a reality. The "Internet Underground Mafia" is developing on the successful model of the physical world where extortionists have donned the robe of "Protectionists", "Politicians" and compromised law enforcement through threats, corruption and other illegal means.
If Netizens don't wake up and claim their "Right to Protection", they will soon be reduced to the sorry state of their citizen counterparts and become helpless observers of the erosion of the society.
Two key areas of attention in checking the menace are the need to discourage proliferation of "Crime Ware Services" and the need to encourage "Crime Prevention Services".
The "Crime-ware Services" include provision of hosting services to criminal organizations who launch Phishing attacks, spread malicious code and distribute hacking tools. The offenders operate in the form of ISPs and are often difficult to separate from genuine ISPs whose services are very essential for the positive use of technology by the masses. The legislative immunity some of these "Intermediaries" enjoy is often misused by the black sheep in the community to carry on the illegal hosting of Crime ware services. "Privacy" is often the shield these service providers use when asked for information leading to an investigation of a cyber crime. Even reputed e-mail service providers such as Google have started hiding the IP addresses of e-mail senders, making it impossible for e-mail receivers to trace the e-mail sender. The ISPs refuse direct requests from e-mail fraud victims to reveal the details of the IP address. Sometimes the requests are rejected even when the law enforcement agency makes a formal demand.
There is an immediate need for ISPs to make the IP address query a public service not protected by privacy concerns. Information on whether an individual has sent an e-mail, or whether he has posted a comment on a message board, is not to be considered "Sensitive Private Information", since it hurts somebody else on the receiving side. The dictum "My Privacy Right Ends where my neighbour's nose begins" applies to the situation: the rights of an e-mail sender end where the rights of the e-mail receiver begin. Every ISP should therefore be subjected to a "Right To Information" policy according to which the public, a person, or a recipient of an e-mail or an electronic message should be rightfully entitled to demand the identity of the e-mail sender. Failure to furnish this information should be made a punishable offence.
"Crime Prevention Services" include "Security Awareness Education", "Cyber Crime Victim Assistance", "Cyber Security Services", "Cyber Forensic Services" etc. Except for a handful of organizations such as Naavi.org, there are not many persons/organizations from the private sector which are presently into "Security Awareness Education Services". The few organizations which are into "High End Security Education" often provide "Ethical Hacking Training", which could very easily be misused by criminals in the making. The lack of proper regulation of such "Ethical Hacking Training Establishments" is a point of concern to the society.
The Government machinery needs to act in the direction of encouraging well-meaning private agencies to start Crime Prevention Services. In the Indian context, CERT-IN is the only Government organization apart from the Police Machinery which is engaged in activities which can be termed Crime Prevention Services. While CERT-IN is involved in information dissemination, Cyber Crime Police Stations have the responsibility of providing services to the Citizens which give them a feeling of living in a "Protected Society".
Towards this end, we need to establish at least one Cyber Crime Police Station/Cell in every district in the Country. We also need to ensure that Cyber Crime Police Stations don't refuse registration of complaints on unacceptable grounds, by making registration of complaints mandatory through an online process, and by making registration or refusal to register FIRs a transparent process through posting the preliminary investigations of the IO online with every registered complaint.
CERT-IN should also try to establish a network of private sector agencies as partners in its education programme by enrolling them as "Accredited Cyber Security Agencies".
Apart from the measures indicated above towards strengthening the infrastructure for fighting against Cyber Crime, it is necessary for Corporates and Individuals to be provided with a suitable "Cyber Crime Insurance Programme" which enables non-experts to off-load their security concerns to the Insurance industry.
In order to develop the "Cyber Crime Insurance Industry" we need:
1) Effective Cyber Crime Statistics
2) Evaluation of financial value of insured assets
3) Effective standards for Techno Legal Cyber Crime Security
4) Development of different insurance policies to meet the needs of different types of users
Effective Cyber Crime Statistics will be generated if the public can register online complaints. Insurance agencies will benefit from actuarial evaluation if the suggestion that the Police should file their investigative reports online for public information is implemented.
Development of private sector crime detection and investigation agencies on the basis of accreditation with CERT-IN will go a long way in reaching out to the victims. The suggestion that ISPs should submit IP tracing information to the public will help in putting a stop to a majority of crimes. The crimes by organized criminals who use sophisticated spoofing technology need to be curbed with a tighter control on the ISPs and use of private sector Cyber forensic agencies.
Since the biggest beneficiaries of these suggestions are the Cyber Crime Insurers, it is necessary for the Indian Insurance industry leaders to take the lead in mobilizing the support of the legislators in this direction of creating a "Secure Cyber Society in India".
On our part, Naavi.org, which has already set up a "Cyber Crime Complaints Resolution and Assistance Center" as well as a "Cyber Evidence Archival Center", "CyLawCom Audit" and "Cyber Crime Awareness Education" as Cyber Crime Prevention Services, will now be moving towards setting up a "Managed Security Services" activity to provide the technical security requirements associated with the presently available legal guidance services.
We seek the assistance of the Ministry of Communications and Information Technology in implementing some of the suggestions through appropriate legislative changes. We also seek the assistance of the Union Home Ministry and urge them to take up a project for developing one Cyber Crime Cell in every district in the country and request all State Governments to implement the "Online Registration of Cyber Crime Complaints" and "Online filing of Complaint disposal notes by Police".
We also seek the assistance of the public in taking up this cause and raising a demand for "Right To Information" from ISPs and Police, since they would be severely opposed by the respective agencies.
Naavi
April 15, 2008