22 November 2016

Is ‘Defence-Alone’ Strategy Sufficient To Create Secure Cyberspace? – Analysis

By Madan Oberoi
NOVEMBER 21, 2016

Statistics on the registration, prosecution and conviction of cybercrime help illuminate two things: the reporting of cybercrime and the investigation of cybercrime in India.

The following evidence suggests that there was gross under-reporting of cybercrimes by victims and problems in investigation and prosecution of cybercrimes. The situation depicted by these statistics implies that cybercriminals can work with a confidence level ranging from 96% to 99% that they will never be punished for their crimes.

This points to the inefficacy of the “defence-alone” strategy being advocated by many vendors of security products.

Evidence

As per reports published by CERT-In and NCRB (National Crime Records Bureau), the rates of prosecution and conviction of cybercrimes in India in 2015 were as low as 4.88% and 1.78%, respectively, of the total number of cybersecurity incidents reported.

The Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and IT, is the nodal agency responsible for handling cybersecurity incidents. CERT handles incidents related to spam, website defacements, website intrusion, phishing, malware propagation, malicious code and network scanning and probing. Interestingly, the number of cybersecurity incidents handled by CERT in 2015 fell by 14.7%.

On the other hand, the number of cybercrime cases registered in India increased considerably in 2015, by 20%. However, prosecution of cybercrime in India still remains very low, with only 5,425 cases being sent for prosecution in 2015. The percentage of cybercrimes ending in conviction in 2015 was as low as 1.78% of the reported or detected cybersecurity incidents.

Inference

While there has been an increase in the number of cybercrime cases registered in 2015, the number (11,592) still indicates under-reporting of cybercrime cases to LEAs in India. Companies choose not to report cases as they fear loss of reputation; further, companies and affected individuals do not have confidence in the capabilities of LEAs. The percentage of cases being taken up for prosecution (46% of the total number of registered cases) suggests that the capabilities to investigate multi-jurisdictional cybercrime need to be strengthened.

Poor prosecution and conviction rates fail to act as deterrents to cybercriminals. This means that, in order to achieve the objective of a secure cyberspace, an exclusive focus on building defences in the form of anti-virus, firewalls, IDSs, etc. is not going to suffice. Credible deterrence needs to be created through successful prosecutions.

This clearly points to the need to combat these low prosecution and conviction rates of cybercrime through:

- Moving from a reactive approach to an intelligence-led, proactive approach to combating cybercrime by law enforcement agencies, in collaboration with stakeholders like the private sector and academia.
- Capacity strengthening of law enforcement agencies to combat cybercrime by bridging the gaps in skillsets and infrastructure.
- Developing a platform for global coordination of intelligence and operations.
- Providing strategic and research support to law enforcement agencies to combat cybercrime.

The author is an Indian Police Service (IPS) officer presently deployed with INTERPOL as Director of its Global Cybercrime Programme. This post reflects the author’s personal views and not those of INTERPOL or the Government of India.

ORF was established on 5 September 1990 as a private, not-for-profit ‘think tank’ to influence public policy formulation. The Foundation brought together, for the first time, leading Indian economists and policymakers to present An Agenda for Economic Reforms in India. The idea was to help develop a consensus in favour of economic reforms.
