GOVERNMENT AND PUBLIC SECTOR
Cybercrimes A Financial Sector View
Shri. Prithviraj Chavan, Hon’ble Chief Minister of Maharashtra
In a digital age, where online communication has become the norm, internet users and governments face increased risks of becoming the targets of cyber attacks. As cyber criminals continue to develop and advance their techniques, focusing on theft of financial information, business espionage and accessing government information is of prime requirement. To fight fast-spreading cyber crime, governments must collaborate globally and with various stakeholders to develop an effective model that will control the threat. India has had its share of incidences in Cybercrimes and more often in the Financial Sector; this has often significantly impacted investor confidence. It is time that cybercrimes is not just thought of as a security issue or a technology issue. It is at the very heart of how a business or Government builds trust with customers as well as how it builds and protects its Brand value. In view of the above scenario, Directorate of Information and Technology, Government of Maharashtra has planned this conference on Cybercrimes: A Financial Sector view. The aim is to share with the government authorities and financial and legal sector experts the current scenario of cybercrimes in the financial domain and the challenges faced by the legal ecosystem in keeping pace with the current leap of cybercrimes. I wish warm regards to the success of the conference and hope it will be knowledgeable and useful to the participants.
Shri. Rajesh Aggarwal, IAS, Secretary – Information and Technology, Government of Maharashtra
Recent reports on Cybercrimes launched against large companies specifically in the financial Sector demonstrate that protecting and securing data is more important now than ever before. Cyber attacks cause an impact on not only the brand value and revenue for the companies but more severely impact the trust of the customers involved in the system. In view of the given challenges, identifying how data compromise occurs and understanding the legal and operational challenges and identifying the different mechanisms of dealing with these challenges faced would arm the system better to fight this menace. The conference takes a peek on the current scenario of cybercrimes at the National level with a focus on Mumbai, the targeted victims, types of cybercrimes and steps to be taken for securing critical financial infrastructure. It also focuses on the current legal framework available and some of the major challenges faced by the Government Authorities, financial sectors and the judiciary itself. We also look forward to a complete session on the Challenges of dealing with the menace of Cyber Crimes in terms of the Human Capacity, Technology, Jurisdiction and legal issues. The group of panelists is highly qualified professionals from the Financial sector and the legal fraternity who bring in extensive knowledge and case study learnings in the field of Cybercrimes. This conference aims at understanding the menace well and analyzing various challenges and ways of curbing its effect and work towards a more safe and secure Technology based financial transaction environment.
Dr. Kamlesh Bajaj, CEO, Data Security Council of India
A nation’s cyberspace is part of the global cyberspace; it cannot be isolated to define its boundaries since cyberspace is borderless. This is what makes cyberspace unique. Unlike the physical world that is limited by geographical boundaries in space—land, sea, river waters, and air—cyberspace can and is continuing to expand. Increased Internet penetration is leading to growth of cyberspace, since its size is proportional to the activities that are carried through it. Cyber security is part of national security. Cyberspace merges seamlessly with the physical world. So do cyber crimes. Cyber attackers can disrupt critical infrastructures such as financial and air traffic control systems, producing effects that are similar to terrorist attacks in the physical space. They can also carry out identity theft and financial fraud; steal corporate information such as intellectual property; conduct espionage to steal state and military secrets; and recruit criminals and others to carry out physical terrorist activities. Anyone can exploit vulnerabilities in any system connected to the Internet and attack it from anywhere in the world without being identified. As the Internet and new technologies grow, so do their vulnerabilities. Knowledge about these vulnerabilities and how to exploit them are widely available on the Internet. During the development of the global digital Internet and communications technology (ICT) infrastructure, the key considerations were interoperability and efficiency, not security. The explosion of mobile devices continues to be based on these insecure systems of Internet protocols. It is increasingly cheap to launch cyber attacks, but security systems are getting more and more expensive. This growing asymmetry is a game changer. It has another dimension, too—individuals, terrorists, criminal gangs, or smaller nations can take on much bigger powers in cyberspace, and through it, in the physical world, as well.
The effects of attacks on critical infrastructure such as electricity and water supplies are similar to those that would be caused by weapons of mass destruction, without the need for any physical attacks. Cyber security is a global problem that has to be addressed globally by all governments jointly. No government can fight cybercrime or secure its cyberspace in isolation. The consequences of a cyber attack are more likely to be indirect and more uncertain than most scenarios currently envision; we may not always recognize the damage inflicted by cyber attackers. Cyber security is not a technology problem that can be ‘solved’; it is a risk to be managed by a combination of defensive technology, astute analysis and information warfare, and traditional diplomacy. Cyber attacks constitute an instrument of national policy at the nexus of technology, policy, law, ethics, and national security. Such attacks should spur debate and discussion, without any secrecy, both inside and outside governments at national and international levels.
Navin Agrawal, Partner, IT Advisory, KPMG in India
The increasing use of technology, particularly by businesses to drive its operations and to deliver world class services has led to the evolution of a new threat. The growth of complexity and access to technology has made us more susceptible to ‘hi-tech crime’ which is also a new form of business threat that requires a fundamental shift in risk management arena of businesses, particularly in the financial domain where the risk is very high. Seriousness could be ascertained from the report published by the World Economic Forum: Global Risks 2012 in which Cyber threat is rated as serious threat to the world based on likelihood and impact. Cyber threats are real and its impact could be felt across borders, businesses and communities. KPMG in India is proud to be associated as the knowledge partner of this conference on ‘Cyber crimes: A financial sector view’ and thus continue our association with this prestigious event for the Government of Maharashtra. We would like to think of this event as a confluence of thought leadership, where business and technology streams meet to discuss, share, evaluate, strategise and provide insights for the evolution of secure business practices. This conference in association with the Government of Maharashtra and Nasscom focusses on issues and trends of cyber crimes in the financial domain, and how the industry is dealing with this new ‘type of crime’. Considering the dependency of banking businesses on the internet and the medium’s vast reach, cyber crime could pose a threat to the financial sector and partnerships need to be formed to fight this crime. These threats can be suitably addressed by sharing insights, experiences, ideas and key skill sets and working through these issues with subject matter specialists. This would also help create secure and robust business practices against existent threats to gain competitive business advantages through business continuity.
We at KPMG would like to facilitate this entire process of collaborating thoughts on cyber security and try to present various scenarios related to cyber security in the financial domain which could impact the industry in future. As we know, technology is no longer an enabler, but seen as a business driver. We hope you will appreciate the insights and concerns presented before you and are able to benefit from the thoughts presented at this event.
Contents
Financial Service Sector Overview
Technological Risk
Time and money spent
Threat
Types of crimes in Financial sector
Statistics - Global & India & focus Mumbai
Legal Framework Support
Key Challenges/concerns which needs to be addressed
Challenges faced by governments
Way forward
1 | Cybercrimes: A Financial Sector View
Currently, there are nearly 2 billion internet users and over 5 billion mobile phone connections worldwide. Every day, 294 billion emails and 5 billion phone messages are exchanged.
• 50,000 Victims every hour
• 820 Victims every minute
• 14 Victims every second¹
Most people around the world now depend on consistent access and accuracy of these communication channels. Among all cybercrime victims surveyed 80 percent were from emerging markets, compared to 64 percent in developed markets. The US Government estimates American businesses suffered losses of intellectual property totaling more than USD 1 trillion from cyber attacks. With over five billion mobile phones coupled with internet connectivity and cloud-based applications, daily life is more vulnerable to cyber threats and digital disruptions. The related constellation of global risks in this case highlights that incentives are misaligned with respect to managing this global challenge. Online security is now considered a public good, implying an urgent need to encourage greater private sector engagement to reduce the vulnerability of key information technology systems. A healthy digital space is needed to ensure stability in the world economy and balance of power.²
1 Symantec Cyber Crime Report 2011
2 World Economic Forum Report Global Report 2012
Financial Services sector
Overview
These are challenging times for the banking industry globally, thought provoking and extremely rewarding at the same time. Due to volatile geopolitical and global macroeconomic conditions, many financial institutions have been forced to evaluate their current operating practices and think about where they would like to be in future and more importantly, how to manage growth as well as risk management in line with stakeholder expectations. The Indian banking industry provides strategic opportunities for innovation-led growth, a moot point to meet challenges thrown by the current environment. Technology is likely to play a significant role in guiding this new approach to growth and risk management.³
In financial domain, technology is no longer an enabler, but a business driver. In last decade phenomenal growth of IT, mobile penetration and communication network has facilitated growth in extending financial services to masses. Technology has facilitated delivery of banking services to masses and changed the way of functioning of financial institutions. Technology made banking services affordable and accessible by optimizing the way these institutions operate today. Regulatory bodies, banks and other institutions/agencies have taken paradigm shift in areas of respective operations, service delivery and consumer satisfaction. Financial institutions gained efficiency, outreach, spread through technology in last two decades. The benefits of technology such as scale, speed and low error rate are also reflecting in the performance, productivity and profitability of banks, which have improved tremendously in the past decade. Technology initiatives are taken by banks in the areas of financial inclusion, mobile banking, electronic payments, IT implementation and management, managing IT risk, internal effectiveness, CRM initiatives and business innovation.
3 KPMG in India: IT in Banking – Managing the present by looking to the future, August 2008
Technological Risk
Source: World Economic Forum Report: Global Risks 2012 Seventh-edition
In a digital age, where online communication has become the norm, internet users, governments and organizations face increased risks of becoming the targets of cyber attacks. As cyber criminals continue to develop and advance their techniques, they are also shifting their targets — focusing less on theft of financial information and more on business espionage and accessing business information. To fight fast-spreading cyber crime, sector must collaborate globally to develop an effective model that will control the threat. The issue of primary importance is that no national government operates an effective compilation service to identify trends in cyber-crime with the exception of the Internet Crime Complaint Center (IC3). Most cyber-crime is on such a small scale that law enforcement organizations are not interested in dealing with individual cases, and, in many cases, individuals may not care enough about the amounts involved to take action. Therefore it tends to go unreported.⁴
Various risks managed by financial bodies are as follows:⁵
• Financial Risks
• Infrastructure Risks
• Technology Risks
• Data Risks
• Human Risks.
4 Cyber Crime – A Growing Challenge for Governments, July 2011, Volume Eight, kpmg.com
5 Evolving Security Architecture in Banks: IBM 2009
Time and Money Spent
Global Scenario
• USD 114 Billion is total loss of cash in 12 months
• USD 274 Billion is the total loss of time for victims of cyber crime
• On an average, 10 days were spent by victims to satisfactorily resolve hassles of cyber crime.
Indian Scenario
• USD 4 billion is the total loss of cash in 12 months
• USD 3.6 billion is the total loss of time for victims of cyber crime
• On an average 15 days were spent by victims to satisfactorily resolve hassles of cyber crime.⁶
Threat
Among all cybercrime victims surveyed 80 percent were from emerging markets, compared to 64 percent in developed markets. Only 21 percent of victims reported cybercrime to the police. 59 percent of victims who’d suffered both online and offline crime felt there were fewer ways to get help after the cybercrime. In India, 59 percent of mobile phone owners access internet via mobile device out of which 17 percent experienced mobile related cyber crime.⁶
6 Symantec Cyber Crime Report 2011
Types of Crimes in Financial Sector⁷
Control over the physical world is generally localized, low-tech and underpinned by many well established practices and procedures. The challenge to this seemingly well-oiled machinery is offered by a new paradigm of organized crime-‘cybercrime’. The increasing use of the internet by all facets of society has led to the evolution of new field of criminal activity that is defined by its dependence on the internet. While certain aspects of cyber crime are held common with previously existing forms of criminality it is nevertheless true that cyber crime forms a distinct category of its own, one that requires different mechanisms to deal with it. Most of the cyber crime involves multiple, undetectable, small crimes or micro-crimes. Although the headline events are those where gangs of organized criminals use technical means to electronically steal millions from banks, successful operations at beginning of decade used simple fraud technique to steal small value denominations from multiple individuals without alerting the victims or the law enforcement agencies. Avenues for these operations could range from gaining illegal access to personal bank accounts to selling access to compromised computers.
7 KPMG in India: IT in Banking – Managing the present by looking to the future, August 2008.
Global dimensions and borderless limits have given rise to new and innovative responses required to the issue of cyber crime or electronic crime. The growth in the off-take of the information highway and telecommunications presents as great a challenge for policing. A hi-tech crime presents a new form of business threat that requires a fundamental shift in policing methodology.⁸
Financial-services organization provides specialized, private banking products and services to its customers. Its services cover property, investments, capital markets and asset management. Their customer base is its biggest asset, and offering strong protection to these customers is of paramount importance – both to retain and grow business, and to protect its reputation for high-quality service.
Vendors of online security products have an interest in talking up the threats of cybercrime, while victims of cybercrime often have an interest in remaining silent. It is therefore very difficult for firms and organizations to get a clear picture of the true levels of the risk and needs for investment. Correcting such information asymmetries should be at the centre of policies to improve global cyber security and to ensure an efficient market. Firms have an incentive to invest in cyber security measures that protect their own interests, rather than in those measures that contribute to the health of the overarching critical information infrastructure. Innovative multi stakeholder collaboration will be required to tip the balance towards investment in creating systemic resilience. There are no proven secure systems, only systems whose faults have not yet been discovered, so trying to overcome “hackability” may be as hopeless as denying gravity. Instead, the goal should be finding ways for well-intentioned individuals to identify those faults and deploy remedies to end-users before would-be cyber criminals can discover and exploit them. Experts believe that the levels of resource devoted to this effort are nowhere near adequate, but there are signs that some industries are taking cyber threats more seriously. In November 2011, 87 banks in England participated in a mock cyber attack “stress test” in preparation for an anticipated increase in attacks during the 2012 Summer Olympic Games.⁹
Companies in financial domain have experienced increase in instances of cybercrime in past few years. Various levels of cyber crime threats are at each level of IT systems. The emergence of such threats at different levels is due to an explosion of online banking and shopping, coupled with the increasing willingness of consumers to disclose personal information over the internet. Hackers are now enabling a larger market of ‘script-junkies’ whose deficient skills would otherwise shut them out of the cyber criminal enterprise.
8 KPMG in India: IT in Banking – Managing the present by looking to the future, August 2008
9 World Economic Forum Report: Global Risks 2012
| Type of Attacks | Details |
| --- | --- |
| Viruses and worms | Viruses and worms are computer programs that affect the storage devices of a computer or network, which then replicate information without the knowledge of the user. |
| Spam emails | Spam emails are unsolicited emails or junk newsgroup postings. Spam emails are sent without the consent of the receiver — potentially creating a wide range of problems if they are not filtered appropriately. |
| Trojan | A Trojan is a program that appears legitimate. However, once run, it moves on to locate password information or makes the system more vulnerable to future entry. Or a Trojan may simply destroy programs or data on the hard disk. |
| Denial-of-service (DoS) | DoS occurs when criminals attempt to bring down or cripple individual websites, computers or networks, often by flooding them with messages. |
| Malware | Malware is a software that takes control of any individual’s computer to spread a bug to other people’s devices or social networking profiles. Such software can also be used to create a ‘botnet’ — a network of computers controlled remotely by hackers, known as ‘herders’ — to spread spam or viruses. |
| Scareware | Using fear tactics, some cyber criminals compel users to download certain software. While such software is usually presented as antivirus software, after some time these programs start attacking the user’s system. The user then has to pay the criminals to remove such viruses. |
| Phishing | Phishing attacks are designed to steal a person’s login and password. For instance, the phisher can access the victims’ bank accounts or assume control of their social network. |
| Fiscal fraud | By targeting official online payment channels, cyber attackers can hamper processes such as tax collection or make fraudulent claims for benefits. |
| State cyber attacks | Experts believe that some government agencies may also be using cyber attacks as a new means of warfare. One such attack occurred in 2010, when a computer virus called Stuxnet was used to carry out an invisible attack on Iran’s secret nuclear program. The virus was aimed at disabling Iran’s uranium enrichment centrifuges. |
| Carders | Stealing bank or credit card details is another major cyber crime. Duplicate cards are then used to withdraw cash at ATMs or in shops. |
Cyber-crime has spawned many entrepreneurs, though of dubious repute. They have given rise to new criminal hacking enterprises aimed not at committing fraud but at providing services to help others commit fraud. This operation enables people to commit crime vicariously, i.e. without any direct perpetration. Another model is to create a subscription based identity theft service: rather than stealing personal credentials themselves, cyber criminals have hacked into PCs and then charged clients for a limited period of unfettered access. As is the case with most business services, customers willing to pay extra can obtain premium services such as a complete ‘clean-up’ of the stolen data, i.e. getting rid of low-value information and assistance with indexation and tagging of data, etc.¹⁰
New skills, technologies and investigative techniques, applied in a global context, are required to detect, prevent and respond to cyber-crime. This is not just about the realignment of existing effort. This ‘new business’ will be characterized by new forms of crime, a far broader scope and scale of offence and victimization, the need to respond in a much more timely way, and challenging technical and legal complexities. Innovative responses such as the creation of ‘cybercops’, ‘cyber-courts’ and ‘cyber-judges’ may eventually be required to overcome the significant jurisdictional issues that law and order agencies are currently facing. Law enforcement with regard to investigating crimes and handling evidence, dealing with offenders, and assisting victims, poses complex new challenges. There is an unprecedented need for international commitment, coordination and cooperation since cyber-crime is truly a global phenomenon. It is also important to have a better understanding about the nature of the problem and to address the dangerous issue of significant under-reporting of this phenomenon. Prevention and partnerships will be essential to fight cyber crime.¹⁰
Framework for Cyber threats and responses
Source: World Economic Forum Report-Global Risks 2012 Seventh-edition
10 KPMG in India: IT in Banking – Managing the present by looking to the future, August 2008
Statistics - Global & India and special focus on Mumbai
Cyber security is on top priority list of various financial organizations, regulators and governments. Cyber attacks ranked fourth in top global risks in terms of likelihood in World Economic Forum Report: Global Risks 2012.
Top 5 global risk in terms of likelihood
Source: World Economic Forum Report-Global Risks 2012 Seventh-edition
Legal Framework Support
The Data Security Council of India (DSCI) and the Department of Information Technology (DIT), India are the prime bodies looking towards the cyber security in India. To cater to the needs of cyber security issues, India has implemented IT Act 2000 and revised IT (Amendment) Act 2008.
Emergence of Information Technology Act, 2000
The Information Technology Act 2000 was enacted after the United Nation General Assembly Resolution A/RES/51/162, on 30th January, 1997 by adopting the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This was the first step towards the Law relating to e-commerce at international level to regulate an alternative form of commerce and to give legal status in the area of e-commerce. It was enacted taking into consideration United Nations Commission on International Trade Law (UNCITRAL) model of Law on e-commerce 1996. The Act was aimed to provide the legal infrastructure for e-commerce in India. The Information Technology Act, 2000 also aimed to provide for the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means. The Act states that unless otherwise agreed, an acceptance of contract may be expressed by electronic means of communication and the same shall have legal validity and enforceability. Different types of cyber crimes have been described as offences under Chapter IX. Several crimes like hacking, phishing, data theft, identity theft, denial of service, spreading of virus, source code theft, sending lewd SMS/MMS/Email, pornography, child pornography and disclosure of information by organizations have been looked in detail. The IT Act, 2000 provides for the constitution of the Cyber Regulations Advisory Committee which has been advising the government as regards to any rules or for any other purpose connected with the act. The Act also has Five Schedules, the last one being the glossary and others which amend the Indian Penal Code, 1860, the Indian Evidence Act, 1872, The Bankers’ Books Evidence Act, 1891, The Reserve Bank of India Act, 1934 to make them in tune with the provisions of the Act.¹¹
11 The Gazette of India, Extraordinary part -2 http://eprocure.gov.in/cppp/sites/default/files/eproc/itact2000.pdf
Noteworthy provisions under the IT Act, 2000
| Section | Cyber Crime – Type | Penalty |
| --- | --- | --- |
| Sec-43 | Damage to Computer system etc. | Compensation for Rupees 1 crore |
| Sec-66 | Hacking (with intent or knowledge) | Fine of 2 lakh rupees, and imprisonment for 3 years |
| Sec-67 | Publication of obscene material in e-form | Fine of 1 lakh rupees, and imprisonment of 5 years, and double conviction on second offence |
| Sec-68 | Not complying with directions of controller | Fine upto 2 lakh and imprisonment of 3 years |
| Sec-70 | Attempting or securing access to computer | Imprisonment upto 10 years |
| Sec-72 | For breaking confidentiality of the information of computer | Fine upto 1 lakh and imprisonment upto 2 years |
| Sec-73 | Publishing false digital signatures, false in certain particulars | Fine of 1 lakh, or imprisonment of 2 years or both. |
| Sec-74 | Publication of Digital Signatures for fraudulent purpose | Imprisonment for the term of 2 years and fine for 1 lakh rupees |
IT Act 2000. http://www.mit.gov.in/content/it-act-2000-dpl-cyber-laws
Currently, the IT Act, 2000 has been amended by the Information Technology (Amendment) Act, 2008. This law provides the legal infrastructure for Information Technology in India. The said Act along with its 90 sections is to be conceived with 23 rules called the IT rules, 2011.
Key challenges/concerns which need to be addressed
Cyber Security – Legal Issues
The major concern is primarily attacks on networks and the need for coming up with appropriate legislative frameworks for enhancing, preserving and promoting cyber security. Lawmakers need to come up with appropriate enabling legal regimes that not only protect and preserve cyber security, but also further instill a culture of cyber security amongst the netizens. Large number of existing cyber legislations across the world do not yet address important issues pertaining to cyber security. A more renewed focus and emphasis on coming up with effective mandatory provisions is required which would help protect, preserve and promote cyber security in the context of use of computers, computer systems, computer networks, computer resources as also communication devices.
Mobile law challenges
As the mobile users in India are increasing considerably, the use of mobile devices and content generated there from are likely to bring forth significant new challenges for cyber legal jurisprudence. There are no defined jurisdictions dedicated to laws dealing with the use of communication devices and mobile platforms. As increasingly people use mobile devices for output and input activities, there will be increased emphasis on meeting up with the legal challenges emerging with the use of mobility devices, more so in the context of mobile crimes, mobile data protection and mobile privacy.
Spam galore
As more and more users get added to the Internet and mobile bandwagon, email and mobile spammers will find increasingly innovative methodologies and procedures to target at digital users. Law makers are likely to be under pressure to come up with effective legislative provisions to deal with the menace of spam.
Cloud computing legal issues
As India is moving towards the adoption of cloud computing, various important legal challenges pertaining to cloud computing will continue to seek attention of Cyberlaw makers. Cloud computing brings with it various distinctive new challenges including that of data security, data privacy, jurisdiction and a variety of other legal issues.
Social media legal issues
In the recent times there have been increasingly significant legal issues and challenges raised by social media. As social media websites continue to become the fertile ground for targeting by all relevant lawyers, law enforcement agencies and intelligence agencies, social media continues to become the preferred repository of all data. As such, social media crimes are increasing dramatically. Inappropriate use of social media is further increasing, thereby leading to various legal consequences for the users. The concept of privacy in the context of social media is greatly undermined, despite efforts to the contrary made by some stakeholders. Cyberlaw makers across the world have to face the unique challenge of how to effectively regulate the misuse of social media by vested interests and further how to provide effective remedy to the victims of various criminal activities on social media.
Way Forward
The Information Technology Act, 2000 and its amendment in 2008, though it provides certain kind of protection, does not cover all the spheres of the IT where protection must be provided. The Copyright and Trademark violations do occur on the net, but the Copyright Act, 1976 or the Trademark Act, 1994, are silent on that which specifically deals with the issue. There is no enforcement machinery to ensure the protection of domain names on net. Transmission of e-cash and transactions online are not given protection under Negotiable Instrument Act, 1881. Online privacy is not protected; only Section 43 (penalty for damage to computer or computer system) and Section 72 (Breach of confidentiality or privacy) talk about it to some extent but do not hinder the violations caused in the cyberspace. Even the Internet Service Providers (ISP) who transmit some third party information without human intervention are not made liable under the Information Technology Act, 2000. It’s hard to prove the commission of offence as the terms “due diligence” and “lack of knowledge” have not been defined anywhere in the Act. Even the Act doesn’t mention how the extra-territoriality would be enforced. This aspect is completely ignored by the Act, where it had come into existence to look into cyber crime which is on the face of it an international problem with no territorial boundaries. The Act has its own slated advantages as it gave legal recognition to electronic records, transactions, authentication and certification of digital signatures, prevention of computer crimes etc. but at the same time is inflicted with various drawbacks also, like it doesn’t refer to the protection of Intellectual Property rights, domain name, cyber squatting etc. This inhibits the corporate bodies to invest in the Information technology infrastructure. Cryptography is a new phenomenon to secure sensitive information. There are very few companies in present date which have this technology. Other millions of them are still exposed to the risk of cyber crimes. India needs to update the Law whether by amendments or by adopting sui generis system. Though Judiciary continues to comprehend the nature of computer related crimes there is a strong need to have better law enforcement mechanism to make the system workable.
Challenges faced by governments
Although governments are actively focused on fighting and preventing cyber criminals from damaging infrastructure, the very nature of cyberspace poses a number of challenges to the implementation of cyber regulations in any country. Within cyberspace it is often difficult to determine political borders and culprits. Furthermore, the cyber criminal community and their techniques are continuously evolving, making it more challenging for governments and companies to keep up with ever-changing techniques.
Tracking the origin of crime
According to Rob Wainwright, Director of Europol, criminal investigations of cyber crimes are complex, as the criminal activity itself is borderless by nature. Tracing cyber criminals poses a challenge.[12] While many experts speculate that the cyber attacks on Estonia and Georgia, for instance, were directed by the Russian cyber agencies, some of the attacks have been traced to the computers originating in Western countries.
Growth of the underground cyber crime economy
A major threat that may hamper the fight against cyber crime is the growth of an underground economy, which for many cyber criminals can be a lucrative venture. The underground economy attracts many digital experts and talented individuals with a specialty around cyber initiative. In the cyber underworld, the hackers and organized crime rings operate by selling confidential stolen intelligence. Research shows that criminals are trading bank account information for US$10–125, credit card data for up to US$30 per card, and email account data for up to US$12.[13] Often, the acquired data is used in illegal online purchases and in exchange for other monetary transactions. The untraceability of the origin of these transactions poses a major challenge to government agencies in their efforts to fight crimes of this nature.
[12] E-Crime Survey 2009, KPMG International
Shortage of skilled cyber crime fighters
Implementing cyber security measures requires skilled manpower. However, most countries face a shortage of skilled people to counter such cyber attacks. According to Ronald Noble, Head of Interpol, “An effective cyber attack does not require an army; it takes just one individual. However, there is a severe shortage of skills and expertise to fight this type of crime; not only at Interpol, but in law enforcement everywhere.” Moreover, most trained or skilled people are recruited by the private sector, as it offers higher financial rewards. In the UK, the PCeU has experienced this shortage first hand, with only 40 core team members.[88] Similarly, in Australia, the majority of the cyber crime incidents, particularly minor incidents, remain unsolved or are not investigated due to the lack of eForensic skills and expertise.
Widespread use of pirated software
One of the major challenges to preventing cyber crime is the prevalence of software piracy, as pirated software is more prone to attacks by viruses, malware and trojans. Experts believe that rapid growth of consumer PC markets in emerging countries, such as India, Brazil and China, has contributed largely to the rising piracy rates. The pirated software can include not only games, movies, office applications and operating systems, but also security software. Often, users prefer to obtain pirated security software rather than purchase and upgrade a legal version, therefore increasing the vulnerability of their systems to cyber attacks. For instance, one of the reasons for the spread of the Conficker virus in 2008 was the lack of automatic security updates for unlicensed software. The issue becomes more significant for those countries where pirated software is a common occurrence. China, which is one of the largest such markets, reported that nearly US$19 billion was spent on pirated software in 2009. In India, the unlicensed software market value stands at nearly US$2 billion. Ensuring cyber security is also a major challenge for Gulf Cooperation Council (GCC) countries, where 50 percent of software is pirated.[15]
[13] War in the fifth domain, Economist, July 1, 2010
[14] Will the U.S. get an Internet “kill switch”?, Technology Review, March 4, 2011
[15] KPMG International, Issues Monitor: Cyber Crime – A Growing Challenge for Governments (July 2011, Volume Eight)
Way forward
Experts believe that to fight the borderless and continuously evolving cyber crime, global leaders must collaborate in joint initiatives. Nigel Inkster, an expert on cyber threats at the International Institute for Strategic Studies, stated, “Thus far, the discussion on how to set international standards on cyber has been very low profile and largely confined to the margins of the UN General Assembly.” However, to overcome significant diplomatic hurdles, a concerted effort on the part of governments must be in place. In April 2010, the UN rejected a treaty on global cyber crime, due to disagreements over the national sovereignty issues and concerns for human rights. Many countries have expressed a concern over the new cyber laws. Russia, as one of the examples, has refused to endorse the ‘Budapest Convention on Cybercrime,’ which allows police and other legal entities to cross national boundaries without the consent of local authorities, in order to access computer servers. However, country officials in most developed nations do agree on the establishment of policies to protect cyberspace against criminals. Experts believe that developed countries such as the US should encourage other countries to introduce policies against cyber attacks, in the similar fashion they do for nuclear weapons, missile defense and space. “The US has to frame a much clearer strategy with regard to cyber (warfare),” said Greg Austin, Vice President of Program Development and Rapid Response at the EastWest Institute. The US supports an International Telecommunication Union plan, which obligates the country of origin of cyber crime acts to conduct investigation. The US also supports a Russian initiative that has called for a UN panel to work on cyber-arm limitations. However, experts believe that the implementation of such a coordinated initiative might take a few more years.
Apart from bilateral and multi-lateral initiatives between governments, much can be achieved by cooperating with the private companies that own and control the majority of the cyberspace network. Network owners or internet service providers can take more responsibility to help identify cyber attacks and attackers on user computers, and take the necessary steps to counter such attacks. Experts believe that while such preventive measures may not completely eliminate cyber espionage, they can certainly make cyberspace a much safer place.[13]
[13] KPMG International, Issues Monitor: Cyber Crime – A Growing Challenge for Governments (July 2011, Volume Eight)
kpmg.com/in
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. © 2012 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. Printed in India.