Category: Cover Story

Cybercrimes know no borders and have evolved alongside emerging digital technologies. Each year, the number of reported cybercrimes in India continues to rise significantly, and the situation is worsening, says Ivor Vaz.

On a positive note, a vibrant India is on the brink of a digital revolution. Once primarily an agricultural nation, India is undergoing a dramatic transformation driven by the rapid advancement of digital technology and infrastructure. Economists predict that India’s digital economy will exceed US$1 trillion by 2027-28, with a robust annual growth rate of 2.8%. This growth is largely attributed to the exponential rise of digitalisation and data-driven innovation, which are fundamental to modern progress.

In recent years, India has emerged as a significant player in technology and services, transforming the global economy. With a wealth of talent and a thriving IT sector, India has become a hub for innovative ideas, software development, and outsourced business services. The country’s role in the global services landscape has evolved remarkably, establishing it as a centre of excellence and innovation, reflecting its abundant talent, technological capabilities, and business-friendly environment.

However, amidst this rapid digital growth, fueled by advancements in AI, automation, and data-driven technologies, a critical challenge emerges. While increased connectivity and a digital economy promise significant progress, they also expose our digital societies to new vulnerabilities. India has only just begun to develop a cybersecurity framework to protect its vast internet population—the second largest in the world. At the same time, cybercrimes continue to evolve at a pace that matches or surpasses emerging technologies.

Each year, the number of reported cybercrimes continues to rise significantly. In India, the most common type of cybercrime is financial fraud. Over the past few years, financial fraud has become a growing concern, with losses amounting to billions of Indian rupees annually. Between 2020 and 2024, these cases accounted for 75% of all cybercrimes in India, peaking at over 77%.

The increase in reported cases from 2019 to 2024 is striking with 26,049 complaints recorded in 2019, followed by 2,57,777 in 2020, 4,52,414 in 2021, 966,790 in 2022, 15,56,218 in 2023, and 7,40,957 in just the first four months of 2024.

The sectors most vulnerable to cybercrime include IT, healthcare, manufacturing, and finance. Small businesses are also frequent targets, especially since only 41% of Indian companies were at progressive stages of cybersecurity readiness in 2024.

Even though the private sector is heavily affected by online crime, government agencies have also faced incidents of espionage. A notable breach involved India’s unique citizen identification system, the Aadhaar Card, which compromised extensive personal information, including bank details, addresses, and biometrics of over a billion Indians. In 2024, the cost of data breaches in the country surged by more than $2 billion.

One of the major challenges in combating cybercrime in India is the lack of awareness regarding cyber hygiene. Even when crimes are reported to authorities, the existing infrastructure and processes for addressing such cases are largely inefficient. In 2018, India’s Ministry of Home Affairs established the Indian Cyber Crime Coordination Centre (I4C) to provide a framework for combating cybercrime. The Central Government further launched the National Cybercrime Reporting Portal (NCRP) under the I4C in 2019. Additionally, the government has implemented a stringent content regulation policy for the internet and social media platforms. Another area that could help reduce cybercrime numbers is the expansion of the cybersecurity market. Increased investments in this sector can combat the growing threats likely to persist as the world navigates hyper-connectivity and the era of artificial intelligence.

To effectively address the challenges posed by newer technologies and ensure the safety and security of our citizens from emerging cyber threats, it is essential for world leaders to collaborate and strengthen enforcement agencies.

Recent crime data published by the National Crime Record Bureau (NCRB) reveals a significant increase in registered cybercrimes, rising from 12,317 cases in 2016 to 65,893 in 2022—an increase of approximately 435% over seven years. In 2022, fraud, extortion, and sexual exploitation accounted for the majority of these cases.

According to the Indian Cyber Crime Coordination Centre (IC4), an official from the Ministry of Home Affairs (MHA) shared that more than three million complaints have been reported since the launch of the online portal https://cybercrime.gov.in by the Central Government in August 2019.

In cases of online financial fraud, if reported quickly through this portal or the national helpline number 1930, transactions can be blocked, potentially preventing defrauded money from reaching criminals, as over 263 banks are linked to this system.

In 2023, around ₹922 Crore of defrauded money (approximately 12.32%) was recovered, a notable increase from ₹36 Crore (about 6.73%) in 2021. Many online frauds have been traced back to countries such as Myanmar, Cambodia, Dubai, and China.

Before discussing how to prepare for and tackle cybercrimes and emerging challenges in India, it is important to analyse the impact of these incidents on our daily lives.

Impact of Cybercrime

In November 2022, the online services of the All India Institute of Medical Sciences (AIIMS) in Delhi were disrupted due to a ransomware attack on its servers, which are provided and managed by the National Informatics Centre. With the assistance of the national nodal agency for Critical Information Infrastructure Protection, the Indian Computer Emergency Response Team (CERT-In), data for the ‘e-Hospital’ system was retrieved from a backup server, and most functions were restored on new servers after approximately two weeks. A case of cyber terrorism and extortion was registered under the relevant sections of the Information Technology (IT) Act and the Indian Penal Code (IPC). This case was handled by the Intelligence Fusion and Strategic Operations (IFSO), a specialised unit of the Delhi Police that deals with cybercrime.

The Ministry of Information Technology later informed Parliament that the servers had been compromised due to “improper network segmentation,” which led to operational disruptions due to the failure of critical applications. Preliminary analysis revealed that five servers were affected, and approximately 1.3 terabytes of data had been encrypted. The Minister clarified that no specific amount of ransom was demanded by the hackers, although a message on the server indicated that it was indeed a cyber attack. According to cyber experts, “improper network segmentation” suggests that the firewall meant to protect the network was not configured correctly, and the unmanaged switches lacked adequate safeguards. This inadequate cybersecurity allowed the hackers to corrupt the system. Furthermore, the IP addresses from the suspicious emails indicated that the attack originated from a foreign country.

Another incident that threatened the reputation and dignity of an individual was a deepfake video of a South Indian actor impersonating the face of a London-based Indian woman, which went viral on social media in November 2023. Although Meta and other social media platforms removed the video on their own, the IFSO wing of the Delhi Police investigated over 500 internet links, retrieved some deleted accounts, and successfully traced the origin of the deepfake. The accused confessed to creating the video to increase his Instagram following but subsequently deleted the posts and changed the name of his Instagram account. These two examples illustrate the significant damage that cyber-attacks can inflict on both strategically important institutions and individuals.

Legal Aspects

The IT Act of 2000 was enacted to stimulate the growth of electronic transactions and to provide legal recognition for e-commerce. It contains provisions to address computer-related crimes. Since then, various IT rules have been introduced to tackle specific issues, such as “reasonable security practices and procedures” and “national critical information infrastructure.” To regulate intermediaries and social media platforms, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules were notified in February 2021.

The most recent development is the Digital Personal Data Protection Act of 2023, which aims to protect personal data and ensure its lawful processing. However, experience shows that simply enacting laws and regulations is insufficient; enhancing the capacity and capability of police forces to address emerging challenges is essential.

It is important to recognise that a regular police officer without a background in computer science cannot be expected to specialise in tackling computer-related offences. At most, such an officer can be trained to act as a first responder to preserve the crime scene and protect the integrity of electronic evidence. To effectively address the increasing number of cyber complaints, a sufficient number of cyber experts should be integrated into the police force, and dedicated cyber police stations should be established.

Additionally, while broad guidelines for the identification, collection, acquisition, and preservation of digital evidence are outlined in the Indian Standard IS/ISO/IES 20037:2012 issued by the Bureau of Indian Standards (BIS), there is no separate procedural code for investigating computer-related offences. Furthermore, many State cyber forensic labs are not equipped to handle emerging challenges and have not been designated as “Examiners of Electronic Evidence” by the Central Government, which limits their ability to provide expert opinions on electronic evidence under the IT Act.

Although the newly enacted criminal laws emphasise the collection of forensic evidence, including recording statements using audio-visual means, and the Bharatiya Sakshya Adhiniyam of 2023 establishes a standard format for the admissibility of electronic evidence in a court of law, the lack of training resources may hinder the development of effective police officers in this field.

The concept of “safe harbour” should be reconsidered to increase the accountability of intermediaries. The IT Rules of 2021 require intermediaries and social media platforms to exercise “due diligence” and make “reasonable efforts” to prevent users from hosting, displaying, uploading, or sharing any harmful information, especially regarding children. However, these platforms are only required to remove objectionable material within 36 hours if they are notified by an authorised government agency or if a court orders them to do so. They are not legally obligated to implement preventive or investigative online tools.

India does not follow either the American or the British model to proactively identify and block child sexual abuse material (CSAM). The lack of necessary cyberinfrastructure means that reports of CSAM uploaded from India are identified and geo-tagged by the American National Centre for Missing and Exploited Children (NCMEC), which then forwards these reports to the National Crime Records Bureau (NCRB) under an agreement with the Ministry of Home Affairs (MHA) for legal action.

Due to the limited liability of Internet Service Providers (ISPs) under the IT Act, no proactive measures have been taken by them. Although the Ministry of Electronics and Information Technology (MeitY) has issued an advisory for social media platforms to remove misinformation and deepfake content, these measures will be insufficient and ineffective unless the platforms are required to deploy technical tools for identifying such content and reporting compliance. This would necessitate a revision of the “safe harbour” provision to make it more robust under

Section 79 of the IT Act.

Lastly, the cyber attack on the AIIMS Delhi system highlights that even institutions managing sensitive personal health data lack a robust cybersecurity policy.

The primary reasons for vulnerabilities that hackers exploit include the lack of periodic audits, the failure to identify system weaknesses, outdated technology, and a shortage of dedicated and trained personnel.

To address these issues, it is essential to allocate sufficient budget resources to related institutions and to foster a culture of cybersecurity awareness to prevent future attacks.

As the world works to establish mechanisms and regulations to mitigate the misuse of artificial intelligence (AI), law enforcement agencies are facing challenges in investigating new types of crimes. During the inauguration of the annual Global Partnership for AI (GPAI) Summit in Delhi in December 2023, the Prime Minister of India emphasised the importance of watermarking AI products and acknowledged the rising concerns about cybersecurity and data theft. It is hoped that collaborative efforts among world leaders will strengthen infrastructure and assist enforcement agencies in overcoming the challenges posed by emerging technologies, ultimately ensuring the safety and security of citizens against new cyber threats.          

To strengthen the mechanism to deal with cybercrimes in a comprehensive and coordinated manner, the Central Government, through the Ministry of Home Affairs has set up the Indian Cybercrime Coordination Centre (I4C).

As per the Seventh Schedule of the Constitution of India, ‘Police Order’ and ‘Public Order’ are State issues. Hence, States and UTs are primarily responsible for the prevention, detection, investigation and prosecution of cybercrimes through their Law Enforcement Agencies. The Central Government supplements the initiatives of the State Governments through advisories and schemes for the capacity building of their Law Enforcement Agencies. To strengthen the mechanism to deal with cybercrimes in a comprehensive and coordinated manner, the Central Government, through the Ministry of Home Affairs has set up the Indian Cyber Crime Coordination Centre (I4C) to deal with all types of cybercrime in the country.

The National Crime Records Bureau (NCRB) compiles and publishes the statistical data on crimes in its publication ‘Crime in India’. Its Cyber Crime Reporting Portal -https: //cybercrime.gov.in was launched, as a part of the I4C, to enable the public to report incidents about all types of cybercrimes, with a special focus on cybercrimes against women and children. Cybercrime incidents reported on this portal, their conversion into FIRs and subsequent action thereon are handled by the State/UT Law Enforcement Agencies concerned as per the provisions of the law. The ‘Citizen Financial Cyber Fraud Reporting and Management System’, under I4C, has been launched for immediate reporting of financial frauds and to stop siphoning off funds by the fraudsters. Since the inception of the Citizen Financial Cyber Fraud Reporting and Management System, more than ₹1,200 Crore have been saved in more than 4.7 lakh complaints. A toll-free Helpline number 1930 has been operationalised to get assistance in lodging online cyber complaints. The State and UT-wise details of the Citizen Financial Cyber Fraud Reporting Management System from January 1 to December 31, 2023, are in the Annexure. To date, more than 3.2 lakh SIM cards and 49,000 IMEIs as reported by Police authorities have been blocked by the Government of India.

The Computer Emergency Response Team is the National Incident Response Centre for major computer security incidents in the Indian cyber community. CERT-In issues alerts and advisories regarding the latest cyber threats/vulnerabilities and countermeasures to protect computers, mobile phones, networks and data on an ongoing basis. CERT-In, through RBI, has advised all authorised entities and banks issuing pre-paid payment instruments (wallets) in the country to carry out special audits by CERT-In-empanelled

auditors, close the non-compliances identified in the audit report and ensure implementation of security best practices.  CERT-In and the Reserve Bank of India (RBI) jointly carry out a cybersecurity awareness campaign on ‘beware and be aware of financial frauds’ through the Digital India Platform. To enhance the mechanism for addressing cybercrimes comprehensively and in a coordinated manner, the Central Government of India, through the Ministry of Home Affairs, has established the Indian Cybercrime Coordination Centre (I4C). To raise awareness about cybercrime, the Central Government has implemented several measures, including the dissemination of messages through SMS, social media accounts associated with I4C i.e. X (formerly Twitter) – @Cyberdost; Facebook: CyberDostI4C; Instagram – Cyberdosti4C, and Telegram – Cyberdosti4c; a radio campaign, and collaboration with MyGov for publicity across various platforms. They have also organised Cyber Safety and Security Awareness Weeks in partnership with States/UTs and published a Handbook for Adolescents/Students. States and UTs have been encouraged to conduct public awareness campaigns to foster mass awareness of cyber safety.