To effectively address the challenges posed by newer technologies and ensure the safety and security of our citizens from emerging cyber threats, it is essential for world leaders to collaborate and strengthen enforcement agencies.
Recent crime data published by the National Crime Records Bureau (NCRB) reveals a significant increase in registered cybercrimes, rising from 12,317 cases in 2016 to 65,893 in 2022, an increase of approximately 435% over seven years. In 2022, fraud, extortion, and sexual exploitation accounted for the majority of these cases.
According to the Indian Cyber Crime Coordination Centre (I4C), an official from the Ministry of Home Affairs (MHA) shared that more than three million complaints have been reported since the launch of the online portal https://cybercrime.gov.in by the Central Government in August 2019.
In cases of online financial fraud, if reported quickly through this portal or the national helpline number 1930, transactions can be blocked, potentially preventing defrauded money from reaching criminals, as over 263 banks are linked to this system.
In 2023, around ₹922 Crore of defrauded money (approximately 12.32%) was recovered, a notable increase from ₹36 Crore (about 6.73%) in 2021. Many online frauds have been traced back to countries such as Myanmar, Cambodia, Dubai, and China.
Before discussing how to prepare for and tackle cybercrimes and emerging challenges in India, it is important to analyse the impact of these incidents on our daily lives.
Impact of Cybercrime
In November 2022, the online services of the All India Institute of Medical Sciences (AIIMS) in Delhi were disrupted due to a ransomware attack on its servers, which are provided and managed by the National Informatics Centre. With the assistance of the national nodal agency for Critical Information Infrastructure Protection, the Indian Computer Emergency Response Team (CERT-In), data for the ‘e-Hospital’ system was retrieved from a backup server, and most functions were restored on new servers after approximately two weeks. A case of cyber terrorism and extortion was registered under the relevant sections of the Information Technology (IT) Act and the Indian Penal Code (IPC). This case was handled by the Intelligence Fusion and Strategic Operations (IFSO), a specialised unit of the Delhi Police that deals with cybercrime.
The Ministry of Information Technology later informed Parliament that the servers had been compromised due to “improper network segmentation,” which led to operational disruptions due to the failure of critical applications. Preliminary analysis revealed that five servers were affected, and approximately 1.3 terabytes of data had been encrypted. The Minister clarified that no specific amount of ransom was demanded by the hackers, although a message on the server indicated that it was indeed a cyber attack. According to cyber experts, “improper network segmentation” suggests that the firewall meant to protect the network was not configured correctly, and the unmanaged switches lacked adequate safeguards. This inadequate cybersecurity allowed the hackers to corrupt the system. Furthermore, the IP addresses from the suspicious emails indicated that the attack originated from a foreign country.
Another incident that threatened the reputation and dignity of an individual was a deepfake video of a South Indian actor impersonating the face of a London-based Indian woman, which went viral on social media in November 2023. Although Meta and other social media platforms removed the video on their own, the IFSO wing of the Delhi Police investigated over 500 internet links, retrieved some deleted accounts, and successfully traced the origin of the deepfake. The accused confessed to creating the video to increase his Instagram following but subsequently deleted the posts and changed the name of his Instagram account. These two examples illustrate the significant damage that cyber-attacks can inflict on both strategically important institutions and individuals.
Legal Aspects
The IT Act of 2000 was enacted to stimulate the growth of electronic transactions and to provide legal recognition for e-commerce. It contains provisions to address computer-related crimes. Since then, various IT rules have been introduced to tackle specific issues, such as “reasonable security practices and procedures” and “national critical information infrastructure.” To regulate intermediaries and social media platforms, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules were notified in February 2021.
The most recent development is the Digital Personal Data Protection Act of 2023, which aims to protect personal data and ensure its lawful processing. However, experience shows that simply enacting laws and regulations is insufficient; enhancing the capacity and capability of police forces to address emerging challenges is essential.
It is important to recognise that a regular police officer without a background in computer science cannot be expected to specialise in tackling computer-related offences. At most, such an officer can be trained to act as a first responder to preserve the crime scene and protect the integrity of electronic evidence. To effectively address the increasing number of cyber complaints, a sufficient number of cyber experts should be integrated into the police force, and dedicated cyber police stations should be established.
Additionally, while broad guidelines for the identification, collection, acquisition, and preservation of digital evidence are outlined in the Indian Standard IS/ISO/IEC 20037:2012 issued by the Bureau of Indian Standards (BIS), there is no separate procedural code for investigating computer-related offences. Furthermore, many State cyber forensic labs are not equipped to handle emerging challenges and have not been designated as “Examiners of Electronic Evidence” by the Central Government, which limits their ability to provide expert opinions on electronic evidence under the IT Act.
Although the newly enacted criminal laws emphasise the collection of forensic evidence, including recording statements using audio-visual means, and the Bharatiya Sakshya Adhiniyam of 2023 establishes a standard format for the admissibility of electronic evidence in a court of law, the lack of training resources may hinder the development of effective police officers in this field.
The concept of “safe harbour” should be reconsidered to increase the accountability of intermediaries. The IT Rules of 2021 require intermediaries and social media platforms to exercise “due diligence” and make “reasonable efforts” to prevent users from hosting, displaying, uploading, or sharing any harmful information, especially regarding children. However, these platforms are only required to remove objectionable material within 36 hours if they are notified by an authorised government agency or if a court orders them to do so. They are not legally obligated to implement preventive or investigative online tools.
India does not follow either the American or the British model to proactively identify and block child sexual abuse material (CSAM). The lack of necessary cyberinfrastructure means that reports of CSAM uploaded from India are identified and geo-tagged by the American National Centre for Missing and Exploited Children (NCMEC), which then forwards these reports to the National Crime Records Bureau (NCRB) under an agreement with the Ministry of Home Affairs (MHA) for legal action.
Due to the limited liability of Internet Service Providers (ISPs) under the IT Act, no proactive measures have been taken by them. Although the Ministry of Electronics and Information Technology (MeitY) has issued an advisory for social media platforms to remove misinformation and deepfake content, these measures will be insufficient and ineffective unless the platforms are required to deploy technical tools for identifying such content and reporting compliance. This would necessitate a revision of the “safe harbour” provision to make it more robust under Section 79 of the IT Act.
Lastly, the cyber attack on the AIIMS Delhi system highlights that even institutions managing sensitive personal health data lack a robust cybersecurity policy.
The primary reasons for vulnerabilities that hackers exploit include the lack of periodic audits, the failure to identify system weaknesses, outdated technology, and a shortage of dedicated and trained personnel.
To address these issues, it is essential to allocate sufficient budget resources to related institutions and to foster a culture of cybersecurity awareness to prevent future attacks.
As the world works to establish mechanisms and regulations to mitigate the misuse of artificial intelligence (AI), law enforcement agencies are facing challenges in investigating new types of crimes. During the inauguration of the annual Global Partnership for AI (GPAI) Summit in Delhi in December 2023, the Prime Minister of India emphasised the importance of watermarking AI products and acknowledged the rising concerns about cybersecurity and data theft. It is hoped that collaborative efforts among world leaders will strengthen infrastructure and assist enforcement agencies in overcoming the challenges posed by emerging technologies, ultimately ensuring the safety and security of citizens against new cyber threats.