Let’s examine some of the provisions of the amended Information Technology Act with respect to cyber security. The Act defines cyber security as “protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction”.
Cyber terrorism has been defined as an offence in section 66F—one who causes denial of access to computer resources, or has unauthorized access to a computer resource, or introduces a virus, with the intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in any section of the people is deemed to be committing cyber terrorism. If a person has unauthorized access to a computer resource with the intent to breach the security of the state, its sovereignty and integrity, and friendly relations with foreign states, then also he is deemed to be committing cyber terrorism.
The latter is an existing provision in the IT Act, 2000 (section 69). The former has been added because it’s well known that criminals attack critical infrastructures to disrupt the economy, governance, financial sector, public safety, energy, and health. Such forms of cyber terrorism are addressed by nations all over the world. India needs this to fight terrorists who have begun to use cyberspace for physical attacks.
Mumbai is witness to this—one of the critical elements of the November terrorist attacks was the use of technology by the attackers. They navigated their way to Mumbai by sea with Global Positioning Satellite systems, carried BlackBerrys, had CDs with high-resolution satellite images, used multiple cellphones with switchable SIM cards that were difficult to track, and used satellite phones. They also used remailer service to send emails, while maintaining anonymity. This clearly emphasizes how sophisticated terrorists have become and how complicated it is these days to develop and coordinate all of the necessary security measures to counter such threats.
Law to fight terrorists is only one of the ways, albeit an important one. Arming law-enforcement agencies with appropriate legal provisions with stringent provisions for punishment has the potential of acting as deterrents.
One wonders why an issue should be raised on the provision of life imprisonment for cyber terrorists who are a danger to national security. It is not appropriate to confuse cyber security by raising the issue of right to privacy since investigation into a crime has to follow the procedure set out under the law. National security is of the highest concern.
The current times demand actions commensurate with the threat posed by criminals. It was certainly not the case earlier that a large number of terrorists, spread across the world, could join forces to plan operations using information and communications technology, organize logistics, including maps and weapons. The state’s response, too, has to be different, and must make use of international cooperation to counter, capture and punish criminals.
Financial frauds are being committed in cyberspace by international gangs cutting across national borders with identity and data theft in one country, sale of credit cards in another country and transactions from yet another country. For example, criminal breach of the computer systems of TJX Companies Inc., a US-based retailer, saw the loss of information relating to around 100 million credit and debit cards. Criminals hacked into TJX’s data systems, kept the information in personal computer servers in the US and Eastern Europe and converted some of it into ready-to-use bank cards. Hackers sold the stolen information to people in the US and Europe on the Internet and also used the stolen cards to illegally withdraw tens of thousands of dollars at a time from automated teller machines. A US federal grand jury indicted 11 people of various nationalities.
Such crimes need to be addressed in national data protection laws. They call for not only national laws, but also call for international cooperation in investigations, collection of cyber forensic evidence and prosecution. A strong data protection regime requires all types of cyber crimes be covered to ensure data security and data privacy. The amended Act does precisely that.
Sections 69 and 69A of the amended Act empower the state to issue directions for interception, monitoring, decryption of any information through any computer resource; and for blocking websites in the interest of national security, and friendly relations with foreign states. These are no different from what has been there in the IT Act, 2000, so far. If anything, these sections have made the government more transparent since the procedures and safeguards subject to which interception, monitoring, decryption and blocking of websites will have to be prescribed.
Section 69B empowers the government to authorize to monitor, collect traffic data or information through any computer resource for cyber security. Again, the procedure and safeguards for monitoring and collecting traffic data and information shall have to be prescribed, making it fully transparent. One may sensationalize it again by using words such as “snooping”, but it is no different from the powers vested with the state under the Indian Telegraph Act, 1885, to intercept calls that have been upheld by the Supreme Court.
The amended Act is a step in the right direction. It strengthens the data protection regime, and makes cyberspace more trustworthy, bringing since cyber criminals, whether engaging in data and identity theft, financial frauds or posing a threat to national security through acts of cyber terrorism, to justice.
Kamlesh Bajaj is chief executive officer, Data Security Council of India. Respond to this column at firstname.lastname@example.org
This is the second of a four-part series on cyber security. Read Part 1 at www.livemint.com/ cybersecurity.htm