Unlike the physical world that has clearly defined geographical boundaries, cyberspace is borderless, and with increased Internet penetration, it’s becoming larger since its size is proportionate to the activities carried out in it. Buying and selling of goods or services, transfer of funds through banks, making credit card payments, sending emails, interfacing with people through social networking sites and exchanges of pictures, videos or music are some activities performed in cyberspace. There is, thus, a seamless merging of cyberspace with the physical world.
And clearly of crime, too—it is also used as a medium to exchange information for carrying out financial frauds and terrorist activities in the physical world. Cyber crimes are committed both in the physical world and in cyberspace by exploiting weaknesses in networks and computer resources. Securing of systems through cyber security measures, including their physical security, is essential to protecting cyberspace, thereby reducing chances of unsecure systems becoming vulnerable to attack, or being used to commit crimes. Nations have to take steps to secure systems within their borders even though cyberspace is borderless. Cyber security is essential for a nation’s internal security.
It is in this context that the passing of the Information Technology (Amendment) Bill, in the last Lok Sabha session in December, has to be viewed. The primary objective of the Information Technology Act, 2000, or IT Act, was to provide for legal recognition of electronic documents, and of digital signatures at par with handwritten signatures for e-commerce and e-governance applications in line with the Uncitral Model Law on Electronic Commerce, adopted by the UN Commission on International Trade Law (Uncitral), in January 1997. The Act created a legal environment that was conducive to the growth of e-commerce.
To inspire trust in e-commerce and e-governance, we need appropriate laws to bring cyber criminals to justice. Most countries have created separate laws to deal with computer misuse. India chose to have an omnibus law when it legislated the IT Act that included not only provisions for electronic records, digital signatures and certifying authorities, but also those that deal with unauthorized access to computer systems and some forms of cyber crime. The IT Act created a basic legal framework for e-commerce to promote trust in the electronic environment through acceptance of electronic documents and digital signatures as evidence in a court of law; promoted e-commerce and e-governance as major applications through legal sanctity accorded to electronic records and digital signatures; acceptance of electronic documents by the government, and provided for dealing with offences in cyberspace in the form of hackers and other criminals trying to gain access to databases and other business sites.
However, cyberspace has seen a significant increase in crime worldwide. India is home to the fourth highest number of Internet users in the world; cyber crimes recorded a 50% jump in 2007 over the previous year, under the IT Act, according to the National Crimes Record Bureau. Not many cyber criminals could be brought to justice for want of adequate enabling provisions and other technical-legal requirements for collection of cyber forensic evidence and its acceptance in courts. Besides a host of crimes that were not covered in the Act, there were problems due to the non-availability of data logs in servers and communication devices of Internet Service Providers (ISPs), cyber cafés and other organizations. There were no uniform guidelines for maintenance of logs by these service providers. Cyber cafés, for example, are governed by guidelines issued by state governments or under police orders. With such incoherent and incomplete processes, it has been difficult to arrest criminals and terrorists who have often used cyber cafés to communicate among themselves or have sent threatening mails to their targets.
While the amendments to the IT Act were triggered by the arrest of Avnish Bajaj, CEO, Baazi.com (now part of eBay) for allegedly transmitting obscene images of schoolchildren, as an intermediary, the initial focus of the committee set up by the government to review the Act was on defining the intermediary. At the IT industry’s instance, the government enlarged its scope to deal with data protection issues that were assuming importance. Outsourcing to Indian IT firms by customers in the US, the UK, Europe, Australia and other countries requires that the privacy of clients’ data handled by these firms is maintained and that there should be an enabling legal environment in India to address breaches of confidentiality and integrity of data.
Continued growth of outsourcing, with present revenues of nearly $50 billion (Rs2.44 trillion), depends to a large extent, on having a data protection regime that creates trust in trans-border data flows to India. Cyberspace security for data protection includes everything—from e-commerce and e-governance growth to electronic signatures, data protection, encryption, protection of critical information infrastructure, cyber security and national security. Amendments to the IT Act try to address all these.
Kamlesh Bajaj is chief executive officer, Data Security Council of India. The views expressed here are his personal views. He can be reached at email@example.com
This is the first of a four-part series on cyber security.