The Hindu Business Line : <I>On the job </I>

Invoking the cooperation of all computer users in a country is one effective way of combating cyber crime. The exercise of countering cyber crime requires huge resources (both manpower and equipment) and multiple skills. I still remember the few sessions I had with private industry, especially IT companies, a few years ago, to explore how they could help the CBI (which I was heading at that time) in handling cyber crime.

The response was at best lukewarm, and I am not very sure whether that initiative was ever followed up by my successors. The provocation for my going back in time is the release recently in the US of the 2005 Internet Crime Report compiled by the Internet Crime Complaint Centre (IC3). It has several revelations that are of interest to us in India.

IC3 - a model to follow

IC3 is the creation jointly of the FBI and the National White Collar Crime Centre (NW3C) to facilitate a victim to register his complaint swiftly online. What IC3 does is to analyse the complaint, fill in the gaps and send meaningful reports to the law enforcement machinery immediately concerned. In sum, it is an intelligence agency that is abreast of trends and modus operandi, and is therefore able to provide the cutting edge for solving Internet-based offences. IC3 has six Federal agents and 40 analysts from industry and academia. They have a macro view of cyber abuse in the country and bring this to bear upon individual complaints, so as to end up with a focused note of guidance to the investigating agency. IC3 is an efficient instrument with which to blunt gangs that are out to vandalise cyber space for their personal gain.

I have always admired the FBI's proactive stance in quelling cyber crime. It is, therefore, not surprising that former FBI executives rate very high in the US employment market. For instance, the Bank of America, perhaps the largest bank in the country, has just roped in Christ Swecker, former Assistant Director of the FBI's criminal investigative division, to lead its corporate security tasks. This appointment comes against the backdrop of the bank reporting three separate customer data breaches last year.

I wish we had an apparatus similar to IC3 in India. I am hoping that the CBI will, one of these days, study the US experiment and adapt it to India's needs. Any complacence based on the flimsy statistics we now possess could prove costly in the years to come.

Spurt in complaints

Going back to IC3's report for 2005, one finds a definite spurt in complaints. During 2005, the IC3 received 2,31,493 complaints, a nearly 100 per cent increase over 2003 and 11 per cent over 2004. Internet auction fraud was the most reported crime, accounting for more than 60 per cent of the complaints. E-mail contact between the fraudster and the victim accounted for 73 per cent of the complaints.

Interaction through a Web page was far behind with 17 per cent. Non-delivery of merchandise and credit card/debit card fraud figured prominently among the complaints. While Internet fraudsters gained a whopping $183 million, for individual victims, the Nigerian letter fraud was the costliest, at an average of $5,000 per complaint. Interestingly, Super Bowl ticket frauds are becoming a formidable offence to tackle. I do not think our friends back home who get active during cricket ODIs will ever lag far behind their Super Bowl counterparts! Has the Board of Control for Cricket in India (BCCI) ever thought of preparing itself for this onslaught, if and when it decides to sell tickets online?

NSTC blueprint

News of another US initiative to combat cyber crime has just come in. The President's National Science and Technology Council (NSTC) has released a blueprint for coordinating cyber security research among federal agencies. The document was the culmination of deliberations between representatives of 20 organisations. One criticism of the document — whose main recommendation is the adoption of standard cyber security metrics — is that it has drawn only from government brains. In course of time, private sector views are also likely to be sought, so that the document receives widespread acceptance. The implications of emerging technologies for cyber security is another area of research suggested by the NSTC document.

Safeguard hardware, software

I am conscious that my column focuses too often on monetary losses suffered by private industry, and individuals, from deceit in cyber space. I, therefore, need to counter any possible distortion of the nature of the threat, which incidentally does not make any distinction between public and private damage. To be specific, the hardware and software employed for building or enhancing community safety need special care. This is in the context of growing dangers globally from terrorist recklessness. I have in mind packages such as Dfuze, the brainchild of the US Department of Alcohol, Tobacco, Firearms and Explosives (ATF). This particular database helps international agencies collect, analyse and exchange information on current investigations involving explosives. Most importantly, it provides technical information on the nature of explosives and their mode of delivery. It carries tools for imaging, and for secure record transmissions and high-speed data searches. `Dfuze' is among categories of databases in the governmental sector that are extremely sensitive and require the highest possible security. Any unauthorised access to it could prove disastrous to the community.

As is customary, I cannot sign off without referring to a recent live case, reported this time from Kolkata. Guess who was the offender! Ironically, it was a software developer who sent two offensive e-mails (one of which carried nude images) to an NGO employing women counsellors. The motive: the counsellors had rejected his overtures and he was therefore enraged.

The cyber crime cell of Kolkata Police moved in quickly, identified the miscreant with the help of the IP number and nabbed him. The offender has the prospect of spending five years in jail! While his impetuous act certainly deserves to be condemned, I am more amused by his stupidity! Surely, he has minimum knowledge of cyber forensics, which should have told him that the risk of being caught was too high for him to play any tricks with the innocent women of the NGO.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.

More Stories on : Security | Internet | Security Musings

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page