Cyber crime could lure skilled unemployed youth. Authorities need to keep sharper vigil and also educate users on the perils they face.
There is increasing evidence that electronic crime is becoming more and more popular with the youth who have taken to crime these days either for fun or adventure or for crass economic reasons. This is something that should cause concern to policy makers and those in law enforcement. Not that this is something that is not already known to them. But there are growing signs that the trend will become more pronounced in the immediate future.
Technical expertise in the area of cyber attacks is growing. The number of students coming out of engineering colleges in India is huge. With IT companies slowing down intake, there is bound to be a large army of unemployed engineers whose frustration levels could take them directly to the underworld that is waiting to devour them.
Reversing the trend through creating new channels of honourable employment should, no doubt, be a top priority of government. At the same time, law enforcement outfits, especially cyber crime investigation cells, need to get their act together by improving the quality of their investigation as also educating computer users on how to protect themselves. This twin responsibility of police agencies will only get larger and not diminish in the days to come.
Pride led to their fall
A number of daring Internet crimes have been reported at home during the past few months. I shall avoid repeating their sensational details because our newspapers have reported them with the seriousness they deserve and the clarity that is needed for enabling citizens to get themselves educated. I shall, therefore, refer to two recent events abroad, one in Europe and the other in Africa that highlight the gravity of the problem.
Police in France detained, a few weeks ago, a group of hackers comprising 22 youths. The group had 16 minors, one of whom was as young as 14! The oldest was just 25. The arrests were made in Paris and parts of southern and central France. The Web sites affected were 34 and they belonged to business houses in France, Russia and Iceland, again confirming the international spread of the virus of e-crime.
How were the police alerted? This was mainly due to the gang members challenging one another on the greatness of their exploits. Also, such exchanges took place online, letting the entire world know that here was a gang that was reckless and waiting to be apprehended. Clever people can also be downright stupid as this instance of crime indicates. Reports indicate that the arrested youngsters will be convicted shortly. They could receive two years in jail and a fine of 30,000 euros for simple intrusion, and five years if they are found to have damaged data. It is this kind of deterrence that we in India are crying hoarse about, but without avail.
Another daring electronic crime is reported from South Africa, where belated investigations have brought to light a £12.8-million fraud perpetrated on the government. The criminals here used a clever combination of attacks, using a physical device and a malware component. That this was a sophisticated operation could be gauged from the fact that the fraud was continuing for nearly three years, unnoticed by the victim public agencies or the police.
Geoff Sweeney, who is Chief Technology Officer at Tier-3, an IT security vendor, describes the situation appropriately, when he says: "The evolution of malware has reached the point where the lines are blurring between viruses, Trojans and what we call multi-vector IT security threats." He, therefore, pleads for companies opting for a multi-layered security apparatus. (Strong password management, an up-to-date anti-virus software, appropriate firewalls, intrusion detection systems, CCTVs, will all provide a strong support system that could deter a prospective intruder. They may not eliminate break-ins, but will definitely reduce instances of intrusion.)
Sweeney will go beyond traditional defences and advocate the newly available behaviour analysis technology. Such technology will constantly monitor the network and alert the owner whenever abnormal movements are seen. This is perhaps analogous to what certain anti-virus giants, such as Symantec, have all over the globe, looking out for unusual activity in cyberspace.
In the name of ‘ethical hacking’
I go back to where I began, namely, youth involvement in electronic crime. Many experts believe that such crime is more attractive than conventional crime, which is not only hard to commit but is more risky.
What is more striking is the fact that crime syndicates find it time-consuming and expensive to train recruits for traditional crime. On the other hand, they have readily trained youth in the form of graduates coming out of our engineering colleges and who are itching to make a quick buck when frustrated by a tight employment market. When there is such an educated and trained pool of talent available, who will go for the untrained and uninitiated to execute their diabolical plans?
This is a dangerous situation which, unchecked, can lead to a galloping of crime on the Net. It is in this context that recruitment of students for what is interestingly labelled ‘ethical hacking’ becomes ominous. The Serious and Organised Crime Agency (SOCA) in the UK, a near equivalent of the FBI and the CBI, is visibly concerned at this trend. It believes that on-campus recruitment by the smaller companies for so-called consultancy assignments needs a scanner.
Another forum where dubious companies look for recruits is security conferences where disparate elements converge for what is ostensibly a place for exchange of ideas to make networks safer. What happens some times is the identification of talent for promoting illegal activities in cyberspace. Can there be any design that is more obnoxious than this? Unfortunately this is often promoted by companies spying on one another. The moral of the story is eternal vigilance is the price that companies who believe in ethics will have to pay, if they want absolute protection for their online data.
I want to end on a positive note to indicate that unravelling even the most sophisticated of cyber intrusions is not an impossible task. Gadi Evron, an expert who was intimately involved in defending the elaborate systems in Estonia, which were subjected to massive attacks in April 2007, now says that the “cyber riot” was to be viewed in the context of the Estonian authorities’ decision to move a Russian World War II memorial out of a town square and into a military graveyard.
The men behind the cyber attack launched on the occasion were Russian nationalists peeved by Estonia’s action connected with the memorial. Fresh postings in Russian blogosphere at the time gave directions for attacks on new Estonian targets each day. The help of botnet controllers was freely sought to intensify the assaults, first on Estonian government Web sites and later on commercial sites, including those of banks, thereby bringing the economic life of the country to a standstill.
While Evron was happy that all resources could be pooled together to come out of the impact of the attacks, in a recent article in the Georgetown Journal of International Affairs, he calls for a higher degree of coordination among all government agencies to handle future situations. He deserves to be read seriously by all of us in India, as threats to our systems from hostile neighbours are real and serious. A measure of transparency here from the Ministry of Information Technology will help to educate the common computer user, because the latter has also possibly a role during a national crisis caused by major cyber attacks.
The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.Related Stories:
Novelty, thy name is cyber deception
Keep cyber sharks at bay
Stress on safety