Keynote address: Dr. Arvind Gupta, Director Vivekananda International Foundation (VIF)

Hon’ble Union Minister of State for Electronics and IT Sh SS Ahluwalia ji, Sh Rashesh Shah, Sh Gulshan Rai, Sh Chinoy, Sh Sumit Gupta, Sh Rahul Rishi,
VIF is delighted to join FICCI in organising this conference on ‘Cyber Crime Management’. Ensuring the security of cyberspace is a universal challenge. With the onset of technologies like artificial intelligence, machine learning, big data analytics and cloud computing, the nature of cyberspace and the character of cyber threats is changing. Internet of things (IoT) is becoming a reality. Artificial intelligence and deep learning have wide application from health and agriculture to consumer behavior and national security.

The mankind has never generated so much data as before. It has been said that global volume of digital data we create will reach 44 zeta bytes by 2020. Cybercrime and data security are closely interlinked. Data underpins every aspect of our activities. Cyber criminals are after data all the time. This creates issues such as who owns the data, how is data to be shared, what is the meaning of consent, how data privacy can be maintained.

The notion of privacy is undergoing a major transformation. In India, we are debating a data protection law. A White Paper on a data protection framework has been issued. The data protection framework that we adopt will have a major impact on India’s economic growth, societal norms and national security. The adoption of the General Data Protection Regulation (GDPR) by the European Union is a landmark development which will have global impact.
Unfortunately, security is not keeping pace with the rapid growth of data. The billions of devices that are coming on stream are relatively insecure. One can expect a massive rise in cybercrime in future. Urgent steps will be needed to ensure that the cyber products and technologies which are marketed are secure. The legal regime will have to be strengthened to fix responsibility. The emergence of new technology will have a significant impact on cyber crime scenario. These are dual use technologies. Artificial intelligence can be used to make a new generation of malware and cyber tools just as these technologies can also be used by laws enforcement agreement to fight cybercrime.

Cybercrime has cross-border dimension as well. New legal regimes are being adopted to deal with issues like privacy, law enforcement and cross-border flows of data. EU’s General Data Protection Regulation (GDPR) which came into force on 25 May 2018 will have major implications for companies doing businesses with EU countries. The EU has set very high standards of privacy, keeping them far above the obligations of safety and national security. The cost of non-compliance will be very high. Similarly, the Clarifying Lawful Overses Use of Data (Cloud Act) of the US, adopted recently, will have implications for law enforcement agencies. The US and UK are discussing a bilateral agreement under the Cloud Act to set up protocols and procedures by which law enforcement agencies can access information pertaining to terrorism and other cyber crime. India would need to examine whether it should also reach an agreement with the US for the purposes of exchange of information among law enforcement agencies.

Challenges before India

Digital technology is making rapid headway in India. The Government’s Digital India programme has made rapid progress. e-commerce, e-governance, banking and finance, health, education, and manufacturing are revolutionising our lives. The penetration of internet in India has crossed 30 percent mark. More than a billion subscribers are using cellphone. Digital payment system are being used increasingly after de-monetisation. India has the largest database of citizens in the form of Aadhar. Various services are now linked with the Aadhar system. The safety and security of the IT products and services being introduced in India is crucially important. cyber security has not kept pace with the developments in Information and Communication Technologies (ICT). It is important that the technologies that we are adopting in the cause of a governance and e-commerce are sound and secure.

India has been alive to the challenge of cyber security. In 2013 the Government came up with a comprehensive cyber security policy which identified the key elements of a robust assurance framework. The policy focuses on the creation of an assurance framework, open standards, secure e-governance services, protection and resilience of critical information infrastructure, human resource development, and public-private partnership to name a few. A post of National Cyber Security Coordinator was also set up to improve coordination. A target of producing 500,000 cyber security professionals was also set up. The IT Act was amended in 2008 to give it some teeth in dealing with cyber crime.

These steps were important and progressive. An institutional framework of cyber security was created. The awareness about cyber security has also been generated. The country has stepped up cyber security cooperation with a number of countries. However, it is becoming clear that much more needs to be done to deal with cyber security challenge in an effective way. The nature of cyberspace has changed significantly in the last few years. The advent of the mobile phone and apps has made cyber security even a more challenging issue. The onset of the era of IoT will make the cyber security challenge even more complex.

Cybercrime has assumed astronomical proportion. The attacks on financial and power sector have increased. High-profile cases of thefts from banks such as the Bangladesh Bank have been reported. Indian banks have also faced similar attacks. The electric supply system of Ukraine was also attacked. Recently we have seen how the Cambridge Analytica company stole data from Facebook and used it for political purposes. Social media is regularly misused to troll people and spread rumours.
What should India Do?

Cybercrime has already surpassed the proceeds from organised crime like drug trafficking. In order to deal with the new trends in cybercrime, the first requirement will be to review whether our laws are sufficient. The existing criminal justice system in the country does not seem to be geared towards booking cyber criminals. The second aspect of dealing with cybercrime is to ensure that cyber crime investigation in this country is strong. This will require strong cyber forensic system as well as training of investigators in cybercrime. The awareness about cybercrime will also need to be enhanced.

One of the major weaknesses of cyber security in our country is the absence of an indigenous cyber security industry. The security of imported cyber products is doubtful. We do not have an extensive testing infrastructure. Similarly, the Indian contribution to the setting up of global standards in cyber security is also marginal.

Cyber security has a wide array of stakeholders. Each one performs its role. Coordination among stakeholders is very important. However, fixing responsibility for cyber security breaches is a challenge. The cyber security coordinator should be legally empowered to do the coordination amongst different stakeholders. This will help strengthen the cyber security assurance system.

The Government needs to put more resources in cyber security. Cyber security will not come cheap. The shortage of cyber security professionals is key challenge. Resources will be needed to remote cyber security education, certification, training and awareness. Capacity building is equally important. Most departments do not have cyber security professionals or Chief Information Security Officers on a full-time basis. A time bound mission oriented approach will be required to address the shortage of cyber security professionals.

India must participate in the multi-stakeholder model meetings organised by ICANN. Lack of sufficient participation in their meetings has cost us dear. India’s say in the evolution of the multi-stakeholder model is minimal. The industry, civil society will have to take a greater role in engaging with the multistate quorum model.

It is a matter of concern that India, which has some of the most intelligent people in the world, is deficient in cyber security R&D. Indian companies are not spending enough on R&D. In contrast, China has set up special program on R&D including artificial intelligence. If India does not catch up in fundamental and applied research, it will remain dependent upon imported cyber security products and services to the detriment of the nation's cyber security needs. Industry must come forward and spend more on R&D. Similarly, the Government should also provide necessary incentives to industry to encourage them to spend more on cyber security R&D.

Given the enormity of cybercrime, a systematic approach will be required. A cybercrime Centre on the lines of the institutions set up in other countries such as the European Union could be considered in India as well. Timely sharing of information, cyber forensics, cyber investigation, and prosecution is essential.

In conclusion, I would like to emphasise that the approach to cyber security cannot be piecemeal. All stakeholders must work together. Coordination must improve. Indigenous Cyber security industry should be encouraged. Law must be strengthened. Mission oriented approach towards cyber crime should be adopted. Most important, the shortage of skilled people in cyber security must be addressed. A comprehensive approach to cyber security in the age of new technologies need to be adopted. The industry needs to work with the Government and academia to adopt a holistic approach to cyber security.