
GOVERNMENT AND PUBLIC SECTOR

Cybercrimes
A Financial Sector View

Shri. Prithviraj Chavan


Hon'ble Chief Minister of Maharashtra

In a digital age, where online communication has become the norm, internet users and governments face increased risks of becoming the targets of cyber attacks. As cyber criminals continue to develop and advance their techniques, focusing on theft of financial information, business espionage and accessing government information is of prime requirement. To fight fast-spreading cyber crime, governments must collaborate globally and with various stakeholders to develop an effective model that will control the threat. India has had its share of incidents of cybercrime, more often in the financial sector, and this has often significantly impacted investor confidence. It is time that cybercrime is not thought of as just a security issue or a technology issue. It is at the very heart of how a business or Government builds trust with customers as well as how it builds and protects its brand value. In view of the above scenario, the Directorate of Information and Technology, Government of Maharashtra, has planned this conference on Cybercrimes: A Financial Sector View. The aim is to share with the government authorities and financial and legal sector experts the current scenario of cybercrimes in the financial domain and the challenges faced by the legal ecosystem in keeping pace with the current leap of cybercrimes. I wish warm regards to the success of the conference and hope it will be knowledgeable and useful to the participants.

Shri. Rajesh Aggarwal


IAS, Secretary Information and Technology, Government of Maharashtra

Recent reports on cybercrimes launched against large companies, specifically in the financial sector, demonstrate that protecting and securing data is more important now than ever before. Cyber attacks impact not only the brand value and revenue of the companies but, more severely, the trust of the customers involved in the system. In view of the given challenges, identifying how data compromise occurs, understanding the legal and operational challenges and identifying the different mechanisms of dealing with these challenges would arm the system better to fight this menace. The conference takes a peek at the current scenario of cybercrimes at the national level with a focus on Mumbai, the targeted victims, types of cybercrimes and steps to be taken for securing critical financial infrastructure. It also focuses on the current legal framework available and some of the major challenges faced by the Government authorities, financial sectors and the judiciary itself. We also look forward to a complete session on the challenges of dealing with the menace of cyber crimes in terms of human capacity, technology, jurisdiction and legal issues. The panelists are highly qualified professionals from the financial sector and the legal fraternity who bring in extensive knowledge and case study learnings in the field of cybercrimes. This conference aims at understanding the menace well, analyzing various challenges and ways of curbing its effect, and working towards a more safe and secure technology-based financial transaction environment.

Dr. Kamlesh Bajaj


CEO, Data Security Council of India

A nation's cyberspace is part of the global cyberspace; it cannot be isolated to define its boundaries since cyberspace is borderless. This is what makes cyberspace unique. Unlike the physical world that is limited by geographical boundaries in space (land, sea, river waters, and air), cyberspace can and is continuing to expand. Increased Internet penetration is leading to growth of cyberspace, since its size is proportional to the activities that are carried through it. Cyber security is part of national security. Cyberspace merges seamlessly with the physical world. So do cyber crimes. Cyber attackers can disrupt critical infrastructures such as financial and air traffic control systems, producing effects that are similar to terrorist attacks in the physical space. They can also carry out identity theft and financial fraud; steal corporate information such as intellectual property; conduct espionage to steal state and military secrets; and recruit criminals and others to carry out physical terrorist activities. Anyone can exploit vulnerabilities in any system connected to the Internet and attack it from anywhere in the world without being identified. As the Internet and new technologies grow, so do their vulnerabilities. Knowledge about these vulnerabilities and how to exploit them is widely available on the Internet. During the development of the global digital Internet and communications technology (ICT) infrastructure, the key considerations were interoperability and efficiency, not security. The explosion of mobile devices continues to be based on these insecure systems of Internet protocols. It is increasingly cheap to launch cyber attacks, but security systems are getting more and more expensive. This growing asymmetry is a game changer. It has another dimension, too: individuals, terrorists, criminal gangs, or smaller nations can take on much bigger powers in cyberspace, and through it, in the physical world, as well.
The effects of attacks on critical infrastructure such as electricity and water supplies are similar to those that would be caused by weapons of mass destruction, without the need for any physical attacks. Cyber security is a global problem that has to be addressed globally by all governments jointly. No government can fight cybercrime or secure its cyberspace in isolation. The consequences of a cyber attack are more likely to be indirect and more uncertain than most scenarios currently envision; we may not always recognize the damage inflicted by cyber attackers. Cyber security is not a technology problem that can be solved; it is a risk to be managed by a combination of defensive technology, astute analysis and information warfare, and traditional diplomacy. Cyber attacks constitute an instrument of national policy at the nexus of technology, policy, law, ethics, and national security. Such attacks should spur debate and discussion, without any secrecy, both inside and outside governments at national and international levels.

Navin Agrawal
Partner, IT Advisory, KPMG in India

The increasing use of technology, particularly by businesses to drive their operations and to deliver world class services, has led to the evolution of a new threat. The growth of complexity and access to technology has made us more susceptible to hi-tech crime, which is also a new form of business threat that requires a fundamental shift in the risk management arena of businesses, particularly in the financial domain where the risk is very high. The seriousness could be ascertained from the report published by the World Economic Forum, Global Risks 2012, in which cyber threat is rated as a serious threat to the world based on likelihood of impact. Cyber threats are real and their impact could be felt across borders, businesses and communities. KPMG in India is proud to be associated as the knowledge partner of this conference on Cyber crimes: A financial sector view and thus continue our association with this prestigious event for the Government of Maharashtra. We would like to think of this event as a confluence of thought leadership, where business and technology streams meet to discuss, share, evaluate, strategise and provide insights for the evolution of secure business practices. This conference in association with the Government of Maharashtra and Nasscom focusses on issues and trends of cyber crimes in the financial domain, and how the industry is dealing with this new type of crime. Considering the dependency of banking businesses on the internet and the medium's vast reach, cyber crime could pose a threat to the financial sector and partnerships need to be formed to fight this crime. These threats can be suitably addressed by sharing insights, experiences, ideas and key skill sets and working through these issues with subject matter specialists. This would also help create secure and robust business practices against existent threats to gain competitive business advantages through business continuity.
We at KPMG would like to facilitate this entire process of collaborating thoughts on cyber security and try to present various scenarios related to cyber security in the financial domain which could impact the industry in future. As we know, technology is no longer an enabler, but seen as a business driver. We hope you will appreciate the insights and concerns presented before you and are able to benefit from the thoughts presented at this event.

Contents
Financial Service Sector Overview
Technological Risk
Time and money spent
Threat
Types of crimes in Financial sector
Statistics - Global & India & focus Mumbai
Legal Framework Support
Key Challenges/concerns which needs to be addressed
Challenges faced by governments
Way forward

1 | Cybercrimes: A Financial Sector View

Currently, there are nearly 2 billion internet users and over 5 billion mobile phone connections worldwide. Every day, 294 billion emails and 5 billion phone messages are exchanged.

50,000 victims every hour
820 victims every minute
14 victims every second1

Most people around the world now depend on consistent access and accuracy of these communication channels. Among all cybercrime victims surveyed 80 percent were from emerging markets, compared to 64 percent in developed markets. The US Government estimates American businesses suffered losses of intellectual property totaling more than USD 1 trillion from cyber attacks. With over five billion mobile phones coupled with internet connectivity and cloud-based applications, daily life is more vulnerable to cyber threats and digital disruptions. The related constellation of global risks in this case highlights that incentives are misaligned with respect to managing this global challenge. Online security is now considered a public good, implying an urgent need to encourage greater private sector engagement to reduce the vulnerability of key information technology systems. A healthy digital space is needed to ensure stability in the world economy and balance of power.2

1 Symantec Cyber Crime Report 2011

2 World Economic Forum Report: Global Risks 2012


Financial Services Sector Overview

These are challenging times for the banking industry globally, thought provoking and extremely rewarding at the same time. Due to volatile geopolitical and global macroeconomic conditions, many financial institutions have been forced to evaluate their current operating practices and think about where they would like to be in future and, more importantly, how to manage growth as well as risk in line with stakeholder expectations. The Indian banking industry provides strategic opportunities for innovation-led growth, a moot point to meet challenges thrown by the current environment. Technology is likely to play a significant role in guiding this new approach to growth and risk management.3

In the financial domain, technology is no longer an enabler, but a business driver. In the last decade, the phenomenal growth of IT, mobile penetration and communication networks has facilitated growth in extending financial services to the masses. Technology has facilitated delivery of banking services to the masses and changed the way financial institutions function. Technology has made banking services affordable and accessible by optimizing the way these institutions operate today. Regulatory bodies, banks and other institutions/agencies have undergone a paradigm shift in their respective areas of operations, service delivery and consumer satisfaction. Financial institutions have gained efficiency, outreach and spread through technology in the last two decades. The benefits of technology such as scale, speed and low error rate are also reflected in the performance, productivity and profitability of banks, which have improved tremendously in the past decade. Technology initiatives are being taken by banks in the areas of financial inclusion, mobile banking, electronic payments, IT implementation and management, managing IT risk, internal effectiveness, CRM initiatives and business innovation.

3 KPMG in India: IT in Banking Managing the present by looking to the future, August 2008


Technological Risk

[Figure not reproduced. Source: World Economic Forum Report: Global Risks 2012, Seventh Edition]

In a digital age, where online communication has become the norm, internet users, governments and organizations face increased risks of becoming the targets of cyber attacks. As cyber criminals continue to develop and advance their techniques, they are also shifting their targets, focusing less on theft of financial information and more on business espionage and accessing business information. To fight fast-spreading cyber crime, the sector must collaborate globally to develop an effective model that will control the threat. The issue of primary importance is that no national government operates an effective compilation service to identify trends in cyber-crime, with the exception of the Internet Crime Complaint Center (IC3). Most cyber-crime is on such a small scale that law enforcement organizations are not interested in dealing with individual cases, and, in many cases, individuals may not care enough about the amounts involved to take action. Therefore it tends to go unreported.4

4 Cyber Crime A Growing Challenge for Governments July 2011, Volume Eight kpmg.com

Various risks managed by financial bodies are as follows:5


Financial Risks
Infrastructure Risks
Technology Risks
Data Risks
Human Risks

5 Evolving Security Architecture in Banks: IBM 2009


Time and Money Spent

Global Scenario

USD 114 billion is the total loss of cash in 12 months.
USD 274 billion is the total loss of time for victims of cyber crime.
On average, 10 days were spent by victims to satisfactorily resolve hassles of cyber crime.

Indian Scenario

USD 4 billion is the total loss of cash in 12 months.
USD 3.6 billion is the total loss of time for victims of cyber crime.
On average, 15 days were spent by victims to satisfactorily resolve hassles of cyber crime.6

Threat

Among all cybercrime victims surveyed, 80 percent were from emerging markets, compared to 64 percent in developed markets.
Only 21 percent of victims reported cybercrime to the police.
59 percent of victims who'd suffered both online and offline crime felt there were fewer ways to get help after the cybercrime.
In India, 59 percent of mobile phone owners access the internet via a mobile device, out of which 17 percent experienced mobile-related cyber crime.6

6 Symantec Cyber Crime Report 2011

Types of Crimes in Financial Sector7

Control over the physical world is generally localized, low-tech and underpinned by many well established practices and procedures. The challenge to this seemingly well-oiled machinery is offered by a new paradigm of organized crime: cybercrime. The increasing use of the internet by all facets of society has led to the evolution of a new field of criminal activity that is defined by its dependence on the internet. While certain aspects of cyber crime are held in common with previously existing forms of criminality, it is nevertheless true that cyber crime forms a distinct category of its own, one that requires different mechanisms to deal with it. Most cyber crime involves multiple, undetectable, small crimes or micro-crimes. Although the headline events are those where gangs of organized criminals use technical means to electronically steal millions from banks, successful operations at the beginning of the decade used simple fraud techniques to steal small value denominations from multiple individuals without alerting the victims or the law enforcement agencies. Avenues for these operations could range from gaining illegal access to personal bank accounts to selling access to compromised computers.

7 KPMG in India: IT in Banking Managing the present by looking to the future, August 2008.


Global dimensions and borderless limits have given rise to the need for new and innovative responses to the issue of cyber crime or electronic crime. The growth in the off-take of the information highway and telecommunications presents a great challenge for policing. Hi-tech crime presents a new form of business threat that requires a fundamental shift in policing methodology.8

A financial-services organization provides specialized, private banking products and services to its customers. Its services cover property, investments, capital markets and asset management. Its customer base is its biggest asset, and offering strong protection to these customers is of paramount importance both to retain and grow business, and to protect its reputation for high-quality service. Companies in the financial domain have experienced an increase in instances of cybercrime in the past few years. Cyber crime threats exist at each level of IT systems. The emergence of such threats at different levels is due to an explosion of online banking and shopping, coupled with the increasing willingness of consumers to disclose personal information over the internet. Hackers are now enabling a larger market of script-junkies whose deficient skills would otherwise shut them out of the cyber criminal enterprise.

Vendors of online security products have an interest in talking up the threats of cybercrime, while victims of cybercrime often have an interest in remaining silent. It is therefore very difficult for firms and organizations to get a clear picture of the true levels of the risk and needs for investment. Correcting such information asymmetries should be at the centre of policies to improve global cyber security and to ensure an efficient market. Firms have an incentive to invest in cyber security measures that protect their own interests, rather than in those measures that contribute to the health of the overarching critical information infrastructure. Innovative multi stakeholder collaboration will be required to tip the balance towards investment in creating systemic resilience. There are no proven secure systems, only systems whose faults have not yet been discovered, so trying to overcome hackability may be as hopeless as denying gravity. Instead, the goal should be finding ways for well-intentioned individuals to identify those faults and deploy remedies to end-users before would-be cyber criminals can discover and exploit them. Experts believe that the levels of resource devoted to this effort are nowhere near adequate, but there are signs that some industries are taking cyber threats more seriously. In November 2011, 87 banks in England participated in a mock cyber attack stress test in preparation for an anticipated increase in attacks during the 2012 Summer Olympic Games.9

8 KPMG in India: IT in Banking Managing the present by looking to the future, August 2008

9 World Economic Forum Report: Global Risks 2012

| Type of Attacks | Details |
| --- | --- |
| Viruses and worms | Viruses and worms are computer programs that affect the storage devices of a computer or network, which then replicate information without the knowledge of the user. |
| Spam emails | Spam emails are unsolicited emails or junk newsgroup postings. Spam emails are sent without the consent of the receiver, potentially creating a wide range of problems if they are not filtered appropriately. |
| Trojan | A Trojan is a program that appears legitimate. However, once run, it moves on to locate password information or makes the system more vulnerable to future entry. Or a Trojan may simply destroy programs or data on the hard disk. |
| Denial-of-service (DoS) | DoS occurs when criminals attempt to bring down or cripple individual websites, computers or networks, often by flooding them with messages. |
| Malware | Malware is a software that takes control of any individual's computer to spread a bug to other people's devices or social networking profiles. Such software can also be used to create a botnet, a network of computers controlled remotely by hackers, known as herders, to spread spam or viruses. |
| Scareware | Using fear tactics, some cyber criminals compel users to download certain software. While such software is usually presented as antivirus software, after some time these programs start attacking the user's system. The user then has to pay the criminals to remove such viruses. |
| Phishing | Phishing attacks are designed to steal a person's login and password. For instance, the phisher can access the victim's bank accounts or assume control of their social network. |
| Fiscal fraud | By targeting official online payment channels, cyber attackers can hamper processes such as tax collection or make fraudulent claims for benefits. |
| State cyber attacks | Experts believe that some government agencies may also be using cyber attacks as a new means of warfare. One such attack occurred in 2010, when a computer virus called Stuxnet was used to carry out an invisible attack on Iran's secret nuclear program. The virus was aimed at disabling Iran's uranium enrichment centrifuges. |
| Carders | Stealing bank or credit card details is another major cyber crime. Duplicate cards are then used to withdraw cash at ATMs or in shops. |


Cyber-crime has spawned many entrepreneurs, though of dubious repute. They have given rise to new criminal hacking enterprises aimed not at committing fraud but at providing services to help others commit fraud. This operation enables people to commit crime vicariously, i.e. without any direct perpetration. Another model is to create a subscription-based identity theft service: rather than stealing personal credentials themselves, cyber criminals have hacked into PCs and then charged clients for a limited period of unfettered access. As is the case with most business services, customers willing to pay extra can obtain premium services such as a complete clean-up of the stolen data, i.e. getting rid of low-value information, and assistance with indexation and tagging of data, etc.10

New skills, technologies and investigative techniques, applied in a global context, are required to detect, prevent and respond to cyber-crime. This is not just about the realignment of existing effort. This new business will be characterized by new forms of crime, a far broader scope and scale of offence and victimization, the need to respond in a much more timely way, and challenging technical and legal complexities. Innovative responses such as the creation of cybercops, cyber-courts and cyber-judges may eventually be required to overcome the significant jurisdictional issues that law and order agencies are currently facing. Law enforcement with regard to investigating crimes and handling evidence, dealing with offenders, and assisting victims poses complex new challenges. There is an unprecedented need for international commitment, coordination and cooperation since cyber-crime is truly a global phenomenon. It is also important to have a better understanding of the nature of the problem and to address the issue of significant under-reporting of this dangerous phenomenon. Prevention and partnerships will be essential to fight cyber crime.10

[Figure: Framework for Cyber threats and responses. Source: World Economic Forum Report: Global Risks 2012, Seventh Edition]

10 KPMG in India: IT in Banking Managing the present by looking to the future, August 2008


Statistics - Global & India and special focus on Mumbai


Cyber security is on the top-priority list of various financial organizations, regulators and governments. Cyber attacks ranked fourth among the top global risks in terms of likelihood in the World Economic Forum Report: Global Risks 2012.

[Figure: Top 5 global risks in terms of likelihood. Source: World Economic Forum Report: Global Risks 2012, Seventh Edition]


Legal Framework Support

The Data Security Council of India (DSCI) and the Department of Information Technology (DIT), India are the prime bodies looking after cyber security in India. To cater to the needs of cyber security issues, India has implemented the IT Act 2000 and the revised IT (Amendment) Act 2008.

Emergence of Information Technology Act, 2000


The Information Technology Act 2000 was enacted after the United Nations General Assembly Resolution A/RES/51/162, on 30th January, 1997, by adopting the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. This was the first step towards the law relating to e-commerce at international level to regulate an alternative form of commerce and to give legal status in the area of e-commerce. It was enacted taking into consideration the United Nations Commission on International Trade Law (UNCITRAL) Model Law on e-commerce, 1996.

The Act was aimed at providing the legal infrastructure for e-commerce in India. The Information Technology Act, 2000 also aimed to provide the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means. The Act states that unless otherwise agreed, an acceptance of contract may be expressed by electronic means of communication and the same shall have legal validity and enforceability.

Different types of cyber crimes have been described as offences under Chapter IX. Several crimes like hacking, phishing, data theft, identity theft, denial of service, spreading of virus, source code theft, sending lewd SMS/MMS/Email, pornography, child pornography and disclosure of information by organizations have been looked at in detail. The IT Act, 2000 provides for the constitution of the Cyber Regulations Advisory Committee, which has been advising the government as regards any rules or for any other purpose connected with the Act. The Act also has Five Schedules, the last one being the glossary and others which amend the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934 to make them in tune with the provisions of the Act.11

11 The Gazette of India, Extraordinary part -2 http://eprocure.gov.in/cppp/sites/default/files/eproc/itact2000.pdf


Noteworthy provisions under the IT Act, 2000


| Section | Cyber Crime Type | Penalty |
| --- | --- | --- |
| Sec-43 | Damage to Computer system etc. | Compensation for Rupees 1 crore |
| Sec-66 | Hacking (with intent or knowledge) | Fine of 2 lakh rupees, and imprisonment for 3 years |
| Sec-67 | Publication of obscene material in e-form | Fine of 1 lakh rupees, and imprisonment of 5 years, and double conviction on second offence |
| Sec-68 | Not complying with directions of controller | Fine up to 2 lakh and imprisonment of 3 years |
| Sec-70 | Attempting or securing access to computer | Imprisonment up to 10 years |
| Sec-72 | For breaking confidentiality of the information of computer | Fine up to 1 lakh and imprisonment up to 2 years |
| Sec-73 | Publishing false digital signatures, false in certain particulars | Fine of 1 lakh, or imprisonment of 2 years or both |
| Sec-74 | Publication of Digital Signatures for fraudulent purpose | Imprisonment for the term of 2 years and fine for 1 lakh rupees |

IT Act 2000. http://www.mit.gov.in/content/it-act-2000-dpl-cyber-laws

Currently, the IT Act, 2000 has been amended by the Information Technology (Amendment) Act, 2008. This law provides the legal infrastructure for Information Technology in India. The said Act along with its 90 sections is to be conceived with 23 rules called the IT Rules, 2011.


Key challenges/concerns which need to be addressed


Cyber Security Legal Issues

The major concern is primarily attacks on networks and the need for coming up with appropriate legislative frameworks for enhancing, preserving and promoting cyber security. Lawmakers need to come up with appropriate enabling legal regimes that not only protect and preserve cyber security, but also further instill a culture of cyber security amongst netizens. A large number of existing cyber legislations across the world do not yet address important issues pertaining to cyber security. A more renewed focus and emphasis on coming up with effective mandatory provisions is required, which would help protect, preserve and promote cyber security in the context of use of computers, computer systems, computer networks, computer resources as also communication devices.

Mobile law challenges

As the number of mobile users in India is increasing considerably, the use of mobile devices and content generated therefrom are likely to bring forth significant new challenges for cyber legal jurisprudence. There are no defined jurisdictions dedicated to laws dealing with the use of communication devices and mobile platforms. As people increasingly use mobile devices for output and input activities, there will be increased emphasis on meeting the legal challenges emerging with the use of mobility devices, more so in the context of mobile crimes, mobile data protection and mobile privacy.

Spam galore

As more and more users get added to the Internet and mobile bandwagon, email and mobile spammers will find increasingly innovative methodologies and procedures to target digital users. Lawmakers are likely to be under pressure to come up with effective legislative provisions to deal with the menace of spam.

Cloud computing legal issues

As India is moving towards the adoption of cloud computing, various important legal challenges pertaining to cloud computing will continue to seek the attention of cyberlaw makers. Cloud computing brings with it various distinctive new challenges, including that of data security, data privacy, jurisdiction and a variety of other legal issues.

Social media legal issues

In recent times there have been increasingly significant legal issues and challenges raised by social media. As social media websites continue to become the fertile ground for targeting by all relevant lawyers, law enforcement agencies and intelligence agencies, social media continues to become the preferred repository of all data. As such, social media crimes are increasing dramatically. Inappropriate use of social media is further increasing, thereby leading to various legal consequences for the users. The concept of privacy in the context of social media is greatly undermined, despite efforts to the contrary made by some stakeholders. Cyberlaw makers across the world have to face the unique challenge of how to effectively regulate the misuse of social media by vested interests and further how to provide effective remedy to the victims of various criminal activities on social media.

Way Forward
The Information Technology Act, 2000 and its amendment in 2008, though they provide a certain kind of protection, do not cover all the spheres of IT where protection must be provided. Copyright and trademark violations do occur on the net, but the Copyright Act, 1976 and the Trademark Act, 1994 are silent on anything that specifically deals with the issue. There is no enforcement machinery to ensure the protection of domain names on the net. Transmission of e-cash and transactions online are not given protection under the Negotiable Instrument Act, 1881. Online privacy is not protected; only Section 43 (penalty for damage to computer or computer system) and Section 72 (breach of confidentiality or privacy) talk about it to some extent, but they don't hinder the violations caused in cyberspace. Even the Internet Service Providers (ISP) who transmit some third party information without human intervention are not made liable under the Information Technology Act, 2000. It's hard to prove the commission of an offence as the terms "due diligence" and "lack of knowledge" have not been defined anywhere in the Act. The Act also doesn't mention how extra-territoriality would be enforced. This aspect is completely ignored by the Act, even though it came into existence to look into cyber crime, which is on the face of it an international problem with no territorial boundaries.

The Act has its own slated advantages, as it gave legal recognition to electronic records, transactions, authentication and certification of digital signatures, prevention of computer crimes etc., but at the same time it is afflicted with various drawbacks; for example, it doesn't refer to the protection of intellectual property rights, domain names, cyber squatting etc. This inhibits corporate bodies from investing in information technology infrastructure. Cryptography is a new phenomenon to secure sensitive information. There are very few companies at the present date which have this technology. Millions of others are still exposed to the risk of cyber crimes. India needs to update the law, whether by amendments or by adopting a sui generis system. Though the judiciary continues to comprehend the nature of computer related crimes, there is a strong need to have a better law enforcement mechanism to make the system workable.


Challenges faced by governments
Although governments are actively focused on fighting and preventing cyber criminals from damaging infrastructure, the very nature of cyberspace poses a number of challenges to the implementation of cyber regulations in any country. Within cyberspace it is often difficult to determine political borders and culprits. Furthermore, the cyber criminal community and their techniques are continuously evolving, making it more challenging for governments and companies to keep up with ever-changing techniques.

Tracking the origin of crime

According to Rob Wainwright, Director of Europol, criminal investigations of cyber crimes are complex, as the criminal activity itself is borderless by nature. Tracing cyber criminals poses a challenge.[12] While many experts speculate that the cyber attacks on Estonia and Georgia, for instance, were directed by the Russian cyber agencies, some of the attacks have been traced to computers originating in Western countries.

Growth of the underground cyber crime economy

A major threat that may hamper the fight against cyber crime is the growth of an underground economy, which for many cyber criminals can be a lucrative venture. The underground economy attracts many digital experts and talented individuals with a specialty around cyber initiatives. In the cyber underworld, hackers and organized crime rings operate by selling confidential stolen intelligence. Research shows that criminals are trading bank account information for US$10–125, credit card data for up to US$30 per card, and email account data for up to US$12.[13] Often, the acquired data is used in illegal online purchases and in exchange for other monetary transactions. The untraceability of the origin of these transactions poses a major challenge to government agencies in their efforts to fight crimes of this nature.

Shortage of skilled cyber crime fighters

Implementing cyber security measures requires skilled manpower. However, most countries face a shortage of skilled people to counter such cyber attacks. According to Ronald Noble, Head of Interpol, "An effective cyber attack does not require an army; it takes just one individual. However, there is a severe shortage of skills and expertise to fight this type of crime; not only at Interpol, but in law enforcement everywhere." Moreover, most trained or skilled people are recruited by the private sector, as it offers higher financial rewards. In the UK, the PCeU has experienced this shortage first hand, with only 40 core team members.88 Similarly, in Australia, the majority of cyber crime incidents, particularly minor incidents, remain unsolved or are not investigated due to the lack of eForensic skills and expertise.

Widespread use of pirated software

One of the major challenges to preventing cyber crime is the prevalence of software piracy, as pirated software is more prone to attacks by viruses, malware and trojans. Experts believe that the rapid growth of consumer PC markets in emerging countries, such as India, Brazil and China, has contributed largely to the rising piracy rates. Pirated software can include not only games, movies, office applications and operating systems, but also security software. Often, users prefer to obtain pirated security software rather than purchase and upgrade a legal version, thereby increasing the vulnerability of their systems to cyber attacks. For instance, one of the reasons for the spread of the Conficker virus in 2008 was the lack of automatic security updates for unlicensed software. The issue becomes more significant for those countries where pirated software is a common occurrence. China, which is one of the largest such markets, reported that nearly US$19 billion was spent on pirated software in 2009. In India, the unlicensed software market value stands at nearly US$2 billion. Ensuring cyber security is also a major challenge for Gulf Cooperation Council (GCC) countries, where 50 percent of software is pirated.[15]

[12] E-Crime Survey 2009, KPMG International
[13] War in the fifth domain, Economist, July 1, 2010
[14] Will the U.S. get an Internet kill switch?, Technology Review, March 4, 2011
[15] KPMG International, Issues Monitor: Cyber Crime: A Growing Challenge for Governments (July 2011, Volume Eight)


Way forward
Experts believe that to fight the borderless and continuously evolving cyber crime, global leaders must collaborate in joint initiatives. Nigel Inkster, an expert on cyber threats at the International Institute for Strategic Studies, stated, "Thus far, the discussion on how to set international standards on cyber has been very low profile and largely confined to the margins of the UN General Assembly." However, to overcome significant diplomatic hurdles, a concerted effort on the part of governments must be in place. In April 2010, the UN rejected a treaty on global cyber crime, due to disagreements over national sovereignty issues and concerns for human rights. Many countries have expressed concern over the new cyber laws. Russia, as one example, has refused to endorse the Budapest Convention on Cybercrime, which allows police and other legal entities to cross national boundaries without the consent of local authorities in order to access computer servers.

However, country officials in most developed nations do agree on the establishment of policies to protect cyberspace against criminals. Experts believe that developed countries such as the US should encourage other countries to introduce policies against cyber attacks, in a similar fashion as they do for nuclear weapons, missile defense and space. "The US has to frame a much clearer strategy with regard to cyber (warfare)," said Greg Austin, Vice President of Program Development and Rapid Response at the EastWest Institute. The US supports an International Telecommunication Union plan, which obligates the country of origin of cyber crime acts to conduct an investigation. The US also supports a Russian initiative that has called for a UN panel to work on cyber-arm limitations. However, experts believe that the implementation of such a coordinated initiative might take a few more years.

Apart from bilateral and multi-lateral initiatives between governments, much can be achieved by cooperating with the private companies that own and control the majority of the cyberspace network. Network owners or internet service providers can take more responsibility to help identify cyber attacks and attackers on user computers, and take the necessary steps to counter such attacks. Experts believe that while such preventive measures may not completely eliminate cyber espionage, they can certainly make cyberspace a much safer place.[13]

[13] KPMG International, Issues Monitor: Cyber Crime: A Growing Challenge for Governments (July 2011, Volume Eight)



KPMG Contacts

Navin Agrawal
Partner and Head, Management Consulting
T: +91 22 3090 1720
M: +91 99670 16367
E: navinagrawal@kpmg.com

Mahesh Gharat
Manager, Management Consulting
T: +91 22 3091 3352
M: +91 98337 32033
E: maheshgharat@kpmg.com

DIT Contacts

Suryakanth Jadhav
Director - IT
M: +91 98209 22647
E: suryakantjdhv@gmail.com

NASSCOM Contacts

Chetan Samant
Manager
M: +91 98203 04982
E: Chetan@nasscom.com

kpmg.com/in

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2012 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International. Printed in India.
