Why are cybercriminals always a step ahead of us?
On Friday, October 20, we had an insightful session by Dr K Rama Subramaniam, Group CEO of Valiant Technologies Group and an expert in cybercrime.
About Dr K Rama Subramaniam
Dr K Rama Subramaniam is former Chairman of the Board of Trustees of the Center of Excellence in Digital Forensics (India). He has been the Global Chair, for five consecutive terms, of the International Institute of Certified Forensic Investigation Professionals, USA. He has served for three terms as India’s country representative at the International Federation for Information Processing. He served earlier as Global Chair of the E&A Committee of the GAISP (Generally Accepted Information Security Principles) initiative in the US. Dr Subramaniam has been Adjunct Professor at the University of Madras and at the University of Dubai. He has a multi-disciplinary doctorate in the area of cyber-criminology from the University of Madras (India), a Master’s degree (with Distinction) in Technology Management from the University of Lincoln (UK) and a Master’s degree in Law (with Honours) from the University of Salford (UK). Dr Subramaniam holds FCA, CISSP, CISA, CISM, and CDPSE credentials and honorary fellowships – FISC and FCFIP. He is founder President of the first Indian chapter of ISC2. (The International Information System Security Certification Consortium, or ISC2, is a non-profit organization which specializes in training and certifications for cybersecurity professionals.)
Dr Subramaniam has served as Vice President of IIA in Zambia and as Vice President of IIA, Chennai Chapter. (The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Florida, USA.)
Dr Subramaniam has also served earlier on the Boards of ISACA Chapters in Chennai, Bangalore, and Dubai. (ISACA is a professional membership organization committed to the advancement of digital trust by enabling IS/IT professionals to grow their skills and knowledge in audit, cybersecurity, emerging tech and more.)
Definition of cybercrime
There are multiple definitions of cybercrime. The Journal of Economic Criminology lists 22 academically rigorous definitions.
The UNODC definition adopted for this presentation is: “an act that violates the law, which is perpetrated using information and communication technology (ICT) to either target networks, systems, data, websites, and/or technology or facilitate a crime.”
How cybercrimes are different from other crimes
When a conventional crime occurs, it is mostly detected by the victims who then report to the law enforcement agencies. This is followed by prosecution and dispensation of justice.
In the case of cybercrime, the victim may not even realize that the crime has happened. That is because digital assets can be copied and the copies stolen, and such copies are as valuable as the “original” assets. Similarly, an intrusion into an IT system may be difficult to detect, unlike, say, a household burglary or bank robbery. Whereas the theft of physical assets is immediately visible, the theft of digital assets is not.
Dr Subramaniam gave the example of a person keeping patent data for an invention on the laptop for filing the patent application after a long weekend. In the interim, if criminals hack the system, copy the data, and file the patent application in their own name, there is very little the victim can do.
The socio-legal system hinges on the victim calling for help. In some cases, even when victims are aware of the cybercrime, they may not report it to the police. There is a fear of reporting, as there may be an accusation of carelessness. Many corporates, for example, do not report cybercrime or delay reporting, as there could be a loss of reputation and stakeholders questioning the effectiveness of the asset protection process. A recent example is Paytm Payments being fined Rs 5.39 crores for late reporting of a cyber-attack.
Then there are others who believe there is no need to report the crime as they believe that cybercrime will happen only once. Others do not report cybercrimes because they think it is a waste of time. They feel the law enforcement agencies do not have the capabilities to apprehend the cyber criminals.
So the reporting of cybercrimes is very low. According to the WEF Global Risks Report 2020, in the US only one in eight cybercrimes is reported. The prosecution rate is only 0.5%.
According to Crime in India, only 127,203 cybercrimes were reported in 2020 and 2021. There are as many as 692 million internet users in the country, so it is an abysmally low reporting rate indeed.
Disconnects
Even if cybercrime were recognized and reported more regularly, that alone may not solve the problem. We first need to address the various disconnects in the system.
The law enforcement people, the public prosecutor, the defence lawyers, and the judiciary do not all understand the technical jargon in the same way. In Britain, the Lord Chancellor of the Exchequer appointed Lord Justice Robin Auld to review the provisions of English criminal law. Lord Justice Auld recommended that an expert should sit on the bench along with the judge in cases of technology crime. But this recommendation was not implemented by their parliament.
Often, in the case of cybercrimes, it is difficult to find an appropriate provision for prosecution under special laws. So common law (in India, the Indian Penal Code) or civil law is used. This often works to the advantage of the cybercriminals.
In short, the cybercriminals know that they will not be easily apprehended.
The value of the data infringed is a key consideration in many jurisdictions. In the case of digital assets, it is difficult to arrive at a value. Many petitions are dismissed ab initio on value grounds. Defence lawyers try to prove that the value involved is less than a certain amount to avoid a jail sentence.
Shaming
Shaming is an important deterrent for crime. A convict is looked down upon by society. But society seems to honour cybercriminals. Kevin David Mitnick (1963–2023) is best known for his high-profile 1995 arrest and five years in prison for various computer and communications-related crimes. After his release from prison, he ran his own security firm, Mitnick Security Consulting, and was also involved with other computer security businesses. Mitnick wrote 12 books and charged $100 for autographing a book. There was no shortage of autograph hunters.
Jurisdiction
Then there are the jurisdictional issues. There was earlier a lack of clarity on which jurisdiction would apply if a cybercriminal was caught. Consider an Indian national walking into a Malaysian cybercafé and hacking the database of an Australian company hosted in the US. Which country’s laws would apply? Later, it was ruled that the laws of the country where the criminal was apprehended would apply. So criminals now choose where to get arrested. They would rather be imprisoned in a place like Scandinavia, where prisoners are treated well, than in Africa. This is called jurisdictional arbitrage.
Other advantages
Cybercriminals are well funded. They are not short of time. They are investing plenty of money and time in planning and executing cybercrime. They are leveraging new technologies like AI to their advantage. They will be several steps ahead of us, most times. All the stakeholders must come together. Every element of the system should change, not just the laws.
Q&A
Dr Subramaniam is a Chartered Accountant by training. He began his career at ICI. Right from the start he was fascinated by technology. He took a lot of interest in the then prevailing IBM 1401 punched card machines. His interest lay in controls. Soon, he focused on putting controls into a computerised environment.
Dr Subramaniam realized that a multidisciplinary approach was needed to deal with cybercrime. He understood the need for research in this area. He took three years to find a PhD guide. But there has been no looking back since then. Dr Subramaniam has worked at the intersection of social sciences, technology, and law. Many consider him to be the father of cyber criminology in India.
The first generation of cybercriminals were mostly driven by the need to show one-upmanship. Consider students who would hack the system to send a message to professors if they were unhappy with their grades.
The second generation of cybercriminals were driven by the need to show one-upmanship and also to convey that they would attack anyone who did not agree with them.
The third generation of cybercriminals are mostly driven by the need to make money. They are organized gangs which invest heavily in developing capabilities to launch cyber-attacks of different forms. They realize that such crimes can be launched conveniently sitting in air-conditioned offices, without running any physical risk. Their risk assessment tells them that the chances of being apprehended are quite low. So the ROI is very high.
Note: Funding by organized gangs with ulterior motives for the internet is not new. In the past pornographic groups invested heavily to increase the speed of the internet. That was necessary to drive their revenues.
Cybercriminals have also infiltrated the systems of standards-setting bodies. As an illustration, an error in the computation of the strength of cryptographic primitives has been uncovered recently.
The kind of reach and capabilities which cybercriminals have developed is indeed scary. It will take time for the police to get on top of cybercrime. However, we will get there. It is like the British constabulary which has evolved over 200 years. Different stakeholders will realize the need to come together.
Edwin Sutherland coined the term white-collar crime. The distribution of the population in terms of tendency to commit cybercrime follows a bell curve. In any community, one sigma of the population will be inclined to commit cybercrime and one sigma will be inclined to stay away from it. The remaining four sigma will be cats on the wall, falling in the curious but ignorant category. These are the people who will determine the progress towards controlling cybercrime. As an illustration, instead of following a policy of eight-character passwords, these people may think: why not a seven-character password? But they do not understand the implications. These people may either not take precautions or may flout the protocols just to see what happens. They are not necessarily malicious and should be educated and made aware of the risks involved.
Academic institutions can play a big role in spreading awareness, creating a pool of trained professionals, and influencing government policies. Dr Subramaniam had worked with Madras University to launch a Masters course in information security.
Government universities are constrained by various rules and procedures. The private universities can seize the initiative and make an impact in this space. They can collect data and influence the people who matter. The government, police and the judiciary will provide full support.
Phishing mail with lookalike URLs is a popular method used by cybercriminals. In 80% of the cases, there will be small, minute differences from the authentic URL. Sometimes we may notice it; on other occasions, we may not. We should first check whether the mail makes sense. If, for example, we get a mail from a source which is not relevant to us (say a bank in which we do not have an account), we should not fall for it.
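The lookalike-URL check described above, written out as an added example that is not part of the original talk: it compares the registrable domain of a link against an assumed allow-list of an organisation's real domains (constructed here) and flags names within two edits of a known one, or a known name buried as a sub-label of some other domain.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the domains an organisation actually uses (an assumption,
# not from the talk); a real deployment would load this from configuration.
KNOWN_DOMAINS = {"examplebank.com", "example.com"}


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host (naive: ignores suffixes like co.uk)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, known=KNOWN_DOMAINS, max_edits: int = 2) -> str:
    """Label a URL as 'known', 'lookalike' or 'unrelated' relative to the allow-list."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    dom = registrable_domain(url)
    if dom in known:
        return "known"
    # A trusted name used as a sub-label of another domain, e.g. examplebank.com.evil.net.
    if any(("." + k + ".") in ("." + host + ".") for k in known):
        return "lookalike"
    # Small, minute differences from an authentic name: within max_edits of a known domain.
    closest = min(known, key=lambda k: levenshtein(dom, k))
    if levenshtein(dom, closest) <= max_edits:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.examplebank.com/login", "https://exarnplebank.com/login",
              "https://example-bank.com/", "https://examplebank.com.evil.net/login",
              "https://totally-unrelated.org/"):
        print(classify_url(u), u)
```

The two-label rule for the registrable domain is deliberately naive; a production check would use the Public Suffix List.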
Dr Subramaniam once did an interesting experiment. When he got a phishing mail (asking him to rework his bank account), he provided the user id and password of the bank account, both fictitious of course. The system accepted both of them. Then it asked for the credit card number. When he gave a fictitious number, the Luhn algorithm (a checksum that rejects most randomly typed digit strings, and not very expensive to procure) immediately caught it and asked for the correct credit card number. This confirmed that it was a phishing mail. (Phishing is a technique to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site. The cybercriminal misrepresents himself as a legitimate business or reputable person.)
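The Luhn check Dr Subramaniam ran into is the same one a defender can use in reverse: the added example below, which is not from the talk, implements the check and applies it the way a data-loss-prevention filter does, picking real-looking card numbers out of a constructed application log so they can be masked before the log leaves the system.

```python
import re


def luhn_valid(number: str) -> bool:
    """Luhn check: from the right, double every second digit, subtract 9 from any
    result above 9, and require the digit sum to be divisible by 10."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans(text: str) -> list:
    """Return digit strings in text that look like card numbers and pass the Luhn check.
    Timestamps, phone numbers and reference ids usually fail the checksum and drop out."""
    hits = []
    for m in PAN_RE.finditer(text):
        raw = re.sub(r"[ -]", "", m.group())
        if luhn_valid(raw):
            hits.append(raw)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample log (not real traffic); the two valid PANs are public test numbers.
SAMPLE_LOG = (
    "2023-10-20 10:01:02 POST /checkout card=4111 1111 1111 1111 status=ok\n"
    "2023-10-20 10:01:05 POST /checkout card=4111111111111112 status=declined\n"
    "2023-10-20 10:02:00 POST /refund card=5500-0000-0000-0004 ref=1700000000123\n"
)

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print(mask(pan))
```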
We should not open the mail if we suspect something fishy. Most cybercrimes have happened through at least one suspicious activity.
It is unreasonable to hold the government accountable for controlling cybercrime. The government can only spread awareness. We must report cybercrime and also put in necessary safeguards.
There is no special global all-encompassing law to counter cybercrime as yet. Understanding of cybercrime varies across countries. Some countries follow common law. Others follow civil law / Islamic law.
India has a strong penal code. Cybercrime is often treated under common law as lawyers and judges are more comfortable with common law.
In some countries, law exists only on paper. It is not really implemented.
The understanding of what constitutes a cybercrime varies across countries. Once, there was a threat to the then Prime Minister from a resident of Tamil Nadu. The CBI studied the trail and arrested the person. It was touted as the most significant cybercrime that was averted in the nick of time. But the question arose whether it was really a cybercrime. Many lawyers thought it was a normal crime. The threat may have come online, but that was about it.
In the US, different states have different sentencing guidelines. The challenge is how to fit different versions of cybercrime into these guidelines.
The robbery at the central bank of Bangladesh has been touted as the biggest cybercrime so far in the sub-continent. But there have been bigger crimes. The reason this crime gained publicity was that the incident happened at the central bank, which is supposed to be the citadel of all banking controls.
The biggest crimes in the coming years may however result in an impact on human life rather than just money. Countries have deployed cybercriminals to attack enemies. This has been seen in the Israel Hamas war.
Tomorrow’s cybercriminal will not just look at IP-based data but also at SCADA (Supervisory Control and Data Acquisition) based systems, which control industrial processes. Normally, SCADA-based and IP-based systems do not talk to each other. If IP and SCADA systems are connected, it may have disastrous consequences. A good example is the Iranian nuclear reactor at Natanz. The incident affected the coolant system network at Natanz, leading to a shutdown of the plant until emergency responses kicked in. Next-gen attacks on SCADA systems may lead to disruption of water supply, sewage and electricity systems.
Battle tanks are an integral part of land warfare. The protection of the tanks lies in the strength of the armour. This is because of the special metallurgical components used. If SCADA systems are infiltrated, the strength of these components may be seriously undermined. The materials may become as brittle as glass. The result could be severe casualties.
Along with the rise of digital forensics is the rise of anti-digital forensics. The cybercriminals are ensuring that they do not leave behind any traces of the crime.
The police are often helpless. They are understaffed. They have a limited understanding of cybercrime. They do not have enough trained cyber security professionals. Today, cybercrime is not their top priority. It will take time. But the government will at some point of time address the problem adequately.
We must take care of security ourselves rather than delegate it to others. There are good protocols and processes available. We just need to follow them. We must do due diligence at the beginning and end of each day. But we do not pay enough attention to these protocols.
We must not open suspicious emails. If we have a doubt, we must check with our IT department. Most large companies can quarantine such mails. We should not short-circuit the prescribed protocols. If we follow the prescribed safeguards, we can take care of 99 out of 100 cases. Unfortunately, many of us fall in the category of curious and ignorant.
In the case of demat accounts, we must follow the guidelines given by the depository participants (DPs). When we are doing something online, if we suspect something, we must immediately stop what we are doing and talk to the concerned expert who can advise us.
We should not use insecure protocols such as TFTP. Enterprise IT must examine the firewall when there is a ransomware attack and determine where the traffic is coming from. Whether we can retrieve our files after a ransomware attack depends on the nature of the attack.
After a major cyber attack in 2007, Estonia introduced blockchain-based security. But Estonia is a small country, like one of our districts. In Estonia, the blockchain regulations were not introduced by the central bank. India is a much larger country. Different states have different regulations. The RBI has introduced various regulations for blockchain. So, replicating the Estonian model in India is not advisable.
For universities and similar institutions, data and knowledge are the key assets. They should be put on par with tangible assets. There must be controls which clearly indicate who can access the data, modify the data and so on. Universities must realize the value of their intangible assets. There are examples of universities which have been victims of cyber-attacks, though the news has not come out in the open. These arguments also apply to Research, Design and Development organizations for whom the main assets are intangible.