A team of researchers including professors of University of Brighton published a report in July 2009 titled “Crime online — Cybercrime and illegal innovation”. It was picked up by online news channels and quoted in news items to propagate lies about so-called cybercrimes in the business process outsourcing (BPO) industry of India. The report tries to present data from the annual reports of the Indian Computer Emergency Team, and Symantec in a way that suits its story, of India being a centre of cybercrimes and in general being a weak state. We want to set the record straight.
In a section entitled “Global Distribution of Cyber Crime”, the report notes that, “cybercrime is a global industry, but the combination of poor economic opportunities and high skills is driving many developing regions to surface as major players in cyber crime”. It has observed that most cyber attacks are directed to the US and UK even though the origin of phishing activities is also concentrated in a few international locations, namely the US, Southern Asia and Eastern Europe. It also observes that the US is still the major generator of malware, and according to the latest Symantec report it is still the country with the most underground servers. China is the focus of attention when considering the future of cybercrimes even as Russia continues to be the original home of cybercrime, where high technical skills are combined with stumbling economy and a long tradition of organised crime. The report quotes “Sophos Security Threats reports of 2007 and 2008” to identify top 10 countries hosting web-based malware, according to which China is at the top followed by the US, Russia, Ukraine, Germany, Netherlands, France, Poland, the UK and Canada. India does not figure in this list.
The report observes that the cases of spam, hacking and frauds reported in India have multiplied 50-fold during 2004-2007. A closer examination of CERT-In reports, however, reveals that the number of spam cases and phishing websites hosted in India is very small. Of the 2,565 security incidents reported in 2008, there were 604 phishing incidents. In 2007, these were 1,237 and 392, respectively. What do these numbers indicate? Even the growth in incidents from 2007 to 2008 is only 4 times, while the absolute numbers are insignificant on global scale of incidents.
It is instructive to examine Microsoft Security Intelligence Report H2, 2008. It gives worldwide distribution of phishing sites in percentages. India has 0.125 to 0.25 – the same as Australia, compared to the US at 10 per cent, Russia 5 to 10 per cent, and China 2 to 5 per cent. Likewise, for malware hosting sites India is at the bottom with 0.0001 to 0.16 per cent — even lower than Australia — with the US 5 to 10 per cent, and China having malware hosts in excess of 10 per cent.
Clearly, facts tell a different story. India is neither a malware hosting country, nor does it figure anywhere as phishing sites hosting country.
Elsewhere, it observes that “Brazil, Turkey, Poland, India and Russia are expected to increase their share of malicious activity because they have rapidly growing Internet infrastructure. Countries that have a relatively new and growing Internet infrastructure tend to experience increasing levels of malicious activity unless security protocols and measures are improved to control”. This is strange logic. What makes the researchers presume that India will not put ‘security protocols and measures’ in place?
In fact, Indian companies employ highly qualified manpower, put them through intensive training in data security, and implement robust privacy and security policies, which are constantly monitored for compliance. The delivery centres are physically secured, and appropriate technology solutions are deployed to isolate customer networks. Employees are put through stringent background checks at the time of hiring, while the operational area is kept under electronic surveillance.
Finally, the report states that Russia, Brazil and China are world leaders in cybercrimes. It also observes that, “India, Russia and Brazil share a light regulatory regime, an acceptable IT infrastructure and a relatively weak state”. This statement is unwarranted and needs to be strongly condemned. India has a strong data protection regime under the Information Technology (Amendment) Act, 2008 along with several other enactments such as the Indian Penal Code. There are specific clauses like section 43A and 72A in the IT Act, 2008 that mandate implementation of reasonable security practices while processing personal information, and any disclosure of personal information without consent of the data subject constitutes a breach that attracts penal and civil liability including compensation and imprisonment. India is certainly not a banana republic.
(The author is CEO, Data Security Council of India which was set up by software body Nasscom as a self-regulatory organisation to promote best practices in data security and privacy)