Cybercriminals are becoming more confident and experts say this will change only when the laws do.
The Indian penal code comes from the British era when criminals and victims were in the same jurisdiction. In the internet era, a criminal can be in another state or country. Laws and police standard operating procedures must be changed to match the ubiquitous nature of cybercrime.
“India needs a national level cybercrime investigation bureau, more capacity building and skilling of law enforcement authorities, and a cyberforensic lab at each police station,” said former IPS officer and cybersecurity expert Prof Triveni Singh.
Singh said that there is a need to introduce a comprehensive IT Crimes Law with stringent penal provisions and faster judicial process to reduce cybercrime.
“Notably India is an outlier among countries with a federal structure. Cybercrimes are not investigated by a federal agency here”, said Karthik Bappanad, cybersecurity strategist and former head of CySecK, a Centre of Excellence for cybersecurity at IISc backed by the Karnataka government.
Reforms needed across the board
The procedure for reporting a cybercrime needs to change. Currently, to file an FIR you need to be within India. But what if you are a non-Indian victim in another country targeted online by a scammer living in India? The victim can try reporting to their local police in the respective country or come to India to file a complaint. This isn’t practical when the scammed amount is a few hundred dollars.
Catching a cybercriminal is complicated even if it’s a domestic complaint. The victim files a complaint at their local police station which may have to coordinate with another state’s police station to catch the criminal. The average cost for conducting a multi-state police investigation, with travel and accommodation varies but is about Rs 75,000-80,000 per investigating officer.
That’s higher than the actual amount lost in most cases. In addition, current police procedures do not incentivise spending resources on cases originating out-of-state. This must change.
Also the judicial process for cybercrime must be expedited. A separate online court system could hear cases in case of financial cybercrime. This way, the judges, lawyers and victims could be from any location and a physical hearing will not be needed.
“Cooperation between police forces of different states and countries must be encouraged. Judges also need training to understand technology and cybercriminal modus operandi. Many accused get away for ‘lack of evidence’ since the scammer’s phone number linked to ID documents will never match the phone numbers used in a crime,” said Nitin Pandey, who trains law enforcement authorities on cybercrime forensics.
The need for a central agency
Cybercrime is currently a matter for state police to investigate. However, most instances involve criminals and victims in multiple states making it a hassle to decide who is responsible for investigation. That is why police should be open to cooperation and having a central agency step in when required.
State police will be concerned about dilution of powers if such an agency is formed. To mitigate potential power tussles, perhaps laws can be reformed to allow a national cybercrime investigation agency to step in once the state police request it.
What can regulators do?
Where cybercrime involves financial theft, officials say that the Reserve Bank of India needs to step in. “Why can’t the RBI be stricter with banks? Financial cybercrime is easy to stop if mule accounts are detected faster. Bank employees are often in on the scams and know when scammers set up mule accounts that receive stolen money,” said an IPS officer.
“RBI doesn’t want to be strict about who opens bank accounts because reduced bank account registrations will reflect poorly on numbers for Digital India mission. But poor KYC norms while registering new bank accounts is a reason cybercrime is flourishing”, the official said.
Experts say there is a case for the RBI to use AI or build an algorithm that will detect abnormal transaction patterns to identify mule accounts.
(The author is a freelance journalist. Views are her own)