Pre-empting a cyber pandemic: A reminder to revisit digital security in the COVID-19 era

Although courts are coming down on cyber criminals with a heavy hand, the existing provisions do not seem to create adequate deterrence.

While the country grapples with the catastrophic impact of the COVID-19 pandemic, cases of financial cyber crime have been at an all-time high. Restrictions on physical movement, growth in digital transactions and online shopping, and increased online activity due to remote education and Work-From-Home have led to a large-scale surge in lapses of digital security.

During the second wave of COVID-19, in which India has witnessed a near-collapse of its public healthcare system, citizens have become victims of phishing (fraudulent websites were projected as COVID-19 resources or leads for hospital beds/oxygen cylinders), online sales of counterfeit drugs and bank fraud through fake donation links, including sham versions of the ‘PM CARES Fund’.

The problem of COVID-19 related cyber fraud and online scams is not localized. The Norton Cyber Safety Insights Report released in April 2021 revealed that in the past year, nearly 330 million people across ten countries, including India, have become victims of cyber crime and more than 55 million people have become victims of identity theft. These statistics are alarming and call for universally coordinated efforts to contain the rapid rise of cyber crime during the pandemic. However, in the first instance, critical and immediate measures in the areas of law, technology and public policy are required to be taken by India, which is fast becoming one of the biggest hubs for such activities.

Steps/measures taken so far

In 2020, the Central government set up the Indian Cyber Crime Coordination Center (‘I4C’), consisting of seven distinct agencies including the National Cybercrime Reporting Portal, Forensic Laboratory and the Threat Analytics Unit. The severity of the problem was clearly brought out by the fact that as of February 28, 2021, the I4C reporting portal (www.cybercrime.gov.in) had already received 3,17,439 reports of cyber crime incidents and 5,771 FIRs.

The portal also provides for a Citizen Financial Cyber Frauds Reporting and Management System for immediate prevention of money loss, along with a designated helpline number - 155260. A special cyber crime reporting system has also been launched this year by the Bengaluru Police, whereby victims of financial fraud can make a complaint on a designated phone number and the police will register the reported case as a Cybercrime Incident Report (CIR). The said CIR is referred to a particular control room, which will coordinate with the Reserve Bank of India (RBI) to freeze the beneficiary’s accounts within a short period of two hours.

Enforcement agencies such as state police departments have also been holding awareness workshops for their personnel to address common online frauds that have increased during COVID-19, including specific sessions on Internet Protocol Detail Record (IPDR) analysis and cryptocurrency fraud. Public alerts and advisories have been issued by the government for citizens to beware of counterfeit products, phishing attacks and spread of misinformation during the pandemic.

Though the government is becoming more aware and agile in alleviating parts of the problem, the measures remain largely piecemeal and uncoordinated. Both the regulatory and political frameworks face an acute lack of nuance in strengthening cyber security infrastructure and creating adequate deterrence for fraudulent elements.

Courts are also cognizant of the urgent need for stringent action. Recently, while considering an SLP against an order dismissing the anticipatory bail plea of a petitioner accused of theft of software and illegal copying of database and source code, the Supreme Court remarked that in cases of hacking and data theft, offences under the Indian Penal Code will also be invoked in addition to the penal provisions of the Information Technology Act, 2000 (IT Act).

The Jharkhand High Court also sought a reply from the RBI for devising a mechanism to track and recover fraudulent money, while hearing a PIL seeking to curb the growth of cyber crimes in the State that is home to the Netflix-famous phishing scams in Jamtara district. Earlier this month, the Delhi High Court rejected the anticipatory bail application of an accused in a fake call centre fraud case, while observing that “...the entire conspiracy and the manner in which various data of the victims were collected and the money trail pursuant to the cheating is required to be unearthed.”

Although Courts are coming down on criminals with a heavy hand, the existing provisions do not seem to create adequate deterrence, due to minimal penalties in comparison with the scale of crime as well as problems in enforcement and prosecution against anonymous infringers.

The way forward

The current challenges present an opportunity for the country to develop a robust multi-lateral system to fight against cyber crime. The need of the hour is targeted improvements to law and enforcement, in order to safeguard India’s critical information infrastructure and protect citizens from the pitfalls of digitisation. In this endeavour, the forthcoming National Cyber Security Strategy (NCSS), 2021 will be a crucial piece for the government to align the country’s outdated cyber crime policy with the rapid growth of technology.

However, the NCSS 2021 must adopt a proactive, rather than a reactive, approach in reducing vulnerabilities and minimising damage from incidents of cyber crime. The focus should be on creating transparent, centralized systems to ensure smooth coordination between State agencies and easy access for victims. Strong emphasis also needs to be placed on increasing accountability of officials in following up complaints in order to address the low complaint-to-FIR conversion rates of cyber crime in India.

The dramatic increase in the rates of cyber crime is also partly attributable to the inadequacy of the legal framework in delegitimising such activities. The face of cyber crime has undergone transformational change in the last few years. Thus, a re-look at the ability of the Information Technology Act, 2000 to address the nuances of cyber security, as well as accommodate newer technologies like quantum computing and artificial intelligence, is the way forward.

The indispensable role of the private sector in prevention and mitigation of cyber crime cannot be ignored either. It is imperative that businesses prioritise digital security as well as protection of their data and intellectual property. Accordingly, immediate attention must be given to revamping security policies to minimise breaches and allocating higher budgets for investment in anti-fraud technologies. Companies must periodically conduct risk assessments and disseminate updated information on best security practices to their personnel. Considering that India has witnessed a significant boost in cyber security ventures/start-ups, partnerships with such tech enterprises would also be crucial in the fight against cyber crime.

The pandemic has altered the world in more than a few ways. As we move towards the peak of digital transformation, it is critical to address the underlying concerns before they become intractable. The multiplying rates of cyber crime over the course of the last year have revealed the inadequacies of our digital infrastructure and the framework to catch perpetrators of cyber crime, providing the ‘perfect storm’ to take targeted action for a secure tomorrow.

The authors are Associates at Singh & Singh Law Firm LLP.

Bar and Bench - Indian Legal news
www.barandbench.com