Pseudo-intellectualism continues to be attached to computer crimes
D. Murali and C. Ramesh
Chennai, July 4: In the fight against cybercrime, companies are moving towards multi-layered defence of information resources, also referred to as defence in depth, says Dr K. Rama Subramaniam, an information security professional specialising in cybercrime management and CEO of Valiant Technologies, which provides consulting and training services in the areas of information security and digital forensics.
Speaking to Business Line on the gravity of the problem and the challenges that keep popping up with alarming regularity, he said that the use of strong technological defences, coupled with well-orchestrated policy-driven controls supported by a clear demonstration that the company takes security seriously, is the best way to minimise the occurrence of cybercrime.
“There are, of course, technology-driven measures, but these are the first layer of defence. A single layer of defence is a thing of the past. The most important thing for organisations is to realise the need to sensitise employees on various processes and procedures to be adopted to enhance security levels in the enterprise.”
Stating that cybercrime has ceased to be an exercise in satisfying intellectual curiosity and has become an economic activity, he said that the profile of cyber criminals is rapidly changing.
“Profiling of cybercrime perpetrators has now become extremely difficult these days unlike a few years ago, when the common profile portrayed cyber criminals as male, in the 20-30 age bracket, addicted to computers and without a permanent girlfriend!”
Earlier, cyber criminals engaged in this activity for fun, to “belong” to groups they thought were important, and to attract attention.
“Most importantly, he did not have malicious intent though the result was devastating. Equally important is that he never did it for money. But today’s cyber criminal is well educated; some convicted criminals in Western Europe even have a doctorate in computer science and have been teaching it.”
According to him, the cyber criminal of today often projects the image of a geek. “They hide behind the belief that hacking is one form of testing security even while harbouring malicious intentions, and take a stand that if owners of information systems can be careless, they deserve to be hacked.”
Though India is yet to evolve a technologically correct and legally tenable definition of cybercrime, it is generally understood that cybercrime results in loss to information assets.
“It includes destruction of some of the key attributes of an information asset like confidentiality, integrity and availability. In addition, cybercrime encompasses the electronic version of traditional crimes like stalking, theft and the like. There are also new forms of crimes that do not have a full equivalent in the pre-cyber era – like phishing and use of Trojans.”
On the motives behind cybercrime, Dr Subramaniam said that the reasons to choose cybercrime over conventional crime are many. “The cyber criminal sees that there is an in-built barrier to entry, since not everyone can commit cybercrime: it requires specialised skills and tools.”
Secondly, the returns-to-efforts ratio makes it attractive. “The effort required to rob a bank is significantly more than that required to hack into a financial system and transfer funds clandestinely, or to hack into a merchant database and use data on thousands of credit cards.”
He added that attacks like cyber extortion, especially when it is a micro-extortion, require very little effort and the victim finds it economically viable to pay up rather than report it.
Besides, cybercrime can be carried out remotely from the comfort of a computer environment; the risk of physical presence is obviated.
“Further, a pseudo-intellectualism continues to be attached to computer crimes. I come across a number of people who take pride in being known as an ethical hacker – an oxymoron in itself.”
He said that there are also some small-time hackers who work at the periphery and support small-time operations like getting a copy of IP held by a corporation; they are either employed by the competition or do so with a view to committing cyber extortion.
One of the chief hurdles in ascertaining the magnitude of the problem is lack of reporting. The Valiant CEO said that there is still a strong feeling that reporting cybercrime is analogous to an open invitation to hack, adding that governance considerations also come into play.
“Cybercrime is seen as absence of due care in the managerial process since the enterprise has not been able to protect a corporate asset, viz. information. The information asset is intangible and a copy is as valuable as the asset itself.”
Moreover, perpetrators have mastered to near perfection the art of removing all traces of an attack, and even if a trace were to be left, it will decidedly point to a wrong perpetrator, thus confusing the victim. Finally, victims are not sensitised on identifying cybercrime, its symptoms and manifestations.
“The only issue we face is the inability to quantify the exposure. I have been reiterating the strong need for a national-level survey on the extent and impact of cybercrime in India.”
On what companies can do to ensure that they are not vulnerable, he said that many Indian companies are quite conscious of the need to protect their information assets from the dangers of cybercrime.
“They need to clearly distinguish between cybercrime committed from outside and that committed from inside their systems. There are a few special groups of possible offenders that need to be guarded against – disgruntled employees and those who have left the organisation under unfavourable or unpleasant conditions.”
These people have an edge over the external attackers since they are privy to the internal information processing, access and storage architecture.
India was among the earliest UN members that passed a law regulating information technology.
However, Dr Subramaniam is of the view that the architecture of that law was more to regulate e-commerce and give legal credence to it and to provide a platform for Indian businesses to participate in global e-commerce.
“Though it did talk of computer security violations, the law was not designed as a means to deter cyber criminals and prevent cybercrime. There’s still a very strong case to enact a separate legislation that will address the menace in totality. It should take a more holistic view of cybercrime and address it from multiple perspectives.”
Dr Subramaniam is also Chairman of ISCCRF, a not-for-profit trust focusing on research in information security and cybercrime management.
He holds a doctorate from the University of Madras for research work that studied cybercrime from multiple perspectives – techno-legal, criminological and victimological.