Wednesday, March 9, 2011

First Techno Legal Cyber Crimes Investigation Manual Of India

Cyber law is a technical subject and this is the reason why law enforcement officials, lawyers and judges find it difficult to understand and apply. This is also the reason that we have a very bad conviction ratio for cyber criminals in India.

The task of police, lawyers and judges would become easier if there is a ready reference that they can refer to and rely upon in cases of cyber crimes. Perry4Law Techno Legal Base (PTLB) and Perry4Law are in the process of writing the first and exclusive techno legal cyber crimes investigation manual of India.

The proposed manual would briefly cover areas like cyber law, cyber crimes, cyber forensics, incident response, authorship attribution, anonymity, traceability, privacy issues, etc. It would also cover national and international best practices in this regard. The manual is in the final phase of preparation and it may be available to governmental departments and the general public after a few months.

In fact, an exclusive, extensive and techno legal cyber forensics investigation manual/book has already been written by Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB. These two manuals/books would cover almost the entire gamut of cyber law, cyber crimes and cyber forensics jurisprudence of India.

Perry4Law and PTLB are also in the process of writing manuals and books in other fields as well. So keep a close watch for the same at this platform and other sites of Perry4Law and PTLB.

We hope the Indian government and other stakeholders would find these books/manuals useful and would actively utilise them for effective cyber law and cyber crimes investigations.

Sunday, March 6, 2011

E-Discovery In India And Its Uses

Baljeet Singh

Electronic discovery has many purposes to achieve. It can be used as an effective measure to prevent frauds from being committed by timely detection of suspicious activities. It can also be used for detection of these frauds and crimes after their commission. Thus, e-discovery is both preventive and curative in nature.

E-discovery must be regulated by a legal framework to give it legitimacy. E-discovery law in India has still to be enacted. Although India has its cyber law in the form of the Information Technology Act 2000 (IT Act 2000), it is far from being sufficient for cyber forensics and e-discovery purposes. Suitable legislation in this regard is urgently needed in India.

E-discovery is also relevant for law enforcement, lawyers and the judiciary. The legal and judicial fraternity of India needs a temperament for scientific knowledge. This includes knowledge about cyber law, cyber forensics, digital evidencing and e-discovery.

E-discovery requirements for banks in India have also significantly increased due to the recent guidelines by the Reserve Bank of India that require banks in India to exercise cyber due diligence and adopt sound cyber security practices.

E-discovery can also supplement due diligence, incident response and periodic inspection of computers and other technology related systems. This helps in timely detection of frauds and other crimes.

We have a single techno legal e-courts training and consultancy centre of India. It is managed by Perry4Law Techno Legal Base (PTLB). It provides techno legal research, training and education in fields like digital evidencing in India, e-discovery in India, e-courts training in India, judges training, etc.

Friday, March 4, 2011

Cyber Due Diligence Could Have Prevented Citibank Fraud

Praveen Dalal

The Gurgaon based Branch of Citibank was in controversy recently due to the fraud committed by one of its employees. Many depositors and high net worth individuals (HNIs) of Citibank were defrauded to the tune of Rs 460.91 crore in that fraud.

The modus operandi of the crime was very simple. The accused committed the fraud by mobilising funds to the tune of Rs 460.91 crore without authorisation from HNI customers and certain corporates for the purpose of investing in the stock market, assuring them high returns. The accused fabricated a circular of the Securities and Exchange Board of India (SEBI) to lure people into investing into accounts held by his accomplices.

However, Banks and Financial Institutions must also be conscious of these fraudulent possibilities and they must be well prepared to prevent and tackle the same. For instance, Banks and Financial Institutions must regularly engage in “Forensics Audit” and “Incident Response”. Presently, Banks and Financial Institutions engage in these “Essential Exercises” only when something fraudulent or wrong has already taken place.

Incident Response and Forensics Audits are an essential part of the overall “Due Diligence Strategy” of a Bank or Financial Institution. Recently, the Reserve Bank of India (RBI) executive director G Gopalakrishna said that all banks would have to create a position of Chief Information Officers (CIOs) as well as Steering Committees on Information Security at the Board Level at the earliest. This also means that Banks and Financial Institutions now have to engage in “Cyber Due Diligence” on a “Mandatory Basis”.

Similarly, Amendments have been proposed in the Banking Regulations Act 1949 (BRA 1949) by the Finance Ministry of India. Under the proposed Amendments, RBI would get more “Regulatory Powers” to regulate the affairs of Banks. RBI has also made it clear that it would consider issuing fresh licences for private banks only after getting more regulatory powers, including “Supersession” of bank Boards.

RBI must also constitute a “Core Working Group” consisting of Techno Legal Experts from all fields. This Group can analyse Frauds and Regulatory Aberrations committed by Banks and Financial Institutions or their employees.

The Banking Reforms in India are already in progress and these suggestions can also be a part of the same so that the confidence and trust of Bank Customers and Investors are retained.

Banking Regulation Act Amendments Approved By Cabinet

Praveen Dalal

The Finance Ministry of India and the Reserve Bank of India (RBI) have been working in the direction of bringing many good Financial and Banking Sector Reforms in India. In this direction, RBI has already issued two good policy documents that would streamline use of Information Technology to enhance core banking practices in India.

The first document is a report of its Working Group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as Information Technology Vision Document for 2011-17 (IT Vision 2011-17). The vision document has made many good suggestions, including requiring that all banks in India would now have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of the Board of Directors.

Further, RBI has shown its willingness to allow big industrial houses to set up banks in India. However, it would not allow them to open the banks unless RBI gets the “Power to Supersede” Boards of banks that are not being run properly. RBI also wants the right to oversee the operations of the promoting company and any affiliates that will have business relationships with the bank. RBI has been suggesting bringing suitable Amendments in the Banking Regulation Act, 1949 (BRA 1949) in this regard.

Reacting immediately, the Cabinet approved the long-pending amendment to the BRA 1949. The proposed amendments align voting rights of shareholders in proportion to the equity held and provide more regulatory teeth to the RBI. These powers now include the power to supersede bank boards.

Finance Minister Pranab Mukherjee would bring the proposed amendments in the BRA 1949 in the current session of Parliament (March 2011) to carry forward the proposals made by RBI in this regard. Mukherjee said RBI proposes to issue guidelines for new private bank licences by the end of March. RBI has also made it clear that it would consider issuing fresh licences for private banks only after getting more regulatory powers, including supersession of bank Boards.

These are the much needed Banking and Financial Sector Reforms that were long pending. By including the contemporary issues of Information and Communication Technology, RBI has also covered a wide area. Hopefully the Parliament of India would approve the amendments as soon as possible.

Chief Information Officers (CIOs) Made Mandatory For All Banks In India

Reserve Bank of India (RBI) executive director G Gopalakrishna recently said that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. G Gopalakrishna further said the banks will have to implement the facility of "second factor verification" at merchant establishments and ATMs shortly.

The requirements are arising out of the two recently released documents by RBI. The first document is a report of its working group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as information technology vision document for 2011-17 (IT Vision 2011-17). The vision document envisages that all banks in India would now have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of the board of directors. The vision document also requires that while following the above, legal aspects relating to the provisions of the Acts such as Payments and Settlement Act, 2007 and IT Act, 2000 may be strictly adhered to.

This requirement of a CIO/CTO arises because many small banks do not have a designated CTO and also do not have a clear framework on information sharing. RBI is interested in a gradual shift to an online system where it can access all the information from the main server of the bank once the RBI's IT Vision is implemented. Those banks having no CIO/CTO and no steering committee are now required to have these requirements fulfilled as soon as possible.

The objectives of the vision document are to ensure the use of information technology beyond core banking and into newer areas like management of information systems (MIS) and better regulatory reporting.

The vision document has been prepared by a high-level committee chaired by deputy governor K.C. Chakrabarty. The vision document also recognises the growing operational risks arising out of adopting technology in the banking sector like use of Internet banking, which could affect financial stability.

If the vision document is fully implemented, it will ensure that the RBI gets access to the servers of all banks, including foreign banks, so that it has access to all the banking transactions. Further, the vision document also emphasises the need for internal controls, risk mitigation systems, fraud detection/prevention and business continuity plans. These are good banking reforms and they must be implemented by banks in India as soon as possible.

Tuesday, March 1, 2011

Intelligence Infrastructure Of India Is in Big Mess

Praveen Dalal

Intelligence Gathering and its timely Analysis and Utilisation are the benchmark of any good and effective Intelligence Infrastructure. When the terrorists attacked Mumbai recently, lack of Intelligence Sharing proved fatal.

Although Intelligence Inputs were available, they were not shared and made available in a timely manner. In other words, although the Intelligence Agencies did not fail, the Intelligence Infrastructure failed to act in a timely manner. This happened for the simple reason that we have good Intelligence Agencies but a very bad Intelligence Infrastructure.

The Intelligence Infrastructure of India needs streamlining. There are numerous Intelligence Agencies operating in India. However, there is no “Centralised Command” for the same. This results in an anomaly as there is no single authority to whom all of them can report and share their intelligence and other inputs.

The worst part is that the acts and omissions of these Intelligence Agencies are not governed by any Legal Framework. Parliamentary Scrutiny of Intelligence Agencies in general and Intelligence Infrastructure in particular is absolutely missing.

The example of the former is lack of Legal Framework for Intelligence Agencies and Law Enforcement Agencies of India. The example of the latter is absence of Legal Framework for Projects like Crime and Criminal Tracking Network System (CCTNS), National Intelligence Grid (NATGRID), Central Monitoring System (CMS), Aadhar/UID Project, etc.

CCTNS links up all of India's Police Stations and NATGRID would connect 21 sets of available databases for instant analysis and results. The “Biometric Details” obtained by Aadhar Project would be added to this list.

In short, the Intelligence Agencies and Intelligence Infrastructure of India have no clear cut direction, guidance and control. The time has come to create a good and effective “Intelligence Infrastructure” in India. We have already recommended that a “Centralised ICT Control System” (CICS) must be established by the Home Ministry of India under the guidance of Mr. P. Chidambaram.

If there are numerous Intelligence Agencies working for different Government Ministries/Departments, there is a possibility of “Lack of Coordination” and “Inadequate and Inappropriate Information Sharing”. Nothing can be more beneficial than a “Centralised ICT Control Centre” for the Indian National and Internal Security.

In fact, Mr. P. Chidambaram has already expressed his desire to establish a National Counter Terrorism Centre (NCTC) that would act as an “Umbrella Organisation” for all Intelligence Agencies. It may also be considered as a “Centralised ICT Control System” and the Home Minister must work really hard to establish NCTC as soon as possible.