Somewhere off a Beijing suburb, a 28-year-old cracks the US
Department of Defense intranet at the Pentagon. He gets out vital defense
secrets.
Where did the crime occur? In cyberspace. The cracker even
used PC and e-mail which did not belong to him. Even if he’s tracked down,
there are few laws in place to charge him, bring him to book or to prove him
guilty.
This is the genre of cyber crime confronting a borderless
world whose laws are not as borderless. One in which there’s no effective,
standard way of legalizing tackling crimes over the Internet.
Nevertheless, each country is trying to evolve its own set of
cyber laws and legalize IT bills to secure its netizens, citizens within a
physical geography who are also part of the global Internet. This is definitely
the first step towards evolving a system of handling cyber-crime and enabling
online, electronic commerce.
India has also been one of the early starters in this area.
It’s studied various models of cyber laws in different countries, and drafted
and announced its IT Act 2000.
Cyber laws: Security and privacy
This summer, the Ministry of IT passed the IT Bill in
Parliament, and announced the IT Act in June this year. This set of "cyberlaws"
spans the recognition and legalization of electronic documents, authorizing use
of these by means of affixing digital signatures, establishing a digital
signature certifying authority, identifying cyber crimes and corresponding
punitive measures, laying down the procedure of regulation for certifying
authorities and amending other laws to make them consistent with the IT Act.
The Act is a good thing, say managers in the IT industry and
user enterprises. "It has boosted the confidence of the people to go in for e-commerce," says
V Ramakrishnan, EDP manager, Indian Bank. "The cyber laws have armed and
strengthened the enterprise. The government has built a lot of the security
aspects into the law. Ashish Sinha, VP, technology, Citibank, agrees. "We’re
one of the few countries where such laws have been formulated," he says.
Explaining the IT Act,
AK Chakravarti, advisor in the Ministry of IT, says that a primary motive was to
instill confidence in the enterprise. "Security is everyone’s primary
concern, including ours," he says. "Before drafting anything, we
studied the latest across the world on IT security, and tried to include their
essence in our draft."
But the enterprise focus also brings in some criticism, such
as from N Vijayashankar (Naavi), who has authored a book on cyberlaws and runs a
Web site on the subject. "Has the government looked at security as an
objective of the IT Act?" he asks. "The basis of cyber laws appears to
be to promote
e-commerce and the billions of dollars in revenue from the same, rather than
providing security."
The enterprise impact
An impact of the IT Act will be on the burgeoning e-economy,
paving the way for digital commerce–and for the long-awaited legalization of
financial transactions on the Internet. With this will come opportunities for
online transactions, online buying and selling, credit card processing and cash
settlement on the net across borders. ISP Satyam Infoway, for instance, is about
to commence its Safescrypt joint venture with Verisign, a global major in
digital authentication and certification, for online transactions in India.
Of course, there’s a healthy dose of criticism and
skepticism about the Cyberlaws. Says Mukund Kumar, VP, IMG Harita Infoserve,
"These laws have not been understood by many. Even if they were, their
implementation will be complex." Especially across geographies.
"Unless there is a common universal law in place, the IT Act will not be
fully effective."
Other industry persons say that the laws do provide a legal
framework for companies to fall back on in case of breach of contract or
non-fulfillment–but that security issues would be better addressed by public
key infrastructure (PKI). This will enable digital certification and
authentication of both businesses and individuals, so that there is the
reassurance of being able to accurately identify the parties one deals with
online. Such authentication is legally recognized and admissible in a court
which in fact will give companies the security to venture online for e-commerce.
Concerns
As a new and emerging area, there are several concerns from
the enterprise segment about the effectiveness of these laws. "There is a
need for a ‘cyber army’ or Cyber Emergency Response Team, as in other
countries, that would advise and guide the netizens on what is to be done after
a crime or disaster has occurred," says Naavi. Although the law has not
explicitly provided for such a team, the government could do this separately.
The ministry is working on providing information security management to the SME
segment, to familiarize companies here with prevalent international practices
and standards available in online trading, and sensitize the enterprise on how
to handle attacks from viruses and hackers. It’s also taking steps to create
awareness about the latest technologies available internationally, and to
certify Indian enterprises based on standards in this arena.
Another enterprise need is a protective umbrella to key
infrastructure and the enterprise segment. "A new initiative is the
National Infrastructure Protection Center, which will protect key infrastructure
such as electricity and telephones within the country," Chakravarti says.
In addition, the government is also mid-way into a project to create core
competency in the network security domain in the country.
There’s also criticism of the Cyber Regulations Appellate
Tribunal. Says Naavi. "This is an apex body that will advise the ministry
on cyberlaws," he says. "Then how can this tribunal comprise members
from the ministry?"
Other issues include some ambiguity in the way the cyber
crimes have been classified in two different chapters of the Act, omission of
some aspects related to intellectual property rights and privacy in the IT Act.
Chakravarti says the Ministry is open to any changes that
have to be made in the IT Act. "We can include any point that we may have
left out, now and as and when new requirements emerge. After all, we cannot
anticipate all the security issues before hand."
Despite these issues, most in the industry agree that the
Indian government has done well to respond early to the requirements of the new
economy, in formulating the IT Act 2000. The Act should have a positive impact
on the enterprise and the economy, helping accelerate the penetration and use of
e-enabling tecnologies.
Akila Subramaniam
in Chennai