Statistics on the registration and prosecution or conviction of cybercrime play a role in illuminating;
- The reporting of cybercrime, and
- The investigation of cybercrime in India.
The following evidence suggests that there was gross under-reporting of cybercrimes by victims and problems in investigation and prosecution of cybercrimes. The situation depicted by these statistics implies that cybercriminals can work with a confidence level ranging from 96% to 99% that they will never be punished for their crimes. This points to the inefficacy of “defence-alone” strategy being advocated by many vendors of security products.
Types of cybersecurity incidents handled by CERT
Evidence
As per reports published by CERT-IN and NCRB (National Crime Records Bureau), the rate of prosecution and conviction of cybercrimes in India in 2015 was as low as 4.88 % and 1.78% (respectively) of the total number of cybersecurity incidents reported.
The Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and IT, is the nodal agency responsible for handling cybersecurity incidents. CERT handles incidents related to spam, website defacements, website intrusion, phishing, malware propagation, malicious code and network scanning and probing. Interestingly the number of cybersecurity incidents handled by CERT in 2015 has reduced by 14.7%.
Number of cybercrime cases registered in India
On the other hand, the number of cybercrime cases registered in India has increased considerably in 2015, by 20%. However prosecution of cybercrime in India still remains very low with only 5,425 cases being sent for prosecution in 2015. The percentage of cybercrimes ending in conviction in 2015 was as low as 1.78% of the reported or detected cybersecurity incidents.
Prosecution of cybercrime in 2015
Conviction of cybercrimes in 2015
Inference
While there has been an increase in the number of cybercrime cases registered in 2015, the number (11,592) still indicates under-reporting of cybercrime cases to LEAs in India. Companies choose not to report cases as they fear loss of reputation; further companies and affected individuals do not have the confidence in the capabilities of LEAs. The percentage of cases being taken up for prosecution (46% of the total number of registered cases) suggests that capabilities to investigate the multi-jurisdictional cybercrime needs to be strengthened.
Percentage of cybercrime cases ending in conviction
Rate of conviction after removing minor offences
Low rate of conviction of cybercrimes
Poor prosecution and conviction rates fail to act as deterrents to cybercriminals. This means that in order to achieve the objective of secure cyberspace, exclusive focus of building defences in forms of anti-virus, firewalls, IDSs, etc. is not going to suffice. Credible deterrence needs to be created through successful prosecutions.
This clearly points to the need to combat these low prosecution and conviction rates of cybercrime through:
- Moving from a reactive approach to intelligence led proactive approach to combat cybercrime by law enforcement agencies in collaboration with stakeholders like private sector and academia.
- Capacity strengthening of law enforcement agencies to combat cybercrime through bridging the gaps in skillsets and infrastructure.
- Developing a platform for global coordination of intelligence and operations.
- Providing strategic and research support to law enforcement agencies to combat cybercrime.
The author is an Indian Police Service (IPS) officer presently deployed with INTERPOL as Director of its Global Cybercrime Programme. This post reflects the author’s personal views and not of INTERPOL or the Government of India.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.