Maharashtra Plans Cyber Cell ExpansionSecurity Experts Warn of Potential Pitfalls
The number of cybercrime cases registered with the authorities in the state of Maharashtra stood at 630 in 2014, up from just 65 in 2010 - a tenfold increase. In response, Chief Minister Devendra Fadnavis recently announced a decision to grant additional resources to the state police to tackle cybercrime. Fadnavis also proposed setting up a regional CERT office in Mumbai and special courts to handle the state's cybercrime cases.
The Fadnavis government directed state police to submit a roadmap for enhancing the capacity of the cyber police station and cyber cell in Mumbai. Fadnavis also announced plans for establishing an officer of deputy commissioner of police rank to oversee cybercrime investigations.
This is the first such move by any state government at this scale. And while experts say that the moves are laudable and proactive on the government's part, they warn of pitfalls faced by other, similar initiatives.
"Cybersecurity cannot be viewed in the same manner as other law enforcement activities, and this is an accepted fact," says Dinesh Bareja, a leading independent security analyst and founder of the Open Security Alliance. "This is a great initiative to raise a force of 1,000 personnel for cyber cells across the state, but it is critical to have this big push in a planned manner."
Proposal and Background
Sadanand Date, joint commissioner (crime), Mumbai Police, who his known to have presented to the CM on this issue, says that the proposal calls for sensitizing 1,000 police personnel with rigorous training over the next two years to enable them to investigate cybercrimes registered under the IT Act.
Per the presentation made to Fadnavis, titled "Road map to deal with cybercrime," an amendment to the IT Act has also been requested from the center. According to the IT Act, only personnel of the rank of police inspector and above can investigate cybercrimes.
"Given that the number of PIs available is low to tackle the exponential rise of cybercrime, we have requested to propose amendment to the I.T. Act to empower junior officers to investigate these cases," Date says.
The proposal also calls for dedicated courts and trained prosecutors to handle cybercrime cases for early and effective disposal, he says.
Gurgaon-based Rakshit Tandon, consultant with the Internet and Mobile Association of India and cybercrime adviser for the Uttar Pradesh Police, says that the move is laudable. "It is known that we have good technology to support the cyber cell investigations in Mumbai," he says. More hands will be a welcome move, he adds.
Sustainable Cybercrime Fighting
Execution, experts say, will be the tricky part. How do the Maharashtra State police propose to implement a sustainable and practical system that trains officers? Do they have the necessary logistics and bureaucracy to make certain the plan doesn't collapse, like several other instances across the country? How do they ensure they get this right?
Bareja says the move requires not just policing, but also a strategic approach, planning and forecasting. The plan must first lay a strategy for tackling cybercrime and a plan for capability and capacity development, governance, relationship building, research, testing and more.
Bareja was an advisor to the Cyber Defense Research Centre (CDRC) - a joint initiative of the Govt. of State of Jharkhand and the Jharkhand State Police (Special Branch). The Centre shut down last year owing to lack of funding.
"One of the most important issues is the retention and growth of skills within the department. Training programs, continuous capability development must be planned for effective execution," Bareja says. Internal transfers usually rob departments of the experience any officer has built up over the years, he adds. It will be ideal to have a technical cadre that will include cybersecurity trained personnel, experts say.
Prashant Mali, a leading cyber law expert and founder and president of Mumbai-based CyberLaw consulting, agrees that having a separate police cadre for dealing with cybercrime and economic offenses will boost the effectiveness in handling these issues. including departmental transfers and skills retention.
"These can be the police with soft-skills," he says. "The new cadre need not be pressed into duty for law and order situations and can comprise personnel with deep technical skills."
This initiative may facilitate close connectivity between law enforcement in different states on these issues and, indeed, even on a global level with the Interpol, Mali says.
"Every police station should have one senior or junior officer trained to handle rising cybercrime," IAMAI's Tandon says. Training junior officers at the sub-inspector level to investigate cybercrime will also help overcome capacity issues on the ground, but this will necessitate a policy shuffle to amend the IT Act.
Mali says training personnel across the state police machinery, rather than setting up district-level cybercrime cells, is a good move. Today, even all other crimes besides cybercrimes usually have an IT or forensic aspect to them - either the evidence is electronic or part of the crime is perpetrated electronically, he says. The state's forensics capability remains poor, he says, with only five or six forensics professionals in the state forensics lab, with the rest on contract. This initiative will give a boost to the trained manpower available to address these issues.
The call for special courts to deal with cybercrime has also been well received. Mali says that India's only Cyber Appellate Tribunal, set up under the IT Act, has been without a chairman for the past three years. This has forced appellate mechanisms to be handled by highly pressed high courts, creating a huge backlog of cases.
"The success of such initiatives will definitely require a close liaison with the judiciary," Mali says.
Other questions remain. Re: setting up of a CERT in Mumbai, who will pay, and to whom will this CERT report? What are the timelines and the budget outlay? Unless a systematic and consistent effort is made, this initiative may also fade from relevance, as others have, observers warn. Details on these points and the way forward are awaited from the government.
Supporting efforts will be required at the back end, Mali says. He suggests constituting a database of offenders and fraudsters that can be shared at the national level to give better visibility of the cybercrime landscape and trends in the region.
From a technical standpoint, all tools are available, as departments have invested in purchases, Bareja says. But whether tools are effectively used is the question.
"Departmental dependency on private and public organizations continues to be high," he says.