
Cybercrime cases are getting harder to solve for want of evidence, shows data

Jurisdictional issues, lack of resources and poor training make investigations harder, say experts. There are a lot of regulations for companies as far as finance, etc., are concerned. But when it comes to sensitive data such as medical data, there isn’t enough scrutiny, says a cybersecurity expert.

December 07, 2022 / 16:36 IST

As authorities still deal with the ransomware attack on AIIMS servers, an analysis of official data shows that the number of cybercrime investigations which are difficult to crack for want of sufficient evidence jumped up 120 percent in India in 2021 -- the latest year for which data is available.

The number of such cases went up from 13,384 in 2020 to 32,203 in 2021, according to the National Crime Records Bureau (NCRB).

Cybersecurity not being taken seriously

According to experts, there is a lack of seriousness regarding cybersecurity even when it comes to important public institutions.

“Even when there is the smallest rise of tension along the border, you will see one or other websites of government agencies and public institutes getting hacked by hackers across boundaries. Despite such events happening repeatedly, cybersecurity is still not taken seriously in most public institutes,” said Ritesh Bhatia, a cybercrime investigator and founder of V4WEB Cybersecurity.

“We have a lot of regulations for companies when it comes to dealing with finance, etc. But when it comes to other sensitive data such as medical data, which is what is at risk with the AIIMS hack, there isn’t enough scrutiny. In fact, in some sense, leaking someone’s medical records can even be more damning than their financial records,” he added.

Many important government websites run on outdated frameworks, making them vulnerable to attacks. "I have seen government websites with eight-year-old vulnerabilities. Even when we report such vulnerabilities, they don't get updated often because the web administrator doesn't want to deal with the compatibility issues in their systems that come with the upgrade," said Sunny Nehra, a cybersecurity expert and founder of Secure Your Hacks.

Jurisdictional issues

“Cybercrime cases have a huge issue with attribution. That is, attributing a cybercrime activity to a cyber-actor. You need to have incriminating electronic evidence to prove a cybercrime and that can be a challenge for investigation agencies, because most often such evidence will be located outside the borders,” said Pavan Duggal, a cyber-law expert and advocate practising at the Supreme Court.

"The prevalence of VPNs and proxies has become a big issue in cybercrime investigations. Even the smallest scamsters use them these days, routing their data through servers across borders. This makes it hard to trace their identity," said Nehra.

Delayed reporting

Delayed reporting is also a problem in such cases, say experts in law enforcement.

“Quite often, the victims won’t come to know of the crime until some time has passed. Moreover, even when they come to know, unlike other crimes, cybercrimes are often not immediately reported. Along with the jurisdictional problem, this also makes it hard for the police to trace the suspect,” said Balu Swaminathan, former additional superintendent of police with the Tamil Nadu cyber cell.

“It is quite hard to ascertain the identities in cybercrime cases with certainty as it is possible to alter them,” he added. Swaminathan was the investigating officer of the ‘Suhas Katti case’, which dealt with cyber sexual harassment, and was the first cybercrime case in the country reported under the IT Act to result in a successful conviction.

Intermediaries need to do more

According to Bhatia, intermediaries also need to do more to help law enforcement agencies in curbing cybercrimes.

“Forget social media, even banks, which are also an intermediary, sometimes fail in providing timely support to investigators. Quite often, by the time investigating officers are given the necessary information on financial cybercrimes, it might be too late and other incriminating evidence might have already been destroyed. I have seen cases which were solved quickly only because the investigating officer was close with the nodal officer, who helped to trace the money quickly. But not everybody has such contacts,” he said.

Reduced operations at many tech companies during the pandemic only exacerbated this issue. "As tech companies like Facebook and Twitter became less operational, the time taken for complying with requests from investigators went up considerably. From 48 hours, the response time for such requests went up to 20 days in some cases," said Nehra.

Companies deleting their logs too soon also often poses a challenge to investigators. “Most companies don’t keep logs for long and erase them at regular intervals. So quite often, when an investigation requires data from beyond the logging period, they won’t be available and the case will have to be closed citing insufficient evidence,” said Swaminathan.

Ill-equipped law enforcement

Data shows that the police pendency percentage for cybercrimes is more than 56 percent, while the charge-sheeting rate is as low as 33.8. For comparison, the overall charge-sheeting rate for crimes as per the Indian Penal Code (IPC) and Special and Local Laws (SLL) stood at 81.3 in 2021.

Police pendency refers to the percentage of reported cases not yet fully investigated. A charge sheet is prepared by the investigating agencies based on their investigation to prove the accusation of a crime in court, and it forms the basis of the trial. The charge-sheeting rate is the number of cases charge-sheeted out of the total number of cases disposed of by the police. It is considered an important indicator in analysing police performance.

“There is no denying the fact that our law enforcement agencies are ill-equipped to deal with cybercrimes. There are a lot of gaps in their capabilities to deal with such cases and there is a need to create capacity and awareness among officers on properly investigating, collecting and dealing with electronic evidence,” said Duggal.

“Even when police officers have the technical knowledge, they are not provided with enough facilities to deal with cybercrimes. Existing rules on admissible evidence in courts make it hard to gather proof in cybercrime cases, and moreover, most police stations lack the equipment to gather electronic evidence. In addition, cyber forensic experts are all pretty much only based out of state police headquarters and are less in manpower, leading to delays,” said Swaminathan.

“Things are changing with more young officers with technical skills to the force, but it will take time before we can see the improvements on the ground,” he added.

Poor performance in courts

Even in courts, such cases struggle. Out of the 54,979 cybercrime cases that were on trial in 2021, only 7,139 cases were actually concluded. Of these, as many as 5,984 cases were disposed of without trial. Among the 1,155 remaining cases that completed trial, only 491 ended in a conviction.

“There are some judicial officers that are exceptional in matters of cybersecurity, but they are exceptions. If you look at the overall picture, you will realise that there is a need for far greater capacity building. Not all judges are tech-savvy and won’t be able to understand the nuances of such cases. We need to expedite these cases by setting up cybercrime courts as it gets easier to tamper or erase electronic evidence with time,” said Duggal.

Sreedev Krishnakumar
first published: Dec 7, 2022 12:18 pm
