Wednesday, December 5, 2012

Cybercrime responders become partners in a new crime

This is copied from my blog, infosecgallery.

Some time back I was pondering about the surrogate criminal activity that happens in the absence of incident disclosure by corporate bodies. While pondering whether the regulators will act to bring in any form of control, I realized that it is not just the corporates but others too who are engaging in criminal activity.

To illustrate, I present an example: I have a pistol and shoot a friend accidentally. We take the injured person to a hospital, where he/she will be refused treatment by the doctor until a police complaint is registered. A police complaint will lead to my arrest and the confiscation of my gun. I shall be in a lockup until I get bail, and then, even if my friend stands by me, the cops will interrogate and investigate and may not drop the case.

Now we come to a cybercrime scenario: a company or government department is breached (they get hacked / data is stolen / phished / financial fraud). The CISO is the first to respond and advises the CxO. Then they call in a forensic/security consultant, who provides his/her analysis with remediation advice. Now they go to the Police Cybercrime cell and ask for an investigation. At the end of the police investigation, the cops are told "we do not want to file a case" and the whole thing is dropped because they "know" who or what happened.

So we have the victim company (organization, bank, department...), the CISO, the forensic/security consultant, and the police investigators, who have all colluded to close a criminal case (theft, hacking, piracy, porn... whatever).

Does this make all these people / institutions party to the crime of abetting a criminal act?

If yes, then can the various banks, government departments and organizations be taken to court along with the police departments of all states? I understand Section 120B or Section 34 of the IPC establishes guilt for conspirators.

Will the ITA be amended soon for 66A, and can the mandarins add "disclosure" as an obligation under the act?

The moot question is whether everyone is a criminal now: the consultant who found out the modus operandi and advised on new controls, and the cybercrime police who did not register the case and advised closure, thus (possibly) causing loss to shareholders and the exchequer.