
CYBER LAW

EMERGING TRENDS AND CHALLENGES



EDITORS
Prof. (Dr.) Aditya Tomer
Dr. Harshita Singh
Ms. Garima Wadhwa

STUDENT CO-EDITORS
Aayushi Singh
B.A. LL.B(H), Amity University, Noida, India
Nishita Mahajan
B.A. LL.B(H), Amity University, Noida, India

THE UNITED KINGDOM


CYBER LAW: EMERGING TRENDS AND CHALLENGES
by: Prof. (Dr.) Aditya Tomer, Dr. Harshita Singh, Ms. Garima Wadhwa,
Aayushi Singh, Nishita Mahajan

INFINITY PUBLICATION LLC
232-22, Bilton road, Perivale, Greenford
Passcode: UB6 7HL London, The United Kingdom.

Text © Authors, 2023
Cover page ©Redshine Studios, 2023

All rights reserved. No part of this publication may be reproduced or used in
any form or by any means- photographic, electronic or mechanical, including
photocopying, recording, taping, or information storage and retrieval
systems- without the prior written permission of the author.

ISBN: 978-1-312-37726-4
ISBN-10: 1-312-37726-7
DIP: 18.10.1312377267
DOI: 10.25215/1312377267
Price: £ 20
July, 2023 (First Edition)

The views expressed by the authors in their articles, reviews etc. in this book are their
own. The Editors, Publisher and owner are not responsible for them.

www.infinitypublication.com | [email protected]
PRINTED IN GREENFORD, UK | TITLE ID: 1312377267
Foreword

Privacy is an important aspect for one's existence. The indiscriminate use of
software and technologies is an attempt to violate one's privacy. In a
democratic setting, electronic monitoring has always been a source of concern,
as the very premise of using high-intelligence spyware is built on interfering
with people's privacy. Several provisions relating to electronic monitoring can
be found in the Telegraph Act of 1885 and the Information Technology (IT)
Act of 2000. Section 5 of the Telegraph Act of 1885, for example, allows the
government to intercept messages only when public safety, sovereignty, good
relations with other states or India's public order and integrity are at stake.
Section 69 of the Information Technology Act, which authorizes the
government to make directives related to the interception of any information
by computer technology, contains a similar clause.

In this context, this book titled “Emerging Trends and Challenges in
Cyberspace” examines the nature of the problems in Cyberspace that are
recognized at the national and international level. From there, it takes the
reader on a journey of comparison and assimilation regarding the notion of
Cyberspace around the world by elucidating the legal trends and explores the
increasing fear of technology in the minds of the human race.

This book covers each sphere that touches upon the topic of Cyberspace in
detail. It has been extensively researched and the content has been put forth in
a well-structured and informative format to ensure the data does not
overwhelm the reader, but subtly educates them. I remember my own
dilemmas regarding the issue and how I informed myself about the latest
trends related to Cyber Law to keep up with the changing times and policies.

I'd like to commend the editorial staff for addressing this matter, which is the
most intervening and common factor of our lives and yet it has not received as
much attention. I sincerely hope this book strikes a chord with the audience
and effectively expresses the message it encompasses. I also think that this
edited book will serve as a resource for professors, researchers and students to
understand the significance of the “Emerging Trends and Challenges in
Cyberspace” and its interpretation by the world, as a boon or a curse.

Yours

Saleh Alobeidli
Executive Chairman
CA SENGINE
ACKNOWLEDGEMENT

First of all, we would like to thank the Almighty God with whose
help everything becomes possible.
We owe our sincere thanks and profound gratitude to all the
contributors of the book for their invaluable guidance and encouraging
attitude in completing this manuscript. They gave all encouragement and
help as a guide. A special thanks to the student Co-Editors without whose
support this book would not have been possible.
This book looks into the interactions between domestic counter-
cyber terrorism legislation development, while emphasizing on
international talks of cyber terrorism and policy developments. The debate
over cyber security in relation to information security and the associated
issue of information operations and disinformation are of particular note in
this, in addition to, focusing on finding legal solutions to the menace of
cyber terrorism. Hence we are obliged to the Ministry of Electronics and
Information Technology, Government of India, Indian Computer
Emergency Response Team (CERT-in) and Ministry of Law & Justice,
Government of India etc for providing data, reports and surveys vis-a-vis
associated factors causing cyber crime problems in India.
We are also indebted to the staff members of the Library of Indian
Law Institute (Delhi), Library of University of Delhi, Library of Jawaharlal
Nehru University (Delhi), Library of Amity University, Noida (U.P),
Library of Guru Govind Singh Indraprastha University, (Delhi), Library of
Ch. Charan Singh University, Meerut and Department of Law, Meerut
College, Meerut for their generous help.
Our heartfelt thanks to our better halves, who always supported us,
took full interest in our topic from the starting point of this book and
co-operated with us till the end. A sweet thanks to our parents and elders
for their blessing and good wishes.
We are thankful to the learned teachers, scholars, friends and
relatives who have assisted us in completing this book. This work would
not have been possible without their valuable support and assistance. We
are grateful to various legal luminaries whose scholarly and celebrated
works have been helpful in completing the book.
Last but not the least we would like to thank all persons directly or
indirectly related to the book.

- Editors
PREFACE

This book looks into the interactions between domestic counter-cyber
terrorism legislation development, while emphasizing on
international talks of cyber terrorism, and policy developments. The debate
over cyber security in relation to information security and the associated
issue of information operations and disinformation are of particular note in
this. The book focuses on finding legal solutions to the menace of cyber
terrorism.
All banking activities in the modern world are conducted using
computers and digital media. In order to benefit from the power and reach
of the internet and keep up with the business environment's rapid
development, banks have established themselves on the web. Popular
names for electronic banking include "PC banking," "online banking,"
"Internet banking," "Telephone-banking," and "mobile banking."
E-banking is a phrase that can be used to describe all of these electronic
banking methods. This book highlights how, while internet banking has
made individuals' lives generally straightforward from one perspective, it
is as yet not totally free from dangers.
Cyber crimes are taking place through many social media platforms
like WhatsApp, Instagram, Facebook, etc., and also through various online
shopping sites. To stop or prevent these types of criminal activities and
to punish these criminals, “Cyber Laws and Policies” are being introduced
by different nations to protect their secret information and data. These
Laws and Policies deal with cyberspace and other legal issues like
data privacy and security issues. Therefore, a comparative study of the
Cyber Laws and Policies of India, USA, Russia and other countries is
done in this book, keeping in mind the above perspective.
Concerns about privacy are inversely proportional to the rise of
electronic transactions. By 2020, India's e-commerce market is anticipated
to be worth $50 to 70 billion. This is evidence that all corporate activity
will be conducted through plastic cards, posing a danger to private rights.
Concerns about privacy necessitate proper legal protection for privacy
rights and the data available in online transactions. As a result, the purpose
of this book is to investigate the adequacy of legislative data privacy
protection in India, with a focus on the rise and decline of e-commerce.
The intruders with evil intent used COVID-19 as a chance to carry
out assaults for monetary gain and to achieve their undesirable objectives.
Attacks using ransomware threaten the integrity and security of patient
information and other resources in healthcare systems. A lot of people
were falling for phishing schemes. This book analyses the pandemic from
the standpoint of cybercrime and demonstrates the range of cyber security
dangers that materialized throughout the globe during the deadly virus's
emergence.
The Pegasus scandal is one of many fundamental problems facing
India, starting with its routine tolerance for violations of its democratic
rights. The widespread use of Pegasus spyware in India means that
democratic institutions at the highest levels of government are being
ignored. What could be worse for the future of Indian democracy? This is
an important point that this book has emphasized, as such interference
could lead to cyber warfare or cyber-attacks that could affect the political
system of various countries.
Cyber forensics is becoming increasingly important in today's
world, where more business and personal activities take place online. It is
used in criminal investigations, civil litigation, and corporate investigations
to uncover evidence of fraud and identify potential security threats. Cyber
forensics is used in various areas of law, including law enforcement.
Electronic evidence is used to find incriminating evidence in various
crimes and can be used to identify business and personal data in civil
litigation. Examples include contracts, divorces, lawsuits, harassment and
defamation cases. The book has dealt with all of the above in detail.
The references have been made more detailed to enable the
non-specialist reader to investigate points which may appear to him worth
pursuing.

- Editors
CONTENTS

CH.No. CHAPTER AND AUTHOR NAME

1 CYBER SECURITY THE WORLD OVER
Dr. Indra Kumar Singh and Karthikeyan

2 CYBER SECURITY AND FINANCIAL SECTOR
Adv. Gauri Grover and Anandit Thakur

3 CYBERTERRORISM: A PHYSICAL REALITY
Prof. (Dr.) Avinash Dadhich and Nuha Rahman

4 CYBER TERRORISM IN INDIA: A VIRTUAL THREAT
Neha Mishra and Ritika Khandelwal

5 CYBER TERRORISM: THREATENING NATIONAL SECURITY THROUGH GLOBAL NETWORKS
Dr. Praveen Kumar Mall and Ananya Anant

6 CYBERSPACE AND TERRORISM: A STUDY OF LEGAL FRAMEWORK TO TACKLE CYBER TERRORISM WITH SPECIAL REFERENCE TO ONLINE RADICALIZATION
Adv. S. Rajeshwar Rao and Aayushi Singh

7 THE CONVERGENCE OF CYBERSPACE AND TERRORISM
Dr. Tarun Pratap Yadav and Anushka Bhaskar

8 CYBER CRIME: THREAT AND SECURITY TO E-BANKING
Prof. (Dr.) Sudhir Kumar and Silky Soni

9 CYBER SECURITY THREATS IN INDIAN BANKING SYSTEM
Pranshul Pathak and Tanishtha Anand

10 A COMPARATIVE STUDY ON CYBER SECURITY LAWS AND POLICIES: LEGISLATIVE FRAMEWORK OF INDIA AND USA
Dr. Anurag Sharma and Vansh Goyal

11 COMPARATIVE STUDY OF CYBER LAW IN INDIA AND RUSSIA
Dr. Abhishek Kumar and Ishika Raghuvanshi

12 COMPARATIVE STUDY ON INDIAN AND INTERNATIONAL LAWS ON CYBER SECURITY
Dr. Anirudh Vaishisth and Christina Fernandes

13 A CRITICAL AND COMPARATIVE ANALYSIS OF DIGITAL PERSONAL DATA PROTECTION BILL, 2022.
Prachi Rashmi and Sanidhya Gupta

14 CYBER THREATS IN E-COMMERCE VIS-A-VIS DATA PROTECTION LAWS IN INDIA
Pratibha Singh and Mansi Gautam

15 TECHNOLOGY REVOLUTION FACILITATING CYBER CRIME
Dr. Vijaishree Dubey Pandey and Muskan Gautam

16 CYBER SECURITY ISSUES DURING COVID-19 PANDEMIC
Adv. Sanyukta Gupta and Punya Singh

17 PEGASUS: A FALLIBILITY TO INDIA’S DEMOCRACY
Prof. (Dr.) Somesh Dhamija and Nishita Mahajan

18 CYBER FORENSICS AND CHALLENGES FOR LAW ENFORCEMENT IN INDIA
Dr. Manoranjan Singh and Shubhika Chauhan

19 CYBER FRAUD: A REAL THREAT IN 21ST CENTURY
Adv. Manish Kumar and Deeksha

* ANECDOTES OF CYBER CRIME IN EVERYDAY LIFE

* PRACTICAL APPROACHES TO TACKLING CYBER-CRIME



CHAPTER 1

CYBER SECURITY THE WORLD OVER


Dr. Indra Kumar Singh1, Karthikeyan2

“The recent large-scale migration of businesses and organizational
services to the digital platform due to the pandemic has also led to
the proportional growth of cyber attacks throughout the country and
the world. As we keep moving forward towards realizing this
efficient and optimized framework of business, we must keep in mind
to be alert and wary of the various cyber-security threat
implications it poses and how best to legally tackle them”.

INTRODUCTION

The world at large has already begun its transition into the
post-pandemic state of things, and one of the more
momentous changes that we have carried on from the
COVID course of things is the way we conduct our business. Most
businesses and organizations have now transposed their work to be
conducted remotely, and a majority of services are made available
through the digital medium. Hackers are continually developing
more and more sophisticated tools and strategies, such as phishing,
malware, trojans, DDoS, cryptojacking and so on, to
undermine and attack digital infrastructures. In this chapter, we shall
take a look at the various types of cyber attacks plaguing India
in detail; discuss how the existing legislations in India aim
to battle the oncoming wave of cyber attacks, and whether they will be
enough or there is a real need to upgrade our cyber laws; and ultimately
analyze and compare them with cyber legislations the world
over (especially in the US and South Korea) to see if there is
anything we might be able to learn from them.

1 Assistant Professor & Program Coordinator, Institute of Legal Studies & Research,
GLA University, Mathura, (India)
2 B.A. LL.B (H), 4th Year, Amity Law School, Amity University, Noida, (India)


CYBER CRIME IN INDIA


To adequately gauge the severity of cyber crime, and in turn develop a
better understanding of the legislations put in place to counter
it, we must first grasp what cyber crime is. While there is
no statutorily mentioned definition for “Cyber Crime”, the term
Cyber is used to refer to everything having to do with computers,
information technology, the internet, and virtual reality. It follows
that "cyber-crimes" are crimes involving computers, information
technology, the internet, and virtual reality.3 According to the Data
Security Council of India (DSCI), cyberattacks are defined as
“deliberate actions to alter, disrupt, deceive, degrade, or destroy
computer systems or networks or the information and/or programs
resident in or transiting these systems or networks.”4
What was once an unusual and almost exotic crime is now
commonplace and happens every single day in increasingly
concerning numbers. Studies show that 4 out of 5 people have
suffered from a cyber attack, ranging from simple account lockouts
to total bank account flushes. India, as of now in 2022, has the
highest reported case numbers of cyber attacks/cyber bullying in
children at 85%, such as spreading false rumors at 39%, being
excluded from groups and conversations at 35% and name calling at
34%, according to a report by McAfee [these percentages are
referring to the whole set of children between the ages 1-18].
Extreme forms of cyberbullying such as personal injury threats,
death threats and doxxing attacks are being committed on children as
young as 10.
Beyond just attacking individuals, hackers now regularly
attempt to besiege and breach government digital properties. We all
remember the 2018 Aadhaar data breach, wherein India’s unique
citizen identification system was hacked into over the course of
around 6 months: a whopping 25 million accounts were continually
being breached on a daily basis [that’s 291 records a second],
leading to the exposure of over a billion users’ bank details,
biometrics, and other sensitive data.5

3 “India: Cyber Crimes Under the IPC And IT Act - An Uneasy Co-Existence”,
available at https://www.mondaq.com/india/it-and-internet/891738/cyber-crimes-under-the-ipc-and-it-act---an-uneasy-co-existence. (Visited on March 7, 2023)
4 Cyber Attacks- Promoting Data Protection, available at https://www.dsci.in/content/cyber-attacks#:~:text=Cyber%20attacks%20are%20defined%20as,to%20the%20penetration%20of%20adversary. (Visited on January 16, 2023).

Focusing on the contemporary change in the forms of cyber
attacks, Pavan Duggal, the founder and chairman of the International
Commission on Cyber Security Law, and a notable expert in the
field, claims that since February 2020, cyberattacks in India have
escalated by up to 500%. Ever since the start of the outbreak, there
have emerged a number of reports of scams that prey on support
networks, engage in PPE fraud, pretend to be official organisations
(like the WHO) and businesses (like shops and airports), and
promote COVID-19 treatments. These scams target both the
hundreds of thousands of individuals who work from their homes and
the broader public. The extent of cybersecurity dangers and
difficulties associated with work from home has surprised both the
industry and the general public. To put things in perspective, here
are some of the most severe cyber breaches within recent years.

The 2019 “SBI Quick” Data Breach


The largest bank in the nation, State Bank of India, according
to an anonymous security researcher, failed to protect one of its
servers with a passkey, as a result of which two months' worth of
data from SBI Quick, a service through which customers can
receive information about their most recent transactions and account
balance via text messages, was breached.6

Jubilant Foodworks/ Domino’s Data Breach


In April 2021, details such as the names, emails, mobile
numbers and credit card details of customers of Domino's India
were hacked and put on sale on the dark web. This was brought to light
by Alon Gal, an Israel-based cyber security expert and CTO of cyber
intelligence firm Hudson Rock. He claimed that someone [hacker]
asked for 10 bitcoins, which translates to 4 crore rupees (1.8 crore as
per current bitcoin rates), for the sale of this data, 13 terabytes in
size. Just a month after the leakage, the information was made
publicly viewable in part on the dark web on a custom-made search
engine.7

5 Andy Greenberg, “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's
Most Dangerous Hackers”, Publisher- Doubleday (May 7, 2019).
6 India’s largest bank SBI leaked account data on millions of customers, available at
https://techcrunch.com/2019/01/30/state-bank-india-data-leak/ (Visited on February 24, 2023).

Air India Security Breach


Air India admitted to a serious data breach in May 2021 that
resulted in the exposure of the personal data of more than 4.5
million passengers. Air India released a statement saying that
customers who enrolled between August 2011 and late February
2021 were impacted by the hack. Two months after SITA's (an
information technology company) Passenger Service System (PSS)
was breached, the vulnerability was confirmed. Names, mobile
numbers and emails, birth records, ticket information, passport
information, credit card information, and frequent flyer information
were among the compromised data.8
Now that we’ve examined the nature of some of the various
sorts of cyber attacks, we shall take a look at the timeline of the
cyber-crime legislations put in place by the government over the
years to fight them:

THE INFORMATION TECHNOLOGY ACT, 2000


● A resolution passed by the General Assembly of the United
Nations dated 30th January 1997 would go on to give birth to the
Information Technology Act, or the IT Act, established 3 years
later. The Information Technology Act of 2000 was developed to
promote the IT industry, regulate e-commerce, and facilitate
e-governance; it is the main piece of law that governs the use of
[the cyber medium] computers, software, networks, and electronic
data. It encompasses everything from digital signatures,
cybercrimes, network service providers, all the way to digital
authentication, biometrics, and so on, making it multifaceted.9
● The Information Technology Act, as stated in the act's
preface, aims to promote e-commerce, facilitate e-governance,
and prevent cybercrime in addition to amending the IPC, the
1872 IEA, the Bankers' Books Evidence Act of 1891, and the
RBI Act of 1934. Here we see that this act has varied interests
and is not solely focused on fighting cyber crime. Beyond this,
the act had several other shortcomings too, and so the
Government of India revised it in 2008 to address new
developments and rules that the original bill missed due to
growing security and privacy concerns and the rapid
development of the IT sector. The original IT act in India has
been significantly expanded upon by the Information
Technology Amendment Act of 2008 (IT Act 2008).
● The Indian Parliament enacted the Amendment in October
2008, and it went into effect a year later. The act, which is in
accordance with the Indian Penal Code, is managed by the
Indian Computer Emergency Response Team (CERT-In). The
amendment was received with high praise for taking a
proactive step toward safeguarding India's cyberspace and its
people.

7 Fred Kaplan- “Dark Territory: The Secret History of Cyber War”, Simon & Schuster,
ISBN 9781476763255 (ISBN10: 1476763259), March 1, 2016.
8 Air India's Data Breach - data security is more crucial than ever, available at
https://www.cryptomathic.com/news-events/blog/air-indias-massive-data-breach-compliance-to-major-rule. (Visited on February 3, 2023).
9 Nicole Perlroth- “This Is How They Tell Me the World Ends: The Cyberweapons
Arms Race”, Bloomsbury Publishing, ISBN 9781635576054 (ISBN10: 1635576059),
February 9, 2021.

An Overview of the Various Important Provisions of the IT Act

Whenever a person or business reports being a victim of
cybercrime, the cyber cell at the local police station investigates the
report within 24 hours and takes immediate action to block websites
to mitigate and prevent any further damage, and attempts to recover
the lost data. Furthermore, cybercrime laws are scattered across
several statutes and even in rules created by different agencies.
So while a good lot of cyber-crimes are punished
by the Information Technology Act, there are also many
prohibitions mentioned in the Indian Penal Code, 1860.
We will list a few key sections of the IT Act pertaining to defenses
against cyber crime for your reference, but understand that this list
is not exhaustive, and I would recommend that you research this
topic further to develop a complete understanding:

43 - Penalties for damage to computer, computer system, etc.;
compensation of not more than 1 crore to the victim.

43A - Penalty for failure to protect sensitive data of corporate
nature; compensation of not more than 5 crores to the victim.

45 - Penalty for acting in violation of any rules of the Act for which
the punishment has not been separately provided; in this case, a
compensation amount equalling or under Rs 25,000 is to be paid to
the victim by the violator.

65 and 66 - Deal with the penalties for tampering with computer
source code documents, destroying or altering data; punishment of a
term of up to 3 years and/or a fine of up to 2 lakhs.

66A - penalty for sending offensive messages online -

66C - penalty for fraudulent use of e-signature -

66F - penalty for acts of cyber terrorism -

70 - penalty for gaining unauthorised access to a protected system.10

GLOBAL CYBERSECURITY LEGISLATIONS


In this age of computers, cellphones, and increased use of the
internet and technology in general, where it has permeated all
aspects of life, all governments, particularly in recent years, are
working to create a safer cyber environment and promote greater
international trade and e-commerce operations. All nations have
seen an increase in cybersecurity concerns as a result of this, but the
nation we are going to focus on right now, the United States, in
particular, has developed progressive legislation as a result of the
enormous number of daily cyberattacks that are launched against it.
In reality, the United States of America is now the subject of
the greatest number of cyberattacks and cybercrimes worldwide.
The laws governing cybersecurity in the United States are
unsurprisingly quite complex; every federal agency is required to
follow its own set of guidelines, and there are a number of
industry-specific cyber regulations protecting sensitive
infrastructure that is crucial to the nation's economy.
We shall briefly go over some of the more important cyber
legislation in America presently.

10 Information Technology Act, 2000, available at
https://www.indiancybersecurity.com/itact_2000.php. (Visited on March 4, 2023).


The 1984 Counterfeit Access Device and Computer Fraud and Abuse Act

This act governs frauds and attacks against “protected”
government computer systems and banks that have access to
sensitive data. “Protected computers” are basically computers used
by or for financial institutions and the U.S. government, or any
computer that is used in a sphere that affects cross-state or foreign
commerce. One amusing fact about this piece of legislation is that
this too (just like our own IT act) was released in a rather barebones
fashion in 1984, covering primarily three key violations, but it
was amended extensively in the following years. These 3 violations
were improper access to information on a government computer,
improper access to certain financial information from financial
institutions, and improper access to government material protected
for national defence or international relations.11

The National Institute of Standards and Technology (NIST)

Previously (1901-88) called the “National Bureau of
Standards”, the NIST was established by the Computer Security Act
of 1987 with an aim to develop safe and sound computers and security
systems, and to develop the overall standard of American industrial
mettle. Besides increasing cybersecurity awareness, they also deal in
research programs involving nano-tech and neutron research.
However, their research innovations do not apply to military and
defense-related infrastructure.
The Paperwork Reduction Act of 1995 was initiated to
develop better cybersecurity policies; this act directly deals with
how federal agencies collect information from the American public.
As the name suggests, this act aims to make the process of federal
paperwork and information gathering more efficient and hassle
free.

The Homeland Security Act


A veritable cornerstone of American legislation, put into
enforcement by President George W. Bush on 25 November, 2002,
in the wake of the World Trade Center terrorist attack.
Around this time, the government focused on quickly changing its
infrastructure to include protecting the nation from terrorist attacks
and managing major emergencies. The Department of Homeland
Security (DHS) was established as a new division within the
executive branch of government and a number of safeguards for the
country's security.
The Homeland Security Act creates the DHS as a
comprehensive executive agency that absorbs a number of
pre-existing governmental institutions, taking on responsibilities for
infrastructure management, federal bureau, coastal defence,
immigration and citizenship, nuclear, transportation security, and
emergency response, to name a few. In addition to forming a
completely new government agency with its own mission and
employing more than 180,000 people at the time of its founding, the
DHS also seized a number of already-existing organisations
formerly under the control of the NSA (the National Security
Agency).12
Moving on to the 21st century, one of the most
important pieces of legislation put out was the E-Government Act of
2002. It contains the provisions for creating a Federal Chief
Information Officer working within the Office of Management and
Budget. By putting in place a set of policies that call for the use
of Internet-based information technology to increase citizens' access
to public information and services, among other purposes, it aims to
enhance the administration and marketing of electronic government
procedures and services.

11 Kirstin Chen- “Counterfeit”, William Morrow Publishing, (June 7, 2022).

Following the new age wave of cyber attacks, a whole slew of
cybersecurity regulations were created; and past ones altered as part
of a recent attempt to tighten its cybersecurity legislation for a better
security environment. Here are a few examples:

Cybersecurity Information Sharing Act (CISA)


Various federal departments can now share cybersecurity-related
issues thanks to CISA, which was introduced in 2015. Its
primary goal was to create a robust cyber infrastructure by enabling
quick sharing of problems with cybersecurity, bugs, or other issues
affecting various government departments.
CISA establishes a voluntary mechanism for exchanging
cyber threat intelligence between private corporations and
governmental organisations in order to help businesses quickly
identify and mitigate possible cyber incursions. Under CISA, the
Department of Homeland Security (DHS) will gather and store
cyber threat indicators, such as samples of malicious computer code,
from participating companies and use that information to advise
defensive actions. CISA enables individuals or organisations to
communicate information regarding cyberthreat indicators after
eliminating all personally identifying information that isn't
immediately pertinent to the risk.

12 “United States Department of Homeland Security”, United States government,
available at https://www.britannica.com/topic/United-States-Department-of-Homeland-Security. (Visited on March 13, 2023).

The 2014 Cybersecurity Enhancement Act


According to the act itself, it aims to provide for “an ongoing,
voluntary public-private partnership to improve cybersecurity, and
to strengthen cybersecurity research and development, workforce
development and education, and public awareness and preparedness,
and for other purposes.”
The purpose of this act, as implied by its name, is to improve
cyber infrastructure, create better cybersecurity regulations, raise
public awareness of cyberattacks, assist victims of such attacks,
employ preventive measures against such crimes, promote voluntary
public-private partnerships, and advance research and development
in this area.
The part played by the National Institute of Standards and
Technology as the manager of the nation’s intentional cybersecurity
system is formalised within its draft. It has arrangements that
bolster the government approach to cloud computing, awareness
and education campaigns, private-public participation in
cybersecurity, and specialized guidelines. It also calls on NSF to
proceed with the Government Cyber Fellows Program, in which
citizens agree to work within the cybersecurity division of a
government, state, neighbourhood, or tribal office for the duration
of the financial grant.

Federal Exchange Data Breach Notification Act of 2015


This law governs and lays out strict requirements for the
health insurance business, including how to notify patients in the
event of a data breach. It requires health insurance exchanges
to notify all individuals whose personal information may have been
obtained or accessed due to a security breach of any system they
maintain as soon as practicable, and no later than 60 days after
discovering the breach.

Ever since the Biden administration took office in early
2021, the American government has expressly doubled down on
cyber offences, regarding them as an important threat to the national
economy and security.
The United States of America presently has 50 states that are
governed by both federal and state laws, and it is evident that the
country is continually introducing new cyber regulations and
enhancing infrastructure. Data breaches and phishing attacks
continue to increase in frequency and severity, despite the
government's best efforts to stop them, even with the strictest
security measures in place. These assaults affect both the public and
commercial sectors.

Other Laws of Foreign Governments


Unlike most other global superpowers, the United Kingdom does
not govern information technology and cybersecurity through a
single body of law; instead, a number of non-regulatory bodies
under the government exercise their own statutory powers to put out
legislation such as the Security Services Act of 1989 or the Civil
Contingencies Act of 2004. This fragmented and exclusively
regulatory framework gives the agencies charged with ensuring
cybersecurity a lot of latitude and freedom in creating various
cybersecurity strategies.13
The cornerstone of cyber security in the UK, holding together
all the various wings of the security agencies, is the Office of
Cyber-Security & Information Assurance (OCSIA), established
in 2017 by a Council of Ministers Directive. The OCSIA
collaborates with the business sector for information sharing and
standard-setting, and serves as the nexus for cyber security
management. This robust network ensures that all cyber threats are
dealt with promptly, and that the information regarding the same is
distributed seamlessly and efficiently across the board.
Additionally, OCSIA will offer centralised policy advice,
standards, direction, and support to enable all Government
Departments and Statutory Boards both to defend against
cybercrime and to maximise the safe use of all the information they
hold, through a network of specialist cyber awareness roles and in
collaboration with Government “Risk Owners”, who are those
tasked with the special job of mitigating any risk or damage that can
occur by way of collateral or circumstance.
Moving on to other recent cyber bodies, we have the NCSC, or
National Cyber Security Centre, which went into operation in 2016.
It is an organisation that aims to provide support and counsel to
both government and private entities on how best to build their
infrastructure to protect against cyber security threats, and to offer
general advice on cyber security preparedness. It may be compared
to NIST in the USA. The comparison is not 100% accurate, as NIST
produces tangible products and assets attached to its anti-cyber-attack
mandate, whereas OCSIA provides a more consultation-based,
advisory service, but there is still a relation to be made between the
two bodies.14
This brings us to the latest step in the UK’s fight against
cyber-crime, the GDPR or “General Data Protection Regulation”.
Approved in May 2016 and going into effect a full two years later
in 2018, this is a much more expansive and consequential
regulation, as it binds not only the UK but the entire EU (European
Union) to abide by its provisions. It aims to tackle a very simple yet
invasive problem: individual, day-to-day privacy breaches. That
statement may be a bit of an oversimplification; according to
Investopedia, the General Data Protection Regulation (GDPR) is a
legislative framework that establishes standards for the gathering
and use of personal data from residents of the European Union (EU),
and it also extends its jurisdiction to those outside the EU that
members of the EU get in touch with.
In simple terms, the GDPR was developed to regulate how
companies manage and make use of the personal data they collect
online from clients. It also offers instructions on how to migrate
data, whether it is moved fully or partially automatically. It does not
allow websites to use ambiguous and misleading language on their
webpages for ulterior motives, and it requires that users are made
aware of, and asked whether they consent to, the sharing of their
data. It also pushes for full transparency in the event of a data
breach or any other event. Many other laws throughout the world,
including those in Turkey, Mauritius, Chile, Japan, Brazil, South
Korea, South Africa, Argentina, and Kenya, used the regulation as a
model. Following Brexit, the United Kingdom nonetheless made the
decision to keep the statute in place as of October 6, 2022, even
though it was no longer a member of the European Union.
To prevent third parties from breaching data protection, the
GDPR mandates that private enterprises in the UK use stringent
security measures. It promotes the building and upkeep of
infrastructure that is more cyber-secure. Furthermore, it establishes
explicit cybersecurity guidelines for all businesses that offer crucial
services, including those in the health, transportation, and internet
industries.

13 Brian Krebs, “Spam Nation: The Inside Story of Organized Cybercrime — from
Global Epidemic to Your Front Door”, Sourcebooks Publishing, ISBN 9781402295614
(ISBN10: 1402295618), November 18, 2014.
14 Richard A. Clarke and Robert K. Knake, “The Fifth Domain: Defending Our Country,
Our Companies, and Ourselves in the Age of Cyber Threats”, Penguin Press, ISBN
9780525561965 (ISBN10: 052556196X), July 16, 2019.

South Korea
Moving down the list of countries that can be deemed to be
role models for other legislations with how they tackle cyber
security threats we have South Korea. Being a country that faces
threats unceasingly from not just foreign forces but from its
neighbour North Korea as well, South Korea (hereinafter referred to
as RoK “Republic of Korea”) was forced to arm itself with the
latest, most progressive forms of security, some of which we shall
examine now:
Korea's cybersecurity initiative truly took off in the 1980s,
when the RoK government first began to aggressively push the
digitalization of business, government, and society. Through the
implementation of e-government services, the administration also
placed a priority on boosting national competitiveness and e-civil
service. Yet, up until the early 2000s, the majority of this effort was
concentrated on document security and physical security, with the
intention of offering a shield of information protection or
information security. The National Intelligence Service (NIS) of
Korea and the Ministry of Science and ICT (MSIT), respectively,
set these targets for improving cybersecurity in the public and
commercial sectors. Nevertheless, instead of creating a proactive,
comprehensive, multi-national cybersecurity strategy or policy,
these organisations mostly focused on responding to hostile activity
and attempting to create workable responses.15
The cyber threat, though, had multiplied by several measures.
Individuals allegedly connected to Pyongyang had developed the
skills necessary to regularly launch effective attacks on South
Korean IT infrastructure. As the damage and chaos brought on by
these strikes grew, pressure on the public and commercial sectors to
develop a more potent toolkit of tactics and skills rose as a result of
the public's rising awareness of the need to boost cybersecurity. In
an effort to establish a cohesive, national cybersecurity
strategy in 2009, the National Security Strategy, which was unveiled
in July 2014, identified cyberattacks as a serious threat. It wasn't
until 2015, when the government also appointed a cybersecurity
officer to the National Security Council, directly reporting to the
president of Korea, that the government publicly disclosed
comprehensive cybersecurity measures.
One stark difference between the RoK’s approach to cyber
governance and that of the rest of the world is that it does not have
a singular piece of legislation outlining the security provisions but
instead accomplishes its security goals by inculcating cyber security
cognizance throughout all of its legislation, and by employing
strategic plans of action to protect itself (it is quite similar to
how we Indians choose to go about achieving our economic goals
with the help of 5-year plans, national budgets and so on). One good
example of the RoK dispersing its cyber security provisions across
various acts is the “PIPA Act”, which controls how public and
commercial institutions may acquire, use, disclose, and otherwise
treat personal data. The Standards of Personal Information Security
Measures, which outline specific security precautions for systems
that process personal data, are one of the PIPA's implementing
regulations.
Most Korean legislation is written and available only in
Hangeul/Korean, so we shall not be able to take a deeper look at
these laws for now, but here are a couple of other important laws
and bodies relating to data and security:
The Personal Information Protection Act (PIPA) created the
independent PIPC to uphold people's rights to their privacy. The
main responsibility of PIPC is to harmonise conflicting views on the
processing of personal data among various government agencies
and to concentrate on finding solutions to personal data-related
policies.
The Korea Internet & Security Agency (KISA): KISA's
role in relation to personal data protection is to support and assist
the Government and local government agencies with data breach
remediation and research and advice on personal data protection
security standards and policies. KISA is a statutory organisation,
established by the Act on Promotion of Information and
Communications Network Utilisation and Information Protection,
etc.16

15 Korean Policies of Cybersecurity and Data Resilience, available at
https://carnegieendowment.org/2021/08/17/korean-policies-of-cybersecurity-and-data-resilience-pub-85164.
(Visited on December 2022).

CONCLUSION
In conclusion, even if it is believed that India's cyber legal
framework satisfies the demands of the time, it has a number of
drawbacks. The cybersecurity regulations of various industry
bodies, in particular, need to be revised to keep up with the rapid
advancements in technology. New policy frameworks are being
developed by the Indian government in order to protect the
aforementioned advances. The provisions of this new policy
framework are thought to be robust enough to withstand the
challenges posed by these new tendencies. Having said that, for
these measures to be effective, the relevant authorities must carry
them out meticulously and without indulging in any corruption.
India is one of the most likely targets for hackers, as history has
shown. Regarding other nations' cyber laws, the United States of
America, although having a range of policies and legal frameworks
to ensure cybersecurity, struggles with proper execution. The policy
frameworks for several areas, such as the health sector, the insurance
industry, and private businesses, are consistently deficient in all of
these countries. Therefore, we must consider measures to ensure
that the carefully constructed policies are rigorously enforced in all
situations, including India, or else the policies will be irrelevant.

16 South Korea: Cybersecurity, available at
https://www.dataguidance.com/opinion/south-korea-cybersecurity#:~:text=1.1.&text=The%20main%20laws%20and%20regulations,by%20governmental%20and%20private%20entities.
(Visited on January 17, 2023).

CHAPTER 2

CYBER SECURITY AND FINANCIAL SECTOR


Adv. Gauri Grover1, Anandit Thakur2

“The Internet has become a crucial platform in our lifeline, with the
help of the internet one can navigate, start their own businesses,
etc., take classes, and do everything with a touch away with the use
of appliances like Phones, Tablets, Laptops, Screen readers, etc.”.

INTRODUCTION

When we look at the terms “cyber” and “finance”, both
have different aspects, but on the internet they are related to each
other. Finance and the internet have in recent times been among the
most critical factors for the growth of any economy. When we say
economy, it refers to both developed and developing economies.
The internet is the platform where all our activities take place, be it
chatting, online classes, e-business activities, banking, e-commerce,
etc.

EVOLUTION OF THE INTERNET AND COMPUTER NETWORK
The first computer network was jointly introduced by the
Advanced Research Projects Agency (ARPA) and the Department of
Defense (DoD) of the United States in 1969 and was called
ARPANET. It was an experimental project, which connected a few
computers from some of the reputed universities of the USA and
DoD. ARPANET allowed access to computer resource-sharing
projects. This ARPANET was handed over to the Defense
Communication Agency (DCA) for further development. As a result,
the Defense Data Network (DDN) was established in 1983. The National
Science Foundation Network (NSFNET) was a program of
coordinated, evolving projects sponsored by the National Science
Foundation (NSF) from 1985 to 1995 to promote advanced research
and education networking in the United States. The internet allows
people to exchange information over computers.3

1 Advocate, High Court, Delhi, (India)
2 B.B.A. LL.B (H), 2nd Year, Amity Law School, Amity University, Noida, (India)

Additional Advantages of Internet


The internet is so crucial that we can't live without it. For
example, a company that earlier used to store data in files and
pages is now using services like Google Drive to store its
information, so we can say that applications available online are
helping companies to store their information in a secure way and to
save a lot of time. The Internet has provided us with many
features; it is dynamic, meaning that it changes with respect to
environmental conditions.
But the Internet also has various disadvantages associated with it.4

Problems Associated with Internet


Cyber hacking is one of the problems associated with the
internet. Cyber hacking means that the confidential data which you
store online is accessed by scammers or other people, who use that
data to commit fraudulent activities in return for money. Not only
cyber hacking, but activities like cyberbullying and cyber
harassment also occur. Cyberbullying means that people use online
platforms or social media sites to bully others over their posts,
ideas, or pictures, making them feel uncomfortable; cyberbullying
and cyber harassment are usually the same, two different words
referring to bullying taking place online. We might set strong
passwords etc., but that doesn't work in this high-level technology
environment; therefore it's always advisable to never share
passwords with people whom you do not know and never click links
sent by someone whom you don't know or who isn't adequately
verified, as these links are basically sent with malware that
damages your files and appliances.

3 Evolution of internet, available at
https://everything.explained.today/%5C/National_Science_Foundation_Network.
(Visited on March 12, 2023).
4 Cyber hacking and types, available at https://www.mimecast.com/content/cyber-hacking/.
(Visited on March 18, 2023).

IS BEING A FULLY DIGITAL ECONOMY A STRENGTH OR WEAKNESS
With the internet in high demand and utilization, most
transactions nowadays take place online; with one touch we can
send money from one bank account to another in a secure and
simple way. For example, apps like Paytm, PayPal, and GPay
are most widely used across the world for cashless transactions;
along with that we have NEFT transactions as well as credit and
debit cards. The difference between Paytm/PayPal etc. and
credit/debit cards is that in Paytm/PayPal a unique numerical ID is
made and associated with your bank account, and a unique QR code
is associated with the person's bank account; the person scans the
QR code, enters his unique ID, and the transaction is done in a
fraction of a second. With debit/credit cards, a person has to set up
a unique 4-digit PIN, which he uses to withdraw money from ATMs
etc., whereas the CVV is used for making transactions online along
with the 12 digit number written on the card.
People prefer digital transactions firstly because a person can
pay with the help of his mobile or other appliances, secondly
because people fear being robbed of their cash, and last but not
least because a lot of time is saved. From this, digital transactions
look like the best option, but we don't know the risks associated
with digital transactions and online banking services.5
Now let's talk about developing economies where the internet
hasn't been set up, power shortages are widely faced, and the
literacy rate is very low. For such economies, it’s a demerit.
Firstly, setting up internet connections needs a good power
supply, as internet and power go hand in hand. Power is an
essential resource, so developing countries can go for renewable
sources of energy as an alternative to nonrenewable sources.
Secondly, awareness of IT and communication must be raised by
educating the poor, especially people in rural areas. Lastly,
training people to use laptops, phones and online apps is very
important.
Be it developing or developed economies, we might have all
the resources and the best connection facilities, but cyber hacking
is a major problem everywhere. Recently in India, on 14 December
2022, the servers of AIIMS (All India Institute of Medical Sciences
and Research) were hacked by Chinese sources. It was even found
that the data stored on the servers, which held details of their
outpatient and inpatient online medical services including smart
lab, billing, report generation and the appointment system, were
disrupted, leading to disruption in the lives of the medical staff
and the patients.
Similarly, in February 2016, the central bank of Bangladesh
was targeted, leading to a lot of issues in SWIFT. It is estimated
that 35 fraudulent/spam messages were issued by hackers via the
SWIFT network, leading to the illegal transfer of 1 billion dollars
from the Federal Reserve Bank of New York account belonging to
Bangladesh Bank. Due to the weaknesses in the security of the
Bangladesh central bank, including the possible involvement of
some of its employees, perpetrators attempted to steal US$951
million from the Bangladesh Bank's account with the Federal
Reserve Bank of New York.
Another incident was faced by the BFSI sector: according to a
recent report, India's banking and financial services are frequently
facing cyber hacking and are easily targeted by hackers online. The
research also said that India faced 283 incidents in the half-yearly
2022 and 469 in the year 2021, as per CNBC’s report. A cyber
attack on any bank or financial institution directly impacts the
economy of the country badly and hampers the growth of GDP too.
On 6 April 2022, Cash Mama (a loan app of Indian origin)
reported a breach of information in which customer data was
exposed, including personal as well as banking details. If we go
around 1.5 months back, a similar incident was faced by a Russian
stock exchange called “Moscow Stock Exchange and Sberbank”
on 28 February, when their websites went offline due to cyber
attacks. It’s claimed that it was done by the IT people of the
Ukrainian government. This was a type of DDoS attack; DDoS
means Distributed Denial of Service attack, a type of cyber attack
in which a felon makes a network unavailable to its users, and
thereby the connectivity of the host of servers connected to it. In
the year 2021, 25 percent of attacks that affected the financial
industry were caused by DDoS. In 2020, Imperva, a software
company, saw a 30 percent increase in DDoS activities. In 2016,
Canara Bank (an Indian bank) faced a similar issue of vandalism,
wherein its website got blocked and online payments couldn’t
happen.

5 Justin Seitz, “Black Hat Python: Python Programming for Hackers and Pentesters”,
No Starch Press, ISBN 9781593275907 (ISBN10: 1593275900), December 21, 2014.

Similarly, another type of attack that financial institutions
face is the RDoS attack, meaning ransom denial of service: actors or
parties try to extort money from a person or a community by
threatening them with disruption of their services.
Telecommunication has risen so significantly that any leaked
confidential information is like “blocks of gold” for attackers,
helping them to achieve their goals and motives. We share our
personal information, i.e. name, address, gender, income, banking
details, etc., with the bank because of the high level of trust that we
have; that is the data which is targeted by and attractive to
cybercriminals. It's been estimated that the rate of malware,
hacking, data breaches in financial services, and insider threats is
expected to rise.6

IMPORTANCE OF SOCIETAL ROLE OF BANKS


Cyber security isn't about the topic of our social media
account getting hacked; rather, it focuses on a broader aspect:
cyber security means that all the data which we store online is safe
and secure. Cyber security plays an important role in the banking
sector, where a lot of transactions take place and people store
money in the bank by opening bank accounts, using lockers,
borrowing loans, etc. It's important for the bank to ensure that it
uses high-level technology software so that data is stored properly
and fully secured. Whenever a financial institution is hacked, it
causes loss not only to the bank but also to the assets of the bank
account holders; it’s necessary to ensure that banks use efficient
methods to retrieve the bank account holder's money in case of any
fraudulent activities. A bank is also known for its reputation in
terms of rate of interest and security; if the bank is known for good
security, people consider opening accounts there because their
money is safe. If a bank is frequently facing cyber attacks, people
would prefer to shift their accounts to a bank that provides a safer
environment for their money. Therefore, to safeguard the accounts
of the holders, the bank always advises its customers not to share
any valuable information or KYC details with unknown people; this
helps to reduce the burden on the banks to enhance security and, in
a way, leads to people being confident in keeping their accounts and
personal data safe.
In the banking sector, there are several job opportunities
available in cyber security: CISO (Chief Information Security
Officer), Security Architecture, and Network agency. A CISO is at
the top position within an organization and is responsible for
establishing and maintaining the goal, and for implementing the
acts in such a way that the goals are accomplished and assets are
secured. Security architects with the desired skills and
qualifications do research and strategy development; they are
basically predictors who anticipate potential risks and create
systems and strategies so that data is protected from hacking and
kept secure. A Network Security Engineer is responsible for
ensuring that the data systems are secure, checking the network
systems, and helping to fix any minor bugs or issues being faced.
Central banks such as the RBI (Reserve Bank of India) have made it
mandatory for commercial banks to follow the guidelines related to
“banking and cyber security”, to ensure that assets are safe and
banking is also safe.

6 That Insane, $81M Bangladesh Bank Heist?, Wired, available at
https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/.
(Visited on February 3, 2023).

CHALLENGES IN ESTABLISHING A SECURE BANKING ENVIRONMENT
We feel that lack of awareness and education about what
cybersecurity is, is one factor that leads to increased malpractices.
Similarly, most financial institutions spend a lot on enhancing
customer services but do not spend as much on enhancing security
in banking. As the digitalization revolution has started, most
banking activities, be it depositing money, withdrawal, loans, etc.,
have started taking place online on smartphones, pads, etc., as a
result of which these devices get hacked by hackers easily.
Therefore, to prevent this, strong antivirus software should be used
to enhance security, along with firewalls, fraud detection, etc.

5G World and Technology


It's as if people who do not want to rob a bank get into online
activities instead and reach their desired goal by sending malware
etc. to banking institutions, which might corrupt their data.
Technology is beneficial in good as well as bad ways: in a good way
it helps us in the fields of education, health, banking, etc., whereas
in a bad way it can act as an agent to cause harm and sorrow in
people's lives. Let's talk about 5G (5th generation) communication.
It’s the fastest means of communication, and it's known to have
various demerits: it’s been declared that 5G was used by people in
China to peep into others' houses; in fact, it can be used to track
anywhere in the world, and thus benefits hackers, thereby leading to
an increase in cyber activities online; it's comparatively very
expensive as compared to 4G, 3G, 2G, 1G, etc.; it's harmful for the
environment, as it's known to increase the carbon footprint; and
various devices do not have the feature of 5G, adding to the list of
“demerits”.
However, it does have several advantages too. It helps to
increase communication, data processing rates, transfer of files at
minimal cost, and improved network capacity. 5G can benefit the
banking/financial sector a lot: it can be an incentive for
online/digital banking, thereby increasing productivity and
connectivity; it can lead to modern innovations; and demand for AI
(Artificial Intelligence),7 AR (Augmented Reality) and VR (Virtual
Reality) will increase. 5G will tend to increase the GDP of the
Indian economy, as it will help to strengthen the economic pillars of
the economy; what I mean by economic pillars are “Manufacturing,
Retail, mobility, education, and health”. 5G services have already
been started by various telecommunication service providers such as
Jio, Airtel, Vodafone, Idea, etc. in various cities across India such
as Delhi, Mumbai, Chennai, Varanasi, etc. “5G can have an impact
of over $180 billion on India’s economy in 2030,” said Barnik
Chitran Maitra, managing partner of Arthur D. Little India and
South Asia.8
In the banking sector, a lot of transactions are happening
every second; here 5G can play a very important role by increasing
connectivity speeds and thereby enhancing the transaction
processes. It can use video conferencing and AI bots to further
handle complex problems, which will help to increase efficiency,
thereby saving a lot of time and manpower. 5G is, till now, the
fastest means of communication and technology; having devices
capable of 5G will allow banking institutions to reach more
customers throughout the world. 5G can help us provide services
such as getting loans online instantly, solving complex problems
related to banking, and even the purchasing of shares. So if we do
not want to waste our time going to banks physically, why not
implement 5G technology and save a lot of time? As the saying
goes, “Time is precious”, so to save time, we can implement this!

7 Max Tegmark and Rob Shapiro, “Life 3.0: Being Human in the Age of Artificial
Intelligence”, Random House Audio Publishing Group, ISBN 9780451485076
(ISBN10: 0451485076), August 29, 2017.
8 Cash mama downfall, available at https://shorturl.at/gNO06 (Visited on March 18,
2023).

For our financial sector, we need the implementation of
stricter rules and regulations, which will help to make sure that
things run smoothly, efficiently, and in a secure manner; for this,
law plays an important role. Since we are living in the 21st century,
we can have as many people hired as we like to maintain law and
order in a particular state, district or country, yet despite a lot of
manpower being employed, crime rates are so high. In this kind of
situation, 5G plays a crucial role. Implementation of CCTVs plays
a significant role: let's say a crime has occurred somewhere and the
person has fled; it would be difficult to catch him/her, whereas if
CCTVs are installed, we can trace the footprints of that person,
which also helps us gather relevant evidence. 5G helps to process
things faster, meaning that CCTVs will be able to produce clearer
images, which helps to improve the work of the police. 5G will
provide a lot of storage, thereby storing more files and reducing
paperwork; it also helps to increase communication between
citizens and the government and provides rapid response in the case
of an emergency. Let us explain with an example: Vprotect is a
company which has recently started offering security services,
meaning that they provide the customer with CCTV surveillance,
motion detector sensors, fire alarms, door magnetic sensors, etc. All
of these appliances are connected to the internet and are controlled
by an application available online. The company gets the same
monitoring features that the customer gets, meaning that they are
scanning your house 24/7 from the external boundaries to make
sure that no unwanted activities happen; if any intruder enters your
property, they get a notification at their headquarters and help is
sent in no time. This shows that technology plays a crucial role in
the implementation of law and order and in reducing criminal
activities like burglary, trespass, etc.; rather than having a man
employed to guard your property, you are getting technology to
guard your property in a cheaper and more efficient way.9
Now let's talk about hackers. Since 5G provides the fastest
data connection, processing rates, etc., it will help to track a
person's IP (Internet Protocol) address in an efficient way.
Presently, a lot of drafting and legal work happens physically; the
implementation of 5G technology will help to save time and
manpower. We might have the fastest technology or the best
appliances, but it is still necessary to ensure that our data is
secured properly, as we tend to forget that security plays an
important role online. Therefore, we need IT rules that make sure
that cyber activities are properly governed.
Coming back to the financial sector, we saw that law plays a
crucial role in making sure that things run properly. Similarly, for
financial activities that take place online, we need stricter IT
rules to prevent fraudulent transactions, phishing, spoofing, etc.
If we want to make online banking as secure as regular banking,
then we need to follow the protocols that banks advise us to follow,
to keep our bank accounts secure and to prevent any fraudulent
transactions.
As we mentioned, education plays an important role in the
financial sector and the virtual world, and it certainly does. We
feel that as soon as a child enters primary school, he/she should
know the basics of how to stay safe from harmful cyber activities,
as children are the people most targeted for child trafficking,
cyberbullying, and ransom online. Parents usually give smartphones
to their children at a very young age, and as a result the children
sometimes fall into the traps of cyber hackers. Therefore, it's
essential to educate young people on cyber safety and on how to use
appliances. At a bigger level, we need software managers and risk
analysts with the desired qualifications to make sure that
fraudulent activities are reduced, and education plays an important
role in this. If we want to secure our financial sector, we need
well-qualified experts who can provide us with ideas on
strengthening it and making it less vulnerable to harmful online
activities, especially ransom, malware, phishing, spoofing, DDoS,
etc. Therefore, education is also an important pillar in
strengthening the base of the financial sector. It's necessary that
we integrate education and law to make sure that cyber security is
there in the financial sector.

9 AIIMS data breach, available at https://shorturl.at/hjEK0 (Visited on March 20, 2023).

WHY DOES CYBER HACKING OCCUR AND THE FACTORS AFFECTING BUSINESS
As we know, “everything happens for a reason”, but this quote
is not applicable in this case. Cybercriminals are waiting for a
weakness, and that weakness is human carelessness: not following
the precautions and advice given by financial institutions when
doing transactions online. They are just waiting for personal
details and information related to your bank account. This is done
for monetary or financial gain. It's always advisable never to
share your confidential details with the employees with whom you
work, or even the employees whom you trust the most, as that can
open up a gateway for hackers to access your information. Even if
you share your confidential information only with a close
colleague, chances are that through his/her carelessness, by
accident, or out of a disgruntled mindset, you might land in
trouble.
Sometimes the cause is envy of others' success, as a result of
which a person wants the downfall of another. In the financial
sector, every business wants to have the maximum number of clients,
to be in the top position, and to be able to meet customers'
demands. In this case, Customer Relationship Management and
internal as well as external factors (SWOT analysis) play an
important role. Let me explain briefly what SWOT analysis is all
about. SWOT stands for Strength, Weakness, Opportunity, and Threat.
Strength and Weakness are the internal factors, which include
marketing skills, management skills, resources, employees' skills,
and brand image. In simpler terms, internal factors describe how a
business functions internally. Opportunity and Threat are the
external factors, which include government policies, taxes, and
the setting up of SEZs. These are considered important factors for
the growth of a business; we feel that internal and external
factors are both highly important for the growth of business firms.
We might have to pay low taxes, but we still need resources and
funds to grow our business: taxes come under the threats and
opportunities of a business (external factors), whereas resources
and funds come under its strengths and weaknesses (internal
factors). Along with this, we should place equal importance on
customer relationships. If a business firm is able to meet the
demands of the customer, then chances are that the customer will
develop a liking for that firm and prefer to go there. It is
therefore equally important to ensure that business firms are
strong and competent and have sufficient resources, marketing
skills, and techniques. In other words, customer relationship
management means “having the skills to retain a customer”. For
this, firms should take feedback and stay in touch with consumers
so that they are able to solve any problems the consumers might be
facing.
We as humans always follow the “law of diminishing marginal
utility”. In economic terms, the law of diminishing marginal
utility means that a consumer's satisfaction goes on decreasing
with every additional unit. In other words, we keep searching for
products that give us the satisfaction we want. For example, if the
brand Coca-Cola changes its flavor a bit and we don't develop a
liking for the new version, we go searching for a new product that
meets our demand. Therefore, businesses need to pay special
attention to customer satisfaction.
Every business firm has ups and downs. The financial sector
is dynamic and is widely influenced by consumers. Here the internet
plays a major role in making sure that businesses are able to make
profits, through e-commerce sites and advertising. During the COVID
pandemic, it was technology that helped businesses survive, as
shops and malls were closed due to lockdowns. People were still
able to buy goods online, so e-commerce played a significant role
in protecting the financial sector of the economy. Not only that,
with the help of augmented reality and virtual reality, people can
buy glasses and try them online. For example, Lenskart allows users
to buy and try glasses online: the app first takes a picture of the
user, and then the user can try different glasses. E-commerce and
e-business have a lot of advantages: you can buy goods at any time
and at a cheaper price, goods are delivered to your doorstep, and
whenever there is a craving for a particular app, the person can
browse anytime. It is thanks to the Internet that we have all such
features. In the financial sector, e-commerce and e-business play a
crucial role in the growth of developing and developed economies;
they are also the most important aspects of the growth of the
financial sector.

CONCLUSION
The financial sector plays a crucial role in the economy; it's the
backbone of the economy. Exports, imports, manufacturing, banking,
etc. all come under it. If we want to make our economy strong, then
we have to pay special attention to the financial sector and its
pillars. Since banking institutions are targets of cyber hackers,
it's necessary to take proper precautions to make sure that we
aren't victims of cybercriminal activities. Keeping our data
confidential is one of the best ways by which we can reduce such
activities. Secondly, never open links sent by someone you don't
know, as that is one of the means of phishing that hackers use.
Whenever doing online transactions, it's always advisable to make
sure that no one is next to you; this can help prevent another
person from getting your information and bank details. Educating
people and spreading awareness is another important factor: if we
educate people on cyber safety and the precautions that need to be
taken whenever a person is doing online transactions or posting
anything on social media, we can help reduce the number of victims
of cyberbullying. The goal of companies should be eliminating cyber
hacking and cyberbullying and making a safer environment for online
transactions.
Old software is more vulnerable to attacks; therefore it's
necessary to ensure that software is updated and passwords are
changed so that the chances of hacking are reduced. It's advisable
to use strong passwords, and to choose passwords that the owner can
remember. It's necessary to ensure that the financial sector hires
financial advisors who can help and guide businesses. Special
emphasis should be placed on the training and skill development of
employees so that they can handle any complex problem or
situation.
We need to make sure that the financial sector provides us
with a safe environment for banking activities. It's therefore
necessary that banking institutions are able to meet the
requirements of the consumer and to keep the owner's assets safe
and secure. The law also plays a major role in this: we need proper
IT acts which are modern and help to establish a more secure
internet environment, and certain acts need to be amended. The
world will not be limited to 5G connectivity; in the coming years
we will have 6G, the successor to 5G, which will be faster than 5G.
Systems should therefore be built in such a way that they have
strong encryption and can't easily be targeted by hackers. People
should be encouraged to use stronger firewalls and VPNs to further
enhance security: firewalls help in monitoring and scanning network
traffic, whereas a VPN (Virtual Private Network) helps to hide the
person's actual IP address, thereby making it difficult for
third-party people to access the websites, etc.
Lastly, nowadays our mobile phones store all our accounting
details, credit card and debit card details, IFSC codes, etc. If
our appliance is stolen or lost, it's necessary to block all the
cards and banking activities as soon as possible. Online banking
activities should be resumed only after all the passwords have been
changed and complete verification has been done. Contacting the
bank should be the first thing; this will help you to prevent any
losses caused by fraudulent activities, scammers, or hackers. In
recent times, technology has provided us with a platform that no
one could ever have imagined in the 18th or 19th century.
Technology helped us in the pandemic, especially in the education
field, through online classes on various apps like Google Meet,
classrooms, Microsoft Teams, etc. It provided teachers with
features for setting online proctored tests, and gave them
whiteboards and live one-to-one interactions. Not only in the
pandemic: it provides us with classes and solves doubts anytime and
anywhere, like an open library. In the health field, it enabled
patients to interact with doctors about their problems by video
conferencing through apps like Practo. In the banking and financial
sector, it helps us to deposit and withdraw money online through
systems like ATMs, instant transfers, etc., and to solve our
problems with the help of AI bots. With such advancements in
technology, the days are not far off when we won't have to visit
banks physically to open bank accounts, etc. Our systems provide us
with various security options like face IDs, fingerprints,
patterns, passcodes, etc. to secure our data, thereby making it
difficult to open up devices. We nowadays have applications that
can even design our houses and build 3D layouts, thereby saving
time for architects. You name it, and technology provides you with
so many choices.


All services, whether manufacturing, construction, health,
education, foreign export, or trade, etc., are the raw materials
that are responsible for the growth of the financial sector. All of
these are considered important economic activities. As Alfred
Marshall said, “Economics is the study of man in the ordinary
business of life.” I feel that man is equally responsible for the
contributions he makes in each sector, and business is done by man
for his sustenance. Before the 21st century ends, let’s make
digitalization a successful revolution, and that can be done by
providing a safe and secure internet environment.


CHAPTER 3

CYBERTERRORISM: A PHYSICAL REALITY


Prof. (Dr.) Avinash Dadhich1, Nuha Rahman2

“The online community is uninformed and of the mindset that their
actions go unreported. We frequently, mistakenly disclose our
highly sensitive and important data online. The Internet's rapid
growth has given rise to threats from cyberterrorism. The number of
cyberattacks has substantially grown over the past several years
due to the expansion of cyberterrorism.”

INTRODUCTION

Cyberterrorism, a worldwide concern, is one of India's most
underrated problems. After the United States and China, India has
the most internet users. We refer to these users as "Netizens."
Their over-dependence on the internet exacerbates their weaknesses
and transforms their aggression into feelings of retaliation, and
they end up becoming criminals, cyber warriors, and state enemies.
Most Indians are unconcerned with the prospect of falling prey to
the virtual world. Thanks to information technology, the globe now
has a vast array of opportunities for developing its financial
infrastructures. Cybercrimes increase every second. Generally
speaking, the only system affected by cyberterrorism is the
national security system. Yet it has also had an impact on the
minds and psychology of people nationwide. It has damaged crucial
command and control systems and nuclear facilities, and caused
widespread disaster. In light of cyber warfare, this chapter
explores the two deterrent options accessible to nation-states as
well as their three fundamental needs (capacity, communication, and
credibility). It investigates whether attribution and asymmetry,
the two most difficult features of cyber assaults, would make cyber
attack deterrence impossible.

1 Director, Manipal Law School, Manipal Academy of Higher Education, Manipal, (India)
2 B.A. LL.B (H), 4th Year, Amity Law School, Amity University, Noida, (India)


The term "Cyber Terrorism" was originally coined by Barry
C. Collin of the Centre for Security and Intelligence in the late
1980s. Any act of terrorism committed utilizing a computer network
or the World Wide Web is referred to as cyberterrorism. This
includes targeted attacks employing malware or computer viruses to
harm people or the government. Our everyday lives are significantly
impacted by computers and the internet. For their everyday tasks,
people, governments, companies, and civilizations use the internet
and computers. People utilize them for practically every facet of
daily life, including typing, editing, creating, and data storage.
A number of problems have arisen while attempting to define
the phrase "cyberterrorism" precisely and completely. To begin
with, as previously indicated, the mainstream press has been an
important platform for the debate on "cyberterrorism." In these
publications, writers frequently prioritize dramatization and tactile
feeling over accurate and practical definitions of newly invented
terminology. Second, when referring to computers, it has long been
customary to simply prefix other phrases with "cyber," "computer,"
or "information" to generate new language. Thankfully, initiatives
have been started to increase semantic clarity.
The most well-known response was given by computer
science professor Dorothy Denning in a number of publications and
during a hearing before the House Armed Services Committee in
May 2000.
The fusion of cyberspace and terrorism results in
cyberterrorism. The term describes wrongful assaults and threats of
wrongful assaults on computers, networks, and the data they
contain, when committed with the aim of intimidating or coercing a
government or its citizens in pursuit of political or social goals.
For an act to be considered cyberterrorism, it must involve
violence against people or property, or at the very least
significant damage that inspires fear. Assaults resulting in
fatalities or serious physical harm, explosions, or significant
financial loss are all examples. Serious assaults on crucial
facilities may be classified as cyberterrorism, depending on their
severity. Attacks that are merely an expensive annoyance or
interfere with unimportant functions would not.3

3 Klein, John J. "Deterring and dissuading cyberterrorism." Journal of Strategic Security 8.4 (2015): 23-38


THE APPEAL OF CYBERTERRORISM FOR TERRORISTS


For many reasons, contemporary terrorists are drawn to
cyberterrorism:
1. Both the diversity and the sheer volume of targets are
daunting. Attacks by cyberterrorists against computers and
computer networks of businesses, individuals, governmental
bodies, commercial aircraft, and other institutions are
possible. Given the quantity and complexity of potential
targets, terrorists will surely look for openings and
vulnerabilities. Critical infrastructures, such as electric power
grids and emergency services, have been proven to be
vulnerable to cyberterrorist attacks because of the
sophisticated nature of the infrastructures and computer
systems that operate them, making it practically hard to
uncover and remedy all holes.
2. It is less complicated and more affordable than traditional
terrorist techniques. Terrorists may construct and transmit
computer viruses via a phone line, cable, or wireless link as
opposed to purchasing weapons like firearms and explosives.
They only need a computer and an internet connection.
3. Cyberterrorism is tougher to monitor than traditional types of
terrorism. Because terrorists, like many Internet users, utilize
"screen names" or access websites as anonymous "guest users,"
security agencies and law enforcement find it extremely difficult
to identify their true identity. Furthermore, there are no
physical barriers like checkpoints, borders, or customs officers
to evade online. Terrorists are drawn to it because it enables
remote operations. Because cyberterrorism requires less
physical training, psychological commitment, risk of death,
and travel than other types of terrorism, it is easier for terrorist
organizations to recruit and keep members.
4. Cyberterrorism has the potential to cause more direct
casualties than conventional terrorist strategies, which would
attract more media attention—which is ultimately what
terrorists aim for.

THE CONCEPT OF ‘ROUTINE FAILURE’ AND CYBER ATTACK


New security issues emerge as essential infrastructure is
protected. There are several participants. Municipal and commercial
systems and services are highlighted not as important as the
military, perhaps.4 Depending on how we define national security
and establish acceptable damage thresholds, the scope of these new
problems will vary. From the point of view of law and public safety,
no nation will accept even a single assault on infrastructure or
suspension of services. To avoid the loss of a day's worth of water
or electricity due to cyberattacks, we have established very stringent
security standards.
Therefore, from a strategic military perspective, attacks that
do not impair national capabilities are of little consequence.5 This
view holds that a cyberattack does not constitute an urgent or
significant danger to national security if it does not result in more
damage than typical economic disruptions. It is important to
remember that routine events like power outages, air turbulence,
water system failures, and other cyber-terrorist scenarios do not
represent a danger to national security in the context of larger
economic activities. When dozens or even hundreds of different
systems provide crucial infrastructure services on a national
magnitude, system or regional failure is common and can leave
consumers without service for hours or days. Cyber terrorists would
have to attack several targets concurrently over a prolonged period
to instill fear, accomplish strategic objectives, or have any
observable impact. For the majority of critical infrastructure,
several extended attacks are not a practical option for
nation-states, terrorist groups, or hackers (especially for
nation-states, as the risks of being discovered outweigh the little
rewards from infrastructure hacking).

HACKING, PANIC, AND TERROR


Early warnings of the "cyber menace" said that by entering a
few computer instructions, hackers, terrorists, foreign spies, and
criminal gangs might take control of or damage a nation's vital
infrastructure. There is no evidence to back up this terrifying
scenario. Terrorist groups like Al Qaeda frequently utilize the
Internet, but mostly for fundraising, public relations, and
interpersonal communication. Internet access may be used by
cyberterrorists to get credit card information or other crucial data for
their activities. Although it has received a lot of attention, cyber-
terrorism has often consisted of information gathering, propaganda,
or the online counterpart of graffiti, in which groups deface one
another's websites. Critical organizations have not been shut down
as a result of cyberattacks.6

4 21st Century Technologies Promises And Perils of a Dynamic Future, OECD, available at: https://www.oecd.org/futures/35391210.pdf (Last Visited on: March 23, 2023).
5 Gabriel Weimann, United States Institute Of Peace Special Report, available at: https://www.usip.org/sites/default/files/sr119.pdf (Visited on: March 21, 2023).
Early predictions of the "cyber menace" warned that hackers,
terrorists, foreign spies, and criminal gangs may take control of or
harm a country's crucial infrastructure with a few computer
commands. This terrible possibility has no supporting evidence. The
Internet is extensively used by terrorist organizations like Al Qaeda,
although mostly for fundraising, public relations, and interpersonal
connection. Cyberterrorists may exploit internet connections to get
credit card numbers or other vital information for their operations.
Despite the media attention it has gotten, cyber-terrorism has
frequently involved gathering intelligence, spreading
misinformation, or the internet's version of graffiti, in which gangs
deface one another's websites. Cyberattacks have not resulted in the
closure of important organizations.
The desire to attribute cyber occurrences to military or
terrorist operations when their real source is recreational civilian
hackers makes evaluating the threat of cyberterrorism difficult. In
the late 1990s, when DOD computer networks were compromised,
the US instantly suspected potential enemies, namely China or Iraq.
Officials in the United States discussed the advantages of active
defense and whether defending against a counterattack constituted
an act of war. As the crisis worsened, the US realized that the attack
had been carried out by two Southern California high school kids,
not some foreign opponent.
The tendency for individuals to mistakenly ascribe cyber
occurrences to military or terrorist activities when they are the work
of recreational civilian hackers makes assessing the danger of
cyberterrorism more challenging. When DOD computer networks
were breached in the late 1990s, the US first suspected prospective
adversaries, primarily China or Iraq. To assist a counterattack, US
policymakers disputed the merits of active defense and whether this
constituted an act of war. As the crisis worsened, the US realized
that the attack was carried out by two high school kids from
southern California, not some foreign opponent. In the early phases
of an event, it might be impossible to determine if the assailant is a
terrorist organization, a foreign state, a criminal, or a California
child.7 An examination of instances over the last four years reveals
that the most prevalent reasons for the attack are apathetic youth and
criminals. Even today, amateur hackers account for the great
majority of hacking occurrences.

6 Ibid
These stories frequently recycle the same made-up scenarios
that have previously been provided to other countries' cyber-warfare
operations, although authorities in government are allegedly
concerned about Al Qaeda's intentions to utilize the Internet to
perpetrate cyber-terrorism. Although the threat is still hypothetical,
the enemy has changed from rival states to organizations like Al
Qaeda. The only novel method employed by Al Qaeda is the use of
hacking to block emergency services to heighten and intensify the
impact of a physical assault. If such attacks were viable, cyber-
attack extensions to more traditional methods of assault would pose
the greatest threat to national security.
As we become more reliant on computer networks that can be
accessed over the internet, espionage will pose a larger threat to
national security than cyberattacks. Intelligence services stand to
gain from both the information that is freely available online and
their capacity to covertly infiltrate computer networks and gather
the information that is not widely available, because it is almost
certain that terrorist organizations will use the Internet to gather
information on potential targets. When entering a hostile network, a
terrorist group or intelligence agency will prefer to blend in as much
as possible, as opposed to hacking. An intelligent adversary may
hack into a system, sit there, gather data, and make an effort to go
unnoticed. Instead of interrupting essential services or posting
obnoxious alerts on websites, it will silently collect data in the
background. While new types of data will be obtained, collection
tactics for the Internet are fundamentally different from prior
signals and communications intercept techniques. This may result in
some espionage activities becoming significantly more lucrative
overall, but more research is required on this subject and on its
implications for espionage as computer networks and Internet
protocols are used more frequently.

7 West J Emerg Med, The San Bernardino, California, Terror Attack: Two Emergency Departments’ Response, available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4729411/ (Visited on: March 23, 2023).

GOVERNMENT’S ROLE IN INTENSIFYING COMBAT TECHNIQUES AGAINST CYBERSECURITY RISKS
Cyberterrorism is the outcome of combining cyberspace and
terrorism. It covers wrongful assaults and threats of wrongful
assaults on computers, networks, and the data they contain when
they are committed to intimidate or coerce a government or its
citizens in pursuit of political or social goals.8 To qualify as
cyberterrorism, an act must cause violence to individuals or
property, or at least significant damage that induces fear. Examples
include assaults that lead to death or severe physical harm,
explosions, or substantial financial losses. Depending on their
severity, serious attacks on critical facilities could be classified as
cyberterrorism. Attacks that do not cause significant damage or
disrupt critical operations would be considered a minor
inconvenience.
More than 100 nations have implemented national
cybersecurity defense strategies to combat the cybersecurity threats
faced by their residents, businesses, and critical infrastructure. We
analyzed the cybersecurity laws of 11 different nations to assist
emerging governments.9
Even though various countries have chosen a wide variety of
cybersecurity protection options, we have identified five traits that
are shared by all successful national programs.10 This section covers
these strategies. New dangers are always emerging in the field of
cybersecurity. Focusing their efforts on these five areas may better
prepare governments to withstand cyberattacks, limit the harm
caused, and safeguard their people, enterprises, and vital
infrastructure.

8 Ankit Fadia, Mahir Nayfeh, and John Noble, Follow the leaders: How governments can combat intensifying cybersecurity risks, September 16, 2020, available at: https://www.mckinsey.com/industries/public-and-social-sector/our-insights/follow-the-leaders-how-governments-can-combat-intensifying-cybersecurity-risks (Visited on: March 21, 2023)
9 Global Cybersecurity Index, International Telecommunication Union, itu.int
10 Ibid


IMPORTANT ELEMENTS OF A NATIONAL CYBERSECURITY STRATEGY:
An effective national cybersecurity strategy includes the five
elements listed below:
1. A national cybersecurity agency (NCA) that is focused
2. A national program for protecting critical infrastructure
3. A countrywide plan for incident response and recovery
4. Clear laws that apply to all cybercrimes
5. A thriving ecosystem for cybersecurity

1. National Cybersecurity Agency (NCA)


In innovative nations, a single organization, known as a
national cybersecurity agency, is assigned complete responsibility
for developing and enforcing national cybersecurity policy. To
achieve this, it is necessary to develop a comprehensive plan for
national cybersecurity. This strategy must include efforts such as
protecting the nation's crucial infrastructure, preparing for and
responding to cyber events, developing cybersecurity standards,
increasing public awareness of cybersecurity challenges, and
enhancing professional cybersecurity skills.
To carry out these responsibilities, the NCA employees must
have the required technical skills and training. To address any
capability shortages, the NCA regularly collaborates and engages
with the business sector. To enhance the skills of the nation's
cybersecurity experts, the National Cybersecurity Agency of the
United Kingdom works closely with other governmental bodies
such as the Department for Digital, Culture, Media, and Sport.

2. National Critical Infrastructure Protection Program


Protecting the nation's critical infrastructure should be the
top priority for the NCA, even if they can only focus on one aspect
of cybersecurity.11 Hostile state actors often see critical
infrastructure as the most attractive target. Society, corporate
confidence, the economy, and even the overall security of the
country may be impacted by major infrastructure disruptions.
Combining operational and information technologies often makes
securing critical infrastructure more challenging and
time-consuming. The following three qualities are the focus of the
most successful National Critical Infrastructure Protection
strategies, according to research:

11 Protection of National Critical Information Infrastructure, Vivekananda International Foundation, available at: https://www.vifindia.org/sites/default/files/Protection-of-National-Critical-Information-Infrastructure.pdf (Visited on: March 24, 2023).

a. Giving Priority to Important Industries and Resources.


When determining whether a sector is important to the
nation, factors such as the economy, social cohesion, and national
security are often considered. According to the Network and
Information Security (NIS) directive of the European Union,
safeguarding the transportation, electricity, water, and digital
infrastructure sectors is crucial.12 The majority of the 11 countries in
our global benchmark research recognized 11 important categories,
which range from healthcare and emergency services to energy (oil,
gas, and nuclear power).

b. International Cybersecurity Guidelines to Protect Valuable Assets.

Governments with advanced technology put pressure on
businesses in crucial sectors to adhere to globally recognized
cybersecurity standards, particularly those outlined in the US
National Institute of Standards and Technology's Cybersecurity
Framework. Businesses can more easily comply with internationally
recognized standards for cybersecurity since their personnel is likely
already familiar with them.

c. An Effective System of Governance.


The way enforcement and regulation responsibilities are divided
among organizations often differs between nations. A strong governance
mechanism is required between sector regulators, who inform their
respective industries about cybersecurity standards and enforce them, and
the NCA, which creates the overall strategy, governance, and
technical standards for a nation's National Critical Infrastructure
Protection Program.

12 ENISA, European Union Agency for Cyber Security, available at:
https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new
(Visited on: March 22, 2023).

3. National Incident Response and Recovery Plan


Because cyberattacks are inevitable, every
government must develop a national incident response and recovery
plan. This will reduce their impact and speed up the
recovery process. The best-performing countries have clear reporting
obligations for both their citizens and their businesses. For instance,
in the United Kingdom, the National Cyber Security Centre (NCSC),
which acts as a single point of contact, is open to receiving reports
of cyber incidents from all enterprises and, increasingly, from
individuals.13 The back end requires the creation of a centralized
repository that compiles data on every cyber incident that occurs in
the country. As a result, governments will be better equipped to
gather information and intelligence and handle cyber emergencies.
In addition to passively documenting all reported crimes,
governments must actively search the internet for cyber threats. For
instance, the US National Security Operations Centre continuously
monitors security risks coming into the country and assesses threats
by combining network patterns with already available information on
national security.
The reference nations assign a level of importance to each
cyber incident based on the kind of victim, interdependence,
fatalities, national security, and other criteria. A low-severity
incident may be the hacking of a small business, whereas a
high-severity event could be the hacking of a large bank. Thanks to a
standardized matrix, all incident responders have a common
language for talking about cyber incidents of various levels of
severity.

13 The National Cyber Security Centre, available at: https://www.ncsc.gov.uk/
(Visited on: March 24, 2023).

4. Cybersecurity Laws Framework

To prevent, investigate, and prosecute cybercrime,
governments should concentrate on two success factors:

a. Strong Procedural and Substantive Cybersecurity Legislation.

Governments must prioritize addressing cybersecurity
threats through a combination of legislation and advice, rather than
resorting to aggressive tactics immediately. When developing
national cybersecurity laws, it is essential to take into consideration
the Budapest Convention's recommendations. This international
agreement on cyber laws has been adopted by more than 60 states.
According to the Budapest Convention's guidelines, substantive and
procedural laws must be implemented by governments. With the
increasing use of technology in today's society, cybercrime has
become a serious concern. In response to this worry, lawmakers
have created substantive and procedural laws relevant to
cybercrime. Substantive laws comprehensively identify numerous
illegal activities online that can result in punishment upon
conviction. Among the crimes specified are copyright infringement,
computer-related fraud, child pornography, and network security
breaches. Each crime carries associated legal consequences
depending on the severity of the offense.

b. Collaboration and Cooperation on a Global Scale


The transnational nature of this crime necessitates
governmental participation in international forums, collaboration
with other nations to share risks and intelligence, and
implementation of prevention and combat measures. Governments
must engage with one another to develop effective strategies for
addressing this pressing concern. Without collaboration between
nations, the efforts made by individual governments will fall short
of eradicating this global issue.

5. Vibrant Cybersecurity Ecosystem


A study of the information security workforce revealed that
by 2022, the world will need to fill 1.8 million extra cyber-skilled jobs.14
Therefore, governments must actively train, upskill, and maintain
the cyber capabilities of experts in the public and private sectors.
To reward high-quality education, the NCSC has authorized
24 master's degrees, three integrated master's degrees, and five
bachelor's degrees in cybersecurity from 23 UK institutions. Since
its inception in 2001, the CyberCorps Scholarship for Service
initiative has placed almost 3,600 graduates in more than 140
federal entities around the United States. Over 70 active universities
are now taking part in the CyberCorps scholarship project.15
We are no longer divided by countries or borders thanks to the
internet. A united effort to stop the increasingly expensive and
dangerous cyber hazards that endanger the global order is necessary
for the protection of all users as well as the prosperity of
communities and economies around the globe. Nations can create
national cybersecurity organizations and policies based on the
lessons learned from the experience of many nations over many
decades to defend this interconnected world.

14 Global cybersecurity workforce shortage to reach 1.8 million as threats loom larger
and stakes rise higher, (ISC)², June 7, 2017, available at: https://www.isc2.org/ (Last
Visited on: March 23, 2023).

CYBER TERRORISM IN INDIA


The threat that cyberattacks pose to India has been
consistently emphasized by the Central Bureau of Investigation
(CBI) of India and cyber specialists. In 2010, hackers from the
"Pakistani Cyber Army" hacked the CBI website. Dr. Abdul Kalam,
India's former president, raised the alarm about cyberterrorism in a
2005 address.
Unfortunately, India is unfamiliar with the term "cyber
security system." As a result, India would face serious
consequences. Businesses, governments, and private organizations
in India spend less money and are less concerned about cyber
security. This is especially true of the banking and insurance
sectors.
A cyberattack against Indira Gandhi International Airport
(IGI) took place in August 2013.16 A viral program known as
"Technical Snag" caused pandemonium by disrupting the
functioning of Terminal 3. The purpose of the malicious software's
remote dissemination was to weaken "the airport security system."
On the internet, attackers sought flaws in security mechanisms. The
CUPPS (Common Use Passengers Processing System) finally
received the viral software that had been disseminated through
"check-in centers" at boarding gates. This allowed the airlines'
online reservation systems, forecasted departure times, and waiting
room capacity to be affected.

15 McLaughlin, L., 2005. Cybercorps scholarships fund new generation of security
gurus. IEEE Software, 22(1), pp.98-1
16 Park, JiYoung, et al. "A new framework to quantifying the economic impacts of
cyberattacks on aviation systems: a Korean game-theoretic interregional economic
model." Quantitative Regional Economic and Environmental Analysis for
Sustainability in Korea (2016): 153-168.

Furthermore, some 60 Indian websites are defaced daily by
cybercriminals from Pakistan. With relative ease, Pakistani hackers
gained access to our websites and posted derogatory content about
India to further their own political, religious, social, or economic
goals. Cyberterrorists use coded chats, hidden messages in
photographs, email drafts, and encrypted pen drives in addition to
VoIP (voice over Internet Protocol), which includes WhatsApp
audio and video calls, Skype, Google Talk video calls, and other
services. According to NASSCOM-IDC polls, there is presently an
estimated global demand for 188,000 ethical hackers and an Indian
demand for 77,000.17
Evidence of terrorists using the internet to communicate and
obtain information such as maps, demographics, and local
infrastructure was found during the investigation into the 26/11
Mumbai assault.
Hackers use "Google Earth," a mobile network for command
and control, and social media to follow the movements of Indian
defense and rescue workers, among other tools, to carry out their
plans. Additionally, they use "technology for conversion of audio
signals into data," which makes it more difficult for "Indian defense
forces" to identify the information's origin. The ethical hacker Ankit
Wadia deciphered this message.18
Another hack occurred in 2011 when a bomb exploded at the
Jhaveri Bazar market in Mumbai. The 2010 Varanasi bombing case
utilized internet communication similarly.
The Indian government finally had to create a powerful
institution to tackle cyberterrorism. Section 66F of the Information
Technology Act of 2000, which deals with cyberterrorism and
other related concerns, was introduced in 2008; however, it was not
immediately addressed. Revisions were made to the Indian
Evidence Act of 1872 and the Indian Criminal Code of 1860.
Instead, we Indians have reduced our investment in cyber security.

17 Ibid.
18 Cyber terrorism: The Fifth Domain, available at: http://www.indiabloom.com
(Visited on March 13, 2023)

INDIAN GOVERNMENT’S INITIATIVE ON CYBERSECURITY

On June 9, 2000, India's IT Act of 2000 went into force. The
IT Act's preamble declares that the legislation’s goal is to give
electronic transactions legal legitimacy. It covers a wide variety of
subjects, including data security, cybercrime, online defamation,
and the requirement to monitor communications.
Since 2011, no modifications to the IT Act have been made.
Although cybersecurity concerns have grown significantly over the
past ten years, the IT Act has not been changed. The IT Act will be
updated in 2020 by MeitY to provide a more robust framework for
cyber security, according to a statement made in February of that
year. The government wants to hasten the process of upgrading the
IT Act in response to new technology, the spread of online business
models, and a rise in cybercrimes.
A. The Information Technology (Amendment) Act of 2008
In December 2008, the "Amendment Act" was passed by
Parliament. This Amendment Act made the sending of damaging
messages or any other material designed to cause offense,
inconvenience, or other negative effects illegal. In the Shreya
Singhal case, the Indian Supreme Court nullified this regulation.19
Section 69 of the Amendment Act gave the federal
government and state governments the ability to order the
interception or monitoring of information, following the
recommendations of the Standing Committee on Information
Technology. In addition to transmission, this provision also
encompasses the transfer, creation, and storage of intercepted data.
The revised clause adds further safeguards for the issuance of such
interception orders, such as the Information Technology
Regulations, 2009 ("Interception Rules").
B. National Cyber Security Policy, 2013
In July 2013, the Ministry of Communication and Information
Technology released the National Cyber Security Policy
(NCSP).20 To achieve the goals of the NCSP 2013, the Indian
government launched the following programs/strategies:
1. NCIIPC, the nation's nodal agency, is conducting CII security
measures.
2. The growth of multilateralism in cybersecurity. Coordination
of best cybersecurity practices and the transmission of real-
time information regarding destructive assaults were two
things that India and the US undertook in 2016.
3. Creating the National Cyber Coordination Centre ("NCCC")
to fully comprehend cyber security concerns and to facilitate
timely information exchange across various bodies for
preventative action.

19 Supra (8)
20 Sangeeta Jha, The National Cyber Security Policy, 2013, available at:
https://www.geeksforgeeks.org/the-national-cyber-security-policy-2013/ (Visited on:
March 21, 2023).

C. Personal Data Protection Bill


The union government authorized the PDP Law, which
focuses on localized data, to protect Indian people who are
concerned about global data breaches. According to the law, all
personally identifiable information must be handled and retained in
India. Individuals' sensitive personal information must be stored
locally, but in some cases, it may be handled elsewhere. Major
social media firms would be compelled to resolve problems created
by disagreeable content transmitted on their networks as part of the
law.

D. Surveillance Order Issued by MHA


As part of the Interception Regulations, the MHA21 approved
an order in December 2018 allowing ten security and intelligence
organizations to intercept, monitor, and decode any data delivered
over any computer resource.
The Puttaswamy case demonstrated how this rule infringes on
the inalienable right to privacy. The order was condemned by the
Supreme Court for infringing on this right. Government
representatives asserted that the directive was intended to
accomplish a valid governmental objective. The government has
also instructed the agencies that if they wish to intercept any
material, they must first get authorization from the appropriate
authorities.

21 Ghosh, Nimisha, et al. "Strategies for COVID-19 Epidemiological Surveillance in
India: Overall Policies Till June 2021." Frontiers in Public Health 9 (2021): 708224.

THE BOTTOM LINE

According to the MHA, cybercrime has increased by 86% this
year, with incidents ranging from phishing for PM Cares Fund
payment interfaces to Netflix offer frauds. The proliferation of
organizations responsible for cyber security, as well as the unclear
legal underpinning for requests for surveillance and monitoring, to
mention just two possible issues, might further erode the present IT
Act framework.
While revising the IT Act, the government is in a great
position to build a strong framework that prioritizes cyber security.
We're interested to see how the government addresses the concerns
now that data protection laws and a national cyber security policy
are in the works.

ADDITIONAL RELEVANT LEGAL PROVISIONS FOR CYBER TERRORISM

India has no official laws that address cyberterrorism. To
prevent cyberterrorism, Section 66F was included in the 2008
statute that updated the Information Technology Act of 2000. The
extra-legal safeguards contained in both general and terrorism-
specific legislation are strengthened by these laws and regulations.
In addition to denial-of-service (DoS) attacks, the introduction of
computer contaminants, unauthorized access to computer systems,
the theft of private data, and the disclosure of any data that might
endanger India's interests in sovereignty, integrity, security, or
friendly relations are all covered by this single clause.
Other Section 66 offenses incur a three-year prison penalty
and a five-lakh fine, and they are both cognizable and bailable.
Section 66A outlines the penalties for utilizing communication
services, among other things, to transmit illegal communications.
Under the new Section 84C, the attempted commission of an
infraction is now penalized by up to half the highest period of
imprisonment allowed for that offense. Section 84B punishes aiding
and abetting an infringement with the same penalty as the actual
offense. For specified activities, such as hacking, the penalty has
been increased from three years in prison and a fine of two lakhs to
five lakhs (Section 66).22
The following is a quick summary of the laws and other
recommendations to prevent cyberterrorism.23

• Section 66: Computer-related crimes, such as hacking.
• Section 66A: Sanctions for using communication services to
disseminate offensive communications, etc.
• Section 66C: Identity theft penalties.
• Section 66D: Penalties for impersonating someone else to
cheat while utilizing computer resources.
• Section 66F: Cyberterrorism Punishment.
• Section 69: The authority to give instructions for the
monitoring, decryption, or interception of any information
transmitted through any computer resource.
• Section 69B: Power to authorize the monitoring and collection of
traffic data or information through any computer resource for cyber
security.
• Section 70B: The Indian Computer Emergency Response
Team will act as the country's lead agency for responding to
incidents.
• Section 84B: Punishment for abetment of offenses.
• Section 84C: Punishment for attempt to commit offenses.
• Implementation of Information Technology (IT) Security
Guidelines, 2000.
• The Information Technology (Procedure and Safeguard for
Interception, Monitoring and Decryption of Information)
Rules, 2009.
• The Information Technology (Procedure and Safeguard for
Blocking for Access of Information by Public) Rules, 2009.
• The Information Technology (Procedure and Safeguard for
Monitoring and Collecting Traffic Data or Information)
Rules, 2009.
• The Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information)
Rules, 2011.
• The Information Technology (Guidelines for Cyber Cafe)
Rules, 2011.
• The Information Technology (Electronic Service Delivery)
Rules, 2011.
• The Information Technology (National Critical Information
Infrastructure Protection Centre and Manner of Performing
Functions and Duties) Rules, 2013.

22 Ibid.
23 Supra (20)

CONCLUSION
The Internet is new, and new things tend to seem more
terrifying than they are. Many early evaluations of cyber threats and
cyber security seem to have been built around "The Sky is Falling."
The sky is not falling, and it would seem that using cyberwarfare to
oust or intimidate a government is useless. Examples given in this
study demonstrate that nations are more powerful than what early
theories of cyberterrorism claimed. Redundancy, typical rates of
failure and response, the extent to which essential services are
accessible via public networks, and the amount of security in place
for each target facility would all need to be thoroughly
investigated.24
We might infer from the foregoing analysis that we cannot
completely rule out the possibility of future cyberterrorism-related acts.
Instead of addressing the actual and virtual realities' remedial needs, we
should take preventative action. Today's digital India has to be prepared
for cyberattacks as the country moves towards a fully digitalized
economy. It needs to be ready for cyberattacks and to respond in a
timely manner. When it comes to defending against online threats and
assaults, India should be more forceful. Private firms have reported
incidents of ransom demands made against the security of their
information infrastructures and data secrets. Even though netizens are
digitally savvy, regulating the role of software developers and IT product
firms is another part of preventative measures. We should make sure
that firms that release vulnerable software are held accountable
and legally responsible. More serious sanctions should be applied when
software tools are misused, necessitating control of the creation and
distribution of such tools. Regulatory rules similar to those that apply to
the manufacturing or handling of firearms or ammunition should
apply.25 A recent story entitled "Govt to strike strong
on top militants, cyber terrorism" was published in the Daily Excelsior,
a prominent news source in Kashmir, on June 25, 2019. The Indian
government will soon introduce legislation, which will mark a
significant advancement in the fight against terrorism and the
prevention of cyberterrorism. One of the law's suggested changes
called for registering cases under several legal sections to stop
cyberterrorism operations. These suggested reforms assist the
government in maintaining rigorous vigilance and surveillance over
terrorists active both in Jammu and Kashmir and elsewhere in India.26
The proposal to amend the NIA Act was accepted by the government,
allowing the agency to report and investigate terrorist activities on
foreign land if any Indian people or interests are at risk. The goal of this
legislative proposal is to increase the variety of topics that the agency
may investigate.

24 Ghosh, Nimisha, et al. "Strategies for COVID-19 Epidemiological Surveillance in
India: Overall Policies Till June 2021." Frontiers in Public Health 9 (2021): 708224
25 Digital India's response readiness against cyber attacks is frail, lack of online security
awareness biggest weakness – Firstpost, available at: https://www.firstpost.com
(Visited on March 21, 2023)

The list of offenses covered by the NIA Act is expanding
to include crimes like cyberterrorism under the IT Act and those
associated with human trafficking under Sections 370–371 of the
Indian Penal Code, which often involve foreign links. A debate was
also held during CENTERS's seminar on cyber-terrorism and the economy
regarding methods to reinforce cyber warfare capabilities as a
means of ensuring peace and security. The speaker implied that
India will soon enter an era dominated by technology, especially
information technology, considering the wide-ranging use of these
technologies; one potential threat is hackers getting access to
virus software from anywhere in the world.27
From a broader security perspective, governments are today
dealing with many amorphous security concerns that traditional
national security instruments find difficult to manage. The most
significant effect of these changes on cyber security may be
the need for national policies to be modified to reflect the increasing
interconnectedness of economies and to emphasize the importance of
international collaboration in combating cyber threats.

26 Union Cabinet moves to strengthen anti-terrorism law, India News - Times of India,
https://timesofindia.indiatimes.com (Visited on 05 July, 2019)
27 Govt to act tough on top militants, cyber terrorism, available at:
https://www.dailyexcelsior.com (Visited on March 23, 2023)

CHAPTER 4

CYBER TERRORISM IN INDIA: A VIRTUAL THREAT


Neha Mishra1, Ritika Khandelwal2

“A global problem, cyber terrorism is one of the most overlooked
and underappreciated issues in India. After the United States and
China, India has the most "Netizens," or users of the internet. The
overreliance on the internet increased their weaknesses and turned
their aggressions into feelings of retaliation, turning them into
criminals, cyber fighters, and enemies of the state. The majority of
Indians are indifferent to the cyber threat of becoming victims of the
virtual world. The world now has a vast array of chances for
developing its financial infrastructures thanks to information
technology. Every second sees an increase in cybercrimes. The
online community is uninformed and of the mindset that their
actions go unreported. We frequently and accidentally share our highly
sensitive and important data on online media. Threats from
cyberterrorism have emerged as a result of the Internet's explosive
growth. The presentation of fatal, non-lethal psychological well-
being, public confidence, and political sentiments is a common
feature of cyberattacks. Generally speaking, the only system
affected by cyberterrorism is the national security system. However,
it also has an impact on their cognition and psychology. The
number of cyberattacks has substantially increased over the past
several years due to the expansion of cyberterrorism. It has
damaged crucial command and control systems and nuclear facilities,
and caused widespread disaster. The capacity to prevent
cyberattacks on government systems, defense websites, financial
and banking systems, and the most critical nuclear plants is being
strengthened by the cyber experts”.

1 Assistant Professor, Amity Law School, Amity University, Gurugram, (India)
2 B.A. LL.B (H), 3rd Year, Institute of Legal Studies & Research, GLA, Mathura,
(India)

INTRODUCTION

With the development of the world, the term terrorism has
also changed its course. Apart from physical violence,
it has become a threat to the economy of a country,
community or society. Now it has become a heinous threat. It is an
unlawful attack against computers, networks and information stored
in any electronic device when done to intimidate or coerce a
government or its people in promotion of political or social
objectives. It involves an attack which results in violence against
persons or property, or at least causes enough harm to generate fear.
The term cyber terrorism is different from the term cyber
attack, as a cyber attack can be on an individual or group of people, but
the former is an attack against countries, communities, etc.
The term cyber terrorism was first coined by Barry Collin in the
1980s.3 Cyber terrorism is carried out by hackers through the
internet. The internet is one of the most important aspects of today's
modern era, in areas like education, online shopping, etc., but it has
also given birth to serious crimes which involve financial fraud by hacking
accounts, stealing important data or information, etc. Many
academicians and researchers who specialize in terrorism studies
have suggested that cyber terrorism does not exist and is really a
matter of hacking or information warfare.
Many nations have increased their dependency on cyberspace
by maximizing the use of Information and Communication
Technology (ICT). Cyberspace has given an advantage to terrorists
for carrying out cyber attacks and spreading fake rumors over the
internet. Cyber attacks have escalated terror operations. It is
quite important to secure our cyberspace from these cyber threats.
This article explores cyber terrorism as a major part of the cyber threat.
The internet is a perfect example of the behavioral approach of
terrorists in a multinational way; against this, States need only to
think in an equally multinational manner.
One of humanity's greatest achievements is the growth of
cyberspace. With incredible advantages in numerous domains, these
cyberspace advancements are attracting human curiosity. Cyber
attacks have become one of the most pressing security concerns, and
they pose a serious threat to society. Cyber threats are a fluid shift in
the danger landscape that has the potential to upset global economic
and social stability. Due to their obscurity, cyber risks are
challenging to identify and analyse. As the Internet evolved into an
unstoppable, open architecture, the multinational, internationally
linked nature of cyberspace led to an increase in cyberthreats.

3 Collin, B. C. (1997, March). The future of cyberterrorism: Where the physical and
virtual worlds converge. In Remarks to the 11th Annual International Symposium on
Criminal Justice Issues.

WHAT IS CYBER TERRORISM?


Cyberspace can be thought of as the e-medium of computer
networks that enables online communication for the purpose of
interaction among people from various walks of life, exchanging
ideas, imparting information, providing social assistance,
undertaking businesses, producing inventive media, running games,
having political discussion, and so forth.4 However, there is a
possibility that the data may be misused. Whatever benefits
technology may have, it is improbable that those benefits will
outweigh any negative effects. What constitutes cyberterrorism and
how it is destructive to society as a whole are the key questions at
hand. Cyberterrorism is defined by the Federal Bureau of
Investigation as any premeditated, politically motivated attack
against information, computer systems, computer programmes, and
data that results in violence by subnational organisations or covert
operatives against non-combatant targets.5 Simply put, cyberterrorism
is the use of threats, coercion, fear, and other tactics to advance
political or propagandist beliefs. Cyberterrorism, then, is the
exploitation of the internet for criminal purposes to the point where
it could result in physical harm, death, or person(s). Cyber terrorists
frequently target computer networks, gain unauthorized access to
data, destroy networks, and maybe utilize the data they collect to
further their political ideology.

4 Dr. Farooq Ahmad, Cyber Law in India, New Era Law Publications, Edition 4th, 2011
5 R. Rajan, ‘Cyber Terrorism’, in R. Rajan (ed.), Cyber Terrorism and Military
Preparedness: An International Perspective, India: Sumit Publication, 2016, p. 7

WHO ARE CYBER TERRORISTS?

To shield ourselves from cyber terrorists, we should first recognize
who they are. The dangers of cyber terrorism can be
caused by anybody with hostile aims who exploits information in the
digital sphere, such as beginner and expert programmers, disgruntled
workers, digital criminals, cyber terrorist groups and others.6
The graphic below shows that beginner programmers are by
a long shot the greatest danger on the Web at the present time. They
are responsible for around 90% of all hacking activities. The truth is,
the dangers of cyber terrorism can come from so many different
sources that it sometimes seems an impossible task to
safeguard ourselves from it. In any case, with proper preparation
and key security implementations, we would be able to significantly
reduce the chances of cyber terrorism happening to us.

POPULAR TARGETS OF CYBER TERRORISM


Every terrorist group has a different goal and set of objectives,
and every terror strike has a unique focus.7 The following is a partial
list of potential targets for cyberattacks or acts of terrorism:
• News organizations, media outlets, and telecommunications
firms make up the communication infrastructure.
• Corporations: Providers of components and civil consulting
firms
• Financial Institutions: Public and Private Banks, Insurance
Companies, and Government Funding Institutions
• The health care sector includes pharmacies, hospitals, clinics,
and companies that produce medications (such as vaccines
and antibiotics).
• Power grids, transportation networks, water management
organisations, nuclear power plants, railroads, and
information technology systems are a few examples.8

CYBER TERRORISM'S IMPACT ON THE REAL WORLD


According to a large number of academics, it is impossible to
use cyber terrorism as a tool for physical mass destruction.9 This
refers to terrorist acts that result in fatalities, atrocities against

6 Cyber Law and its Applications by Prof. Shilpa S. Dongre.
7 B. Akhgar, Cyber Crime and Cyber Terrorism Investigator’s Handbook.
8 Ackoski, J., & Dojcinovski, M. (2012, June). Cyber terrorism and cyber-crime – threats
for cyber security. In Proceedings of First Annual International Scientific Conference,
Makedonski Brod, Macedonia, 09 June 2012.
9 The Journal of Strategic Information Systems, Volume 22, Issue 2, June 2013, Pages
175-186.


people, and destruction of property and population, such as the
attack on the World Trade Center on September 11, 2001 in the United
States of America or the attack on the Taj Hotel in Mumbai, India, on
November 26, 2008. Some people believe that cyber terrorism is incapable of
carrying out physical attacks or destruction like the examples given
above. The cyber terrorists lay a path for mass destruction rather
than immediately conducting an attack. The historic Chernobyl
incident that took place on April 25 and 26, 1986, is one of the most
well-known instances of a cyberattack that caused significant
physical harm. The nuclear plant's automatic monitoring system was
run by computers, which were allegedly unlawfully hacked, leading
to a destructive explosion. The Chernobyl monitoring system was
the target of a cyberattack, which made it feasible for a
cyberterrorist act to have effects in the real world.
On September 11, 2001, a terrorist attack at the World Trade
Center in the US was followed by a cyber terrorist attack. The
terrorist assaults carried out online or through other computer
networks with the intention of destroying crucial infrastructures in
order to endanger human life or cause a national uprising have
increased media attention to the possible dangers of cyber terrorism.
Depending on the goal they are trying to achieve, such actions may
be direct or indirect. Attacks on infrastructure, for instance, can be
categorized as direct attacks while those against financial
development might be categorized as indirect attacks.
Almost everyone has quick, constant access to online
involvement that has been obtained illegally. The internet's
web-based promise of the fusion of the physical and virtual worlds,
which affects both realms of reality, is seen by some consultants as
a powerful motivation to further their own political and personal
objectives; nations use it as a stand-in for terrorist organisations.
Different nations employ their political clout and resources to
achieve their political objectives, but due to the operation's immense
size, the truth is likely to surface. On the other hand, cyber
terrorism is more likely to disguise identities, which appeals to such
people.
India has a very low level of awareness of cyber terrorism.
The entire dark network serves as a haven for numerous acts that
fall under the category of cyber terrorism. The website of India's
renowned government investigating agency, the Central Bureau of
Investigation, was breached in 2010 by a group of hackers from


Pakistan known as the "Pakistani Hacker Army." In addition, the former
Indian President made a point of highlighting the issue of cyber
terrorism while delivering his talk in 2005. However, India's
response to this issue has been subdued, and there is currently no
substantial system that can be classified as a cyber security system.
In the summer of 2011, a virus attack happened at the recently
constructed Terminal T3 of the Indira Gandhi International Airport
in New Delhi, India. Aeronautical Radio Incorporated's (ARINC)
Common Use Passengers Processing System (CUPPS) is used to
operate the IGI's check-in counters, transfer counters, and boarding
gates. The CUPPS runs on a common software and hardware platform
that integrates all data, including the airline reservation system,
anticipated departure times, and waiting lounge capacity. The check-in
counters for all airlines at T3 ceased to be operational from 2.30 am
on June 29 as a result of the CUPPS issue. Because of this, airlines
were compelled to use manual check-in, which delayed passengers.
Only about a third of the 172 CUPPS counters were online, according
to an official. According to the inquiry, a virus was injected into
the CUPPS's primary server by someone who had hacked into it. After
12 hours, the system was repaired with the help of numerous tech
companies.
Cyber law authorities and social science experts in India do
not launch enough investigations to resolve the significant problem
of cyber terrorism, despite the fact that cyber crime has the
complexity to attract cyber criminologists from all over the world.
The 26/11 attacks on Mumbai's Taj Hotel may also be seen as a
cautionary tale emphasizing the need for efficient systems to monitor
cyber-terrorism attacks. An investigation into the 26/11 Mumbai
attacks found that Pakistani extremists were able to access the
property using online resources that made the map, floor plan, number
of attendees, and other information available.10
In addition, Google Earth was undoubtedly used to carefully
lay out the majority of the 26/11 site composition. The attackers
reportedly used additional technical tools in addition to the WED to
arrange or prepare their operation, which would have allowed them
to convert audio signals into complete data. The Indian commandos

10Ibid.


found it more challenging to track down the information breaches as
a result of all of this.11
Despite how horrifyingly the media portrays authoritarian
attacks based on fear on busy streets, the Indian Ministry of Home
Affairs, in its annual report (2010), made a clear connection between
the circumstances and Jewish encampments in Mumbai and the use of
contemporary media by fanatics; satellite telephones, GPSs,
and various websites were all frequently used to carry out the
terrorist mission. The open computer systems of the Taj and Trident
hotels were accessible to the intruders, according to intelligence on
the 26/11 attacks. They obtained information about the visitors
using the hotel's computers, paying particular attention to those who
were from the United States and the United Kingdom. They wanted
to target visitors who were in certain rooms, so they obtained room
numbers from the INS computer's database.
According to Section 66F, the perpetrators penetrated or
gained access to a computer resource without authorization, created
fear, killed or injured persons, and damaged or destroyed property in
order to disturb India's unity, integrity, security, or sovereignty.12
Protected systems, as described by Section 70, have been
vigorously protected by the Information Technology Act of 2000 (as
amended in 2008). "The appropriate Government may, by notification
in the Official Gazette, declare any computer resource which directly
or indirectly affects the facility of Critical Information
Infrastructure, to be a protected system." The death of principles is
also a result of government initiatives like the Information Technology
(Cyber Cafe Guidelines) Rules, 2011, which are governed by the IT
Act. The legislators have to find a delicate balance between the
fundamental rights protected by the Indian Constitution and the
demands of national security. Cyber terrorism will take on new forms
as a result of the rapid advancements in the world of technology. As
a result of the expansion and widespread usage of social networking
platforms and digital media, India is dealing with new issues related
to cyber terrorism. Following dialogue snippets in which it was
revealed that the intensity of the country's most recent kind of

11 Ibid.
12 The Information Technology Act, 2000


digital psychological warfare, India's parliament restricted a total of
eighty websites.

IS INDIA EQUIPPED TO COMBAT ONLINE TERRORISM?


“Today, the enemy no longer needs to enter the border.13 He
can also target our security apparatus from outside the border.
Alignment and realignment of global powers have added to the
already changing security challenges,” said the Defense Minister,
Rajnath Singh, at the 77th Staff Course at the Defense Services
Staff College (DSSC), Wellington.14

India's Legal Framework for Combating Cyberterrorism


The Information Technology Act (post act) lays down the
legal provisions regarding cyber terrorism. Section 66 of
the IT Act frames legislative reforms on cyber terrorism. It
provides for punishment, extending to life imprisonment, for cyber
terrorism, along with three major elements for an act to constitute
cyber terrorism.
First, a person does an act with the intent to terrorise others
or to endanger India's unity, integrity, security, or sovereignty.
Second, the act must involve unlawful computer-related behaviour:
unauthorised attempts to access computer resources, denying
access to any legally authorised individual, or introducing or
assisting in the introduction of computer contaminants.
Third, the act should also cause harm, such as death,
injuries to persons, an adverse or destructive impact on the critical
information infrastructure (CII), damage to or destruction of property,
or disruptions likely to affect services or supplies which are
essential to life. Further, Section 66F also applies where a person,
without authorisation or by exceeding his legitimate authorisation,
intentionally penetrates or accesses a computer resource and obtains
access to information, data or a computer database which has been
restricted for Indian security interests, or whose disclosure would
affect the sovereign interests of India, and so on.

13 ‘Afghanistan situation a challenge, led to strategy rethink’, TNN, 30th August, 2021,
available at: https://timesofindia.indiatimes.com/india/afghanistan-situation-a-challenge-led-to-strategy-rethink/articleshow/85752801.cms (Visited on: March 23, 2023).
14 Ibid.


Bomb explosions in Varanasi in 2010 and Mumbai's Zaveri
Bazaar in 2011 put pressure on the government to implement a
robust cyber security system. This prompted the Indian government
to amend the existing Indian Information Technology Act, 2000 in
order to strengthen cyber security and ban cyber terrorist activities
online.
India became the twelfth nation in the world to enforce cyber
law with the revision to the previous laws.

Here are some of its key sections on cyber terrorism:


1. Section 66-F Cyberterrorism Penalties.—(1) Whoever,—
(A) with the purpose of undermining India's sovereignty,
unity, integrity, security, or any part of the population by—
(i) denying access to anybody authorised to use a
computer resource or causing someone else to do so; or
(ii) trying to break into or gain access to a computer resource
without authorization or going beyond what is permitted; or
(iii) introducing or causing the introduction of any computer
contaminant,
and via such conduct causes or is likely to cause death, personal
injury, or damage to or destruction of property, negatively affects
the community's ability to access goods or services, or has an impact
on the crucial information infrastructure listed in Section 70; or
(B) knowingly or intentionally breaches or accesses a
computer resource without authorization or exceeds authorised access,
and through such conduct obtains access to information, data, or
computer databases that are restricted for reasons of national
security or international relations, or to any restricted information,
data, or computer databases with reasonable grounds to believe that
such restricted information, data, or computer databases so obtained
may be used to cause or be likely to cause a cyberterrorist offence.
(2) Whoever commits or conspires to commit cyber terrorism
shall be punishable with imprisonment which may extend to
imprisonment for life (Information Technology Act, 2000).15
2. Section 84B - “Whoever abets any offence shall, if the act
abetted is committed in consequence of the abetment, and no
express provision is made by this Act for the punishment of such

15Ibid.


abetment, be punished with the punishment provided for the offence
under this Act.16
Explanation. - An act or offence is said to be committed in
consequence of abetment, when it is committed in consequence of
the instigation, or in pursuance of the conspiracy, or with the aid
which constitutes the abetment.”17
3. Section 84C18 – “Whoever attempts to commit an offence
punishable by this Act or causes such an offence to be committed, and
in such an attempt does any act towards the commission of the offence,
shall, where no express provision is made for the punishment19 of such
attempt, be punished with imprisonment of any description provided
for the offence, for a term which may extend to one-half20 of the
longest term of imprisonment provided for that offence, or with such
fine as is provided for the offence, or with both.”21

Government’s Role in Making People Aware


To create awareness amongst the people, the government,
along with organizations such as UNOCT that have been introduced
to intervene in cyber terror matters, should run cyber security
awareness programs in the nation and build an educational climate
in the country against possible cyber threats (including cyber
terrorism) in cyberspace. The government should consider launching
a cyber literacy program (at first in regions vulnerable to cyber
attacks) on the lines of 'Sarva Shiksha Abhiyan' to familiarise
people with cyber security risks in a time-bound manner. This is
especially significant during the Coronavirus pandemic, when most
organizations are operating digitally through internet-based mediums.

FURTHER TENETS OF LAW


1. “Implementation of Information Technology (IT) Security
Guidelines, 2000.

16 Section 84: Punishment for abetment of offences, Info. Technology Law, available at:
https://www.itlaw.in/section-84b-punishment-for-abetment-of-offences/ (Visited on:
March 23, 2023).
17 Ibid.
18 Ibid.
19 Ibid.
20 Ibid.
21 Ibid.


2. Information Technology (Certifying Authorities) Rules, 2000.
3. The Information Technology (Procedure and Safeguard for
Interception, Monitoring and Decryption of Information)
Rules, 2009.
4. The Information Technology (Procedure and Safeguard for
Blocking for Access of Information by Public) Rules, 2009.
5. The Information Technology (Procedure and Safeguard for
Monitoring and Collecting Traffic Data or Information)
Rules, 2009.
6. The Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information)
Rules, 2011.
7. The Information Technology (Guidelines for Cyber Cafe)
Rules, 2011.
8. The Information Technology (Electronic Service Delivery)
Rules, 2011.
9. The Information Technology (National Critical Information
Infrastructure Protection Centre and Manner of Performing
Functions and Duties) Rules, 2013.”22

GLOBAL PERSPECTIVE
Continuous globalization has made it easier than ever for
terrorist groups operating outside of their own
country to communicate information, interact with other groups,
collect location data, and obtain armaments from within the country
or elsewhere.23 Organisations, particularly Islamic extremist groups,
are currently carrying out acts of terrorism, mostly in countries
and regions where the political situation is unstable and the
administration is weak. However, it is believed that the objectives of
their activities and their capabilities vary from organisation to
organisation.
Some of these organisations engage in illegal activity, such as
unlawful trades and kidnappings, in an effort to secure funds.
Osama Bin Laden, the leader of Al-Qaeda, who was hiding in
Pakistan and is widely thought to have planned the 9/11 attacks in

22 All these legislative Acts derive validity and authentication from the IT Act, 2000.
These are established within the meaning of different sections of the IT Act, 2000.
23 R. Nagpal, “Cyber Terrorism in the Context of Globalization,” in II World Congress
on Informatics and Law, 2002, no. September, pp. 1-23


2001, was killed in an operation that was overseen by the US.
Nevertheless, the threat of an Al-Qaeda strike has not been
completely eliminated by Bin Laden's killing. Although the ability of
the Al-Qaeda effort to uphold law and order has weakened, it
has been reported that other organisations bearing the term
"Al-Qaeda" in their name are escalating their influence and sowing
fear primarily in North Africa and the Middle East. In addition to
North Africa and the Middle East, numerous regions of South Asia and
Southeast Asia are also experiencing acts of terrorism carried out
by other Al-Qaeda-affiliated Islamic extremist and terrorist groups.
According to reports, these groups have the ability to cross
poorly policed borders and carry out acts of terrorism
in nations other than Algeria, Libya, Mali, Iraq, Egypt, and Syria,
where they have bases of operations. As for these organisations, it
has been said that they have gathered a sizable number of weapons,
which increased when the Gaddafi dictatorship in Libya was
toppled.

INCIDENTS OF CYBER TERRORISM


There were twenty-one bomb explosions in the Ahmedabad
bombings of 2008, which happened over the course of seventy
minutes on 26 July.
56 people lost their lives, while more than 200 people were hurt.24
• Ahmedabad serves as the social and economic hub of Gujarat
state and a major part of western India. It was believed that
the blasts were mild in nature and resembled those that had
happened in the metropolis the day before. However, the
Islamic militant group Harkat-ul-Jihad-al-Islami has
claimed responsibility for the attacks. Several TV outlets
initially claimed to have received an email from a terror group
known as the Indian terrorist force claiming credit for the
attacks. The alleged mastermind Mufti Abu Bashir
and nine other people were blamed by the Gujarat police for
the bombings.
• In 1998, ethnic Tamil guerillas bombarded the government
offices in Sri Lanka with 800 SMS every day for more than a

24 Notorious Cyber Security Attacks in India to Date, available
at: https://www.expresscomputer.in/ (Visited on: March 24, 2023)


week. "We are the Internet Black Tigers, and we're sending
these messages to sabotage your communications", the
messages said. Intelligence experts identified it as the first known
attack by terrorists against a nation's computer system.
• While fighting for control of Kosovo in 1999, hacktivists
opposing NATO bombings attacked NATO computers with
denial-of-service attacks. Additionally, according
to reports, organisations, public associations, and academic
institutions received virus-laden e-mails from a variety of
Eastern European countries that were highly politicised.
Web defacements were also common.
• The Electronic Disturbance Theater (EDT) has been
organizing online protests against various sites in support
of the Mexican Zapatistas since December 1997. Many
protesters point their programs at a target website
at a predetermined time using software that floods the target
with rapid, repeated download requests. Rights
groups have also used EDT's software against organizations
that are alleged to abuse animals. When the hacktivists
Electrohippies convened in Seattle in late 1999, they organized
online protests against the WTO.25
One of the worst incidents of cyber terrorists at work was
when crackers in Romania illegally accessed the computers
controlling the life support systems at an Antarctic research
station, endangering the 58 researchers involved. More recently,
in May 2007, Estonia was subjected to a mass cyber attack by
hackers inside the Russian Federation, which some evidence
suggests was coordinated by the Russian government, though Russian
authorities prevent any information from getting leaked. This attack
was apparently in response to the expulsion of a Russian ship from
downtown Estonia.26

PSYCHOLOGICAL EFFECTS OF CYBER TERRORISM ON HUMANS
It goes without saying that if the country's critical infrastructure
or business operations are damaged or disrupted by cyber terrorists,
the people who are directly affected will experience huge pressure

25Ibid.
26Ibid


mentally.27 We cannot underestimate the effect that cyber terrorism
attacks could have on people, since different people respond
differently to such situations. Some people who are directly affected
by cyber terrorists, for example through the loss of crucial
organizational data that can be used to compromise the well-being of
the organization or the targeted individual, may become fearful and
live under serious pressure. The person(s) involved will suffer
emotionally, and this could affect their mental health. In other
situations, where disinformation attacks using websites, email and
other electronic means are carried out to spread rumours about a
particular situation, organization or individual, it could lead to a
chaotic situation among the general public. People will panic, and
consequently normal business activities and everyday life will be
disrupted.
Therefore, the general public must be well-informed about
cyber terrorism and able to recognise the steps that
can be taken to handle the anxiety better. In order to provide a
more reliable and solid path for people suffering such problems,
the psychological issues relating to the effects of cyber terrorism
on people, and approaches to treating the related issues,
need to be studied more frequently.

Spreading Terror Propaganda Online


Terrorists used a variety of channels to disseminate their
message, including the internet and social media sites like
Facebook, Twitter, and WhatsApp.28 Although www.isis.com and
www.alqueda.org no longer exist, their propaganda can still be
accessed online. ISIS posted videos, recruiting materials, and
messages on Twitter to further their message. In 2016, Twitter
froze roughly 1,25,000 accounts connected to ISIS. Abu
Abdullah al Maghribi, an ISIS defector, argued that "The media
people are more important than soldiers. They make more money
each month. Their automobiles are superior. They have the ability to

27 Lerner JS, Gonzalez RM, Small DA et al. Effects of fear and anger on perceived
risks of terrorism: a national field experiment. Psychol Sci 2003;14:144–50.
28 Terrorism, the Internet, and Propaganda: A Deadly Combination, Ariel Victoria
Lieberman, available at: https://jnslp.com/ (Visited on: March 24, 2023)


bolster internal resistance and attract new adherents to the Islamic
State."
The ISIS Cyber campaign differs from other terrorist
organisations using social media, like Al Qaeda, in that it posts
videos of beheadings and other horrifying atrocities. These
organisations strive to glorify their actions, especially in the eyes of
young people.

CYBER TERROR LAW OF OTHER COUNTRIES


India is not the only country that has taken initiatives to prevent
cyber terrorism. Other countries have looked into the matter as
well; the UK, Australia, the USA, etc. are the major ones.29
The laws of these countries are as follows:

The United Kingdom (UK)


The UK government launched its cyber security program in
2015 in order to protect computers from cyber attacks. The
strategy revolves around two pillars which depend on each
other:30
• Create a solid framework for organisational cyber security
resilience - the government will introduce Cyber Security Standards
aligned with the Cyber Assessment Framework (the CAF) to have

29 Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws,
and Proposed Legislation.
30 Joshi, D. (n.d.). A comparison of legal and regulatory approaches to cybersecurity in
India and the United Kingdom. Shared under Creative Commons Attribution 4.0
International license.


the ability to assess risk through the same lens across
Government - learning from the journey on which the NIS Order has
taken CNI suppliers while also recognising the need to customise it
for the Government domain.
• "Defend as one" - The strategy recognises that the scope of
the threat necessitates a more comprehensive and coordinated
response; this coordination can provide a defensive force that is
disproportionately more powerful than the sum of its parts.
The Terrorism Act of 2002 is the legislative instrument that
sets out provisions on terrorism, including cyberterrorism.
Section 1 of the Act lists three requirements (expectation,
intention, and mischief) that together make up a terrorist act.
According to the Act, acts performed should be expected to have an
effect on the government or an international governmental
organisation, or to endanger the public or a portion of it.
Additionally, the act must be motivated by political, religious,
racial, or ideological reasons. Section 1(2) further lists the
alternative harms that could result from an act of terrorism. It
includes terrorist acts that seriously interfere with or disrupt an
electronic system. The phrase "electronic system" can refer to
financial transactions, computer and network access providers, and
so forth.

Australia
Following the 9/11 terrorist attacks, Australia enacted a set of
five restrictions known as the anti-terror statute.31 The definition of
terrorism was incorporated into the Security Legislation
Amendment (Terrorism) Act of 2002. Section 5.3 of the Australian
Criminal Code is somewhat applicable. The Criminal Code defines
terrorism in Section 100.1. Compared to the UK terror statute,
Australian law sets higher standards for what constitutes terrorism.
In this way, cyberattacks that are only intended to affect the
government are not considered cyberterrorism in Australia.
According to Australian law, a person must intend to intimidate an
administration in order for their actions to qualify as cyberterrorism.
The cyber attack should therefore be forceful or intimidating. When
cyberattacks occur, the Australian Terrorism Act is applicable.

31 Australian Federal Police, available at: https://www.afp.gov.au/ (Visited on: March
24, 2023)


Canada
According to Section 83.01 of the Canadian Criminal Code,
terrorism is defined as any act or omission committed inside or
outside of Canada with the intent of threatening the government or a
group of people, causing harm, death, endangering a person's life,
etc.32 Like Australian law, Canadian law incorporates an exclusion
for political protest. However, it establishes extremely strict
standards for a cyberterrorist act because it states that such attacks
must 'push' a government to act or stop acting in a particular
way. Attacks against both national and international organisations
are included in the definition of terrorism under Canadian law. This
establishes a wider scope of operation than "international government
associations." The Canadian law includes assault as well.

COOPERATION ON INTERNATIONAL CYBERSECURITY: DOMESTIC LAW HARMONIZATION
The transnational character of the internet warrants a worldwide
effort to counter cyber terrorism. To contain the risk of potentially
devastating cyber terrorism, nations should work towards developing
a generally acceptable and effective system of defence and
counter-measures for cyber terrorism. Many nations have progressively
strengthened their cyber defences and adopted deterrence mechanisms
to improve their cyber security. However, it becomes hard to
counter the dangers of cyber terrorism purely through national
policies, since the internet is globally homogenized and
attacks may originate abroad. Global cooperation between states is
therefore an effective basis for developing an effective combat
mechanism and legal framework to counter cyber terrorism.
Inadequate international standards and uncoordinated legal mechanisms
of states on cyber terrorism act as the greatest obstacle to
formulating an effective global strategy against cyber
terrorism.
Taking the dangers into account, cyber terrorism warrants
immediate global attention. However, as mentioned earlier, in spite of
being recognized universally as a precarious risk to global
peace, no generally agreed definition of cyber terrorism
exists today. The following section examines how disagreement over a

32 Government of Canada, available at: https://www.canada.ca/ (Last Visited on: March
24, 2023)


universal definition of cyber terrorism causes the domestic
interpretation of cyber terrorism in each state to differ from the
other.

COMPARISON OF INDIAN LAW WITH OTHER JURISDICTION


The definition of cyber terrorism set forth by Indian law
covers a larger range of cyber-enabled terror activities, in
contrast to the Canadian terror law. The presence of the terms
'attempting to penetrate',33 'likely to cause'34 and 'knowingly or
intentionally'35 under Section 66F gives a larger operational scope to
the definition of cyber terrorism in India. However, unlike
England and Canada, the scope of cyber terror activities in India
does not go beyond the unity, security, integrity and
sovereignty of India.36 Likewise, digital surveillance acts are
covered within the ambit of cyber terrorism under Section 66F(1)(B)
of the Act. Indian law, in contrast to the UK and Canada, does not
explicitly provide for cyberattacks against international
organisations as cyber terrorism. Further, the standards for an act
to qualify as an act of cyber terrorism in India are a lot higher
than in the UK terror law.
Consequently, different nations give different definitions of
acts of cyber terrorism. This variety among terror laws hinders
international cooperation, as these varied definitions set different
standards for an act to qualify as cyber terrorism. Thus, what might
amount to cyber terrorism in the UK may not necessarily amount to
cyber terrorism in Canada. To overcome this obstacle to an
international cooperative cyber security strategy, the following
steps should be taken:
States should accept a generally acceptable definition
of cyber terrorism. This would ensure that the standards for an act
amounting to cyber terrorism would be the same in the domestic laws
of each and every country. Consequently, an act amounting to cyber
terrorism in one country would likewise amount to cyber terrorism in
another. Consequently, if a nation becomes a
victim of a cyber terror attack originating from another country,

33 Information Technology Act, 2000 (Act 21 of 2000), Chapter III, Section
66F(1)(A)(ii).
34 Information Technology Act, 2000, Section 66F(1)(A).
35 Information Technology Act, 2000, Section 66F(1)(B).
36 Cyber-Laws, available at: https://www.canada.cacomparative-study-of-indian-and-foreign-laws-/https://calr.in/ (Visited on: March 24, 2023)


then the country attacked could use the legal
instruments of the other country to punish the culprit(s) or even
extradite the designated culprit(s). States should likewise harmonise their
domestic terror laws with one another. This would provide common systems
for the prosecution and investigation of cyber terrorism and help in the
global fight against cyber terrorism. It would lead to an
effective, efficient and transparent mechanism for
investigation and information sharing connected with cyber terrorism.
Besides cooperation in investigations, it would also
enable faster collaboration between law enforcement agencies of various
nations for other purposes, such as capacity-building projects and
training of officials.
Additionally, states should step up global prevention
of cyber terrorism through more coordinated collaboration in
intelligence sharing, cyber security governance, and cooperation in
building cyber security preparedness and resilience, through mutual
treaties and other instruments. Each state should designate
a global cooperative cyber security framework as a priority
area in its foreign policy. Efforts should
also be made to develop a universally binding and practically
implementable international instrument on cyber
terrorism to stop acts of cyber terrorism globally.
To safeguard the internet, it is essential that India reinforce
global cooperation among different states and do whatever it
takes to internationalise its domestic laws on cyber
terrorism.

CONCLUSION
The challenges brought on by technological growth cannot be
kept at a safe distance; change is inevitable. At the moment,
criminals have changed their tactics and begun depending on the
public, the law, and therefore the implementation.
In order to combat it, specialists, quasi-organizations, and
associations will find a manageable pace. Another requirement is
that the legitimate, and in this way the authorization, must adopt a
culture of ongoing digital training and learning. A secure web
security system might be maintained by specialists due to data
dynamics.
The Information Technology Act of 2000 was passed with the
intention of providing legal recognition for transactions governed by


various electronic data trade and online business proposals. Other
Acts have also amended the Indian Penal Code of 1860, the Indian
Evidence Act of 1872, and The Bankers Books Evidence Act of
1891 in order to promote legal recognition and regulation of
business activities.
From this, it can be inferred that the law can't stand to be
static; it needs to adapt to changing circumstances, i.e., with the
development of technology, the government has adopted supportive
legislation. But the issue is that authorities still treat this form of
cyberterrorism with a great deal of laxity. Despite the fact that
technology assistance enables the big attacks, this subject has never
been a top concern.
It is important to educate the general public about the dangers
of the internet and how to handle a situation brought on by
cyberterrorism. The government must take action that can be a part
of a holistic strategy in order to create the secure digital space that
the voter desires.


CHAPTER 5

CYBER TERRORISM: THREATENING NATIONAL
SECURITY THROUGH GLOBAL NETWORKS
Dr. Praveen Kumar Mall 1, Ananya Anant 2

The word "cyberterrorism" combines two of the biggest fears of the
modern era. The mistrust and open terror of computer technology
go hand in hand with the threat of random, violent victimisation. An
unidentified threat is viewed as more dangerous than one that is
identified. This paper aims to establish the connection of global
networks and crisis impacting national security and vice versa. The
unprecedented paradigm shift due to Covid has exacerbated the
danger posed by cybercrimes. Technology has entrenched every
aspect of our daily lives, and with every organisation whether
governmental or public ventures, turning to online medium for
effective functioning, the threat for national security increases by
the day. The power of cyberterrorism to induce hate crimes,
agitations, protests and overturning of companies and governments
is a prospective reality, as data is the key. Even more reasons for
authorities to focus on strategic cyber security measures to build a
strong digital frontier. Technology changes the nature of risks from
national to global security giving way to multi-domain conflicts
which demean the perception and understanding of conventional
warfare. Technology is putting a delicate strategic balance in
jeopardy at the hands of criminal intent and viable resources.

INTRODUCTION

By 2020, there will be more than 40 times as many bytes of
data (or more than one billion trillion) as stars in the visible
universe. Soon, the datasphere will be growing by around five
zettabytes a year, or more than six trillion bytes of data for every

1 Associate Professor, College of Law & Legal Studies, Teerthankara Mahaveer
University, Moradabad, (India)
2 B.A. LL.B (H), 4th Year, Amity Law School, Amity University, Noida, (India)


person on the planet.3 Every mouse click, keyboard button press,
swipe or tap is used to shape major decisions. Everything is about
data these days; information is power. This gives us obvious reasons
to secure the power in the right hands and protect it from disruptive
elements. It's a technical, cultural, social and economic weapon that
could consolidate and rearrange societal power structures. Often
viewed as an exaggeration of cybercrimes that do not have a strong
backbone, cyber terrorism is often not taken as seriously as it
sounds. The intended, partisan operation against data, networks,
software programmes, and information which ends in violence
against non-combatant targets by regional organisations or
clandestine personnel was referred to as cyberterrorism by Mark
Pollitt of the FBI (FBI, 1997). Criminal countries and non-state actors
utilise a variety of cyber terrorism attacks for a variety of reasons,
including extortion of money from governments and corporations, and
access to and corruption of government, military, and
commercial databases.
These are the tactics that are most frequently utilised in
cyberattacks. According to CRN, the FBI's Internet Crime Complaint
Centre (ICCC) saw a twofold increase in phishing instances in
2020 compared to 2019. The sheer number and complexity of
prospective targets ensure that terrorists will be able to recognise
vulnerabilities and loopholes. The capacity of a terrorist to acquire
control over, meddle with, or influence the command and monitoring
operations carried out by these systems might pose a danger to
regional and possibly even national security. The possibility that
terrorists may create computer software for organisations of
government is equally concerning.
There are more people in the U.S. protecting our national
parks than there are in CISA protecting our critical infrastructure,
Zegart said: Enforcement agencies can buy GPS location data
without court orders or public disclosure since data in the United
States is compiled and sold on the open market with few regulatory

3 The mosaic effect: the revelation risks of combining humanitarian and social
protection data, available at
https://blogs.icrc.org/law-and-policy/2021/02/09/mosaic-effect-revelation-risks/ (Visited on January 4, 2023)


limits.4 In exchange for government monitoring and proactive
policing for the sake of national security, the right to privacy is not
unalienable. Many computer security specialists don't think it's
conceivable to kill a lot of people on the Internet. Some people
made the argument that enormous time, money, and professional
investments led to the resistance of computer systems to attacks.
The 22-23 Global Risks Perception Survey chose
“Cyberattacks on Critical Infrastructure” among the top five risks
for 2023 amongst other risks that sound alarming like, energy and
food supply crisis. The widespread shift to remote working during
the pandemic has resulted in the tracking of employees using
cameras, keystroke monitoring, productivity software, and audio
recordings—practices that, while sometimes allowed by data
protection laws, collect deeper and more sensitive information than
earlier systems. Several forms of monitoring have now become
commonplace. AI-based tools such as chatbots are now the talk of
the town, the amount of engaging audience it attracts amounts to the
analysis of hold it establishes over people, and so increased
accessibility. Concepts like the Metaverse which rely on concepts
like brain mapping, vocal inflections, vital signs, etc, only
exacerbate the basic need for regulatory protection for the upcoming
century.
The amount of hostile activity online is increasing, and more
aggressive and sophisticated attacks are exploiting wider exposure.
Concepts like mosaicking explain the potential risks faced by people
all around. Because of the gradual erosion of people's digital
autonomy and the potential evolution of data and cyber insecurity, not
merely privacy, but lives are at risk. In a world where hacking tools
are advancing in power, usefulness, and accessibility, the next wave
of terrorists is already taking shape. Cyberterrorism may also become
more alluring when the real and virtual worlds merge more and more.
A terrorist group may simultaneously launch a cyberattack on the
communications network and explode a bomb at a train station to
amplify the effect of the incident. It could be tomorrow just as easy to

4 U.S. Cybersecurity Mirrors 9/11 Terror Vulnerability, available at
https://about.bgov.com/news/u-s-cybersecurity-mirrors-9-11-terror-vulnerability-panel-told/ (Visited on
February 4, 2023)


physically hurt someone online as it is to break into a website if these
technologies are not thoroughly guarded.5

A GLOBAL THREAT PERCEPTION


One of the biggest risks to humanity over the next ten years,
according to the World Economic Forum's Global Risk Report for
2021, is a failure in cyber security. Attackers "may cause a
breakdown in the institutions that keep societies functioning,"
according to the WEF research. Industries and vital infrastructure
must operate continually. There are worries that nation-state actors
would try to disrupt supply chains during upcoming geopolitical
conflicts by testing the pressure points of important infrastructure
through cyberattacks. Targeting an opponent's food and energy
sources in such circumstances will be a traditional tactic to start with.
Fuel prices on the whole Eastern coast increased as a result of the
Colonial Pipeline attack in May 2021, which affects 45 percent of the
fuel supply in the Eastern US. This hack caused customers to buy
gasoline in a panic. Twenty percent of the beef supply in the United
States and Canada was shut down by a ransomware attack on JBS a
month later, raising fears about the possibility of a jump in meat
prices and highlighting the food supply as a national security danger.
Cipher, one of the top companies for cyber security in the nation
stated “Cyber security is a topic that often fails to get the attention of
the public until a headline hit about a company that has their personal
information becoming the victim of a hack. But over the past year, a
different threat has taken precedence that goes much deeper into the
psyche and impacts the daily lives of ordinary citizens. The criminals
have started to dig deeper into critical national infrastructure and such
attacks demonstrate the reach of these events. Who could imagine
that attacking and shutting down meat plants in Australia would
impact meat prices in North America?”
The frequent use of hard or soft economic, industrial, and
technological power also demonstrates how threats are combined on
all fronts, and this interconnectedness deems appropriate integrated

5 United States Institute of Peace, Special Report,
https://www.usip.org/sites/default/files/sr119.pdf (Visited
on January 2, 2023)


solutions to the common threats faced at the global level. Nearly
every day, new datasets, and techniques for analysing them are
created. The data of humanitarian groups is accessed by 100,000
individuals on average every month and covers every humanitarian
situation in the globe, covering practically everything from
revealing gender pay inequalities to exposing government
wrongdoing. Concerned authorities must remain informed about the
rapidly evolving global datasphere in order to comprehend new and
emerging hazards and continuously modify their own data practices
in line with those concerns.6
Government security experts have long prophesied the
impending "Cyber 9/11",7 an incident that starts as a digital attack
but spreads to other facets of society and harms both the general
populace and the global financial system. Fear is a powerful
motivator. Therefore, it can be extremely difficult to distinguish
between what experts truly worry might occur and hype intended to
sell tickets to a new security conference or draw attention on social
media to cyber-crimes committed by organisations with purported
ties to Russia or China. They can be grouped into three categories:
physical attacks that disrupt or harm a key component of essential
services; financial attacks that spiral out of control and cause bank
runs; and hacker attacks that alter data in ways that undermine
public confidence in the economy and key national institutions. In
the middle of a cold wave, two days before Christmas in 2015, a
cyber-attack caused significant power outages in Ukraine. In the
dead of winter, about a quarter of a million people were left without
electricity. Increased political and political-related violence, hate
crimes, violent protests, and even civil war have all been reported.
The threat is quite serious and has the capacity to undermine faith in
institutional and political systems.
It's significant that these technologies are developing
concurrently because they could have simultaneous and compound
effects on international security. Even if no conventional or nuclear
attacks are launched, the testing and showcasing of upgraded
capabilities might deteriorate global relations and hasten an arms

6 United Nations: Office of Counter-Terrorism, https://www.un.org/counterterrorism/cybersecurity
(Visited on December 4, 2023)
7 Lt Gen Abhay Krishna, "will the next 9/11 be a cyber attack?", The Economic
Times, January 9, 2022.


race. The development and adherence to the norms, standards, and
safety protocols governing the creation and use of these
technologies will also be hampered by this race, leaving important
issues unresolved, like how to advance fields like quantum
computing without also escalating a global arms race and upending
encryption systems around the world. As a result, consumer
campaigns like the "Stop Killer Robots" coalition and private sector
self-regulation against military applications of technology are likely
to grow.
The WEF Global Risks report is a key essential to explaining
the consequences of unstable infrastructure for cyber security
measures. According to the 2023 report, widespread cybercrime and
cyber security have continuously been placed among the top ten
global dangers we face.8 A very real concern for the future and a
very real threat is a global arms race in new technology. According
to the research, "Technology will make inequality worse while
cybersecurity dangers will continue to be a major worry." With AI,
quantum computing, and so much more in the tech sector, which is
the focus of state interference and stricter industrial rules, it is very
evident that we want complete cyber security measures.

THE ERA OF TECH WARS


Data is people. Data is the new oil. The spread of data-
gathering gadgets and AI systems that rely on data may pave the
way for new types of control over personal autonomy. However,
this is not a traditional war; rather, it is a silent conflict in which
covert operations are concealed in plain sight behind numerous
layers of trustworthy groups and people. A hybrid conflict in which
no shots are fired, and social anarchy and economic subversion are
the preferred weapons. Utilising misinformation campaigns and
hacking hardware in nuclear defence systems, cyber and
information warfare will be utilised to target flaws in ever-
improving military equipment. To find innovative materials for use
in stealth technologies, quantum computing may be applied.
Theoretically, improved sensor technologies, especially once
enabled by quantum computing, might be used to target, and destroy
second-strike capabilities (mobile nuclear weapons) in real-time.

8 The Global Risks Report 2023, 18th Edition, World Economic Forum,
https://www3.weforum.org/docs/WEF_Global_Risks_Report_2023.pdf


The idea of lower-yield, more precise nuclear weapons has already
cast question on the reliability of the current threshold of activation
for the American "nuclear umbrella". In order to boost deterrence in
reaction to an escalating arms race, nations may decide to abrogate
the no-first-use principle. Together, these new technologies are
raising discourse and placing more pressure on the governing
systems that are already in place.
Newer types of asymmetric warfare may be made possible by
the proliferation of destructive military technology, allowing lesser
states and people to make a bigger impact on the national and
international levels. Many dual-use technologies have lower
thresholds for money, knowledge, and intelligence. For instance,
biotechnology advancements may make it possible for individuals
or small organisations to create infections. Swarm intelligence-
enabled low-cost drones can be deployed to attack bases and fuel
tanks, among other high-value targets.
Cyberattacks on Ukraine were attempted in a coordinated
manner last year, including against electrical grids, financial
websites, and communication systems. As well as attempting to
block access to services, data theft and deep fake technologies also
targeted refugee flows, medications, food, and aid supplies. These
technologies expose people to domestic threats that are typically
intended to disrupt society functioning, thus obfuscating the line
between civilian and military domains. This encompasses the
physical and virtual disruption of vital local and national
infrastructure, financial institutions, public security, transportation,
and energy systems, as well as domestic, space-based, and undersea
communication networks.
Despite wider consequences for the ongoing security of the
data of civilians, there exists growing political and legislative force
to undermine the encryption techniques used by commercial firms,
particularly as it relates to terrorism investigations.9 The expansive
and innovative applications require enhanced cross-industry and
public-private data aggregation which lends a competitive
advantage to economies such as advancements in biotechnology,
which simultaneously increase the struggle to balance the potential
privacy loss against the rapid technological developments. Research

9 Collins, Barry, “Mission Impossible: 7 Countries Tell Facebook to Break Encryption”,
Forbes,


indicates that highly sensitive databases and technologies, such as
biological data gathering and DNA sequencing, are already
vulnerable to infiltration.10 Sensitive health data is managed
inconsistently due to the less stable geopolitical environment and
the lack of well-developed legislation that now governs
cyberwarfare, and the emergence of vast pools of personal data is
presenting lucrative targets for cybercriminals. Although the
potential effects of widespread biometric or genetic data theft are
not entirely evident, they might pave the way for targeted
bioweaponry.11
Transparency must undoubtedly be achieved by the
development of agreements and standards on arms control,
disarmament, and non-proliferation that apply to both older and
more modern types of military technology. This can also reduce the
chance of inadvertent escalation, for example by preventing disputes
from moving into other areas, as might happen if a cyberattack on a
crucial piece of infrastructure turned into a targeted exchange of
damaging fire with lethal autonomous weapons. Norms must be
developed to guarantee that the right balance is struck and that
technological innovation may continue to be leveraged to improve
human socioeconomic results.

THE ROLE OF NATION STATES


Even under democratic and heavily regulated regimes, bigger
data sets and more complex analysis increase the potential of
misusing personal information through legal means, diminishing the
right to privacy. Considerations related to public safety, crime
prevention and response, economic development, and improved
health outcomes can all serve as justifications for legal invasions of
privacy. National security worries, which combine the need to
protect communities and nations with a competitive technological
and economic advantage, are putting more and more pressure on the

10 Robbins, Sam and Chia-Shuo Tang, “How Asia’s Digital Governance Beacon
Balances Data Privacy and the ‘Public Good’”, The Diplomat, 20 October 2022.
11 Fayans, Iliya, et al., “Cyber security threats in the microbial genomics era:
implications for public health”, Eurosurveillance, vol. 25, no. 6, 2020; Vinatzer, Boris
A., et al., “Cyberbiosecurity Challenges of Pathogen Genome Databases”, Frontiers in
Bioengineering and Biotechnology, vol. 7, 15 May 2019; Arshad, S., et al., “Analysis
of security and privacy challenges for DNA-genomics applications and databases”,
Journal of Biomedical Informatics, July 2021.


privacy of personal and sensitive data. Authorities who are in charge
of the situation where people are likely to be targeted and watched
by the public and commercial sector to an unprecedented degree,
frequently without enough anonymity or permission, have the
authority to limit the flow of information. With a 415 crores
investment, the Indian Government launched the I4C scheme,12
which involves training programmes, research and
innovation, threat analysis, cybercrime reporting and forensic
investigative units, and is to act as an axial program with several
components working towards fighting several issues relating to the
broader notion of cybercrime. Although an effectively functioning
cyber security agency is yet to be a pivotal positive aspect for India.
Governments are aware of the security risks posed by
sensitive data and the potential for misuse. Countries have increased
data localization policies, tightened restrictions on research
collaborations, and prohibited some foreign-owned companies from
operating in certain markets, including telecommunications,
surveillance technology, and mobile applications, to prevent non-
allied states from gathering and possessing sensitive data. Users
who reside in countries with limited regulatory protections for
digital rights, authoritarian inclinations, or weak digital rights
records suffer with the possibility of information misuse in
particular. As more emerging economies implement their smart city
plans, inadequate governance and security of the gathering of
sensitive citizen data might endanger society even more. But there is
less focus on the potential for misuse and overuse of this data in the
name of national security.13 The gradual loss of a person's digital
sovereignty due to legislative restrictions can have profound,
unintended implications on social control and the downfall of
democracies, for example through restricting press freedom.
Reducing the chance of inadvertent escalation, for example, by
preventing disputes from escalating into other domains, as might
happen if a cyberattack on crucial infrastructure turned into a

12 Details about Indian cybercrime coordination centre (i4c) scheme, The Ministry of
Home Affairs, https://shorturl.at/jmBH2 (Visited on March 10, 2023)
13 Hoster, Ben, Swati Khurana and Rachel Juay, “Still Buffering: Time for a Smart City
Reboot”, Marsh McLennan, October 2022.


targeted exchange of destructive fire with lethal autonomous
weapons.14
To ensure the proper balance is struck and technology
innovation may be used to continue improving human
socioeconomic outcomes, norms must be established. Nonpartisan
institutions also play a major role in establishing the guidelines and
prospectus for a better policy approach by the government. A
quickly changing data landscape requires efficient policy makers
who take into consideration every aspect of this budding tech
century. Collaboration will be further hampered by an intensifying
arms race, but only international cooperation will allow for the
regulation of emerging weapon technology to limit their use and
proliferation. Increased global power acknowledgment of the
agreements on crucial weapons control issues' strategic relevance
should be the first step. Longer term, it is necessary to investigate
new global governance techniques that can adjust to this new
security setting to allay national fears and prevent a spiral of
instability and unintentional or purposeful damage. These benefits
diffused innovation but also expands privacy breaches on a larger
scale. The attempt to integrate safety precautions with current
advancements in privacy-enhancing technologies like synthetic data,
federated learning, and differential privacy has become necessary.

CONCLUSION
The looming risk of a polycrisis due to the entrenched nature
of technology in almost every aspect of work poses an imminent
threat that may cause unimaginable destruction to the public
ventures which lead to disruption in a democracy, in turn making it
even more necessary for the government to initiate cyber security
measures. The interconnection between the adverse outcome of
frontier technologies and the digital power concentration fuels
widespread cybercrime and cyber insecurity pinned in the loops of
misinformation and disinformation, advance the role of technology
as a weapon of mass destruction, triggering massive notions such as
state conflicts and erosion of social cohesion. This also highlights
that not only governments but multilateral institutions hold the

14 Statistic of the week: Just 26% of non-partisan respondents in India trust news,
Reuters Institute, University of Oxford, https://shorturl.at/erBEU (Visited on March 5,
2023)


responsibility of working together in dealing with the risk of cyber
terrorism.
One should not collect or share more than the required data,
especially not with risky parties and not to store data for longer than
necessary. Supportive tools to manage and understand the collective
data ecosystem at the disposal of governments are a key to
establishing safer and manageable datasets. The involved
stakeholders and the types of information being shared are essential
elements of a cohesive data management strategy, and policies of
the government as well. Organisations can select how to build
programmes based on this landscape analysis, deciding the amount
to which they must restrict data collection or lessen their reliance on
third-party processors.
Setting up specific objectives, rules, and restrictions on the
data they will gather, as well as how the data will be used, shared,
and preserved. This directs how governments respond to their own
operations in order to safeguard people and programmes from
potentially harmful risks. The state should necessarily incorporate
measures to establish a stronghold for safeguarding the state’s
resources in terms of accessibility of technology and prevent the
disruption of public services. Given the multiple uses of many of
these technologies, involvement with a wider variety of players,
such as academic researchers and the corporate sector, will be
necessary. Global governance mechanisms are being fast overtaken
by developments. Collaboration will be further hampered by an
intensifying arms race, but only international cooperation will allow
for the regulation of emerging weapon technology to limit their use
and proliferation. Harmonisation of national policies would enable
less complicated and more effective cross-border data-sharing
platforms to foster innovation while yet ensuring the protection of
individuals that is required. The development of a more broadly
applicable taxonomy, data standards, and legal definition of
personal and sensitive information is a critical enabler. These
frameworks ought to take into account the potential for sensitivity
resulting from data-driven conclusions that are made feasible by
massive data sets, the expansion of online social networks, and the
merging of personal and business data in the rollout of "smarter"
cities and the IOT. Thus, stepping up efforts to build resilience in
critical areas pays off in every situation and improves preparedness


for a range of risks, both known and unknown, short-term and long-
term.
The historically harsh penalties for data loss are also
influencing how the cost-benefit analysis of investing in cybersecurity
measures is done. Organizations will need to take data usage and
collecting ethics into account to reduce reputational risks beyond
regulatory compliance. The voluntary destruction of personal data
may also become more important because of greater cyberattacks and
stricter data rules, with possible environmental benefits from reducing
the need for data storage. To avoid further consequences,
governments will also need to build emergency response skills to
address data breaches and privacy violations. We need an optimistic
outlook but also fortify our digital landscape for the upcoming
possibilities which are dangerous to supply chains, we need policies
but essentially programs promoting safe use of digital mediums.
The future battlefields will be beyond our understanding if we
don’t act now. The least we can do is to be prepared for the shocks
of tomorrow.


CHAPTER 6

CYBERSPACE AND TERRORISM: A STUDY OF
LEGAL FRAMEWORK TO TACKLE CYBER
TERRORISM WITH SPECIAL REFERENCE TO
ONLINE RADICALIZATION
Adv. S. Rajeshwar Rao 1, Aayushi Singh 2

“The potential threat presented by cyberterrorism has sparked
widespread concern. Numerous security professionals, lawmakers,
and others have warned of the dangers of cyber terrorists breaking
into government and non-governmental organisations' networks and
harming modern countries' military, financial, and service sectors.
Cyberterrorism is an enticing alternative for modern-day terrorists
who value its anonymous character, potential for vast-scale
devastation, psychological impact, and media coverage. Fear of
cyber terrorism has been fuelled by psychological, political, and
economic considerations. These activities are a recent
phenomenon, known as incitement to radicalisation
towards violent extremism or violent radicalization. This is mostly
about the Internet at large and social media in particular.
Extremists of all types may now communicate and promote their
beliefs to a far bigger audience thanks to the internet's and social
media's rapid development. As a result, the role of the internet in
encouraging online radicalization has become a prominent topic in
debates about violent extremism among academicians and
governments. Further, narrowing the scope of cyber terrorism to
online radicalization, the research focuses on defining online
radicalization and the legal framework employed to tackle
radicalization through the internet.”

1 Senior Counsel, High Court, Chhattisgarh, (India)
2 B.A. LL.B (H), 4th Year, Amity Law School, Amity University, Noida, (India)


INTRODUCTION

Cyberterrorism is an elusive concept. Its definitions cover all
the activities conducted on or through the internet that are
preparatory to or supportive of terrorism, such as
recruitment, communication, and finance. The threat of a violent
terrorist attack is what governments are most concerned about, but
as "pure" cyber terrorism is not yet defined, governments have
mostly focused on blocking the planning of terrorists and radicalised
individuals online. In counterterrorism efforts, there is a lot of
political and legal exceptionalism due to the "low probability, high
impact" character of terrorism, especially after the 9/11 attacks and
the ensuing "war on terror."
Cybersecurity issues have become more prominent in the
current day as the internet and networking gadgets are used more
frequently. It is, therefore, necessary that countries create a
legislative framework to prevent such activities. Coercive,
normative, and mimetic factors of institutional theory offer a
suitable basis for creating such cyber-security legislation.
Although countries have formulated the necessary laws, they
nevertheless need to make sure that corporations are adhering to
these legal instruments.
This chapter looks into the interactions between the development
of domestic counter-cyber terrorism legislation and policy
developments, while emphasising international talks on cyber terrorism.
The debate over "cyber security" vs "information security" and the
associated issue of information operations and disinformation are of
particular note in this. The research focuses on finding legal
solutions to the menace of cyber terrorism.

INTERNET AND TERRORIST ACTIVITIES


The Internet today is a dynamic means of communication and
is easily accessible to a global audience. A global network with
minimum restriction on access has been made possible by the
evolution of complex technology. With the use of internet
technology, it is easy for a person to communicate effectively and
convey his message across borders to a huge audience. The role of the
Internet was to spread information and exchange ideas, which has
been acknowledged as a basic human right.3 However, it is to be
understood that this new age technology that makes such
communications possible can similarly be used to carry out terrorist
attacks. In the fight against terrorism, the deployment of the Internet
for terrorist activities poses major obstacles which need to be
addressed at the earliest.
A functional approach has been used in the chapter in classifying
how the Internet is exploited to support and encourage acts of
terrorism. This approach has led to the identification of six
categories, which are: propaganda (including recruiting,
radicalization, and instigation of terrorism), fundraising, training,
planning (including through secret communication and open-source
material), execution, and cyber attacks. Each of these categories
is discussed in more depth in the chapter.

Propaganda
Terrorists propagate their ideas through the internet, among
other things. Propaganda frequently appears in multimedia
communications that provide theoretical and practical direction, and
support for terrorist activities. These include virtual communications,
publications, presentations, audio and video content, and video games
created by terrorist groups or their sympathisers. However, it's
frequently a matter of opinion as to what qualifies as terrorist
propaganda as opposed to genuine support of a position. One
recurring topic in propaganda connected to terrorism is the
encouragement of violence.4 The targeted audience who consume
these materials is highly impacted. Additionally, the ability to
distribute content directly over the Internet provides an alternative to
conventional modes of communication, like news outlets, which have
their set methods of independently evaluating the veracity of the
information provided and would surely delete overly provocative
content. The online propaganda also includes materials like video
clippings of the attacks or online games created by terrorist groups
that depict real life attacks on screen and ask the players to take the
lead as virtual terrorists. The fundamental threat presented by their
propaganda encompasses the motives behind its dissemination, which
are diverse in their very nature and cater to a wider audience globally.
Other goals of terrorist propaganda could be to spread heightened
worry, dread, or panic throughout a community or a specific group
within a population or to undermine an individual's belief in standards
set by the society. This might be achieved by circulating
misinformation, rumours, violent threats, or sharing images of such
acts. The targeted audience includes both those who consume it
directly and also people who may be affected by it in an indirect way.
The objective is to show willingness towards realising political goals.5

3 International Covenant on Civil and Political Rights (General Assembly resolution
2200 A (XXI), annex), Art. 19, para. 2.
4 Ibid.

(a) Recruitment
In addition to publishing extreme writing and videos, the
Internet is imperative in building connections with, and gaining the
backing of, people who swiftly fall prey to propaganda which is
specifically targeted towards them. Terrorist organisations
disseminate propaganda through password-protected channels and
restricted online chat rooms as a covert recruitment strategy.6 The
Internet's worldwide reach exposes terrorist groups to a large pool of
potential members. Cyber forums with restricted access give recruits a
platform to get introduced to terrorist groups, support them, and
participate in direct acts to achieve their terrorist goals.7 Terrorists
target society's most vulnerable and disenfranchised populations
through their propaganda as they are more likely to fall prey to their
nefarious ideology. The recruiting methods target an individual’s
sense of being discriminated against or shamed.8 Propaganda may be
altered according to demographic factors like age or gender
as well as social or economic status.
The online space is an effective means to recruit minors as
children are one of the largest groups who spend ample time
browsing the net. Cartoons, video games and more such content are
all effectively deployed and transmitted online to attract kids. These
video games may encourage the use of violence against a State or a
famous personality, while rewarding their achievements. The
content is made available in diverse languages to appeal to a larger
audience.9

5 Weimann Gabriel, Terror on the Internet: The New Arena, the New Challenges,
United States Institute of Peace Press, Washington, D.C; pp. 37-38, (2006)
6 Gerwehr Scott and Daly Sarah, “Al-Qaida: terrorist selection and recruitment”, in
David Kamie, The McGraw-Hill Homeland Security Handbook 83 (2006).
7 Denning Dorothy E, “Terror’s web: how the Internet is transforming terrorism”, in
Jewkes Yvonne and Yar Majid et.al.(eds.), Handbook of Internet Crime 194-213
(2010)
8 European Commission, Expert Group on Violent Radicalisation, “Radicalisation
processes leading to acts of terrorism” (2008), available at:
www.clingendael.nl/publications/2008/20080500_cscp_report_vries.pdf (Visited on Feb 6, 2023).

(b) Incitement
While the use of propaganda is not banned, many Member
States consider it a violation of the law when terrorists inspire
acts of terrorism through such content. The internet offers an
abundance of options for downloading, editing, and
advertising anything that might be seen as illegal and as spreading
terrorism. It is to be noted that some non-governmental and human
rights organisations have expressed cynicism regarding the idea of
"glorification" of terrorists' activities on the internet. The
restriction of such content is possible due to the exception defined
against the right to free expression, as outlined in articles 15 and 19 of
the International Covenant on Civil and Political Rights.10
According to article 19, paragraph 3 of the International
Covenant on Civil and Political Rights,11 there are legal
justifications for restricting the right to free expression, including
preventing and discouraging instigation to commit terrorist acts for
preserving law and order and national security. However, any
provision negating this right must be both important and appropriate in
light of the danger that exists and given the fundamental nature of
the right to free speech. Other essential rights related to freedom of
expression include freedom of thought, conscience, religion, belief,
and opinion.12

9 Weimann Gabriel; 5 March 2008 Yale Global Online; “Online terrorists prey on the
vulnerable”, available at: http://yaleglobal.yale.edu/content/online-terrorists-prey-vulnerable
(Visited on Feb 6, 2023).
10 General Assembly resolution 2200 A (XXI), annex. Also see the following
reports of the Special Rapporteur on the promotion and protection of human rights and
fundamental freedoms while countering terrorism: A/65/258 (para. 46) and A/61/267
(para. 7); see also the report of the Special Rapporteur on the promotion and protection
of the rights to freedom of opinion and expression, addendum on the tenth-anniversary
joint declaration: ten key challenges to freedom of expression in the next decade
(A/HRC/14/23/Add.2).
11 Supra (2), art. 19, para. 3
12 Office of the United Nations High Commissioner for Human Rights, “Human rights,
terrorism and counterterrorism”, Fact Sheet No. 32 Chap. III, sect. H (Geneva, 2008).


(c) Radicalization
The word "radicalization" largely defines the method of
indoctrination that precedes the recruitment stage. Propaganda lays
the foundation of the radicalization process, whether it is
disseminated through offline or online mediums. Depending on
specific circumstances and connections, propaganda and other
persuasive techniques may be used at length with varying degrees
of success.

Financing
The Internet is used by terrorist groups and their sympathisers
to fund their activities. The ways terrorists utilise the Internet to
generate funds and gather resources can be grouped into 4 broad
categories, which are: direct solicitation, e-commerce, UPI systems,
and charity. Direct solicitation is the exercise of asking
supporters to donate using websites, chat rooms, bulk mailings etc.
There are online sites where books and audio and video recordings of
the sympathisers are available. It is quite simple to transfer money
online between parties thanks to e-payment options made available
through various service providers.
Online payment options may also be used to commit financial
frauds like identity theft, credit card theft, wire fraud, stock fraud,
intellectual property crimes, and auction fraud. The case study from
the United Kingdom (The Younis Tsouli Case) represents how
black money is used to fund terrorism. Credit card theft proceeds
were laundered in several ways, including online payment through
e-gold transaction accounts that traversed many nations before
reaching their destination. The laundered money was used by Tsouli to
register 180 websites that uploaded videos of Al-Qaida and was also
used to buy supplies for terrorist acts in several nations. In total
1,400 credit cards were used to get about £1.6 million in illegal cash
to support terrorism.13
Donations to groups that claim to be for charitable purposes
were all bogus transactions. Some terrorist groups have been known
to set up shell companies that seem to be working for charity, but
the money raised was used to fund terrorist activities. While
ostensibly supporting humanitarian causes, some groups utilise
funds to assist terrorism. Terrorists may also be members of charity
organisations, which they use as a front to spread their ideology and
to assist militant groups.14

13 Written submission of an expert from the United Kingdom.

Training
The Internet provides the most feasible training environment
for terrorists, according to terrorist groups. A wide range of media
outlets offer space for the propagation of instructions in the form of
online manuals, audio and video clips, data etc. These online
resources also offer comprehensive instructions on wide-ranging
subjects, like how to join terrorist groups, manufacture explosives,
and use firearms or other weapons or hazardous materials, as well
as the method of planning and carrying out terrorist attacks. These
instructions are available in simple multimedia formats and in
multiple languages. The platforms serve as a digital boot camp. For
instance, Inspire is a website supposedly run by Al-Qaida in the
Arabian Peninsula, with the main aim of making Muslims practice
jihad at home. The autumn 2010 issue detailed hands-on training
materials on how to modify a four-wheeled vehicle to assault
members and how a lone attacker may carry out a strike by firing a
rifle from an elevated position. To improve the possibility of killing
a government official, the newspaper even suggested a specific city
as the target of such an attack.15
Online learning materials teach counterintelligence and
hacking operations as well as ways to improve the security of illegal
online activity and communications by utilising the available
procedures. Internet platforms' interactive features foster a sense of
community among people from various racial and ethnic origins and
promote the development of networks for the sharing of tactical and
educational information.

Planning
Many law enforcement professionals have stated that the
Internet played a crucial role in practically every terrorist act that
was prosecuted. At times, to maintain coordination in a terrorist
operation, distance communication between several people is
crucial. Public Prosecutor v. Hicheur,16 a recent French case,
displays how the Internet can be deployed to facilitate the planning of
terrorist acts, including through extensive communication both within
and between groups that support violent extremism across international
boundaries.

14 Conway Maura, “Terrorist ‘use’ of the Internet and fighting back”, Information &
Security, vol. 19, 12-14 (2006)
15 Written submission of an expert from the United Kingdom.

Execution
While deploying the Internet to terrorize the general population,
components from the categories mentioned above may be used. To
cause worry, dread, or terror in a community, for instance, explicit
threats of violence, especially those involving the use of firearms,
may be spread online. Even if the threats are not carried out, it may
be illegal to make them in several of the member states.
For instance, the coordination of those involved in the attacks
on September 11, 2001 in the United States made great use of the
Internet.17

Online/Cyber Attacks
The malicious use of cyberspace to carry out an assault is
known as a "cyber attack." These assaults can range from acts like
hacking, advanced persistent threat techniques, computer
viruses, malware, or other unauthorised or malicious methods to
interfere with the normal working of target systems, such as servers
or computer systems. In Israel in January 2012, many major
websites, including those of the Stock Exchange of Tel Aviv and the
national airline, were targeted in a cyber attack that resulted in the
unlawful publication of thousands of Israeli citizens' credit card and
bank account information.18 Although the issue of online terror
attacks has received a lot of attention, the subject is outside the
purview of the current publication and will not be the subject of
investigation.

16 Judgement of 4 May 2012, Case No. 0926639036 of the Tribunal de Grande Instance
de Paris (14th Chamber/2), Paris available at: https://dras.in/use-of-the-internet-by-isis/
(Visited on Feb 4, 2023).
17 The use of the Internet for terrorist purposes; UNODC, (2012), available at:
https://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf
(Visited on Jan 20, 2023).
18 Kershner Isabel, New York Times; “Cyberattack exposes 20,000 Israeli credit card
numbers and details about users”, “2 Israeli web sites crippled as cyberwar escalates”,
(January 2012)
available at: https://www.nytimes.com/2012/01/07/world/middleeast/cyberattack-exposes-20000-israeli-credit-card-numbers.html
https://www.nytimes.com/2012/01/17/world/middleeast/cyber-attacks-temporarily-cripple-2-israeli-web-sites.html
(Visited on Jan 28, 2023)

INTERNET AND COUNTER-TERROR MEASURES


While there is a plethora of methods by which terrorists
utilise the Internet to further their criminal ends, the
Internet also provides opportunities to gather information that can
then be used to prevent terrorist attacks, and it also helps gather
evidence which can help prosecute such crimes. The Internet
provides significant insights into the operations and targets of
terrorist organisations. These activities also increase the data that is
to be collected and analysed for counterterrorism purposes.
To prevent, identify, and discourage terrorist behaviour which
uses the Internet, law enforcement agencies are using more
sophisticated technologies. To identify threats, more traditional
investigative tools, such as translation tools, are being used. Online
discussions give people the chance to voice diverse viewpoints or
engage in constructive arguments, which could discourage potential
support. Counter-narratives with strong evidentiary value can be
disseminated using online platforms, images, and videos.
Additionally, effective messages may present a solution
for underlying issues like radicalization and focus on less violent
means of achieving their objectives.19
For instance, in May 2012, the centre was found to have
reacted, within hours, to advertisements endorsing violent acts that
were posted on websites operated by Al-Qaida, with the same
advertisements giving out a contrasting message on the same
websites, intended to convey that the targets of the terrorists were
Yemeni nationals. The US Department of State worked along with
the armed forces, intelligence community, and government on the
counter-narrative effort. For counter-narrative dissemination, the
centre also makes use of media outlets like Facebook and
YouTube.20

19 Counter-Terrorism Implementation Task Force Working Group on Use of the Internet
for Terrorist Purposes; January 2011; “Conference summary and follow-
up/recommendations”; of the Conference on the Use of the Internet to Counter the
Appeal of Extremist Violence, held in Riyadh from. available at:
https://www.un.org/en/terrorism/%20ctitf/pdfs/ctitf_riyadh_conference_summary_recommendations.pdf
(Visited on Feb 6, 2023)
Monitoring suspects and gathering their personal information
may be imperative to prevent terrorists from using the Internet. A
person's right to privacy, which includes the right to keep his or her
identity and private life confidential, should be protected against
arbitrary interference.21 Domestic legislation must be specific about
the particular situations in which such interference can be allowed.
Additionally, measures must be put in place to prevent the misuse of
surveillance systems. Any personal information gathered also
needs to be securely safeguarded to prevent unauthorised or
capricious access, disclosure, or use.22

POLICY AND LEGISLATIVE FRAMEWORKS


Terrorists use the Internet in planning and financing their
attacks, as well as in finding and training new recruits, for
intra-communications, looking up or discovering potential targets,
disseminating propaganda, and inciting others to carry out
large-scale attacks. By referring to past experiences of some States,
this section aims to identify common issues and strategies that either
weaken or strengthen investigation and simultaneous prosecution of
violent acts involving some aspect of Internet use. These concerns
make imperative the creation of criminal justice laws and
policies meant to mitigate these dangers.

Policy
States need domestic policies and legislations to respond
effectively, through criminal justice, to threats posed by terrorists
acting online. Such laws and regulations will generally concentrate on:
(a) Criminalizing terrorists' use of the Internet or related services
to commit crimes;
(b) Giving law enforcement agencies the ability to conduct
investigations into terrorist activity;
(c) Regulating online services, such as ISPs, and exercising
restrictions on content being shared;
(d) Promoting cooperation at the international stage;
(e) Creating specialised legal or evidential processes; and
(f) Upholding international human rights standards.23

20 “United States State Department fights al-Qaeda in cyberspace”, Al Jazeera; (25 May
2012) available at: http://blogs.aljazeera.com/americas;us-state-department-fights-al-qaeda-cyberspace
(Visited on Feb 4th, 2023)
"The U.S. uses Yemeni websites to counter al-Qaeda propaganda"; The Washington
Post, May 2012, available at: www.washingtonpost.com/world/national-security/us-hacks-web-sites-of-al-qaeda-affiliate-in-yemen/2012/05/23/gJQAGnOxlU_story.html
(Visited on Feb 4, 2023)
21 See International Covenant on Civil and Political Rights, art. 17. available
at: https://www.ohchr.org/sites/default/files/Documents/ProfessionalInterest/ccpr.pdf
(Visited on Feb 8, 2023)
22 “Human rights, terrorism and counter-terrorism”, chap. III, sect. J.
When assessing relevant policy and legislative options for
their specific States, the Working Group's broad classification
system provides policymakers and legislators with a helpful
conceptual framework to help them in their work.
Another useful tool deployed in preventing terrorist activities
being perpetrated through the internet is the Toolkit for Cybercrime
Legislation, produced under the auspices of the ITU. In addition to
other standard criminal provisions, the Toolkit also lists offences
related to terrorism, such as section 3(f), which defines unlawful
acquisition of computer programmes used in the development,
formulation, planning, facilitation, or commission of, or in the
conspiracy to commit, acts of terrorism.
Owning a website that promotes or supports terrorism is now
considered a criminal offence in Saudi Arabia, subject to fines and
up to 10 years in jail, according to new technology-related
legislation that was put into effect in 2008.24
However, globally, with a few notable exceptions, the majority of
Governments have opted to deal with such dangers by using a
hybrid strategy, utilising a mix of domestic criminal laws as well
as formulating specific legislations covering cybercrime and
counter-terrorism. This is because there is no common law that
defines an obligation to enact legislation aimed at terrorist
activities online. For instance, criminal laws in certain States don't
distinguish between the many ways that crimes are committed;
instead, they concentrate on the actual crimes themselves. This
method views the Internet as just a tool used by terrorists to carry
out a real crime that is frequently covered under the national penal
law.

23 Supra (16)
24 David Westley, “Saudi tightens grip on Internet use”, Arabian Business, January
(2008)

Legislation
As was previously stated, States aren't obligated by any
international accords against terrorism to enact laws that specifically
forbid terrorists from using the Internet. As a result, even though it
is highly likely that the majority of cases of terrorism will involve
some type of Internet use on the part of the perpetrators, many States
will likely rely on other provisions under their own legislation,
including inchoate offences like conspiracy, solicitation, and criminal
association, in addition to provisions covering unlawful
activities outlined in international agreements.

(a) Online Acts or Statements Supporting Terrorism


There is strong evidence that terrorists are increasingly using
the Internet for support activities like recruiting, sharing information,
spreading propaganda, and inciting terrorist acts, in addition to
acts related to the commission of violent acts. It is highly possible
that different players will be physically present in various legal
jurisdictions for these sorts of operations due to the design and
worldwide reach of the Internet.
Part VI of the Terrorism Act 2000 in the United Kingdom
provides several offences that can serve as the foundation for
bringing charges against those who use the Internet to promote
terrorism.25
According to Section 54 of the Act, it is unlawful to provide,
accept, or request instruction or training in the production or use of
guns, radioactive material or associated weapons, explosives, or
weapons (chemical, biological or nuclear).26
Possession of certain objects is illegal under Section 57 if
there is reasonable cause to believe that the owner is involved in the
preparation, instigation, or conduct of a terrorist attack. In recent
years, this charge has resulted in the successful prosecution of a
number of people who possessed items like hard drives, DVDs, and
instructions on how to assemble or use arsenal like mortars, suicide
vests, and napalm.

25 Part VI of the Terrorism Act 2000
26 Section 54 of the Terrorism Act 2000

(b) Incitement
The crime of supporting terrorism is addressed in Security
Council resolution 1624 from 2005. The Council urged all
member States to adopt that resolution, among other things, in order
to meet their legal obligations under international law to
forbid and stop the encouragement of terrorist actions.
Younes Tsouli, Waseem Mughal, and Tariq al-Daour pleaded
guilty to charges under the Terrorism Act 2000 of inciting the killing
of innocents to further their terrorist agendas, by creating and
maintaining numerous websites and chat rooms that published
materials and encouraged acts of mass murder, the majority of which
were in Iraq. This case is known as R v. Tsouli and others.27

(c) A Review of the Legal Solutions to Incitement


Both Article 3 of the Council of Europe Convention on the
Prevention of Terrorism and Article 5 of the Framework Decision
2008/919/JHA of the Council of the European Union of November
28, 2008 amending Framework Decision 2002/475/JHA on
combating terrorism require the member states of each instrument to
criminalise acts or statements that lead to an incitement to terrorize
people. Making "public incitement for committing a terrorist
offence", as well as terrorist recruiting and training, an offence is a
requirement of the Council of Europe Convention on the Prevention
of Terrorism.
The UNODC Digest of Terrorist Cases provides a helpful
overview of the methods used to make acts of encouragement illegal
in Algeria, Egypt, Japan, and Spain. Violent terrorist crimes are
punishable in Algeria by the death penalty, life in prison, or other
harsh penalties, according to Article 87 bis 1 of the Penal Code.
According to Article 87 bis 4, anybody who supports, encourages, or
finances any of the above terrorist activities faces imprisonment for
a period of five to ten years as well as a penalty.28

27 R v. Tsouli [2007] EWCA (Crim) 3300.
28 United Nations Office on Drugs and Crime, Digest of Terrorist Cases (2010) para
100.


Article 86 bis of the Penal Code in Egypt defines as crimes
actions amounting to executing, planning and preparing to commit
acts of terror, being a member of an illegal business, and providing
financial and material support to terrorists. The article also
establishes harsher fines for, among other things, procuring or
producing any articles or recordings of any kind that are intended to
support the objectives of terrorist groups.29

ONLINE RADICALISATION
The 2030 Sustainable Development Agenda may be supported
and all human rights, including access to information, right to free
speech, and privacy, can be advanced thanks to the Internet. These
rights may also be violated as a result of some Internet usage
patterns and their implications. Therefore, UNESCO works to raise
awareness among all parties involved, to encourage discussion and
identify solutions to limit negative effects, and to increase the
widest possible diffusion of advantages and possibilities. To offer a
worldwide mapping of studies on the supposed roles played by
social media in radicalization processes throughout all parts of the
world, the study Youth and Violent Extremism on Social Media was
commissioned as part of this endeavour.
Our ability to understand the phenomenon of radicalization
and, more importantly, to give the information required to explain
such activities and prevent them has been hampered by international
acts of terrorism. In order to facilitate the flow of knowledge on this
topic, research has developed into a useful tool for understanding
radicalization, sharing intelligence, and taking practical actions. One
such area of knowledge creation is looking into how the Internet,
and social media in particular, contribute to violent radicalization
processes and terrorism.
Terrorist organisations are now widely dispersed online and
make use of cyberspace for a variety of purposes, including
recruiting members online and disseminating deadly material. In
this study, studies on the processes of digital radicalization, the
possible impact of social media on the radicalization of youth and
the emergence of violent extremism, and the function of
countervailing narratives are reviewed.

29 Ibid., para. 111.


Prevention of Online Radicalisation


Given the increase in internet radicalization incidents, the
problem must be met with a consistent, organised, and creative
strategy. To address the nature of international issues, a more
effective legal framework and better worldwide information
exchange are required. Instead of relying on mass surveillance
methods, detention, or the banning of internet information, there is a
need for better interagency collaboration and a tailored approach to
intelligence collection on a national scale.30 Setting up groups that
routinely monitor internet information, especially social media, is
necessary to track the online footprint of jihadis and penetrate their
intricate networks. Websites, blogs, chat rooms, and online forums
must be created to provide reliable counter stories and alternate
debate platforms. In this approach, the government must seek
outside its own established spheres of expertise and engage
specialists from non-governmental fields.31
The government's programmes must include psychologists,
religious and community leaders, civil society organisations, and
development planners in the formulation of cooperative and
preventative measures on a regional and global level. Reforms in the
legal system are urgently needed to expedite outstanding terror
cases and free suspects who have been held without charges for
years. To avoid alienation and marginalisation, which would
otherwise support the extremist narrative and widen the web of
recruitment, a comprehensive effort of this sort in a country like
India must take into account the pluralistic and democratic spirit.

CONCLUSION
While policymakers and media have taken a much broader
view of the issue than academics, they have expressed concern that
the term "cyber terrorism" may draw attention away from other
ways that terrorists use the internet. The emphasis on "pure"
cyberterrorism as well as terrorists' access to the internet is
frequently underlined in the new regulations and legislation in
general. Preemption in counter-cyber terrorism policy is driven by
the connection between counterterrorism and surveillance
technology used by law enforcement agencies world over. As a
result, online behaviour linked to encouraging and preparing for
cyberterrorism is given a lot of attention in the development of anti-
cyberterrorism. Fundamental liberties like the right to free
expression will inevitably be impacted by the deployment of
surveillance systems and rules built on a thorough understanding of
cyberterrorism.

30 “Surveillance and interception of communications”, available at:
https://www.unodc.org/e4j/zh/terrorism/module-12/key-issues/surveillance-and-interception.html
(Visited on Feb 6, 2023)
31 Ibid.

States have started to handle terrorism at the domestic and
global levels, if not always overtly by that name, given the potential
of cyber terrorism and the reality of terrorism. The connection
between both domestic and international policymaking puts
fundamental rights, such as the right to free speech and association,
at risk because liberal democratic states enact laws that go against
the basic rights, while authoritarian governments actively work to
go beyond them.
Police and security personnel have inadequate resources.
Therefore, among the most practical countermeasures to cyber
terrorism are broad preventative and response tactics. This is
especially true if these forces are able to quickly adjust to the
particular situation that arises. It will be crucial to maintain
investments in global collaboration, industry-government-
community collaborations for crime prevention, specialised
Computer Emergency Response Teams, and competence in
terrorism and cyber attack response. Raising the risks for cyber
terrorists and other criminal actors can also be achieved by taking
steps that can increase the likelihood of an arrest or the disruption of
criminal activity, as well as other efficient countermeasures like
hardening appealing but vulnerable targets and enhancing the cyber
capabilities of information security personnel.
Online terror activities are unlikely to disappear from the
global security debate and are likely to become more entangled with
the conversation around online radicalisation and cyberterrorism, so
policymakers and academics will need to give the topic more
consideration to integrate it into democratic principles.


CHAPTER 7

THE CONVERGENCE OF CYBERSPACE AND TERRORISM
Dr. Tarun Pratap Yadav 1, Anushka Bhaskar 2

“Cyber-terrorism is compared with conventional or established
terrorism, but this incorporates only those attacks which debilitate
assets (property) or life and are characterized particularly as the
utilisation of CPUs and data or other sources of information. It may
cause genuine physical harm or severe framework disruption.
However, modern extremism and political brutality aren’t easy to
define, and some prominent scholars claim that they're now
"endless" and cause more than physical harm. There’s an adage
which says that death and property loss are by-products of
terrorism. If it can cause terrorism, it can be called cyber-terrorism.
Varying on the circumstances, cyber-terrorism 3 can correspond
significantly with cyber-crimes, cyber-warfare, or mainstream
terrorism. Sir Eugene Kaspersky, the creator of Kaspersky Lab, also
believes that "cyber terrorism" is a more precise term than "cyber
warfare." He said: ‘With today's attack, we don't know who did it or
when it will strike again. This is not cyber warfare. This is cyber
terrorism.’ He equated large-scale cyber-weapons such as the
Flame virus and the Net-Traveller virus with bio-weapons, claiming
that they were equally destructive in the connected world.”

INTRODUCTION

We are going through a grim time, especially due to cyber
terrorism. The term "cyber terrorism" is widely used to
describe various malicious activities that use computer
technology to interfere, destroy, or gain unauthorized access to
sensitive information. This chapter examines the reality of cyber-
terrorism and shows how cyberspace and terrorism are merging to
create dangerous new forms of warfare. There is some debate about
the basic definition and the increasing scope of cyber terrorism.
Definitions can be narrow, such as the use of the Internet to attack
other systems on the Web and commit violence against people or
property. They can also be broad, ranging from all forms of
terrorism over the Internet to conventional attacks on information
technology infrastructure. Definitions differ based on motives,
goals, methods, and the centrality of computer use. US government
agencies also use different definitions, and no agency seeks to set
mandatory standards outside its sphere of influence.

1 Assistant Professor, Institute of Legal Studies & Research, GLA University, Mathura,
(India)
2 B.A. LL.B (H), 4th Year, Amity Law School, Amity University, Noida, (India)
3 CRS Report for Congress, “Computer Attack and Cyber Terrorism”, October 7, 2003.

Numerous scholars and analysts who specialize in terrorism
studies hold that cyber-terrorism does not actually exist and that
it is really a matter of cyber-attack or information warfare. They
do not agree with the label of terrorism because, with current
offensive and defensive technology, electronic means cannot induce
terror, serious physical harm, or death in people.
If death or physical harm to an individual is taken to be an
essential element of the definition of cyber-terrorism, then
identifiable cyber-terrorist incidents are rare, despite much
political research and public concern. The fear of cyber-terrorism
is very real for those affected by such actions. In general,
cybercriminals 4 are lowering the threshold of knowledge and
skills required to carry out cyber-terrorism, thanks to hacking
kits and free online courses. The real and virtual worlds are
merging at breakneck speed, as evidenced by notable cyber attacks
such as Stuxnet, the 2018 petrochemical sabotage attempt in Saudi
Arabia, and others. This merging is getting faster and offers more
targeting options.

SO, WHAT IS CYBERSPACE ACTUALLY ALL ABOUT?

Having discussed the various ranges of cyber-terrorism, it is
necessary to understand the idea of cyberspace. Cyberspace is a
concept that represents an expansive range of networked
E-technologies.

4 Blue, John (November 2004). "Battle Against Cyber Terrorism". Network World.
Retrieved March 20, 2005.

Although the term entered popular culture through science
fiction and the arts, it is now used by technology strategists,
security experts, governments, the military, industry leaders and
businesspersons to describe a domain of the worldwide technology
environment, broadly identified as a global system of
interdependent information technology infrastructures,
communications networks, and computer processing systems. Others
see cyberspace 5 as merely a fictional environment in which
communications take place over computer-based networks.
The world became familiar with the Internet in the 1990s, while
the use of the Web, networking, and digital communications were all
expanding noticeably; the term cyberspace came to stand for the
numerous innovative ideas and events that were emerging. As a
social experience, people can connect, trade thoughts, share data,
give social support, run businesses, play games, engage in political
discussion, and so on, by using this worldwide network. Among
individuals in cyberspace6, it is believed that there is a general
code of rules and principles, mutually beneficial for everyone to
obey, known as cyber ethics. Many consider "the right to privacy" to
be paramount to the practical norms of cyber ethics. Such ethical
duties go hand in hand with operating online in a worldwide
network, particularly where opinions are involved in online social
encounters. According to Chip Morningstar and F. Randall Farmer, the
Internet is defined more by the social interactions involved than by
its technical implementation. From their point of view, computer
media in cyberspace7 are extensions of the communication channels
between real individuals. A fundamental feature of cyberspace is
that it provides an environment composed of many participants who
can interact with and influence each other. They derive this concept
from their observation that people look for richness, complexity,
and depth in virtual worlds.

5 Albert Benschop, Peculiarities of Cyberspace, December 31, 2007.
6 A Declaration of the Independence of Cyberspace by John Perry Barlow, Electronic
Frontier Foundation.
7 A Critique of the word "Cyberspace" at Zero Geography

Given the usage of cyberspace discussed so far, it is clear that
it plays a huge role in cyber terrorism, so let us briefly discuss
cyber terrorism in more depth.

WHAT DOES CYBER TERRORISM STAND FOR?


Cyber-terrorism is the use of the Web or computer systems to
carry out violent and dangerous activities. This includes using
malicious software such as viruses and worms to interfere with or
destroy computer systems. Cyber-terrorism 8 also includes using the
Internet to spread false information, spread propaganda, and join
terrorist groups. It further includes the use of online social
networks to wage psychological warfare and spread fear and chaos,
and the use of online payment systems to fund terrorist activities.
In recent years, the global threat of cyber terrorism has
increased. In the United States, the Department of Homeland
Security identified cyber-terrorism as one of the top five threats to
national security in 2016. The threat of cyber terrorism is not
limited to the United States. Other countries are also vulnerable. In
the UK, the government identified cyber-terrorism as one of its top
four threats to national security in 2016.

Examples of Cyber Terrorism


One of the most famous examples of cyber terrorism is the
Stuxnet virus, which was used to sabotage Iran's nuclear
programmes in 2010. This virus is designed to attack and infect
industrial control systems used to control and monitor industrial
processes. The virus has seriously damaged Iran's nuclear program
and is believed to have been engineered by the United States9 and
Israel.
In 2013, a group of hackers known as the Syrian Electronic
Army used cyber-terrorism tactics to attack Western government
websites and media organizations. Hackers have taken down
websites using a variety of methods, including Distributed Denial of
Service (DDoS) attacks.

8 BBC News – Cyber terrorism 'overhyped', March 4, 2003.
9 BBC News – US warns of al-Qaeda cyber threat, December 1, 2026.
https://www.bbc.com/news/world-us-canada-60293497

In 2014, hackers known as "Peace-Keepers"10 released a large
amount of stolen data, including sensitive information and emails,
from Sony11 Pictures Entertainment. The hacker claims to be part of
the North Korean government and has asked Sony Pictures not to
release a film about the assassination of North Korean leader Kim
Jong Un.

Identifying The Source Of A Potential Cyber-terrorist Attack


Identifying the source of potential cyber-terrorism attacks is a
crucial step in stopping future attacks. Cyber terrorists frequently
use state-of-the-art techniques to conceal their identities;
however, there are a few clues that may help investigators
determine the origin of their attacks. These clues include the type
of attack, the target of the attack, the method used to initiate the
attack, and the type of malware used against the target.
Investigators also use Internet Protocol (IP) addresses and
domains to trace the source of attacks. These IP addresses and
domains may be used to identify the individual or group responsible
for the attack. Additionally, investigators can use evidence from
the attacks themselves, e.g. a code sample or encryption method, to
identify the source of the attack.

Cyber Terrorist Attacks: 2015


2015 was marked by a series of high-profile cyber attacks. In
the United States, the Office of Personnel Management (OPM) was
targeted in a cyber terrorist attack12 that stole over 20 million of its
personnel files, including sensitive information and background
checks. In the UK, the TalkTalk website was targeted in a
cyber-terrorist attack that destroyed the site and millions of
customer records. Additionally, several power plants have been
targeted in cyber-terrorist attacks in recent years, including a
power plant in Ukraine that was targeted in a cyber-terrorist attack
in December 2015. Cyber terrorists also target air traffic control
centres and water systems in the US, UK, and other countries.

10 Boot, William, “Sony Hackers Guardians of Peace Troll FBI”, December 20, 2014
11 The New York Times, “U.S. Links North Korea to Sony Hacking”, Retrieved
December 17, 2014.
12 Gross, Grant, November 2003. “Cyber-terrorist attacks will be more sophisticated
than previous worms, experts say.” Computer World.

CURRENT AND FUTURE CYBER THREATS


Current Threats
Cyber terrorism is one of the biggest security threats around
the globe. It has become more critical than the development of
nuclear weapons and the existing disagreements between nations.
Because of the pervasiveness of the Net and the genuine issues
caused by this technology, digital weapons pose a danger to whole
financial or societal systems. Some of the main worldwide security
concerns are:
DDoS Attacks – Years of denial-of-service attacks and
disruptions have caused thousands of dollars in downtime per hour.
Keeping critical systems secure is crucial to remaining online
throughout these attacks.
Social Engineering – In a 1997 NSA experiment, 35 hackers
gained access to critical Pentagon computer systems and simply
changed accounts, formatted data, and shut down entire systems.
They often used phishing tactics such as calling the office or
impersonating a technician to obtain passwords.
Third-Party Software – Top merchants connect to millions of
discrete third-party resources, and almost 23% or more of these
resources have at least one critical vulnerability. These firms
must manage and reassess their network defences to protect personal
information.

Future Threats
As technology becomes more integrated into society, new
vulnerabilities and security threats are revealed in the complex
networks we have deployed. Once intruders gain access to these
networks, they can threaten entire communities and economies. Since
we do not know the future, it is important to establish a system
that can respond to changes in the environment.
The most apparent cyber-terrorism threat13 in the near future
concerns remote working conditions during the COVID-19 pandemic.
Businesses cannot assume that every home office is up to date and
secure, so they will have to implement Zero Trust policies for
household devices.
In other words, you should assume that corporate assets and
unsecured devices share the same space and act accordingly. The
rise of cryptocurrencies continues and has created additional
security threats. Cyber-criminals are now hijacking home computers
and corporate networks to mine cryptocurrencies such as Bitcoin.
This mining process requires enormous computational power.

13 Burton, Dunn (2003). Black ice: The invisible threat of cyber terrorism.
Osborne/McGraw-Hill, USA. ISBN 978-0-07-222787-1.

CONCERNS: WHY DO WE REALLY NEED TO WORRY?

Today, cyber-terrorism is becoming increasingly prominent on
public networks. As cyberspace becomes increasingly ubiquitous,
persons or groups may use the anonymity that cyberspace provides to
threaten other individuals, specific groups (defined, for example,
by ethnicity or creed), communities and whole countries. The
anonymous use of tools such as denial-of-service attacks to target
and censor dissenting groups raises concerns about respect for
liberty and dissent. Many believe that cyber-terrorism is a severe
danger to national economies and fear that an attack may lead to
another global economic crisis. Quite a few leaders agree that
cyber-terrorism poses a higher threat than other possible attacks
on our nation. Even though natural disasters are considered the
highest form of danger and have proven devastating to people and
land, there is little that can be done to prevent such events from
occurring.
Therefore, the emphasis is expected to be on defensive measures
that will make attacks against the Internet nearly impossible.
People have access to the section of the Net known as "the Dark
Web", which gives them easy access to illegal conduct in
cyberspace. The Internet of Things also promises to further blend
the virtual and physical worlds, which several experts see as an
incentive for states to use terrorist agents to achieve their
goals. Dependence on the Internet is growing rapidly around the
world, creating a platform for forming and carrying out
international cyber-terrorist plots as a direct threat to national
security. For terrorists, cyber attacks have clear advantages over
physical attacks. They can be performed remotely, anonymously and
quite inexpensively, and do not need large investments in
munitions, explosives, or personnel. Their effects can be
significant. Cyber-terrorism incidents are expected to increase,
through denial-of-service attacks, malware, and other methods
unimaginable today. Examples include deaths associated with IS and
online social networks such as Facebook, Twitter, and Google. These
led to legal proceedings against ISIS and eventually to
litigation.14

THE CHARM OF E-WEAPONS IS ALIKE NUCLEAR ABILITIES
International Organizations
The United Nations has several organizations dedicated to
combating cyber terrorism, including the UN Office for
Counterterrorism. EUROPOL and INTERPOL also specialise in this
area. The two cooperate in combating cyber terrorism, working
together on various operations and holding annual joint cybercrime
conferences. Both fight cybercrime, but their activities are
different. Europol launches and coordinates cross-border operations
against cybercriminals within the EU. Meanwhile, INTERPOL assists
law enforcement authorities and coordinates operations against
cybercriminals around the world.

In India
To respond to cyber terrorists, also known as "white-collar
jihadis", the Indian police have enrolled private citizens as
volunteers who patrol the web and report suspected cyber-terrorists
to the administration. These volunteers are grouped into 3
categories: "Illegal Content Flaggers", "Cyber Mindfulness
Promoters" and "Cyber Specialists". In August 2021, police
apprehended 5 alleged white-collar jihadis15 who were drawing up a
hit list of journalists, police, social activists, members of the
political class, and lawyers in order to spread fear among people.
The white-collar jihadis 16 are considered 'the worst kind of
terrorists' because they maintain a shadowy, unidentified presence,
keep themselves safe in other nations, and inflict an
"incalculable" amount of destruction and indoctrination. In India,
the demand for cyber security specialists is expected to grow by
more than 100% in 2021 and 200% by 2024.

14 David E. Sanger and Eric Schmitt, “U.S. Cyber weapons, Against Iran & North
Korea, a Disappointment, Against ISIS”, June 12, 2017.
15 John Kane and April Wall, Identifying the Links Between White-Collar Crime and
Terrorism (April 2005).
16 https://www.nytimes.com/2017/06/12/world/middleeast/isis-cyber.html (Visited on
April 2023).

82% of Indian companies were hit by ransomware in 2020.
The cost of these ransomware attacks in India increased from $1.1
million in 2020 to $3.38 million in 2021. This placed India among
the top 30 nations with the most ransomware attacks.
Cyber attacks on the power grid in Maharashtra caused a
blackout. This happened in October 2020, and officials think China
is behind it. Sensitive data such as birth dates and names of
thousands of patients tested for Covid-19 were leaked. This data
was leaked from the authority's website and was published on
Google. The recruitment portal IIMjobs was attacked, and the data
of 1M job seekers was leaked. The leaked information was quite
broad, including the users' locations, names, and mobile numbers.
Information on approximately 500,000 Indian police personnel was
exposed on forums in Feb 2021. That data contained a lot of
private details. The data is based on a police examination
conducted in December 2019.

WHERE DO THE MOTIVATIONS FOR CYBERATTACKS COME FROM?
There are distinct motivations for cyber-attacks, mostly
financial. But there is growing evidence that hackers are becoming
more politically motivated 17. Cyber-terrorists are aware that
governments depend on the web and have exploited this accordingly.
For instance, Mohammad Bin Ahmad As-Salim's article "39 Ways to
Serve and Participate in Jihad" discusses how an E-jihad might
disrupt the West through targeted attacks on US websites.
Many cyberattacks are carried out not for the sake of money
but because of differing ideological beliefs, or out of a desire
for revenge and personal resentment towards the firm or individual
that the attacker is targeting. For example, employees may think of
taking revenge on a corporation if they are treated badly or
improperly terminated.

17 Cyberculture, the key Concepts, edited by David Bell, Brian D. Loader, Nicholas
Pleace, and Douglas Schuler

Other Motives Of Cybercrime Involve


• Political objectives
• Competition arising between companies.
• Cyberwar between two nations or more etc.
• Money

Political goals18 motivate cyber attackers because they are
unhappy with the candidates and may want particular candidates to
win an election, so they may alter the votes to help their
favoured candidate win.
Rivalry between two companies can also lead to cyberattacks,
as companies may hire hackers to attack competitors in order to
test their competitors' security. This also benefits the company,
as it leads the competitors' customers to believe that the
competitor is insecure because it is easily exposed to
cyberattacks, and they do not want their personal credentials
exposed.
Cyber warfare is the motive of nations battling each other. It
is mainly used to weaken the other country by compromising
sensitive information such as the other country's mission-critical
systems and data.
Money motivates phishing, ransomware, and data theft
cyberattacks because cyber criminals can contact victims in various
ways to demand money and keep their data safe in return.

WHY DO CYBERTERRORISTS TARGET POWER PLANTS, AIR TRAFFIC
CONTROL CENTRES, AND WATER SYSTEMS?
Power plants, air traffic control centres and water systems
are all critical infrastructure systems, and all are vulnerable to
cyber-terrorist attacks. Cyber terrorists19 attack these systems
because they can cause significant disruption and destruction. For
example, if a cyber-terrorist were to gain access to a power plant,
they could shut down the power grid and cause a massive blackout.
Moreover, if a cyber-terrorist were to gain access to an air
traffic control centre, they could disrupt or even halt air traffic
in an entire region. Cyber terrorists also target these systems
because they can be used to spread propaganda for terrorist groups.
By disrupting or destroying critical infrastructure systems,
cyber-terrorists can spread fear and confusion that can be used to
further their political or ideological goals.

18 Coralik, Andrew M. (2006). Cyber terrorism: Political and Economic Impact. Idea
Group, USA. ISBN 978-1-59904-022-6.
19 Wyman, Gabriel (2006). Terrorism on the Internet: New stage, new challenge. United
States Institute for Peace, US. ISBN 978-1-929223-71-8

CYBER TERRORISTS CAN ATTACK GOVERNMENTS, BUT NOT BUSINESSES?
Yes, cyber terrorists can attack governments, but not
businesses. Government agencies typically implement stricter
security measures to protect their networks from cyberattacks. On
the other hand, businesses may not have the same level of security
measures in place and are more vulnerable to cyberattacks.
Government bodies also tend to have more assets than
businesses, which makes them an attractive target for cyber
terrorists. Cyber terrorists can also target government entities for
political or ideological purposes. For example, cyber terrorists can
target government agencies to disrupt their operations or spread
propaganda.

VIRTUAL VS. PHYSICAL REALITY


The threat of cyber terrorism is very real, but it's important to
understand the difference between virtual reality and physical
reality. In the physical world, terrorism is carried out through
physical attacks such as bombing and shooting. In the virtual world,
cyberterrorism is carried out using computer networks and the
Internet.
The main difference between cyberterrorism and physical
terrorism is that cyberterrorism targets computer networks and the
Internet, while physical terrorism targets people and physical
infrastructure. Cyber terrorists use computer networks and the
Internet to spread propaganda, spread false information, and join
terrorist groups. They may also use computer networks to steal
confidential information, sabotage or destroy computer systems, or
gain unauthorized access to your computer.

CYBERSPACE: THE INTERNET PARABLE!


Cyberspace should not be confused with the Internet, but the
term is often used to refer to objects and identities that reside
mainly in the communications network itself. For example, websites
are sometimes figuratively referred to as "being in cyberspace."
According to this interpretation, Internet events take place "in
cyberspace" rather than where people and servers are physically
located. The famous philosopher Michel Foucault used the name
heterotopia to describe spaces that are simultaneously physical and
mental.
First, cyberspace20 describes the flow of data through networks
of connected computers. It is clearly "real" in its effects, yet
not "real" in the sense that it cannot be spatially located as a
tangible object. Since cyberspace is not physical, it is
challenging to establish a concise model of how cyberspace really
operates. Second, it is a site of computer-mediated communication
(CMC), in which alternative forms of online interaction and online
identity have been enacted, raising important questions about the
social psychology of Web usage, the connection between 'online' and
'offline' processes21, and the connection between 'real' and
virtual things. Cyberspace draws attention to the reconstruction of
culture through new media technologies. It is not only a means of
communication; it is a social destination and culturally
significant in its own right. Lastly, cyberspace is “contributing
new prospects to reshape societies and cultures” via “hidden”
characteristics, or borderless communication and culture.

20 "Crosstalk: Is cyberspace really space?" 12-24. Irvine, Martin. “Postmodern Science
Fiction and Cyberpunk,” accessed 19 July 2006.
21 Slater, Don 2002, “Social Relationships and Identity Online and Offline”, in
L. Lievrouw and S. Livingston (eds.), The Handbook of New Media, Sage, London

Cyberspace, or the Internet, is the "place" where telephone
conversations or communications take place. Not inside the actual
phone, the plastic device on your desk. Not inside someone else's
phone in another city, but the place between the phones. Over the
past twenty years, this electrical "space", which was once thin,
dark and one-dimensional, little more than a thin tube stretching
from one phone to another, has sprung open like a gigantic
jack-in-the-box. The strange glow of the computer screen has
flooded it with light. This dark electronic underworld has grown
into a vast, thriving electronic landscape. Since the 1960s, the
world of the phone has crossed with the worlds of computers and TV,
and although there is still no substance to cyberspace, nothing you
can handle, it now has a strange kind of physicality. Today, it
makes sense to talk about cyberspace as a place in its own right.
The "space" in cyberspace has more in common with the abstract
and mathematical meanings of the term than with physical space. It
lacks the duality of positive and negative volume (in physical
space, a room, say, has a usable volume bounded by the positive
volume of the walls, whereas Web surfers cannot enter the screen
and explore the unknown part of the Web as an extension of the
space containing them), but spatial meaning can be attributed to
the relationship between different pages (of books or even of
computers), because the unturned pages are somewhere "out there".
Thus, the notion of cyberspace does not refer to the content
accessible to the Internet user, but to the ability to surf between
different web pages, with various feedback loops between the user
and the rest of the system creating the possibility of continually
encountering something unknown or unforeseen.
Video22 games differ from text-based communication in that the
on-screen images are figures that actually occupy space, and the
animation shows the movement of those figures. The images are meant
to form the positive volume that delineates the empty space. A game
adopts the cyberspace metaphor by engaging more players in the game
and then representing them figuratively on the screen as avatars.
Games do not have to stop at the avatar-player level, but current
implementations aiming for more immersive playing spaces (e.g.,
laser tag) take the form of augmented reality rather than
cyberspace, as fully immersive virtual realities remain impractical.
Although the more radical consequences of the global communication
network predicted by some proponents of cyberspace did not
materialize and the word lost some of its novelty appeal, it remains
current as of 2006. Some virtual communities explicitly refer to the
idea of cyberspace; for instance, Linden Lab calls its customers
"Residents" of Second Life, while all such communities can be
situated "in cyberspace" for explanatory and comparative purposes,
integrating the metaphor into a much broader cyber-culture.

22 Philip Zhai, Get Real: A Philosophical Adventure in Virtual Reality.

The metaphor has proved useful in helping a new generation of
thought leaders to reason through new techniques across the globe,
led in large part by the United States Department of Defense.
Nevertheless, the use of Cyber Space as a metaphor has its limits,
especially in areas where the metaphor becomes confused with
physical infrastructure. It has also been criticized as unhelpful
because it misuses spatial metaphors to describe what is in essence
a network.

THE CONVERGENCE OF CYBERSPACE AND TERRORISM: CONCLUSION
Cyberterrorism is a growing threat with devastating potential.
In recent years, the threat of cyberterrorism has increased, and it
is not limited to one country or region. Cyberterrorists target
government agencies, businesses, and critical infrastructure systems
in countries around the world. It is important to understand the
realities of cyberterrorism and be aware of potential sources of
cyberterrorism attacks. By understanding the threat and taking steps
to guard against it, we can protect ourselves, businesses, and
governments from its devastating effects.
The convergence of cyberspace and terrorism23 poses a grave
threat to national security and public safety. It can be used to
destroy critical infrastructure systems, spread propaganda, and
recruit members to terrorist groups. It can also be used to spread
false information and wage psychological warfare.
Cyberterrorism threats are becoming more sophisticated, and
the rate of these attacks is increasing. To protect yourself from
cyberterrorism, it is important to pay attention to implementing
strong security measures and identifying potential cyber-terrorism
threats.

23 Dorothy E. Denning, “Convergence: Cyber Terrorism - an Overview”, Georgetown University.


CHAPTER 8

CYBER CRIME: THREAT AND SECURITY TO E-BANKING
Prof. (Dr.) Sudhir Kumar 1, Silky Soni 2

“The Web Revolution is one of the most significant events in human
history, and it has occurred in India over the past ten years. The
way in which business is conducted in practically all organisations
has changed as a result of the fast-growing use of the web, the
Internet, intranets, and extranets, as well as e-business or
e-commerce and mobile commerce. The lines dividing conventional
financial intermediaries like commercial banks, investment banks,
and specialised finance organisations are becoming less clear as a
result of technological innovation: "Banking on the Internet,"
"Banking by Phone," or "Banking on the Go". Financial institutions,
particularly in the banking industry, are now going through a
transformation. Banks power the operations of the financial sector,
which is essential to any nation's economy. Banking is one of the
oldest sectors of the economy anywhere in the world. The Indian
banking industry has not merely sat back and observed the global
revolution in information technology. The banking sector in India
has seen significant transformation as a result of the so-called
"web revolution." In the modern world, all banking activities are
conducted using computers and digital media. In order to benefit
from the power and reach of the internet and keep up with the
business environment's rapid development, banks have established
themselves on the web. Popular names for electronic banking include
"PC banking," "online banking," "Internet banking,"
"Telephone-banking," and "mobile banking." E-banking is a phrase
that can be used to describe all of these electronic banking
methods. This research paper highlights how, while internet banking
has made individuals' lives generally easier on the one hand, it is
still not completely free from risks”.

1 HOD, School of Legal Studies, Babu Banarsi Das University, Lucknow, (India)
2 B.A.LL.B (H), 3rd Year, Institute of Legal Studies & Research, GLA University, Mathura, (India)

INTRODUCTION

Nowadays banks provide their services at just a click, and
customers do not want to wait in long queues or on calls for basic
services. Through online banking, customers enjoy anywhere and
anytime banking. It allows customers to perform banking activities
away from the bank's premises, such as from home, the office and
other locations, via the internet. Online banking or e-banking
allows people to conduct financial transactions via the internet.
The first internet banking application was started in the U.S.A. in
1996, and then the well-known banks started providing e-banking
services. In India, ICICI was the first bank to introduce internet
banking in 1996. They offered it with lower internet cost and
increased awareness about electronic media. Internet banking has
changed both the banks' services to their customers and the banking
industry. Internet banking offers online services such as account
status enquiries, fund transfers, ordering demand drafts, loan
applications, credit card verifications, shopping portals and so
forth, without requiring visits to the branch during working hours.
Banking organizations have been delivering services to consumers
and businesses remotely for a long time. Electronic funds transfer,
including small payments and corporate cash management systems, as
well as publicly accessible machines for cash withdrawal and retail
account management, are global fixtures. However, delivering
financial services over public networks such as the Internet is
bringing about a fundamental change in the financial services
industry3.
According to Heikki et al. (2002), the change from traditional
banking towards e-banking has been a 'leap' change. The growth in
information access terminals, along with the growing use of
information-sensitive applications such as e-commerce, e-learning,
e-banking and e-healthcare, has generated a real need for reliable,
easy-to-use and generally acceptable control methods for
confidential and vital information. On the other hand, the need for
privacy must be balanced against security requirements for the
benefit of the general public. Payment systems are undergoing
radical changes, driven largely by technical advances such as
distributed network technology, real-time processing and online
customers' inclination to use e-banking interfaces, making the study
of biometrics considerably more important in this new E-World.
Financial institutions offering online products and services to
their customers should use effective methods to authenticate the
identity of customers using those products and services. Accurate
automatic personal identification is critical to a wide range of
application domains. Traditional personal identification methods
(e.g., passwords, PIN) suffer from a number of drawbacks and cannot
satisfy the security requirements of our highly inter-connected
information society. Biometrics refers to the automatic
identification of a person based on her physiological or
behavioural characteristics.

3 Electronic Banking Risk Management Issues for Bank Supervisors; Electronic Banking Group White Paper; Oct 2000.

E-BANKING INDUSTRY: AN ENGINE OF E-COMMERCE ECONOMY
Banks are the tools that operate the mechanism of the financial
sector, which plays a vital role in the economy of any country. The
banking industry is the oldest industry in the world. The banking
system originated about 4000 years ago in places such as Babylon,
Mesopotamia and Egypt. The banking system was revolutionized by the
emergence of paper currency as a medium of exchange; before this,
the barter system prevailed as the medium of exchange. The use of
cheques had become widespread by 1600 A.D., and by the mid 1990s
banks started using telegraph technology to ‘wire’ money in seconds
from one location to another.4 There have been three stages or
three ages of payment: (1) Notes and Coins (2) Paper Payments
(3) Electronic Payments.
4 S.B. Verma, S.K. Gupta, and M.K. Sharma (edited), E-Banking and Development of Banks, Deep & Deep Publication Pvt. Ltd., 2007, preface.

New technology has not only provided an ever-expanding range of
electronic payment products, it has also affected the way in which
banks work in the wider sense 5. E-Banking is termed as a process of
performing banking functions by deploying Information Technology.
It means providing banking services to customers at their office or
home by using electronic technology. E-commerce, an emerging global
reality, has had a significant impact on the banking system. It
incorporates three features of a contract of sale, i.e., offer,
acceptance and movement of consideration. The payment of money as
one leg of the transaction essentially involves banking. Today,
e-commerce is being viewed as the single biggest business window
across the world. It has brought a paradigm shift in the dynamics
of business and banking. The Indian banking industry has not
remained a totally aloof onlooker of the information technology
revolution that has taken place all over the world 6. Technology in
banking has been used in four major ways7:

1. To handle a greatly expanded customer base.
2. To reduce substantially the real cost of handling payments.
3. To free the banks from the traditional constraints of time and
place.
4. To introduce new products and services.

Applying electronic technology to every banking transaction has
become possible because of the availability of communication
networks like the Indian Financial Network (INFINET), which uses
V-SAT satellite technology, the optical fibre network, and other
terrestrial lines dedicated to the Indian financial sector 8. The
development of e-commerce is heavily influenced by the payment
system. The design, management, and regulation of electronically
based payment systems are currently the main subjects of discussion
in India. With the advent of new instruments like credit cards,
telebanking, ATMs, retail electronic funds transfer (EFT), and
electronic clearing services (ECS), the necessity of creating an
effective, efficient, and quick payment system is becoming more
pressing.

5 Patrick Frazer, Plastic and Electronic Money, Woodhead-Faulkner, Cambridge, USA, 1985, p. 3.
6 R. P. Nainta, Banking System, Frauds and Legal Control, Deep & Deep Publications Pvt. Ltd., New Delhi, 2005, p. 154.
7 S.S. Kaptan and N.S. Choubey, Indian Banking in Electronic Era, Sarup & Sons, New Delhi, 2003, p. 91.
8 Ibid.

The direction of the Indian economy is toward smart cards,
debit cards, and Financial Data Interchange for straight through
processing9. E-Banking has pushed the limits of the term ‘money’ to
a new extreme of ‘e-cash’.

SALIENT FEATURE OF ELECTRONIC BANKING


“Banking Company is one which transacts the business of
banking, which means the accepting for the purpose of lending or
investment of deposits of money from the public repayable on
demand or otherwise and withdrawable by cheque, draft, order
or otherwise10”, according to Indian Banking Company Act 1949.
The introduction of cyber systems, or cyberspace, has put the
entire banking system into a virtual world, but the fundamental
features of physical banking have remained the same. According to
H.L.A. Hart, “A Banker is one who, in the ordinary course of his
business, honours cheques drawn up to him by persons from and for
whom he receives money on current account”11. The Web is not a
physical or tangible entity, but rather a giant network which
interconnects innumerable smaller groups of linked computer
networks12.
9 T.K. Velayudham, “Developing in Indian Banking: Past, Present and Future”, Bank Quest, Vol. 73, No. 4, Oct.-Dec., 2002, p. 90.
10 Definition according to Indian Banking Companies Act, 1949.
11 Niti Soni and Vandana Gautam, Banking Theory and Practice, Sharma Publications, Jalandhar, 2009, p. 14.
12 American Civil Liberties Union et al. vs. Janet Reno, Attorney General of the United States, 929 F Supp. 824 (1996), in Yen Fen Lim, Cyber Space Law: Commentaries and Material, Oxford University Press, 2007, New Delhi, p. 4.

The evolution of the banking system from the traditional approach
to the modern one has forced the banking industry to rethink,
reinvent and advance the products and services it offers to its
customers according to the need of the hour. The internet banking
system provides various services through which customers can
conduct an array of banking transactions. Customers enjoy many
benefits from the e-banking system, such as:
(1) Anywhere banking: No matter where in the world the customer
is, a single click gives access to internet banking, balance
enquiries, service requests, and instructions;
(2) Anytime banking: Time is no longer a constraint. It is
available 24 hours a day, 7 days a week;
(3) Savings in time, location and cost;
(4) Cash withdrawal from any branch through an ATM;
(5) Brings down the customer's cost of banking;
(6) Online shopping with the help of online payment;
(7) There are no geographic limitations. E-banking offers an
unlimited network of branch locations. Any PC with a modem
and a telephone with an internet connection can provide banking
services.
(8) E-Banking and e-commerce have improved transparency in
transactions13.
Customers can use e-banking to open accounts, pay bills, view
account balances, apply for loans, calculate interest, view and
print copies of cheques and deposits, report exceptions on
overdrawn accounts, transfer funds, stop payment, reorder cheque
books and statements, and get news about the financial sector. They
can also send and receive e-mail messages to/from the bank. To help
new or prospective customers, it also includes an online training
and demonstration system.

THREATS TO E-BANKING
New technology can be used for constructive as well as destructive
purposes. The history of computer crime is as old as the computer
itself. Some people use computers for harmful, immoral, or criminal
purposes, even though most people use them for helpful, ethical,
and lawful purposes. If a fraud is committed with the help of a
computer, "computer crime" is a possible name for it. Computer
crimes are grouped into three general classes: (a) data-related
crimes; (b) software-related crimes; and (c) physical crimes.
The Web ecosystem offers a very easy environment for computer
users to take part in unlawful activities. Crimes carried out on the
web are called cybercrimes. Recently, the expression "cyber crime"
has come into use to describe a variety of online security risks.
Cybercrime is the term used to describe all unlawful activity
carried out on the web or in cyberspace. These could be either
conventional crimes or new kinds of activity made possible by the
advancement of the new medium. Any activity which basically offends
human sensibilities can be included in the ambit of cybercrimes.14
Inventive criminals use many different techniques and "tricks" to
take money from unsuspecting victims, buy goods without paying for
them, sell them without delivering them, abuse victims, and do many
other things. The global availability of the Internet has also led
to an increase in international fraud. Implementing e-commerce
transactions using e-banking presents a number of challenges. Some
examples of threats or risks are:
1. Erroneous transaction processing.
2. Compromises in the integrity of data, data privacy, and
confidentiality.
3. Unauthorized access to the bank's systems.
4. Non-enforceability of contracts, and so forth.
A total of 55 primary review articles were selected in the SLR,
and 51 types of attacks/threats were identified in these articles.
A structured description of the attacks/threats identified by
various researchers is given in figure 03. Most of the studies
(16.98%) mentioned that trojans (of different kinds) and malware
(14.55%) are the most serious threats to the online banking system,
followed by social engineering, pharming, phishing, password
cracking, port scanners, server bugs, packet sniffers, denial of
service attack, and automated reply. Trojans have become one of the
fastest-growing techniques of cybercriminals in the world, involving
the theft of personal data from unsuspecting users15.

13 S.S. Kaptan and N.S. Choubey, pp. 145-147.

14 Advocate Pavan Duggal, Cyber Lawyer Pavan Duggal Calls For Legal Awareness Among India's Youth, BW Business World, available at: https://www.businessworld.in/article/Cyber-Lawyer-Pavan-Duggal-Calls-For-Legal-Awareness-Among-India-s-Youth/27-01-2022-418836/ (Visited on 1 February, 2012)
15 Andreini, D., & Bettinelli, C. (2017). Business Model Definition and Boundaries. In Business Model Innovation (pp. 25-53): Springer.


SECURITY ISSUES
Financial crimes committed in the e-banking sector with the aid of
the Web are growing day by day. Before implementing E-Banking, one
of the most crucial challenges that must be resolved is security.
There is a considerable risk of unauthorized access to, or loss of
or damage to, data by hackers, loss of or damage to data by
viruses, and unauthorized access within the organization or
network16. The security risk is at its peak when an organization
makes an online payment. Confidentiality, integrity, authenticity,
non-repudiation and security are key issues for the protection of
the rights of customers17.

Phishing
Phishing is a sort of online fraud whereby unsuspecting
individuals are persuaded to reveal sensitive data, such as their
user names and passwords, which is then unlawfully utilised by
spammers. Sending e-mails posing as someone else is the main
phishing tactic. The e-mail claims to come from a bank or other
financial firm that deals with the consumer and already holds the
consumer's personal data, and the consumer is asked to confirm that
information by clicking a URL supplied in this fake e-mail. This URL
takes the customer to a fake site which resembles the genuine site,
and the data the consumer enters in the forms provided on the fake
site is collected and used to commit fraud on their accounts or
credit cards, or to withdraw funds from their accounts without
authorization.18
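The fake-URL tactic described above can be checked mechanically before a customer ever clicks. The following is an added example, not part of the original chapter: it extracts the links from an e-mail body and lists why each one should not be trusted. The bank domain `examplebank.example`, the sample e-mail and the reason labels are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the bank's genuine registrable domain (hypothetical name).
BANK_DOMAIN = "examplebank.example"

# Constructed sample of a phishing e-mail body; not taken from a real message.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your account details within 24 hours.</p>
<a href="http://examplebank.example.account-verify.example/login">
  https://www.examplebank.example/login</a>
<a href="https://examplebank.example@198.51.100.7/confirm">Confirm now</a>
<a href="https://www.examplebank.example/help">Help centre</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, domain=BANK_DOMAIN):
    """Return the reasons a link should not be trusted (empty list = none)."""
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:
        # "https://bank@other-host/" shows the bank name but goes elsewhere.
        reasons.append("userinfo-in-url")
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    elif any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")
    outside = not host_in_domain(host, domain)
    if outside:
        reasons.append("host-outside-bank-domain")
    if outside and domain in text.lower():
        # The visible text names the bank, the target does not.
        reasons.append("text-target-mismatch")
    return reasons


def analyze_email(html, domain=BANK_DOMAIN):
    """Return (href, reasons) for every link that raised at least one reason."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        reasons = check_link(href, text, domain)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in analyze_email(SAMPLE_EMAIL):
        print(href, "->", ", ".join(reasons))
```

The suffix comparison in `host_in_domain` is what defeats hosts that merely begin with the bank's name; a plain substring match would accept the first sample link.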
According to the IT Act, sec 66 defines the punishment for
phishing: “The punishment includes either imprisonment for a term
that may extend to three years or a fine that may extend to five
lakh rupees, or both, depending on the seriousness of the
crime.”19
The costliest phishing attacks to date are:

16 V.P. Shetty, “Electronic Banking”, in S.B. Verma, S.K. Gupta and M.K. Sharma (edited), p. 24.
17 S. Ganesh, p. 31.
18 S.C. Gupta, “Internet Banking-Changing Vistas of Delivery Chanel”, in S.B. Verma, S.K. Gupta and M.K. Sharma (edited), p. 106.
19 Definition under Information Technology Act 2000.


1. Facebook and Google
As a result of a sustained phishing attack, Facebook and Google
were defrauded of $100 million between 2013 and 2015. The phisher
took advantage of the fact that both companies used Taiwan-based
Quanta as a vendor. The attacker sent a series of fake invoices
that impersonated Quanta, which Facebook and Google both paid. After
the scam was finally uncovered, Facebook and Google took legal
action in the US. Following the attacker's arrest and extradition
from Lithuania, Facebook and Google were able to recover $49.7
million of the $100 million that had been taken from them.

2. Crelan Bank
A business email compromise (BEC) scam cost Crelan Bank, a Belgian
financial institution, about $75.8 million. In this kind of attack,
the phisher gains access to the account of a senior executive at a
company and instructs the executive's staff to transfer funds to
the attacker's account. The Crelan Bank phishing attack was detected
during an internal audit, and because the organization had
sufficient internal reserves, it was able to absorb the loss.

3. FACC
A BEC fraud cost FACC, an Austrian manufacturer of aerospace
parts, a sizable amount of money. The company disclosed the incident
in 2016 and said that a phisher impersonating the CEO had told a
member of the accounting staff to transfer $61 million to an
attacker-controlled bank account.
This case was unusual in that the company chose to remove its CEO
and CFO and pursue legal action against them. Because the two
executives had failed to properly implement internal controls and
security measures that might have stopped the attack, the firm sued
them for $11 million in damages. This lawsuit served as a real
example of the personal risk that the heads of a business face for
not exercising "due diligence" regarding cybersecurity.

4. Upsher-Smith Laboratories
A BEC attack against a Minnesotan drug company in 2014 cost the
company nearly $39 million, lost to the attackers. The phisher sent
e-mails to the company's accounts payable coordinator while posing
as the CEO of Upsher-Smith Laboratories, instructing her to carry
out specific wire transfers and to follow the instructions of a
"lawyer" working with the attackers.
The company was able to cancel one of the nine wire transfers sent
because the attack was detected midway. As a result, the company's
losses dropped from $50 million to $39 million. Despite the fact
that there were several missed "red flags," the company decided to
sue its bank for approving the transfers.

5. Ubiquiti Networks

Pharming
Another form of online fraud, called pharming, involves diverting
as many people as possible away from the trustworthy online banking
websites they intended to visit and onto harmful ones. In this fraud
the criminal plants malicious code on a computer or server which
automatically directs users to a fraudulent website without the
knowledge of the customer or user. The fake sites, to which victims
are redirected without their knowledge or consent, will probably
look the same as a genuine site. However, when users enter their
login name and password, the information is captured by criminals.20
In 2015, phishing e-mails pretending to come from Brazil's largest
telecom company were sent to users of UTStarcom or TP-Link home
routers. The links in the e-mail downloaded pharming malware
designed to exploit router vulnerabilities and change the router's
DNS settings.21

20 S.C. Gupta, p. 106.

In 2007 more than 50 financial institutions across the US, Europe
and Asia were targeted by one of the most significant pharming
attacks ever recorded. Hackers had created an imitation page
containing malicious code for each targeted financial institution.
Consumers' computers were forced to download a Trojan from the
site. Any subsequent login information for the targeted financial
institutions was collected. The number of victims is unknown, but
the attack went on for three days22.
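Because pharming works by changing where a name resolves rather than what the user types, the defensive check is on the resolver side. The following added example, not taken from the chapter, audits a host's resolver settings after a router DNS change of the kind described above and compares the answers it receives with addresses pinned for the bank's site. All addresses, the approved resolver range, the pinned set and the host name `www.examplebank.example` are constructed assumptions.

```python
import ipaddress

# Constructed sample: resolver settings as a host might receive them from a
# home router whose DNS setting was changed (documentation address ranges).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 203.0.113.53
nameserver 192.0.2.1   # ISP resolver
search home.example
"""

# Assumption: the resolvers the ISP or organisation actually operates.
APPROVED_RESOLVERS = [ipaddress.ip_network("192.0.2.0/28")]

# Assumption: addresses the bank publishes for its site, obtained out of band.
PINNED_ADDRESSES = {
    "www.examplebank.example": {"198.51.100.10", "198.51.100.11"},
}

# Constructed sample: answers returned by the locally configured resolver.
OBSERVED_ANSWERS = {
    "www.examplebank.example.": ["203.0.113.80"],
    "www.othersite.example": ["198.51.100.200"],
}


def parse_nameservers(text):
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # malformed entry: nothing to audit
    return servers


def unapproved_resolvers(servers, approved=APPROVED_RESOLVERS):
    """Resolvers that lie outside every approved network."""
    return [str(s) for s in servers if not any(s in net for net in approved)]


def unexpected_answers(observed, pinned=PINNED_ADDRESSES):
    """Map each pinned host name to the answers outside its pinned set."""
    findings = {}
    for name, answers in observed.items():
        host = name.lower().rstrip(".")
        expected = pinned.get(host)
        if expected is None:
            continue  # no pin for this name, so no verdict
        extra = sorted(set(answers) - expected)
        if extra:
            findings[host] = extra
    return findings


def audit(resolv_conf_text, observed):
    """Combine both checks into one report."""
    servers = parse_nameservers(resolv_conf_text)
    return {
        "unapproved_resolvers": unapproved_resolvers(servers),
        "unexpected_answers": unexpected_answers(observed),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RESOLV_CONF, OBSERVED_ANSWERS))
```

Pinned address sets need upkeep when a site changes hosting, so a mismatch is a prompt to investigate; validation of the site's TLS certificate remains the stronger control on the user's side.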
Thus, anyone who accesses a person's computer without the
permission of the owner is liable to pay damages of one crore rupees
under the Information Technology Act 2000. Calculators are excluded
from the definition of "computer system," which refers to a device
that includes input and output support devices and systems and is
capable of performing logical, arithmetic, data storage and
retrieval, communication control, and other functions. No matter
what the aim or reason was for gaining unauthorised access to the
computer system, Section 43 of the Information Technology Act 2000
makes it illegal. The owner need not establish the fact of the loss,
only that the system was utilised without his permission.
In this regard, the case of United States v. Rice 23 might be
significant. In that instance, the defendant, at the request of a
friend who was the subject of an IRS officer's inquiry, used the IRS
officer's computer without permission in an attempt to learn the
status of his friend's case. Although this did not result in any
loss or damage for the plaintiff (the officer), he was found guilty
by the jury of accessing a government computer system without
authorization, and his conviction was later upheld. Even a person
who helps another gain unauthorised access to a computer would still
be responsible for paying damages in the amount of Rs. 1 crore as
compensation. Does activating a computer amount to unauthorised
access? In order to qualify as having mens rea under Section 1 of
the Computer Misuse Act of 1990, a person must have both the purpose
and the knowledge necessary to gain unauthorised access to any
programme or piece of data stored on a computer. For example, a
defendant who went to his former employer to buy particular
equipment was accused of entering certain commands into the
automated till, while the salesperson was not looking, to give
himself a significant discount. In R v. Sean Cropp, the court took
the view that Parliament would have intended to restrict the use of
the second computer even if section 1 (1) (a) requires that one be
involved.

21 Ty Mc Duffey, “Pharming Lawsuits”, Legal Match, available at: https://www.legalmatch.com/law-library/article/pharming-lawsuits.html (Visited on: February 15, 2023)
22 Ibid.
23 Hardik, “Cyber Crime”, Legal Services India, available at: https://www.legalserviceindia.com/legal/article-971-cyber-crime.html (Visited on: February 20, 2023)

Identity Theft
A growing cybercrime problem is identity theft, in which a
criminal (the identity thief) poses as another person. The thief
steals social security numbers and credit card numbers, usually
obtained from the Web, to commit fraud (for example, to buy products
or consume services) that the victim may be required to pay for.
For this kind of fraud the person is liable to punishment of
imprisonment which may extend to three years and is also liable to
a fine which may extend to one lakh rupees. Consider the case in
which Bari Nessel stole information from employees24:
After a job application in 1997, Bari Nessel used the information
she was given to steal Linda Foley's identity, running up a large
amount of credit card debt and forcing Foley to go through
unnecessary hurdles later on when applying for credit cards and
loans. Foley's case shows how important it is to keep your social
security number secure. If there is one thing to learn from these
cases, it is that it is impossible to be too careful when it comes
to protecting your identity. Identity theft can ruin your life, so
taking precautions with data security is essential to maintaining
your wellbeing.

24 Datashield Corp., The worst identity theft cases ever. Gabriel Jimenez’s Identity Gets Stolen case.


Hacking
Hacker is the term often used to describe an outside person who
penetrates a computer system. Hacking means the alteration or
destruction of any information residing in the computer system or
computer resource, that is, the destruction or alteration of the
tangible and/or intangible assets of the computer resource. There
are two kinds of hackers. White-hat hackers perform ethical hacking,
testing their clients' systems to find the weak points so that they
can be fixed. Black-hat hackers, also referred to as crackers, are
the criminals. A cracker is a malicious hacker, who may represent a
serious problem for an organization25.
Section 66 of the Information Technology Act 2000 deals with the
offence of hacking. In simple words, hacking is access to another
person's system without the express or implied permission of the
owner of that system. If any person intends to cause damage or to
misuse data, knowing that this will cause great loss or damage to
the public or to a person, then that person will be liable for
hacking and would be punished under sec 66 of the IT Act 2000, which
states that “punishment for hacking is imprisonment for three years
or fine which may extend up to 2 lakhs rupees or both.26”
In the case The American Businesses Hacks27 (2005 – 2012),
American Businesses Hack.-
It's a little difficult to comprehend this one. There are
numerous actors and moving parts in it. It has been referred to as the
biggest hacking operation ever found in the United States.
A Russian cyber organisation began targeting different
companies, chains, and systems in 2005, including 7-Eleven and JC
Penney. They were able to obtain 800,000 bank account login
credentials and 160 million credit and debit card numbers over the
course of seven or eight years. They are thought to have caused
losses of at least $300 million worldwide, either directly or
indirectly. Some of the information was sold (credit card numbers
on underground forums sold for $10–50 per), while other

25 Efraim Turban, et al., Electronic Commerce, Prentice Hall, Upper Saddle River, NJ, 2006, p. 118.
26 Defined under IT Act 2000
27 Indus face case studies, another case was- The Iceman Hacks (2006)


information was used to withdraw money directly from accounts
(they reportedly got away with it).

Trap Door
A trap door, or secret entrance, is a technique that allows
breaking into a program's code, making it possible to insert
additional instructions.28 A trap door is also known as a back door
because it is a method of bypassing normal authentication. Trap
doors are quite difficult to detect; to find them, programmers or
developers have to go through the components of the computer.

Salami Slicing
A program designed to divert small amounts of money from a
number of larger transactions, so that the amount taken is not
readily apparent. Electronic financial systems make it possible to
repeatedly divert small amounts of money, typically due to
rounding, to a beneficiary's account. This general idea is used in
popular automated savings applications. It has also been said to be
behind fraudulent schemes, in which bank transactions calculated to
the nearest penny leave unaccounted-for fractions of a penny for
fraudsters to divert into other amounts29. Snopes in 2001 dismissed
the reality of such embezzlement schemes as a legend30.
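An added example, not from the original text, of how an auditor can test a ledger for the rounding pattern described above: it compares posted interest with exactly computed interest, checks whether rounding runs almost always against the customer, and looks for an account whose unexplained credits equal the withheld residue. The account names, the rate and the ledger are constructed, and the function names are assumptions.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
DAILY_RATE = Decimal("0.000137")  # constructed daily interest rate


def build_ledger(rounding):
    """Constructed sample: one interest posting for each of 200 accounts."""
    postings = []
    for i in range(200):
        balance = Decimal(1000 + 37 * i) + Decimal(i % 100) / 100
        exact = balance * DAILY_RATE
        posted = exact.quantize(CENT, rounding=rounding)
        postings.append((f"ACC-{i:04d}", exact, posted))
    return postings


def audit_rounding(postings, min_sample=30, bias_threshold=0.9):
    """Compare posted with exact amounts and summarise the rounding residue."""
    residues = [exact - posted for _, exact, posted in postings]
    nonzero = [r for r in residues if r != 0]
    against_customer = sum(1 for r in nonzero if r > 0)
    share = against_customer / len(nonzero) if nonzero else 0.0
    return {
        # Money customers were owed but not paid (negative if overpaid).
        "residue_total": sum(residues, Decimal(0)),
        # Honest rounding goes up and down about equally often.
        "share_against_customer": share,
        "biased": len(nonzero) >= min_sample and share >= bias_threshold,
    }


def accounts_matching_residue(residue_total, other_credits, tolerance=CENT):
    """Return accounts whose unexplained credits add up to the residue."""
    totals = defaultdict(Decimal)
    for account, amount in other_credits:
        totals[account] += amount
    return sorted(
        account for account, total in totals.items()
        if total > 0 and abs(total - residue_total) <= tolerance
    )


if __name__ == "__main__":
    for label, mode in (("half-even", ROUND_HALF_EVEN), ("truncated", ROUND_DOWN)):
        print(label, audit_rounding(build_ledger(mode)))
```

A biased result on its own only shows that the rounding rule favours one side; the matching credit stream is what turns it into a lead worth investigating.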
Prosecutors in Los Angeles charged four men with fraud in
October 1998 for allegedly installing computer chips in service
station pumps that cheated customers by overstating the amount
pumped31. In 2008, a man was arrested for fraudulently creating
58,000 accounts which he used to collect money through
verification deposits from online business firms, a few cents at a
time32.
In Buffalo, New York, a fare box serviceman stole more than
US $200,000 in quarters from the local transit agency

28 See: P. Weill and M.R. Vitale, Place to Space: Migrating to e-Business Models, Harvard Business School Press, Boston, 2001.
29 Kabay, M E (24 July 2002). "Salami fraud". Network World. Archived from the original on 18 June 2005.
30 Mikkelson, David (22 February 2001). "The Salami Embezzlement Technique". Snopes. Retrieved 15 February 2022.
31 Salami fraud By M. E. Kabay Network World Security Newsletter, 07/24/02
32 "Hacker takes $50,000 a few cents at a time". PC Pro. 2008-05-28.


over an eight-year period extending from 2003 to 2011, and
was sentenced to 2.5 years in prison33.

Cookies
When a person accesses a website, a little text file called a
cookie is downloaded to their computer. It includes data that the
website server transmitted to the user's browser. A web user may
occasionally examine cookies in the source code of a web page's
header if they so choose. However, the majority of the time, the user
does not see the information that has been gathered; instead, their
computer and browser record, track, and store it. The user's web
browser will communicate the previously saved data to the website
if they visit it again. By recording the users' movements on certain
computers, cookies can inform a website that a visitor's computer is
the same one that was there previously. The cookie itself may not
contain personally identifying information, but the website may
know the identity of the user whose browser sends the cookie.34 By
modifying or manipulating the cookie, the attacker can gain access
to the user data stored in the cookie. Cookie poisoning attacks are
dangerous because they enable attackers to use the data stored
inside cookies to gain unauthorized access to users' accounts or to
steal their identities.

How Cookie Poisoning Works

Cookie poisoning happens when unauthorized persons (attackers)
can manipulate cookies because of the poor security infrastructure
of a website. By modifying or manipulating the cookie, the attacker
can gain access to the user data stored in the cookie. Cookie
poisoning attacks are dangerous because they enable attackers to
use the data stored inside cookies to gain unauthorized access to
users' accounts or to steal their identities.

Cookie Poisoning Through Cross-Site Scripting (XSS)


One of the most prevalent methods for accessing and
modifying cookie data is cross-site scripting, or XSS. Attackers

33 "Convicted parking meter thief amassed $210,000 in stolen cash all of it in quarters". National Post. Postmedia Network Inc. Associated Press. August 17, 2013. Retrieved 27 August 2019
34 Lee Fen Yem, Cyber Space Law, Oxford University Press, New Delhi, 2007, p. 128


typically locate a page that is open to XSS injection. They can force
the page to send them all visitors' session cookies by adding a
malicious script to the page. They can access all of these users' info
in this way.
Attackers can continue to be logged into their victims'
accounts without the victims noticing it since the stolen cookie
allows the attacker to impersonate its true owner. In addition, no
password is required for attackers to access victim accounts.
Because of this, XSS is a very popular and powerful tool for cookie
poisoning attacks.

Figure 1: Depicting how cross-site scripting works 35

Techniques by which users can prevent or at least minimize
poisoning attacks36:
• Using unique and secure session cookies – It is essential to
ensure that session identifiers are inaccessible to attackers
once the session is closed. They should also be randomly
generated and hard to crack by brute force or other means.
• Limiting multipurpose cookies – Multipurpose cookies create
a great deal of security risk, so restricting every cookie to a
single task is important.
• Using Hypertext Transfer Protocol Secure (HTTPS)
Communications – It is crucial to use HTTPS

35 Rahul Awati, “Cookie Poisoning”, Tech Target, available at: https://www.techtarget.com/searchsecurity/definition/cookie-poisoning?amp=1 (Visited on: February 15, 2023)
36 Ibid


communication to establish a secure information flow and reduce
the chances of attackers eavesdropping on cookie content.
• Having comprehensive session management – Ensuring strict
and simultaneous session management can increase cookie
security and keep out poisoning attackers.
• Performing vulnerability scans – By regularly scanning web
applications with a vulnerability scanner, security weaknesses
that might lead to cookie poisoning can be proactively
identified and eliminated.

Cookies should be encrypted before being transferred to a
user's computer by websites that utilise them. To verify the content
in all upcoming communications between the user and the web
server, a digital signature should be made. The signature won't
match the content if it has been altered, and the server won't be able
to access it37.

Figure 2 The Digital Signature Process38

Websites using cookies should generate a digital signature to
authenticate content and communication between users and web
servers.
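An added example, not from the original text, of the signature check and the session-cookie precautions listed above: the server issues a random session identifier, attaches an HMAC-SHA256 tag as the signature (the chapter names no algorithm, so this choice is an assumption), marks the cookie Secure, HttpOnly and SameSite, and rejects any cookie whose content no longer matches its tag or that has expired. All function names and the lifetime are assumptions; the tag gives integrity only, and encryption of the cookie content is not shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret kept only on the server
MAX_AGE = 900                         # constructed session lifetime in seconds


def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_session_id():
    """Unpredictable identifier: 32 random bytes from the OS random source."""
    return secrets.token_urlsafe(32)


def sign_cookie(payload, key=SERVER_KEY, now=None):
    """Serialise the payload with its issue time and append an HMAC tag."""
    body = dict(payload, iat=int(time.time() if now is None else now))
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return b64e(raw) + "." + b64e(tag)


def verify_cookie(value, key=SERVER_KEY, now=None):
    """Return the payload if the tag matches and the cookie is fresh, else None."""
    try:
        raw_part, tag_part = value.split(".")
        raw, tag = b64d(raw_part), b64d(tag_part)
    except (AttributeError, ValueError):
        return None  # malformed cookie
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # content was altered after signing
    body = json.loads(raw)
    age = (time.time() if now is None else now) - body["iat"]
    if age < 0 or age > MAX_AGE:
        return None  # closed or stale sessions must not stay usable
    return body


def set_cookie_header(value):
    """Build a Set-Cookie header that keeps the cookie off plain HTTP and scripts."""
    jar = SimpleCookie()
    jar["session"] = value
    morsel = jar["session"]
    morsel["secure"] = True        # sent over HTTPS only
    morsel["httponly"] = True      # not readable by page scripts (limits XSS theft)
    morsel["samesite"] = "Strict"
    morsel["max-age"] = MAX_AGE
    morsel["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    cookie = sign_cookie({"sid": new_session_id(), "role": "customer"})
    print(set_cookie_header(cookie))
    print(verify_cookie(cookie))
```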

37Ibid
38Ibid


Spoofing
Fake e-mail addresses or web pages are designed to trick users into
providing information or sending money. Their main purpose is to
confuse consumers with a similar or fake website. In cybersecurity,
'spoofing' is when fraudsters pretend to be some other person or thing
to win an individual's trust. The motivation is usually to gain access
to systems, steal data, steal money, or spread malware.
Under the Truth in Caller ID Act, FCC rules prohibit anybody
from transmitting misleading or inaccurate caller ID information
with the intent to defraud, cause harm or wrongfully obtain
anything of value. Anybody who is illegally spoofing can face
penalties of up to $10,000 for every violation. This kind of scam
happens when someone wants to disguise or hide the location from
which they are sending or requesting data, so they replace the
source Internet Protocol (IP) address with a fake one39.
There are different kinds of spoofing. It can take many forms,
for example spoofed emails, IP spoofing, DNS spoofing, GPS
spoofing, website spoofing, and spoofed calls40. It is best
understood through illustrations, since spoofing techniques vary
with the kind of attack.
For instance, in email spoofing, the adversary can hack an
unsecured mail server to conceal their true identity. In a MitM
attack, an adversary can create a Wi-Fi access point to intercept
any web activity and gather personal information41.

39 Jean Folger, What Is Spoofing? How Scam Works and How To Protect Yourself, Investopedia, available at: https://www.investopedia.com/terms/s/spoofing.asp (Visited on: February 20, 2023).
40 Ibid
41 Ibid


Figure 03: Frequencies of Threats & Attacks on Online Banking42


Note: The frequencies of the rest of the attacks are lower than that
of “automated reply”

TOOLS AND TECHNIQUES TO ENSURE SECURITY IN E-BANKING SERVICES
Clearly, without great confidence in bank security, customers
are reluctant to use the Web to view their financial information
online or to carry out financial transactions. Some of the security
risks involve invasion of individuals' privacy and theft of
confidential information.
E-banking platforms offer several methods to ensure a high
level of security: (a) identification and authentication, (b)
encryption, and (c) firewall mechanisms. The identification of an
online bank takes the form of a known Web address or Uniform
Resource Locator (URL), while the customer is identified by his
login ID and password to ensure that only authorized customers can
access their accounts. Messages between customers and online banks
are encrypted so that a third party cannot see the contents of the
messages. The common encryption standard adopted by most browsers
is called Secure Sockets Layer (SSL).43
A firewall is a set of related programs, located at a network
gateway server, that protects a bank network's resources from
users on other networks. It is a group of hardware

42 Systematic literature review paper by Iftikhar Ahmad, Shahid Iqbal, Shahzad Jamil and Muhammad Kamran
43 IBM, 2009. IBM X-Force Trend and Risk Report [Online] available at: http://www935.ibm.com/service (Visited on: February 16 2023)


components set up to accept, reject, encrypt, or decrypt all computer
traffic between various security domains in accordance with a set of
criteria. Customer account data can be protected from unwanted
access using a sophisticated security architecture that includes
firewalls, filtering routers, encryption, and digital certification.44
Various institutions have therefore recently responded with
improvements to their security procedures and have begun replacing
their earlier TAN lists. A Transaction Authentication Number or TAN
is used by some online banking services as a form of single-use,
one-time password to authorize financial transactions. TANs are a
second layer of security over and above the traditional
single-password authentication. However, it is questionable whether
switching to the mobile TAN will bring the best result. With this
method, after registering with the bank the customer receives a
transaction-related TAN by SMS on his mobile phone. Since the cyber
criminal cannot simultaneously listen in on the customer's PC
(customer to bank) and the phone connection (bank to customer), the
mobile TAN system is considered reasonably secure (Mohr, 2009).45
Something entirely different is protection through a chip card
using the HBCI (Home Banking Computer Interface) system. This
system guarantees an extremely high security standard; however, the
customer needs software for it and a chip card reading device. These
restrictions are responsible for the poor reception this method has
received. Another method for secure online banking is the TAN
generator. These devices generate a TAN, which is only valid for a
short period of time and is shown on the device display. The method,
which is commonly called "Smart TAN", considerably hinders the
interception and misuse of customer data. With the faster "Smart TAN
plus" method the customer enters specific transaction data into a
smart card reader, which generates a TAN in combination with the
bank card. The bank computer then also calculates the TAN and
authorizes the transaction if there is a match.

44 Jun, M. & Cai, S., 2001. The key determinants of Internet Banking service quality: a content analysis. International Journal of Bank Marketing, 19(7), pp. 276-291.
45 Leow, H.B., 1999. New Distribution Channels in banking Services. Banker’s Journal Malaysia, (110), pp. 48-56.


Since the calculated TAN can only be used for this transaction and is
determined with the aid of the bank card, this technique is
rated as being particularly secure. However, entering the
transaction data using the keypad on the reader is sometimes
considered inconvenient and carries the possibility of incorrect
entries.46
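An added example, not from the original text, of the reader-generated TAN described above in simplified form: the card reader and the bank share a card key, the TAN is derived from the exact payee, amount and a counter, and the bank recomputes it over the data it actually received. It is not the HBCI or any bank's real algorithm; the class names, the six-digit length and the account strings are assumptions, and the truncation step follows the HOTP style of RFC 4226.

```python
import hashlib
import hmac
import json
import secrets
import struct


def compute_tan(card_key, payee_account, amount_cents, counter, digits=6):
    """Derive a short code from the card key and the exact transaction data."""
    msg = json.dumps([payee_account, amount_cents, counter]).encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation in the style of HOTP
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CardReader:
    """Customer side: signs the payee and amount the customer typed and checked."""

    def __init__(self, card_key):
        self.card_key = card_key
        self.counter = 0

    def tan_for(self, payee_account, amount_cents):
        self.counter += 1
        tan = compute_tan(self.card_key, payee_account, amount_cents, self.counter)
        return self.counter, tan


class Bank:
    """Bank side: recomputes the TAN over the order as it arrived."""

    def __init__(self):
        self.card_keys = {}
        self.last_counter = {}

    def enroll(self, customer):
        key = secrets.token_bytes(32)  # stored on the bank card at issuance
        self.card_keys[customer] = key
        self.last_counter[customer] = 0
        return key

    def authorize(self, customer, payee_account, amount_cents, counter, tan):
        key = self.card_keys.get(customer)
        if key is None or counter <= self.last_counter[customer]:
            return False  # unknown customer, or a replayed or outdated TAN
        expected = compute_tan(key, payee_account, amount_cents, counter)
        if not hmac.compare_digest(expected, tan):
            return False  # order differs from what the customer confirmed
        self.last_counter[customer] = counter  # each TAN is single use
        return True


if __name__ == "__main__":
    bank = Bank()
    reader = CardReader(bank.enroll("alice"))
    counter, tan = reader.tan_for("DE00-CONSTRUCTED-0001", 12500)
    # Order altered between customer and bank: the TAN no longer matches.
    print(bank.authorize("alice", "XX00-CONSTRUCTED-9999", 12500, counter, tan))
    print(bank.authorize("alice", "DE00-CONSTRUCTED-0001", 12500, counter, tan))
```

Because the payee and amount are part of the computation, a TAN captured or relayed by a third party is useless for any other transfer, which is what separates this scheme from a plain one-time password.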
Another tool that has appeared on the market to support customer
authentication is the electronic identity (eID) card. Such eID cards
have already been introduced in many European countries. In
certain countries, the issuance of these eID cards is
organized by consortia, or by public-private partnership (PPP)
between banks and state agencies, as issuing bodies. Such are
Sweden, Estonia, or Luxembourg. There is, in certain countries,
a real interest of the financial sector to work with public
authorities as closely as possible regarding the questions of
customer authentication and electronic signatures. Biometry is not
currently used and should not be a major method of authenticating
customers soon in Europe because of factors like lack of
effectiveness, difficulty of use, and cost-effectiveness.47
Figure 04 highlights the measures that researchers have stressed
for improving the prevention of online attacks. Out of the total
selected studies, 27.27 percent of researchers emphasized that a
wide range of security measures, for example system security,
server security, security control, IP security, data security,
flexibility of security systems, security assessment, and dynamic
security skin, can prevent digital attacks. Additionally, 20% of
studies provide evidence that education, awareness, and staff
training can significantly safeguard the customer from online
attackers/fraud. Other studies (12.73 percent) stressed strong
identification and authentication systems, device identification,
IP address identification, and the use of biometrics for improving
the prevention of online fraud. Researchers showed that an
identification system, for example,
46 Mohr, E., 2009. Security is decisive. Beitrag für IT Banken & Versicherungen, 5 Oct, available at http://www.gemalto.com/financial/ebanking/security/ (Visited on: February 17, 2023)
47 Rombel, A., 2005. Next step for Internet Banking, available at: http://www.gfmag.com/archives/87-87-february-2003/2176-features--next-step-forinternet-banking.html#axzz0IhUm79xl (Visited on: February 17, 2023)


biometric technology can significantly reduce online fraud and has
already been implemented in many banks.48

Figure 04: Frequencies of common solutions to attacks on online banking

The current study's objective was to pinpoint an e-banking
system's security risk.
This study's main objective is to identify the most useful
preventative measures that can lower the risk of e-fraud. The report
highlights 51 different types of security difficulties that banking
institutions encountered during their e-operations in order to address
question 1.6 billion dollars have already been lost as a result of
these combined dangers to clients and companies. Because of their
insufficient security measures or lack of up-to-date knowledge, the
majority of them (clients or organisations) are impacted. Therefore,
it is crucial that all parties involved in digital transactions take these
risks into account and are equipped with current information to
reduce their risk. Trojans are listed as the most serious threat out of
the aforementioned 51 different categories. The largest share of the
literature (16.36%) identifies them as a danger to e-banking.
Typically, a Trojan appears as an attachment. It takes advantage of
user ignorance and lack of security, which may result in financial
setbacks. It is viewed as a significant concern for both online and
mobile banking. The severity of malware threats was stressed in the
literature in second

48 Systematic literature review paper by Iftikhar Ahmad, Shahid Iqbal, Shahzad Jamil and Muhammad Kamran


place, followed by social engineering (10.91%), pharming (9.09%),
and phishing (9.09%). The top 10 list also includes server flaws,
port scanners, and password cracking. When using digital bank
services, e-banking users should take them seriously. Numerous
studies have outlined various prevention measures that can lower
the danger of online financial fraud. 42 different types of
protection techniques were emphasised in the chosen literature as
ways to protect against the hazards mentioned and lessen the
likelihood of financial loss. However, many researchers have paid
greater attention to proper education and awareness as a shield
against digital fraud. Security methods may change from time to
time and depend on the activities that can secure digital
transactions. According to Barker's (2018) analysis, people and
businesses that implement modern security measures and keep up with
cybercriminals' tactics are more likely to be secure49.

PROTECTION OF CONSUMER INTERESTS AND E-BANKING PLATFORM SECURITY
It goes without saying that maintaining a high level of security
for e-banking platforms will ultimately secure consumers' access
to electronic services and, likewise, the interests of financial
institutions. For a financial institution to maintain its
credibility regarding the ability to deliver e-banking services
and to protect the confidentiality and integrity of information,
it is important to manage information security, in this case based
on information and communication technologies.
The majority of legal requirements for safeguarding the
security of e-Banking platforms that protect consumer interests take
into account50:
• Ensuring the security and confidentiality of customer information;
• Protection against any anticipated threats or hazards to the
security or integrity of such information

49 Zimmerman, J. M., & Baur, S. (2016). Understanding how consumer risks in digital social payments can erode their financial inclusion potential.
50 Sohail, M. & Shanmugham, B., 2003. E-banking and Customers’ preferences in Malaysia: an empirical investigation. Information sciences, Informatics and Computer Science: an international journal, 150(3-4), pp. 207-217.


• Protection against unauthorized access to or use of such
information that could result in substantial harm or inconvenience
to any customer.
In Romania, specific legislation has been created through
Government Ordinance no. 130/2000 on the regime of distance
contracts, Law no. 455/2001 on Electronic Signatures, Government
Emergency Ordinance no. 193/2002 concerning the introduction of
modern means of payment, Law no. 677/2001 on the protection of the
processing of personal data and the free movement of such data,
with subsequent amendments, Regulation of the National Bank of
Romania no. 4/2002 concerning transactions by electronic payment
instruments and the relationship between participants in these
transactions, Law no. 365/2002 on electronic commerce, and the
Order of the Ministry of Communications and Information Technology
no. 389/27.06.2007 regarding the approval procedure of payment
instruments with remote access applications, for example Internet
banking, home banking or mobile banking.
The latest regulation makes obtaining an authorization mandatory
in order to issue remote access payment instruments. The
authorization aims to determine whether the relevant financial
institution and the software solution that serves as an
intermediary for the remote access payment instrument adhere to a
strict set of security requirements, such as51:
• Confidentiality and integrity of communications;
• Confidentiality and non-repudiation of transactions;
• Confidentiality and data integrity;
• Authentication of parties involved in transactions;
• Protection of personal data;
• Maintaining bank secrecy;
• Traceability of transactions;
• Continuity of customer service;
• Prevention, identification and monitoring of unauthorized
access to the system;

51 Sathye, M., 1999. Adoption of Internet banking by Australian consumers: an empirical investigation. International Journal of Bank Marketing, 17(7), pp. 324-334


• Restoration of information managed by the system in case of
natural disasters and unforeseen events;
• Management and administration of the information system;
• Any other activities or technical measures taken for the
safe operation of the system.
Likewise, there are legislative initiatives with respect to
fighting cybercrime: Title III of Law no. 161/04.19.2003 on certain
measures to ensure transparency in exercising public office and in
the business environment, and Law no. 64/03.24.2004 on the
ratification of the European convention on cybercrime adopted in
Budapest on November 23rd 200152.

CONCLUSION
“Mankind faces huge challenges as the 21st Century unfolds.
It is essential that our leading thinkers commit time, energy and
resources now to finding solutions to these risks and problems
which could threaten the future of humanity itself.53”

James Martin
Electronic banking offers several advantages for both existing
and prospective clients and business opportunities for banks, but
it also exacerbates typical banking risks, particularly security
risks. Additionally, we cannot disregard the fact that the main
objective of Competitive Intelligence programmes is to combine
different information sources in order to boost the competitiveness
of the financial institution while undermining the advantage of its
competitors. This knowledge is frequently obtained using legal,
ethical, and covert methods involving financial espionage. The
review applied the SLR procedure to aggregate key information
spread across different articles. Initially, 1404 articles were
extracted from six specific databases and were

52 Mohr, E., 2009, Matilla, S. et. al., 2003. Security is decisive, Beitrag für IT Banken & Versicherungen, 5 Oct. Available at http://www.gemalto.com/financial/ebanking/security/ (Visited on: February 17, 2023)
53 Pranab Kumar Bhattacharya, “Legal Framework of Electronic Commerce: A Study with Special Reference to Information Technology Act 2000”, The Indian Journal of Commerce, No. 4, Vol. 54, October December, 2001


screened with the tollgate approach in five phases; in all, 55
articles were retained. The selected articles summarised 51 types
of threats which can cause financial losses while using e-banking
services. The most serious threat is the Trojan, according to 16.36
percent of studies. Malware is described as the second most severe
threat by 14.55 percent of studies, followed by social engineering,
pharming, phishing, password cracking, port scanners and server
bugs, which are in the top list. To reduce e-banking risk and
defend against these threats, 42 kinds of prevention mechanisms are
summarised from the selected articles. More emphasis has been
placed on security methods and relevant education/awareness.
Financial institutions should adopt a strong and updated security
system and should focus on training and education to manage and
mitigate these threats. The discussion about the next phase of
e-banking security has already been under way for a long time. It
is difficult to determine when the market will really take off and
embrace state-of-the-art new technologies. The choice for banks in
the e-Banking environment is not straightforward. The more security
they add, the less customer convenience they get, along with
significant support costs. Attacks against e-Banking platforms have
increased in volume across all markets with choices for e-Banking
that are notable.
Numerous banks have understood that the current. The drawbacks of
authentication tools are the same. They don't stop online man-in-the-
middle attacks. The majority of attacks today occur in the centre, and
these replacement for security procedures. Different products on the
market all aim to achieve the same thing: adding an extra layer of
protection on the user's end so that they must physically authenticate
any recognised transactions. A multi-layer protection approach is the
best choice for security techniques, as there is no single technique
that addresses all of the different threats affecting the e-banking
platform.


CHAPTER 9

CYBER SECURITY THREATS IN INDIAN BANKING SYSTEM
Pranshul Pathak 1, Tanishtha Anand 2

“India's banking system, large population, and growing economy
make it a target for cybercriminals. Therefore, cybersecurity is
critical in today's digital age as businesses and individuals rely on
technology to store and transmit sensitive information. From
identity theft to financial fraud, the risks are real, and the
consequences can be devastating. That's why it's crucial to take
proactive steps to protect your finances online. Today, cyber-
security is a complex field that involves a range of measures to
protect against cyber threats”.

INTRODUCTION

With the rise of digital banking and online transactions,
cybersecurity has become an increasingly important
concern for individuals and businesses alike.
Cybersecurity refers to the practices and technologies designed to
protect computer systems3, networks, and digital information from
unauthorized access, theft, damage, or disruption.
One of the most critical cybersecurity measures is
authentication. Authentication is the process of verifying the
identity of users accessing a system or network. This is typically
done through the use of usernames, passwords, biometrics, or other
identification methods. Authentication is essential because it
ensures that only authorized users have access to sensitive
information and systems.
Encryption is another critical cybersecurity measure.
Encryption is the process of converting sensitive data into an

1 Assistant Professor, Amity Law School, Amity University, Gurugram (India)
2 B.A. LL.B (H), 4th Year, Amity Law School, Amity University, Noida (India)
3 Richard Kemmerer, “Cybersecurity”, International Conference on Software Engineering (ICSE) (2003).


unreadable format that can only be accessed with the correct
decryption key. Encryption is important because it ensures that even
if a cybercriminal gains access to sensitive information, they will
not be able to read or use it.
Firewalls are another important cybersecurity measure. A
firewall is a system that monitors and controls incoming and
outgoing network traffic to prevent unauthorized access to or from a
network. Firewalls are essential because they provide an additional
layer of security and can prevent cybercriminals from accessing
sensitive information. Antivirus and anti-malware software are also
essential cybersecurity measures. These programmes detect and
remove malicious software such as viruses, worms, and Trojan
horses from computer systems. Antivirus and anti-malware software
are important because they can prevent cybercriminals from
accessing sensitive information and causing damage to computer
systems.
Security patches are another critical cybersecurity measure.
Software vendors release security patches to fix security
vulnerabilities in their products. Security patches are essential
because they can prevent cybercriminals from exploiting security
vulnerabilities to gain access to sensitive information or cause
damage to computer systems. Training and awareness are also
essential cybersecurity measures. Educating employees and users
about cybersecurity risks and best practices is important because it
reduces the likelihood of security breaches. Employees and users
need to be aware of the risks associated with using the internet and
technology and understand how to protect themselves and their
sensitive information.
Cybersecurity threats come in many forms, and the best
defence is a multi-layered approach that combines multiple
cybersecurity measures. Some common cybersecurity threats
include phishing attacks, malware, and ransomware.

THE IMPORTANCE OF CYBERSECURITY IN INDIA'S BANKING SYSTEM
India is the world's second-most populous nation, and its
rapidly growing economy has made it an attractive target for
cybercriminals. With the rise of digital banking and online
transactions, cybersecurity has become a critical concern for banks
in India. Cybersecurity breaches can result in the loss of sensitive


customer data, financial fraud, and damage to a bank's reputation.4
Cybersecurity is crucial for the banking system in India as it
protects sensitive information and financial transactions from cyber-
attacks. In recent years, there has been a significant increase in
cybercrime, with hackers using sophisticated methods to gain access
to banking systems and steal confidential data. Therefore, ensuring
the security of the banking system is of utmost importance.
In the banking sector, cyber security is crucial because banks
are responsible for safeguarding their customers' financial
information, such as bank account numbers, credit card details, and
personal identification numbers (PINs). Cybercriminals can use this
information to steal money, commit identity theft, and engage in
other fraudulent activities. Therefore, banks must take every
precaution to protect their customers' data from cyber threats.
Moreover, banks are also responsible for maintaining the integrity
of the financial system, which is critical for the overall economic
stability of the country. Cyber-attacks on banks can lead to
disruptions in the financial system, which can have far-reaching
consequences for the economy. Therefore, it is essential for banks to
have robust cyber security measures in place to prevent cyber-
attacks and minimize their impact.
The Reserve Bank of India (RBI) has recognized the
importance of cybersecurity in the banking industry and has taken
steps to ensure that banks are adequately protected. The RBI[5] has
issued guidelines on information security, electronic banking, and
technology risk management to ensure that banks have robust
cybersecurity measures in place. These guidelines require banks to
identify, assess, and manage all technology-related risks, including
those related to cybersecurity. Banks are also required to conduct
regular audits of their cybersecurity systems and report any breaches
to the RBI. The RBI has also established a cybersecurity framework
that outlines the roles and responsibilities of banks, the RBI, and
other stakeholders in ensuring the security of the banking system.

[4] J. M. Alghazo, Z. Kazmi and G. Latif, "Cyber security analysis of internet banking in
emerging countries: User and bank perspectives," 2017 4th IEEE International
Conference on Engineering Technologies and Applied Sciences (ICETAS),
Salmabad, Bahrain, 2017.
[5] Reserve Bank of India, “Cyber Security Framework in Banks”, available at
https://www.inspirajournals.com/uploads/Issues/1440414074.pdf. (Visited on January
5, 2023).

Reasons why cybersecurity is vital in India's banking system:


1. Protection of Sensitive Information: Cybersecurity helps
protect sensitive information, such as customer data, financial
information, and transaction details, from falling into the
wrong hands. Cybercriminals can use this information to
commit fraud and identity theft, which can cause financial
losses to customers and banks alike.
2. Prevention of Financial Losses: Cyber-attacks can cause
significant financial losses to banks and their customers.
Cybersecurity measures can prevent these losses by detecting
and preventing cyber-attacks before they cause any damage.
3. Maintaining Trust: Banks rely on the trust of their customers
to maintain their business. A cyber-attack that results in a
breach of sensitive information can lead to a loss of trust
among customers. Cybersecurity measures can help maintain
this trust by ensuring that customer data is secure.
4. Compliance with Regulations: The Reserve Bank of India
(RBI) has issued guidelines on cybersecurity for banks and
financial institutions in India. Compliance[6] with these
guidelines is mandatory, and banks that fail to comply can
face penalties. Cybersecurity measures can help banks comply
with these regulations and avoid penalties.
5. Business Continuity: Cybersecurity measures can ensure
business continuity by protecting the banking system from
cyber-attacks. A successful cyber-attack can cause disruptions
to banking operations, leading to financial losses and a loss of
trust among customers.
Despite these efforts, cyber threats remain a significant
concern for banks in India.

TYPES OF CYBER THREATS FACED BY BANKS IN INDIA


The types of cyber threats faced by banks in India are diverse
and continually evolving. Cybercriminals[7] use a range of tactics to
penetrate banks' cybersecurity defences, including malware,
phishing, and social engineering. Malware is software designed to
harm or exploit computer systems, such as viruses, worms, and
Trojan horses. Phishing is a type of cyber-attack in which criminals
use email, text messages, or social media to trick people into giving
away sensitive information, such as passwords and credit card
numbers. Social engineering is a tactic that involves manipulating
people into divulging sensitive information, such as their login
credentials.

[6] Subodh Kesharwani, Madhulika P. Sarkar, & Shelly Oberoi. (2019). Growing Threat
of Cyber Crime in Indian Banking Sector. CYBERNOMICS, 1(4), 19-22.
[7] Klynveld Peat Marwick Goerdeler, “Indian Banking Sector - Cyber Security Survey
2019-20” (2019-20).

One of the most significant cyber threats facing banks in India
is ransomware. Ransomware is a type of malware that is used by
cybercriminals to encrypt files on a victim's computer system and
then demand payment in exchange for the decryption key.
Ransomware attacks on banks and other financial institutions can
have serious consequences, including the loss of sensitive customer
data, financial losses, and damage to the reputation of the
institution.
In recent years, there have been several high-profile
ransomware attacks on banks around the world. One such attack
was the WannaCry ransomware attack in 2017, which affected
banks and other institutions in over 150 countries. Another notable
attack was the 2018 attack on Citycomp, a German IT services
provider that provided services to several banks, including Deutsche
Bank and Commerzbank.
Ransomware attacks on banks can be devastating, as banks
are responsible for managing and safeguarding large amounts of
customer data and financial assets. Cybercriminals who gain access
to a bank's computer systems can potentially steal sensitive
customer data, such as bank account numbers, social security
numbers, and other personal information. This information can then
be sold on the dark web to other cybercriminals or used to commit
identity theft or financial fraud.
Another significant cyber threat facing banks in India is
Distributed Denial of Service (DDoS)[8] attacks. DDoS attacks are a
type of cyberattack aimed at disrupting the availability of a
website or an online service by overwhelming it with a massive
amount of traffic from multiple sources. In the financial sector,
DDoS attacks can have significant consequences, including the loss
of customer trust, financial losses, and damage to the reputation of
the affected institution. DDoS attacks on the financial sector have
become increasingly common in recent years, with some attacks
causing significant disruption to the operations of banks, financial
institutions, and other organizations in the sector. One such attack
was the 2012 DDoS attack on major U.S. banks, which resulted in
significant disruption to their online banking services for several
days. The impact of DDoS attacks on the financial sector can be
severe, as these attacks can prevent customers from accessing their
accounts, making transactions, and using other critical services.
Additionally, DDoS attacks can be used as a smokescreen for other
malicious activities, such as stealing customer data, infiltrating
the bank's systems, and launching other types of cyberattacks.

[8] Rashmi V. Deshmukh and Kailas K. Devadkar, “Understanding DDoS Attack & its
Effect in Cloud Environment” 49 Procedia Computer Science 202-210 (2015).

REGULATIONS AND LAWS GOVERNING CYBERSECURITY IN INDIA'S BANKING SYSTEM
The Indian government has recognized the importance of
cybersecurity in the banking industry and has taken steps to ensure
that banks are adequately protected.[9] The Information Technology
(IT) Act of 2000 is the principal legislation governing cybersecurity
in India. The act provides legal recognition for electronic
transactions, digital signatures, and electronic records. It also
defines offenses related to cybercrime and lays down penalties for
these offenses.
The RBI has put in place several guidelines and regulations to
ensure that banks and financial institutions maintain a robust
cybersecurity framework to protect their systems, networks, and
customer data from cyber threats. These guidelines and regulations
include:
1. Cyber Security Framework for Banks: In 2016, the RBI
issued a comprehensive Cyber Security Framework for
Banks,[10] which requires banks to have a board-approved
cybersecurity policy, an incident response plan, and regular
cybersecurity audits. The framework also mandates the
appointment of a Chief Information Security Officer (CISO)
and the adoption of multi-factor authentication for all
financial transactions.
2. Cybersecurity and Information Technology Examination
(CITE) Framework: The CITE framework was introduced in
2021 by the RBI to standardize the cybersecurity assessment
process for banks and financial institutions. Under this
framework, the RBI conducts periodic cybersecurity
assessments of banks and financial institutions to ensure that
they comply with cybersecurity guidelines and regulations.
3. RBI Guidelines on Outsourcing of Financial Services: The
RBI has also issued guidelines on outsourcing of financial
services, which require banks to ensure that their third-party
service providers comply with the RBI's cybersecurity
guidelines and regulations.
4. IT Act 2000: The Information Technology (IT) Act 2000 is
comprehensive legislation that covers various aspects of
cybersecurity, including data protection, cybercrime, and
electronic commerce. The act provides legal recognition to
electronic transactions and defines offenses related to data
theft, hacking, and cyber-terrorism.
5. Personal Data Protection Bill 2019: The Personal Data
Protection Bill 2019 is a draft bill that aims to provide a
comprehensive framework for the protection of personal data
in India. The bill outlines the obligations of data controllers
and processors and provides for penalties in case of
non-compliance.
6. Payment and Settlement Systems Act 2007: The Payment
and Settlement Systems Act 2007[11] regulates payment and
settlement systems in India. The act provides for the
regulation of payment systems and mandates the use of secure
electronic payment methods.
7. Guidelines on Information Security, Electronic Banking,
and Technology Risk Management: The RBI has issued
several guidelines on information security, electronic banking,
and technology risk management, which require banks to
adopt robust cybersecurity measures, including encryption,
multi-factor authentication, and network segmentation.

[9] IndiaCode, “The Information Technology Act, 2000”.
[10] Kshetri, N. Cybercrime and cybersecurity in India: causes, consequences and
implications for the future. Crime Law Soc Change 66, 313–338 (2016).
[11] Kshetri, Nir, “Cybersecurity and Development,” 1 Markets, Globalization &
Development Review (2016).

The RBI has also established the Cyber Security and
Information Technology Examination (CSITE) framework[12] to assess
banks' cybersecurity preparedness. The CSITE framework includes
a comprehensive checklist of cybersecurity controls and is used by
the RBI to evaluate banks' cybersecurity systems during audits.

CYBERSECURITY MEASURES TAKEN BY BANKS IN INDIA
Banks in India have implemented a range of cybersecurity
measures to protect their systems and customers from cyber threats.
Measures include firewalls, intrusion detection and prevention
systems, antivirus, and encryption. Banks in India have
implemented two-factor authentication (2FA) to enhance the
security of their online banking services. With 2FA, customers are
required to provide a second form of identification, such as a
password or biometric authentication, in addition to their login
credentials. This ensures that even if a user's login credentials are
compromised, the attacker would still need to provide the second
form of identification, making it harder for them to gain access to
the account. This is an integral method to ensure privacy. Another
measure is regular security audits: banks in India conduct regular
security audits to identify and address vulnerabilities in their
systems and processes. These audits are conducted by internal and
external auditors and help banks to identify weaknesses in their
security posture. Banks can then take steps to address these
weaknesses and improve their overall security. Thirdly, employee
training: employees are often the weakest link in a bank's
cybersecurity defences, as they may inadvertently click on phishing
emails or other malicious links. Banks in India provide regular
cybersecurity training to their employees to help them identify and
prevent cyber threats. Employees are trained to recognize phishing
emails, malware, and other common cyber threats. This helps to
reduce the likelihood of employees falling victim to cyber-attacks.
Fourthly, incident response plans:[13] banks in India have incident
response plans in place to respond to cyber-attacks quickly and
effectively. These plans outline the steps to be taken in the event of
a cyber-attack and help to minimize the impact of such attacks.
Banks may also conduct regular drills to test their incident response
plans and ensure that they are able to respond quickly and
effectively in the event of a real attack. Lastly, compliance with
cybersecurity regulations: the banking industry in India is highly
regulated, and banks are required to comply with various
cybersecurity standards and regulations to ensure the security of
their systems and customer data. The Reserve Bank of India (RBI)
has issued guidelines on cybersecurity for banks, which include
requirements for banks to implement security measures such as
firewalls, anti-virus software, and encryption. Banks are also
required to conduct regular security audits and report any
cybersecurity incidents to the RBI.

[12] Reserve Bank of India, “Master Circular - Cyber Security Framework in Banks”,
available at https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-risk-rbi-guidelines-for-cyber-security-framework-noexp.pdf. (Visited on March 7, 2023).
[13] G. R. Jidiga and P. Sammulal, "The need of awareness in cyber security with a case
study," 2013 Fourth International Conference on Computing, Communications and
Networking Technologies (ICCCNT), Tiruchengode, India, 2013.

Banks in India also use advanced analytics and machine
learning to detect and prevent fraud. Banks also conduct regular
cybersecurity audits to ensure that their systems are up-to-date and
effective in protecting against cyber threats.

CYBERSECURITY TOOLS AND TECHNOLOGIES FOR BANKING SECURITY
Banks in India use a range of cybersecurity tools and
technologies to protect their systems and customers from cyber
threats.[14] These tools include firewalls, intrusion detection and
prevention systems, antivirus software, and encryption. Banks also
use advanced analytics and machine learning to detect and prevent
fraud. To prevent cyber-attacks and protect their customers' data,
banks in India use a wide range of cyber security tools and
technologies. These include firewalls, intrusion detection and
prevention systems (IDPS), antivirus software, and encryption
technologies. Firewalls are used to block unauthorized access to
bank systems, while IDPS are used to detect and prevent
cyber-attacks in real time. Antivirus software is used to scan bank
systems for malware and remove any infections, while encryption
technologies are used to protect sensitive data from unauthorized
access.

[14] Reserve Bank of India, “Guidelines on Information Security, Electronic Banking,
Technology Risk Management and Cyber Frauds”, available at
https://www.oracle.com/a/ocom/docs/rbi-advisory-2011-guidelines.pdf. (Visited on February 16, 2023).

Moreover, banks also use multi-factor authentication (MFA)
to strengthen their security, which requires customers to provide
two or more forms of identification, such as a password and a one-
time code sent to their mobile phones. This makes it more difficult
for cybercriminals to access bank accounts, even if they have stolen
the customer's login credentials. Individuals can use a range of
cybersecurity tools to protect their finances online. These tools
include antivirus software, firewalls, and virtual private networks
(VPNs). Antivirus software can detect and remove malware from a
computer, while firewalls can block unauthorized access to a
computer's network. VPNs can encrypt internet traffic, making it
more difficult for cybercriminals to intercept sensitive information.

Cybersecurity Training and Awareness for Bank Employees and Customers
Banks provide cybersecurity training and awareness
programmes for their employees and customers. These programmes
help employees and customers understand the risks of cyber threats
and how to prevent them. Training programmes may include
simulated phishing attacks and cybersecurity best practices.
Individuals can also benefit from cybersecurity training and
awareness programmes. By understanding the risks of cyber threats
and the best practices for protecting their finances online,
individuals can reduce their risk of falling victim to cybercrime.

COMMON CYBERSECURITY SCAMS


Cybersecurity scams are becoming increasingly sophisticated
and difficult to detect. Cybercriminals use a range of techniques to
trick people into revealing sensitive information, downloading
malicious software, or sending money. In this article, we will
discuss some of the most common cybersecurity scams and how to
avoid them.
1. Phishing Scams: Phishing scams are one of the most
common cybersecurity scams. In a phishing scam, a
cybercriminal sends an email or message that appears to be
from a legitimate source, such as a bank or social media site.
The email or message typically contains a link to a fake
website that asks the user to enter their login credentials or
other sensitive information. Phishing scams can be difficult to
detect because they are often well-crafted and appear to be
legitimate.
How to avoid phishing scams: Be wary of any unsolicited
emails or messages that ask you to click on a link or provide
personal information. Always double-check the sender's email
address or website URL to ensure it is legitimate. Use
anti-phishing software to help detect and block phishing emails.
2. Malware Scams: Malware scams are a type of cybersecurity
scam in which a cybercriminal sends an email or message that
contains a link to download malware. Malware is malicious
software designed to damage, disrupt, or gain unauthorized
access to a computer system. Malware
can come in many forms, including viruses, worms, and
Trojan horses.
How to avoid malware scams: Be cautious when clicking on
links or downloading attachments from unknown sources. Use
antivirus software to detect and remove malware from your
computer system.
3. Social Engineering Scams: Social engineering scams[15] are a
type of cybersecurity scam in which a cybercriminal uses
social engineering techniques to manipulate people into
revealing sensitive information or performing actions that
benefit the cybercriminal. Social engineering scams can take
many forms, including phone calls, emails, or in-person
interactions.
How to avoid social engineering scams: Be cautious when
providing sensitive information to anyone, even if they
appear to be from a legitimate source. Be wary of unsolicited
phone calls or emails that ask for personal information or
payment.
4. Tech Support Scams: Tech support scams are a type of
cybersecurity scam in which a cybercriminal poses as a
technical support representative and contacts the victim,
claiming that there is a problem with their computer system.
The cybercriminal then offers to fix the problem for a fee or
by gaining remote access to the victim's computer system.
How to avoid tech support scams: Be wary of unsolicited
phone calls or emails claiming that there is a problem with
your computer system. Never provide remote access to your
computer system unless you have initiated the request and
have verified the identity of the person providing the support.
5. Fake Anti-Virus Scams: Fake anti-virus scams are a type of
cybersecurity scam in which a cybercriminal poses as an
anti-virus software provider and offers to sell or provide fake
anti-virus software. The fake software may contain malware that
can damage or steal sensitive information from the victim's
computer system.
How to avoid fake anti-virus scams: Only download and
install anti-virus software from reputable sources. Be wary of
unsolicited emails or messages claiming that there is a
problem with your computer system and offering to sell or
provide anti-virus software.
6. Email Spoofing Scams: Email spoofing scams are a type of
cybersecurity scam in which a cybercriminal spoofs the
sender's email address to make it appear as though the email
is from a legitimate source. The email may contain a link to a
fake website that asks the user to enter their login credentials
or other sensitive information.
How to avoid email spoofing scams: Always double-check
the sender's email address to ensure it is legitimate. Be wary
of unsolicited emails that ask you to click on a link or provide
personal information.

[15] Neha Chhabra Roy and Sreeleakha Prabhakaran, “Sustainable Response System
Building Against Insider-Led Cyber Frauds in Banking Sector: A Machine Learning
Approach” 29 Journal of Financial Crime (2022).
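
The sender and link checks recommended for phishing and email spoofing scams above can be partly automated by a mail filter. The following Python example is added here and is not part of the original chapter; the bank name, every domain (examplebank.test and the others), the TRUSTED mapping and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brand name -> domain the bank really sends from (constructed values).
TRUSTED = {"example bank": "examplebank.test"}

# Constructed sample of a spoofed message; every name and domain is made up.
SAMPLE = """\
From: "Example Bank Support" <support@examp1ebank-secure.test>
Reply-To: refunds@mailbox.test
To: customer@mail.test
Subject: Verify your account
Authentication-Results: mx.mail.test; spf=fail smtp.mailfrom=examp1ebank-secure.test; dkim=none; dmarc=fail header.from=examp1ebank-secure.test
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, please confirm your login:</p>
<a href="http://login.examp1ebank-secure.test/verify">https://www.examplebank.test/login</a>
</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
URLISH_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#]|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def domain_of(address):
    return address.rpartition("@")[2].lower()


def is_under(domain, parent):
    """True if domain is parent itself or one of its subdomains."""
    return domain == parent or domain.endswith("." + parent)


def shown_host(text):
    """Host name displayed in link text, or None if the text is not URL-like."""
    text = text.strip()
    if not URLISH_RE.match(text):
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def check_message(raw, trusted):
    """Return a list of warning codes for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # 1. Display name uses the bank's name but the address is on another domain.
    for brand, dom in trusted.items():
        if brand in name.lower() and not is_under(from_dom, dom):
            findings.append("display-name-impersonation")
    # 2. Replies would go to a different domain than the apparent sender.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to-mismatch")
    # 3. SPF/DKIM/DMARC verdicts. Trust this header only when your own
    #    receiving server added it; a sender can forge a copy of it.
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, result in AUTH_RE.findall(header.lower()):
            if result != "pass":
                findings.append(f"{mechanism}={result}")
    # 4. Link text shows one host while the href points to another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode("utf-8", errors="replace")
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            shown, actual = shown_host(text), urlparse(href).hostname
            if shown and actual and shown != actual:
                findings.append("link-mismatch")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE, TRUSTED):
        print(finding)
```

Each code maps to one of the manual checks in the list; a message that triggers none of them can still be fraudulent, so the filter supplements the advice rather than replacing it.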

CASE STUDIES OF CYBERSECURITY BREACHES IN


INDIA'S BANKING SYSTEM
Cybersecurity breaches in India's banking system are not
uncommon, and several banks and financial institutions have fallen
victim to cyber-attacks over the years. India has experienced several
high-profile cybersecurity breaches in its banking system in recent
years. Some of the notable cybersecurity breaches in India's banking
system are:

1. State Bank of India: In 2016,[16] cybercriminals breached the
systems of India's largest bank, the State Bank of India, and
stole the personal information of millions of customers. The
attackers were able to access the personal and financial
information of the affected customers, including their names,
addresses, phone numbers, and bank account details. The
bank detected the breach after it received complaints from
customers about unauthorized transactions and reported the
incident to the authorities.
2. Punjab National Bank System Breach: In 2018,[17] hackers
breached the systems of Punjab National Bank and stole over
$2 billion through fraudulent transactions.
3. State Bank of India (SBI) Data Leak: In 2019, a
cybersecurity researcher discovered that a server of the State
Bank of India's Quick app had been left unprotected, exposing
the data of millions of SBI customers. The data leak included
sensitive information like account numbers, bank balances,
and recent transactions.
4. Cosmos Bank Cyber-Attack: In August 2018, Cosmos
Bank,[18] a cooperative bank based in Pune, Maharashtra,
suffered a cyber-attack that resulted in a loss of over Rs. 94
crore ($13.5 million). The hackers used malware to infiltrate
the bank's ATM switch server and conducted fraudulent
transactions in 28 countries.
5. Bank of Maharashtra Cyber-Attack: In 2018, the Bank of
Maharashtra reported that hackers had stolen Rs. 25 crore
($3.5 million) through fraudulent transactions on its ATM
switch server. The bank's internal investigation revealed that
the hackers had used malware to infiltrate the bank's servers
and conduct unauthorized transactions.
6. Union Bank of India Data Leak: In 2017, Union Bank of
India discovered that its system had been hacked, and the data
of around 3.5 million customers had been stolen. The data
included names, addresses, account numbers, and Aadhaar
card details.
7. Yes Bank Data Breach: In 2019, Yes Bank,[19] a private
sector bank, reported a data breach that had exposed the
personal data of around 2.6 lakh customers. The data leak
included names, addresses, mobile numbers, and email IDs.

[16] Satyanarayan Iyer, 'Security breach: SBI blocks over 6L debit cards',
timesofindia.indiatimes.com, available at https://shorturl.at/flF24. (Visited on
November 8, 2022).
[17] IANS, ‘Now, A Data Breach At Punjab National Bank’, cioandleader.com, available
at https://www.cioandleader.com/article/2018/02/23/now-data-breach-punjab-national-bank. (Visited on January 23, 2023).
[18] M. L. Reddy and V. Bhargavi, “Cybersecurity attacks in banking sector” Emerging
security challenges and threats. American International Journal of Research in
Humanities, Arts and Social Sciences, 21(1), 65–71, (2018).

These cybersecurity breaches highlight the need for banks and
financial institutions to maintain a robust cybersecurity framework
to protect their systems, networks, and customer data from cyber
threats. The RBI has put in place several guidelines and regulations
to ensure that banks and financial institutions maintain a strong
cybersecurity posture. However, it is also essential for banks to
continuously update their cybersecurity measures and conduct
regular cybersecurity audits to identify and address vulnerabilities.

CONCLUSION
Cyber security is of paramount importance in India's banking
sector, given the sensitive financial data that banks handle on a daily
basis. The country's large population and growing economy make it
an attractive target for cybercriminals. Banks in India have
implemented a range of cybersecurity measures to protect their
systems and customers from cyber threats, but cybercriminals
continue to evolve their tactics, making it essential for banks and
individuals to remain vigilant.
Cybersecurity threats continue to pose significant challenges
to the banking sector in India and across the world. Banks and
financial institutions face a growing number of cyber-attacks that
are becoming more sophisticated and targeted. The consequences of
a successful cyber-attack can be severe, including financial losses,
reputational damage, and regulatory penalties. Therefore, it is
crucial for banks to implement robust cybersecurity measures to
protect their systems, networks, and customer data from cyber
threats.

[19] Bamrara, Dr. Atul and Singh, Gajendra and Bhatt, Mamta, “Cyber Attacks and
Defense Strategies in India: An Empirical Assessment of Banking Sector”, SSRN
(January 1, 2013)

To ensure better cybersecurity practices in banking, there is a
need for a multi-pronged approach that includes the following:
1. Awareness and Education: Banks must raise awareness
among their employees, customers, and stakeholders about
cybersecurity risks and best practices. This includes regular
training and awareness campaigns on safe online practices
and the importance of cybersecurity.
2. Investment in Cybersecurity: Banks must invest in
cybersecurity infrastructure, including firewalls, intrusion
detection and prevention systems, and content filtering,
among others. This includes regularly reviewing and updating
their cybersecurity measures to keep up with emerging
threats.
3. Collaboration: Banks should collaborate with each other,
government agencies, and cybersecurity experts to share
information and best practices on cybersecurity. This includes
participating in cyber incident response exercises and sharing
threat intelligence.[20]
4. Regulatory Compliance: Banks must comply with
regulatory requirements related to cybersecurity, including
guidelines issued by the RBI and other regulatory bodies. This
includes conducting regular cybersecurity audits and
assessments to identify vulnerabilities and address them
promptly.
Cybersecurity threats pose a significant challenge to the
banking sector, and banks must take proactive steps to protect their
systems, networks, and customer data. By raising awareness,
investing in cybersecurity infrastructure, collaborating with
stakeholders, and complying with regulatory requirements, banks
can better protect themselves from cyber threats and ensure a secure
banking environment for their customers.
By following best practices for protecting their finances
online, individuals can reduce their risk of falling victim to
cybercrime. Banks can also benefit from increased cybersecurity
awareness and training for their employees and customers.

[20] Ahmad Ali, “Cyber Security Policing: Analysing National Cyber Security Policies of
India and Pakistan” 40 (2022).

As the banking industry in India continues to grow and
evolve, it's essential to prioritize cybersecurity to maintain customer
trust and protect against cyber threats. Together, we can create safer
and more secure digital banking in India.


CHAPTER 10

A COMPARATIVE STUDY ON CYBER SECURITY LAWS AND POLICIES: LEGISLATIVE FRAMEWORK OF INDIA AND USA
Dr. Anurag Sharma[1], Vansh Goyal[2]

“The Internet has made the inflow and outflow of data and
information between different networks easy and rapid. The
transmission of information to faraway locations has become a
major concern from the security perspective, and this concern has
grown day by day over the past few years. The security concern relates
to criminal activities carried out by a few people for their
economic benefit. Criminal activities such as fake economic scams and
unauthorized access to other networks are some of the major
cybercrimes. These crimes also take place through social media
platforms such as WhatsApp, Instagram and Facebook, and
through various online shopping sites. Therefore, to prevent these
types of criminal activities and to punish these criminals, “Cyber
Laws and Policies” are being introduced by different nations to protect
their secret information and data. These Laws and Policies deal with
cyberspace and other legal issues such as data privacy and security.
A comparative study of the Cyber Laws and Policies of India and USA
may therefore be done with this perspective in mind. This chapter is
divided into three sections in order to provide a brief overview of
the Cyber Laws and Policies of India and USA and their comparative
study.”

[1] Principal, Vivekananda College of Law, Aligarh (Mahendra Pratap Singh University,
Aligarh), (India)
[2] B.Com. LL.B (H), 3rd Year, Institute of Legal Studies & Research, GLA University,
Mathura, (India)

INTRODUCTION

The Internet has revolutionized the transfer of data and
information between different networks, making it faster and
easier. With the widespread use of the Internet for activities
like online shopping and financial transactions, security has become
a major concern. The resulting security concerns have given rise to
"Cyber Crimes", which are crimes committed through computer
networks in cyberspace. Cybercriminals, commonly
known as "Hackers," gain unauthorized access to users' information,
leak confidential information, disclose sensitive business
information and government information concerning national
security.
To protect individuals, organizations, and governments from
these e-crimes, various Cyber Laws and policies have been
implemented to safeguard sensitive information. Cyber Laws are
laws that govern cyberspace, digital and electronic signatures, data
protection, privacy, and other aspects of electronic transactions. The
Information Technology (IT) Act of India, enacted in 2000, was
modeled after the United Nations Commission on International Trade
Law (UNCITRAL) Model Law on Electronic Commerce.

CYBER LAWS IN INDIA
Cyber Laws hold significant importance in a country like
India where internet usage is widespread, as they regulate the use of
cyberspace and protect the use of information, software, electronic
commerce, and financial transactions. These laws are strict and help
to improve connectivity while addressing security risks.
Furthermore, Indian Cyber Laws have played a crucial role in
promoting the adoption of e-commerce and e-governance, thus
advancing the goals of the Digital India initiative with broader reach
and greater efficiency.
In studying Cyber Laws, one question must be answered: ‘Why is
there a need for Cyber Laws?’ Just as other countries have laws on
Cyber Crimes, India too must address such crimes. According to
recent population data, India is now the most populous country in
the world, having overtaken China, and as the population grows,
cybercrimes are growing rapidly alongside technological change.
Such laws are needed to address security concerns over private data
and information. Recent data reveals that the government is losing
approximately Rs 1.25 lakh crore per year due to cyberattacks
alone. This figure comes from the Economic Times Analysis of
CyberCrime.

According to a recent Kaspersky report, 1.3 million to 3.3
million cyberattacks took place in the first quarter of 2020, during
the COVID-19 pandemic, and approximately 4.5 million
cyberattacks took place in July 2020, the largest number recorded
so far. To prevent cyberattacks, which cause economic harm to
people, it is necessary to draft and introduce Cyber Laws. In view
of this, our Parliament has enacted some Cyber Laws in previous
years.

Information Technology Act, 2000 (IT Act)


The IT Act of 2000, also known as Act 21 of 2000, was the
first legislation in India that focused on cybercrime and
e-commerce. It was enacted by the Parliament on June 9, 2000, and
became effective on October 17, 2000. The act is comprised of 94
sections divided into 13 chapters and 4 schedules, and is applicable
throughout the entire territory of India. The Intermediary Guidelines
Rules of 2011 and the Information Technology (Intermediary
Guidelines and Digital Media Ethics Code) Rules of 2021 are
secondary regulations under this act. In cases where a computer or
network in India is involved in the crime, individuals from other
countries can also be charged under the law.
The objective of this act is “to provide legal recognition to the
financial transactions which are carried out through electronic data
swapping and other different means of e-communication, commonly
named as the methods of e-communication and storage of
information, to facilitate electronic filing of documents with the
Government agencies and further to amend the Indian Penal Code,
1860, the Indian Evidence Act, 1872, the Banker’s Book Evidence
Act, 1891, and the Reserve Bank of India Act, 1934, and for matters
connected therewith or incidental thereto.”
The Information Technology Act of 2000 includes several
noteworthy provisions, such as:

• The legal recognition of email as a valid method of
communication and the validity of digital signatures. The act
also allows new businesses to issue digital certificates that
hold legal recognition. Additionally, the government is
permitted to use electronic governance to issue notices, and
communication between different companies and between
companies and the government can be easily conducted
through the internet.
• Digital signatures are now helpful in determining the identity
of an individual; this act provides a remedy in case of any loss
or harm caused to any individual; it also gives the legal
validity for the acceptance of any contract electronically.

This act was amended in 2008 because it did not cover all the
grounds of cybercrimes committed; the amendments were passed
in the Rajya Sabha on 23rd December, 2008. Some major sections
were incorporated in this act: Section 66 (A), Section 67 (B) and
Section 69 were incorporated through the amendment in 2008.3
There are some important provisions of the IT (Amendment) Act,
2008 which deal with the punishments for cybercrimes. Section 43
of the law outlines the penalty and compensation for damages
caused to computers, computer systems, and similar resources. It
states that anyone who gains access to a computer, computer
system, or computer network, or any related resources without
authorization from the owner or person in charge, and downloads,
copies, or extracts any data or information, including those stored in
removable storage media, or introduces a computer virus or
contaminant, or manipulates a computer network to charge services
to another person's account, shall be held accountable for paying
compensation to the affected person for any resulting damages.
The second important section, Section 65 of the act, deals with
tampering with computer source documents, which is defined as
willfully altering, destroying, or concealing a computer source code
used for a computer programme, computer system, or computer
network. Those found guilty of this offence may face imprisonment
for up to three years and a fine of up to ₹2 lakhs. Section 66 of the
act covers hacking into a computer system. It states that any
individual who commits one of the acts outlined in section 43 with
dishonest or fraudulent intent can face imprisonment for up to three
years, a fine of up to ₹5 lakhs, or both.

3 Section 43 of the Information Technology Act, The Centre for Internet and Society,
available at: https://cis-india.org/internet-governance/resources/section-43-it-act.txt
(Visited on: March 12, 2023)


Section 66 (A) covers cyber stalking and can result in a prison
term of up to three years and a fine for transmitting offensive
messages via communication devices like computers or mobile
phones.4 Next, Section 66 (B) deals with the punishment for
dishonestly receiving stolen computer resources or communication
devices.5 If an individual holds or receives a stolen device or
resource with knowledge or suspicion of it being stolen, they may
face a prison term of up to three years, a fine of up to ₹1 lakh, or both.
The act of identity theft specified under Section 66 (C)6 can result in
imprisonment for a maximum of three years and a fine of up to ₹1 lakh.
This includes fraudulent or deceitful use of someone else's electronic
signature, password, or any other unique identification feature.
Section 66(D) of the IT Act deals with the punishment for
cheating by impersonation, using a computer resource. It stipulates
that individuals who commit fraud by impersonating someone else
using a computer resource or communication device may face a
maximum fine of ₹1 lakh and imprisonment of up to three years.
Section 66(E) pertains to the violation of privacy and imposes
imprisonment of up to three years and/or a fine of up to ₹2 lakhs for
publishing, capturing, or transmitting private images without the
consent of the individual depicted. Section 66(F) concerns
cyberterrorism and provides for imprisonment for individuals who
intentionally engage in any cyberterrorism act, which may extend
up to life imprisonment.
Section 67 of the IT (Amendment) Act, 2008 addresses the
publication of obscene material in electronic form and prescribes
penalties for offenders. The first conviction for publishing,
transmitting or sharing lascivious content that has the potential to
corrupt individuals may result in imprisonment for up to three years
and a fine of up to ₹10 lakhs, and subsequent convictions in up to
five years of imprisonment. Section 67(A) pertains to the publication
of sexually explicit material and carries penalties of imprisonment for
up to five years and a fine of up to ₹10 lakhs for the first offense, and
up to seven years of imprisonment and a fine of up to ₹10 lakhs for
subsequent convictions. Section 67(B) addresses the criminal
offense of producing, transmitting, or possessing child pornography
and provides for imprisonment of up to five years and a fine of up to
₹10 lakhs for the first conviction, and imprisonment of up to seven
years and a fine of up to ₹10 lakhs for subsequent convictions.
Section 67(C) imposes an obligation on intermediaries to retain
information in accordance with government regulations, and
intentional or knowing violation may result in imprisonment of up to
three years and a fine.

4 Shreya Singhal v. Union of India [AIR 2015 SC 1523]
5 Juvenile X v. St. of UP and Anr. [2022]
6 CBI v. Arif Azim (Sony Sambandh Case) [(2008) 150 DLT 769]

Section 68 of the IT Act empowers the Controller to issue
directions if any measures or cessation of activities are necessary to
ensure compliance with the Act, rules, or regulations framed under
it. The Controller can issue an order to a Certifying Authority or its
employee to adopt such measures or stop the activities mentioned in
the order. Anyone who intentionally disobeys a direction under
sub-section (1) is liable to be punished with imprisonment for a
maximum term of two years and/or a fine of up to ₹1 lakh upon
conviction. Section 69 deals with failure or refusal to decrypt
data. According to this section, the Central Government, State
Government, or their authorized officers have the authority to direct
an agency of the appropriate Government to intercept, monitor, or
decrypt any information that is produced, transmitted, received, or
stored in any computer resource. This action can be taken if it is
deemed necessary or expedient in the interest of India's sovereignty
or integrity, defense, security, friendly relations with foreign States,
or public order, or to prevent incitement to commit any offense
relating to the above or for investigating any offense. The order
must be documented in writing, and the interception or monitoring
must be performed according to the prescribed procedure and
safeguards. The subscriber, intermediary, or person in charge of the
computer resource is obliged to provide technical assistance and
access to the information when requested by the agency. Failure to
do so can result in imprisonment for up to seven years and a fine.7
Section 70 of the IT Act pertains to securing access or
attempting to secure access to a protected system. When a computer
resource has an impact on Critical Information Infrastructure, the
appropriate government can declare it a protected system. Those
who gain or attempt to gain access to such a system may face
imprisonment of up to ten years and fines. The Central Government
is responsible for establishing information security practices and
procedures for these protected systems. Section 71 outlines the
penalty for misrepresentation, stating that those who falsify or
withhold information to obtain a license or electronic signature
certificate may face imprisonment of up to two years, a fine of up to
₹1 lakh, or both. Section 72 covers the penalty for breaching
confidentiality and privacy, making unauthorized access to
electronic records or information without consent illegal. Those who
violate this may face imprisonment for up to two years, a fine of
up to ₹1 lakh, or both.

7 Government Website, available at: https://www.indiacode.nic.in/ (Visited on: March
12, 2023)

Section 72(A) of the IT Act provides punishment for
disclosing personal information obtained under a lawful contract
without the concerned person's consent, with the intention of
causing wrongful gain or loss. The offender may face imprisonment
for up to three years, a fine of up to ₹5 lakhs, or both. Section 73
prohibits publishing electronic signature certificates to the public or
others, knowing that the certificate has not been issued by the listed
Certifying Authority, accepted by the subscriber listed in the
certificate, or has been revoked or suspended, except for verifying a
digital signature made before such suspension or revocation. A
violation of this provision may lead to imprisonment for up to two
years and a fine of up to ₹1 lakh. Section 74 deals with the
punishment for intentionally manufacturing, publishing, or making
available an electronic signature certificate for any fraudulent or
illegal purpose. Such an offense may result in imprisonment for up
to two years, a fine of up to ₹1 lakh, or both.
In State of Tamil Nadu v. Dr. L Prakash,8 Dr. L. Prakash
was charged with producing pornographic tapes and sending them
to France and the US for publication. An FIR was filed against him
under Section 67 of the IT Act of 2000, Sections 4 and 6 of the
Indecent Representation of Women Act, Section 27 of the Guns Act,
and Sections 120B and 506 (2) of the IPC. The Fast Track
Court found the defendant guilty in accordance with the
aforementioned clauses and sentenced him to life in prison and a
fine of Rs. 1.27 lakh. As the first case in which pornographic
websites and their brokers were targeted in India, this is a seminal
instance of cybercrime law.

8 W.P.M.P. No. 10120 of 2002, available at: https://www.lawyersclubindia.com/articles/important-cases-on-information-technology-act-2000-14861.asp
(Visited on: March 15, 2023)

In Nirmaljit Singh Narula v. Indijobs at Hubpages.Com,9
the lawsuit concerned a slanderous article the defendant wrote
against the petitioner (popularly known as Nirmal Baba). The
petitioner sent the intermediary a legal notification requesting the
removal of that defamatory content in accordance with Section 79
of the Information Technology Act of 2000. The intermediary
refused, and an FIR was then filed against them.
The Court ruled that if the intermediary receives a legal
notification from the harmed party to remove the libelous article,
it is required to take it down. If the intermediary takes down
third-party content after being notified, it is not held accountable.
The court also issued an injunction forbidding the defendant
from releasing any more false information on the petitioner.
In Shankar v. State Rep,10 the petitioner, Shankar, filed a
petition in court under Section 482 of the CrPC to
dismiss the accusation of gaining unauthorized access to the secure
system of the Legal Adviser of the Directorate of Vigilance and
Anti-Corruption (DVAC), which violated Sections 66, 70, and 72 of
the IT Act. However, the court ruled that the chargesheet filed
against Shankar cannot be overturned, as the law does not allow for
the granting of prosecution sanction under Section 72 of the IT Act.
In Umashankar Sivasubramanian v. ICICI Bank,11 the
petitioner received an email from ICICI Bank requesting his login
credentials for Internet Banking. The petitioner replied to the mail
with the aforementioned details, only to subsequently learn that he
had been conned out of Rs. 6.46 lakhs. Then, in order to receive
compensation, he filed a complaint with the adjudicating authorities
regarding ICICI Bank. As a result of ICICI Bank's violation of
Sections 85 and 43 of the IT Act, 2000, the adjudicating authority
ordered it to pay the petitioner Rs. 12.85 lakh.
CBI Vs Arif Azim (Sony Sambandh case)12 involves a
website called www.sony-sambandh.com that permitted NRIs to
send Sony products to their Indian acquaintances, provided that
payment was made prior to booking the products. In May 2002, an
order for a Sony TV and a cordless phone was placed by someone
using the login name Barbara Campa on behalf of Arif Azim, a
resident of Noida. The payment was made using a credit card and
the order was delivered to the correct address. However, the actual
owner of the goods protested the purchase, and the credit card
company notified Sony Co. that the payment was illegal. A
complaint was filed and a case was initiated under sections 418,
419, and 420 of the IPC. According to the investigation, Arif Azim,
who worked at a call centre in Noida, had access to Barbara
Campa's credit card information. The issue raised was whether the
IPC could be relied upon as credible and effective legislation when
the IT Act was not comprehensive enough. Arif Azim was found
guilty, but due to being a first-time offender and a minor, the judge
imposed a lenient sentence of a year's probation. The court
determined that the IPC could be dependable and beneficial when
the IT Act was inadequate.

9 CS(OS) 871/2012
10 Crl.O.P No. 6628 of 2010
11 Petition No. 2462 of 2008
12 Supra (6)

In State of Tamil Nadu Vs Suhas Katti,13 the accused
planned to marry the victim, who was a family friend of his, but she
married another man first, and they later divorced. The
accused then pressured her once again to marry him,
but she refused. The accused then began harassing her over the
marriage by online means. He created a false email account in the
victim's name, then began publishing offensive, damaging
information about the victim on it. The chargesheet was submitted
against the accused in accordance with Section 67 of the IT Act and
Sections 469 and 509 of the IPC. The Additional Chief Metropolitan
Magistrate found the accused guilty: under Sections 469 and 509 of
the IPC, he was sentenced to two years of rigorous imprisonment
and a fine of Rs. 500; under Section 67 of the IT Act, he was
sentenced to one year of simple imprisonment and a fine of Rs. 500;
and under Section 469, he was sentenced to two years of rigorous
imprisonment and a fine of Rs. 4,000.
The Government of India has also taken the following
measures to prevent cybercrimes:
To report and look into cases of cybercrime, cybercrime cells
have been established in states and UTs; in addition, the government
has established Cyber Forensic and Training Labs under the IT Act
of 2000 in the states of Kerala, Assam, Bombay, Mizoram,
Manipur, Nagaland, Arunachal Pradesh, etc. with the purpose of
raising awareness about and preparing people to combat
cybercrimes.

13 CC No. 4680 of 2004

The Indian government has collaborated with various
organizations, including the Data Security Council of India (DSCI)
and NASSCOM, to establish Cyber Forensic Labs in Mumbai,
Bangalore, Pune, and Kolkata. These labs serve as centers for
education, research, and training in the field of cybercrimes. To
increase public awareness of cybercrimes, the government has also
initiated several programmes. Additionally, National Law School in
Bengaluru and NALSAR University of Law in Hyderabad are
currently offering various programmes to educate judicial personnel
on cyberlaws and cybercrimes.14

INFORMATION TECHNOLOGY RULES, 2011 (IT RULES)


The 2011 Information Technology (Reasonable Security
Policies and Procedures and Sensitive Personal Data or Information)
Rules were introduced to limit the managing of private information
by organizations, in line with the 2008 update to India's IT Security
Act. Businesses and institutions that handle personal information are
required to establish comprehensive accountability mechanisms.
This includes those that collect, receive, hold, store, or deal with
such information. The Information Technology Rules, 2011 are
summarised below:
• Restrictions on Data Collection and Processing: At the
time of first collection, businesses are required to notify
individuals that their information is being collected. The
reason the information is being gathered, the targeted
recipients, and the contact information for both the collecting
agency and the receiving agency must also be disclosed to
them. Moreover, constraints are put in place to prevent the
processing of data for unrelated purposes, allowing it to only
be used for that purpose.
• Definition of Personal Data: Personal Data denotes
information pertaining to an individual that can aid in their
identification and may be merged with other data procured or
utilized by the organization. Sensitive Personal Data
encompasses passwords, financial details, health information
(such as physical, mental, medical, and biometric data), and
information about sexual orientation. Nevertheless,
information accessible to the public or obtained via public
domains does not fall under the category of sensitive personal
data.
• Additional Restrictions for Sensitive Personal Data:
Written consent must be obtained by the processor either by
letter, mail or fax, before processing the sensitive data.
• Security: According to this requirement, a firm must adhere
to appropriate security procedures. Additionally, it stipulates
that a business must publish its thorough information security
programme, which must include guidelines for "managerial,
technical, operational, and physical control mechanisms"
pertaining to information assets and the sector they belong to.
Additionally, it specifies that organisations must demonstrate
that they have followed their stated security control
procedures in the event of a security breach.

14 Verma A., Pandey A.K., Women in Parliament-Issues and Discussions, EduPedia
Publication (P) Ltd., New Delhi, India, 2016, pp. 59-60

Future Implications of IT Rules, 2011


The Government of India released National Cyber Security
Policy, 2013 on July 2nd, 2013. In this policy some future
implications were mentioned. These are:
• The development of approximately 500,000 skilled
cybersecurity professionals over the next 5 years; and the
establishment of a National Critical Information
Infrastructure Protection Centre, as well as the
assignment of a national body to manage all
cybersecurity-related activities.
• Increasing international collaboration in the fight against
cybersecurity threats and improving cybersecurity training
and education programmes; and the creation of a dynamic
legislative framework to handle cybersecurity issues in fields
like cloud computing, mobile computing, and social media, as
well as the appointment of a Chief Information Security
Officer for all commercial and governmental companies.
The Government of India has taken many measures to prevent
cybercrimes. It enacted the Information Technology Act, 2000; the
problems in the IT Act, 2000 were addressed by the IT
(Amendment) Act, 2008, which inserted several new provisions in
the IT Act. The Government also made the IT Rules, 2011, which
define some important terms.

CYBER LAWS IN USA


The United States of America had a population of approximately
334 million in 2023, which makes it the third most populous country
in the world behind only China (1.426 billion) and India (1.425
billion). US Federal Agencies have released data recording
cyberattack cases for the years 2006-20. The data shocked everyone
because of the large number of cases.

Computer Fraud and Abuse Act, 1986 (18 USC 1030)


The Computer Fraud and Abuse Act (CFAA) of 1986 is an
amendment to the Comprehensive Crime Control Act of 1984
(CCCA), and prohibits unauthorized access to computer systems.
Given the increasing prevalence of cybercrime, consistent
enforcement of the CFAA is necessary. Over time, the CFAA has
undergone amendments, including revisions made under the USA
Patriot Act in response to the 2001 terrorist attack. These revisions
allow for the search and seizure of records from internet service
providers.15 In 2008, it was amended to cover a broad
range of cybercrimes.

CFAA criminalizes the following conduct:


• the deliberate act of gaining unauthorized entry into a
computer system or exceeding the authorized access level to
access protected information, as well as the act of
accessing a protected computer without authorization with the
intention of committing fraud and stealing anything worth
over $5,000 within a year;
• the deliberate act of transmitting a programme, information,
code, or command with the awareness that it will cause the
destruction of a protected computer without proper
authorization;
• unauthorized access to a secure computer with the intention of
causing harm, trafficking in passwords or access credentials to
deceive, and extortion through the use of computers.

15 Cole B., What is Computer Fraud and Abuse Act, 2012, available at:
https://www.techtarget.com/searchsecurity/definition/Computer-Fraud-and-Abuse-Act-CFAA/
(Visited on: March 13, 2023)

In some circumstances, civil actions can also be taken
under the CFAA:
• Loss of $5,000 or more incurred by one or more individuals
within a 12-month period (including losses resulting from a
related series of activities affecting one or more additional
protected systems) would be subject to investigation,
prosecution, or other legal action taken by the United States.
• The alteration, impairment, or possible alteration, of a medical
examination, diagnosis, therapy, or care given to one or more
people; any physical harm to a person; a danger to the safety
or health of the public;
• A computer that is utilized by or for a United States
Government entity suffers damage that hinders the
administration of justice, national defence, or national
security; or, damage that occurs over the course of a year to
ten or more protected computers.

In US v. Andrew Auernheimer,16 Andrew Auernheimer
was able to obtain email addresses of AT&T customers who
registered for iPad accounts using their email addresses. Despite
AT&T being informed about the security issue, no action was taken.
He even released some of the email addresses to the media, but did
not obtain additional customer information. AT&T reported him to
federal authorities for violating the Computer Fraud and Abuse Act
(CFAA), although the incident did not occur in New Jersey. The
CFAA violation was used to enhance a violation of the state's
computer crime law, resulting in a potential sentence upgrade from
a misdemeanour to a felony. This practice is known as "stacking"
crimes, in which the federal government employs state laws to
increase charges, even if both federal and state statutes cover the
same offence.
US v. Lori Drew17 involved the prosecution of Lori
Drew after a 13-year-old girl committed suicide. Drew and others
created a fake account on MySpace in order to interact with the girl.
This was against the platform's terms of service, and Drew was
charged with CFAA crimes and conspiracy after the incident.
Although Drew was acquitted on most counts, she was found guilty
of a minor CFAA violation. The U.S. District Court overruled the
verdict, stating that violating a website's terms of service does not
necessarily constitute a federal crime. The court argued that
interpreting the law too broadly would result in many innocent
internet users being charged with federal crimes, and they should be
given clear notice of prohibited actions.

16 No. 13-1816; 3rd Cir. Apr. 11, 2014
17 No. CR08-0582-GW; C.D. Cal. Aug. 28, 2009

In US v. David Nosal,18 the central accusation against David
Nosal was that, in order to help him launch a new, rival firm, he
recruited his former co-workers to use their log-in credentials to
extract certain data from corporate computers. Although these
co-workers had permission to see the material, sharing it was against
corporate policy. Twenty offences were brought against Nosal by
the government, including theft of trade secrets, mail fraud,
conspiracy, and CFAA crimes. The U.S. District Court dismissed
the CFAA charges after receiving a request to dismiss on the
grounds that the term "exceeds allowed access" does not include
business standards limiting the use of information. The Ninth
Circuit sided with the government in its appeal (opinion). According
to the Ninth Circuit, breaking usage limits does not fall within the
CFAA's definition of "exceeds allowed access." The court arrived at
this result using both common sense and the rule of lenity. The
court specifically argued that a more restrictive reading is
acceptable since the CFAA is a law against hacking and lawmakers
addressed the theft of trade secrets in another section of the federal
code. The co-workers' actions could not be "without authority" or
"beyond allowed access" because they had permission to access the
corporate databases and get the information. The government
continued to prosecute Nosal, and he was eventually found guilty on
the remaining counts after the Ninth Circuit upheld the dismissal of
the CFAA offences.
In US v. Aaron Swartz, Aaron Swartz, an activist,
entrepreneur, and computer programmer, was accused of wire fraud
and CFAA charges for allegedly trying to download about 4.8
million articles from JSTOR, a non-profit digital library, through the
MIT network. While JSTOR was accessible to anyone on the MIT
campus, its terms of service limited the number of articles that could
be downloaded at once. Swartz used a script to download articles
continuously, deceiving the JSTOR servers by faking his computer's
address. The prosecutors added nine more felony charges in 2012,
exposing Swartz to up to 50 years in prison and a $1 million fine.
Swartz was offered a plea deal to admit guilt to 13 felonies for a
sentence of four to six months, or he could face a potential
seven-year penalty if he went to trial. Although the "victims," MIT
and JSTOR, opted not to sue, the government continued with the case.
Swartz tragically took his life on January 11, 2013, in response to
the prosecution and possible jail term. Following his death, the
prosecutors dismissed the charges against him.

18 No. 10-10038; 9th Cir. Apr. 10, 2012

In US v. Matthew Keys,19 Matthew Keys, a former social
media editor for Reuters, was charged in March 2013 for allegedly
providing hackers with access to websites owned by the Tribune
Company after he was fired. The authorities claimed that his actions
were part of a larger plan to breach Tribune's systems and websites
and make unauthorized modifications. The indictment accused Keys
of three CFAA breaches, including conspiracy to harm a protected
computer, distribution of harmful code, and attempted distribution
of malicious code. After an eight-day jury trial, Keys was found
guilty of three CFAA violations, and he declined the plea agreement.
The potential penalties for these offenses could have been up to 25
years in jail and a $750,000 fine. On April 13, 2016, Keys was
sentenced to 24 months in jail, 24 months on probation, and
$249,956 in restitution. Currently, his appeal is being reviewed by
the Ninth Circuit.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT, 1996 (HIPAA)
HIPAA is federal legislation that mandates healthcare
providers to safeguard sensitive patient health information from
unauthorized disclosure without the patient's consent. It includes
two rules: the Privacy Rule, which applies to health information
whether it is in electronic or paper format, and the Security Rule,
which specifically addresses computerized health information. The
US Health and Human Services (HHS) is responsible for issuing the
HIPAA Privacy Rules to ensure compliance with HIPAA's
provisions.

19 Crim. No. 1:11-CR-10260; D. Mass. 2012
No. 2:13-CR-00082; E.D. Cal. 2013

Privacy Rules Under HIPAA


Covered entities, comprising individuals and organizations,
are subject to the Privacy Rule's regulations that govern the
utilization and exposure of health information. The rule also
establishes a framework to empower individuals to manage and
comprehend how their health information is employed. Its goal is to
safeguard health information while still allowing for the
appropriate dissemination of data to enhance healthcare quality and
protect public health. While allowing certain information uses, it
also protects the confidentiality of individuals seeking medical
treatment and recovery.

Covered Entities
The following types of individuals and organizations are
considered as covered entities:
• Healthcare Providers: The requirement to comply with
electronic data communication standards applies to healthcare
providers of any size who participate in certain transactions,
such as claims and benefit eligibility inquiries, involving
patient information.
• Health Plans: This category encompasses various entities
such as health, dental, vision, and prescription drug insurers,
health maintenance organizations (HMOs), Medicare,
Medicaid, Medicare+Choice, Medicare supplement insurers,
and others.
• Healthcare Clearinghouses: Healthcare clearinghouses act
as intermediaries between different entities, converting non-
standard health information to a standard format or the other
way around. When providing processing services as business
associates for health care providers or health plans, they
usually handle individually identifiable health information.
• Business Associates: A business associate is a person or
organization that discloses or uses individually identifiable
health information to perform tasks, activities, or services for
a covered entity, but is not an employee of that entity.


Security Rules under HIPAA


The HIPAA Security Rule provides protection for a particular
set of electronically-generated personally identifiable health
information (e-PHI) that is obtained, created, stored, or transmitted
by a covered entity. Unlike the Privacy Rule which offers
safeguards for all forms of PHI, the Security Rule only applies to
e-PHI and not to PHI shared verbally or in written form. To meet the
requirements of the HIPAA Security Rule, all covered entities are
obligated to:

➢ ensure the confidentiality, integrity, and accessibility of all
electronic Protected Health Information (e-PHI), and identify
and prevent potential security threats;
➢ guard against expected unauthorized disclosures or uses that
violate the rule, and ensure that their staff members comply
with the requirements by obtaining certification of their
compliance.

When assessing requests for permissible uses and disclosures
of PHI, covered entities are expected to apply their professional
ethics and exercise sound judgment. The HHS Office for Civil
Rights is responsible for enforcing HIPAA regulations, and
complaints can be filed with them. Penalties for violations of
HIPAA regulations may result in financial or legal consequences.

Gramm–Leach–Bliley Act (GLB), 1999


The Gramm–Leach–Bliley Act, also known as the Financial Services
Modernization Act, covers financial transactions involving consumers and
safeguards sensitive personal information such as names, phone
numbers, addresses, social security numbers, credit card numbers,
dates of birth, financial account numbers, and financial institution
activities, particularly when paired with financial account numbers.
There are three main components of this regulation:
1. The Privacy Rule mandates that financial institutions provide
their clients with a Notice of Privacy Policies.
2. The Pretexting Rule prohibits the use of social engineering to
gain consumer information and mandates that businesses
provide personnel with security awareness training.
3. The Safeguards Rule mandates that financial institutions create an


information security programme that outlines the physical,
administrative, and technical safeguards utilized to safeguard
customer financial information.
To comply with the GLB Act, a risk assessment programme,
contractor control, regular policy reviews, staff training, and an
incident response programme are necessary. Additionally, a
designated employee must oversee security. However, the main
drawback of the legislation was that it only covered banking
institutions, leaving out numerous merchants and other businesses
that offer credit, making its scope too limited.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT, 2002 (FISMA)
The Federal Information Security Management Act (FISMA)
was established in 2002 to define guidelines and security standards
for safeguarding the US Government's information and operations.
FISMA applies not only to state agencies overseeing federal
programmes but also to private businesses and service providers with
government contracts. FISMA's primary objective is to reduce risks
to federal data security while maintaining cost-effectiveness.
FISMA requires federal agencies and related entities to create,
document, and execute information security programmes for
safeguarding sensitive data. NIST and OMB have been given
supplementary responsibilities under this legislation. The agency's
information security programmes must be assessed every year by
authorized personnel, such as the chief information officer and
inspector general, who then submit their findings to OMB. OMB
utilizes this information to fulfill its supervisory obligations and
present annual reports to Congress.
To ensure the security of data in the federal government,
FISMA allocates responsibilities to multiple agencies. The act
mandates that officials of the information security programmes and
heads of each agency effectively manage risks, implement timely
and efficient security measures, and conduct annual evaluations of
the information security programme to ensure the data remains
secure.

To comply with FISMA, NIST outlines several measures:


• Risk Categorization: This involves classifying information
systems based on their intended use to establish an appropriate


level of security. The categorization process should be
conducted in order of the level of risk, prioritizing the
protection of sensitive information.
• Selection of minimum baseline controls: Federal systems
must meet the security standards that are applicable to
organization and technology.
• Documenting the controls selected in the system security
plan: Maintain a record of all utilized systems, networks,
tools, and associated information. Document the baseline
security measures implemented to protect these systems.
Finally, implement security controls on the required
information system.
• Refining controls through a risk assessment process:
Conducting security assessments is important to ensure the
effectiveness of security measures and identify the need for
additional controls. After implementing security controls,
their effectiveness should be evaluated.
• Monitoring the security controls on a continuous basis:
Continuous monitoring of accredited systems is necessary to
enable prompt responses to security issues and data breaches.
Documentation must be updated whenever any changes are
made. Constant observation of status reporting, configuration
management, security measures, and system modifications is
crucial.
Some practices need to be followed to ensure
compliance with FISMA:

a) Maintain compliance with FISMA standards and NIST
guidelines by staying informed about any new updates.
Detailed records of compliance measures should be kept for
future FISMA audits.
One approach to secure data is to categorize it according to its
level of sensitivity at the time of creation. By doing so, sensitive
information can be given appropriate security measures. An
automatic encryption tool can be employed to secure sensitive data
based on its classification level.20

20 Gillis A.S., Federal Information Security Management Act, 2020; available
at: https://www.techtarget.com/searchsecurity/definition/Federal-Information-Security-Management-Act (Visited on: March 16, 2023)


Pros and Cons of FISMA


There are some things which FISMA allows:
a) An improvement in information security for both federal and
state institutions; any private sector company should make
sure they're following the greatest security procedures.
b) A greater capacity to address problems as well as more
baseline controls and security procedures; continuous
monitoring ensures a constant degree of security and enables
an organization to promptly address problems.
c) Adaptability in execution; a smart place to start when putting
security measures in place.
There are also some things which are concerning under FISMA:
a) It can be challenging for agencies to exchange cybersecurity
information; as new dangers emerge, FISMA's enhancements
must be made better over time.
b) Instead of measuring information security, FISMA measures
security planning; using controls could be confusing.
It is the best which is used for the implementation of security
measures.
COMPARATIVE ANALYSIS
a) In India, the IT Act of 2000 specifies jurisdiction under
sections 1(2) and 75. The act grants extraterritorial
jurisdiction over any offense against a computer system
located in India, but it does not address jurisdiction in Jammu
& Kashmir. However, the act extends to the state of Jammu &
Kashmir. On the other hand, in the USA, jurisdiction is being
interpreted within the context of a borderless cyberspace. The
concept of in rem jurisdiction may be applied to claims based
on e-mail storage or stored files located on a computer server
in the forum jurisdiction.21
b) Cybercrime is not defined in the laws of either country. Many
authors have tried to define it, but they have failed. There is
no statutory definition of cybercrime in either
country.

21 Jain J., Chaudhary R., Understanding The Concept of Cyber Crimes in India vis-a-vis
Cyber Laws of USA, International Journal of Research and Analytical Reviews, Vol.
VI, Issue II, Atman Publishing Academy, Gujarat, India, May 2019, pp. 430


c) In India, the cybercrimes are specified in Chapter IX of IT
Act, 2000. But in the USA, cybercrimes are not defined in any
law.
d) The IT Act of 2000 in India did not address obscenity.
However, the IT Amendment Act of 2008 made it illegal to
transmit or publish pornographic material or acts of obscenity.
In the United States, two laws were passed on this matter. The
first law is The Child Pornography Prevention Act of 1996,
which prohibits the production of pornographic scenes using
computers. The second law is The Child Online Protection
Act of 1998, which requires commercial site operators to
establish the identity of visitors to their site using legitimate
methods, if they offer material that is considered harmful to
minors.22
e) After India amended the IT Act in 2008, Section 66E was
introduced to penalize privacy violations. The section covers
three stages of bodily privacy violation: capture, publication,
and transmission, and criminalizes these stages if carried out
without the victim's consent. Whether or not the recipient
reads the email is irrelevant. The US has the Electronic
Communication Privacy Act (ECPA) of 1986, which is a
wiretap law that holds "anyone" liable under section
2511(1)(a) for committing the breach. To protect individual
privacy, the Online Privacy Protection Act of 2000 was
passed based on a recommendation by the Federal Trade
Corporation.
f) The IT Act, 2000 in India does not define the term 'cyber
defamation,' but it penalizes sending material that is grossly
offensive, causing insult, annoyance or criminal intimidation.
The Indian Penal Code, 1860 also addresses cyber defamation
under section 499, which has been extended to include
'speech' and 'documents' in electronic form by the IT Act,
2000. In contrast, the Communications Decency Act (CDA),
1996, is a valuable tool in the USA for protecting freedom of
expression and innovation on the internet. Section 223 of the
CDA states that any person who intentionally puts obscene,
lewd, lascivious, filthy or indecent information on the web to

22 Shaffer v. Heitner, [433 US 186: 53 L Ed 2d 683 (1997)]


annoy, abuse, threaten, or harass another person may be
punished with imprisonment or a fine.23
g) Before the Information Technology (Amendment) Act, 2008,
section 66 of the Indian law covered the offense of 'Hacking
with Computer System'. However, 'Computer related offences' has
since taken the place of hacking. Only when hacking is
carried out dishonestly or fraudulently in accordance with
section 43 of the Act does it become a crime under section 66.
By contrast, the United States' Computer Fraud and Abuse Act of
1986 addresses the crime of "hacking," which is only
inherently criminal with regard to systems utilised solely by
the US government.

CONCLUSION
There are hundreds of incidents occurring in the nations, but
only a small number of cases are reported as complaints. Some
cybervictims regard this experience as their nightmare, bad luck, or a
desire from God and go on with their lives by forgetting all the
incidents since many victims, out of fear of being mistreated in
society and the danger of doing so, do not file any complaints
against the cybercriminals. However, as a result of this,
cybercriminals are more motivated to engage in these kinds of
illegal operations. It is necessary to encourage more people to file
complaints in order to fight cybercrime on a national and worldwide
scale.
After analyzing the comparative study of the laws of both
countries, it is evident that despite the USA enacting various laws to
combat cybercrime, there remain several intricate legal matters that
require resolution. Similarly, India's Information Technology Act of
2000 is a comprehensive law for preventing cybercrime, but it still
lacks adequate provisions for addressing certain legal challenges.
The absence of sufficient international legislation has resulted in
ambiguous or unclear legal issues regarding electronic transactions
and civil liability in cyberspace. It is therefore imperative to
adopt robust cyber regulations at a global level.24

23 Ibid, pp. 434
24 Ibid, pp. 436-437


CHAPTER 11

COMPARATIVE STUDY OF CYBER LAW IN INDIA AND RUSSIA
Dr. Abhishek Kumar 1, Ishika Raghuvanshi 2

“The study examines the legal framework governing cybercrime
and cybersecurity in both countries, as well as the relevant
legislation, policies, and regulations. It explores the similarities and
differences in the legal approaches taken by the two countries and
identifies the challenges and opportunities facing them in this field.
This chapter also analyses the role of the judiciary, law enforcement
agencies, and other stakeholders in implementing and enforcing
cyber laws in India and Russia. It discusses the challenges faced by
these stakeholders in dealing with cybercrime, such as the
jurisdictional issues arising from cross-border cyberattacks.
Finally, the chapter provides recommendations for strengthening
cyber laws in both countries and improving their cooperation in this
area. These recommendations include enhancing public awareness
of cyber risks, increasing international cooperation in combating
cybercrime, and promoting the development of robust cybersecurity
infrastructure. Overall, this comparative study provides valuable
insights into the legal and policy frameworks governing cyber law
in two important countries and highlights the need for continued
cooperation and collaboration to address the growing challenges
posed by cybercrime and cyber security threats.”

INTRODUCTION

Cybercrime can be defined as those species that fall under the
category of traditional crime and in which the computer
serves as either an object or a motivation for unlawful
behavior.3

1 Associate Professor, Faculty of Law, Integral University, Lucknow, (India)
2 B.A.LL.B (H), 3rd Year, Institute of Legal Studies & Research, GLA University,
Mathura, (India)


Cyber law is a collection of regulations that focuses on how
technology, including networks, the internet, software, and attack,
should be used. This also reflects the way people utilize
technology in everyday life. Cyber law protects users by enabling
the investigation and control of internet lawlessness. The efforts of
individuals, organizations, the media, governmental bodies, and
private businesses are all covered. All forms of identity, groupings,
media, governmental operations, and non-profit organizations are
covered. Cybercrime is defined as crimes committed online that
target a computer either as a tool or as a victim. We divided cyber
law into two categories, with the computer being classified as both a
device and a target in the first one. A crime is classified as Person,
Property, or Victimless/Vice offense by the dispensable procurator.
Cybercrime can be defined simply as unlawful conduct committed
using a computer as a tool, a target, or both. The classic offenses of
fraud, larceny, falsification of documents, slander, and malicious
mischief are all covered by the Indian Penal Code and can all be
characterized as cybercrimes. The IT Act of 2000 governs a new
category of offenses that have arisen as a result of computer
abuse. Cybercrime can be categorized in two ways.
Using a computer to attack other computers is known as "using the
computer as a target." For instance, DoS attacks, worm/virus attacks,
and hacking. Using a computer to commit crimes in the real world is
known as using a computer as a weapon. Examples include
cyberterrorism, IPR violations, credit card fraud, EFT fraud,
and pornography.4 Internet law and cyber law are further names for
cyber law. Cyber laws address information access, data storage bias,
insulation, trade, intellectual property (IP), and the right to freedom
of speech and expression as they relate to the use of email,
computers, mobile phones, software, and other online trap runners.
Cyber laws support or lessen large-scale damage caused by
cybercriminal activity. India and Russia's strategic partnership is
supported by five primary pillars: politics, defense, civil dynamism,
3 Parthasarathi Pati, Cyber Crime, https://www.naavi.org/pati/pati_cybercrimes_dec03.htm (Visited on July 12, 2022).
4 Cyber Laws of India, available at https://infosecawareness.in/cyber-laws-of-india. (Visited on March 23, 2023)


counterterrorism cooperation, and space.5 Conciliating the ILTP are
the Indian Department of Science and Technology, the Academy of
Legends, the Ministries of Science and Education, and the
Ministries of Industry and Commerce. Some of the priority areas of
cooperation under the ILTP are the advancement of SARAS duet
aircraft, semiconductor manufacture, supercomputers, poly-vaccines,
shaft wisdom and technology, seismology, high-purity
equipment, software & IT, and Ayurveda.6 As far as we can tell,
there are numerous laws governing cybersecurity, and these laws
depend on non-identical, diverse, and territorially expansive
governments. Additionally, depending on the offense committed,
the punishments for the same range from penalties to imprisonment.
A Memorandum of Understanding was signed in Moscow in August
2007 between the Department of Science and Technology and the
Russian Foundation of Basic Research.7

INGREDIENTS OF CYBERCRIME
Since national governments around the world have yet to arrive at a
complete definition that can meet the wide range of interpretations of
which acts can be designated as terrorism, the components that make
up cyber terror are described differently from expert to expert.
Some define cyberterrorism as any act that can be associated with other
operations that are often classified as terrorism by governments or
other countries and that uses the internet to help the advancement of such
activities. On the other hand, according to another component,
cyberterrorism refers to any activity that uses the internet to help the
advancement of work that is commonly defined as terrorism by the
government or other nation-states. The two sets of specialists could not
agree on a common definition, but they generally agreed that it
involves the criminal destruction of digital property in order to put
pressure on the government to uphold a certain group's religious,
5 Plans to boost ties with Russia, India: China, available at https://www.aninews.in/news/world/asia/plans-to-boost-ties-with-russia-india-china20230404020244/. (Visited on April 4, 2023)
6 The Imagindia Institute, “Promoting the imagination and image of India, and the
people of Indian Origin, globally”, available at http://www.imagindia.org/. (Visited on
April 3, 2023)
7 U.S. Department of State - Investigating War Crimes and Other Atrocities in Ukraine,
“Victims of Russia’s war of aggression against Ukraine deserve justice”, available at
https://www.state.gov/ (Visited on January 4, 2023)


political, or ideological demands. For instance, over a two-week stretch
in 1998, a rebel group in Sri Lanka sent 800 emails every day to one of
its government offices. The text of the email was as follows:
"We are the Internet Black Tigers, and we are interfering with your
communications by doing this." According to cyber security experts, this
is the first instance that has come to light of a terrorist group using
the internet to interfere with official functions for personal gain.

TYPES OF CYBER CRIME IN INDIA


Child Pornography:
Child pornography is a type of cybercrime that involves the
creation, distribution, and possession of images and videos that
depict minors engaging in sexual activity or posing in a sexually
suggestive manner. It is a serious form of online exploitation of
children and is illegal in most countries.
Hacking
Hacking is a type of cybercrime that involves gaining
unauthorized access to computer systems or networks with the
intent to steal, alter, or destroy sensitive information or disrupt
normal operations.
Denial of Service Attack
A denial of service (DoS) attack is a cyber assault
that seeks to stop an internet site, server, or network from operating
normally by flooding it with legitimate or malicious traffic. In a
DoS attack, the attacker attempts to flood the target system with
traffic or requests, making it unavailable to legitimate users.
Virus Dissemination
This form of criminal behaviour involves either direct or
unauthorized access to the computer's operating system via the
installation of additional software classed as viruses, worms, or logic
bombs. Unauthorized destruction or deletion of machine information
or an online feature that disables ordinary machine functions is
obviously unlawful and is frequently referred to as computer
sabotage.
Computer Forgery
This happens when data in computerized records are altered
and processed. Machines, on the other hand, can be utilized to


commit forgery. With the advent of computerized colour laser
copies, another era of dishonest alteration or replication arose.
There are many other cybercrimes which are given below in
the diagram:


CYBER SECURITY FRAMEWORK IN INDIA


In addition to the laws mentioned earlier, Russia also has a
number of other regulations and decrees related to cyber security
and internet regulation, such as the Law on Countering Extremist
Activity and the Law on Information, Information Technologies,
and Protection of Information. The Russian government has been
known to use these laws to block or censor online content that it
deems to be a threat to national security or public order. In 2019,
Russia passed a controversial law that requires internet service
providers to install hardware that can reroute all Russian internet
traffic through servers in the country, giving the government greater
control over the online activity.

Why Cybercrime Laws in India?


Our country, like other countries, is also worried about internet
safety and related crimes. There is an increasing range of cyber
security dangers, notably in India, and they must be addressed.
According to a cybercrime study conducted by an economist, the
government loses approximately Rs. 1.25 lakh crore every year as a
consequence of cyber-attacks. The national strategic plans, which
commonly act as guides for government agencies and, on occasion,
the private sector, use analogous language and more detailed
definitions for "cyber-attack", treating such a violation as separate
from and more dangerous than a computer crime. Another analysis conducted
by Kaspersky found that between the beginning of 2020 and the end
of that quarter, the number of attacks in India grew from 1.3 million
to 3.3 million. India recorded the most attacks ever in July 2020,
totaling 4.5 million.8 In July
2021, Mastercard Asia/Pacific Pvt. Ltd (Mastercard) was prohibited
from bringing onboard new domestic clients because it had violated
Reserve Bank of India guidelines on the storage of payment system
data. However, a cyber security policy is insufficient to address the
risks created by the internet, and training is the most efficient way to
deal with these dangers.9

8 High-risk data fiduciaries to be regulated more granularly under Data Bill, The
Economic Times, available at https://ciso.economictimes.indiatimes.com. (Visited on
January 6, 2023)
9 The Business Today, available at https://www.businesstoday.in. (Visited on February
18, 2023)


According to court documents, governments are particularly
concerned about cybercrimes including money laundering, child
pornography, and unauthorized use of computer data. For these
violations, there are sanctions in place in each of the countries our
research examined. Massive resources must be devoted by the
government to safeguarding valuable data assets. Cyber law must be
updated to take into account the most recent developments in both
“law and technology” as well as to address the issues caused by the
accelerating rate of technological change.

Needs For Cybercrime Laws in India


India has been experiencing a rise in cybercrime incidents
over the past few years. In order to address this issue, there is a
pressing need for effective cybercrime laws in India. Here are some
reasons why:
1. Increasing Incidents of Cybercrime: With the rapid growth
of the internet and the increasing use of technology in all
spheres of life, cybercrime has become a major threat to
individuals, businesses, and even governments. India has
witnessed a sharp increase in cybercrime incidents, including
online fraud, identity theft, cyberbullying, and hacking. A
strong legal framework is needed to prevent and punish such
crimes.
2. Protection of Personal Information: The misuse of personal
information has become a significant concern for individuals
and businesses. Cybercriminals often steal personal
information such as credit card details, social security
numbers, and bank account details. Cybercrime laws are
needed to protect the privacy and confidentiality of personal
data and to prevent its unauthorized use.
3. Ensuring Cybersecurity: Cyber security is a significant
concern for businesses and governments. Cybercrime laws
can help in ensuring cybersecurity by mandating the use of
security measures such as firewalls, encryption, and multi-
factor authentication. These laws can also ensure that
companies take adequate steps to protect their customers'
data.
4. Establishing a Legal Framework: The existing laws in India
do not provide adequate protection against cybercrime. “The
Information Technology Act, 2000”, which is the primary


legislation governing cybercrime, is outdated and needs to be
amended. Cybercrime laws can provide a comprehensive
legal framework for dealing with cybercrime.
5. International Cooperation: Cybercrime is a worldwide issue
that calls for cooperation on a global scale. India must
collaborate with other nations to create a coordinated strategy
to fight cybercrime. The adoption of strict cybercrime
legislation can help with this.
6. Economic Impact: Cybercrime has a significant economic
impact on individuals, businesses, and the country as a whole.
According to a report by McAfee and the Center for Strategic
and International Studies (CSIS), cybercrime costs the global
economy around $600 billion annually, which is
approximately 0.8% of the world's GDP. In India, the
economic impact of cybercrime is estimated to be around $3
billion annually. Effective cybercrime laws can help in
reducing this economic impact by deterring cybercriminals
and providing victims with legal remedies.10 In recent years,
there has been a rise in cybercrimes targeting financial
institutions in India. The Reserve Bank of India reported that
cyberattacks on banks increased by 2.5 times in 2020
compared to the previous year.11
7. Cyberbullying is a growing concern in India, particularly
among children and teenagers. A survey conducted by
Microsoft in 2020 found that 53% of Indian children had
experienced cyberbullying, and 67% of parents were
concerned about their children being bullied online.12
8. People nowadays use credit and debit cards to shop.
Unfortunately, certain online criminals clone such debit and
credit cards. A copy of a credit or debit card is a means for

10 The Economic Impact of Cybercrime and Cyber Espionage, available at https://csis-website-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf. (Visited on March 2, 2023).
11 Sharma A. and Shukla N., "Cybercrime in India: Challenges and Solutions", Springer, 2020, pp. 19.
12 Nappinai N., "Technology Laws Decoded: A Practitioner's Guide", LexisNexis, 2020, pp. 228.


someone to obtain your information online. In business
transactions, electronic agreements and electronic signatures
are often employed. Anyone taking part in them has the
potential to unlawfully use online signatures and digital
agreements. Cyberlaw provides protection against such
frauds. The cloning of a debit or credit card is a method that
enables someone to acquire your information online.
Cyberlaw can prevent this, as Section 66C of the IT Act
stipulates a 3-year prison sentence and a fine of up to one lakh
rupees for anyone found using an electronic password
dishonestly or fraudulently.13
9. Because all stock trades are now performed in
demat format, everyone associated with stock transactions is
protected by cyber regulations in the event of any fraudulent
acts.
10. Electronic records are used by almost all Indian enterprises.
A company can be forced to comply with this law in order to
stop the unlawful utilisation of such information.
11. Due to the rapid advancement of technology, many official
papers, such as income tax and service tax returns, are
now completed electronically. Anyone can abuse those forms
by hacking into governmental portal websites, hence
cybersecurity is required in order to take legal action.

IMPORTANCE OF CYBERCRIME LAWS IN INDIA

The following factors illustrate the importance of cyber laws:
• The prosecution of those who participate in illegal internet activity is a key objective of any cyber law. Internet offences, including cyberbullying, attacks on other websites or people, theft of records, meddling with a company's online business, and other illegal acts, must be successfully prosecuted.
• In cases involving cybercrime, individuals will be prosecuted
based on their location and how they participated in the crime.
• Prosecuting or eliminating the hacker is the most important
thing because most cybercrime is more than a crime; it is not
a crime.

13 Section 66A has been struck down by the Supreme Court's order dated 24th March, 2015 in Shreya Singhal vs. Union of India, AIR 2015 SC 1523.

• Security is a concern when using the internet, and some thieves want to access computer hardware so they may later exploit it fraudulently. As a result, all laws and regulations pertaining to cyberspace are created to safeguard users and Internet businesses against illegal activity.
• There are many ways for a person or organization to attack others who engage in illegal acts online.
• Protecting Personal Data: With the growing use of
technology, individuals share personal data online, making
them vulnerable to cyber-attacks. Cybercrime laws ensure the
protection of this data and hold offenders accountable.14
• Curbing Cyber Fraud: Cyber frauds, including phishing and identity theft, are prevalent in India. Cybercrime laws have provisions to tackle these issues and provide legal remedies to victims.15
• Combating Cyber-Terrorism: Cyber-terrorism is a growing threat to India's national security. Cybercrime laws provide legal frameworks to combat such attacks and hold perpetrators accountable.16
• Strengthening Law Enforcement: Cybercrime investigation
and prosecution require specialized skills and training.
Cybercrime laws provide law enforcement agencies with the
necessary tools and powers to investigate and prosecute such
cases.17

14 Kamath and Nandan, Cyber Law and Information Security, LexisNexis, 2017.
15 Sood and Vivek, Cyber Law Simplified, Universal Law Publishing Co. Pvt. Ltd., 2019.
16 Seth and Karnika, Cyber Law: The Indian Perspective, Universal Law Publishing Co. Pvt. Ltd., 2019.
17 Sood, Vivek, Cyber Law Simplified, Universal Law Publishing Co. Pvt. Ltd., 2019.

LAWS REGULATING CYBER-CRIME IN INDIA

Information Technology (IT) Act 2000
The IT Act 2000 is a comprehensive legislation that addresses various aspects of cyberspace, including electronic transactions, data protection, and cybercrime. It provides legal recognition to electronic documents and signatures, and outlines penalties for cyber offenses. The Act covers sanctions and punishments for cybercrimes while also protecting the fields of e-commerce, e-governance, and e-banking. The IT Act was introduced in 2000 to provide legal recognition for electronic transactions and digital signatures. It was amended in 2008 to include provisions related to cybercrimes such as unauthorized access to computers, identity theft, and phishing. The above Act was further amended in the form of the IT Amendment Act, 2008 [ITAA-2008].18
A Cyber Appeal Tribunal will be established in accordance with the IT Act to handle appeals in cybercrime matters. However, this tribunal has not been active since 2011 due to a lack of judges. In 2018, the Indian government proposed a new data protection bill, the Personal Data Protection Bill, which seeks to provide a comprehensive framework for the nation's data security. The bill is currently under review by a parliamentary committee. The IT Act of 2000's digital certificates, which were later replaced by e-signatures by the ITAA of 2008, were covered in further detail in the Act on the procedures involving Certifying Authorities. Numerous crimes have been mentioned, particularly those involving data theft and the legal processes involved in such crimes. Additionally, it describes the prominent and typical offenses that are performed every day as well as their associated penalties. In order to eliminate this risk, emphasis has also been focused on a few provisions, the function of intermediaries, and the significance of undertaking due diligence.19
The most important law is the IT Act, which requires all Indian legislation to tightly restrict cybercrime.
1. Section 43 20 Computer or computer system damage: [Penalty and Compensation] if anybody accesses a computer, computer network, or computer system without the owner's or the appropriate authority's permission.
2. Section 66 21 Computer-related offenses - A penalty of up to three years in jail, a fine of up to five lakh rupees, or a combination of the two may be imposed on anyone who engages in one of the dishonestly or fraudulently committed acts enumerated in section 43.
3. Section 66B 22 Punishment for dishonestly receiving stolen computer resource or communication device - If you dishonestly receive or retain a stolen computer resource or communication device and you are aware that it is stolen or you have reason to suspect that it is stolen, you may be subject to a jail sentence, a fine of up to one lakh rupees, or both.
4. Section 66C 23 Punishment for identity theft - Any individual who dishonestly or fraudulently utilizes another person's digital signature, password, or other special identification feature may be sentenced to up to three years in prison and/or fined up to Rs. 1 lakh, among other penalties.
5. Section 66D 24 Punishment for cheating by personation by using computer resource - Anyone who engages in fraud through impersonation while using a computer resource or communication device is subject to a fine of up to one lakh rupees and a maximum sentence of three years in jail for either type of infraction.

18 Gupta, Rohit. (n.d.). An Overview of Cyber Laws vs. Cyber Crimes: In Indian Perspective - Privacy - India. Www.Mondaq.Com. https://www.mondaq.com/india/privacy-protection/257328/an-overview-of-cyber-laws-vscyber-crimes-in-indian-perspective (Visited on January 5, 2023)
19 Cyber Laws in India. (n.d.). Retrieved August 18, 2020, from https://www.latestlaws.com/wpcontent/uploads/2015/05/Cyber-laws-in-India. (Visited on April 4, 2023)
20 Information Technology Act, 2000, § 43, No. 21, Acts of Parliament, 2000 (India).

Indian Penal Code (IPC), 1860
Identity theft and other associated cybercrimes are prosecuted under the Information Technology Act of 2000 and the Indian Penal Code (IPC), 1860.
The most significant provisions of the IPC addressing cyber frauds are:
a) (Section 464)25 Fraud.
b) According to Section 465 26, false documentation is forbidden.
c) Intentional forgery used for fraud (Section 468)27
d) Reputational harm (Section 469)28
e) Creating the appearance that a document is genuine (Section 471)29

21 Ibid. pp. 66
22 Ibid. pp. 66B
23 Ibid. pp. 66C
24 Ibid. pp. 66D.
25 The Indian Penal Code, 1860, § 464, No. 45, Acts of Parliament, 1860 (India)
26 Ibid. pp. 465
27 Ibid. pp. 468
India has implemented several cybersecurity frameworks to ensure the safety and security of its digital infrastructure. Some of these frameworks are:
• National Cyber Security Policy 2013: This policy aims to
create a secure and resilient cyberspace for citizens,
businesses, and government. It identifies the roles and
responsibilities of various stakeholders, defines the
institutional framework for cybersecurity, and outlines the
strategies and measures for securing cyberspace.
• Indian Computer Emergency Response Team (CERT-In): CERT-In is the country's nodal agency for responding to cybersecurity issues. It works to enhance the security of India's cyberspace by providing early warning and response to cyber threats.
• Cyber Swachh Kendra: The Cyber Swachh Kendra is an
initiative by the Indian government to secure cyberspace and
prevent malware infections. It provides tools and techniques
to detect and remove malware from infected systems.
• Digital India: The goal of the Digital India programme is to transform India into a digitally enabled society and knowledge economy. It includes initiatives to improve cybersecurity, such as the establishment of Cyber Security Operation Centres (C-SOCs) and the National Cyber Coordination Centre (NCCC).
• Personal Data Protection Bill: The Personal Data Protection Bill attempts to safeguard Indian people's personal information and privacy. It sets out rules and regulations for the collection, storage, and use of personal data by companies and government agencies. These frameworks, along with other measures and initiatives, demonstrate India's commitment to cybersecurity and its efforts to protect its digital infrastructure from cyber threats.

28 Ibid. pp. 469
29 Ibid. pp. 471

• National Cyber Coordination Centre (NCCC): The NCCC is a government initiative to provide real-time situational awareness and monitoring of India's cyberspace. It helps in the early detection and prevention of cyber threats and enables a coordinated response to cyber incidents.
• Cyber Crime Investigation Training and Research
(CCITR) centres: The CCITR centres are established to
provide specialized training to law enforcement agencies and
judiciary in cybercrime investigation and prosecution.
• Indian Cyber Crime Coordination Centre (I4C): The I4C
is a multi-agency centre that focuses on tackling cyber crime
and strengthening cyber security in India. It is a joint initiative
of the Ministry of Home Affairs and the Ministry of
Electronics and Information Technology.
• Cyber Surakshit Bharat: Cyber Surakshit Bharat is an
initiative to promote cybersecurity awareness among citizens,
especially in rural areas. It aims to educate people about safe
online behavior and provides training and tools to secure their
digital devices. These frameworks and initiatives highlight the
comprehensive approach taken by the Indian government to
address cybersecurity challenges and safeguard its digital
infrastructure.

FUNDAMENTALS OF TECHNOLOGY RESEARCH POLICY

Adjudication
The act's Section 46 details the adjudication power and adds that the federal government has the power to appoint an adjudicator, who must have a rank above Director for the Government of India or one that is similar to an office of the state government, so as to decide the cases in keeping with the rules.30 The statute specifies the procedure for adjudication, which mandates that the petitioner get an impartial chance to submit his case and that the law enforcement officer is required to designate or apply the punishment specified in the statute if they believe the offense was committed. The Centre for Cyber Administrative Tribunal's construction is also laid forth in the law. The Code of Civil Procedure accords the Internet appellate panel with the same authority as a civil court, and every deciding official has a similar authority as a civil court.31 In order to make online buying less difficult and to enforce severe penalties for disobedience, it also aims to lessen fraud and forgeries.32 The first case to be determined in India was the ICICI Bank fraud case. In that instance, the applicant alleged that the bank's lack of security had caused him to lose cash from the account he was using; the applicant was granted the funds that were lost by a court order.

30 Penalties and Adjudication in IT ACT 2000 – PATHLEGAL, available at https://www.pathlegal.in/Penalties-and-Adjudication-in-IT-ACT-2000-blog-1831947 (Visited on April 7, 2023)

E-commerce
Over the past few years, the Indian e-commerce industry has
experienced remarkable growth. India is seeing a significant
economic transition from neighbourhood markets to online
marketplaces. The IT legislation gives all e-commerce activities a
legal foundation that safeguards both buyers and sellers. It also
emphasizes the need to secure customer privacy data and electronic
records while validating and enforcing digital signatures.

E-governance
The IT Act 2000 deals with electronic regulation issues in Chapter III, which covers the process and legal recognition of electronic data. It explains the storage and maintenance process for electronic data and the verification process it must pass; the procedures regarding electronic signatures and the management instructions for physical authentication of a contract concluded electronically are specified in the following section.

31 Gupta, Rohit. (n.d.). An Overview of Cyber Laws vs. Cyber Crimes: In Indian Perspective - Privacy - India. Www.Mondaq.Com. https://www.mondaq.com/india/privacy-protection/257328/an-overview-of-cyber-laws-vscyber-crimes-in-indian-perspective (Visited on January 4, 2023)
32 Raj, Aijaj & Rahman, Wazida, E-commerce Laws and Regulations in India: Issues and Challenges, 2016, pp. 44-51.

Digital Signatures
Digital signature refers to the acceptance of electronic data by the user through electronic means or a transaction in accordance with Section 3, which takes into account situations in which it is possible to employ additional digital signatures to authenticate electronic data twice. To ensure the integrity of the communication included in the electronic file, the electronic data is first transformed into a message digest using a mathematical operation known as the "hash function." Any modification to the information in the electronic file immediately renders the digital signature invalid. Secondly, the process makes use of a private key applied to the message digest to confirm who added the digital signature; anyone with access to the public key, which corresponds to the private key, can verify this. Anyone will be able to use this to determine whether the electronic record has been altered since it was fixed with the digital signature or has been retained intact.33 Information is king in today's world. A statutory remedy is now available to corporations under the IT Act of 2000 in the event that someone hacks into their computer systems or network and causes harm or copies data.34
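The two steps described above, hashing the record and then applying the signer's private key to the digest, can be run end to end. The following Python code is an added example, not part of the original chapter or of the IT Act; the key pairs are constructed toy RSA keys built from well-known Mersenne primes and used without a padding scheme, and all function names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib

# Constructed toy key pairs (assumption for illustration): each modulus is the
# product of two well-known Mersenne primes. Keys issued in practice are
# randomly generated and used with a padding scheme such as RSA-PSS.
E = 65537  # public exponent shared by both demo keys


def make_keypair(p: int, q: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)): the public key and the matching private key."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of e mod phi(n)
    return (n, E), (n, d)


SIGNER_PUBLIC, SIGNER_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)
OTHER_PUBLIC, _ = make_keypair(2**89 - 1, 2**607 - 1)


def message_digest(record: bytes) -> int:
    """Step 1: reduce the electronic record to a fixed-size SHA-256 digest."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key: tuple[int, int]) -> int:
    """Step 2: apply the private key to the digest to produce the signature."""
    n, d = private_key
    return pow(message_digest(record), d, n)


def verify(record: bytes, signature: int, public_key: tuple[int, int]) -> bool:
    """Recompute the digest and compare it with the value the public key recovers."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(record)


def demo() -> dict[str, bool]:
    record = b"Agreement: A pays B Rs. 10,000 on 1 March"    # constructed sample
    tampered = b"Agreement: A pays B Rs. 90,000 on 1 March"  # one character changed
    signature = sign(record, SIGNER_PRIVATE)
    return {
        "intact record, signer's public key": verify(record, signature, SIGNER_PUBLIC),
        "altered record, signer's public key": verify(tampered, signature, SIGNER_PUBLIC),
        "intact record, someone else's public key": verify(record, signature, OTHER_PUBLIC),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

Only the first case verifies: changing a single character of the record changes the digest, and a public key that does not correspond to the signing private key recovers a different value.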

Cyber Security Policy 2013
The Indian government introduced a strategy in 2013 to provide an updated framework and prevent cyberattacks in response to the worrying increase in cyberattacks and the rapid growth of the IT sector. This policy provides a foundation for secure electronic transactions as well as principles for safer cyberspace in India. The policy also outlines a plan for developing a framework for a thorough, team-based, and collective response to deal with the problem of cyber security at all tiers of government in the nation.35 The strategy has 14 goals, among them the adoption of procedures to protect e-commerce transactions, citizen privacy, the improvement of India's cyber ecosystem, and efficient collaboration between the public and commercial sectors.36 The institution also creates a nodal organization for efficient cooperation and crisis management during cyberattacks. CERT-In gathers, evaluates, and publishes data on cyber incidents, forecasts and alerts of cyber security occurrences, and employs emergency response techniques to address cyber security issues, among other things. It is impressive how CERT-In contributes to the e-publication of security flaws and security alerts. The CERT-In assists in fighting cybercrime through legal procedures.37

33 OVERVIEW OF CYBER LAWS IN INDIA Index. (n.d.). Retrieved August 18, 2020, from https://taxguru.in/wp-content/uploads/2012/10/cyber-laws-overview.pdf (Visited on January 2, 2023)
34 Dugal, P. (2001, September). Cyberlaw In India: The Information Technology Act 2000 - Some Perspectives - Media, Telecoms, IT, Entertainment - India. www.mondaq.com. https://www.mondaq.com/india/it-andinternet/13430/cyberlaw-in-india-the-information-technology-act-2000--some-perspectives (Visited on February 16, 2023)
35 Andrew, A. (2013, December 4). National Cyber Security Policy 2013 – In a nutshell. ClearIAS. https://www.clearias.com/national-cyber-security-policy-2013/ (Visited on January 17, 2023)
36 PTI. (2013, July 2). Govt releases National Cyber Security Policy 2013. Livemint. https://www.livemint.com/Politics/DQ8gg6eCNeZwHJxt84rhMN/Govt-releases-National-Cyber-SecurityPolicy-2013.html (Visited on February 8, 2023)

National Cyber Security Strategy 2020


New technical developments and reforms occur every day; as
a result of the rapid changes, stricter regulation and more recent
laws are required. In view of recent substantial advancements and
new challenges that both the business sector and the government are
now confronting, the Indian government has unveiled a new cyber
safety policy. From 2020 to 2025, the National Cybersecurity Strategy
will be in effect. It is used to provide a safe, secure, reliable and
robust cyberspace that supports. We now turn to the cyber laws that
prevail in Russia.

RUSSIAN FEDERATION
Fighting cybercrime in Russia is the responsibility of Department "K" of the Ministry of Internal Affairs of the Russian Federation (Russian: Ministerstvo Vnutrennikh Del, or MVD). The MVD published its most current report in late 2012, which contained statistical information on high-tech crimes (covering the first half of 2012). The findings show that during that time, 5696 cybercrimes were found in Russia, an 11% rise from the corresponding period in 2011. The significant Russian cyber security firm Group-IB offers two causes for the country's continued and dramatic increase in cybercrime. First, Russia's legal system is ineffective at stopping cybercrime, and the punishment is incredibly lenient: sentences for computer-related offences are either short or delayed. Second, several hacking groups strive to cooperate in order to boost revenue and support their illegal actions.

1) A variety of online fraud schemes (including phishing assaults, SMS text message con artists, software that steals payroll information, etc.)
2) The most frequent cybercrimes in Russia involve the spreading of spam.
3) DDoS attacks.

Cybercrime connected to child pornography is a particularly contentious topic in Russia. A national initiative called Sornyak 93 was started by the government in 2011 to address this specific kind of crime.38

37 Cyber Laws in India. (n.d.). Retrieved August 18, 2020, from https://www.latestlaws.com/wpcontent/uploads/2015/05/Cyber-laws-in-India.pdf (Visited on March 4, 2023).

Cyber-Crime Vs Cyber Warfare in Russia
In strategic planning and policy documents, Russian and Chinese authorities frequently use the phrase informationization, which refers to the in-depth analysis and application of data assets for both social and economic development. The term "cyber" is not widely used in Russia outside of intellectual journals and the media. Instead of "cyberspace," the phrases "information" or "informational" are frequently used in official policy documents, as in the terms "information security," "information resistance," "information space," and so forth. Although the terms "cybercrime," "cyber-warfare," or "cyber-attack" aren't used in any official public records, the federal government appears to distinguish between common cybercrime and cyber-warfare based on the use of terms like "information security," "computer information crime," or "computers crime," and "informational resistance."
The key document that explains Russia's national objectives in the information sector is the Doctrine on the Security of Information of the Russian Federation, which was published in 2000. These include: 1) the defense of each individual's informational liberties and rights under the Constitution; 2) increasing understanding of Russia's communication policy on a national and international level; 3) protection against unauthorized access to information resources, as well as the assurance of the security of data as well as telecommunication systems currently in place or being built up in Russia.39
In 2010, a new Military Policy was formed that gave information security a high priority. It states that the military is in charge of information security. The Military Doctrine says that information resistance is one of the characteristics of the numerous types of contemporary military encounters. The Code of Criminal Procedure (1996) and the Legal-Procedural Code (2001) both provide an overview of the rules pertaining to criminal offences committed in cyberspace:
• Article 272. Illegal access to data on a computer.
• Article 273. The development, utilization, and dissemination of harmful software.40
• Article 274. Misuse of computer networks and tools for storing, processing, or transmitting information.41

38 http://data.conferenceworld.in (Visited on April 7, 2023).
39 http://data.conferenceworld.in (Visited on April 3, 2023)
The foundation of Russian law is continental civil law. There are both federal and regional laws; however, in the event of a disagreement, federal laws take precedence. Although certain Russian regions lack any specific laws or regulations in this area, the federal government regulates data privacy. The Russian Constitution was amended in 1993 to incorporate the right to privacy as well as the right to household and personal secrecy. Individuals still have the right to maintain the secrecy of their communications, and any limitations on this right have to be authorised by a judge. Information regarding their personal affairs may only be gathered, used, saved, and shared with their consent. Specialised standards that have been developed in regard to these laws and particular laws that address these rights determine how these fundamental rights are protected.
The FBI discovered several thefts into the functioning networks of numerous American businesses in the year 2000. The FBI named two Russians as the perpetrators of these cyberattacks: Vasilis Gorshkov and Alexey Ivanov. The Invite Company was established as a means of luring people to the United States of America. Then, they were each invited to a meeting at the company. During the interrogation, the defendant and Ivanov were requested to demonstrate their proficiency in computer hacking. They were handed laptops so they could access their own computers, which contained their hacking tools. The FBI employed a technique that the Russians were not aware of to obtain the password and user name of the hackers. Ivanov and the defendant were immediately detained after the incident. Using their user name and password, the FBI then downloaded data from the defendant's and Ivanov's Russian home computers, which it used as proof against both of them, without a warrant. Gorshkov filed a request to suppress the evidence after they were found guilty, claiming that both Russian law and the Fourth Amendment of the Constitution were being violated. The FBI insisted that approval from Russian authorities is not required because downloading from an electronic source is not seen as a search. The court rejected Gorshkov and Ivanov's petition, noting that the Fourth Amendment's protections should only be invoked whenever a search and seizure fell under its ambit. However, the act of copying the material from the Russian gadgets did not infringe upon the defendant's own interest in the data, and the act of the law enforcement officers accessing information from a gadget located in another nation did not constitute a search or seizure.

40 On the issue of criminal responsibility for the creation, use and distribution of "botnets", available at https://cyberleninka.ru/article/n/on-the-issue-of-criminal-responsibility-for-the-creation-use-and-distribution-of-botnets (Visited on December 11, 2023)
41 Ligh M.H., Adair S., Hartstein B., and Richard M., "Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code", MECS Press, IJCNIS Vol. 7, No. 7, Jun. 2015
Federal Law No. 149-FZ, the Information Law, was passed in 2006 and has subsequently undergone numerous revisions. The law creates the regulatory framework for information technology use and data protection in Russia. It governs a wide range of topics, including accountability for legal violations, encryption, electronic papers and signatures, and data protection. On the website of the Russian government, the complete text of the law is available in Russian.
Federal Law No. 152-FZ, the Personal Data Law, was passed in 2006 and has since undergone numerous revisions. The collection, storage, use, and transfer of personal data are all subject to legal restrictions. It establishes individuals' rights with regard to their personal data and requires data controllers and processors to safeguard personal data from unauthorized access, disclosure, or destruction. On the website of the Russian government, the complete text of the law is available in Russian.
The Cybersecurity Law (Federal Law No. 187-FZ), one of Russia's most significant cybersecurity laws, was adopted in 2019. The law creates the legal framework for safeguarding the security of Russia's important information infrastructure and requires operators of such infrastructure to put protective measures in place to guard against cyber threats. Additionally, the law calls for the creation of a national system for identifying, avoiding, and retaliating against cyberattacks. On the website of the Russian government, the complete text of the law is available in Russian.
The Russian government has also established several initiatives to promote cybersecurity in the country, including the National Cybersecurity Strategy and the creation of a Cyber Polygon exercise to simulate cyber-attacks on critical infrastructure. The government has also established partnerships with private sector organizations to promote cybersecurity, such as the establishment of the Cybersecurity Consortium with major Russian banks and the development of a cybersecurity certification system for IT products and services.42
In addition to the laws mentioned earlier, Russia has also enacted a number of other laws related to cybersecurity and data protection, including the Law on Information, Information Technologies and Protection of Information (1995), the Law on Electronic Digital Signature (2002), and the Law on Personal Data (2010).43 The Russian government has established the Federal Service for Technical and Export Control (FSTEC) as the main agency responsible for cybersecurity regulation and oversight. FSTEC is responsible for approving and certifying information security products, technologies and services for use in government agencies and critical infrastructure facilities.44
Russia has been accused of conducting cyberattacks against other countries, including the United States, European countries, and Ukraine. These attacks have targeted a range of organizations and infrastructure, including government agencies, military units, and critical infrastructure facilities.45 The use of encryption technologies is tightly controlled in Russia. The law requires that encryption products and services be approved and certified by the government, and individuals and organizations are required to obtain permission before using encryption for certain types of activities.46 There are concerns among some observers that Russia's cybersecurity laws and policies are overly restrictive and could be used to suppress political dissent and free speech online.47

42 "Russia: Overview of cyber laws and regulations," Baker McKenzie, 2021.
43 Bambauer, Derek E., and Laura K. Donohue. "Surveillance and Privacy in Russia." In "The Cambridge Handbook of Surveillance Law," edited by David Gray and Stephen E. Henderson, 385-396. Cambridge University Press, 2017.
44 Czosseck, Christian, and Kenneth Geers, eds. "The Virtual Battlefield: Perspectives on Cyber Warfare." IOS Press, 2009.
45 Gompert, David C., and Martin C. Libicki. "Cyberwarfare in Russia's Military Doctrine." In "The Russian Military Today and Tomorrow: Essays in Memory of Mary FitzGerald," edited by Stephen J. Blank, 165-182. Strategic Studies Institute, 2010.

CONCLUSION
It's interesting to note that in some countries' legislation, the
terms "cybercrime" and "computer crime" are frequently specified
and implied. The national strategic plans, which frequently act as
guides for government agencies and, on certain occasions, the
private sector, use comparable language and more specific terms for
"cyber-attack" as an offense distinct from and more dangerous than
a cyber-crime. Governments are especially worried about
cybercrimes like money laundering, pornography involving
children, and unauthorized utilization of computer data, according
to legal records. Each of the nations this report looked at has
imposed penalties for these infractions. In order to combat
cybercrime, all of the nations included in this research are currently
building new units or organizations as well as revising existing
legislation. The examined policies, strategic acts, and agreements
reveal a startling correlation between the two, allowing us to
distinguish between cyber-attacks and cyber-crimes. As a result, the
strategic focus of the cyber security approach has shifted from
simply identifying and combating local cybercrimes to more
involved efforts like defending the nation's infrastructure against
cyberattacks from both abroad and within the country.

46 Hill and Fiona, "Putin's Cyberwar." Foreign Affairs 93, no. 3 (2014), pp. 78-89.
47 Likhomanov, Pavel, and Shumilova O., "Cyber Law in Russia." Springer, 2017.

CHAPTER 12

COMPARATIVE STUDY ON INDIAN AND


INTERNATIONAL LAWS ON CYBER SECURITY
Dr. Anirudh Vaishisth 1, Christina Fernandes 2

“There has been a rise in the acceptance and usage of electronic
media, a meteoric rise in the e-commerce business and trade, a
proliferation of international trade, and an increase in the
prevalence of previously unrecognized transgressions of online
norms. There are a plethora of legal complications and questions
this brings. This paved the way for the legitimization of cyber law in
India”.

INTRODUCTION

An increase in cybersecurity risks has been seen in India as a
direct result of the country's increased reliance on electronic
devices and the internet since the recent emergence of the
COVID-19 epidemic. The rapid spread of COVID-19 has highlighted
the many shortcomings of our increasingly Internet-dependent
culture. Increases in phishing, Trojan horses, malware assaults, and
invasions of privacy highlight the need for India to clarify its cyber
security legislation and provide victims with clearer access to legal
recourse. Since February 2020, cyberattacks in India have acquired
significant traction, with the proportion of cyberattacks increasing to
500% in 2020 alone, and this trend is only projected to accelerate
shortly.
The purpose of this chapter is to examine the present cyber
law, cyber security, and victim remedies in India. The essay also
discusses the consequences of forthcoming cyber legislation in India
for topics like cyber security and cyber assaults. This study seeks to
ascertain whether the present body of law, together with pending
legislation, is enough to handle future privacy and cybersecurity

1 Assistant Professor, Amity Law School, Amity University, Noida, (India)
2 B.B.A. LL.B (H), 2nd Year, Amity Law School, Amity University, Noida, (India)


issues. Cybercrime legislation in Australia, India, Russia, the United
States, and the United Kingdom.

CYBER CRIMES
"Cyber crimes" are not defined in any laws or statutes in
India. The term "cyber" is frequently used in relation to computers,
information technology, etc. Crimes committed using electronic means
(such as computers, information technology, the internet, and virtual
reality) are appropriately termed "cyber-crimes"3. Since the world
has come to rely more and more on the internet for basic necessities,
cybercrime has also developed at a rapid rate in recent years.
Cybercrimes have evolved to the point that they occur almost daily
today. Even the most secure government websites are routinely
breached, let alone the social media accounts of average people.
Eight out of ten people, according to the research, fall for
cybercriminals' traps of various kinds4.
Information held by the government was included in over a
thousand of the most serious data breaches. Aadhaar, India's unique
citizen identification system, was affected by one
of these security vulnerabilities. In the early months of 2018,
hackers broke into the Aadhaar system, exposing the personal
information of over a billion people. The victims of cyberbullying
and other forms of cyber abuse suffer additional harm beyond the
financial losses caused by cybercrime. More than 4,000 women and
children in India were victims of cyberbullying, and 4,444
cybercrime incidents including sexual harassment were reported in
2018. Although a large percentage of Indians acknowledged that
both users and social media platforms were liable for damaging
conduct on social media, growing awareness of the problem of
cyberbullying may be driving this high number of incidents. In
2018, the government moved to establish a nationwide cybercrime
reporting system, allowing individuals to register complaints over the
internet.

3 Cyber Crimes Under The IPC And IT Act - An Uneasy Co-Existence - Media, Telecoms, IT, and Entertainment – India, available at https://www.mondaq.com/india/it-and-internet/13430/cyberlaw-in-india-the-information-technology-act-2000--some-perspectives. (Visited on March 6, 2023)
4 Varsha, An Analysis on Cyber Crime in India, available at www.legalserviceindia.com/legal/article-797-an-analysis-on-cyber-crime-in-india.html. (Visited on February 2, 2023)


Types Of Cyber Crime


Criminals have found new methods to take advantage of
individuals on the Internet as a result of the development of
technology and the ongoing progress of science. Some of the more
frequent and scary forms of cybercrime are described here.
a) Identity Theft: Using a false identity to trick someone into
believing you are someone else, or using another person's
identity to steal or commit fraud. The theft of identity is
described in Section 66-C of the Information Technology
(Amendment) Act of 2008. The offender risks a
fine of up to 10 million Indian rupees and a prison sentence of
up to three years.5
b) Unauthorized access to networks or computers:
Although the term "hacking" is often used to describe this
behavior, Indian law considers hacking to be merely one kind
of "unauthorized access" and hence defines it more broadly.
By definition, "hacking" refers to the illegal deletion or
modification of data, whether it be immaterial or physical,
held in a computer resource. As provided in Section 66,
anyone who deletes, alters, or otherwise destroys
information held in a computer resource, reduces the value or
utility of computer resources, or causes damage to the computer,
with the intent to cause or the knowledge that
doing so would result in illegal loss or harm to the public or
any other person, engages in hacking and will be subject to
criminal prosecution.
Hacking offenses are punishable by up to three years in
prison, a fine of up to Rs 2 lakh, or in some cases both.6
c) Cyber terrorism: In Section 66F of the Information
Technology Act, the Indian government explicitly defined
"cyberterrorism" following the terrorist attacks on September
11, 2001. Cyberterrorism includes hacking, poisoning, and
preventing access to information that is required by law.
Attacking vital government databases online is a primary goal
of cyberterrorism. National security and diplomatic sensitivity
need the secrecy of this information. These violent activities

5 Kumar S and Uday Kumar, “Present scenario of cybercrime in INDIA and its preventions”, May 12, 2012.
6 Overview of Cyber Laws in India, available at https://taxguru.in/wp-content/uploads/2012/10/cyber-laws-overview.pdf. (Visited on February 15, 2023).


endanger national security in order to extract money from the
government, or create fear among the Indian populace by
disrupting public order or spreading false information.
Cyberterrorism threatens not just vital public services but also vital
information infrastructure, which may lead to loss of life,
injury, and damage to property.7
d) Cyberstalking: To cyberstalk is to harass, stalk, or make
covert approaches toward another person through the Internet
or other electronic methods. One example is making repeated
threats or sending harassing messages because you posted
sexually explicit content online. Anyone who engages in
cyberbullying or cyber-harassment of another person, who
sends or uses sexually explicit information, or who publishes
obscene content about victims should face criminal penalties
under Section 67 of the Information Technology Act of 2000.
As the usage of social media increased, Section 67B of the
Information Technology Act of 2000 was passed to protect
children from cyberbullying and cyberstalking. The
promotion of material on the site that is terrifying to children's
brains is also penalized in this section.8

CYBER ATTACKS IN INDIA


On Friday, 10 February, Rajeev Chandrasekhar, India's
minister of state for electronics and IT, informed parliament that the
country had recorded 13.91 crore cyber incidents in 2022. Although
these findings do include data documented and monitored by the Indian
Computer Emergency Response Team (CERT-In), they still do not
provide a comprehensive picture of cyberattacks inside the country.
Nonetheless, there were fewer targeted cyberattacks in 2022 than
the 14.02 crore in 2021. According to official statistics, 11.58
lakh cybersecurity events were reported to CERT-In in 2020, up
from 2.08 lakh the previous year. The results of a specialist study of
the cyber attack on AIIMS Delhi were also disseminated by
the minister. According to Chandrasekhar, the attack was carried out
7 Information Technology Act and Cyber Terrorism: A Critical Review, available at www.researchgate.net/publication/228192670_Information_Technology_Act_and_Cyber_Terrorism_A_Critical_Review. (Visited on February 1, 2023).
8 Keswani M, “Cyber Stalking: a critical study”, available at http://docs.manupatra.in/newsline/articles/Upload/455C1055-C2B6-4839-82AC-5AB08CBA7489.pdf. (Visited on February 7, 2023)


by an unidentified threat actor and was the result of
improper network segmentation. According to the analysis, a
server inside the AIIMS IT network was compromised by an unknown
attacker because of improper network segmentation, resulting in
operational disruption since critical applications stopped
working. According to the response, "CERT-In and other partners
have prompted the necessary remedial activities in this respect." The
massive cyberattack on the country's premier medical institution
last November damaged critical national infrastructure.
Ultimately, the Intelligence Fusion and Strategic Operations
(IFSO) department of the Delhi Police filed complaints of extortion
and cyber terrorism. The matter is now being probed by CERT-In,
the Central Bureau of Investigation (CBI), and the National
Investigation Agency (NIA).
MoS was informed by his representative, Sushil Modi, that a
National Cybersecurity Strategy has been created by the Secretariat
of the National Security Council (NSCS) to deal with concerns
about the safety of the nation's cyberspace.
The government stated it was "fully aware" of many
cyberattacks and was working to "enhance its cybersecurity posture
and mitigate cybersecurity events."

REMEDIES FOR CYBER CRIME CASUALTIES IN INDIA


If a person or business has fallen victim to cybercrime, they
may file a report at any local police station and get a response from
Cyber Cell within 24 hours. In response to the complaint, they will
move swiftly to put the site together to predict, aid in accessing, and
attempt to retrieve information. Several laws and regulations from
various government agencies also include provisions criminalizing
cybercrime. The Information Technology Act of 2000 and the
Indian Penal Code of 1860 both provide legal sanctions for certain
cybercrimes.

Sections of the IT Act, 2000 | Offenses | Penalties
43 | Damage to computers or its system | Compensation not exceeding 1 crore.
43A | Failure of the body corporate to protect data | Compensation for the affected individual not to exceed more than Rs. 5 crores.
45 | If no punishment has been specified individually | A penalty of not more than twenty-five thousand rupees or compensation for the person who was harmed by the violation, whichever is greater.
66 | Computer system hacking, data modification, etc. | A sentence of up to three years in jail, a fine of up to five lakh rupees, or a combination of the two.
66A, IPC 378 | Using communication facilities to send hateful messages, etc. | A sentence that may last up to three years and a fine; in IPC: either a sentence of up to three years in prison or a fine, or both.
66C | Usage of an electronic signature fraudulently | Imprisonment for a time that may last three years, as well as being subject to a fine that may amount to 1 lakh rupees.
66F | Internet-Based terrorism | Life imprisonment is a possibility for punishment.
66D | Tricks by impersonating and accessing resources from computers | Imprisonment over a period that may last three years, as well as being subject to a fine that may amount to 1 lakh rupees.
70 | Access to the protected system without authorization | Imprisoned to a period that might last 10 years, as well as being subject to a fine.

The following are the cyberattack remedies covered under the IPC:
Sending threatening emails over the Internet | Section 503 of the IPC
Using email to send offensive messages | Section 499 of the IPC
Counterfeiting of digital Records | Section 463 of the IPC
False Websites and Online fraud | Section 420 of the IPC
Data thievery | Section 378 of the IPC
Sharing of offensive content | Section 292 of the IPC
Cyber Terrorism | Section 121 of the IPC
Fraudulent Personification | Section 419 of the IPC
Email forgery | Section 463 of the IPC
Phishing- Attack | Section 383 of the IPC
Email Violence | Section 500 of the IPC

HISTORY OF CYBER LAW IN INDIA


India's cyber legal framework emerged in the early 21st
century. The Information Technology Act, India's first anti-cybercrime
legislation, was approved by parliament in the year 2000. The
National Cybersecurity Accord, which outlined India's strategy for
preventing and responding to cybercrime, was scrapped by the
government in 2011.9
The decision of the joint meeting of the united states on
January 30, 1997, passed the Data Innovation Act, which led to the
agreement to enact advanced electronic commerce in global
commercial law. The Department of Utilities (DoE) drafted the
bill in July 1998. However, it was introduced in the House

9 Hardik Mishra, Cyber Laws in India, available at https://legaldesire.com/cyber-law-in-india-meaning-introduction-history-need-important-terms-and-amendments. (Visited on March 2, 2023).


of Agents on December 16, 1999, when the modern Data Innovation
Bureau was established. In any case, it has been revised by the
community of players following several recommendations regarding
e-commerce and questions about World Trade Organization (WTO)
commitments. After the bill was submitted to parliament, it was
brought before a 42-member parliamentary standing committee,
based on the requests and recommendations of MPs. One debated
proposal was that the owner of a cyber cafe should keep track of the
names and addresses of all the cafe's guests, as well as a list of the
websites they have visited. This proposal was made to control cybercrime
and make the quick search for cybercriminals less demanding. But
at the same time, it was criticized for abusing the right to protect
Internet users and was not conservative. In the end, the proposal was
rejected by the IT department in the final draft.10

CYBER LAW LEGISLATION IN INDIA


Cyberlaw, often known as information technology law, refers
to the body of law that governs electronic communications and
computing devices. It governs the legal sector's use of information
technology, including e-commerce, information security, and
software distribution. Contract law, intellectual property law,
personality law, and data protection law are all components of IT
law and not distinct fields of law in and of themselves. IT law
focuses heavily on protecting creators' work. The IT Act regulates
data, software, and other aspects of the digital era while taking into
account the nuances of legal terminology and expertise.11
While not limited by any one body of law, it effectively
encompasses a wide range of issues related to intellectual property,
data protection, and personal privacy. Electronic trade, electronic
governance, electronic banking, and cybercrime are all protected by
the law. The Information Technology (Amendment) Act of 2008
revised the aforementioned statute. [ITAA-2008].

10 Hardik Mishra, Cyber Laws in India, available at https://legaldesire.com/cyber-law-in-india-meaning-introduction-history-need-important-terms-and-amendments (Visited on March 3, 2023).
11 PP Pankaj (ed), “Cyber Law (IT) Law in India”, available at https://www.geeksforgeeks.org/cyber-law-it-law-in-india/ (Visited on January 2, 2023).


Information Technology Act, 2000


When it comes to managing high-tech or digital information,
the IT Act of 2000 serves as the overarching regulatory framework.
It is distinct in that it accommodates such novel concepts as digital
signatures, cyber offences, network service providers, and
electronic certificates. The purpose of the IT Act is to enhance e-
government, legitimize e-commerce, stop cybercrime, and enforce
the Indian Penal Code, according to the preamble of the Act. The
Government of India revised the Act in 2008 to incorporate
provisions for emerging technologies and regulations that had been
left out of the original legislation due to escalating safety concerns
and the quick expansion of the information technology industry.
The statute sets out the procedures for certifying authorities (digital
signatures under the IT Act 2000, replaced by electronic signatures
in ITAA 2008). Various offences are set out, particularly
data theft, together with the procedures for adjudicating them. It
also covers common offences committed on a daily
basis and their punishments. In addition, several clauses highlight the role
of intermediaries and the importance of conducting due diligence
to avoid such risks. In order to have certain
logs kept, the Government under the
IT Act has framed specific rules focusing on particular
areas of data collection, transmission, and processing,
including rules on the registration of cyber cafes in India.
It also prohibits the display of objectionable content on various
digital platforms and requires the intermediary to block and remove such
content from its site. Moreover, the privacy and security of
users' data have become a major concern nowadays, and
such data provided by citizens must be adequately protected
and secured. As such, rules were introduced by the
government in 2011 that require organizations that hold sensitive
personal data of users to comply with certain established security
standards; if they do not comply with the
rules, heavy fines and
imprisonment are imposed.

IMPORTANCE OF CYBER LAW IN INDIA


Cyber law is one of the most prominent laws in India and is
considered one of the most critical laws of the 21st century. It is
an evolving field of law in India with the potential for encouraging


improvement. Indian cyber laws are framed with the help of
various international conventions and treaties. The main objective of
cyber law in India is to legally recognize and regulate electronic
transactions. Indian cyber law has numerous benefits. It helps
to facilitate e-commerce in India and ensures legal
recognition of e-commerce. It also regulates e-commerce in India.
Indian cyber laws also help to prevent information technology-
related crimes. They also regulate the Internet and other
computer networks. Indian cyber law helps to
facilitate the development of electronic infrastructure in India.
Indian cyber laws also help to prevent the misuse of
computers and other electronic devices, and help
prevent unauthorized access to computer systems and networks.
Indian cyber law will also help to promote the
development of the Indian e-economy.12

Summary of Important Articles Of The IT Act


Adjudication: The term "adjudication" is defined in Section 46
of the Act, and the Secretary of the Government of India, or an
equivalent, serves as the adjudicating officer, and adjudication is
expected to be handled by
state governments in accordance with set protocols. The Act
establishes a procedure for making decisions in which applicants are
afforded a fair opportunity to present their cases and, following a
thorough investigation by a designated official, are subject to the
penalties outlined in Section of the Act if the officer determines that
a crime has been committed. The Act also details the Cyber Central
Administrative Court's establishment procedure. The Code of Civil
Process vests the civil courts and the online court of appeals with
the authority to decide cases. An ICICI bank fraud lawsuit in India
was the first case to be resolved. In that case, the plaintiff said that
he had suffered financial losses owing to the bank's lax security
measures.
E-commerce: The expansion of India's e-commerce industry
in recent years has been phenomenal. There has been a dramatic
transition in commerce in India from traditional marketplaces to
online ones. The IT Act establishes a regulatory framework for all

12 Brief guides to understanding cyber laws in India, available at https://khatabook.com/blog/article-1019-importance-of-cyber-law-in-india/. (Visited on March 4, 2023).


aspects of electronic commerce, guaranteeing the validity of digital
signatures and electronic records, safeguarding customers' private
information, and placing special emphasis on the security of such
records. Its other goals are to make electronic trade easier and more
secure, to crack down on fraud and counterfeiting, and to punish
offenders severely.
Electronic Governance: Section 4, followed by Electronic
Records, Storage, and Electronic Records, provides a thorough
discussion of the concerns, processes, and legal recognition of
electronic records discussed in Chapter 3 of the IT Act of 2000.
Here's how the process goes down. The following parts provide
processes relating to electronic signatures and regulatory rules for
agency authentication and apply throughout contract maintenance
and after the validity of an electronically completed contract has
been recognized.13
Digital Signature: The phrase "digital signature" as used in
Section 3 refers to the subscriber's electronic or procedural
authentication of each electronic record. A digital signature
is generated in two distinct steps. To protect the
authenticity of the information included in an electronic record and
guarantee its transmission, a mathematical function known as a
"hash function" is first used to turn the record into a message digest.
If the data in an electronic record is altered in any way, the signature
becomes invalid. Second, the message digest is encrypted with the
private key of the signature's creator, whose identity can be verified by
anybody with access to their public key. Anybody with access to the
digital signature may then confirm the authenticity and integrity of
the signed electronic record.14
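
The two steps described above for Section 3 (hash the record into a message digest, then apply the subscriber's private key) can be run end to end. The following is an added example, not code from the book or the Act; RSA-2048, SHA-256, the function names and the sample record are assumptions chosen for illustration.

```javascript
// Added illustration (not from the book): hash-then-sign for an electronic
// record. RSA-2048, SHA-256 and the sample record are assumptions.
const crypto = require('node:crypto');

// Step 1: the hash function turns the electronic record into a message digest.
// Any change to the record produces a different digest.
function messageDigest(record) {
  return crypto.createHash('sha256').update(record, 'utf8').digest('hex');
}

// Step 2: the subscriber's private key is applied to the digest.
// crypto.sign() computes the SHA-256 digest of the record and signs that
// digest with the private key in a single call.
function signRecord(record, privateKey) {
  return crypto.sign('sha256', Buffer.from(record, 'utf8'), privateKey);
}

// Verification needs only the record, the signature and the PUBLIC key.
// It recomputes the digest and checks it against the signed one.
function verifyRecord(record, signature, publicKey) {
  return crypto.verify('sha256', Buffer.from(record, 'utf8'), publicKey, signature);
}

function demo() {
  // Key pair of the subscriber, plus an unrelated key pair for comparison.
  const subscriber = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const stranger = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

  // Constructed sample records: the second differs by one character.
  const record = 'Constructed sample record: pay INR 10,000 to account 0001';
  const altered = 'Constructed sample record: pay INR 90,000 to account 0001';

  const signature = signRecord(record, subscriber.privateKey);

  return {
    // The digest of the altered record no longer matches the original.
    digestChanged: messageDigest(record) !== messageDigest(altered),
    // Untouched record + subscriber's public key: signature is valid.
    genuine: verifyRecord(record, signature, subscriber.publicKey),
    // Altered record: the signature becomes invalid.
    alteredRecord: verifyRecord(altered, signature, subscriber.publicKey),
    // Someone else's public key: the signer's identity does not check out.
    wrongKey: verifyRecord(record, signature, stranger.publicKey),
  };
}

console.log(demo());
```

The signature only binds the record to a key pair; tying that key pair to a named subscriber is the job of the certifying authority's certificate, which this sketch leaves out.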
Now, more than ever, knowledge is critical. Under the
Information Technology Act of 2000, a firm would be entitled to
legal recourse if a hacker gained access to its computer system or
network and damaged it or copied data.15

13 Raj, Aijaj & Rahman, Wazida, “E-commerce Laws and Regulations in India: Issues and Challenges”, (2016).
14 Overview of Cyber Laws in India, available at https://taxguru.in/wp-content/uploads/2012/10/cyber-laws-overview.pdf. (Visited on February 1, 2023).
15 Dugal P, “Cyberlaw In India: The Information Technology Act 2000, Some Perspectives - Media, Telecoms, IT, Entertainment”, available at https://www.mondaq.com/india/it-and-internet/13430/cyberlaw-in-india-the-information-technology-act-2000--some-perspectives. (Visited on January 17, 2023).


The Cybersecurity Policy Of 2013


In 2013, the Indian government devised a new framework to
create legislation to prevent cyberattacks in response to the IT
industry's phenomenal growth and the startling increase in such
attacks. The policy establishes standards for safe online activity in
India and a framework for conducting secure electronic transactions.
Coordination between the public and private sectors is essential for
securing private data and improving India's cyber environment. The
judgment orders CERT-In to carry out Section 70 of the IT Act, which
among other things mandates that it conduct prediction and warning
studies of cyber security risks, analyze and publish data on cyber
events, and offer emergency support to deal with such occurrences.
They've begun to take action. Noteworthy is CERT-In's function as
an electronic publisher of security flaws and security warnings.
With the support of CERT-In, you may lawfully combat
cybercrime.

INDIA AND THE UNITED STATES: UNDERSTANDING THE LAW ON CYBERSPACE FROM A COMPARATIVE INTERNATIONAL PERSPECTIVE
The concept of privacy is vague and open to numerous
interpretations. It refers to a person's or a group's capacity to shield their
private lives and activities from public view and exert control over
the dissemination of information about them. An individual's, a
community's, or an organization's right to control the timing,
manner, and scope of the dissemination of information about itself
is known as privacy. To be left alone in peace and quiet is to enjoy
the right to privacy. It may also indicate keeping one's distance from
the spotlight so as to escape unwanted attention. To be left alone is a
basic human need, and the right to privacy is an implied duty. 16

INDIAN LEGAL FRAMEWORK


Privacy Rights Under Indian Cyber Law
The idea that one's personal information is like any other kind
of property has to be protected. So, an individual has the same legal
right to protection for his or her identity and associated information
as they have for their property. Despite the absence of explicit data

16 Debesh, “Understanding Cyber Law: International Perspective Comparative Study - India And USA”, 2022.


protection laws in India, Article 21 of the Indian Constitution,
which covers personal liberties, has been properly interpreted in
several cases concerning privacy rights and the protection of
sensitive information.
That's the situation; as a result of the ongoing debate,
numerous nations have established new laws and utilized new
technology to better protect individuals' privacy online.
Numerous international agreements protect persons' right to
privacy, among them Article 17 of the Covenant on the Protection of Human
Rights and Fundamental Freedoms and
Article 8 of the Covenant on Fundamental European Rights.
Twenty nations have so far signed the Convention on Human Rights
for the Protection of Privacy Relating to Information Technology,
which was adopted by the Council of Europe in 1985.
Data protection, cross-border information sharing, advisory
committee composition, and EU Agreement amendment processes
are all spelled out in the accord. The EU Data Protection Directive
of 1998 reinforced the principles set out in the EU treaties. In 2000,
India approved the Information Technology (IT) Act to regulate the
country's IT sector in the face of widespread cybercrime.
Damages resulting from computer intrusion, hacking, privacy
and confidentiality breaches brought on by computer contamination,
and the release of counterfeit digital signature certificates are
covered by this statute. Definitions of terminology like
"transmission," "collection," "private domain," and "public" may be
found in Section 66E of the Information Technology Act of 2000.
The Information Technology Act of 2000 includes penalties for
violations of confidentiality under section 72. Confidentiality and
privacy are inextricably linked. As only authorized officials are
covered by this provision, its reach is limited. This means that the
arrangements described in this section remain in effect for approved
information gatherers. Although these provisions are meant to
address offences committed by officials like adjudicating officers,
members of the Cyber Regulations Appellate Tribunal (CRAT), and
certifying authorities, their applicability is severely limited by the
Act. Unauthorized access to computer systems is penalized by fines
and jail time under Section 43 of the Information Technology Act of
2000. Those who gain unauthorized access to a computer system
and steal data or introduce viruses shall be held accountable under
this section.

209
CYBER LAW: EMERGING TRENDS AND CHALLENGES

India's New Privacy And Data Protection Regulation


India's information technology system has been updated with the
passage of the Information Technology (Amendment) Act, 2009. Under
Section 72A of this Act, all
parties (including intermediaries) who provide services according to a
valid contract should perform such services in accordance with the
terms of the contract and should not disclose information obtained in
doing so in a way that causes wrongful loss. If this obligation
is broken, the offender might spend up to three years in jail and/or pay
a fine of up to Rs. 5 lakhs. Furthermore, there are certain constraints on
how subscribers may use their privacy rights under Articles 67 and 69,
which ban things like pornographic content and interference with
national security, sovereignty, and direction from the controller.
Decoding deployment information is one of the few exceptions to this
rule. The Information Technology (Amendments) Act of 2009
amended Section 69 to cover legitimate instances of Internet
censorship. The federal government or the government of a state and its
authorized representatives may intercept, monitor, or decrypt any
information created, transmitted, received, or stored in a computer
resource under this provision if doing so is necessary or advantageous
for defending India, preserving the sovereignty of India and integrity,
assuring the state's security, maintaining friendly and peaceful relations
with other states, upholding public order, or preventing an emergency.
Websites that include material listed in Section 69 may also be blocked
under Section 69A. If it is determined that it is essential to put
reasonable limits on basic rights guaranteed by the Constitution of
India to safeguard public order, national integrity, sovereignty, and
allied interests, then this clause is in line with such restrictions. Section
69B gives the Central Government the authority to permit any
government agency to monitor and collect traffic data or information
generated, transmitted, or received by, or stored in, any computer
resource in order to further strengthen cyber security and to identify,
analyze, and prevent the intrusion of computer contaminants.

INTERNATIONAL LEGAL FRAMEWORK


The US Of America, The UK, And Australia's Privacy Laws On
Cybersecurity
There are various industry-specific cyber regulations
protecting critical infrastructure in the United States, and each
federal agency has its own cybersecurity requirements that must be


adhered to. Despite this, the rate of cyberattacks and cybercrimes in
the United States remains the highest in the world. Other state and
federal legislation is also included in the statutes 17. The following
legislation has noteworthy provisions.
• The Counterfeit Access Device and Computer Fraud and Abuse Act of
1984 governs frauds or attacks on the federal computer system or
any banks, interstate access to sensitive information pertaining to
overseas trade, and trade between nations.
• The Computer Security Act of 1987 created the National
Institute of Standards and Technology (NIST), which is
responsible for developing secure systems, upholding security
standards, reducing cybercrime to an alarming degree, and
establishing programmes to raise awareness about
cybersecurity. However, topics pertaining to national defense
are exempt from this.
• The Paperwork Reduction Act of 1995 was one of the
reasons for wanting enhanced cybersecurity regulations.
• According to the 2002 Homeland Security Act (HSA), the
Department of Homeland Security was given responsibility
for defining the requirements for cybersecurity.
• The National Science Foundation (NSF) and the National
Institute of Standards and Technology (NIST) were given the
task of developing a research agency to combat cyberattacks
and improve the United States cyberspace infrastructure in
2002, thanks to the Cyber Security Research and
Development Act.
• The Electronic Government Act of 2002 is a landmark piece
of legislation. Federal information technology principles and
regulations are included in the legislation, and stringent
requirements for cyber security are established.
The federal government has recently enacted new
cybersecurity legislation and altered existing ones to create a more
robust security environment.

17 Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws,
and Proposed Legislation, available at https://sgp.fas.org/crs/natsec/R42114.pdf
(visited on February 14, 2023).

1) The Cybersecurity Information Sharing Act (CISA):
To enable the sharing of worries about cybersecurity across several
government authorities, this legislation was introduced in 2015. Its
main objective was to enable the development of a robust
cyberinfrastructure for the immediate exchange of cybersecurity
issues, disruptions, and other concerns among various government
agencies.
2) 2014’s Cybersecurity Enhancement Act: As suggested
by its name, this Act will enhance cyberinfrastructure, develop
better regulation of cybersecurity issues, raise awareness of
cyberattacks, and reduce cyberattacks. It was launched to help
victims and apply measures against cybercrime, and to encourage
voluntary public-private relations and research and development in
this field.
3) Government Trade Information Breach Notice Act of
2015: The statute mandates that patients be notified of a data breach
within 60 days of the incident and provides victims with rights for
their well-being to cover the disappointment. It sets stringent
guidelines for the section, and violations will result in serious
punishments under the law. Right now, the United States
has 50 federal and state statutes under this act, and it is
evident that the nation is continually working to overhaul modern
cyber approaches and superior frameworks. But despite persistent
endeavors, the government is still unable to contain cyberattacks
in America. This also applies to the private sector: even with the
best frameworks in place, privacy breaches and phishing
attacks within the private sector happen on a daily
basis.18
Within the United States, in addition to the
protections given by federal law, an individual's data is
additionally protected by state laws. Numerous states have consumer
protection and fraud laws that frequently address invasions of
privacy and unlawful data collection practices. For
illustration, Virginia has incorporated information collected through
the web into its privacy law. Accordingly, companies that
collect information over the Web may be held liable under a few
or all of these regulations in jurisdictions where the information is
accessible over the Web. In countries like India and the United
States, the right to privacy isn't explicitly enshrined in
legal terms, but it is recognized as an implicit right within the
constitutions of these two nations. The Electronic Communications
Privacy Act of 1986 (ECPA) gives due consideration to data
subject consent, as the need for informed consent may be used as
a court defense. From a security viewpoint, India's Data Innovation
(Correction) Act, 2009 introduces a distinction from wrongdoing by
adding a component of human common sense to distinguish
between encroachment (infringement) and wrongdoing.19

18 Hardeep Singh, “A Glance At The United States Cyber Security Laws”, Centre for
Academic Legal Research | Journal of Applicable law & Jurisprudence, Volume 1 |
Issue 1.

United Kingdom
There is no overarching legislation in the UK managing IT or
cyber security, and instead, based on laws like the Security Services
Act of 1989 and the Civil Emergency Act of 2004, several
government entities are subject to various legal obligations. This offers
a great deal of leeway for the creation of novel cyber shielding
techniques. The year 2009 saw the Office of Cyber Security's
establishment. By 2010 it had expanded its remit to include
Information Assurance (OCSIA), collaborating with businesses to
establish shared norms and information sharing. When it comes to
enforcing national cybersecurity standards, the National Cyber
Security Center (NCSC) has all the power, advising and
coordinating government and private sector cybersecurity activities.
NCSC was established in 2016, and its responsibilities encompass
those of the communications-electronics security group, CERT-UK,
and GCHQ, the National Security Agency of the UK's intelligence
division. The National Infrastructure Protection Center and Network
and Information Security Regulations 2018 oversee the cyber
evaluation center and other essential infrastructure security
responsibilities (NIS).20 The Privacy and Electronic
Communications (EC Directive) Regulations of 2003, the
Communications Act of 2003, the Computer Misuse Act of 1990,
the Financial Conduct Authority, the Prudential Regulation
Authority Rules, the common law, and the common law tort of
misuse of private information are all examples of other laws and
regulations that may be applicable.
The UK's business sector is under strict obligations under the
General Data Protection Regulation (GDPR) and the Cybercrime
Act of 2018 (Act) to take action to prevent third parties from
violating data security and to take further measures to combat
cybercrime. We advocate for the establishment and maintenance of
several cyber hygiene measures. All suppliers of essential services,
including hospitals, transportation systems, and online
marketplaces, are subject to the law's cyber security provisions.21

19 Debesh, Understanding Cyber Law: International Perspective Comparative Study -
India And USA, available at https://www.legalserviceindia.com/legal/article-8855-understanding-cyber-law-international-perspective-comparative-study-india-and-usa.html
(visited on March 19, 2023).
20 Joshi, A comparison of legal and regulatory approaches to cybersecurity in India and
the United Kingdom. Shared under Creative Commons Attribution 4.0 International
license.

Australia
The Cybercrime Act is a comprehensive law that addresses
computer and online crime. The sending of commercial electronic
communications, including emails, has been subject to regulation
under various laws, such as the Spam Act, which limits the sending of
spam and other unwanted electronic communications, with a few
caveats. The Australian Communications and Media Authority is in
charge of enforcing this legislation. The Preventive Privacy and
Security Structure and the Privacy and Information Security
Handbook are only two of the rules and regulations the Australian
government has in place to safeguard public privacy. Recently, the
Australian government published its strategy for enhancing
cybersecurity by 2020. Its goals include reducing cybercrime and
raising awareness of the issue, as well as providing cyber assistance
to individuals and small companies. Although similar to the United
States in terms of basic cyber regulation, Australia lacks specific
legislation in several sectors, including health, personal, and
commercial insurance.

21 Cybersecurity and the UK legal landscape, available at
https://www.whitecase.com/insight-alert/cybersecurity-and-uk-legal-landscape
(visited on February 17, 2023).

COMPARATIVE ANALYSIS: RUSSIAN AND INDIAN CYBER LAWS
The special connection between Russia and India was
established after the Soviet Union's fall because Russia inherited India's
preexisting good ties with the Soviet Union. There are five key areas of
collaboration between India and Russia: politics, military, civil energy,
counter-terrorism cooperation, and space exploration. The sixth
dimension, which focuses on economics, has been trending in recent
years. The largest project in this field, the Integrated Long-Term
Cooperation Program (ILTP) between India and Russia, comprises
ongoing research and technological partners. Organizing the ILTP are
the Indian Academy of Sciences, the Indian Ministry of Science and
Technology, the Indian Ministry of Science and Education, and the
Indian Ministry of Industry and Commerce. The SARAS Duet aircraft,
semiconductor goods, supercomputers, poly vaccines, laser-based
technology, seismography, highly pure supplies, applications, and its
IT & Ayurveda are among the priority areas for partnership under the
ILTP. In August 2007, a memorandum of understanding was signed in
Moscow by the Ministry of Science and Technology and The Russian
Fund for Basic Research.

The Viewpoint of Russia On Cyber Laws


The civil law of the European Union is the cornerstone of
Russian law. Both civil law and indigenous law exist, albeit civil
law would take precedence in a dispute. Although data privacy
is governed on a federal level, several areas of Russia have yet
to pass regional rules. The Russian Constitution was amended in
1993 to add the right to privacy and to personal and family
confidentiality. Despite this, they are protected by the right to the
privacy of their communications, and any restrictions on this right
must be approved by a judge. Information concerning an
individual's private life should only be gathered, utilized, kept, and
shared with their consent. Certain laws and other rules established
concerning these laws govern the safeguarding of these initial
rights. In 2000, the FBI uncovered a widespread hacking campaign
that had penetrated the computer networks of thousands of
businesses throughout the United States. The FBI has identified two
Russian nationals, Vasiliy Gorshkov, and Alexey Ivanov, as the
hackers responsible for previous similar operations. The Invita
Corporation was founded on a plan to entice them to the United
States. They were both allowed to interview for the position. During
the interview, Gorshkov and Ivanov were put to the test by showing
off their hacking skills. A laptop was provided as an entry point into
their private networks; these networks were located on their own
PCs. The Russians had no idea that the FBI had gotten the hackers'
user ID and password by some kind of method. Gorshkov and Ivanov
were immediately detained after the incident. In addition, the FBI
illegally downloaded information from the Russian homes of
Gorshkov and Ivanov using the user ID and password. Gorshkov
filed a motion to suppress the evidence after they were convicted,
claiming that their rights had been violated in breach of both
Russian law and the Fourth Amendment. The FBI argued that since
downloading from an online source did not qualify as a search, it was
not necessary to obtain permission from the Russian government.
The Fourth Amendment's prohibition on unwarranted searches and
seizures served as the court's justification for rejecting Gorshkov
and Ivanov's petition in response. However, because the defendant
had a possessory interest in the data, the FBI agent's actions to copy
it from the Russian computers did not amount to a search or seizure.
Data protection has been a contentious issue since at least 2014. On
privacy, the administration took a more
protectionist stance. The Personal Information Law (The Database
Local Law) was changed by the Russian parliament in a manner
reminiscent of Indian law, limiting data collectors to exclusively
access Russian databases. The Data Localization Law was
implemented on September 1, 2015, despite widespread opposition
from businesses and the press. Russia has updated its Data
Localisation Law as well as its Information and Information
Technology Federal Laws and its Information Protection Federal
Law. Businesses that offer video, audio, or text-based
communication services must now register with the government,
retain call records for not more than six months, and give the
government decryption keys if encrypted discussions are retained.
Russian data privacy laws have recently faced certain difficulties.
On May 5, 2014, Russian lawmakers passed Federal Law Number
97-FZ, which made major changes to additional legislation,
including Federal Law Number 149-FZ, enacted on July 27, 2000.
In recent years, major revisions have been made to the Information
Law, which went into effect on July 1, 2018. The amendments,
known as the Yarovaya Law, were written by Irina Yarovaya and
had a significant impact on Russian telecommunications and
internet regulation. In particular, mobile operators were
mandated to spend a lot of money storing all call recordings and
text message content for six months, and internet service
providers were mandated to spend a lot of money storing all call
recordings and text message content for six months. The
Yarovaya Law mandates that, if requested by Russian law
enforcement or intelligence agencies, operators must provide overall
communications of a similar kind, create specific systems to
conduct investigations, and provide decryption keys if the
communications are encrypted. The DPA compiled a list of illegal
sites using the Data Localisation Act as the legal basis. Under the
law, a detailed procedure for "notice and takedown" is specified. To
comply with Russian law, any databases holding personal
information about Russian people must be located inside Russia.
Recently, lawmakers have proposed changes that would
significantly raise penalties for violations. Russian cybercrime is on
the increase for two reasons, according to the country's preeminent
computer security firm, Group-IB. The legal structure in place in
Russia to combat cybercrime is insufficient, and the country's laws
are highly lenient when it comes to punishing offenders. Decisions
on computer-related offenses are often delayed or made
hastily. In addition, a variety of hacking groups get
together to pool resources for their unethical training. Although the
word "cyber" is often kept for the medical and academic sectors in
Russia, the phrase "informatization" is commonly employed by the
authorities, and it alludes to the aggressive disquisition and use of
digital technologies for social and commercial progress. Although the
concepts of "cyber-crime" and "cyber-warfare" or "cyber-attack" are
not mentioned in any official public documents, it is evident that the
government distinguishes between common cybercrimes and
cyber-warfare through the use of terms like the security of information,
computer data crime, electronic crime, and instructional resistance
to the virus. Data privacy issues were legislated in Russia in
2007. Federal Law No. 152-FZ on Personal Data, enacted on July
27, 2006, is known as the Personal Data Law. Almost all aspects of
data security are covered, including the definition of "personal data"
and the categories of data that may be gathered and utilized, the
methods by which such data may be collected and reused, the
conditions under which such data may be collected and reused, and
the protections that must be enforced by the agencies conducting
such collection. Data processors and data regulators are treated
equally under the Personal Data Law. Hence, the provisions of this
Law apply to anybody or any organization handling specific data.
The requirements of the Personal Data Law may be better
understood in light of a variety of other laws that regulate more
specific areas of data processing. Similar rules are enforced by the
Federal Service for Supervision in the Field of Communication,
Information Technology, and Mass Dispatches (DPA), the Russian
Government's Data Protection Authority, and/or other security
organizations like the Federal Service for Technical and Export
Control (FSTEK) or the Russian Federal Security Service.

INDIA’S TAKE ON CYBER LAWS


To control unlawful activities online and protect users of e-
commerce, e-governance, e-banking, etc., strict regulations are
needed due to the widespread abuse of technology in India and the
lack of legislation to manage it. The Indian Parliament has given its
approval to the Information Technology Act of 2000. The Devices
(Amendment) Act of 2008 was ratified to amend the Act. The scope
and breadth of the statute were both expanded by the changes. Data
theft now takes the role of hacking in Article 66, which replaced
Article 3. Articles 66a through 66f have been expanded greatly due
to the changes. Some of the offenses mentioned here are: sending
harassing messages via a communication service; deceiving a recipient
about the origin of such a message; breaking into a computer or
other communication device without permission; using another
person's electronic signature or identity; committing fraud through
impersonation using a computer or communication device; and
publishing private information about another person. Offenses listed
in Section 66 as felonies are both cognizable and not subject to bail.
According to Section 66 of the Amendment Act, if a comparable act
is carried out with criminal intent or mens rea, it will not subject the
perpetrator to criminal liability and will instead result in civil
liability with only civil penalties and compensation as remedies.
The primary Indian laws were updated when the IT Act of 2000 was
enacted. By including the word "electronic" in the Indian Penal
Code, digital records and papers are given less legal weight than
their paper counterparts. The IPC now has jurisdiction over
"electronic records and electronic documents," which was not the
case before the amendment of certain sections (such as 192, 204,
463, 464, 468 through 470, 471, 474, 476, etc.). When performing
acts of fabrication of physical records in a crime, electronic records
and electronic documents are now treated the same as tangible
archives and papers. To make sure that the evidence and/or
punishment can be covered and proven under either of these or the
other law, the investigating agencies are going to file charge
sheets citing the appropriate sections derived from the IPC under
sections 464, 468, and 469 read with the IT Act/IT amending act
under sections 43 and 66 in similar offenses after making the
appropriate adjustments. Before the IT Act was passed, only
physical documents could be used as evidence in court. After the IT
Act was enacted into law, electronic documents and records were
recognized. With a change to the Indian Evidence Act, the original
wording was replaced with the phrase "all papers including
electronic records". Words like "digital signature", "electronic form",
"secure electronic record" and "information" were adapted from the
IT Act and given evidential weight as well. Section 65B of the Act,
which recognizes electronic recordings as admissible evidence,
is often regarded as the most consequential change. Before the
introduction of the IT Act, a bank was required to present the original
ledger or other physical documents to validate its books following the
Bankers' Books Evidence Act of 1891.22 When the Information
Technology Act was passed into law, the definitions section was
revised to read as follows: "Bankers' books include checks, day-
books, cashbooks, account-books, and all other books used in the
ordinary business of a bank, whether kept in written form or as
printouts of data stored in a floppy, disc, tape, or any
other form of electromagnetic data storage device". There are
still a lot of cybercrime mysteries to be solved.

SCOPE OF THE COUNTRIES FOR EXPANSION OF THEIR
RESPECTIVE CYBER LAWS
The frequency of lawsuits regarding data privacy is on
the rise in Russia, prompting businesses there to plan for more
compliance efforts and additional judicial interpretations. We hope
that including would adopt a robust public cybersecurity policy and
invest heavily in this area. Cybersecurity collaboration on a global
scale is necessary for countries to develop effective responses to
cyber threats. To prevent the present restrictions from becoming
paper tigers, we must also ensure that they are properly
implemented. Nations must be aware of the magnitude of cyber
dangers and the potential harm they might do to public
infrastructure, enterprises, and people notwithstanding the
difficulties in recognizing cybercrime and estimating the effect of
cyberattacks. However, there is a growing perception among the
public that cyberattacks are becoming more sophisticated and
pervasive. Technological advancements, the expansion of implied
profits from cybercrime, and the diminished likelihood that court
rulings will be upheld are all thought to have contributed to an
overall rise in the frequency of cyber hazards over the past few
years.

22 Cyber Laws IT act, available at https://www.vskills.in/certification/tutorial/cyber-laws-it-act-etc.
(Visited on February 27, 2023).

CONCLUSION
Cybercrime has existed since the dawn of the computer, the
miraculous device that revolutionized human life. These days, we
can't imagine living without our computers. They have been put to
many different uses, ranging from leisure to serious research.
Because of the widespread use of computers, new forms
of technology have emerged. It's hardly an exaggeration to argue
that PCs are what started the IT revolution. That's why secrecy is so
important. India can adapt to modern demands thanks to its cyber
legal framework; however, this structure might need some
improvement. In particular, it is important to improve the supporting
controller's cybersecurity architecture so that it can keep up with the
rapidly developing field of technology. The government of India is
constructing new political institutions to accommodate these shifts
because it recognizes the need of doing so. The flaws in this new
policy framework are tolerated as long as these persistent
development challenges persist. Nevertheless, the objectives show
that India is a potential target for cybercriminals, therefore the
success of these initiatives relies on the agencies' ability to
implement them in a responsible and untainted manner. Although
the USA has several programmes and regulatory organizations in
place to defend cybersecurity, it still lacks essential offenders as
compared to other countries.
In addition, the healthcare, insurance, and business sectors in
each of these nations are underdeveloped. And it's important that
India, like every other country, be quite strict about carrying out
well-specified plans. Under Section 72 of the Information
Technology Act, 2000 in India, fines are imposed for the
unauthorized disclosure of personal information. Similar to the
Electronic Communications Privacy Act (ECPA) of 1986 and the
Online Privacy Protection Act (OPPA) of 2000 in the United States,
the new Section 66-E makes it unlawful to infringe on someone
else's privacy. Both the United States and India have been making
progress on this front, although the issue of privacy has been given
more attention in India.


CHAPTER 13

A CRITICAL AND COMPARATIVE ANALYSIS OF
DIGITAL PERSONAL DATA PROTECTION BILL, 2022
Prachi Rashmi 1, Sanidhya Gupta 2

“Data is the pollution problem of the information age, and
protecting privacy is the environmental challenge.”
– American Cryptographer, Bruce Schneier

INTRODUCTION

We, the citizens of the world, are on the verge of getting
exploited by our own companies and governments. The advent of
technology in the 21st century and its ever-increasing developments
have led to many unknown possible adversities under the guise of a
better and healthy standard of living. With new development, there
come many new crimes and problems. We are oblivious to the
repercussions of our interaction with technology. As the
mathematician Clive Humby said, “Data is the new oil” and we are
the new oil reserve. What we search, what we browse, what we see,
what we want, it's all in our phones, laptops, and computers.
Through data analytics the genius evil minds sitting in front of their
computers are using this information and spreading it in the market.
5 billion people in the world (59% of the total population) are
actively using the Internet and sharing their data voluntarily or
involuntarily. India alone has 1.15 billion users, according to
Telecom subscription data.3 Many data-hungry and massive
hyper-personalizing giants like Google, Facebook, Instagram, Snapchat,
YouTube, etc., are running in excess of 1 billion downloads each.
Ergo, their intake of our personal data is huge in number.

1 Assistant Professor, Lloyds Law College, Greater Noida, (India)
2 B.A. LL.B (H), 4th Year, Amity Law School, Amity University, Noida, (India)
3 Telecom Regulatory Authority of India, “Highlights of Telecom Subscription Data as on
30th September, 2022”

NEED FOR DATA PROTECTION


Any information that might be used to identify a specific
natural human being is considered personal data4. The process of
acquiring and processing personal data aids in understanding
personal preferences, which are then used for customization,
recommendation development, and personalized advertising.
Personal data analysis is also important in the enforcement of laws.
However, when this processing is carried out unchecked, it results
in serious invasions of persons' privacy, which is recognized as a
universal fundamental right.5 It may result in an individual's image
and monetary damage. Following are the major factors why data
protection is crucial in the current world scenario:
1. Growing internet usage: Since India has the largest
population and the most users online, it is crucial for their
government to take steps to avoid any data breaches.
2. Data breaches: Compared to other nations, India has had the
most data breaches worldwide6. The personal information of
thousands of Indians continues to be exposed since there is no
comprehensive data protection regulation that covers all
potential circumstances pertaining to data in India. It is quite
likely that they will be sold, utilized unfairly, or mistreated
without their knowledge.
3. Individual Privacy: While data may be utilized to track the
movements of psychotic criminals and terrorists, if this
power is overused, it might violate someone's privacy. The
commercialization of data occurs at the expense of citizens'
human rights. The databases that contain highly sensitive
personal information about individuals, such as their medical
histories, whereabouts, and financial information, are those
that big businesses require the most.
4. Absence of writ procedures for corporate action:
According to Article 12 of the Indian Constitution, private
companies and corporations are not regarded as responsible
and subject to writ proceedings inside the boundaries of India.
This is because basic rights are typically not upheld by
private, non-state actors. Therefore, an individual has only
limited remedies against the private sector.

4 General Data Protection Regulation, 2018, Art. 4(1).
5 Justice K.S. Puttaswamy (Retd) vs. Union of India, W.P. (Civil) No 494 of 2012,
Supreme Court of India, August 24, 2017.
6 The biggest data breaches in India, available at:
https://www.csoonline.com/article/3541148/the-biggest-data-breaches-in-india.html
(visited on 24th February 2023).

THE EVOLUTION OF DATA PRIVACY


There is an ever-growing need to regulate, process, and
cultivate the gold, i.e., information, and this need has been addressed
by many sovereign entities. In order to prevent any misuse and to
ensure comprehensive regulation of the data used by anyone,
whether domestic or foreign companies or governments, rules
need to be enacted. Europe is the leader in this race.
It passed the General Data Protection Regulation, or GDPR
(more on this in the next sections). Along with the European Union,
many other nations, including the United States of America, China,
and Australia, have woken up since it was put into effect and are
addressing the need to establish safeguards lowering data
susceptibility and avoiding erosion of user privacy.
India has always supported policies that safeguard individuals'
personal information. The Information Technology (IT) Act, 2000,7
regulated personal information. A data principal must now seek
compensation for unauthorized disclosure of sensitive personal
information under Section 43A of the IT Act, 2000, while Section
72A of the Act has a punitive clause that allows for either
imprisonment or a fine for anybody, including an intermediary, who
discloses sensitive information without permission. The Right to
Privacy Bill, 2011, which was being discussed by the department of
personnel and training at the time, marked the beginning of the
journey towards a comprehensive data protection bill.
Despite these mandatory laws and their provisions, it was
found that some of them, like the IT Act, were insufficient to
guarantee the security of personal data. The K.S. Puttaswamy
judgement from 2017 is seen as a turning point in the matter of data
protection since the Supreme Court made a significant ruling there
declaring that the "Right to Privacy" is a Fundamental Right under
Article 21 of the Indian Constitution, together with the Right to life
and Personal Liberty.
As a result, the Hon'ble Justice B.N. Srikrishna-led
committee of experts on data protection was established by the
federal government in 2017 to look into the many different aspects
of data protection in this nation.
The committee produced a thoroughly thought-out and
researched report in July 2018.8 The Personal Data Protection Bill
was consequently tabled in Lok Sabha in December 2019 in
accordance with all of the committee's recommendations.9
A Joint Parliamentary Committee was also given the
opportunity to review the measure; they modified its language and
intent and turned in their findings in August 2022. The Ministry of
Electronics and Information Technology issued the Draft Digital
Personal Data Protection Bill, 2022 for public comment in
November 2022.10

7 Report of the Joint Committee on the Personal Data Protection Bill, 2019
(December 2021).

HOW IS CYBERSECURITY AND DATA PROTECTION


RELATED?
Data protection is a group of procedures designed to
safeguard the confidential information stored in a system. The
provisions of data management, availability, preventing
unauthorized access, and application have previously been included
in a number of strong rules, such as the Health Insurance Portability
and Accountability Act (HIPAA) or the Global Data Protection
Regulation (GDPR). Data protection, in contrast to cybersecurity,
which is the responsibility of IT specialists, necessitates effort from
all personnel handling sensitive data. Therefore, Data protection
puts a strong front when it comes to the problems of Data storage,
access and administration while the cybersecurity protects from all
kinds of cyberattacks. These two fields differ from one another. So,
the question that comes up is “Why do we need to combine them?”
An entire organization's stakeholders are impacted by a data
breach, not just the security division. Few people can tell
cybersecurity from data protection. The recent high-profile hacks at
Facebook and Equifax serve as a prime example. Few individuals
can tell the difference between Facebook's data handling and the
Equifax data breach. Both events involved unauthorized data access,
while one constituted a cyberattack. It is important to assess
incidents like these from an integrated overview that strives to
incorporate issues like cybersecurity and protection of data, rather
than from two distinct points of view.

8 ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’,
Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, July 2018.
9 The Personal Data Protection Bill, 2019
10 The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and
Information Technology, November 18, 2022.

Since data breaches affect multifarious aspects of an
organization, the response to them needs to be multilateral.
Consequently, Data Protection and Cybersecurity need to be
combined to guard organizations from the inside and the outside and
prevent such breaches. This amazing combination comes with
several benefits, namely:
1) Prevention of Data Breaches: There is an enormous
reduction in data breaches once both the data and the systems
are overseen at the same time, as this leaves no space for
vulnerabilities and exploitations.
2) Addressing of emerging threats in the digital space: Many
digital threats can lead to high risks for both systems and data.
3) Improvement of Information Security Management
System: An ISMS with a single pane of glass gives you far
more control over your data than a separate infrastructure
would.
4) Improving compliance: Reducing the likelihood of data
breaches enables you to maintain compliance and avoid
compliance fines.

It is the motive of both Data Protection and Cyber Security to
protect sensitive data from myriad digital threats, including
cyber-attacks and data breaches. Thus, their interconnection is
inevitable, which results in a more integrated approach.
The Digital Personal Data Protection Bill, 2022, is essentially
the topic of this chapter. It portrays the vision of this bill, its key
features, and certain important provisions. Since the General Data
Protection Regulation is an ideal law from which many countries,
including India, have taken inspiration, this chapter will explain
the GDPR, its key features and a comprehensive comparison between
the DPDPB, 2022 and the GDPR. At the end of this chapter, we will be
enlightened on digital protection and cybersecurity, how they are
interrelated, and the way forward.
THE DIGITAL PERSONAL DATA PROTECTION BILL, 2022
In its fourth iteration since 2017, the DPDPB, 2022 11
attempts to embody a better “Comprehensive legal framework”. The
aforementioned legislation focuses on three main issues: the duty of
the data fiduciary, the regulation of processing (which includes data
collection, recording, storage, distribution, and removal or deletion),
and the rights and obligations of the data principal. A Data
Protection Board must be established as part of the compliance
framework established under the Bill. The Personal Data Protection
Act of 2012 12 in Singapore may seem to be the inspiration for the
General Data Protection Regulation (GDPR), yet there are a number
of welcome changes and ambiguous provisions in this legislation.
In contrast to the earlier unsuccessful attempts to formulate a
complete bill, the bill of 2022 only includes a limited range of
Personal Data Protection safeguards, thereby only marginally
eliminating the personal digital data. It covers a variety of subjects,
including the establishment of the Data Protection Board of India,
the right of the data fiduciary, and the right and duties of the data
principal, despite having just 30 sections.
It has taken inspiration from countries like Singapore,
Australia, and the European Union, thus making it a comprehensive
bill. It majorly embodies 7 key principles:

1. Lawfulness, justice, and transparency: The bill must
outline how big businesses use people's personal information.
It must be carried out in a way that abides by the law, is fair to
the people involved, and is transparent.
2. Purposeful dissemination: The second principle is based on
the idea that the usage of data that has been obtained must be
restricted to the initial goals for which it was collected.
3. Data minimization: The third principle focuses on the
concept that as little data as possible should be collected. Only
essential data ought to be collected for the necessary purpose.
4. Data Accuracy: All data collected should be original and
there should not be any duplication of that private and
personal information.
5. Storage restriction: The fifth principle ensures that the
obtained personal data can only be kept for a specific amount
of time and not indefinitely by default.
6. Authorized collection and processing of data: It’s
imperative to have sufficient safety measures to ensure that
there is no “unauthorized collection or processing of personal
data.”
7. Answerability: The organization or person responsible for
obtaining the personal data must be held liable for how it is used.

11 The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and
Information Technology, November 18, 2022.
12 Personal Data Protection Act 2012, Singapore Statutes Online, 2012

DISTINCTIONS OF THE NEW BILL FROM ITS EARLIER VERSIONS:
The 2022 Bill seeks to conform to the data protection legal
framework that the Puttaswamy Judgment aimed to have. Over the
four waves of amendments of this bill, many key features have been
inducted. It aims at learning from its earlier mistakes and developing
a liberal yet legally sound privacy law.
1. Gender Neutrality: The bill's inclusion of any potential
gender-based disputes has been praised. 'She' and 'her' have
been used without regard to gender for the first time in the
history of legislation. It has demonstrated to the world
community and the Indian women that the nation's lawmakers
want them to advance and become more independent.
2. Promotes best practices from across the world: The
nation's brightest brains have worked to ensure that the finest
data protection laws are adopted, including a careful
examination of the European Union, Australia, and
Singaporean data protection laws.
3. Comprehensiveness: The Draft Bill 2022 has 25 Points and
"Six Chapters" in total. The chapters include Special
Provisions, Compliance Framework, Miscellaneous, Rights
and Duties of Data Principal, Preliminary, and Obligations of
Data Fiduciary.
4. A hard push on Child Protection: It aims at safeguarding
the future of our country, the children. If any personal data is
aimed at harming a child in any manner, its processing will be
restricted.
Key Features Of The Bill
It's critical to comprehend the fundamental elements of the 2022
Bill to avoid any myopic sub-contextual interpretation.
1. Scope: The 2022 Draft Bill aims to concentrate on the
processing of "Digital Personal Data," or personal information
that is acquired both online and offline and is digitized13. As a
result, it also wants to handle personal data outside of India.
This data is used to profile Indian residents or to offer them
services or commodities. Additionally, it limits processing to
manual methods or individual users for "personal or domestic
purposes." Additionally, it seeks to exclude any personal
information that has been around for at least the past 100
years14.
2. Processing: The act of carrying out an operation or series of
actions on a person's digital data is referred to as processing.
Data acquisition, usage, sharing, and storage are all included.
Although the law prefers to keep the words, it has been
suggested that the Justice Srikrishna Committee15 eliminated
Data Fiduciary. It covers a variety of subjects, including the
establishment of the Data Protection Board of India, the rights
of a data fiduciary16, and the rights and duties of a data
principal, despite having just 30 sections17.
3. Consent: Personal data may only be handled with consent for
legitimate purposes. In order to get consent, a notification that
includes the reason for processing the data as well as other
pertinent information is required. When processing is required
for (i) any statutory function, (ii) the State's supply of a
service or benefit, (iii) any medical emergency, (iv)
employment purposes, (v) certain public interest issues such
as information security, fraud avoidance, and national
security, or any other reason, consent will be taken into
consideration. The legal guardian must provide permission
on behalf of minors under the age of 18.
4. A Data Principal Has Many Rights and Duties: Any
individual who has given consent to the processing of their
personal data (a "Data Principal") has certain rights, including
the ability to (i) obtain information about that processing, (ii)
request the rectification and deletion of their data, (iii)
designate a substitute for them to exercise those rights in the
event of their death or incapacity, and (iv) file a grievance.
Additionally, data principals are obligated not to: (i) file any
fictitious complaints; or (ii) provide any fictitious
information, withhold information, or impersonate another
person in specific circumstances. Duty violations are subject
to fines of up to Rs 10,000.

13 The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and
Information Technology, November 18, 2022, Clause 4(1)
14 The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and
Information Technology, November 18, 2022, Clause 4(3)
15 Government of India Planning Commission, Report of the Group of Experts on
Privacy, 16th October 2012.
16 The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and
Information Technology, November 18, 2022, Clause 2(5)
17 The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and
Information Technology, November 18, 2022, Clause 5.

i. Data fiduciaries' responsibilities include the following: (i)
making sufficient efforts to ensure data accuracy; (ii)
developing reasonable security measures to prevent a data
breach and notifying the Data Protection Board of India and
affected individuals in the event of a breach; and (iii) ceasing
to retain personal data as soon as the purpose is fulfilled
(storage limitation). Storage restrictions do not apply to
processing by government organizations.
ii. Transferring personal data outside of India: The federal
government has the authority to notify nations where a data
fiduciary has the authority to transfer personal data. All
transfers will take place in accordance with the particular
rules and regulations. While the 2021 Bill proposed to impose
data localization obligations with respect to certain personal
data, the new bill's Section 17 completely overturns this
proposed framework and is expected to facilitate the free flow
of data to reputable nations, ensuring a cross-border
globalised developed economy in the process.
iii. Exemptions: The freedom of the data principal and the
responsibilities of the data fiduciaries are restricted in order to
prevent and investigate crimes and to enforce any lawful
rights. The center has the full authority to exclude certain
operations from the bill's purview, including: (i) processing
done by government agencies to protect the security and
integrity of the nation; and (ii) research and data archiving
done for statistical reasons.
iv. Data Protection Board of India: The Draft Bill 2022
proposes the establishment of The Data Protection Board of
India by the central government. A few of the Board's
numerous duties include: (i) enforcing different sanctions and
monitoring compliance; (ii) providing guidance to data
fiduciaries in the case of a data breach; and (iii) acting as a
grievance redressal mechanism. Data fiduciaries have control
over the appointment and makeup of the board.
v. Penalties: The Draft Bill 2022 specifies severe penalties for a
number of violations, including (i) fines of up to Rs 150
crores for failing to satisfy duties to minors and (ii) fines of up
to Rs 250 crores for failing to take security precautions to
avoid data breaches. The board will only issue these fines
following a thorough investigation.

Positive Aspects of The Bill


The new bill in many dimensions proposes to better the
economy of the country. It plays a crucial role in the new India.
Unlike the earlier bills it resonates more with the demand of the
global economy. Moreover, it meets the demand of a just and
transparent economy for its customers and companies.
• Extending the scope of the data: The extent of the data is
quite important. The data protection policy's purview has been
constrained to safeguarding personal information. It is
progressive and addresses the worries of several stakeholders.
• Tapping into economic potential: With the enactment of
sound data privacy laws, several significant private
corporations would be enticed to invest in Indian resources.
Now, it is possible to separate socioeconomic value from data
without a private capacity, which will help many Indian
individuals and enterprises.
• Eliminating the intense push for Data localization: As was
already said, this draft does not use data localization.
Therefore, it may assist India in gaining access to the
privilege of producing and using technical solutions from
across the world. It could help India in unlocking the privilege
of accessing technological solutions and developing from
across the globe, therefore, even helping the domestic
companies.
• Free movement of information: The new law will shape
India's economic destiny. According to studies, increased data
exchange between nations and businesses can assist startups
in gaining access to affordable technology and storage
options.
• Permitting data transfers: This means that India is represented
on a global stage, supporting businesses in managing their
production and supply chains and boosting international
cooperation.
• A brief introduction to "Deemed Consent": The bill's novel
idea of processing solely with the data owner's consent is
essential and innovative, keeping in mind the citizens' basic
rights and privacy.

GENERAL DATA PROTECTION REGULATION (EUROPEAN UNION)
The Indian government has been unwilling to build a legal
framework to strike a compromise between "protection of personal
data" and "establishment of a regulatory framework," which has led
to data fiduciaries handling and keeping personal data. Many
countries have drawn inspiration from the General Data Protection
Regulation of the European Union, which is recognized as a
model law for enforcing local regulations.
The GDPR supersedes the Directives of the European
Parliament and Council from 1995 and is applicable to all 28
member states of the European Union in order to protect individuals
regarding the processing of personal data and the free movement of
such data18. Regarding the protection of individuals' personal data,
the Directives fell short of removing adequate dangers and avoiding
uncertainty in the law.
To deal with these issues, a new regulation was created and
implemented. Additionally, the right of the data subject to request
any stored information is another innovative and revolutionary
feature of the GDPR. Additionally, several laws outlined in the Act
support the use of procedures to protect personal data such as
anonymization, pseudonymization, and encryption. The Rule of
Law, an independent supervisory authority, respect for human
rights, and other important aspects are all considered by the EU's
GDPR's adequacy mechanism19.

18 GDPR: What Do You Need To Know - AGP & Co, A.G. Paphitis & Co: Cyprus
Lawyers, Cyprus Law Firm, agplaw.com (Last visited on 25th February 2023)

A COMPREHENSIVE COMPARISON BETWEEN THE DPDP BILL 2022 & THE GDPR
1. Personal information classification
Racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, health, genetic or
biometric data used for identification, sex life, and sexual
orientation are just a few of the categories added by the GDPR to
personal data. The 2022 Bill, on the other hand, does not categorize
personal data into sensitive or crucial categories and instead applies
to a larger range of personal data. The Bill also requires the
deployment of adequate security measures to safeguard people's
personal information.

2. Majority age
The age of majority differs significantly between the two acts
in important ways. Children are defined as those under the age of 16
under the GDPR. On the other hand, the 2022 Bill classifies those
who have not yet turned 18 as minors.

a. Categorization Of Data Fiduciaries


The GDPR primarily focuses on defining the role of Data
Controllers and detailing their duties and rules for compliance. The
2022 Bill, in contrast, takes things a step further by defining
"significant data fiduciaries," who are subjected to stricter
compliance requirements. In deciding whether data fiduciaries are
"significant," factors such as the quantity and sensitivity of the
obtained personal data, the potential harm to data principals, and
the impact on India's sovereignty and integrity, among other things,
are taken into consideration.
The purpose of the aforementioned clause is to provide early-
stage start-ups and smaller data fiduciaries some wiggle room as
they do not have the necessary infrastructure and resources to
achieve compliance with the Bill's many provisions.
19 Check out 10 key features of GDPR – Geospatial World, available at:
https://www.geospatialworld.net/blogs/check-out-10-key-features-of-gdpr/ (Last visited
on 24th February 2023)

b. Notice Requirements
The GDPR prescribes that the data principals, at the time of, or
prior to, collecting personal data, issue a privacy notice to the data
subjects. It should mandatorily have certain details like the identity
and contact details of the data controller and, where applicable, of
the data controller’s representative, categorization of the data
collected, purpose of processing, etc.
According to the Bill, the privacy notices are required to be
provided to data principals as and when the ground for processing
the data is consent. The privacy notice should only include the
description of the personal data being sought and the purpose of
processing.

c. Consent Managers
Both the GDPR and the Bill recognize the consent of individuals as
one of the bases for processing data, but the Bill has introduced the
novel concept of ‘consent managers’.
Consent managers, who are required to register themselves with the
Data Protection Board, are the data fiduciaries who, on behalf of the
data principals, collect and manage consent provided by them.
Consent managers enable the data principals to give, manage,
withdraw, and review their consent through an accessible,
transparent, and interoperable platform.

d. Right of Data Portability


The Bill, unlike the GDPR, does not provide a right of data
portability in favor of data principals. This right was incorporated in
the Personal Data Protection Bill, 2019, but it has been withdrawn in
the 2022 Bill.

e. The Concept of Deemed Consent


One notable difference between the GDPR and the Bill is
that the Bill acknowledges that a data principal is ‘deemed’ to
have given consent for processing in a situation where the data
principal voluntarily provides personal data to the data fiduciary
and it is hence reasonably expected that the data principal would
provide such personal data.

f. Reporting of Personal Data Breaches


There appears to be a significant disagreement between the
Bill and the GDPR when calculating the threshold for informing
authorities and impacted persons of the occurrence of a personal
data breach. In order to inform the appropriate authorities of
personal data breaches, the GDPR uses a risk-based approach.
Additionally, the GDPR mandates that authorities be notified of any
personal data breaches that pose any harm to the rights and
freedoms of data subjects. In accordance with the GDPR, data
processors are only required to notify the relevant data controller of
data breaches they have experienced.
However, there is no such barrier mentioned in the Bill. The
measure effectively requires both data fiduciaries and data
processors to report personal data breaches, in contrast to the
GDPR's position.

g. Penalties
One of the most significant aspects of the Bill is the extremely
severe penalties for non-compliance. For instance, in the event of
specific non-compliances, such as those pertaining to the processing
of special categories of personal data, up to € 20 million, or in the
case of an undertaking, up to 4% of the total worldwide annual
revenue of the preceding financial year, whichever is larger. The
GDPR's financial penalties are based on the greater of a dollar
amount cap or a specific proportion of the violating entity's global
revenue. The Bill does not attach financial penalties to precise
percentages of global turnovers; instead, it solely specifies capped
financial penalties. The Bill allows for monetary fines of up to INR
250 crores (about € 29 million), and for serious infractions, fines of
up to INR 500 crores (about € 58 million). Furthermore, unlike the
GDPR, the Bill does not mandate the payment of compensation to
data principals.

h. Data Principal’s Duties


The GDPR does not provide particular obligations for data
principals, but the Bill does. Data principals are prohibited by the
Bill from making fake or unfounded complaints or grievances
against data fiduciaries. They must also provide details that can be
confirmed to be accurate. If the data principals breach these
requirements, they might be subject to fines of up to INR 10,000. It
is significant to note that analogous provisions addressing duties and
penalties for data principals are absent from the GDPR.
i. Cross-Border Personal Data Transfer
The Bill introduces a simpler process for transferring personal
data to other countries. It allows the transmission of personal data to
nations with prior authorization based on specifications set by the
executive. Contrarily, the GDPR provides a range of options for the
sharing of personal data. Standard Contractual Clauses (SCCs),
adequacy findings, legally binding agreements between public
bodies, binding business regulations, approved codes of conduct,
and approved certification processes may all be permitted by the
European Commission or a supervisory agency. These procedures
ensure that personal data transfers are made using GDPR-compliant
safeguards and data protection systems. While there are certain
parallels between the Bill and the GDPR, their implementation
tactics obviously differ significantly. The GDPR is well known for
being stringent and for laying out precise guidelines and
requirements for data protection. The Bill, on the other hand,
accepts fundamental concepts and tenets while delegating
responsibility for many implementation-related difficulties to lower-
level legislation and regulations. This approach provides a
foundation for the security of personal information while allowing
for adaptability to new technologies and procedures. The Bill grants
subordinate authorities the power to establish detailed rules and
regulations that may deal with specific circumstances and ensure
that data protection safeguards are actually put into practice.

MAJOR LAPSES OF THE DIGITAL PERSONAL DATA PROTECTION BILL, 2022
1) Narrow applicability of The DPDP Bill: Despite the fact that
this measure is focused on personal digital data, it simply
defines the term "personal data.20" Because of this, any breach
of personally identifiable information that is not saved in a
digital format goes unreported and unprotected. However, the
GDPR's rules apply to all "personal data" regardless of
whether it is digital or not.
2) No compulsion for a data fiduciary to prepare a privacy
policy design: Article 25 21 of the GDPR contains a clause
requiring data fiduciaries to fulfil their commitments. The
2022 Bill, however, does not mandate that a data fiduciary
create a privacy policy prior to processing data from the
moment of collection until destruction, unlike the 2019 Bill.

20 The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and
Information Technology, November 18, 2022, Section 2(13)
21 General Data Protection Regulation, 2018, Section 25

3) No offence, only penalty provided: The legislature has made
several attempts to discourage behavior by imposing severe
fines measured in crores, yet this Bill makes no mention of
any infraction22. As a result, the processes would be useless if
a data fiduciary committed a significant legal violation but
lacked the funds to pay the penalties. Furthermore, according
to studies, prison time as a punishment is believed to act as a
more effective deterrence than any form of civil liability.
Furthermore, the severe fines can make it difficult for brand-
new, modest firms to expand and seize the market.
4) Strict Approval of cross-border flow of digital personal data:
In this world of globalization, it’s very likely that cross border
flow of data can occur very easily. Concerning controlling
this prospective cross-border movement of digital personal
data, the 2022 law says nothing at all. India would then have
fulfilled its responsibilities to other countries if the Bill was
enacted with these revisions.
5) The provision of Right to be forgotten: The phrase "in
accordance with the applicable laws and in such manner as
may be prescribed" is used in Section 13 of the 2022 Bill and
is too general to be controlled. In light of the present state of
Indian law, the latter half of this statement renders it
ambiguous and abstract. Although the right to privacy and the
right to be forgotten23 are related concepts that were discussed
in the KS Puttaswamy Judgement, the Supreme Court has not
yet given the right to be forgotten the stature of a fundamental
right under Article 21. The right to be forgotten is seen as an
integral aspect of the right to privacy in the landmark decision
of Google v. Spain24.
22 General Data Protection Regulation, 2018, Section 25
23 The Right to be forgotten, available at: https://ssrana.in/articles/the-right-to-beforgotten/?utm_source=mondaq&utm_medium=syndication&utm_content=inarticlelink&utm_campaign=article
(visited on 24th February 2023)
24 Global Freedom of Expression | Google Spain SL v. Agencia Española de
Protección de Datos - Global Freedom of Expression (columbia.edu) (Last visited on
23rd February 2023)

6) No guarantee on independence of the Data Protection Board
of India:
The Bill mandates the establishment of the Data Protection
Board of India, but later rules published by the federal
government would determine the specific membership,
conditions of appointment, and means of removal of its
members. This approach calls into doubt the Board's
independence because these key decisions are left to the
government's discretion. However, other laws in the country,
such as those that control the Telecom Regulatory Authority
of India 25 and the Competition Commission of India,
explicitly mention the specifics of member makeup,
appointment lengths, and firing. These clear guidelines are
meant to protect these regulatory agencies' independence and
guarantee openness. The Data Protection Board's
independence and efficiency as an independent regulatory
body may be questioned because, unlike the laws governing
the Indian Competition Commission 26 and the Telecom
Regulatory Authority of India, the Bill makes no express
provisions for the Data Protection Board's make-up and
conditions of appointment.
7) Whether the consent is needed where government agencies
provide commercial services?
It is reasonable to question the legality of the Bill's clause
allowing government health agencies and particular
companies like SBI, BSNL, and state discoms to handle data
without individual person authorization. On the one hand,
there may be circumstances where data processing by
government health departments is required for public health
objectives, such as handling health crises or disease
surveillance. Like this, some government organizations, such
as SBI, BSNL, and state discoms, may need access to
personal data in order to provide crucial services to the
general public. Nevertheless, the preservation of people's
privacy rights must be balanced with the legitimate objectives
of these organizations. In order to guarantee that data
processing by these organizations is necessary, reasonable,
and carried out in a way that protects people's privacy to the
greatest degree feasible, the Bill should give explicit and
precise explanations for such exclusions.
Ultimately, the appropriateness of these exemptions
depends on how effectively they are justified, implemented, and
monitored to protect the privacy and rights of individuals while
meeting legitimate societal needs.

25 Chapter II: Telecom Regulatory Authority of India, The Telecom Regulatory
Authority of India Act, 1997
26 Chapter III: Central Information Commission, The Right to Information Act, 2005.

CONCLUSION
The 2022 Bill represents a positive step towards data
protection, although its adoption is currently on hold. It strives to
balance various interests such as national security, public order, ease
of doing business, international diplomacy, technology
advancements, and data volumes. The Bill gives optimism for
safeguarding data principals' interests while acknowledging the
difficulties encountered by enterprises. Although there has been a
lot of curiosity, its ultimate shape is yet unknown. Aspects including
geographical and subject-matter application, definitions, extent, and
redressal procedures have been discussed.
However, certain concerns exist. The Bill provides a broader
scope for definitions related to data compared to the GDPR. The
open-ended exception granted to the government, particularly
highlighted during the launch of the Arogya Setu app for tracking
COVID-19 cases, raises concerns about the government's
responsibility in protecting personal information. The Bill may need
to address these shortcomings, as the government is given
considerable freedom to modify definitions and their scope. This
situation raises privacy concerns, especially considering the
government's access to sensitive personal data like fingerprints and
Aadhar card details.
During the formative stages of legislation, the Central
government requires flexibility for navigation. If reservations and
amendments can be seamlessly operationalized in their respective
contexts, the Bill has the potential to become a trailblazer among
global digital personal data protection laws.


CHAPTER 14

CYBER THREATS IN E-COMMERCE VIS-A-VIS DATA PROTECTION LAWS IN INDIA
Pratibha Singh 1, Mansi Gautam 2

“The growth of information and technology in the field of
communication led to a number of ethical and legal concerns that we
are still grappling with today. However, both private parties and the
government apparatus have a history of abusing this type of
technology. Personal information is now easily available,
approachable, and communicable on a worldwide scale due to
advances in information technology. This confluence of rapid transfer
of such personal information has created a new set of issues,
significantly raising privacy concerns in electronic transactions.
Concerns about privacy are inversely proportional to the rise of
electronic transactions. By 2020, India's e-commerce market is
anticipated to be worth $50 to 70 billion. This is evidence that all
corporate activity will be conducted through plastic cards, posing a
danger to private rights. Concerns about privacy necessitate proper
legal protection for privacy rights and the data available in online
transactions. As a result, the purpose of this chapter is to investigate
the adequacy of legislative data privacy protection in India, with a
focus on the rise and decline of e-commerce”.

INTRODUCTION

The sale and purchase of goods and services over the Internet
is known as e-commerce. Through the integration of
internal and external operations and the reduction of
transaction costs, e-commerce enables businesses to widen their
distribution networks, boost revenue, and make more money.
Numerous business sectors have adopted e-commerce.
Business-to-business (B2B) and business-to-consumer (B2C) are the
two main contexts in which it is used. Due to the early 1980s advent of
Electronic Data Interchange (EDI), the B2B sector is older and has
had faster growth than the B2C sector. Alongside the growth and
use of the Internet, the B2C sector is currently developing.
Business-to-consumer e-commerce describes online exchanges
between retailers and their end users. Business-to-consumer (B2C)
sales models are among the most common online. A typical B2C
e-commerce transaction involves a customer buying shoes from a
store on the Internet. Business-to-business (B2B) e-commerce, in
contrast to business-to-consumer (B2C) e-commerce, refers to
online transactions between businesses rather than between
individual consumers and businesses. Business-to-business (B2B)
transactions are conducted only between businesses; they are
not directed at end users.

1 Assistant Professor, B. M. S. College of Law, Bengaluru, Karnataka State Law
University, Hubli, (India)
2 B.A. LL.B (H), 3rd Year, Institute of Legal Studies & Research, GLA University,
Mathura, (India)

Protection of personal information and the right to privacy are
interdependent principles. The term "data protection" is used to
describe the body of regulations and protocols enacted to limit the
potential for privacy violations resulting from the collection,
storage, and dissemination of private information. Whether
collected by a government agency, a commercial firm, or another
entity, any information or data that may be used to determine the
identity of an individual is considered personal data. According to
Article 21 of the Indian Constitution, citizens have a basic right to
privacy. In the current situation, the data protection provisions are
limited to India's borders. Data is protected within the boundaries of
India by Sections 43A and 72A of the Information Technology Act.
Under these Sections, even data that has been transferred to India is
protected.3 However, sending data outside of Indian Territory is not
permitted when requesting security under these Sections. The
countries that India transmits sensitive personal data to for
processing are not required to have a strong privacy regime. In such
cases, India lacks jurisdiction.
Information and communication technology use has changed
society's culture and customs in a number of spheres of life,
including politics, education, and economics. Electronic commerce,
sometimes known as the digital economy, is expanding quickly in
tandem with these changes. The growth of e-commerce is an
emerging economic pillar for the country that must be sustained.
At least three factors make it important to strengthen
e-commerce legislation. First, information technology should be
used to facilitate economic expansion. Second, in order to meet the
needs of the community, it is necessary to alter outdated policies
that are ineffective. Third, the community must be shielded
from the consequences of illegal technology use.4

3 Soshte R.A., A Study of Data Protection and Implications for E-Commerce, Vol. 2
Issue 3, International Journal of Advance Research and Innovative Ideas in Education,
Gujarat, 2017.

APPLICATION OF E-COMMERCE
The widespread availability of the web has greatly boosted the
acceptance of online shopping. Shoppers can use their own devices
to browse the selection and make purchases from any given store.
The customer's browser and the server hosting the e-commerce site
will communicate back and forth as the order is being placed. The
deal manager, a centrally controlled computer, will receive the order
data. Then, it will be transmitted to the systems of financial
institutions, companies, stock inventories, and retailers making use
of payment processing applications like PayPal. The order manager
will receive a copy of the document. This is done to make sure the
item the consumer wants is in stock and the funds are available in
their account.
When a sale is finalised, the store's web server will be notified
by the transaction manager. After a successful transaction, the
customer will see a confirmation screen. Next, the order manager
will notify the appropriate departments (fulfilment or warehouse)
that the order is ready to be processed and shipped to the customer.
It is now possible to provide a customer with access to a service as
well as physical or digital goods. Internet-based marketplaces like
Amazon, which enable sellers to sign up for an account, software as
a service (SaaS) tools that enable customers to "rent" web store
infrastructure, and open-source programmes that organisations run
internally with the help of engineers are some of the technologies
that host e-commerce operations.

4 e-commerce, available at https://www.techtarget.com/searchcio/definition/e-commerce
(Visited on January 4, 2023)

TYPES OF E-COMMERCE
Business to Business (B2B)

If the design of your products or services is geared toward
addressing the demands of businesses, implementing a business-to-
business programme is your best option. This technique's more
crucial features are reaching out and networking. Large marketing
expenses are ineffective. Convincing established firms that your
products are an excellent fit for their process will be your most
difficult challenge.

Business to Consumer (B2C)


The development of electronic business interactions between
businesses and final consumers distinguishes the Business-to-
Consumer kind of e-commerce. It refers to the area of e-commerce
devoted to retail, which is where conventional retail trade often
takes place.5

Consumer to Consumer (C2C)


C2C (consumer-to-consumer) e-commerce, sometimes
known as online shopping, is the exchange of goods and services as
well as data through the Internet. These transactions are typically
handled by a third party that offers an online execution service.
Online retailers and classified ads are two examples of C2C
platforms. Craigslist and eBay are two instances of well-known
internet markets. This branch of e-commerce, which includes
websites like eBay, is frequently referred to as "consumer-to-
business-to-consumer" (C2B2C) trading. Both the online clothes
marketplace Depop and Facebook Marketplace enable consumer-to-
consumer purchases.

5 Types of e-commerce, available at https://bloomidea.com/en/blog/types-e-commerce
(Visited on January 7, 2023)

Consumer to Business (C2B)

Consumer-to-business (C2B) electronic commerce (also known as
"e-commerce" or "online business") refers to the practice of
businesses and individuals transacting business activities online.
This differs from the common business practice of selling
directly to consumers. iStock, a marketplace for selling royalty-free
photographs, photos, media, and building components, is a well-
known example of a C2B platform. Alternatively, you might look
for work through an online platform.

Business to Administration (B2A)

Online purchases between companies and public
bureaucracies or government entities are known as business-to-
administration (B2A) transactions. Different government
departments require various forms of e-services or e-products. Full-
time employment, social assistance, financial data, official
documentation, certifications, and banking details are common
topics addressed by these services and products. They are typically
made electronic by companies. Advances in e-government
capabilities have led to a boom in B2A firms in recent years.

Consumer to Administration (C2A)

Consumer-to-administration (C2A) engagements are online
interactions involving users and the government or the public sector.
People commonly contribute the following services and
commodities to the government, notwithstanding how infrequently
they do so:
• Social Security - dispersing data and making payments.
• Taxes - filing income tax returns and making payments.
• Health- scheduling appointments, communicating test results
and medical condition information, and paying for health
services.6

6 e-commerce, available at https://www.techtarget.com/searchcio/definition/e-commerce
(Visited on March 5, 2023)

M-commerce, also known as mobile e-commerce, describes
online transactions completed utilising portable electronics like
smartphones and tablets. Payments, banking, and shopping can all
be done on mobile devices. By enabling clients to execute
transactions via voice or text contact, mobile chatbots aid m-
commerce.

TRANSFORMATION IN E-COMMERCE
Electronic commerce was born out of a protocol for
exchanging commercial documents like purchase orders and
invoices electronically between businesses. This practice of placing
orders for supplies mostly through telex dates back to the Berlin
blockade and airlift of 1948–1949. Throughout the succeeding
decades, other sectors refined that framework, culminating in 1975's
publication of the first universal standard. The resulting electronic
data exchange (EDI) standard is adaptable enough to support the
majority of straightforward electronic business operations.7 The
earliest EC applications were developed as a result of innovations
from the early 1970s such as electronic funds transfer (EFT), which
enabled money to be transferred digitally from one organization to
another. However, only major firms, financial institutions, and a few
other bold businesses used these applications. Then, everyday
papers could be transferred electronically thanks to the development
of electronic data interchange (EDI), which broadened the usage of
electronic transfers beyond financial transactions. Financial
institutions, as well as other types of manufacturers, retailers, and
service providers, were added to the list of collaborating
corporations by EDI. These systems were called interorganizational
system (IOS) applications, and their strategic importance to
organizations is well acknowledged. The next wave of new EC
applications included anything from stock trading to reservations for
travel. The U.S. government launched the Internet as an experiment
in 1969, and the majority of its early users were government
organizations, academic researchers, and scientists. The term
"electronic commerce" was first used in the early 1990s, when the
Internet started to be used for business purposes and users flocked to
use the World Wide Web. Applications for EC grew quickly. A lot
of “dot coms”, or internet startups, also appeared.
The creation of new networks, protocols, and EC software was
among the factors contributing to this quick expansion.

7 virtual community, available at https://www.britannica.com/topic/virtual-community
(Visited on March 4, 2023)

From e-commerce to e-learning, the past two decades have
seen a proliferation of creative uses for the Internet. Most significant
firms in the United States have elaborate portals through which their
workers, business partners, and the general public can gain access to
a wealth of information about the company. There are potentially
tens of thousands of pages and links on many of these sites. The
focus of EC evolved from business-to-consumer to business-to-
business in 1999, and then from business-to-enterprise to business-
to-enterprise, consumer, government, educational, and mobile
markets in 2001.

E-COMMERCE AND THE NEED FOR CONSUMER PROTECTION


Every market in the world is acutely concerned about the
security of online shoppers. Electronic commerce, sometimes
known as e-commerce, is the practice of purchasing and offering
goods and services online. E-commerce increases output and
broadens consumer alternatives by lowering costs, fostering
competition, and streamlining manufacturing. E-commerce is
defined by Organisation for Economic Cooperation and
Development (OECD) guidelines from 1999 as online business
operations that include both communications, such as marketing and
advertising, and transactions, such as ordering, invoicing, and
payments.8 There are multiple facets to consumer protection in
online transactions, but the OECD-1999 standards highlight three in
particular. In order for the economy to thrive, people everywhere
must have the option to shop online. Second, improved
manufacturing process organization and more open and effective
consumer protection procedures are necessary to increase
consumers' trust in online shopping.
The Organization for Economic Co-operation and
Development (OECD) defined E-Commerce in 1999 as "all aspects
of doing business electronically," including "all forms of electronic
communication between buyers and sellers" (including marketing
and advertising) and "all electronic forms of commerce" (including
ordering, invoicing, and payment). There are multiple facets to
consumer protection in online transactions, but the OECD-1999
standards highlight three in particular. First, in order for the economy
to thrive, people everywhere must have the option to shop online.
Second, consumers need to feel safe and secure while shopping
online; it is therefore important to keep improving consumer
protections that are both open and effective. Third, there needs to be
a lot of focus on developing efficient redress processes from all
parties involved (government, corporations, consumers, and their
representatives). International business is the primary focus of these
rules (OECD, 2000).

8 Guidelines for Consumer Protection in context of Electronic Commerce,
https://www.oecd.org/sti/consumer/34023811.pdf.

Given the extensive accessibility of the web, the increasing
popularity of smartphones, and the exponential expansion of e-
commerce driven by social media, the OECD updated its guidelines
for consumer safety in 2016. By concentrating on non-financial
payments, electronic document items, consumer-to-consumer (C2C)
exchanges, mobile devices, privacy and security risks, financial
protection, and product safety, the 2016 proposals aim to address
these emerging challenges. It also emphasises how crucial it is for
consumer protection organisations to be able to collaborate
internationally and protect internet buyers. The e-commerce
industry faces comparable consumer protection issues, according to
UNCTAD's Notes-2017. The notes look at how governments might
foster greater consumer trust by adopting and enforcing relevant
laws, educating consumers, encouraging moral business conduct,
and working together internationally. The OECD and UNCTAD are
two international organisations dedicated to promoting fair and
competitive trade. Consumer International (CI), a network of some
250 consumer organisations operating in more than 100 nations,
was established in 1960 with the purpose of supporting and
defending consumer rights in international policy forums and the
global economy.9
European Consumer Cooperation Network (ECC-Net),
International Consumer Protection and Enforcement Agency
(ICPEA), and International Consumer Center Network (ECCN) are
some of the other top international organizations advocating free
and fair commerce worldwide. The current incarnation of ICPEN
has been in operation since 2002, and its members come from
consumer protection agencies in 64 countries (with India joining in
2019) with an additional 6 agencies serving as observers
(COMESA, EU, GPEN, FIAGC, OECD and UNCTAD). Its focus is
on consumer protection rather than financial services or product
safety regulation, and it works to disseminate information about
customer protection trends and exchange successful approaches to
enforcement agencies. Jointly led by the Federal Trade Commission
(FTC) and the International Center for Projects in Electronic
Commerce (ICPEN), the econsumer.gov programme addresses
cross-border cybercrime. Econsumer.gov, an international
organisation comprised of customer protection authorities from 41
different nations, deals with the following online frauds:
• Online shopping/internet services/computer equipment
• Credit and debit
• Telemarketing & spam
• Employment & money making
• Imposter scams: family, friend, government, business or
romance
• Lottery or sweepstake or prize scams
• Travel & holidays
• Telephones/Phone devices & Mobile services
• Other.10

9 Chawla N., Kumar B., E-Commerce and Consumer Protection in India: The Emerging
Trend, Journal of Business Ethics, United Kingdom, 2021.

Identity and financial data are prime targets for
cybercriminals. Scammers frequently target those who purchase,
sell, and trade goods and services online, which creates problems
for the industry as a whole. According to econsumer.gov data on
international online fraud complaints (Table 1), overseas frauds are
on the rise. By June 30th of this year, there were a total of 33,968
international allegations of fraud, totaling a reported loss of
US$91.95 million, down from 40,432 cases, totaling a loss of
US$151.3 million, and 14,797 grievances, totaling a loss of
US$40.83 million, five years earlier. Online shoppers frequently
experience problems such as fraud, incorrect product descriptions,
shipping delays, and refund requests. Based on the location of both
consumers and businesses, Figure 1 reveals that the United States
has the highest number of reported cases of online fraud. India
ranked second only to France in terms of consumer reports of
internet fraud, but seventh among businesses in terms of such
reports. Citizens from several countries, including but not limited to
the USA, India, Poland, Australia, the UK, Canada, Turkey, Spain,
and Mexico, lodged numerous complaints. The countries with the
most complaints were China, the UK, France, Hong Kong, Spain,
Canada, Poland, and Turkey.

10 Ibid

The claimed lost amount is larger than 60%, making the trend
a huge global issue. This essay examines consumer protection in e-
business in the context of India, inspired by the worldwide
landscape and viewpoints on it. This is due to the fact that India has
become a global leader in instances of online consumer fraud,
raising awareness of electronic governance systems that may have
an impact on the ease of doing business in the nation. In an effort to
prevent fraud and safeguard customers making online purchases, the
Act of 2019 and the E-Commerce Rule of 2020 have replaced the
Consumer Protection Act of 1986.


GROWTH OF E-COMMERCE
Despite the widespread belief that the advent of the internet in
1991 was responsible for the explosion of e-commerce, the concept
actually originated during the Berlin Blockade (24 June 1948-12
May 1949), when goods were ordered and airlifted via telex. Since
then, technological advances, the increased internet accessibility,
and widespread customer and business acceptance have all helped e-
commerce flourish and grow. The Boston Computer Exchange,
which launched its first e-commerce platform in 1982, handled the
first online transaction.11 Internet adoption is directly related to the
growth potential of e-commerce. E-commerce has mostly expanded
as a result of the rise in mobile device and smartphone usage around
the world. People are more adaptable and passive when purchasing
and selling online thanks to mobile devices.12 The historically
sluggish B2B industry is under pressure due to the expansion of the
millennial generation's digitally savvy workforce, the widespread
use of mobile devices, and ongoing e-commerce technology
optimisation.13 The ideal storm fueling the expansion of business-to-
consumer enterprises is set to hit the roughly $1 billion B2B e-
commerce sector. Since then, however, e-commerce has
revolutionized the retail industry around the world. Due to reasons
like the increasing spending power of customers throughout the
world, the constantly growing number of social media users, and the
constantly improving quality of infrastructure and technology, the
future of e-commerce appears more competitive than it has in the
past.
Buying online continues to be highly valued by consumers as
evidenced by the e-commerce expansion trend since 2015. With
more and more consumers taking advantage of buy-online-return-
local initiatives, internet merchants will increase their footprint.
There has been a global increase in e-commerce of 15% between
2014 and 2020, and this is expected to increase to 25% between
2020 and 2025. An even deeper dive into the e-commerce market
indicates that by 2020, over 60% of the population will have access
to the internet, and that roughly 42% of the population now has a
smartphone. Thirdly, those between the ages of 25 and 34 make up
31% of the user population, followed by 24% of those between the
ages of 35 and 44, and then 22% of those between the ages of 18
and 24. Because of the extensive infrastructure and networking in
the Asia-Pacific area, it accounts for more than 70 percent of
worldwide e-commerce.14

11 Azamat N., Rashad Y., Shahriar M., Behrang S., & Menon M., The evolution and
development of E-commerce market and E-cash, SSRN Electronic Journal, 2011.
12 Harrisson B., Jean P., & Dahl B., 10 E-COMMERCE TRENDS FOR 2018 Project:
Growth Strategies in an Omnichannel Retail Context, 2017,
https://doi.org/10.13140/RG.2.2.34264.19205.
13 Ibid

At US$740 billion, China is by far the largest contributor, but
the US contributes more than US $560 billion. Consumers in all
regions are looking beyond their boundaries, as seen by the
prevalence of cross-border internet purchases (Fig. 2). By July of
2020, 90% of shoppers will have visited an online store, 74% will
have made a purchase, and 52% will have done so through a mobile
device.
A lot of money may be made from the surge in online
shopping happening in Asia and the Pacific. The region dominates
the global business-to-consumer online market (UNCTAD, 2017).
By 2015, e-commerce accounted for 4.5 percent of the regional
GDP. To compete on a global scale, even small and medium-sized
businesses need access to worldwide markets, and e-commerce
provides that access. It has increased inclusivity across
demographic, economic, geographical, cultural, and linguistic lines
while also boosting economic efficiency in developing economies
and least developed countries. It's a positive step toward bridging
the gap between rural and urban areas.

14 Supra note at 6

The Asian e-commerce market is still highly diversified,
nevertheless. The Republic of Korea ranks fifth globally in terms of
e-commerce preparedness according to the UNCTAD e-commerce
index 2017 (score 95.5), while Afghanistan is ranked 132nd with a
score of 17 (UNCTAD, 2017). Asia has the largest pace of growth
in the global e-commerce business, according to research done in
2018 by the Asian Development Bank (ADB) and the United
Nations Economic and Social Commission for Asia and the Pacific
(UNESCAP). The region's B2C e-commerce market share was
shown to be much higher than the global average by studies
conducted by UNESCAP and the Asian Development Bank (2019).
The World Retail Congress (2019) published the Global E-
Commerce Market Ranking 2019, which ranked the top 30 e-
commerce markets based on a variety of metrics and determined
that the United States, the United Kingdom, China, Japan, and
Germany were at the top. Between 2018 and 2022, India had a
CAGR of 19.8%, good for 15th place. The results suggest that as
online retail evolves, businesses should place a greater emphasis on
catering to local tastes in product selection.

CYBER CRIME
The debate over whether cybercrimes call for new legislation
or whether the existing legal system is flexible enough to deal with
this new type of criminality effectively has started. According to
one school of thought, the only difference between cyber crimes and
regular crimes like trespassing, theft, and conspiracy is that a
computer has been employed as a tool or media for the conduct of
the crime.15 The opposing school of thinking places more emphasis
on the fact that emerging technologies bring with them unique
problems that are not addressed by existing criminal legislation.
These include the nature and breadth of cybercrime, the motivations
of those who commit it, the difficulty of identifying the perpetrator,
and the jurisdiction and enforcement issues that arise because of
these factors. It argues that existing laws are inadequate and that
new, sweeping legislation is required to address cybercrime.
Countries that are serious about stopping cybercrime typically use a
two-pronged approach, viewing cybercrime as both a new form of
conventional crime perpetrated using advanced technology and as a
distinct crime category necessitating a different set of laws. Because
of the internet's remarkable expansion, cybercriminals now have
access to hitherto unexplored territory. Ninety percent of
respondents (mostly major firms and government organisations)
reported having discovered computer security breaches in the
previous year, 74% reported having suffered financial losses as
a result, and 42 percent acknowledged having lost money totaling
$265,589,940, with an average total loss over the previous three
years of $120,240,180. Twenty businesses revealed, in response to
an annual security survey, that computer break-ins caused them to
lose more than $1 million.16 The annual cost of software piracy is
estimated to be $2.8 billion, and in 1996, criminals caused losses of
almost $650 million to the mobile phone sector by switching the
software status on cordless devices in order to make free calls.

15 Watkins, Computer Crime: Separating the Myth from Reality, C.A. Magazine, Jan
1981.

In another survey of those who facilitate online message
boards, 69% of respondents said they were worried about serious
security threats, and 50% of those people said they had stolen
$10,000 or more worth of property. Worse yet, 18% of respondents
blamed an insider or trusted party for the computer frauds, while
only 10% blamed an outsider for the crimes. The proliferation of the
internet has given rise to a new type of crime. Criminal behaviour in
this area includes hacking, software piracy, online paedophilia,
corporate espionage, credential cracking, spoofing, telephone
scams, e-mail bombing, spamming, pornography, and the
distribution of illegal or unlicensed goods and services. Theft of
credit cards through the Internet, cyberattacks, financial fraud, and
the use of encrypted chat services by criminals are all recent
developments. With the existing insecure digital payment
mechanism and lack of anti-money-laundering measures, there is a
significant risk of unlawful transfer from banks. Software piracy is a
boom business and video and photographic industries are sinking
day by day globally.17 It's common knowledge that criminals with
computer skills steal huge sums of money through nefarious means
enabled by the Internet, such as system intrusion, data theft, and
other malicious actions. We must ask: what exactly constitutes a
computer crime? Both the Indian Penal Code and the Information
Technology Act fail to provide a definition. Recent changes to
India's penal code have made it illegal to commit certain acts
without specifically naming them as cybercrimes. However, there
has been a lot of trouble elsewhere trying to define computer crime
because people don't agree on how broad or narrow the definition
should be. To add to the confusion, the terms "cyber crimes" and
"computer misuse" are frequently interchanged when referring to a
wide range of illegal computer-related behaviours, yet there is no
universally accepted definition for either term. Cracking, accessing
computers, corrupting data, distributing passwords and other
hacking tools, making and selling illegal copies of software, and
transmitting pornographic materials over the internet are all
examples of such activities. The term “computer crime” is invariably
used with “computer misuse”, “IT crime” or “cyber crime”. This is the
reason why the current trend is to use "computer-related crime" in
place of the phrase "computer crime".18

16 Lewis P.H., Losses from Computer Breaches are on the rise, a study finds, New York
Times, November 20, 1993.
17 David Teather, Pirates Sink Music Firms, Hindustan Times, April 21, 2001.

E-COMMERCE DATA PRIVACY: AN INDIAN LEGAL PERSPECTIVE
The terms "privacy" and "data protection" are closely related
in today's society that is equipped with technologies for
communication and information. Data about a person, including
his name, phone number, career, family, and preferences, as well as
his identification number, credit card information, and other details,
are revealed during electronic transactions and subsequently made
public on other websites.19 Although the authorised gathering and
storing of data only increases the likelihood that information privacy
will be lost,20 a person's right to privacy in their data is
essentially violated whenever their data is accessed, acquired, used,
abused, relocated, or transmitted to a third party without their
consent.
As a result, issues with privacy in online transactions may
stem from poor information transfer management. The law defines
what it means to be private, how it should be valued, and how much
of it should be protected by the law. It also specifies the
circumstances in which people can place a high value on their own
secrecy and safeguard it from unauthorised access by others.
Although it would be wrong to say that India lacks
legislation to handle cyberspace issues, the lack of any particular
regulation makes the security of personal information and data in
e-commerce exchanges appear unsafe and distorted. Many pieces of
legislation have been enacted by the Indian government to deal with
ICT issues, such as the Information Technology Act, 2000 and the
Information Technology (Amendment) Act, 2008, but they do not
comprehensively address the issues of information privacy and data
privacy.

18 General accounting Officer, Computer Related Crimes in Federal Programmes, 1976
19 Philip E. Agre & Marc Rotenberg, Technology and Privacy: The New Landscape,
Massachusetts Institute of Technology Press, USA (1997) (May 27, 2015).
20 Metzger M.J., Privacy, Trust and Disclosure: Exposing Barriers to Electronic
Commerce, Journal of Computer Mediated Communication, Vol. 9 No. 4, (2004) (May
27, 2015).

India lacks a thorough regulatory framework to address
privacy concerns in particular with regard to electronic transactions.
The Information Technology Act of 2000 was passed primarily to
support e-commerce; as a result, privacy is not one of the Act's
primary concerns.21
CLASSIFICATION OF CYBER CRIMES
Based on who or what is being targeted, cybercrime can be
broken down into one of three broad categories. It could be a crime
committed against a person, their property, or the government itself.
Hateful and threatening messages, stalking, slander, and the
distribution of pornographic content are all examples of cybercrimes
that target individuals. Unauthorised computer access, vandalism,
the distribution of hazardous software, and the unauthorised
ownership of computerised data are all examples of cybercrime that
affects property. Cyberterrorism is a more common name for the
third type of cybercrime.22
David L. Carter provides the most in-depth categorization of
computer crimes by dividing them into three categories.
• When a computer is the intended victim of a crime;
• When a computer helps a crime be committed; or
• When a computer is just a byproduct of a crime.

21 Mathur, S. K., Indian Information Technology Industry: Past, Present and Future A
Tool for National Development, Journal of Theoretical and Applied Information
Technology, 2006, http://perso.univrennes1.fr/eric.darmon/floss/papers/MATHUR.
22 Dubey A., Cyber Law and Terrorism, Souvenir, National Conference on Cyber Laws
and Legal Education, NALSAR University of Law, 2000.


Computer As Target Of Crime


This category of computer crimes aims at damaging a computer
system or stealing valuable information stored on the system and
includes:
1. Computer and computer system or computer network
sabotage;
2. Theft of data or information;
3. Theft of marketable information;
4. Intellectual property theft, such as computer software;
5. Blackmail based on computerised file information, such as
financial information, personal history, sexual preferences,
and medical information.
6. Unauthorised access to government and criminal justice
records.

Computer As An Instrument Of Crime


Computers are used to commit crimes that come under this
category of computer crimes. To mislead others, computer
programmes are modified. The category includes:
1. Using ATMs and their associated accounts fraudulently;
2. Frauds using credit cards;
3. Frauds involving electronic money transfers;
4. Frauds involving stock transfers;
5. Frauds involving e-commerce;
6. Frauds involving telecommunications.

Computer as Incidental to the Crime


The diverse applications of the Internet have made it incidental to
crimes that may be classified into two broad categories:
(A) Internet crime.
(B) Web based crime.

Internet Crime
The group of offences that misuse online infrastructure is
included in the category of internet crimes. These are:
1. Hacking.
a. Information theft.
b. Password theft.
c. Credit card data theft.
2. The launching of harmful programs.


3. Espionage.
4. Spamming.

Web Based Crime


Web-based crimes are classified as cyber crimes and have
their own category. They are further classified into 4
subcategories:
(a) Crime committed on websites, including
1) chat fraud,
2) insurance fraud,
3) gambling,
4) pornographic material distribution;
5) The sale of illegal software;
(b) Crimes committed by email include:
1) threats;
2) extortion;
3) email bombing;
4) defamation; and
5) the introduction of dangerous software.
(c) Usenet-related offences:
1) The distribution or sale of pornographic content;
2) The sale and distribution of pirated software;
3) A discussion of hacking techniques;
4) The sale of credit card information;
5) Theft of data sold.
(d) Internet relay chat crime:
1) Cyber stalking.
2) Fraudsters establish relationships with unknowing victims in
chat groups.
3) Criminals meet there to coordinate schemes.
4) Hackers use it to discuss and demonstrate their knowledge.
5) Paedophiles recruit young children into chat rooms.23

TARGET OF COMPUTER CRIME


How someone gets online, what kind of computer they have,
how many and what kind of security measures they have in place,
and what kind of user they are (school, government, company,

23 Ahmad F., Cyber Law in India (Law on Internet), New Era Law Publication,
Faridabad, 2011, pp 307-309.


home) all contribute to the potential for Internet abuse. In most
cases, computers that use an ISP to connect to the internet are safer
than those that bypass such a middleman and go straight to the
internet. Furthermore, businesses and government agencies are the
most likely targets for hackers, followed by schools and private
homes. The usual victims of computer crimes are:
• computers utilised by military and intelligence organisations;
• commercial houses' computers targeted by rivals;
• banks' and other financial organisations' computers targeted
by white collar criminals;
• government or service sectors targeted by terrorists or
cybercriminals;
• businesses, factories, or trading firms targeted by dissatisfied
staff;
• universities, scientific organisations, and research institutions
targeted by students, industrial, or business organisations.24

CHALLENGES OF CYBER CRIMES


Unlike the real world, cyberspace knows no borders. This has
been a huge help to criminals who engage in illicit activities on the
web without worrying about being tracked down. The issue is made
more complicated by the fact that law enforcement agencies have
little to no understanding of how the internet actually functions.
Generally speaking, cybercrime presents four types of difficulties:
1) First, there are the legal hurdles, which require existing
legislation to be used as a means of investigating and
regulating cyber crimes;
2) Second, there are the operations and maintenance hurdles,
which call for a unified, well-trained, and well-equipped force
of forensic experts to operate and coordinate at the
international and national levels.
3) Thirdly, there are technical obstacles that make it difficult for
law enforcement to track down and prosecute cybercriminals.
Crimes committed online frequently occur on a global scale,
spanning multiple countries. Criminal behaviour is judged
differently in different countries. Because of the ease with which
wrongdoers can remain anonymous online, it is also difficult to

24 Ibid pp 309-310


track them down. As a result, cybercrime presents its own set of
challenges that are distinct from those presented by more
conventional forms of criminal activity. Creating uniform laws at
the federal level is not sufficient to address these offences. Any
violation of or offence under the IT Act that is committed outside of
India is subject to the full force of the law. This aspect of IT is
commonplace. Other jurisdictions' IT laws also contain provisions
along these lines. This provision, however, can only work if
enforcement agencies and governments around the world work
together.

CYBER CRIMES RELATED TO E-COMMERCE


With new ways of doing business like banking, retail, etc. that
rely on electronic media, the internet is like candy for
cybercriminals. Companies that move their businesses online are
happy about their growth, but they are also worried about security.
Cybercriminals could steal all of their information and money. E-
Commerce is different in how it works, so it has its own challenges
and risks. Because there isn't a physical presence, fraud and other
crimes are more likely to happen. In India, there are a lot more
reasons why E-Commerce cyber frauds can't be stopped. The cost of
cyber crimes will keep going up as more business functions move
online and as people and groups from all over the world gather in
cyber space. The risk of intellectual property theft goes up, which
can lead to copies of products that use the same technology. This is
a huge loss for the original company because it lowers the rate of
return on their innovations.

UNAUTHORIZED ACCESS
An individual can be sued for up to one lakh crore in penalties
if they use or gain access to a personal computer, computer
programme, or network node without the owner's or the individual
in charge's consent.
Computer refers to any high-speed information processing
gadget or system that uses electronic, magnetised, or optical
impulses to manipulate data. It also includes all input, output,
processing, storage, computer software, and communication
facilities that are linked to the computer as part of a computing


system or networked computer.25 A device or group of devices,
including input and output support devices, that contain software
programmes, electronic directions, input data, and output data, and
carry out logic, arithmetic, data storage and retrieval, interaction
control, and other tasks are referred to as a computer system.
Calculators that cannot be programmed or used together with
external files are excluded from this definition.26
The expression “computer network” means the
interconnection of one or more computers or computer systems or
communication devices through:
1. Terminals or a complex made up of two or
more connected computers or devices for communication,
whether or not the connectivity is constantly maintained.
2. The use of satellite, microwave, terrestrial line, wire, wireless,
or another form of communication medium.27
Without proper authorization, accessing a computer, computer system,
or computer network is criminal. This
applies regardless of motive. To file a claim, the complaining party
must provide evidence that the defendant gained unauthorised
access to a computer, computer system, or computer network. He
need not demonstrate any kind of loss as a result of this. Access is
defined as "entry into, instruction of, or communication with the
logical, arithmetic, or memory performance capabilities of a
computer, personal computer, or computer network" in Section
2(1)(a) of the IT Act. According to this clause, it is irrelevant why
an unauthorised user gained access in the first place. Even if the
accused was found to have just switched on a device without the
consent of the owner or person in charge of the computer, the
requirements of this section would have been met. To that end, it
will be against the law to: (a) power on a computer, (b) run an
application stored on a computer, (c) examine data stored on a
floppy or CD-ROM, (d) print something from a computer, (e)
access the internet, and (f) ping a computer.
Assistance in an unauthorised entry is prohibited by Section
43(g) of the IT Act. One who aids someone in breaching the
security of a computer, computer system, or computer network
without the consent of the owner or other person in control of the

25 Section 2(i) of IT Act, 2000.
26 Section 2(i) of IT Act 2000.
27 Section 2(j) of the IT Act.


computer, personal computer, or network device may be held liable
for damages of up to Rs. 1 crore.
It's still not clear how the courts will understand these rules.
But it seems that: (a) websites like AntiOnline.com give information
on how to get unauthorised access; (b) websites like BO2K.com and
Anticode.com give tools that can be used to get unauthorised access;
(c) search engines like Altavista.com, Rediff.com, and Google.com link
to websites that make it easy to get unauthorised access;
(d) employees make holes in their employers' computers on
purpose to allow unauthorised access; and (e) employees make
their employers' security measures less effective on purpose. Both
of these actions would be considered helping unauthorised access.
The survey of 6266 cases of computer crime and abuse from
January 1, 2001, to December 31, 2002, shows that 19% of all cases
involved unauthorised access. This includes cases where no data
was thought to have been stolen or taken without permission. People
who committed the crime used a variety of methods, such as
malicious code (38%), social engineering (29%), taking advantage
of remote dial-in vulnerabilities (18%), and internet-based attacks
(15%). 55% of the unauthorised access was caused by rival
organisations, and 15% could not be found. There are different ways
to get access without permission, such as packet sniffing, tempest
attack, cracking a password, and buffer overflow.

DISHONESTLY RECEIVING STOLEN COMPUTER RESOURCE
Anyone caught receiving or keeping a stolen computer
resource or communication device dishonestly is subject to a fine of
up to one lakh rupees, a term of imprisonment of up to three years,
or both.28

Identity Theft
The offence here is the theft of any part of a person's
identity that is closely linked to that individual. Use of another
person's electronic signature, password, or other kind of unique
identity to impersonate that person is also included. However, it is
essential that the person who is accused of using an electronic
signature, a username and password or unique identity feature did so

28 Section 66-B of IT Act, 2000.


dishonestly or fraudulently.29 This means that the accused will be
found not guilty unless and until it can be shown that he acted with
the necessary mens rea. Anyone found guilty of fraud or dishonesty
with another person's electronic signature, password, or identifying
feature is subject to either imprisonment of either description for a
time which may extend to three years and/or a fine which may
amount to one million Indian rupees (about $1,500).

Violation of Privacy
The amendment act of 2008 created the crime of privacy
breach. Whoever violates another person's privacy by purposefully
or knowingly taking, publishing, or transmitting a picture of a
private area of that person—either with or without that person's
consent—shall be punished with up to three years in prison, a fine
of no more than 2 lakh rupees, or both.30
This section holds any person accountable for invading
privacy if he commits any of the acts listed in that provision
willingly or knowingly, implying that the mental element is critical in
assessing the accused's responsibility. The commission of this offence
requires a specific mental state.
Under this rule, a person is accountable even if he just captures an
image of the victim's private area without publishing or
transmitting it. He will also be held accountable under the IT Act,
regardless of the device he used to capture or transmit the image.
In order to clarify the expressions used in the provision, a
thorough explanation is supplied alongside it. The verb "transmit"
refers to sending a visual image electronically with the intention that it
be viewed by the intended recipient or recipients.31 "Capture" refers
to the act of taking a picture, videotaping something, or making any
other kind of recording of an image.32 The term "private area" refers
to the female breast, buttocks, or pubic area that is not covered by
clothing.33 "Publisher" refers to a person who makes anything
available to the public by reproducing it in printed or electronic
form.34

29 Section 66-C of IT Act, 2000.
30 Section 66-E of IT Act, 2000.
31 Section 66-E(a) of IT Act, 2000.
32 Section 66-E(b) of IT Act, 2000.
33 Section 66-E(c) of IT Act, 2000.
34 Section 66-E(d) of IT Act, 2000.


The grounds under which privacy can be considered breached
have also been outlined. It refers to situations in which a person can
reasonably expect:
1. Any portion of his or her private area would not be
accessible to the public irrespective of whether that individual
is in a public or private setting.
2. He or she could undress in privacy without worrying that an
image of his or her private area was being captured.35
The foregoing discussion makes it very evident that the
victim's physical location is not the deciding factor in determining
whether or not their privacy has been invaded. It's the level of
seclusion one anticipates in any given setting, regardless of whether
it's intended for private or public use. This clarification is rather
general. Since it is illegal to reproduce an image of a private area
in printed or electronic form, this law applies not just to cyberspace,
for which the IT Act was enacted, but also to the physical world.

Internet Fraud
Although the term "internet fraud" is very broad, the IT Act
does not contain a specific definition of it. This phrase may also
refer to other offences that are specifically mentioned in the IT Act.
The types of online scams vary, making it difficult to maintain a
classification system for them. 36 Fraud involving credit cards has
reached hazardous levels all around the globe. Unsent and
undervalued services, damaged, faulty, misleading or undelivered
commodities, auction sales, pyramid schemes, and fraudulent
marketing of goods are the ten most widespread frauds recorded in
the United States, with fraud involving credit cards being the most
frequent.
In F.T.C v Craig Lee Hare, 37 the defendant engaged in
dishonest business practises. He set up a fake online auction for the
selling of never-delivered computer items. The defendant admitted
to wire fraud and was given a sentence of three years of probation,
six months of home detention, and a $22,000 fine. Additionally, he
was permanently prohibited from engaging in online business.

35 Section 66-E(e) of IT Act, 2000.
36 Supra note at 17, pp. 350.
37 S.D. Fla. 4/98 (USA).


In U.S. v Pirello, 38 the accused was discovered selling
computers online fraudulently. He was looking for computer
customers and had posted four adverts on online classifieds
websites. Pirello got three orders, paid for them with his own
money, but never delivered any machines. The defendant was found
guilty of fraud by the court for utilising an online website to solicit
orders for machines that didn't exist.

CONCLUSION
By the end of this year, India is expected to surpass the US as
the second-largest Internet market in the world with 500 million
users online, helped by a rapid increase in Internet usage on mobile
devices.39 In the current context, information technology is rapidly
growing, as are cyber crimes. Our position is lopsided: given
the speed of technology, our rules are ineffective, so we
require a law that will fight cybercrime while also protecting
consumers' privacy rights.
The current issue is that privacy abuse persists on a large and
persistent scale despite the presence of the statutory framework and
the efforts of national and international data protection agencies and
organisations, since the current laws are not capable of being
enforced effectively.40 We can cite other explanations, such as how the
internet has expanded purchasing parity in recent years. Many
consumers do not want to bear more burdens because, nowadays, if
a consumer purchases products from the internet, the goods will be
delivered to his door the next day, saving the consumer time and
energy. On the one hand, this method has brought additional
benefits, but on the other hand, without the consumers' awareness,
their information is transferred and misused by different companies
or inside the companies.
Personal information is in danger. In recent years, the
majority of governments around the world have come to understand
that the issue of privacy violations affects every nation, not just one.
It decides that international acceptance of privacy violation shall be

38 255 F. 3d 728 (9th Cir. 2001) U.S.A.
39 ‘Deccan Herald’, ‘India to have over 300 million internet users by year–end’, Saturday,
November 22, 2014, pp. 15.
40 Madiwalar M.B., & Reddy B.S., Privacy Rights and Data Protection in Cyberspace
With Special Reference to E-Commerce, Bharati Law Review, April-June, 2017.


determined. The hard reality that needs to be recognised is this.
Laws in many nations, including India, have not kept up with
technology, leaving enormous gaps in protection. It is our
responsibility to implement computer technology in a way that
strengthens and supports those ideas rather than subverting them.


CHAPTER 15

TECHNOLOGY REVOLUTION FACILITATING CYBERCRIME
Dr. Vijaishree Dubey Pandey 1, Muskan Gautam 2

“We are living in a technological era, in which innovations are
becoming digitally altered and spread widely at a faster rate. As an
outcome of this, the entire society is getting encircled by gadgets.
Criminals also are incentivized by advanced technology; the relationship
between technology and criminality is now being turned with the
rise of cybercrime with the aid of technological devices: laptops, desktop
machines, smartphones, and the list goes on. The nature of
crime continues to remain the same, however the technique has
changed dramatically; the criminals are now engaging advanced
technologies to reach out to victims instead of physically visiting
them”.

INTRODUCTION

When did cybercrime start? The evolution and expansion of
cybercrime seem to be straightforward to follow, as does
the simultaneous evolution of the Internet itself. Of
course, the very first offenses were the necessary hacks to access
data from nearby networks; however, as the Internet has
evolved, so did the attacks. Although cyberattacks
existed before then, the first major increase in cybercrime occurred
in the late 1980s with the spread of electronic mail. It has facilitated
the delivery of several different scams and/or viruses to your
mailbox.
The next wave of cybercrime history took place in the 1990s
due to the development of web browsers. The days were at that time
a lot more. There had been much larger populations to pick from

1 Assistant Professor, School of Law, Christ University, Ghaziabad, (India)
2 B.Com. LL.B (H), 3rd Year, Institute of Legal Studies & Research, GLA University,
Mathura, (India)


than there are now, and the majority were exposed to infections.
While in doubt, viruses were distributed through Internet
connections when they were made available. As social media
became more popular in the early 2000s, cybercrime became
rampant. The increase in individuals throwing all the information
they could into a profile folder tends to lead to an increase in
personal information and the emergence of ID fraud. Thieves have
used this information to set up bank accounts, acquire credit cards,
and get involved in other forms of financial fraud. The formation of
an annual multinational criminal organisation of about $500 billion
is the new trend. The criminals operate within gangs, using
well-honed strategies, and targeting everyone as well as everything
that has an internet existence.3
Technology is booming and fresh, making cybercrime more
difficult to detect. In the past few years, 689 million people across 21
countries have encountered cyberattacks in their day-to-day lives. It
has spread to the point that many individuals are equally worried
about online and offline hazards. The majority of individuals think
that being safe online has been harder over the previous five years
than it has in the "real world." Indians are quickly overtaking other
countries as the top users of several mobile apps and websites. It is
reportedly more difficult to maintain security, according to several
security service companies. Therefore, it is very advantageous for
cybercriminals to attack online using fake apps that are posted to the
Android Market.
As the use of portable gadgets for banking becomes progressively
essential, hackers have already started incorporating
more sophisticated features in their own internet banking
malware. "By remaining unrecognized, they obtain much more than
just credit card information and bypass security mechanisms," says
Nilesh Jain, Trend Micro's vice president for Southeast Asia and
India. One of the most famous cases of cybercrime in the virtual
world is the "Blue Whale Challenge" game, invented by
21-year-old Russian Philipp Budeikin and played by young
people in the virtual world, which took approx. 130 lives worldwide
between 2015 and 2016. Location monitoring is required by 46% of
the top Android applications and 25% of the top iOS apps,
3 Grove, G. D., Goodman, S. E., & Lukasik, S. J. Cyber-attacks and. Survival, Vol. 42,
Issue 3, 2000, pp.89-103.


according to Symantec, as opposed to 45% of the top Android apps
and 25% of the top iOS apps. Popular iOS applications (24%) and
Android apps (46%) both request access to the device's camera,
while 44% and 48%, respectively, provide email addresses.4
Due to the coronavirus pandemic, many organizations have
become more vulnerable to cyber-attacks. Review environments
that have been released, processes and procedures that have been
revised, and employee profiles that have changed.
All criminals look for vulnerabilities, and the Internet is the same
as before. Your fortifications can have holes that can be exploited
on both a systemic and human level. In addition to the pandemic,
there have been a number of serious data breaches at well-known
organisations during the past five years.5 Businesses must become
more ready and capable of spotting and addressing online dangers.
Even larger companies that make significant IT security investments
must always stay on top of the changing cyber threat scenario.6
Everything has shifted to the internet in our modern digital
society. Whether it's obtaining information or saving data, we utilise
the internet to assist us in our daily activities. We are more
susceptible to online attacks as a result of our growing participation
in the digital world.
There is no denying that cybercrime is expanding rapidly. The
personal information of Internet users is compromised and used by
criminals or hackers on the World Wide Web. Last year, 85% of
worldwide industries were susceptible to phishing and social
engineering assaults. The quantity tends to grow with time. With the
development of new technologies and cyber techniques, online
thieves are getting stronger. They frequently break into private
information and target the Internet. In this chapter, we will describe
cybercrime and analyse various kinds of digital attacks. Further, we
discuss the history of cybercrime, how cybercrime disseminates,
and its effect on society. With the advancement of cybercrime,
technological advancement has advanced in a linear way. A few
strategies for data protection from cybercrime

4 Marvin, C. (1988). When old technologies were new: Thinking about electric
communication in the late nineteenth century, 1988, Vol.4, Issue 1, pp.88-97
5 Chaubey R.K., Cyber Crime and Cyber Law, Kolkata: Kamal Law House, 2008,
pp712 to 714.
6 The Information and Technology Act, 2000.


have been implemented. But even so, cybercriminals continue to
find new ways to violate the security. Cyber attackers also work
together on particular components with the goal to open a defence
mechanism from a system. Cybercrime employs spy agencies or
investigators in order to increase profit. All these things will be
substantially discussed in this chapter.

DIFFERENT CATEGORIES OF CYBERCRIME


The term "cybercrime" is used broadly to describe criminal
activity that uses computers or computer networks as a tool, goal, or
venue—including the usage of computers themselves. The phrase is
a general one that covers offences like kidnapping kids through
chatroom frauds. It also addresses the use of networks and
computers to support criminal activity.
In order to aid investigations into cybercrime, the US
Department of Justice classifies cybercrime as happening when a
computer is used towards a target or when the use of computers is
an accidental aspect of other crimes. Tech-savvy people abuse
computer networks to carry out a range of illegal activities on the
Internet. These categories include unlawful activities that might be
accomplished in various ways, but criminals opt to do so by using
computers. According to information from Europol and the EMCDDA (the
European Monitoring Centre for Drugs and Drug Addiction), for
instance, the primary types of darknet crimes include drug
trafficking, the sale of counterfeit goods, the theft of personal
information, and the use of weapons.

A. Financial Fraud Through the Internet


Notwithstanding the reality that organised crime organisations
are prevalent in many sorts of unlawful activities, the criminal
environment seems to be more diversified. Particular focus has been
placed on organised criminal organisations' utilisation of
cyberattacks as a tool for activities which include trafficking in
drugs and money laundering. This type of crime includes the usage
of digital currencies including Litecoin, Bitcoin, Bitcoin Cash,
Monero, and Ethereum. The Electronic Frontier Foundation (EFF)

and the Digital Millennium Copyright Act (DMCA), both of which
are American laws, endorse this.7

B. Cyber Terrorism
Terrorist groups have made it apparent that they would carry
out significant assaults if they can, and they are enthused about the
concept of cyberterrorism and cyberwarfare. Although many
terrorist groups lack the resources to plan significant hackers-
terrorist attacks, they have made efforts to develop the technical
know-how necessary to carry out devastating attacks.8

C. Online Child Pornography


Child pornography refers to any portrayal of a child's genital
organs for primarily sexual objectives, whether it depicts actual or
fictional explicit sexual activity. The sale and dissemination of child
pornography are regarded by law enforcement authorities and
international organisations across the world as highly serious
crimes. The prevalence of offences involving child pornography has
increased as a result of the advent of personal computers and the
Internet. The sort of individual who conducts these crimes often has
a clean record or no legal record in relation to sexual misconduct or
the sexual assault of children. However, depending on the specifics
of the alleged act, they may be detained and charged if child
pornographic evidence is discovered.

D. Online Bullying
Online harassment has become a serious threat to many people's
safety and wellbeing as a result of the Internet's widespread use in
daily life. Threatening emails, verbal or physical violence, and
disclosing information online are all examples of online
harassment. Online harassment can also take place when someone
sends threatening messages via a phone or computer, sometimes
under an assumed identity.

7 Preliminary Consultation Paper on Mobile Phone Theft, Telecom Regulatory
Authority of India, New Delhi, January, 2004, pp. 4-5.
8 N. Scaife, P. Traynor K. Butler, "Making sense of the ransomware mess planning a
sensible path forward)", IEEE Potentials, vol. 36, no. 6, pp 28-31, 2017


Online harassment is defined as Internet trolling, online
predatory activity, cyberbullying, spreading obscene or objectionable
information without a licence, as well as harassment and threats.
In contrast to physical bullying, cyberbullying is frequently
targeted at young people and can result in tactics, humiliation, as
well as shame digitally.

E. Targeting a computer
Criminal behaviour involving networks, computers, and
other networked devices is called cybercrime. In this category, computers
are infected with computer viruses, which then propagate to
servers, networks, and other computer systems inside a network.
When the computer itself is the principal target of an illegal act, the
target is usually a network or computer system. Computers are the targets
of DDoS attacks and viruses.

F. Computer Use as a Tool


When people are the main targets of a crime, the computer is
classified as a tool. Such cybercrimes require
substantially less technological know-how. Spam, phishing scams,
and identity theft are some online crimes that use computers as a
weapon.

G. Cyber Stalking
When a targeted person is stalked or tormented online, this is
referred to as cyberstalking. It might be seen as a development from
online bullying as well as stalking in person. However, it typically
manifests as persistent, deliberate, and systematic texting, emailing,
postings on social media, and other kinds of communication.
Sometimes interactions that at first glance seem innocent
develop into obtrusive or terrifying cyberstalking. Although some
people find the initial stages of cyberstalking amusing and harmless,
it loses its amusement value when interactions continue despite the
target's indications of annoyance and requests that they stop.9
9 Hakim, M., "Plight of Youth Perception on Cyber Crime in South Asia", American
Journal of Information Science and Computer Engineering, Vol. 2, Issue 4, 2016,
pp. 22–28, ISSN: 2381-7488.

Cyberstalkers employ a range of strategies and methods to
degrade, harass, dominate, and intimidate their victims. Many
cyberstalkers are both technologically astute and inventive in their
approaches. Here are some instances of possible cyberstalking:
• Posting harsh, provocative, or insulting remarks online
• Sending the victim obscene, vulgar, or threatening emails or texts
• Registering with the victim's groups and forums
• Revealing private data about the victim online
• Using tracking devices
• Following the victim's online activities at all times
• Threatening or blackmailing the victim through technology
• Involving the victim excessively in pointless posts
• Taking part in all of the victim's internet posts
• Making phoney social media accounts to keep tabs on the victim
• Posting or sharing images of the victim, whether they are genuine or phoney
• Giving the victim a lot of graphic images of oneself
• Making false posts to humiliate the victim
• Texting the victim repeatedly
• Hacking into the victim's internet accounts
• Attempting to obtain the victim's graphic images for ransom.10

THE INTRIGUING PAST OF CYBERCRIME

The first cyberattack technically took place in France in 1834,
long before the internet ever existed. Hackers got access to the
French telegraph system and stole capital market information.
Ever since, cybercrime has grown at an enormous speed,
characterised by a fascinating evolution of tactics, strategies,
and techniques, all used for malicious benefit.
Even so, cyberattacks did not become widespread until the
mid-twentieth century. As a consequence of the digital revolution,
cybercriminals became technology's early adopters,
using their head start and ingenuity to devise ever more devious
techniques for separating organizations and people from their
documents and money.

YEARS    CRIMES
1962     The current era of cybercrime began when Allan Scherr launched a cyber-attack against the MIT computer networks, stealing login credentials from their database, mostly using punch cards.
1971     The first ever computer virus was created by Bob Thomas, the founder of BBN Technologies, for research reasons. The Creeper virus, a self-replicating program that foreshadowed the potential for viruses to cause serious harm to computer networks, was found on the ARPANET in 1971.
1981     After successfully breaking into AT&T's internal systems and causing havoc by altering the clocks on their computers, Ian Murphy became the first person to be found guilty of a cybercrime.
1988     Altering the clocks on AT&T's computers by breaking into their internal systems and wreaking mayhem.

10 Paul, P. K., & Aithal, P. S., “Cyber Crime: Challenges, Issues, Recommendation and
Suggestion in Indian Context”, International Journal of Advanced Trends in
Engineering and Technology (IJATET), Vol. 3, Issue 1, 2018, pp. 59–62, ISSN: 2456-4664.

New Technology Brings New Crime in the 1990s


The internet connected individuals across different
communication systems wherever they were on earth in the
1990s, ushering in some of the finest communication technologies
ever devised by mankind.
It wasn't all good news, however. These developments
increased the power of cybercrime. As these novel innovations were
being created and built, criminals and malicious actors profited
from the fact that trust and security controls
weren't initially a major concern. The major focus of these early
years was on creating revolutionary technologies for
communications and commercial efficiency, while cybercrime was
not yet a concept, or even an active field. Nonetheless, an
underground economy was gradually gaining strength.
Rising cybercrime rates11 indicated that attackers were
becoming more sophisticated. Now that they had new opportunities,
they were coming up with new strategies to enter systems without
authorization and modify data online.
Some notable cybercrimes from this decade are listed below:

11 "Survive and Thrive: A Stochastic Game for DDoS Attacks in Bitcoin Mining Pools",
available at 10.1109/TNET.2020.2973410 (visited on November 5, 2022).


1994     Using a "password sniffer" programme, DataStream Cowboy and Kuji, a 16-year-old British student and his accomplice, launched a series of attacks against the Air Force's Rome Laboratory while obtaining research data that served as attacking instructions for jets in combat.
1995     The first documented hacker to attempt to rob a bank, and a pretty sizable bank at that, was Vladimir Levin. He gained access to Citibank's network and carried out several illegal activities there. In total, he moved more than $10 million into numerous accounts at banks all over the world.12
1995     In order to get access to Motorola's and Nokia's business networks, among other huge networks, Kevin Mitnick, one of history's most prominent hackers, manipulated people and used insiders.
1998     Under false pretences, Max Butler, a security consultant for the FBI among others, broke into websites run by the US government. Officials were made aware of his crimes by the US Air Force, and he was given an 18-month term. Later, he received a 13-year sentence, a record for a hacker, for yet another illegal venture.
1999     Before the Melissa Virus struck in March 1999 and affected users all across the internet, the general public was largely unaware of computer viruses. The Melissa Virus corrupted users' Microsoft document files and resulted in an estimated $80 million in losses.13

12 A.J. Burns, M.E. Johnson, D.D. Caputo, “Spear phishing in a barrel: Insights from a
targeted phishing campaign”, Research Gate, Journal of Organizational Computing
and Electronic Commerce 29(1):24-39.


Cybercrime has Increased in the New Millennium (2000s)


In the first ten years of the new century, we saw an increase in
sophisticated attacks and an abundance of advanced persistent threat
actors (APTs), the majority of which were funded by nation-states.
Cybercrime evolved, resulting in the development of viruses
and worms that severely hurt key sectors of the worldwide
digital economy. By the end of the decade,
cybersecurity was a concern for all computer users, but large
corporations and governmental organisations were particularly
concerned because they stood to suffer the most. The ten most
significant cybercrimes are listed below:14

2000     Michael Calce, a 15-year-old hacker also known online as "Mafiaboy," launched several distributed denial of service (DDoS) attacks on some of the largest commercial websites in the world, such as eBay and CNN. The attack cost these companies countless millions of dollars and forced the websites to go offline for hours in certain cases.
2005     .4 million HSBC Bank MasterCard users' personal information was exposed as a result of a security flaw at a United States store.
2008     In one of the worst hacks ever, Heartland Payment Systems was targeted using a combination of SQL injection, password sniffers, and malware, compromising the personal information of 134 million people.

The Decade of the 2010s Has Seen an Explosion in Cyberattacks

Cybercrime has skyrocketed in the last ten years, transforming
what was once a cottage industry into a huge multinational industry.
Attackers created new hacking programs and tools, boosting both the
rate of cybercrime and the number of attacks per day. A
trillion dollars had been lost. Cybercrime was not the only
industry that experienced rapid growth. As the illusion of presumed
digital security subsided, organisations started to
employ more cybersecurity experts in order to mitigate the danger of cyber
assaults. In addition, a new discipline called ethical hacking
evolved as a result of the ongoing need for data security, with the
primary objective of identifying vulnerabilities before they are
maliciously exploited.
The diversification and heightened complexity of
cyberthreats, as well as how they are used, put organisations in a
difficult position when it comes to defending against attacks.

14 Ibid.

Billions of Dollars Have Been Lost Since 2020 to Today


2020 - Neiman Marcus informed 4.7 million customers that
personal information including login details, passwords, user names,
contact details, credit card numbers, dates of expiration, and digital
card numbers had been compromised, one of the worst data breaches
that occurred in 2020. Attackers gained access to a wealth of
personally identifiable information as a result of these data
breaches, including financial information, software source code,
and usernames and passwords.
2021 - At the beginning of May, Colonial Pipeline was taken
down for a period of over three days by a suspected Russian hacking
organisation, an incident that helped spread the term "ransomware."
Colonial provides 45% of the petrol, diesel and jet fuel used on the
East Coast, so this was a serious blow. The cost of gas increased
nationwide, several fuelling stations ran out of petrol,
over-the-road deliveries were slowed, and there were accusations of
petrol hoarding. Enterprises on five continents were impacted by this
assault, which also resulted in the shutdown of public educational
institutions in New Zealand, a significant supermarket network in
Sweden, and the interruption of operations for hundreds of
enterprises in the US.
2022 - In the middle of September, the breach of
a major player in the gaming business exposed a staggering
quantity of information. The release of Rockstar Games' much-awaited
Grand Theft Auto 6 was derailed after a hacker going by the
handle "teapotuberhacker" gained access to Rockstar's secret
Discord channel and grabbed 90 videos of gameplay that was still in
development. However, this hacker was not finished.
On September 14, teapotuberhacker lived up to their screen
name in an extremely similar Slack attack when they, well, hacked
Uber. The attackers gained "pretty much full access to Uber,"
including email programs, corporate messaging, cloud-based
storage, and code repositories, which was even more extensive than
the breach at Rockstar.
Cybercrime is a lucrative business. This world of hackers,
malware, and brokers is now a trillion-dollar industry, the world's
number one threat, and shows no signs of slowing down.
More avenues for threat actors to exploit have opened up as a
result of the digital revolution, the global shift to a hybrid work
model, and the rapid adoption of the cloud. And their attack
methods are evolving, with new innovations keeping them one step
ahead of a cybersecurity industry determined to stop them.15
A ransomware attack is launched every 11 seconds in this day
and age. It's a battle. And it's being fought all over the world, 24
hours a day, seven days a week. But it's difficult to fight someone
you can't see, hear, or understand.

EFFECT OF CYBERCRIME ON SOCIETY


Our online presence is growing day by day. Whether we're
shopping for clothes online or buying groceries in a store, we leave
a digital footprint that online criminals are continuously seeking to
exploit. Globally, as internet usage has increased, so has the number
of cybercrimes. According to a National Crime Records
Bureau of India report, cybercrime in India increased by 84%
between 2018 and 2020. Cybercrime has an impact on both
individuals and large corporations. This article describes the
numerous negative effects of cybercrime on society.16

EFFECT OF CYBERCRIME ON BUSINESS


Businesses of all sizes are now dealing with the costly and
disruptive problem of cybercrime. Data breaches, ransomware, and
phishing scams are just a few of the many ways that cybercriminals
have learned to take advantage of technology flaws in order to steal
critical company data or demand money. These attacks can cause
not only financial loss, but also reputational harm, regulatory fines,
and long-term litigation costs.

15 O.E. Omolara, A.I. Oludare, S.E. Abdulahi, "Developing a modified hybrid Caesar
cipher and Vigenere cipher for secure data communication", Comp. Eng. Intelligent
Syst., Vol. 5, Issue 5, 2014, pp. 34-46, ISSN 2222-2863.
16 Supra note 12.


1.) Financial Losses


Businesses can suffer a variety of financial losses as a result
of cybersecurity breaches. These costs include notifying consumers,
engaging specialists to assess and repair the harm, and resolving
legal disputes. In addition to reputational harm, breaches can result
in revenue losses through plan delays or cancellations as well as
financial losses. Companies that fail to meet minimum security
requirements may also face significant fines from government
regulators. A cybersecurity compromise might, in some situations,
even compel a business to shut down.

2.) Reputational Harm


Cybersecurity breaches harm reputation when private
consumer data is taken or disclosed. This may lead to a decline in
customer confidence in the business as well as unfavourable press
that might damage its reputation and brand. Companies that do not
sufficiently secure customer data risk legal repercussions. When a
firm breaches its security requirements, customers may in some
situations file a lawsuit against the company. Organisations should
take every effort to safeguard themselves and their clients from
cyber threats because reputational harm caused by cybercrime can
be expensive and difficult to reverse.

3.) Customer Faith


Similarly, as a result of the breach, customers may no longer
trust the business with their private information and may choose to
take their business elsewhere. Negative publicity may also harm the
company's reputation, resulting in lost customers and revenue.

EFFECT OF CYBERCRIME ON INDIVIDUALS


In the past year, victims of cybercrime have lost 19.7 hours,
or the time four flights from New York to Los
Angeles would take, and have spent $126 billion worldwide. The number of
linked devices has increased dramatically over the past year, and
connectivity is increasingly necessary. In fact, many are willing to
take chances online just to get access to Wi-Fi. Additionally, it is
common for people to click on dubious links, share their passwords
with acquaintances, and access financial data over unsecure Wi-Fi
networks, all of which increase the susceptibility of the devices they
are connected to. In reaction to a possible phishing attack, 80% of
consumers took compromising actions that resulted in undesirable
outcomes, such as identity theft, credit cards opened in their names,
money taken from bank accounts, and unauthorised apps
downloaded on their smartphone.

Table 1: What are the Impacts of Cybercrime on the Society?


S/N  Impacts             Responses  Level of Argument
                                    SA     A      U      DA     SDA
1.   Child exploitation  N          120    70     0      10     0
                         %          (60)   (35)   (0)    (5)    (0)
2.   Harassment          N          100    80     10     0      10
                         %          (50)   (40)   (5)    (0)    (5)
3.   Digital Privacy     N          70     120    10     0      0
                         %          (35)   (60)   (5)    (0)    (0)
4.   Hacking             N          80     80     10     20     10
                         %          (40)   (40)   (5)    (10)   (5)
5.   Intentional damage  N          60     80     40     10     10
                         %          (30)   (40)   (20)   (5)    (5)

Results of Table 1: The majority of respondents (95%) stated
that pornography (child exploitation) is one way that cybercrime
impacts children, and just 5% of respondents disagreed with this
statement. A vast majority of respondents (90%) claimed that
cybercrimes also disturb society. This is where someone may abuse
others through text messages or social networks like Facebook using
a computer or a mobile device. A small percentage of respondents
(5%) also denied this impact on society, while the remainder (5%)
did not know about the crime. Another effect that cybercrimes have
on society is digital piracy; according to the results, the majority of
respondents (95%) agreed with this, while the remaining
respondents (5%) were unsure. In the same vein, a sufficient
percentage of respondents (80%) agreed that hackers pose a threat
to society as a result of cybercrimes. Most respondents report having
experienced it either personally or through others. One of the effects
of cybercrimes on society was intentional destruction, which was
also reported by 70% of respondents. A considerable majority of
respondents (85%) agreed that spam email is another outcome of
cybercrimes, while just 10% disagreed.17

NEED OF CYBERSECURITY MODEL


In order to safeguard electronic data, cybersecurity practices
comprise minimising information risks and vulnerabilities.
Information dangers can include, but are not limited to,
unauthorised entry, use, release, interception, and data destruction.
Cybersecurity is highly crucial in the digital era. The reason for this
is the rise in frequency and sophistication of cyberattacks. Our
dependence on technology makes us more vulnerable to these
attacks. Cybersecurity helps to secure our information and
infrastructure from these dangers.

Cybersecurity in the Digital Age: Its Importance


The importance of online safety in the digital era cannot be
overstated. A single security breach may have a big impact in
today's connected society. For example, the 2017 Equifax breach
exposed the personal information of over 145 million individuals,
while the 2018 Marriott breach exposed the information of over 500
million people. The affected companies paid a high price for these
breaches, which also hurt their standing with clients. Therefore,
protecting both organisations and individuals from the potentially
catastrophic consequences of a security breach requires strong
cybersecurity.
To understand why it is so important to learn, you must first
understand how a good cybersecurity system helps and protects
students, businesses, organisations, and other stakeholders.18

17 Alalwan J. A., “Fear of cybercrime and the compliance with information security
policies: A theoretical study”, ACM International Conference Proceeding Series,
2008, pp. 85–87.

Cybersecurity is Important for Students


Since they are frequently the target of attacks, students ought
to be concerned about cyber security. Hackers recently targeted a
group of college students in the US and gained access to their
personal information, including their Social Security numbers and
credit card information. The hackers used this information to make
thousands of dollars in unauthorised charges to the students' credit
cards. After accruing a significant amount of debt, the students
needed to spend months rebuilding their credit. This event
highlights the need for cyber security, because students are regularly
the victims of cybercrime. Identity theft might happen if a
cyberattack causes the theft of personal information held by an
educational institution. As a result of the damage to their credit, the
student may find it difficult to get financing for a vehicle or for
their schooling. In extreme cases,
identity theft can lead to jail time.

Importance of Cyber Security in Organisations and Business


The Target data breach serves as an illustration of how
important cyber security is to companies and enterprises. In this
case, hackers were able to obtain sensitive customer data, including
information about credit and debit cards. As a result, Target had to
settle for hundreds of millions of dollars in damages, and its
standing with customers declined. The Target data breach is just one
example of how important cyber security is for companies and
organisations.
Another example of a data breach is the WannaCry
ransomware epidemic, which affected organisations and businesses
all throughout the world. As a result of this attack, several
companies suffered data and financial losses, while some were also
compelled to close down.
In order to protect their personal information against viruses
and security breaches, people can enrol in authorised courses in
ethical hacking to learn everything they need to understand about
cyber security.

18 Herhalt, J., “Cyber-crime - A growing challenge for governments”, KPMG Issues
Monitor, 8, 2011, pp. 1-24, ISSN 2224-5782.

The Significance of Cyber Security for the Banking Industry


The 2014 JPMorgan Chase data leak serves as an example of
how important cyber security is to the banking sector. In this
incident, hackers gained access to the telephone numbers, addresses,
and email information of more than 76 million households
and seven million small enterprises. Additionally, a total of 83
million JPMorgan Chase customers' account information, such as
their account numbers and balances, was accessible to the hackers.
This incident acts as a reminder of the importance of cyber
safety for banking organisations because the attackers were able
to access a sizable amount of sensitive client information. If it
had fallen into the wrong hands, the data may have been exploited
for fraud, identity theft, or other illicit acts.

WAYS TO PREVENT COMMON CYBER-ATTACKS


Informing Employees About Cyber Security
Ensuring that employees understand the significance of cyber
security is crucial for all firms. Provide users with ongoing, updated
cyber security training so that they know to:
• Double-check a link before clicking it.
• Check the email addresses on the messages delivered to them.
• Give it some thought before sending any important
information. Anything that seems odd typically is.
• Call the individual in question to confirm before executing a
transaction they are doubtful of.
Social engineering initiatives will be less likely to succeed
with user education, training, and awareness.

Data Backup and Encryption


Businesses regularly gather and maintain personal data that
might be utilised to identify a person. These details can be used by
cybercriminals for a variety of purposes, including identity theft and
business data corruption. In order to prevent serious interruption,
loss of information, and monetary loss in the event of a cyberattack,
you must back up your data. Even if you have strong
safety precautions in effect, ransomware might target your backup
software and damage your backup data if it strikes and creates
havoc. Take steps to secure any information that is
confidential, including that of your clients and employees.

Regularly Conduct Audits


Although you cannot completely eliminate the possibility of
cyber assaults, you may take steps to regularly check your cyber
defence. Review your cybersecurity policy, and keep software,
systems, and servers under regular observation to ensure that your
business is entirely secure. Access backed-up files and download
them to evaluate how the recovery process might work for your
firm. Check for any potential flaws, devise remedies, and see
whether the backup files have been compromised in any way.
Remove unused software to lessen the chance that hackers may
utilise it to steal or destroy your data.
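
One way to check during an audit whether backup files have been compromised, shown as an added example that is not part of the original chapter: record a SHA-256 manifest when the backup is taken and compare a restored copy against it. The function names, file names and sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest.

    Store the manifest away from the backup itself, otherwise whoever can
    alter the backup can alter the manifest too.
    """
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def audit_backup(root, manifest):
    """Compare the files now under root with the manifest recorded at backup time."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(
            path for path in manifest
            if path in current and current[path] != manifest[path]
        ),
    }


def is_clean(report):
    """True when the audit found nothing missing, unexpected or modified."""
    return not any(report.values())


def demo():
    """Build a constructed sample backup, damage it, and return both audit reports."""
    samples = {
        "finance/ledger.csv": b"date,amount\n2023-01-05,1200\n",
        "customers.db": b"constructed sample customer records",
        "hr/staff.txt": b"constructed sample staff list",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)
        manifest = build_manifest(root)
        before = audit_backup(root, manifest)

        # Simulate the kinds of damage an audit should surface.
        with open(os.path.join(root, "finance", "ledger.csv"), "wb") as handle:
            handle.write(b"\x00" * 32)                      # content overwritten
        os.remove(os.path.join(root, "customers.db"))       # file deleted
        with open(os.path.join(root, "unexpected_note.txt"), "wb") as handle:
            handle.write(b"file that was never backed up")  # file added
        after = audit_backup(root, manifest)
    return before, after


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("fresh backup clean:", is_clean(clean_report))
    print("after damage:", damaged_report)
```
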

Keep an Eye Out for Insider Data Breaches


Create an extensive data usage policy that is simple for
everyone to understand as insider data breaches become more
common. Put limitations on who can access what. Consider the
danger, for instance, of letting independent contractors enter your
organisation with unscreened devices without a complete access
procedure and take action to solve it.

Limit the Admin Rights


By limiting admin privileges to a small group of employees
and implementing a system that provides security from employee to
employee, you can reduce the danger of being hacked. In order to
enforce the concept of least privilege and regulate user access,
typical users' execution rights must be restricted. Having workers
install software on company-owned devices that might jeopardise
your systems is one of the concerns for firms. Your security will
benefit if you forbid employees from installing or even viewing
specific files on your network.

Putting in a Firewall
Placing your network behind a firewall is one of the finest
ways to defend yourself from a cyberattack. A firewall system can
help stop brute force attacks on your network or systems before
they have a chance to cause any harm.

Make Sure Your Password Policy is up to Date


Make sure a password policy is in place and being followed.
A reasonable and well implemented password policy will prohibit
users from using readily known passwords and should lock accounts
after a certain number of failed attempts. Employees should use
letters, special characters, and numbers to construct strong
passwords. They should also activate multi-factor authentication to
protect their devices against unauthorised access. Passphrases may be
used instead of passwords by businesses to increase system security.
It is critical not to reuse passwords or passphrases throughout the
organization, and to remember to create a password to secure your
Wi-Fi network.
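
The policy described above (reject readily known passwords, require letters, numbers and special characters, lock the account after repeated failures), sketched as an added example that is not part of the original chapter. The minimum length, the attempt limit, the deny-list entries and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string

# Assumed policy values; the chapter does not prescribe specific numbers.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
# Constructed sample deny-list; a real deployment would load a large list
# of breached and commonly used passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def policy_violations(password, username=""):
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS:
        problems.append("readily known password")
    if username and username.lower() in lowered:
        problems.append("contains username")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


class AccountStore:
    """In-memory accounts with salted password hashes and lockout after failures."""

    def __init__(self):
        self._accounts = {}

    @staticmethod
    def _hash(password, salt):
        # PBKDF2 from the standard library; the iteration count is illustrative.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        problems = policy_violations(password, username)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failures": 0,
            "locked": False,
        }

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        account = self._accounts.get(username)
        if account is None:
            return "denied"
        if account["locked"]:
            # A locked account stays locked even if the right password arrives.
            return "locked"
        candidate = self._hash(password, account["salt"])
        if hmac.compare_digest(candidate, account["hash"]):
            account["failures"] = 0
            return "ok"
        account["failures"] += 1
        if account["failures"] >= MAX_FAILED_ATTEMPTS:
            account["locked"] = True
            return "locked"
        return "denied"

    def unlock(self, username):
        """Administrative reset after the account owner has been verified."""
        account = self._accounts[username]
        account["failures"] = 0
        account["locked"] = False


if __name__ == "__main__":
    print(policy_violations("password"))
    print(policy_violations("Tr4in-Sched#Blue"))
```
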


Ensure Endpoint Security


Endpoint security is the act of safeguarding endpoints such as
desktop computers, laptop computers, smartphones, and other
devices against harmful threats and online attacks. Using endpoint
security software, businesses can protect employees' workstations
from online threats whether they are connected to a network or
stored in the cloud.

Updating Software, Gadgets, and Operating Systems


Cyberattacks frequently happen because outdated systems and
software expose vulnerabilities. These loopholes are
used by hackers to break into your network. To combat this, some
businesses spend money on a patch management system, which
coordinates all software and system updates and keeps your system
secure and current.

CONCLUSION
Cybercrime is a criminal offence. It is harmful to the larger
community. Many parties have objected to and criticised cybercriminals'
conduct. The advent of cybercrime has prompted the introduction
and modification of legislation to anticipate and counteract these
behaviours. The legislation is incapable of appropriately regulating
internet users. The legislation only applies to cybercriminals and not
to internet users. Users that wished to experiment with a system or
social media were the origins of cybercrime. They eventually
became specialists in the field and became interested in
cybercrime. To tackle cybercrime, the government can work with
other agencies. The statistics indicate that cybercrime will not cease
and will continue to rise in tandem with the increase in irresponsible
parties.
Cybercriminals are extending their reach over the network,
costing consumers and organisations millions of dollars.
Anyone who uses the internet ought to exercise extreme caution when
visiting the web and follow all security instructions. With more advanced
tactics and tools, the future of cybercrime is bleak. Organizations
should employ every available safeguard against cybercriminals and
hackers. Everyone must endeavour to defend themselves against
cybercrime by using anti-virus software, firewalls, biometrics,
updated software versions, and so on. Countries and international
organisations should enact tougher anti-cybercrime legislation.
Protection organisations might strive to identify additional strategies
to stop online attacks and provide internet users with protection. Last
but not least, internet users need to be aware of and updated on
security and cyber threats, as well as how to deal with them.


CHAPTER 16

CYBER SECURITY ISSUES DURING COVID-19 PANDEMIC
Adv. Sanyukta Gupta 1, Punya Singh 2

“An extraordinary and unusual occurrence during the COVID-19
pandemic changed the lives of billions of people worldwide. It also
has a significant impact on the business industry and society as a
whole. The global pandemic gave rise to several unusual conditions
involving cybercrime that were harmful to both society and
industry. The increase in panic brought on by the epidemic
corresponded with an increase in both the quantity and diversity of
cyberattacks, which increased the possibility that they would be
effective. Most nations implemented travel restrictions, security
measures and social segregation policies. People became connected
in substantial ways via Information and Communications
Technology. A large number of educational institutions employed
online systems, enabling remote work for staff as well as students.
In addition, there was a big market for online purchasing of
groceries, delivery of meals services, and e-healthcare services. The
intruders with evil intent used COVID-19 as a chance to carry out
assaults for monetary gain and to achieve their undesirable
objectives. Attacks using ransomware threaten the integrity and
security of patient information and other resources in healthcare
systems. A lot of people were falling for phishing schemes. This
chapter analyses the pandemic from the standpoint of cybercrime
and demonstrates the range of cyber security dangers that
materialized throughout the globe during the deadly virus's
emergence”.

1 Advocate, Supreme Court & High Court, Delhi, (India)
2 B.Com. LL.B (H), 3rd Year, Institute of Legal Studies & Research, GLA University,
Mathura, (India)


INTRODUCTION

With the global spread of the novel coronavirus infection
(COVID-19), the World Health Organization (WHO)
proclaimed a "health emergency for the public of global
concern" in 2020. At the end of January 2020, the Centers for
Disease Control and Prevention further proclaimed a public health
emergency in the US as well.3 In addition to endangering lives,
COVID-19 has caused business instability and harm to everyday
routines, causing worry and strain in people. The growth of the
world's economy was stunted. Businesses swiftly adjusted by abruptly
converting workers to remote work. To stop the transmission of this
exceedingly contagious disease, social distancing practices were
implemented and big gatherings, crowds, and groups of people were
strongly prohibited. Employees of all ranks were either laid off or
instructed to work from home (WFH) for safety as a result of self-
and government-mandated quarantines. Organizations faced the
problem of securing sensitive data from dangerous employee
behaviors targeted by hackers and social engineering as WFH or
teleworking became the norm.
The virus also created a further major hazard for a world that
relies heavily on technology: a number of random cyberattacks as
well as a number of targeted cybercrime acts. Since the start of the
viral pandemic, there have been several cases of hackers pretending
to be official agencies (such as the WHO) and organizations like
supermarkets and airline companies, targeting support platforms,
committing PPE fraud, and advertising COVID-19 treatments. These
frauds targeted both the millions of people who work from home and
the general public. Cyber security problems and difficulties have
emerged due to the widespread use of remote working. Cybercriminals
have seized this opportunity to step up their crimes, relying on
age-old deception that also preys on people's increased stress,
concern, and strain. Additionally, working from home exposed
software companies' general level of unpreparedness, particularly
with regard to the security of their products. Due to the increased
usage of online working, critical infrastructure, such as health
care services, has also been the target of cyberattacks. To address
this, on April 8, 2020,

3 Bajema K.L., “Persons evaluated for 2019 novel coronavirus— United States,”
Morb. Mortal. Wkly. Rep., 69(6), 2020, pp. 166-170, January 2020.


the National Cyber Security Centre (NCSC) of the UK and the
Cybersecurity and Infrastructure Security Agency (CISA) of
America together issued a note of caution on the various ways in
which fraudsters and Advanced Persistent Threat (APT) groups
were making money from the ongoing pandemic. This advice
covered topics such as malware, phishing, and compromised
messaging platforms like Zoom and Microsoft Teams. One could
argue that a more thorough evaluation of the full spectrum of
pandemic-related attacks is required, both in practice and in study.
With reports of attacks coming from law enforcement, the
media, security organizations, and crisis management teams, the
state of the art is currently quite fragmented. Therefore, in the
given ever-changing circumstances, it was incredibly difficult for
enterprises to create appropriate security and reaction strategies.
A brand-new timeline of cyber-attacks related to the outbreak
is put forward in this chapter. This chronology and the analysis it
generates can aid in our understanding of those assaults and how
they were designed, which will enable us to better prepare for them
if they reoccur in the future. Our timeline shows notable
cyber-attacks alongside worldwide efforts to stop the virus's
spread, such as the activation of lockdowns. The timeline shows a
pattern that draws attention to cyber-attacks and campaigns that
commonly take place following occasions like policy releases. This
makes it possible for us to monitor how quickly crimes and
cyberattacks took place in comparison to when initial pandemic cases
in the area were recorded, or even if some of these instances were
preceded by assaults.
Most companies and organizations do not currently have any
plans in place to sustain sudden, drastic change over a brief period
of time. Just 38% of businesses actually have a cyber security
policy in place. The work-from-home, or WFH, business model has been
embraced by organizations and companies all over the world,
raising the dangers and threats to business information.
It is significant to highlight that for people throughout the
world WFH has taken the place of the usual routine. The majority of
the time, this means that employees must utilize their own devices
and network connections at home, which are frequently inherently
vulnerable and lack the essential security measures required by
industry standards. Institutions frequently encrypt business devices


with little to no administrative rights if they already give their
employees access to them. On the other hand, it becomes a problem
when staff are given restricted authorization to install the
software they need. Therefore, businesses must offer more practical
solutions and give employees more rights, which tacitly suggests
that there may be additional security issues.
To address this, on April 8, 2020, the National Cyber Security
Centre (NCSC) of the UK and the Cybersecurity and Infrastructure
Security Agency (CISA) of America together issued a note of
caution on the various ways in which fraudsters and Advanced
Persistent Threat (APT) groups were making money from the
ongoing pandemic.4 This chapter concentrates on the cyber security
issues that have emerged because of the global pandemic in many
contexts.

BACKGROUND
Even in ordinary circumstances, internet crimes such as scams
offer attackers large rewards with minimal immediate risk. More
people are unemployed, spend a greater amount of time indoors, and
use the internet for both job searching and interacting with others.
In an effort to attract or keep consumers, both the government and
other enterprises have provided incentives to assist people with
financial issues. Any information regarding "COVID-19" will be of
interest to internet users while the world waits for a viable cure
to halt the disease's spread. Scammers exploit this interest to send
targeted malware and phishing attacks while pretending to be
government agencies, tax authorities, or other organizations, and
they do so by including links that appeal for help with COVID-19.
The World Economic Forum (WEF) underlined in its report
that even when diseases have vanished, hacking and phishing have
become the new standard.5 Since particularly endangered
individuals are more worried and are expecting text messages,
emails, phone calls etc. on COVID-19 from the government, these
scams are much more successful now during the pandemic. It becomes
increasingly easy for hackers to construct fictitious
communications or websites that imitate the look of pertinent and

4 Ibid
5 Ibid


well-known authorities as they become more knowledgeable of the
issue. To capitalize on the pervasive fear connected with
the need to resolve an emergency and meet demands,
they also utilize terms that convey urgency. As a result,
hostile online attackers can strengthen their phishing efforts.
These attacks may involve both internal and external improvements,
individual earning and philanthropic donations, among other things.
A recent F-Secure analysis found that spam is one of the main
channels via which malware spreads. Additionally, it highlighted
the way that hackers utilize the worldwide outbreak to lure users
into clicking, mainly by concealing programs within compressed
files like .zip files.6 In order to trick people into taking a
dangerous action, such as clicking on a hyperlink or opening an
attachment, attackers may exploit legitimate, already-existing
material. Users should check the originator of the email and the
hyperlinks provided before making a decision. In order to deceive
people into viewing hazardous files or tapping on hyperlinks,
hackers frequently impersonate the World Health Organization (WHO),
the UN, or other legitimate organizations. Nearly the whole planet
is currently on total lockdown due to the epidemic. The transition
to a new way of earning a living, in which employees use home
systems that have been protected by their employers to conduct much
of their business from remote locations, has prompted concerns
within the sector. This widespread quarantine has raised fresh
concerns regarding how robust technical approaches are in the
majority of environments, especially how reliable the present
technology is inside companies' current cyber facilities.

MAJOR TECHNOLOGIES IN FIGHTING COVID-19


Controlling COVID-19 is aided by innovative technology, far
stronger than 4G-enabled technology, with an emphasis on
5G or even beyond 5G (B5G). The control of the unique disease is
made easier by the deployment of edge computing powered by a 5G
wireless network. A hierarchical edge computing system has
benefits, such as scalability, low latency, and data protection for
training models. It is possible to improve security by utilizing

6 Understanding and dealing with phishing during the COVID-19 pandemic, available
at https://www.enisa.europa.eu/news/enisa-news/understanding-and-dealing-with-phishing-during-the-covid-19-pandemic.
(Visited on January 4, 2023).


pervasive edge computing. To combat outbreaks like COVID-19, a
B5G-based healthcare framework was created. The system includes
coverage for an interest layer, a border layer, and an IT cloud layer.
It is compatible with monitoring systems for the purposes of
temperature checks, mask wearing, and social distancing. The
newly created COVID-19 testing approach may assist in processing
private information, identifying people with no COVID-19
infection, and preventing medical congestion.7 Table 1 summarizes
additional technologies and their primary COVID-19 prevention
applications.

Table 1. The Primary Manners that Various Technologies are Used to Combat COVID-19 8

| Technologies | Main applications |
|---|---|
| Virus genome sequencing technology | • Selecting the virus's genetic layout and keeping track of virus genetic evolution. • Recognizing the virus movement to manage it. |
| IoT | • Eliminating tangible interactions among equipment and replacing them with a digital connection. • Gathering real-time information from COVID-19-infected individuals. |
| Drones | • Cleaning up areas, including clinics. • Moving the patient laboratory specimens, meals, beverages, and medications. • Spotting risk-prone individuals and assisting them. |
| Geographic information system | • Determining service delivery priorities based on the demand for healthcare facilities or the presence of COVID-19. • Conducting intricate geographical studies to determine the geographic spread of COVID-19 infection. |
| Artificial intelligence (AI) | • Looking at the data pertaining to COVID-19. • Figuring out the composition of corona virus proteins. • Setting COVID-19 apart from other respiratory infectious diseases. • Patient count estimation using clinical information. • Making a novel coronavirus infection diagnosis. |
| Telemedicine | • Online education to stop pandemic. • A synchronized remote surveillance in mobile medical centers. • Tele-triage to keep an eye on people, especially during isolation. • Follow-up after departure. |
| Big data and block chain | • Assembling enormous volumes of information onto a safe system. • Doing studies, removing frameworks of virus conduct, and identifying the best vaccinations and medications. |
| Robots | • Dispensing medications and private security devices. • Giving meals to those under isolation. • Sanitizing and cleaning medical centers. • Managing hazardous materials. • Minimizing immediate patient interaction by conducting blood tests, monitoring health indicators, etc. • Regulating social behaviors and educating people about COVID-19. |

7 Wang L., Alexander Ann C., Cyber security during the Covid-19 pandemic, AIMS
Electronics and Electrical Engineering, 5(2), USA, 2021, pp. 146-157, DOI: 10.3934/electreng.2021008.
8 Mastaneh Z., Mouseli A., Technology and its Solutions in the Era of COVID-19 Crisis:
A Review of Literature, Evidence Based Health Policy, Management and Economics,
4(2), Iran, 2020, pp. 138‒149, ISSN: 2538-5070.


Cloud-assisted vehicular ad hoc networks (VANETs) were
given an authorization system.9 The physical condition of travelers
can be tracked quickly and without contact using the vehicular cloud
(VC). Using peripheral devices and the VC, a block chain-based
vehicle tracking method was realized. In this way, COVID-19 control
requirements can be fulfilled.10 Table 2 lists the primary safety
characteristics of a VANET security plan.

Table 2. Important Safety Aspects for a VANET Security Plan.11

| Security features | Description |
|---|---|
| Mutual authentication | A cutting-edge security mechanism that guards against attacks centered around imitating others on specific devices. |
| Conditional privacy protection | The components of contingent confidentiality concern vehicle information retrieval and user confidentiality preservation. The VC is in charge of running the VANET system and ought to make it possible to reveal the true identity of suspicious motor vehicles. |
| Unforgeability | The primary characteristic of safe transmission of information is unforgeability against targeted message attacks. |
| Non-repudiation | The accuracy of the data that is sent is assured. |
| Anonymity | Every VANET device is required to maintain its confidentiality. |
| Session key establishment | A specific automobile and the VANET system share a single access password. It must be established in order to protect the data being shared. |

CYBER-SECURITY: SECTORS OF THE ECONOMY MOST AFFECTED BY THE CRISIS OF COVID-19

9 Tan H., Kim P., Chung I., Practical Homomorphic Authentication in Cloud-Assisted
VANETs with Block chain-Based Healthcare Monitoring for Pandemic Control,
Electronics, 9(10), Chosun University, 2020, pp. 1683; DOI: 10.3390/electronics9101683.
10 Ibid
11 Ibid


Following is a discussion of the economic sectors most
affected by cyberattacks:

1) Financial Industry
Global economies and financial systems have reached their
lowest levels in the previous 30 years as a result of COVID-19.
Since 1991, the price of crude oil has never been lower. The
economies of the oil-producing nations are now at risk because of
this. Experts had already forecast a financial crisis when this
pandemic outbreak first got off the ground. The financial sectors
are additionally exposed to digital threats like phishing and
malware 12 or ransomware 13 attacks. Additionally, in a typical
scenario, the majority of fintech users have fallen prey to social
engineering, in which hackers use deceptive tactics to present
themselves as legitimate users in order to acquire personal data
such as password recovery details. It is absolutely important to
develop a combination of hybrid encryption 14 and contemporary,
secure encryption methods so as to safeguard information during
digital transactions.

2) Healthcare Sector
Modern medical organizations are built on ICT programs that
provide a wide range of medical services to their users, which may
include medical professionals, pharmacists, nurses, and clients. The
concept of online healthcare is used to describe these services.
They were among the most vulnerable and specifically attacked
systems in the latest pandemic catastrophe. Anything that goes wrong
might have grave consequences, such as the loss of a valued
human life. The challenge now being experienced by medical
facilities, where personnel and assets have been stretched
exceedingly thin in reaction to the new corona virus, is likely to
be exacerbated by

12 Y. Dion and S. N. Brohi, An Experimental Study to Evaluate the Performance of
Machine Learning Algorithms in Ransomware Detection, J. Eng. Sci. Technol., 15(2),
Malaysia, 2020, pp. 967–981, ISSN 1823-4690.
13 A. Ren, C. Liang, I. Hyug, S. Broh, and N. Z. Jhanjhi, “A Three Level Ransomware
Detection and Prevention Mechanism,” EAI Endorsed Trans. Energy Web, 7(26),
2020, DOI: https://doi.org/10.4108/eai.13-7-2018.162691
14 O.E. Omolara, A.I. Oludare, S.E. Abdulahi, Developing a modified hybrid caesar
cipher and vigenere cipher for secure data communication, Comp. Eng. Intelligent
Syst., 5(5), 2014, pp. 34-46, ISSN 2222-2863.


any purposeful cyber-attack. According to the World Health
Organization (WHO), there was a fivefold increase in cyberattacks
during Covid-19, which caused public alarm. In the month of April
2020, around 450 working email accounts with WHO usernames and
credentials were exposed.15
Hackers and malicious individuals are fully cognizant of the
negative impact of the epidemic on the worldwide healthcare sector.
As numerous individuals used the internet-based care system,
attackers became more involved in gaining access to hospital
networks around the world for monetary advantage. Telemedicine
took the place of all other health care methods during the illness
outbreak. Because of this mode of treatment, attackers now find it
easier to collect the necessary information from specific patients.
According to reports, a DDoS attack in the USA hit the Department of
Health and Human Services, which received countless connection
requests within a few hours.16

3) Education Sector
The sudden transition brought on by the COVID-19 crisis had a
profound impact on educational institutions. Regardless of level,
the majority of today's students rely on online education, which
puts them at risk of cybercrime. Additionally, Zoom is used by most
educational organizations to facilitate online learning. However, as
a result of an attack, certain educational institutions in California
were forced to temporarily halt their curricular activities. WebEx,
Zoom, Google Classroom, Ultra Collaborative, Skype, Blackboard
Learn, GoToMeeting, Monitor Lockdown Browser, and Responds
are a few notable examples of software used to deliver lectures.
Academic and non-academic employees as well as learners often engage
with one another using social media platforms like Facebook,
YouTube, WhatsApp, and others that provide online services. During
COVID-19, different avenues were utilized for fostering education.
Due to this, during the crisis, expert-led online

15 WHO reports fivefold increase in cyber-attacks, urges vigilance, available at
https://www.who.int/news/item/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance.
(Visited on February 27, 2023).
16 Cyber-Attack Hits U.S. Health Agency Amid Covid-19 Outbreak, available at
https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response?leadSource=uverify%20wall.
(Visited on March 6, 2023).


courses were offered in English, French, Spanish, Italian,
Portuguese, and various other languages.

4) Defence Sector
A computer's Master Boot Record (MBR) has been known to
be overwritten by malware with corona virus themes, making the
system unbootable. Another malicious HTA file (HTML executable
file) has been discovered that has the words "Coronavirus Installer"
in its description and uses the Covid-19 issue and lockdown
regulations as a lure. It is most certainly a
product of the infamous SideWinder gang, which has a history of
assaulting military targets. This HTA file contains a pop-up that
opens a PDF lure containing clickable headlines and pictures of the
Pakistani army. CEOs and upper management of
energy companies are particularly susceptible to security and cyber
risks. When workers access crucial manufacturing facilities and
utility networks from their homes, rolling power outages, safety
issues, and second-wave crises are all exacerbated. While the
lights and electricity are being kept on, rolling power outages and
safety events can coincide, which raises the risk of a second-wave
crisis when employees use their residences to reach vital
production facilities and grid systems. Attackers will profit from
the sudden access to remote mechanisms, overcrowded facilities, and
novel working techniques.

5) Power Industry
The energy sector concentrates on ways to protect individuals
and keep the lights on for consumers during emergencies like
COVID-19. Utility firms prioritize remote work above all else, yet
this puts the energy sector at risk from both inside and outside of its
cyber defenses. Since lives are at stake, energy firms must both
safeguard their personnel and assiduously prevent disruptions.
Because of remote working, energy companies are now subject to
new cyber-risks. Attackers will search for fresh infrastructural flaws
in an energy source to take advantage of. Utility workflows for
power generation are fundamentally changing, and cybersecurity
strategies and organizational frameworks will need to change as
well.


6) Manufacturing Sector
If those in the manufacturing industries believed they were
safe from cyber-attacks, that view is rapidly being disproved,
especially in 2020. More people became aware of Industry 4.0 and
the growth of cybercrime in 2017 and 2018. But many businesses in
the industry were utterly ignorant of the dangers. The industrial
sector was the ninth most frequently targeted by cybercriminals by
2019. The issue was made worse in 2020 when a number of
institutions were forced to depend almost entirely on remote workers
as a result of the pandemic limitations. Cyber attackers were ready
for COVID-19's impact, but the majority of people were not. In
terms of cyber-attacks, the industrial sector has moved from eighth
to second place. It is crucial to keep an eye out for potential
irregularities in the network environment of the firm in order to
avoid cyberattacks. During the aftermath of COVID-19, it is
impossible to take some security measures when working from
home. For instance, instructions from outside the business may be
either legitimate or erroneous, and it is challenging to determine
who the senders are and what they want. Monitoring is therefore
considerably more crucial to distinguish between attackers and
workers.

7) Technological Sector
The largest theft of information in history occurred between
2020 and 2021. Businesses in the information technology sector,
such as Google, Twitter, Zoom, Amazon, Finastra, CD Projekt Red,
the SolarWinds supply chain, etc., suffered serious losses as a
result of these breaches. Google stated on the Chrome update page
that it is aware of attacks exploiting two weaknesses,
CVE-2021-38003 and CVE-2021-38000.
Users of Chrome should upgrade their browsers because these
problems have been fixed. Google announced the modification,
saying, "The Fixed line was recently updated to 95.0." Several
trustworthy Twitter accounts were taken over and used to spread
false information about Bitcoin. The accounts requested Bitcoin
payments from their followers in return for a double reward. The
tweets only circulated for a short while, yet they generated more
than $1 million in Bitcoin. Those who sent Bitcoin after being
duped received nothing in return.
Due to the rapid rise in people working from home brought on
by COVID-19, Zoom transformed itself from a previously obscure


exclusive company into one of the most widely recognized and used
video and audio communication platforms almost overnight.
Between the first and subsequent quarters of 2019 and 2020, the
revenue increased 3.55 times. Due to its quick expansion, Zoom ran
into a number of security difficulties, the most serious of which was
the exposure of over five hundred thousand user accounts on an
unauthorized internet forum. Credential stuffing, or utilizing
previously disclosed usernames and passwords to access accounts,
is what is thought to have happened. The largest cyberattack in 2020
targeted the SolarWinds supply chain, which also affected well-
known commercial companies including Microsoft, FireEye, Cisco,
and NVIDIA. A major DDoS attack was also
launched on Amazon by the attackers.
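
Credential stuffing of the kind described above leaves a recognizable trace in authentication logs: one source trying many different usernames with a low success rate. The following detection sketch is an added example, not code from any of the companies mentioned; the log format, thresholds, addresses and usernames are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them against real traffic.
WINDOW = timedelta(minutes=5)   # sliding window kept per source address
MIN_ACCOUNTS = 5                # distinct usernames tried inside the window
MAX_SUCCESS_RATE = 0.2          # leaked lists are mostly stale, so few logins succeed

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2020-04-01T09:00:01 203.0.113.7 alice FAIL
2020-04-01T09:00:03 203.0.113.7 bob FAIL
2020-04-01T09:00:05 203.0.113.7 carol OK
2020-04-01T09:00:08 203.0.113.7 dave FAIL
2020-04-01T09:00:11 203.0.113.7 erin FAIL
2020-04-01T09:00:14 203.0.113.7 frank FAIL
2020-04-01T09:01:00 198.51.100.20 grace FAIL
2020-04-01T09:01:20 198.51.100.20 grace OK
2020-04-01T09:02:00 192.0.2.55 heidi FAIL
2020-04-01T09:02:02 192.0.2.55 heidi FAIL
2020-04-01T09:02:04 192.0.2.55 heidi FAIL
2020-04-01T09:02:06 192.0.2.55 heidi FAIL
2020-04-01T09:02:08 192.0.2.55 heidi FAIL
2020-04-01T09:02:10 192.0.2.55 heidi FAIL
""".splitlines()


def parse(line):
    """Split one log line into (timestamp, source, username, succeeded)."""
    ts, source, user, result = line.split()
    return datetime.fromisoformat(ts), source, user, result == "OK"


def detect_stuffing(lines):
    """Return {source: alert} for sources that look like credential stuffing.

    A source is flagged when, inside WINDOW, it has tried at least
    MIN_ACCOUNTS distinct usernames and at most MAX_SUCCESS_RATE of its
    attempts succeeded. Many failures against ONE username (password
    guessing) and a user mistyping a password are deliberately not flagged.
    """
    recent = defaultdict(deque)   # source -> attempts still inside the window
    alerts = {}
    for ts, source, user, ok in sorted(map(parse, lines)):
        attempts = recent[source]
        attempts.append((ts, user, ok))
        while ts - attempts[0][0] > WINDOW:
            attempts.popleft()
        users = {u for _, u, _ in attempts}
        success_rate = sum(o for _, _, o in attempts) / len(attempts)
        if len(users) >= MIN_ACCOUNTS and success_rate <= MAX_SUCCESS_RATE:
            alert = alerts.setdefault(
                source, {"alerted_at": ts, "accounts_tried": set(), "compromised": set()})
            alert["accounts_tried"] |= users
            # Accounts that logged in successfully need a forced password reset.
            alert["compromised"] |= {u for _, u, o in attempts if o}
    return alerts


if __name__ == "__main__":
    for source, alert in detect_stuffing(SAMPLE_LOG).items():
        print(source, sorted(alert["accounts_tried"]), sorted(alert["compromised"]))
```

The accounts listed under `compromised` are the ones where a reused password actually worked, which is why they are reported separately from the accounts that were only tried.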

8) Commerce Sector
Between the initial and subsequent quarters of the
year 2020, the share of online shopping in the overall retail
industry in the US rose gradually from 9.6% to 11.8%, or from nine
percent to eleven percent, yet during the initial and next quarters
of 2020, it rose to 16.1%. Electronic commerce is currently the
preferred method of making purchases of goods and services. Similar
patterns have been seen in the UK, where e-commerce's share of retail
increased from seventeen percent to 20.3% during the initial and
subsequent quarters of 2018 and 2020 before significantly
increasing to 31.3 per cent between those same quarters. Similar
trends have been seen in other nations, including the Communist
Party of China, where online retail sales as a percentage of total net
retail sales jumped from 19.4% in the month of August 2019 to
17.3% in August 2018, and then to 24.6% between January
and August 2020.

MAIN CHALLENGES TO CYBER SECURITY AMID THE COVID-19 PANDEMIC
With the advancement of the internet, maintaining cyber
security is getting increasingly challenging. Attackers, scammers,
and hackers commonly profit from emergencies, especially when
individuals are most frightened, defenseless, and unarmed. The
epidemic of this virus reflects this as well. The corona virus has
become a new tool for criminals to use in their illicit actions, such
as hacking, assaults, and scams.


Major cyber security threats or vulnerabilities amid Covid-19
are as follows:

1) Hacking
Scammers launched assaults on clients on online networks,
including those connected through gadgets, laptops, tablets, and
phones. This results in the theft of private data like
usernames, passwords, bank information, and other personal details.
The data was stolen by certain attackers, who used it to drain money
from accounts. Bank loan scams also grew swiftly during the
COVID-19 crisis since many of them focused on obtaining people's
cash and private details through online shopping. The pandemic
caused a 42 percent increase in fraud cases from 2019 to 2020 as
fraudsters benefited from the closing of a number of physical stores.
Several bank customers asserted that they received SMS texts
instructing them to organize an online product delivery. Others
completed the request, and when they filled in their financial
details, their accounts were compromised. Two Indonesian
suspects were taken into custody in the month of April, 2021, as
reported by CBS News, for a $60 million scam. The two suspects
were captured in Surabaya, Indonesia's second-largest city, as a
result of a tip from US investigators.17

2) Phishing
Cybercriminals trick their victims into divulging their bank
information, system login passwords, and other personal
information by sending them false messages. Phishing is a popular
technique for exploiting social engineering flaws to obtain sensitive
information from users, such as passwords, usernames, and login
credentials for online banking, companies, and organizations. The
easiest way for attackers to infect an electronic device with malware
is still through phishing. Phishing aims to fool users into
opening emails or tapping on links that look to be from reliable
sources or respectable companies. The link may send individuals to
a harmful website that installs malware on their computers directly
or to a fake website that demands personal information. As a result,

17 Indonesia arrests hackers over $60 million U.S. COVID-19 scam, available at
https://www.cbsnews.com/news/us-covid-relief-hacking-hackers-arrested-indonesia-aid-program-scam/.
(Visited on March 9, 2023).


if you are unsure about a link, you shouldn't click it. Hackers sent
numerous phishing emails to individuals by taking advantage of the
widespread lockdown brought on by the Corona virus.
Phishing emails include links to false websites that can gather a
user's personal information. People are susceptible to phishing
assaults since most increasingly depend on the internet to help
them through the pandemic. 9,116 fraudulent emails pertaining to
COVID-19 were among the 4,67,825 fraudulent emails that were
sent in March 2020, amounting to just under two
percent of all phishing messages.18 Although an extensive number of
fraudulent and smishing incidents happened during the outbreak, the
quantity of suspected email attacks that have been recorded provides
a glimpse into the United Kingdom's (UK) concerns with
cybercrime incidence.
Smishing is a kind of fraud in which victims are persuaded to
provide sensitive information such as debit and credit card numbers,
login details, and passwords via SMS messages that appear to be
from reputable and dependable sources. By the start of May,
specifically on May 7, 2020, nearly 160,000 suspicious email
incidents had been reported to the National Cyber Security
Centre (NCSC), and by the end of May, specifically on May 29,
2020, approximately £4.6 million had been lost to COVID-19-related
frauds, with approximately 11,206 people targeted by fraudulent
and/or smishing campaigns. In reaction, the NCSC and Her Majesty's
Revenue and Customs (HMRC) shut down 471 illegal web stores and,
additionally, 292 forged websites. Offenders
utilize smishing and vishing, two types of online fraud, to trick
consumers into giving them cash or private data. False SMS
messages are used in smishing, whereas telephone conversations are
used in vishing.
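
The advice given in the Background section (check the originator of the email and the hyperlinks, and be wary of compressed attachments) and the description of phishing above can be turned into an automated pre-delivery check. The following is an added example, not part of the original chapter; the allow-list of sender domains, the finding labels and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Organisations the chapter names as impersonated, with the domain each really
# uses. The allow-list and the finding labels are assumptions for this example.
KNOWN_SENDERS = {"world health organization": "who.int", "united nations": "un.org"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
URGENT = re.compile(r"\b(urgent|immediately|act now|final notice)\b", re.I)
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL, with or without a scheme, minus a leading www."""
    try:
        host = (urlparse(url if "://" in url else "//" + url).hostname or "").lower()
    except ValueError:  # malformed URL
        return ""
    return host[4:] if host.startswith("www.") else host

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return the list of phishing indicators found in one raw e-mail message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Originator check: the display name claims an organisation the address is not from.
    for name, domain in KNOWN_SENDERS.items():
        if name in display.lower() and not same_site(sender_domain, domain):
            findings.append("display-name-spoof")
            break
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        findings.append("reply-to-mismatch")
    if URGENT.search(msg.get("Subject", "")):
        findings.append("urgency-wording")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(ARCHIVE_EXT):
            findings.append("archive-attachment")
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")
            collector = LinkCollector()
            collector.feed(body)
            # Hyperlink check: the text shows one site, the href goes to another.
            for href, text in collector.links:
                if URLISH.match(text) and not same_site(host_of(href), host_of(text)):
                    findings.append("link-text-mismatch")
    return findings

# Constructed sample messages (reserved .example domains, placeholder attachment body).
PHISH = """\
From: "World Health Organization" <alerts@who-int.example>
Reply-To: helpdesk@mailbox.example
Subject: URGENT: COVID-19 safety measures, act now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Guidance: <a href="http://who-int.example/login">https://www.who.int/emergencies</a></p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="COVID-19_safety_measures.zip"

UEsDBAo=
--b1--
"""
BENIGN = ('From: "World Health Organization" <news@who.int>\n'
          "Subject: Weekly situation report\n"
          'Content-Type: text/html; charset="utf-8"\n\n'
          '<a href="https://www.who.int/reports">www.who.int/reports</a>\n')
```

Each finding alone is weak evidence; a mail gateway would typically quarantine a message only when several findings occur together, as they do in the constructed sample.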

3) Ransomware
Ransomware is destructive software, produced by criminals, that
prevents users from using their computers until they pay a fee.
Ransomware assaults increased during the outbreak as
more people took remote jobs. Ransomware is growing and getting
increasingly complicated. Alongside encryption, additional

18 Naidoo R., European Journal of Information Systems, 29(3), Taylor and Francis Ltd.,
South Africa, 2020, pp. 306-321, ISSN: 0960085X.


innovations are increasingly being incorporated into ransomware's
toolbox. Ransomware attacks typically target many industries, but
particularly the financial sector. The COVID-19 scenario is causing
problems for many countries, but at the same time, ransomware has
become more prevalent and intense, damaging businesses,
organizations, medical professionals, and governmental entities.
It continues to be ranked among the most prevalent global
cyber hazards to healthcare, therefore security employees need to be
cautious and knowledgeable of the methods that hackers will use to
gain money. Attacks using ransomware are being carried out by
cybercriminals on institutions that are publicly funded, such as
schools, hospitals, and clinics.
Hackers have no conviction that these companies will be able to
pay the ransom since they are unable to remain barred from their
computer networks. The ransomware reaches the system by means of
email attachments, hyperlinks, or currently employed staff members
whose passwords were previously stolen, or by taking advantage of a
loophole in the systems they use.19 On the dark
web, criminals are at present even selling malware as a
service. A false Wise Cleaner (system optimization software)
website was used to transmit the Corona Virus, a new ransomware
that was recently published. The targets were made to visit the web
page to obtain a malicious setup file under duress. A malware
infection can obtain a login ID, encrypt data so that it cannot be
decrypted later, and even take information from the operating
system once it has been installed on the machine being targeted.20

4) Botnet Attack
A computer system, server, or mobile device that has been
infected with malicious software, which includes worms, viruses,
and other malicious programs, is referred to as
a botnet or a bot. These devices harm individuals without their
knowledge. Botnets are collections of malware-infected devices which
operate under the attacker's command. Botnets are used in
fraudulent assaults, distributed denial of service (DDoS) assaults,
and fraud operations. To overload a web server or
resource and prevent it from responding to valid requests, the
majority of botnets employ distributed denial-of-service attacks. As
a result of the Mozi virus spreading around the globe, fraudsters are
reportedly fast recruiting Internet of Things (IoT) devices into their
botnet armies, according to recent threat intelligence reports by
A10 Technologies' security experts.21 Hackers tend to concentrate
increasingly on brief, repeated strikes that can deal substantial
damage without being tracked down, identified, or stopped by
defenses put in place by targets.

19 Cyberthreats are constantly evolving in order to take advantage of online behavior
and trends. The COVID-19 outbreak is no exception, available at
https://www.interpol.int/en/Crimes/Cybercrime/COVID-19-cyberthreats (visited on
January 15, 2023).
20 Supra note 21.

Thus, threats from botnets such as Emotet have been
reported in the wake of COVID-19. Emotet is a form of malware
that was initially intended to be a banking Trojan. Numerous
botnets, like Emotet, are polymorphic: while the malware is
active, its code changes. Most antivirus
programs scan the machine for any viruses that may
already be there. A change in the code, however, can make it more
challenging to see the virus, allowing it to go undiscovered. Over
time, Emotet increased in scale and was responsible for millions of
expensive hacks across the globe. Emotet carried out cybercrime
professionally and persistently. Windows computers which became
infected by TrickBot malware at the peak of COVID-19 are now
running Emotet, formerly known as "the globe's
most dangerous malware," which has made a comeback. A total of
1.6 million computer systems were infected by the Emotet malware,
which resulted in damages totalling billions of dollars.

5) APT
During the period of lockdown that followed the COVID-19
outbreak, cybercriminals and APT groups preyed on vulnerable
individuals and systems. Such an attack occurs when an unauthorised
user breaks into a device or network using cutting-edge and
sophisticated methods. Attacking groups with governmental support
are known as APTs. APTs often use methods like spyware, phishing,
ransomware, and information intrusions to harm their intended
victims.22 The fact that the group frequently targets the
telecommunications, military, and tourism industries suggests that it
aims to carry out inspection, tracking, or monitoring operations on
certain people. The purpose is to gather private or client data to
meet commercial or operational requirements in support of
governmental priorities, or to develop fresh routes to
support upcoming campaigns.

21 O.I. Abiodun, E.O. Abiodun, M. Alawida, R.S. Alkhawaldeh, H. Arshad, A review
on the security of the internet of things: challenges and solutions, Wireless Pers.
Commun., 119 (3), 2021, pp. 2603-2637.

The secondary objective of targeting government
organisations is to collect geopolitical information to assist
nation-state decision-making. In February 2021, three members of North
Korea's Reconnaissance General Bureau were charged in an
incident concerning an APT risk for their roles in WannaCry, the
Sony Pictures hack, and a number of other online crimes. At the
height of the pandemic, APT cybercriminals used fraudulent
LNK files, malicious macros, template injection, and RTF scams.
Threats involving stolen data are increasing, forcing organisations
to pay enormous sums of money as ransom.23 Therefore, more study is
needed to determine how to defend against APT attacks.

6) Malware
Malware is software that has been specifically created to harm
computers by encrypting data, damaging hardware, obstructing the
correct operation of software, stealing documents or sneaking into a
computer without permission.
In order to damage a system or delete data, malware
additionally has the ability to reproduce by itself on a device, like a
computer or a network of computers. It is a common cyber-threat
that companies and other entities have to cope with today. The term
covers several kinds of dangerous software, including Trojan horses,
worms, and ransomware. At the peak of COVID-19, malware
began to focus on gathering data. That is to say, hackers' use of
data-harvesting tools, including banking
Trojans, spyware, info stealers, and Remote Access Trojans, has
increased. Threat actors utilize material
associated with COVID-19 as bait to gain access to networks, steal
data, move money unlawfully online, and build botnets. During this
Coronavirus outbreak, cybercriminals are downloading malware
onto our devices. If malware creates a backdoor in a user's devices,
cybercriminals can access all of the user's confidential data,
including username and password. This malware spreads by using a
few Corona tracing maps available online.

22 Mohamed, N. A., Jantan, A., Abiodun, O. I., An improved behavior specification to
stop advanced persistent threat on governments and organizations network,
in Proceedings of the International MultiConference of Engineers and Computer
Scientists, 1, pp. 14-16. ISSN: 2078-0966.
23 O.T. Taofeek, M. Alawida, A. Alabdulatif, A.E. Omolara, O.I. Abiodun, A cognitive
deception model for generating fake documents to curb data exfiltration in networks
during cyber-attacks, IEEE Access, 10, 2022. DOI: 10.1109/ACCESS.2022.3166628

Hackers are taking advantage of the present scenario by
disseminating spyware, Trojan horses, and viruses via
internet pages and charts that cover the virus.24 Spam emails are
frequently used to deceive consumers into clicking links or
downloading malware. By using their PCs or cellphones, users can
become victims of these frauds. Johns Hopkins University created a
geographical representation containing a widget that shows data and
deaths on the new virus.25 During the COVID-19 crisis, further
disruptive malware, including DDoS and ransomware, was released.
Because of the potential for financial benefit, cybercriminals are
ruthlessly using disruptive malware on crucial infrastructure and
healthcare organisations. For example, in the initial week of April
2020, a number of threat groups that had been relatively inactive
for a few months launched an upsurge of ransomware attacks.
Consequently, there is a pressing need for more research into
defenses against malware intrusion, particularly in these trying times.

7) Harmful Social Networking Site Posts


During the height of the COVID-19 outbreak and the state of
emergency, there were a lot of false social media posts. Fake news
and destructive online communications to specific people have
reached alarming heights. Untrustworthy details, a lack of knowledge
of risks, and an upsurge of conspiracies have all added to public
anxiety and, in some circumstances, assisted in the execution of
cyberattacks. Inaccurate information regarding COVID-19 was
discovered to be spreading in about 30% of the nations taking part in
the global cybercrime research. In one month, 290 postings were
made, the majority of which included undetected spyware.
Misinformation has reportedly also been connected to the illegal
distribution of false medical products. Frauds, including "too good to
be true" offers like free food, were mentioned in addition to other
cases of misinformation. In order to address the issue of damaging
social media messaging attacks, which are on the rise as a type of
cyber-attack, there is an urgent need for research. Through such
posts, attackers may grab victims' login details or infect their computer
systems, smartphones, and websites with malware to access data and
cookies, rendering the individual a target.

24 J.W. Han, O.J. Hoe, J.S. Wing, and S.N. Brohi, “A conceptual security approach
with awareness strategy and implementation policy to eliminate ransomware,” in
Proceedings of the 2017 International Conference on Computer Science and Artificial
Intelligence, ACM, NY USA, 2017, pp. 222–226.
25 Supra note 21.

8) Business Email Compromise


As attackers exploited COVID-19, the Agari Cyber
Intelligence Division26 discovered a business email compromise
(BEC) incident. The Ancient Tortoise, a cybercrime gang
responsible for a number of BEC instances in the past, carried out
the attack. This attack is thought to be one of a string of strikes the
group has carried out. Bank accounts are the attackers' initial focus.
Then, citing the novel coronavirus, they use the information obtained
to send emails to the clients announcing modified bank details and
payment methods. Hackers pose as representatives of trustworthy
companies or organizations.27
Business email compromise scams are currently using the
coronavirus illness as a pretext. The trick entails convincing or
duping those targeted into sending cash to an intruder posing as an
actual representative of the target company. The most evident
impact of BEC fraud is monetary damage. The scam succeeds when the
scammer can tailor aspects of their strategies to the target's unique
defects or inadequacies. Offenders may accomplish this
by carrying out extensive research about the organization as
well as the individuals related to it, with the aim of conducting a
credible assault. Through a website, knowledge about certain
organizations is easily accessible.28

26 Supra note 21.
27 Supra note 21.
28 A.J. Burns, M.E. Johnson, D.D. Caputo, Spear phishing in a barrel: Insights from a
targeted phishing campaign, J. Organiz. Comp. Electr. Commerce, 29 (1), 2019, pp. 24-39.

Criminals can gather details about a business and its
employees by hacking social media platforms or using information
that is freely accessible. As a result, individuals, businesses, and
governments must begin spending more time and money on cyber
security in order to decrease cyberattacks like BEC in crisis
situations.
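
The traits this section attributes to BEC mail (a sender posing as a trusted company, a request to change bank details or payment method, the coronavirus as the pretext) can be checked mechanically on inbound mail. The following Python code is an added example, not part of the book; the vendor domains, the sample messages and the verdict rules are constructed assumptions.

```python
"""Added example: flag BEC traits in inbound mail. All data is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of suppliers the organisation really pays (hypothetical).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind-freight.example"}

# Wording of a request to switch bank details or payment method.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|chang\w+)\s+(bank(ing)?|account|payment)\s+"
    r"(details|information|method)", re.I)
# The crisis used as the excuse for the change.
PRETEXT = re.compile(r"\b(covid|corona\s?virus|pandemic|lockdown)", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def lookalike_of(domain):
    """Return the known vendor domain that `domain` imitates, if any."""
    if not domain or domain in KNOWN_VENDOR_DOMAINS:
        return None
    for known in sorted(KNOWN_VENDOR_DOMAINS):
        if edit_distance(domain, known) <= 2:
            return known
    return None

def body_text(msg):
    """Concatenate the text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess(raw_message):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    text = body_text(msg)
    findings = []
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"lookalike-domain:{from_dom}~{imitated}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")
    if PAYMENT_CHANGE.search(text):
        findings.append("payment-detail-change")
    if PRETEXT.search(text):
        findings.append("covid-pretext")
    return findings

def verdict(findings):
    """A payment change plus a sender anomaly is held for call-back verification."""
    anomaly = any(f.startswith(("lookalike-domain", "reply-to-mismatch")) for f in findings)
    if "payment-detail-change" in findings and anomaly:
        return "hold-and-verify-out-of-band"
    return "review" if findings else "deliver"

# Constructed sample messages (not real traffic).
SUSPECT = """\
From: "Acme Supplies Accounts" <billing@acme-suppiles.example>
Reply-To: acme.accounts@freemail.example
To: ap@customer.example
Subject: Updated remittance information

Due to the COVID-19 situation our usual bank is unavailable.
Please use our new bank details for all outstanding invoices.
"""
ROUTINE = """\
From: "Acme Supplies Accounts" <billing@acme-supplies.example>
To: ap@customer.example
Subject: Invoice 1001

Invoice 1001 is attached. Payment terms are unchanged.
"""

if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("ROUTINE", ROUTINE)):
        found = assess(raw)
        print(name, verdict(found), found)
```

A held message is confirmed by calling the supplier on a number already on file, never one taken from the email itself.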

9) Distributed Denial-of-Service (DDoS) Attack


DDoS assaults are a type of attack used by cybercriminals to
generate a lot of congestion and prevent people from using internet
services. DDoS attacks have nearly tripled in number relative to the
preceding three-month period.
There were 242 recorded DDoS assaults overall during the initial
period of 2020, while 300 incidents were identified in the
subsequent period.29 Numerous individuals underwent significant
changes that put them at greater risk, such as working from home
rather than an office, taking care of young children, and worrying
about their future financial security and well-being. Given that the
medical industry has the most vulnerable and targeted systems,
COVID-19 has had a significant and lasting impact on it. A recent
instance is a DDoS assault that bombarded the website of the United
States government's Department of Human Services and Health (DHoS)
with thousands of simultaneous users.

10) Malicious Websites


A malicious web application attack is any attempt made by a
malicious intruder to compromise the security of a web app.
Attacks on internet-based applications and online apps can either aim
directly at the application to gain access to secure data or use it as a
staging site for assaults on the users of the application. At the
height of COVID-19, misuse of the web to harm others dramatically
increased. Dangerous cyberattacks, including email spam, fraud,
viruses, ransomware, and fraudulent websites which use the
virus as a lure, are currently increasing along with the
virus’s spread rate.30

29 S. Wu, Y. Chen, M. Li, X. Luo, Z. Liu, L. Liu, Survive and thrive: A stochastic game
for DDoS attacks in bitcoin mining pools, IEEE/ACM Trans. Networking, 28 (2), 2020,
pp. 874-887. DOI: 10.1109/TNET.2020.2973410.

CONCLUSION
Companies of all sizes face a growing demand to address the
challenges brought on by COVID-19 cyberattacks. In actuality,
criminals constantly come up with new ways to attack and deceive
people in order to take advantage of the panic and confusion caused
by the ongoing pandemic and stay one step ahead. In March 2020
compared to February 2020, web stealing increased by 26%, based
on recent Malwarebytes statistics. Another interesting discovery
was that there was a 26% rise in people skimming the internet from
February to March 2020, following a 2.5% increase from January to
February 2020. Malwarebytes says that although this is
still a very small rise, it is indicative of an ongoing trend that is going
to grow more apparent over the next several months. CEOs
should thus give operational skills a higher priority over the next
two years in order to eliminate dangerous websites and
advance business. Researchers also need to look into ways to block
dangerous websites so that digital businesses can be resilient.

30 G. French, M. Hulse, D. Nguyen, K. Sobotka, K. Webster, J. Corman, M. Ewing,
Impact of hospital strain on excess deaths during the COVID-19 pandemic—United
States, July 2020–July 2021, Morb. Mortal. Wkly Rep., 70 (46), 2021, pp. 1613.


CHAPTER 17

PEGASUS: A FALLIBILITY TO INDIA’S DEMOCRACY
Prof. (Dr.) Somesh Dhamija 1, Nishita Mahajan 2

“The Pegasus scandal is one of many fundamental problems facing
India, starting with its routine tolerance for violations of its
democratic rights. The widespread use of Pegasus spyware in India
means that democratic institutions at the highest levels of
government are being ignored. What could be worse for the future
of Indian democracy? On the one hand, such organizations and
businesses are highly controversial as they can attack civilians in
society and protesters everywhere under the guise of combating
criminal activity. This is an important point that needs to be
emphasized, as such interference could lead to cyber warfare or
cyber-attacks that could affect the political system of countries. In a
democratic environment, electronic surveillance has always been a
cause for concern, as the premise of using highly intelligent
spyware is based on violating people's privacy”.

INTRODUCTION

The Covid-19 pandemic has laid bare many of India's social
and economic ills. The ongoing 10-day report on phone
hacks of opposition leaders, trade union government
ministers, senior civil servants, military and police officials,
leaders in business and civil society, activists and journalists has
exposed the state of the country's democracy and the subversion of
its institutions. Spyware used for espionage is a controversial topic
in several countries. It has been identified as a key factor, as it is
believed to be important in monitoring and targeting individuals
who may be involved in criminal or terrorist activities.

1 Dean, Institute of Legal Studies & Research, GLA University, Mathura, (India)
2 B.A. LL.B (H), 4th Year, Amity Law School, Amity University, Noida, (India)

There was a warning of looming cybersecurity concerns and
the regulations needed to address them. The Pegasus invasion marks
the complete destruction of the level playing field that a healthy
democracy needs to function. Basic rights are routinely violated in
India, even if they are not legally repressed by the declaration of a
state of emergency.
The spyware, developed by an Israeli company, appears to be
marketed as a tool for monitoring serious crimes and terrorism via
mobile phones, but the zero-click Trojan developed by NSO Group is a
virus. The spyware provides attackers with all sorts of personal access to
targeted smartphones. The world began to shake when it became
clear that the spyware was being widely exploited. The NSO Group's
first known government customer, Mexico, purchased Pegasus,
pushing the boundaries of its use. The stated aim was to fight drug
trafficking, but it was later revealed that it was misused to spy on
the then-presidential candidate, his family, and colleagues. In this
case, it was a very blatant human rights violation.
In India, several electronic surveillance provisions can be
found in the Telegraph Act of 1885 and the Information Technology
(IT) Act of 2000. For example, Section 5 of the Telegraph Act of
1885 permits governments to intercept messages only where
public safety, the sovereignty and integrity of India, good standing
with other states, or public order are at stake. Section 69 of the
Information Technology Act authorizes the government to issue
policies on the interception of information through computer
technology and contains similar provisions.
Individual privacy is also safeguarded by Article 17 of the
International Covenant on Civil and Political Rights, stating that
“No one shall be subjected to arbitrary or unlawful interference
with his privacy, family, home or correspondence, nor to unlawful
attacks on his honour and reputation.” Article 12 of the Universal
Declaration of Human
Rights contains similar provisions. "No one shall have their privacy,
family, home, or correspondence arbitrarily interfered with, or their
honour or reputation attacked. Everyone has a legal right to be
protected from such interference or attacks." Because India is
bound by these international treaties, it must follow them and
protect its citizens' privacy by adhering to their provisions.
Privacy is an important aspect of one's existence. The
indiscriminate use of software such as Pegasus is an attempt to
violate one's privacy. The number of people placed under Pegasus
surveillance in India is worrisome and should be taken seriously: if
true, it is a clear
infringement of the right to privacy, which is now a well-recognized
fundamental right. When confronted with such questions,
governments frequently invoke a defence of national security. A
proper balance must be struck between the nation's security interests
and individual freedom and privacy.

EVOLUTION OF PEGASUS SPYWARE


Pegasus, the horse of Greek mythology, has reappeared and
the world was not ready for it. This has caused a great deal of
turmoil in India. It is spyware developed by the Israeli NSO Group in
2016. NSO stands for Niv, Shalev, and Omri, the names of the
founders of the company. The spyware they develop can attack
and exploit a device without user intervention. There is no need to
press or click any keys. This is known as "zero-click monitoring". Having
developed one of the world's most curious mobile spy kits, they
have captured the world's attention. The spyware, codenamed
Pegasus, can silently jailbreak a phone and threatens all private
communications and the location of the target phone. The NSO
Group was able to keep its work confidential until analysis by
Citizen Lab and Lookout was carried out, establishing its delivery to
the UAE. The Israeli representative attended meetings between
Arab countries and NSO leaders. Clearly, NSO is one of the most
active Israeli companies in the Gulf. Ahmed Mansoor, an
internationally recognized human rights advocate, alerted the
Institute to an attack on his phone on August 10, 2016.
The message had a link that read, "New Secrets on Emirati
Torture in State Prison," which he didn't click because he had
already been a victim of government hackers. After he alerted
Citizen Lab, they found that the link did not lead to secrets, but
rather to malware that could help the attackers gain complete
control of Mansoor's phone. After researching the issue, they found
that Pegasus may already be deployed in countries around the
world, including Turkey, Israel, Thailand, Qatar, Kenya, and
Nigeria. "The NSO is committed to making the world a safer place
by making technology available to sanctioned governments to help
combat terrorism and crime," the NSO said in an emailed statement
to FORBES. "We are committed to our mission."
The company operates under strict rules and laws and has
agreed with government customers that its products can only be
used in legal ways. This malware was introduced in 2011 and
remained hidden until news broke. In 2011, the NSO helped
Mexican authorities arrest a drug lord named El Chapo. The
Mexican government purchased approximately $80 million worth of
spyware from the NSO Group. In 2017, Mexican activists, human
rights lawyers and journalists filed criminal charges after reports
that their smartphones were infected with spy software sold to the
government to combat criminals and terrorists.
In India, news surfaced that between 2018 and 2019,
Pegasus was being used to spy on more than 121 people. The
disclosure follows a lawsuit filed in U.S. federal court in San
Francisco, in which WhatsApp claims that the NSO Group in Israel
used Pegasus to attack about 1,400 WhatsApp users. Several
lawsuits allege that NSO assisted customers in manipulating
software and was involved in numerous human rights violations.
The most prominent leaders, journalists and activists were targeted.
Amnesty International's security lab found evidence of a
Pegasus intrusion in mid-2019. The selection of the target figures is
speculated to have started during Prime Minister Modi's visit to
Israel in 2017. His visit to Israel marked growing ties between the
two countries, with a year-long investigation revealing that the
Indian government bought Israeli spyware as part of a $2 billion
package of weapons. However, so far, neither the Indian nor the Israeli
government has admitted participation in the Pegasus deal.
France-based media outlets Forbidden Stories and Amnesty
International had access to leaked documents containing a list of
targeted phone numbers. The list also included a number of
journalists and editors from top Indian media such as Hindustan
Times, India Today and The Wire. This list was shared with other
organizations around the world as part of a joint research project
known as the Pegasus Project.3
NSO sells software for targeted espionage and mass
surveillance. With one license, a client can spy on multiple smartphones.
In 2016, NSO charged a client $650,000 to compromise
10 devices. Prices have risen as the spyware has become
stealthier and harder to track. Previously, techniques were used
that required user interaction, such as text messages, but the latest one
was able to get into the device via WhatsApp missed calls.
WhatsApp sued NSO in 2019 for being the company behind a
cyberattack on 1,400 phones, and the company was banned from
using WhatsApp. The number of still unknown facts about this
entire Pegasus invasion is staggering. So far, the company has
denied all allegations and published its first transparency report
covering it up. The report was not taken seriously by human rights
groups, all parties to the Pegasus project, and victims, and was
dismissed as a sales pamphlet.

3 Laurent Richard and Sandrine Rigaud, “Pegasus: How a Spy in Your Pocket Threatens
the End of Privacy, Dignity, and Democracy”, Henry Holt and Co, ISBN
9781250858696.

IMPLEMENTATION OF PEGASUS IN INDIA


Pegasus is a malicious software program that injects spyware
into devices without the user's consent or knowledge, placing those
exposed to it in a vulnerable position. It enables full surveillance
and installs the files needed to read the user's messages and emails,
listen to phone calls, and send back browsing history. As a result, it
has the potential to control almost all aspects of digital life,
including the ability to eavesdrop on audio and video conversations,
track location via GPS, and retrieve passwords and authentication
codes without the user's knowledge.4
The only way to confirm a potential attack is to send the
device for forensic examination; experts will then assess the
data transferred from and to the phone. The malicious software exploits
a zero-day vulnerability, so unless OS developers actively ship
updates to their phones aimed at protecting users from high-tech
malware, such compromises are possible. It means you can't do
anything about it.
So the question arises of how Pegasus spyware works. The
three modes are:
• Earmark - Someone sends a so-called trap link to the victim's
smartphone and tricks the victim into tapping it to activate it, or
it activates itself without any input, as in the most sophisticated
"zero-click" hacks. Most of the time, it is spam emails that the target
accidentally opens.
• Contamination – The spyware records and replicates the
phone's most fundamental operations, NSO marketing
materials show, including location and audio and video recordings.
It also extracts
location data, call logs, photos, and emails, as well as contacts.
• Tracking - The implant secretly reports this information to
the agent. Agents use this information to map sensitive information
in the victim's life.

4 Ajay Chawla, Pegasus Spyware - 'A Privacy Killer', Eliva Press, ISBN: 978-1636483375.

The victim’s mobile device is always accessible: the operator can
gather information about the target's contacts, whereabouts, phone
conversations, plans, and activities surreptitiously and remotely,
with simple access anytime and anywhere, and keep an open eye on
VoIP calls and real-time phone calls. In order to deliver the most
precise and comprehensive information possible, the spyware gathers
novel and unusual sorts of information (contacts, files, environmental
bugs, passwords, etc.) and overcomes the challenges posed by the
convoluted communications landscape, including encryption, SSL,
proprietary protocols, and others.
Application monitoring: The spyware can track a variety of programs,
including Skype, WhatsApp, Viber, Facebook, and BlackBerry
Messenger (BBM). GPS may be used to monitor targets and obtain
accurate location data. There is no need to collaborate with a
local Mobile Network Operator (MNO). Pegasus allows
the controller to access the phone's microphone and camera, but
it is not stated how this affects other programs. The controller can
access files and photos, and even read encrypted messages and
emails, but it's unclear if it can tamper with other apps on the phone.
This spyware also affects Apple and Android devices, but due to its
reliance on unreliable rooting techniques, it is less efficient. If the
initial infection attempt fails, the spyware will likely prompt users to
grant the necessary permissions so that it can be deployed
efficiently. It also provides access to user location data and the
ability to inspect screenshots and logs of user input. This allows
the controller to see the passwords used to access various websites
and banking applications. In addition, once the target user's phone
has been hacked by Pegasus malware, contact information, internet
history, microphone recordings and even recovered files can be
accessed, giving it access to all of their personal data; even
encrypted WhatsApp chats are accessible. The audience might be
surprised to learn that this spyware can read messages, track calls,
monitor user activity in apps, collect location data, and even access
your phone's video camera. Not only that, hackers can also use the
Pegasus malware to eavesdrop on your microphone.5

WHAT DOES IT MEAN FOR INDIAN DEMOCRACY TO BE HACKED BY PEGASUS?
Surveillance has become a pillar of human organizational and
epistemological efforts, as well as governmental activity in various
institutional spheres. Science has unintentionally contributed to the
political game of undermining fundamental human rights, leading to
the development of tools that breach people's privacy all the way
down to their beds. In the face of an unrestrained free market
economy, democratic structures and fundamental freedoms are
being compromised. The sole purpose of a free-market economy is
to exercise total control. This is a panopticon system, a building that
allows guards to monitor prisoners in their cells from a central
tower without the prisoners seeing the guards. It's not hard to see why so many
people are so deeply concerned about the spread of surveillance and
that their personal lives are becoming less private. This societal shift to
expanded, enhanced, and integrated surveillance has had multiple
impacts. It also raises concerns about the impact of surveillance on
democratic processes and, much more, about what surveillance
means for civil liberties, political processes, public
discourse, state enforcement and public consent.
According to former Sun Microsystems CEO Scott McNealy, privacy
is dead and we have no choice but to “get over it” and embrace our
newly transparent life. Perhaps the most notable increase in
surveillance in recent years, however, has been in data surveillance. Today,
both governments and the private sector often demand large
amounts of personal data for legal reasons or in exchange for access
to services.
Is surveillance an obstacle to democratic processes, or is it an
essential part of democracy? What role has the legacy of post-9/11
surveillance progress played in shaping democratic processes? Is it
possible that a shadow “security state” will emerge as surveillance
technology becomes more justified for national security reasons?
How would it affect the basic concept of citizenship? What impact
might modern communications and surveillance systems have on
the prospects for true public activism?

5 Laurent Richard and Sandrine Rigaud, “Pegasus: The Story of the World's Most
Dangerous Spyware”, Pan Macmillan UK, ISBN 1761265601, 9781761265600.

As a result, Pegasus' use poses a serious threat to democracy
and freedom, especially in the 10 governments that are believed to
be NSO Group's clients: Azerbaijan, Bahrain, Kazakhstan,
Mexico, Morocco, Rwanda, Hungary, India and the United Arab
Emirates, which are considered to have poor records in terms of human
rights protection. The entrenchment of power through surveillance
not only leads to information overload, but also to state institutions
of behavioural control that undermine the inviolability of individual
privacy and endanger democracy with devastating consequences.
By maintaining a feedback system between the lower and
upper echelons, the oversight regime imposed on those doing the
hard work of maintaining democracy will not survive. According to
the Supreme Court, indiscriminate espionage by the state against
individuals is not permissible in a democracy. We live in a society
where the brutal realities of power and its use trump the
constitutionally guaranteed right to self-determination and free
speech. But the main goal is to maintain political control by
suppressing opposition and ideological deviations from the regime.
Security agencies in democracies and dictatorships collect phone
"data" from dissident citizens and store it for possible future
contingencies.
Contrary to all legal norms, a national security state exists
“legitimately” and overtly pursues acts of social control through
national security surveillance. Fear of a devastating hacking scandal
ultimately led to Pegasus's new role as a way to punish people and
threaten freedom on Earth.
“Of course, democracy is nothing like the individual,” wrote
Sushanto Singh, whose phone was attacked by Pegasus
spyware. “When my phone was hacked, I survived the ordeal to tell
my story. But when democracy is hacked, it risks leaving no one to
tell its history. This is my fear of India today. This fear should not
be real.”
This is at the heart of the current debate over the use of
Pegasus, pitting totalitarian states against dissidents. It's the same as
being labeled "target". Many have been detained for years without
trial. Interrogation of national policy amounts to treason in the


Orwellian sense, where free thought and debate are abhorred,
according to the fascist conception.

WHAT LAWS DOES PEGASUS VIOLATE


The unauthorized invasion of devices by Pegasus spyware
explains the controversy around the several legal, privacy
and ethical issues it has raised. NSO Group has consistently denied
the allegations, calling them misleading. NSO has always
promoted the spyware as something that is strictly for the purpose of
tracking criminals and terrorists for the prevention of terror and
crime.
The following are the relevant pieces of legislation that
can regulate and question the invasion of privacy and menace of this
spyware.

Telegraph Act
According to Section 5(2) of the Telegraph Act, any officer
specifically authorized in this regard by the central government or
the state government, in the event of a public emergency or in the
interest of public safety, may direct the interception of any
communication or class of communications to or from any person or
class of persons, or relating to any specific subject, brought for
interception.
It must be made clear that, among other things, the central
government or a state government may order such interception if it
determines that doing so is necessary for:6
i. Protecting India's sovereignty and integrity.
ii. The state's security.
iii. Goodwill towards foreign nations.
iv. Maintaining public order.
v. Preventing the arousal of criminal activity.
The act's provisions provide that an interception should only
be used when there are no other reasonable options for getting the
information. The total period of interception should
not be more than 180 days.7

6 Indian Wireless Telegraph Act, 1933, No. 17, Acts of Parliament, 1933.
7 Indian Telegraph Act, 1885, No. 13, Acts of Parliament, 1885.


IT Act – Section 69
Any agency of the appropriate government may be instructed
to, among other things, intercept, monitor, or cause to be intercepted
or monitored any information generated, transmitted, received, or
stored in any computer resource by the central government, the state
government, or any officer specially authorized in this regard by the
central government to the state government.
It must be made clear once more that the aforementioned right
to intercept or monitor communications will only be used if it is
required to protect India's security, sovereignty, or integrity, to
maintain a cordial relationship with foreign governments or
public order, to prevent public incitement to commit any crime
related to the aforementioned, or to look into any crime.
Section 43, among other things, provides for the payment of
damages in the event that anybody, without the consent of the owner
or another person in charge of a computer, computer system, or
computer network:
(i) uses such a computer, computer system, computer network, or
computer resource, or secures access to them;
(ii) obtains any data, computer database, or information from the
aforementioned computer, computer system, or computer network,
including any data retained or stored on any removable storage
medium;
(iii) introduces or permits the introduction of any computer virus or
contamination into a computer, a computer system, or a computer
network.
If the aforementioned actions or omissions were committed dishonestly or
fraudulently, the offender may furthermore be punished with up to
three years in prison, a fine up to five lakh rupees, or a combination
of the two.8
Therefore, it may be said that both acts require a court order
to be issued before any type of data collection, monitoring, or
decryption. The installation of spyware on devices for the purpose
of fraudulent hacking is not permitted by the Telegraph Act or the
IT Act,9 so permission cannot be given for Pegasus to be installed.

8 Section 43 of the Information Technology Act, available at
https://cis-india.org/internet-governance/resources/section-43-it-act. (Visited on February 4,
2023).
9 Section 69A of the IT Act, 2000, allows the Centre to block public access to an
intermediary “in the interest of sovereignty and integrity of India, defence of India,
security of the State, friendly relations with foreign States or public order or for
preventing incitement to the commission of any cognisable offence”.


In a democratic country like India, where the right to privacy is a
fundamental right, the usage and installation of Pegasus on
devices for secret acts outside the boundaries of the applicable laws
makes it look like a serious violation. The issue of Pegasus has
raised some serious concerns because of the nature of the invasion it
carries out on the attacked device. It accesses stored information and data,
which is not even authorized under the applicable laws of India.10
Thus, it seems to be a serious privacy concern and breach of basic
constitutional rights.

MEASURES TO BE TAKEN FROM PEGASUS ATTACK


The Qualys Mobile Vulnerability Detection and Response
(VMDR) for Mobile Devices uses a proactive approach to identify
devices that may be susceptible to Pegasus spyware, based on the
vulnerabilities outlined below. Pegasus is a sophisticated type of
spyware, with features such as anti-forensics and self-destruction
that make it difficult to detect. Furthermore, a later uninstallation can
leave no trace. Therefore, the objective of the VMDR for mobile
should be to determine whether a device is susceptible to the
Pegasus spyware, rather than to detect the presence of the spyware
itself.
VMDR provides a comprehensive overview of vulnerabilities
and their prioritization. By prioritizing vulnerabilities by severity,
remediation and preventive action can be taken on affected devices.
Additionally, patch orchestration is available for Android devices,
allowing users to quickly remediate their Android assets with the
appropriate version of patches for each application.

Stay Away from Social Engineering Clickbait.


There have been numerous claims that Pegasus assaults have
targeted human rights advocates and journalists who have received
fake SMS or WhatsApp messages advising them to click on risky
links. The links install spyware on your device by taking advantage
of browser and operating system flaws. This attack method is

10 Under the IT Act, the term 'computer' means "any electronic, magnetic, optical or
other high-speed data processing device or system which performs logical, arithmetic
and memory functions by manipulations of electronic, magnetic optical impulses, and
includes all input, output, processing, storage, computer software or communication
facilities which are connected or related to the computer in a computer system or
computer network".


referred to as Enhanced Social Engineer Message (ESEM) in the
leaked brochure. It stated that "the credibility of the content is
entirely dependent on the likelihood of a target clicking a link." The
Pegasus solution offers a wide range of tools for crafting harmless,
individualised messages that persuade your target to open your
message.
Pegasus ESEM fake messages, according to the
Committee to Protect Journalists, can be divided into numerous
groups. Some claim to be from reputable businesses like banks,
embassies, news organisations, and delivery services. Others
play on sensitive issues like work, possible infidelity, or
assertions that one or both of the parties is in immediate danger.
A variety of decoy messages may be used by ESEM
attacks in the future, so be cautious of communications that try to
persuade you to take digital actions. Here is a specific illustration of
what that entails.
Avoid the urge to click a link the moment you receive a
communication with one, especially if there is a pressing matter at
hand (like a delivery arriving or a credit card charge). If the
linked page appears to be legitimate, manually type in the website address.
If you frequently visit a website, bookmark it and only use the links
in the bookmark folder to reach it.
Before clicking on a link that appears to be a shortened URL, use a
URL expansion service, such as URL Expander or Expand URL, to
examine the actual lengthy link that it leads to.
Verify the sender's identity before clicking on a link that
purports to be from someone you know. Their phone number may
have been spoofed, or their account may have been compromised.
Confirm by a different channel of communication than the one that
carried the message. For instance, if the link was delivered via SMS
or email, get in touch with the sender by another means. That
constitutes out-of-band authentication or verification.
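The link-handling advice above (treat shortened or unfamiliar links as untrusted, prefer bookmarked sites, verify out of band) can be expressed as a small offline triage routine. This is an added example, not part of the original chapter; the shortener list, bookmarked hosts, urgency words and sample messages are constructed assumptions.

```python
import difflib
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a short sample of shortener domains; extend it for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
# Assumption: hosts the user has bookmarked (constructed values).
BOOKMARKED_HOSTS = {"www.examplebank.test", "track.examplecourier.test"}
# Assumption: words that signal manufactured urgency.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "failed", "charge")

URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)


def extract_urls(message):
    """Return every http(s) URL in the message, minus trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lookalike_of(host):
    """Return the bookmarked host that `host` closely imitates, or None."""
    for known in BOOKMARKED_HOSTS:
        ratio = difflib.SequenceMatcher(None, host, known).ratio()
        if host != known and ratio >= 0.85:
            return known
    return None


def triage_url(url):
    """List the reasons a link should not be tapped directly (empty = none)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["unparseable-url"]
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("unencrypted-http")      # open to network injection
    if host in SHORTENERS:
        reasons.append("shortened-url")         # real destination is hidden
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")         # possible homograph domain
    if "@" in parts.netloc:
        reasons.append("userinfo-in-url")       # text before @ is not the host
    if lookalike_of(host):
        reasons.append("lookalike-of-bookmark")
    if host not in BOOKMARKED_HOSTS:
        reasons.append("not-bookmarked")
    return reasons


def triage_message(message):
    """Triage one SMS/chat message: per-URL reasons, urgency cue, verdict."""
    findings = {url: triage_url(url) for url in extract_urls(message)}
    urgent = any(word in message.lower() for word in URGENCY_WORDS)
    if not findings:
        verdict = "no-links"
    elif any(findings.values()):
        verdict = "do-not-tap: verify sender out of band"
    else:
        verdict = "bookmarked-https-link"
    return {"urls": findings, "urgency": urgent, "verdict": verdict}


# Constructed sample messages, not taken from any real campaign.
SAMPLE_MESSAGES = [
    "Your parcel delivery failed, reschedule immediately: http://bit.ly/3xAmPle",
    "Statement ready at https://www.examp1ebank.test/login.",
    "Monthly statement: https://www.examplebank.test/statements",
    "Confirm account: https://www.examplebank.test@203.0.113.9/login",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(triage_message(msg))
```

A link that passes every check is only one that matches a bookmark over HTTPS; the routine does not resolve or fetch anything, so the real destination of a shortened link still has to be examined with an expansion service.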

Defending Against Network Injection Attacks


In many instances, Pegasus infected devices by intercepting
unencrypted network traffic (such as HTTP web requests) and
rerouting it to malicious payloads. This is known as a man in the
middle (MITM) attack. This could be accomplished by tricking the
phone into connecting to a malicious portable device that poses as a
nearby cell tower or by acquiring access to the target's cellular provider (which


is feasible if the target is situated in a nation
where telecommunication services are government-controlled).
Even with the phone in mobile data only mode and
disconnected from a Wi-Fi network, this attack proved successful.
The customizations (available till the end of August) and the
software loaded from an unauthorised source will be recognised by
VMDR. The Pegasus spyware may be downloaded or installed on
Android devices by an unidentified source and request authorization
to track users' online behaviour. The Pegasus spyware can take over
a device thanks to every Android and iOS security flaw that Apple
and Google patched in security updates. Take the appropriate
safeguards and keep an eye out for potential weak points. As
Pegasus spyware can only be installed if the device has the
vulnerabilities, doing this will help you protect your devices from
the spyware.
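The approach described for VMDR, judging whether a device is susceptible rather than trying to find the spyware itself, can be sketched as a posture check over a device inventory. This is an added example, not Qualys code or its API; the inventory records, field names, 90-day patch threshold and weights are constructed assumptions.

```python
from datetime import date

# Assumptions (not Qualys VMDR values): policy threshold and finding weights.
MAX_PATCH_AGE_DAYS = 90
WEIGHTS = {"patch-overdue": 3, "sideloaded-app": 3, "unknown-sources-enabled": 2}
TRUSTED_INSTALLERS = {
    "android": {"com.android.vending"},  # Google Play Store package name
    "ios": {"app-store"},                # placeholder label for the App Store
}

# Constructed inventory, shaped like an export from a device-management tool.
INVENTORY = [
    {"id": "phone-a", "platform": "android",
     "security_patch": date(2023, 1, 5), "unknown_sources": True,
     "apps": [("com.example.chat", "com.android.vending"),
              ("com.example.tool", None)]},
    {"id": "phone-b", "platform": "ios",
     "security_patch": date(2023, 6, 20), "unknown_sources": False,
     "apps": [("com.example.mail", "app-store")]},
    {"id": "phone-c", "platform": "android",
     "security_patch": date(2023, 3, 1), "unknown_sources": False,
     "apps": [("com.example.maps", "com.android.vending")]},
]


def assess(device, as_of):
    """Return (kind, detail) findings that make a device easier to infect."""
    findings = []
    age = (as_of - device["security_patch"]).days
    if age > MAX_PATCH_AGE_DAYS:
        # Known, already-patched flaws remain exploitable on this device.
        findings.append(("patch-overdue",
                         f"{age} days since last security patch"))
    if device.get("unknown_sources"):
        findings.append(("unknown-sources-enabled",
                         "installs from unknown sources are allowed"))
    trusted = TRUSTED_INSTALLERS.get(device["platform"], set())
    for package, installer in device["apps"]:
        if installer not in trusted:
            source = installer or "an unknown source"
            findings.append(("sideloaded-app",
                             f"{package} was installed by {source}"))
    return findings


def score(findings):
    """Sum the weights of all findings; 0 means nothing was flagged."""
    return sum(WEIGHTS[kind] for kind, _detail in findings)


def prioritise(inventory, as_of):
    """Rank devices for remediation, most exposed first."""
    rows = []
    for device in inventory:
        findings = assess(device, as_of)
        rows.append((device["id"], score(findings), findings))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for device_id, total, findings in prioritise(INVENTORY, date(2023, 7, 1)):
        print(device_id, total)
        for kind, detail in findings:
            print("   ", kind, "-", detail)
```

A score of zero means only that none of these conditions was observed; it says nothing about whether the device is already infected.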

Zero-Click Exploits
Zero-click exploits are distinct from other infection attempts in that
they do not require the victim to take any action, such as clicking
a link or opening an attachment. All that is required for an attack to
succeed is for the victim to have an operating system or application
that is vulnerable installed on their device. Amnesty International's
forensic analysis of the recently made public Pegasus data revealed
that some infections were spread via iMessage or Apple Music
through zero-click attacks. It's crucial to remember that your mobile
should only have the apps you need. This is not the first time NSO
Group products have been linked to zero-click assaults; a complaint
was made in 2017 against Ricardo Martinelli, the former president
of Panama, and one in 2019 against WhatsApp and Facebook. The
complaint alleged that NSO Group developed malware that was able
to exploit a vulnerability in WhatsApp.
Zero-click vulnerabilities are the most difficult to fight against
because they do not involve any user interaction. Users can lessen
their "attack surface" and practice device compartmentalization to
reduce their vulnerability to these attacks. Simply said, lowering
your attack surface implies limiting the potential infection vectors
for your device. Device compartmentalization is the practise of
distributing your data and programs across numerous devices. To be
specific, users can:


➢ Keep the number of apps on your phone to a minimum. The
fewer unlocked doors there are in your house, the harder it will
be for burglars to break in. In a similar vein, fewer apps mean
less room on your phone for potential threats to enter. Only
the apps you absolutely must have on your phone should be
there. Some apps, such as iMessage, cannot be deleted. In
these situations, you can often turn them off. However, this
will prevent text messaging from working on your iPhone.
➢ Check installed apps' permissions on a regular basis, and
remove any programs you no longer require. Rarely used apps
should be removed and reinstalled when needed rather than
being left on your phone.
➢ Update your phone's operating system and individual apps on
a regular basis.
➢ Divide the remaining apps into sections. If your phone is
compromised with only WhatsApp loaded, hackers can access
your WhatsApp data, but not other important information
such as emails, calendars, photos, Signal communications,
etc.
➢ Keep the devices physically separate as even a blocked phone
can be used as a listening and locating device. This means
keeping it in another room, preferably in a tamper-proof bag.

Physical Access
Another way a hacker can infect your phone is by accessing
it directly. The brochure says, "If you have physical access to the
device, you can manually inject the Pegasus agent and deploy it in
less than five minutes." It is unclear whether it could infect a
PIN-protected phone. Although there doesn't seem to be any evidence of a physical
Pegasus attack, these exploits can be hard to spot and tell apart from
online attacks. The following measures should be taken against such
attacks:
➢ Always keep your gadget in plain sight. You run the risk of
getting hurt if you lose your gadget. There are differences
between leaving your laptop in your room when you go to the
toilet and having a customs officer take your phone at the
airport, but both involve some level of risk, which needs to be
assessed against your own risk tolerance.
➢ If you leave the device unattended, put it in a tamper-resistant
bag, especially in a hazardous environment such as a hotel


room. This does not prevent the device from being tampered
with, but it should immediately alert you that the item has
been removed from the bag and may have been tampered
with, and the device should not be used at that time.
➢ While entering government buildings, especially those that
may be unfriendly, like embassies and consulates, or while
crossing borders, use burner phones or other
compartmentalised devices.
Pegasus is sophisticated malware, but there are specific steps
you can take to reduce the chances of your device getting infected.
There is no ideal technique for eliminating risk entirely, but you may
always take steps to mitigate it. There is absolutely no justification
for adopting the pessimistic attitude that you are "no match" for
Pegasus.

DATA PROTECTION BILL 2021


The news has been dominated by revelations that human
rights activists, intelligence personnel, lawyers, and numerous
others were subjected to widespread surveillance, including in India
and other nations such as Azerbaijan, Bahrain, Hungary,
Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the
United Arab Emirates. Pegasus is a malware that infects iPhones
and Android devices, allowing operators of the tool to retrieve texts, photos,
and emails, as well as record calls without the phone user's
knowledge. Legislation addressing data protection and privacy
is therefore urgently needed in India. This is particularly important
because a nine-judge Supreme Court bench ruled in the 2017 case of
Justice K.S. Puttaswamy v. Union of India that the right to
privacy is a fundamental component of the right to life and
personal liberty under Article 21 and one of the freedoms protected
by Part III of the Indian Constitution. Despite the fact that the Indian
government established a commission of experts in 2017 under the
chairmanship of Justice B.N. Sri Krishna, charged with identifying
significant data protection issues and ways to address them, it did
not pass the Personal Data Protection Bill until December 11, 2019.
The bill exempts major government agencies from its
operation and authorizes the government to order data trustees to
expose personal and non-personal information of Indian residents
under Section 91. This is a watered-down version of the proposal. It was
at the center of Twitter's recent battle with the government, which


resulted in the company losing liability protection. Surprisingly,
Section 3(28) of the Bill defines "personal data" as information that
directly or indirectly identifies a person or pertains to the
traits or characteristics of such a person.
Non-personal information11 is not described, despite the fact
that it is specified. In reality, the government has permitted the
enforcement of a variety of statutory laws that go against the
privacy of residents. For instance, the Government is required to
protect India's sovereignty and integrity, security, cordial relations
with other countries, and prevention of instigation to commit
crimes, according to Section 5(2) of the Indian Telegraph Act, 1885.
Regulation 419A of the Indian Telegraph Regulations, 1951,
provides a description of this technique. Going back to the draft,
Article 25 addresses specific data breaches. Any specific data
breach that could be harmful to the data regulator must be reported
to the Data Protection Authority of India (DPAI) by data trustees.
Section 41 describes DPAI liabilities. It includes guarding the
rights of data regulators, precluding abuse of personal data, ensuring
compliance, and raising awareness of data protection. Despite
these measures, there are concerns about the independence of the
DPAI. The EU's General Data Protection Regulation (GDPR)
could serve as a model here. Pursuant
to Article 34, the regulator is obliged to notify the data
regulator of a data breach if the breach could pose a significant
threat to the rights and freedoms of the data subjects. From an
international perspective, a Pegasus-like discovery was made in
the United States in 2013, revealing that the National Security
Agency was tapping the phones of millions of Americans, as exposed
by Edward Snowden, currently a political asylum seeker. He revealed
that the U.S. government was monitoring the emails and social media
posts of millions of Americans and non-Americans through its
PRISM programme, including Facebook, Yahoo, and Google.
However, a civil petitions court ultimately decided that the
government's actions, which had the effect of leaving millions of
individuals exposed, went beyond its legal jurisdiction.

11 Government withdraws Data Protection Bill, 2021, available on
https://economictimes.indiatimes.com/tech/technology/government-to-withdraw-data-protection-bill-2021/articleshow/93326169.cms?from=mdr. (Visited on March 20, 2023)


The American Freedom Act of 2015 was enacted by the
government as a result of this decision in order to improve the
process for employing surveillance, trap and trace devices, and other
sorts of intelligence to gather foreign intelligence and counter
terrorism. This regulation also prevents the collection of large
quantities of data and ensures transparency.
In India, the data protection law, on the other hand, lacks a
crucial provision for surveillance reform, giving the government
broad powers. The Justice Sri Krishna Commission also set
surveillance reforms outside the scope of data protection. It
makes sense to infer that as technology has developed, so too has
the capacity of governments and private companies to eavesdrop on
people's private lives. Additionally, under the cover of terrorism and
public security, governments all over the world are obfuscating the
distinction between lawful monitoring and data collecting.
According to astronomy, governments should enact public policies
that not only deal with data protection and privacy but also
inform citizens about the dangers of identity theft and fraud in the
digital age. Similar rules should specify how certain information
should be collected and provide privacy safeguards that can be
built into technological solutions.

OPPOSITION REACTION TO PEGASUS


The opposition was more scared than irked, as the leaders in
the opposition noticed that the Modi government was spying on
journalists, activists and politicians who were opposed to its
policies. Congress, being the biggest party in opposition, was under
the greatest threat. "It is an attack on the democratic foundations of our
country."12
The news of surveillance has reverberated across the globe. In a
joint investigation by Forbidden Stories, a French media non-profit,
and Amnesty International, a database containing more than 50,000
phone numbers of journalists, government officials, opposition
figures, activists and judges was discovered. The list of numbers
was shared with 17 media partners, but the presence of a number
did not indicate an infection of the device.

12 https://twitter.com/TimesNow/status/1417086893326438415. (Visited on January 2,
2023).


Without a proper digital forensic analysis, it is impossible to
determine whether the phone was the target of surveillance. Debates
on the potential privacy breach were held in the Rajya Sabha and Lok
Sabha. During the discussion, the government argued that any
interception, monitoring, or decoding of any kind of information is
done in accordance with due process of law and that there is a well-
established procedure for the lawful interception of electronic
communications, particularly in the event of a public emergency or
for the protection of public security. On receiving the questionnaire
from media houses and the opposition parties, the government said
that the commitment to free speech is the cornerstone of
democracy in India, but that the news and stories about Pegasus were
being crafted in a way that focuses on pre-assumed conclusions.
The opposition, seeking an independent probe in the spyware
snooping case, approached the Supreme Court. Petitions were filed
before the Supreme Court by former union minister Yashwant Sinha,
CPM MP John Brittas, Supreme Court advocate ML Sharma, the
Editors' Guild of India and individual journalists seeking a
court-monitored probe by a special investigation team. While the matter
was being heard, the Centre filed an affidavit claiming that the
allegations are based on conjecture and pre-assumed reports made
by the media houses. Meanwhile, the opposition made it clear that the
Prime Minister is not above the nation and that it is criminal if he is using
this spyware as a personal tool to spy on people and decrypt their
messages. The Supreme Court waited and provided the Centre with
some time to file a response to pleas seeking an independent probe.
A bench of Chief Justice of India N.V. Ramana, Justice Surya Kant
and Justice Hima Kohli was hearing the matter.
The opposition and the Centre both had their own strong
takes on the spyware case. The Centre was of the clear opinion that the
issues were being created and manufactured on the basis of false
propaganda and unsubstantiated reports. The opposition stood and
posed three questions. “Who authorized Pegasus, which agency,
which person authorized Pegasus? Who are the victims of Pegasus
and the final thing, which we think is very important, did any other


country have access to information of our people, were they privy,
was this data kept with them?”13
The Supreme Court gave an ample amount of time to the
Centre, and it could come up with nothing but a vague denial about
the illegal use of spyware. The investigation will be led by retired
Supreme Court Justice RV Ravindran, with assistance from an IPS
officer and representatives from the National Forensic University.
By the following hearing two months later, the committee must
"expeditiously probe" the charge and provide a report to the court.
The judgment by Chief Justice NV Ramana began with a quote
from George Orwell's 1984: "If you want to keep a secret, you must
also hide it from yourself."

CONCLUSION
Spyware incidents like Pegasus mark the beginning of a new
era of digital warfare. Situations like this are likely to become more
common as technology advances. It is important to set strict rules
for restricting unauthorized access to devices and spyware control.
The Pegasus case also highlights the need for spyware regulation.
The purpose of targeting criminals and users suspected of such
activity can also extend to spying on individuals such as activists
and protesters, damaging the entire fabric of democracy and privacy
in the long run because it can give Individual.
Tools like Pegasus are only successful when used against a
small number of high-value targets such as national security
threats, crime syndicate bosses, etc. This technology relies heavily
on the stealth element of its use, making it of little value as a mass
surveillance tool; heavy consumption can lead to system-wide
failure. Furthermore, NSO Group sells the system and charges on a
per-use basis, so using Pegasus as a large-scale surveillance tool is
clearly disastrously expensive from a financial point of view, and the
claim regarding its use as a large-scale surveillance tool is
false, nil, and invalid. The extremely wide parameters of the state's
present statute governing surveillance confer unfettered
authority on the administration. The well-known case of Shreya

13 Dear Standing Committee, We Have Some Questions on Pegasus, available at
https://internetfreedom.in/dear-standing-committee-we-have-some-questions-on-pegasus/. (Visited on March 16, 2023).


Singhal14 is an example of such arbitrary power. Such power not
only results in a disproportionate limitation of citizens' fundamental
right to privacy, but it also has far-reaching implications for other
freedoms. To summarize, our phone has a "one in a billion chance"
of being infected by Pegasus or being used for mass surveillance of
its population. With transnational businesses controlling the
communication arenas in the digital age, authorities have had
difficulty identifying offenders since the intermediaries refuse to
cooperate with law enforcement.
There is no doubt that in this new age of digitization,
adequate surveillance is critical in order to prevent large-scale
misuse of the internet and communication networks for organized
crime and terrorism. The period of communication being limited to
only telephones is over, and hence there is a need to increase the
reach of the laws with technological innovation.

14 AIR 2015 SC, Pg. 1523


CHAPTER 18

CYBER FORENSICS AND CHALLENGES FOR LAW
ENFORCEMENT IN INDIA
Dr. Manoranjan Singh 1, Shubhika Chauhan 2

“When we talk about “cyber,” we automatically think of the
internet, technology, and virtual worlds. For lawyers, it brings
many other nuances. Therefore, anything that has its roots in
technology or is somehow connected to the general term "computer"
and its descendants is commonly referred to as cyberspace. Cyber
forensics is becoming increasingly important in today's world where
more business and personal activities take place online. It is used in
criminal investigations, civil litigation, and corporate investigations
to uncover evidence of fraud and identify potential security threats.
Cyber-forensics is used in various areas of law, including law
enforcement. Electronic evidence is used to find incriminating
evidence in various crimes and can be used to identify business and
personal data in civil litigation. Examples include contracts,
divorces, lawsuits, harassment and defamation cases”.

INTRODUCTION

Cyber forensics is the application of scientific procedures and
techniques to gather, assess, and preserve electronic data to
support investigations or lawsuits. It is often referred to as
digital forensics or computer forensics. Cyber forensics uses
specialized software and hardware tools to gather information from
digital devices, networks, and storage media.
Criminals use these exclusive technologies to
perpetrate crimes that are beyond the reach of ordinary people.
Those unfamiliar with this technology cannot truly understand the
origin of crime. In recent times, a new term has emerged

1 Assistant Professor, Public Administration, Government Arts College, Kota (India)
2 3rd Year, B.A. LL.B(H), Institute of Legal Studies and Research, GLA University,
Mathura (U.P.)


“cybercrime”. For crimes that are facilitated by the use of technology,
the evidence is also provided in popular electronic formats.
Without experts, it is difficult to verify the veracity of such
evidence. This is where the function of cyber forensics comes into
play. Generally, forensics refers to the use of technology to
demonstrate facts in court. If it is preceded by the word cyber, it
clearly indicates its relationship to cyberspace. Etymologically, it is
called "electronic evidence". It is broadly defined as collecting,
storing, analysing, and presenting computer-related evidence in
court.
The main purpose of cyber forensics is to identify, store and
analyse electronic evidence that can be used in court. This evidence
includes emails, documents, images, videos, and other data stored
on your computer, smartphone, or other digital device. Cyber
forensic scientists work to uncover the causes of cyberattacks,
identify potential security breaches, and reconstruct digital events
that may have occurred.
In the major case of “Lorraine v. Markel American
Insurance Company”, Grimm J. explains a model for the admissibility of
electronic evidence.3 The Lorraine model shows that the admissibility
of electronic evidence depends, first, on relevance: whether the
electronic evidence tends to make a fact of consequence to the outcome of
the litigation more or less likely than it otherwise would be. Second,
the question of authenticity needs to be addressed: whether the electronic
evidence can be shown to be authentic. Third, and one of the
major concerns related to electronic evidence, is hearsay: whether the
evidence is a statement made by the declarant other than
during testimony in court or at a hearing, offered to prove the veracity
of the matter asserted, and, if the electronic information
is hearsay, whether an exclusion or exception to this rule applies.
Fourth, the application of the original document rule must
be ensured. Fifth, consider whether the probative value of electronic evidence
is substantially outweighed by the risk of unfair prejudice, confusion, or
wasted time. Careful consideration of these traditional evidentiary
principles will help proponents to successfully have electronic
evidence admitted.

3 https://www.lexisnexis.com/applieddiscovery/LawLibrary/whitePapers/ADI_WP_LorraineVMarkel.pdf.

IMPORTANCE OF CYBER FORENSIC


Cyber Forensics is important in the following given fields:

1. Criminal Investigation
Cyber forensics plays an important role in investigating and
solving cyber-crimes such as hacks, data breaches and cyber-
attacks. It helps identify perpetrators and provides evidence for
legal action.

2. Cyber Security
Cyber forensics plays an important role in ensuring cyber
security. It helps companies identify system and network
vulnerabilities and implement appropriate measures to prevent
cyberattacks.

3. Litigation
In litigation, cyber forensics can help provide reliable
evidence that can be used in court. This ensures that justice is served
and cybercriminals are held accountable for their actions.

4. Crisis Management
Cyber forensics helps companies assess the risk of
cyberattacks and develop effective risk management strategies.
Understanding the nature of cyber threats and system vulnerabilities
can help organizations protect against cyber-attacks.

CYBER FORENSIC TOOLS


Cyber forensic tools are critical to extracting digital evidence
admissible in court. Electronic evidence plays an important role in
cybercrime. A computer forensics tool for finding frameworks in
digital media. Investigators may have valuable methods and skills to
oppose the use of anti-forensic tactics, which can lessen the impact
of anti-forensic instruments. Digital evidence of illegal activity can
also be collected through Facebook, Twitter, Orkut, Myspace, etc.
Obtaining this information required a subpoena rather than a special
forensic tool. Chats and E-mails from such social networking sites
may be permissible as evidence. A state-of-the-art snapshot of
mobile forensic software tools. Various cyber forensic tools are
listed below.

1. A forensic toolbox for looking into "UNIX systems" is called
"Coroner's Toolkit" (TCT).
3. The industry-standard application that law enforcement
organisations employ is called "Encase".
4. Although it's not simple to use, "The Forensic Toolkit"
(FTK) is a very effective tool.
5. "Analysts" are a different class of analytical instrument and
program for visual inspection and analysis.
6. A potent distributed log analysis tool is "Log Logic's LX
2000".
7. “Net Witness and Security Intelligence” are tools for
analysing the security of network traffic.
8. A comprehensive IT forensics application called "Pro
Discover Incident Response" (IR) enables you to access
computers over a network and examine network behaviours.
9. A network forensics program called "Sleuth Kit" is used to
look for file instances in NTFS files.

INDIAN CYBER FORENSIC TOOLS' EFFECTIVENESS IN EXAMINING EVIDENCE

Cyber forensic tools are "X-Ways Win Hex, First on Scene,
Rifiuti, Pasco, Galleta/Cookie, Forensic Acquisition Utilities,
Nmap, Ethereal, BinText, Encrypted Disk Detector, MemGator".
Using the program Rifiuti, you can get the most recent information
regarding the Recycle Bin on your computer. You can use it to
retrieve both deleted and retained files. Pasco, which means "scan"
in Latin, aids in our analysis of all the browsing content you have
provided. In other words, it belongs to the group of specialised
tools, or other steganography tools. In order to deceive others, it
essentially changes a data or text file and embeds it in an image file.
Hackers and malicious individuals now have the new notion
of injecting data files not just into image files but also into
video and music files. People can conceal criminal information by
renaming a file from one type to another and changing its
extension, which makes it challenging to tell whether the file type
is accurate or not. Encase is used to find such suspicious files.
The file headers are interpreted and marked as bad header
information when a hash function is run on the disc. It is crucial
to obtain a correct and comprehensive overview of the information
before using it as evidence in court. Therefore, for each case, the
specialist must accurately record the details of the work, which
should not be disclosed to anyone, and all materials that can be
presented as concrete evidence in court. Whatever can best be done
to collect information should be done.
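The header check described above for files whose extension has been changed, as an added Python example (it is not Encase's implementation and not code from the book). The short signature table, the status names and the sample files are constructed for illustration.

```python
import os
import tempfile

# (magic bytes, content type, extensions that legitimately carry them)
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".pptx"}),
    (b"MZ", "Windows executable", {".exe", ".dll", ".sys"}),
]
KNOWN_EXTS = set().union(*(exts for _, _, exts in SIGNATURES))
HEADER_LEN = max(len(magic) for magic, _, _ in SIGNATURES)


def identify(header):
    """Return (content type, allowed extensions) for the leading bytes."""
    for magic, label, exts in SIGNATURES:
        if header.startswith(magic):
            return label, exts
    return None, set()


def check_file(path):
    """Classify one file; it is opened read-only so evidence is not altered."""
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
    ext = os.path.splitext(path)[1].lower()
    label, exts = identify(header)
    if label is None:
        # A .png with no PNG signature is as suspicious as a renamed file.
        if ext in KNOWN_EXTS:
            return "bad-header", f"{ext} extension but no matching signature"
        return "unknown", "no signature on record for this file"
    if ext in exts:
        return "match", label
    return "mismatch", f"content is {label}, extension is {ext or '(none)'}"


def scan(root):
    """Walk a mounted working copy and map relative path -> (status, detail)."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            findings[os.path.relpath(full, root)] = check_file(full)
    return findings


def build_sample(root):
    """Write constructed sample files; only their leading bytes are realistic."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
        "notes.txt": b"PK\x03\x04" + b"\x00" * 16,          # ZIP renamed to .txt
        "report.pdf": b"MZ\x90\x00" + b"\x00" * 16,         # executable renamed to .pdf
        "logo.png": b"this is not a PNG",                  # extension with wrong header
        "readme.md": b"# plain text\n",                    # type not in the table
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan(root)


if __name__ == "__main__":
    for path, (status, detail) in sorted(demo().items()):
        print(f"{status:<11} {path:<12} {detail}")
```

Short signatures such as "MZ" or "PK" can also occur at the start of ordinary text, so a flagged file is a lead for manual examination, not a conclusion.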
Once all the information and evidence has been collected,
experts prepare a report that can be filed in court, as these
people have expertise in their respective fields and experience in
the subject they are working on. Today, malicious, disgruntled
employees are attacking many e-commerce websites with viruses,
eavesdropping, financial fraud, etc. in various states and in
independent companies and businesses. Such e-commerce attacks
bring several financial difficulties for businesses. This has been
observed as a common attribute of those who are fired or humiliated
by large departments, whether hackers or cybercriminals. There
are downsides. Retaining data or information for evidentiary
purposes is beneficial to courts, but there can be technical and
human barriers to collecting such information.

Some of the restrictions are:


1. The few options that browsers offer for saving WWW pages to
disk aren't ideal, as they may save the text but not the
associated images.
2. There may be differences between what you see on your screen
and what is stored on your hard drive.
3. The method used to store a particular file may not record a
unique identifier showing when and where it was obtained. These
files can easily be forged or tampered with.
4. Finding the last page captured by the system can be difficult.
Looking at the series as a whole makes it even harder to tell
which is slower and which is faster. Many ISPs use proxy
servers to deliver the popular websites in a speedy way on the
Internet. Therefore, a user may not be sure what she received
from her ISP from a particular website.
5. Common mistakes such as changing date and time stamps,
stopping rogue processes, and applying system patches
before examination can disconnect data from hard drives,
corrupt electronic files stored on computers, and destroy
evidence that could have been obtained. New technologies help
engineers design and build more robust hardware and software
for investigating computer crime. The evolution of cryptography
is a debate between foreign cyber-forensics systems and their
Indian counterparts.
India has attempted in a number of ways to address the law
and order and terrorism challenges faced by its security agencies.
In 2011 came the petition in Yahoo! India Private Limited v Union
of India before the Delhi High Court. The petition documents the
government's repeated requests for access to IP addresses and email
content, citing requests from the Intelligence Bureau (IB), India's
national intelligence agency. It also documents how the IB obtained
this data under Section 28 of the Information Technology Act, 2000
through the Office of the Controller of Certifying Authorities
(CCA), the Information Technology Agency of the Government of
India. Concerns are often related to online jurisdiction issues. For
example, if an online crime occurred outside of India's borders, but
the evidence is in India, do the laws of other countries apply
here in India? The number of people involved also complicates
matters. This is the main reason India opposes the Council of
Europe's cybercrime treaty, known as the Budapest Treaty.

MECHANISM FOR INVESTIGATION


First, there is the interrogation process, which attempts to
gather information about the crime, why it happened, who
committed it, and how to proceed with the investigation. The next
step is to collect information by checking webcams, listening
devices, etc. In some cases, evidence is collected from the hacker's
computer. Then comes the next step, i.e. cyber forensics, which
investigates cybercrime using a variety of techniques:
• Tracking IP address
• Analysis of web server logs
• Email account tracking
• Attempts to recover deleted evidence
• Password cracking attempts
• Try to find hidden data
Computer forensic investigators must use multiple
investigative techniques to uncover the truth. To find out the truth,
you have to follow a few steps. Evidence must be collected without
breaking the chain of evidence. Once evidence is collected, the
original data must be kept safe and duplicate data handled. Data
integrity must be maintained by forensic investigators.

Forensic investigators should follow the steps below when
investigating a cyber forensic case.
The research process should not damage the reputation of the
researcher or the reputation of the organization.
1. Businesses should consult an attorney for a legal opinion.
2. The initial statement of procedure is made by a forensic
investigator.
3. Evidence from crime scenes is collected by forensic
investigators and brought to forensic laboratories.
4. The collected evidence is processed as a bit-stream image and
hashed with the MD5 hashing algorithm.
5. Before completing the investigation, the forensic investigator
must review the evidence and finally prepare an investigation
report.
6. Finally, the forensic investigator must hand over the
investigative report to the client.4
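Step 4 and the requirement that the original be kept safe while a duplicate is examined, as an added Python example (not taken from the book or from any forensic product). MD5 is used because the text names it; SHA-256 is computed alongside because MD5 collisions can be constructed deliberately. The file names, the custody-log layout and the sample image are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory


def hash_image(path):
    """Stream the image once and return its MD5 and SHA-256 digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def _entry_digest(body):
    """Hash a log entry's fields in a stable order."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def custody_entry(log, actor, action, path):
    """Append a custody record that stores the digests and chains to the previous record."""
    body = {
        "seq": len(log) + 1,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "image": os.path.basename(path),
        "digests": hash_image(path),
        "prev": log[-1]["entry_hash"] if log else "0" * 64,
    }
    body["entry_hash"] = _entry_digest(body)
    log.append(body)
    return body


def verify_log(log):
    """Return the sequence number of the first altered record, or None if intact."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or entry["entry_hash"] != _entry_digest(body):
            return entry["seq"]
        prev = entry["entry_hash"]
    return None


def same_evidence(log, path):
    """True if the file still matches the digests recorded at acquisition."""
    return hash_image(path) == log[0]["digests"]


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "disk01.dd")          # hypothetical image name
        working = os.path.join(tmp, "disk01-working.dd")   # duplicate to examine
        data = bytes(range(256)) * 8192 + b"tail"          # constructed 2 MiB "image"
        for path in (original, working):
            with open(path, "wb") as fh:
                fh.write(data)
        log = []
        custody_entry(log, "investigator A", "acquired bit-stream image", original)
        custody_entry(log, "investigator A", "created working copy", working)
        results["copy_matches"] = same_evidence(log, working)
        results["log_intact"] = verify_log(log) is None
        with open(working, "r+b") as fh:                   # a single altered byte
            fh.seek(4096)
            fh.write(b"\xff")
        results["altered_copy_matches"] = same_evidence(log, working)
        log[0]["actor"] = "someone else"                   # a record edited afterwards
        results["first_altered_record"] = verify_log(log)
    return results


if __name__ == "__main__":
    print(demo())
```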

CYBER FORENSICS APPLICABILITY


Technology is a double-edged sword.5 It can be used for
economic sustainability and for assisting law enforcement in
investigating cybercrime cases and in collecting, producing, and
creating hard evidence, but it can also be used by cybercriminals
to commit more serious crimes. To bring criminals to justice when
critical assets and systems are compromised, security professionals
must be able to gather electronic evidence. A cyber thief or rogue
employee can use a variety of freeware and shareware tools and
commercial utility suites to hide or remove evidence from storage
media. Such attacks are often seen as the result of multiple
attacks or as a symptom of something bigger. Hackers can access
bank accounts and obtain credit card numbers. Digital evidence is
needed to catch cybercriminals, so that investigators can get to
the bottom of the crime. While it is true that cyber forensics has
done a lot to combat this type of crime, it is not without its
challenges. Computer professionals can use a variety of methods to
locate data on a computer, PDA, SIM card, or credit/debit card and
recover data from deleted, encrypted, or corrupted files. In the
event of an investigation, filing, or litigation, some or all of
this material may be useful. The anonymity of the Internet makes it
difficult to trace identity in cyberspace. If the international
goal is a secure cyberspace, it requires a comprehensive social
commitment. Managing a digital environment of increasing size and
scope requires maintaining a cyber citizenship culture.

4 M. Elavarasi and N.M. Elango, Analysis of Cybercrime Investigation
Mechanism in India, October 2017.
5 Digital Forensics: Applications and Challenges, available at
https://legaldesire.com/digital-forensics-applications-and-challenges/.
(Visited on February 14, 2023).

Admissibility of Digital Evidences


The quality of a digital record and evidentiary value of a
particular digital record is directly proportional to each other. In digital
forensic scenarios, the definition of a mobile device associated with a
computer or computer tool is clarified in the Information Technology
Amendments Act of 2008. Therefore, according to the ITAA 2008
definition, mobile devices are considered computers with similar
attributes. The Indian Evidence Act, 1872 clearly states the
admissibility and restructure of electronic records under section 3 and
section 65A. Section 65B of the same Act also addresses the
admissibility and evidentiary value of electronic records submitted in
the court. As far as electronic evidence is concerned, the law itself
seeks to clarify its guidelines. However, since this is new territory,
there are many ways to invalidate the evidence you have gathered. This
is not about law or forensic proceedings; it's a matter of balancing the
two. The law is very reluctant to accept evidence because court
proceedings rely heavily on the information provided, which can lead
to serious errors. Since it is the responsibility of the investigator to
confirm and support the veracity of the source, device mobility is a
significant issue. The situation involving engineer "Lakshmana K.
Kailash" is a prime illustration of the requirement for reciprocal
precision between procedure and legislation. The rise of counterfeit
goods, such as SIM cards, smartphones, and other items, is a severe
issue. Fully analysing a case and reporting it in its entirety in a legal
manner is a challenging undertaking for investigators. Even the finest
investigator cannot dispute that a single abuse of electronic evidence
might result in the falsification or manipulation of evidence because it
is so dynamic. Tampering with source code that the law requires to
be kept is a criminal offence under Section 65 of the IT Act.
Investigators should take this into account when working with such
information.6
Some electronic evidence can now be submitted in presentable formats
such as physical paper copies or in other formats. It is also a challenge
for investigators to comply with electronic evidence regulations and
submit evidence on a regular basis. Maintaining integrity during this
transformation is the real job. Simply put, evidence from an electronic
source, be it paper or electronic, is valid only if it is from a well-
controlled system and the data has not been tampered with. There is no
method that works with or without the integrity of directly generated
data. Human intervention is guaranteed.7

GROWING DEMAND FOR CYBER FORENSICS EXPERTS


The constant fear of cyberattacks will force companies to fight
for their survival. Data breaches are expensive, costing up to $180 per
record compromised (IBM, 2021). Additionally, data breaches can
expose organizations to sabotage, espionage, and extortion.
Responding to security incidents is difficult. It can take up to 287 days
or 9 months or more to find and fix a data breach (IBM, 2021). At this
point, the company loses vital information it can use to find the culprit.
Many companies work with cybersecurity forensic consultants or
employ other in-house computer forensic scientists as a defence. These
specialists help combat a variety of new threats such as:

1. Rapidly Developing Technology


Sudden changes in information technology architecture can
bring new threats. For example, the introduction of remote work
during Covid increased phishing attempts by 220% (Warburton,
2021).

2. Internet of Things (IoT) Vulnerabilities


There are approximately 13 billion IoT devices online. Some
of these devices are insecure and therefore targeted by hackers.
Additionally, these devices can be used as a basis for botnet attacks.

6 Naman Jain, Admissibility of E-evidence in India: An Overview, SSRN
Publisher, available at
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3816724.
(Visited on April 1, 2023).
7 D. Yadav, M. Mishra and S. Prakash, "Mobile Forensics Challenges and
Admissibility of Electronic Evidences in India," 2013 5th International
Conference and Computational Intelligence and Communication Networks,
Mathura, India, 2013, pp. 237-242, doi: 10.1109/CICN.2013.57.

3. Cryptocurrencies
It is difficult to track cryptocurrencies. As a result,
ransomware attackers are having a good time, but cyber forensic
analysts are having a hard time. Cryptocurrencies were used for
$14 billion in criminal activity in 2021, a 79% increase from
2020 (Chavez-Dreyfuss, 2022).

4. Easy Access to Advanced Hacking Tools


Aspiring hackers can now pay to access these tools. This
accessibility leads more often to cyber crime.

5. Anti-Forensic Technology
Criminals are constantly coming up with new strategies to
cover their tracks. Detecting and investigating cyberattacks can
become more difficult as forensics evolves.

PSYCHOLOGY IN CYBER FORENSICS


Psychology plays an important role in cyber forensics,
especially in the field of digital crime investigation and analysis.
Here are some of the ways psychology can contribute to the field of
cyber forensics.

1. Behavioural Analysis
Cybercriminals often leave a digital footprint that can be
analysed to gain insights into their behaviour, motivations and
personality traits. This information is used to profile suspects,
identify patterns, and predict future behaviour.

2. Human Factors
Cybersecurity incidents often involve human factors such as
social engineering and phishing. Understanding how people
think, act, and make decisions helps investigators identify
vulnerabilities and develop strategies to prevent future attacks.

3. Digital Forensic Interrogation:


Psychologists with specialized training in forensic interview
techniques can assist in interviewing witnesses, victims, and
suspects in cybercrime incidents. They provide more accurate and
reliable information and help us identify potential areas of
discrepancy or deception.

5. Cyberbullying and Online Harassment:


Psychologists help resolve cases of cyberbullying and online
harassment by examining the psychological effects on victims and
the motivations of perpetrators. It also helps develop interventions
to prevent future incidents and promote online safety.8

6. Cybersecurity Training and Awareness:


Psychology can be used to design and implement effective
cybersecurity training programs that consider the cognitive and
behavioural factors that influence human decision making. These
programs help reduce the risk of human error and increase overall
cybersecurity awareness.
Integrating psychology and cyber forensics can provide
valuable insight into the behaviour and motivations of
cybercriminals and help design effective prevention and
intervention strategies.

EMERGING TRENDS IN CYBER FORENSICS


Digital forensics uses scientific techniques to assess the
evidence that has been discovered on one or more digital devices in
order to reconstruct the sequence of events that must have taken
place during the formation of such artefacts. Fundamentally, the
goal of digital forensics is to gather, examine, assess, and ultimately
record the development of these items and events for use as
evidence in court. In a social media enhanced world, advances in
technology go hand in hand with advances in cybercrime, allowing
criminals to infiltrate more complex or well-controlled
environments and cause more damage. New types of threats, attacks,
tools, and techniques are constantly being developed, and much of
this remains untraceable. Because of this, organizations are
constantly being attacked by more and more malware distributions at
an unprecedented rate.
In 2015, British insurer Lloyd's estimated that cyberattacks
against various businesses alone could cost up to US$400 billion
annually.9 According to “KPMG’s cyber-crime Analysis”, 72% of
Indian businesses faced cyber-attacks in the year 2016, in which
about 63% involved economic losses, about 55% theft of sensitive
information, and 49% reputational damage. In 2018, the Centre for
Strategic and International Studies (CSIS), in partnership with
McAfee, published a report showing that approximately $600
billion (almost 1% of global GDP) is lost to cybercrime each
year.10 Cloud computing, social media, internet gaming, virtual
reality, and the Internet of Things are among the newest
technologies in space.11

8 Cyberbullying & Harassment Online: Awareness & Prevention, available at
https://www.edumed.org/resources/preventing-cyberbullying-and-harassment-online/.
(Visited on March 4, 2023).

IoT Forensics
The Internet of Things (IoT) is a new model that is gaining
exponential importance in today's mobile communication scenarios.
At a conceptual level, IoT refers to the interconnection of our
everyday devices, along with process independence, cognition, and
situational awareness. IoT devices primarily include PCs, laptops,
tablets, smartphones, personal digital assistants (PDAs), and other
portable fixed devices.12 People can now share data thanks to the
ongoing rise of IoT devices. These IoT systems can
communicate with one another directly or via internet application
programming interfaces, and they can be controlled by high-tech
computing tools like cloud servers. IoT systems' intelligence and
connectivity have a lot to offer both private and commercial
applications. Nevertheless, emerging IoT technologies are
constantly under attack and in danger. Ransomware attacks, denial
of service (DoS) attacks, interruptions to the Internet of Things
(IoT) network, and mass spying are a few notable concerns.13 14

9 Cyber Crime Costs Projected to Reach $2 Trillion by 2019, available at
https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/.
(Visited on February 22, 2023).
10 J. Lewis, Economic impact of cybercrime no slowing down.
11 Angel Castro, Alexander Perez-Pons, "Virtual Assistant for Forensics
Recovery of IoT Devices", 2021 7th IEEE Intl Conference on Big Data
Security on Cloud (BigDataSecurity), IEEE Intl Conference on High
Performance and Smart Computing, (HPSC) and IEEE Intl Conference on
Intelligent Data and Security (IDS), pp. 186-190, 2021.
12 Q. Zhou and J. Zhang, "Research prospect of Internet of Things
geography", Proceedings of the 19th International Conference on
Geoinformatics, pp. 1-5, 2011.
13 M.M. Hossain, M. Fotouhi and R. Hasan, "Towards an analysis of security
issues challenges and open problems in the internet of things", World
Congress on Services, pp. 21-28, 2015.

IoT forensics, or digital crime scene investigations, are
therefore carried out by well-trained teams to look into these
attacks. IoT-enabled applications are made up of numerous
heterogeneous devices that bind a lot of resources and produce a lot
of data, or "big IoT data."15 According to McDermott, et al., (2018),
large scale of IoT data ingestion significantly increases the
workload that data centres must handle. Alenzi et al. (2019) claim
that the security challenges that pose the least amount of difficulty
for IoT forensics are chain of custody security, the complexity and
diversity of IoT devices, the absence of forensic tools, identity
spoofing, data manipulation, getting unauthorised access control,
and DOS attacks. Additionally, employing conventional
investigation techniques to locate, collect, analyse, and preserve
evidence presents additional difficulties for forensic investigators.

Social Media Forensics


A part of network forensics is social media forensics. Various
social media networks, including Facebook, Twitter, and LinkedIn,
have been subject to attacks and threats in the past. Social
networking websites are subject to both internal and external
attacks. Attacks like data retrieval via cookies happen inside the
network, but DDoS and DoS attacks happen outside the system.
These websites are not protected or defended against many types of
cyber-attacks.
In a criminal investigation system, social media posts can be a
great resource for investigators if used appropriately. Properly
identified evidence from social media can also help determine guilt
or innocence. However, in order to benefit from data stored on
social media platforms, investigators must deal with imposing
resource, technological, and legal difficulties. First, there are
technical difficulties: artefacts could be far too complicated to
transform into information that can be understood. Second, legal
considerations encompass concerns about the collection of data and
the admissibility of evidence. Evidence collection on public
platforms is also restricted, as the personal rights of defendants
are protected. Finally, the use of social networks in investigations
creates an enormous amount of investigative work for digital
forensics professionals.

14 M.A. Khan and K. Salah, "Iot security: Review blockchain solutions and
open challenges", Future Gener. Comput. Syst., vol. 82, pp. 395-411, 2018.
15 Z.A. Baig, P. Szewczyk, C. Valli, P. Rabadia, P. Hannay, M. Chernyshev,
M. Johnstone, P. Kerai, A. Ibrahim, K. Sansurooah et al., "Future
challenges for smart cities: Cyber-security and digital forensics",
Digital Investigation, vol. 22, pp. 3-13, 2017.

Cloud Forensics
In recent years, cloud computing has grown in popularity and
is now utilised to support many facets of daily life. The majority of
firms and organisations constantly move their products to the cloud,
and many people are interested in this innovation. Changing to a
cloud infrastructure has a number of advantages, such as lower
costs for IT, scalability, automatic update access, and business
continuity. The key benefit of cloud computing, according to
EurActiv (2011), is dramatically reduced IT expenditure. As a
result, cloud computing will continue to be widely adopted by both
private businesses and governments.16 Major telecom companies
operate data centres in numerous countries where they provide
cloud services in order to guarantee service availability and cost-
effectiveness. To guarantee adequate security, these several data
centres duplicate the information kept in a specific data centre.

LEGAL PROVISIONS
Modern technology appears to be upending traditional
approaches of acquiring and producing evidence. Digital evidence
gathering and preservation are inherently difficult because of the
intangible nature of digital evidence and the Internet's brittleness.
Domestic cybercrime has surely increased as a result of the absence
of appropriate technological and legal competence as well as the
inability to gather such evidence. Although there are many
cybercrime cases registered under the Cybercrime Section of the IT
Act and the Penal Code of India, there are still a significant number
of cybercrimes that go unreported. This makes cyber forensics even
more important in India today.
Cyber forensics is occasionally used in the strictest legal
terminology to refer to the employment of suitable forensic
instruments and the technical know-how to gather electronic
evidence that can be used in court within the parameters of the
Rules of Evidence. By tracing digital footprints through the storage,
extraction, interpretation, and documentation of digital evidence, the
obtained electronic evidence must adhere to criminal attribution
requirements. There are some areas where it overlaps. Database
forensics, wireless forensics, network forensics, hard drive
forensics, media forensics, IP address tracking, cloud computing,
email tracking, and more techniques are available. Data is
recovered, temporary and hidden file contents are revealed,
protected or encrypted file contents are accessed, pertinent data is
analysed, and statements are provided based on the examination of
the provided evidence.

16 "EurActiv (2011) Cloud computing: A legal maze for Europe", EurActiv.

The intersection of two paradigms—the law of evidence and
the law of information technology—has brought the legal system up
to speed with the issues posed by contemporary cybercrime. Section
3 of the Evidence Act of 1872 changed the way that the term
"evidence" was defined to encompass electronic evidence. Parallel
to this, Section 4 of the Information Technology (Amendment) Act
2008 expressly establishes the legal possibility of processing
electronic documents "in writing" after receipt. They serve as a
symbol for the initial acceptance of digital evidence in legal
processes.
Additionally, electronic evidence is defined as evidence that is
stored or communicated in electronic form, including computer
evidence, digital audio, digital video, mobile phones, and digital fax
machines, according to section 79A of the IT (Amendment) Act
2008. The Evidence Act of 1872's Section 65-B lays out a number
of requirements for the admissibility of electronic records.17
Since digital evidence is designed to be gathered and kept in a
certain manner, the compatibility of media for collecting crime
scene media information is another crucial factor. Certain
computerised versions of original electronic records are now
admissible as evidence in computer printouts, diskettes, and
compact discs after the cumulative reading of Section 3 and Section
65-B of The Evidence Act, 1872. We can infer that it is now
acknowledged.
Another key issue in cybercrime investigations regarding the
reliability of digital evidence was resolved by Section 79A of the IT
(Amendment) Act 2008, electronic evidence. This agency plays an
important role in providing expert opinion on electronic evidence.18
Under the IT Act, the Government of India has established the
Indian Computer Emergency Response Team (CERT-In) to
facilitate detection, prevention and response to cyber-attacks.
CERT-In is responsible for coordinating the activities of various
organizations involved in cybersecurity and promotes the
development of standards and guidelines for cybersecurity practices.

17 Section 79A of Income Tax Act for AY 2023-24, available at
https://www.aubsp.com/section-79a-income-tax-act/. (Visited January 6, 2023).

CHALLENGES OF INDIAN CYBERCRIME


Indian Law enforcement faces several challenges when
investigating and prosecuting cyber-crimes. These challenges
include:
• Lack of Cyber Forensic Expertise: One of the biggest
challenges facing Indian law enforcement is the lack of cyber
forensic expertise. Forensic cyber analysis is a critical aspect
of investigating cyber-crimes, and it requires specialized skills
and knowledge that many Indian law enforcement officers
lack.
• Limited Resources: Another challenge facing law
enforcement agencies is the limited resources needed to
investigate and prosecute cyber-crimes. Cyber-crimes can be
complex and tracking and identifying perpetrators requires
sophisticated tools and technology which can be costly and
time consuming.
• Rapidly Evolving Nature of Cyber Crimes: Cyber criminals
are constantly developing new techniques and methods to
evade detection, and law enforcement agencies in India need
to stay up-to-date with the latest trends and technologies to
keep pace with these developments.
• Jurisdictional Awareness: Many Indians are unaware of the
dangers posed by cybercrimes, which can make it challenging
for law enforcement to look into and prosecute these crimes.
People need to be aware of the danger and take precautions to
keep themselves safe online.
• Inadequate Infrastructure: The infrastructure for cyber forensics
in India is inadequate, and this poses a significant challenge to
law enforcement agencies. The lack of modern equipment,
software, and tools makes it difficult to carry out effective cyber
forensic investigations.
• Complexity of Cyber-crimes: Cybercrimes are often complex
and require specialized knowledge to investigate and
prosecute. Cybercriminals are always coming up with new
techniques and tools to avoid detection, making it challenging
for law enforcement organisations to keep up.
• Jurisdictional Issues: In India, cybercrime laws fall under the
purview of both state and central governments, which can
create jurisdictional issues. This can lead to delays in
investigations and the prosecution of offenders.
• Lack of awareness: There is a lack of awareness among the
general public, law enforcement agencies, and the judiciary
about the nature and severity of cybercrimes. This can result
in a lack of cooperation and coordination in investigating and
prosecuting cybercriminals.
• Delayed Response: Cybercrime investigations and
prosecutions can be time consuming, and delays in the
process can lead to the destruction of critical digital evidence.
The delay in obtaining a court order to access digital data can
also result in the loss of important evidence.

18 T. Vikram, “Cyber Crimes- A Study with a Case”, July-September 2002,
Indian Police Journal 78.
CONCLUSION
Overall, addressing these challenges will require significant
investment in training and resources for law enforcement agencies,
as well as increased public awareness about the risks associated
with cyber-crimes. It is essential to establish clear guidelines and
standard operating procedures for cybercrime investigations to
ensure effective and efficient prosecutions.


CHAPTER 19

CYBER FRAUD: A REAL THREAT IN 21ST CENTURY


Adv. Manish Kumar 1, Deeksha 2

“The world has shrunk in many ways thanks to the internet, but it
has also given us access to a plethora of evil forces that are more
diverse and intricate than ever before. The world of hacking has
developed more rapidly than cybersecurity solutions. The practice
of preventing malicious attackers from gaining unauthorized access
to computers, servers, mobile devices, electronic systems, networks,
and corporate data is known as cybersecurity. Cybersecurity
today is a complex and rapidly evolving field that requires
constant vigilance and adaptation to new threats. It is
essential for individuals, organizations and governments to stay
informed about the latest cybersecurity trends and to take
proactive measures to safeguard against cyberattacks”.

INTRODUCTION

Cyber attackers possess a unique set of abilities and tools. We
should do everything within our power to find data security
threats and weaknesses through technology as well as
through human behaviour. Attackers use this information to plan
attacks that will cause an expected $6 trillion in damage in 2021. In
contrast to the business world, which guards intellectual property
(IP), hackers are happy to share their methods and tools with other
cybercriminals. As a result, novice hackers can easily locate free
online tools to plan an online cyberattack. With the development of
new technologies on a daily basis, the landscape of cyber security is
ever-evolving, providing opportunities for hackers who are always
looking for new ways to exploit individuals and businesses.

1 Advocate, High Court, Delhi (India)
2 B.A. LL.B (H), 4th Year, Amity Law School, Amity University, Noida, (India)

CYBER FRAUD VIS-A-VIS CYBER SECURITY


Cybersecurity is of critical importance in today's
digital age3 as our reliance on technology continues to grow.
The term "cybersecurity" refers to the measures taken to
safeguard computer systems, networks, and sensitive data
from unauthorized access, use, disclosure, disruption, modification, or
destruction. With the rising amount of personal and sensitive information
stored in digital form, it is essential to ensure that this
information is protected from theft, misuse, or unauthorized access. A
security breach can cause significant damage to an organization's reputation,
financial stability, and ability to operate. Cybersecurity
breaches can result in significant financial losses for both
individuals and organizations. These losses can come as stolen
funds, identity theft, ransom payments or other
costs associated with repairing the damage caused by a
cyberattack. Cybersecurity is also important for
national security because cyberattacks can be used to disrupt critical
infrastructure, steal sensitive information, or carry out acts of cyber
espionage.
Cybersecurity is essential to ensure the safety
and security of individuals, organizations, and governments.
As technology continues to advance and our dependence on it
grows, the need for effective cybersecurity measures
will only become more important.
Cybersecurity today is more important than ever
as the world becomes increasingly dependent
on technology. With the rapid growth of the internet, cloud
computing, and mobile devices, cybersecurity threats have also
become more sophisticated and complex. The following are a few
trends that are shaping the current cybersecurity landscape.4

Ransomware Attacks
Ransomware is a type of malware that encrypts a victim's
files and demands payment in return for the decryption
key. Ransomware attacks have become increasingly common, with
high-profile attacks on businesses and government agencies
making headlines.

3 Why Cyber security is Important for a Modern-day Society, available at https://enhalo.co/must-know-cyber/why-cybersecurity-important-for-modern-day-society/. (Visited on February 23, 2023).
4 Top Cybersecurity Threats in 2023, available at https://onlinedegreessandiego.edu/top-cyber-security-threats/. (Visited on March 7, 2023).

Cloud Security
As more organizations move their data and
applications to the cloud, the need for strong cloud security
measures has become essential. Cloud security involves
protecting data, applications, and infrastructure in the cloud
from cyber threats.

Internet of Things (IoT) Security

IoT refers to the network of physical devices, vehicles,
appliances, and other objects that are embedded with sensors,
software, and network connectivity. The growing number of
IoT devices has created new security risks, as these devices can be
vulnerable to cyberattacks.

Artificial Intelligence (AI) and Machine Learning (ML)

AI and ML technologies have the potential to
transform cybersecurity by detecting and
mitigating threats in real time. However, cybercriminals are
also using these technologies to create more sophisticated attacks.

Regulatory Compliance
Governments around the world are introducing new cybersecurity
regulations to ensure that organizations are taking
adequate measures to protect sensitive data. Compliance
with these regulations is becoming increasingly important
for organizations to avoid legal and financial
penalties.
Cybersecurity5 today is a complex and rapidly evolving
field that requires constant vigilance and adaptation to new
threats. It is essential for individuals, organizations, and governments to
stay informed about the latest cybersecurity trends and
to take proactive measures to safeguard against cyberattacks.

5 How to Protect Your Digital Privacy, available at https://www.nytimes.com/guides/privacy-project/how-to-protect-your-digital-privacy. (Visited on September 4, 2022)

THREAT OF CYBER SURVEILLANCE ON PRIVACY


Cyber-surveillance6, also known as cyber monitoring, refers to
the monitoring of online activities, communications, and behaviour
of individuals, groups, or organizations in the digital world. It
involves the collection, analysis, and interpretation of data
generated by online activity such as web browsing, social media
usage, emails, messaging, and other online interactions.7
Cyber-surveillance can be conducted by governments, law
enforcement agencies, private companies, or individuals. The
primary goal of cyber-surveillance is to gather information for a
variety of purposes, including:
• Cyber-surveillance can be used to monitor potential threats to
national security, public safety, or corporate security.
• Law enforcement agencies can use cyber surveillance to
investigate criminal activities such as cybercrime, terrorism,
and organized crime.
• Private companies can use cyber surveillance to monitor
consumer behaviour, preferences, and trends to tailor their
marketing and advertising strategies.
• Employers can use cyber surveillance to monitor employee
activities, including emails, internet usage, and other online
behaviour, to ensure productivity and prevent potential misuse
of company resources.
However, cyber surveillance can raise concerns about privacy,
civil liberties, and human rights. There are ongoing debates about
the appropriate use of cyber-surveillance, including issues such as
legal frameworks, oversight, transparency, and accountability.

CYBER-SURVEILLANCE: A CRITICAL ASPECT


From our government to the world's biggest corporations, to
you as an individual, cybersecurity plays a critical role. Why
is cybersecurity so important? It
safeguards organizations and individuals alike from malicious
intrusion by hackers, malware, spyware, and other
dangerous methods of hacking.8

6 Importance of Cyber Security: Need and Benefits, available at https://www.knowledgehut.com/blog/security/importance-of-cyber-security. (Visited on February 7, 2023).
7 Edward Snowden, “Permanent Record”, by Metropolitan Books, ISBN 9781250237231 (ISBN-10: 1250237238), September 17, 2019.

The role of cybersecurity will almost certainly grow
in the future as we continue to use new technologies for the storage
and processing of sensitive data, and there is no better time than right
now to ensure that both you and your business are secure from
new and emerging threats.
The importance of cybersecurity comes down to the need
and requirement to keep information, data, and devices secure. In
this day and age, people store vast quantities of data
on computers, servers and other connected devices. Much of this is
sensitive, such as Personally Identifiable Information (PII), including passwords
or financial data, and then there is intellectual property
(IP).
If a cybercriminal were to gain access to this data,
they could cause havoc. They can share sensitive information, use passwords to
steal funds, or even change data so that it benefits
them, the attacker. Organizations need to have security
solutions that enable them to be compliant.
In the case of public services or governmental
organizations, cybersecurity ensures that the community can
continue to rely on their services. For instance, if a
cyberattack targeted the energy industry, a power plant for example, it
could cause a widespread blackout. If it
targeted a bank, it could steal from a huge number of people.

AI: A BANE TO HUMAN RIGHTS

The development and use of artificial intelligence (AI)
technologies raise important human rights concerns, particularly in
areas such as privacy, non-discrimination, and freedom of
expression.9 AI systems collect, analyse, and use vast amounts of personal
data, which can raise serious privacy concerns. There is a risk that
AI systems could be used to conduct mass surveillance or to create
profiles of individuals based on their personal data without their
consent. Further, AI can also reinforce and perpetuate existing biases
and discrimination, particularly in areas such as employment,
housing, and credit. This can lead to unfair treatment and exclusion
of certain groups, such as racial minorities or people with
disabilities. It can limit freedom of expression, particularly on social
media platforms and especially in authoritarian regimes. AI
technologies are increasingly being used in the criminal justice
system, but there are concerns that they may reinforce existing
biases and lead to wrongful convictions. There is also a risk that AI
technologies could be used to conduct extrajudicial surveillance or
to target political dissidents. There have been several incidents
where the use of artificial intelligence (AI) has had negative impacts
on human rights.10

8 “What is Cybersecurity and Why is it Important?”- Understanding cybersecurity and cyberattacks, available at https://www.onelogin.com/learn/what-is-cyber-security. (Visited on January 9, 2023).
9 Beginning of Artificial Intelligence, End of Human Rights, available at https://blogs.lse.ac.uk/humanrights/2020/07/16/beginning-of-artificial-intelligence-end-of-human-rights/. (Visited on November 27, 2022)

In 2018, hackers used the source code of Monero to
infect a huge number of websites. Monero is a popular
cryptocurrency that mines virtual digital coins. A
well-known software tool for the visually impaired, Browsealoud,
had the malicious code installed, which affected
government sites, including the US court system, the UK
National Health Service, and the Queensland government.
In 2013, a DDoS attack hit several Dutch government websites,
which affected the Netherlands' DigiD system. This system
allows citizens to access municipal services using
digital ID. Through this attack, 10 million people were
prevented from paying bills and taxes online. It
also affected major financial institutions like ING and
ABN Amro. It likewise affected KLM, the national airline.
Law enforcement agencies use AI for facial recognition to
identify and track individuals, but there are concerns that it could be
used for mass surveillance and violate individuals' right to privacy.
In addition, studies have shown that facial recognition technology
can be biased against certain groups, particularly people of colour,
leading to false identifications and potential harm. Indeed,
AI algorithms and face-recognition
systems have repeatedly failed to ensure a basic
standard of equality, particularly by showing discriminatory tendencies
towards people of colour. In 2015, Google Photos, which
is considered advanced recognition software, classified
a photograph of two people of colour as an image of gorillas.
When keywords such as 'People of colour'
were entered into the Google search bar, the algorithm showed
sexually explicit material in response. Researchers have also
found that an algorithm that identifies which patients need additional
medical care underestimated the medical needs of
Black patients. Facial-recognition technology is now being
adopted in the law enforcement systems of various states,
including Hong Kong, China, Denmark and India, to identify
suspects for predictive policing. Critics have pointed out that,
rather than mitigating and controlling police work, such
algorithms instead reinforce pre-existing discriminatory policing. The
unevaluated bias of these tools has put people of
colour at greater risk of being seen as high-risk offenders,
thereby further entrenching racist tendencies in the justice and
prison systems. Such racial discrimination inherent in artificial
intelligence undermines its transformative implementation in society and
violates equal treatment and the right to protection.

10 Global Information Society Watch (GISWatch) is a collaborative community committed to building an open, inclusive and sustainable information society, available at https://giswatch.org/node/6205. (Visited on December 9, 2022).

The right to work and protection against unemployment is
guaranteed under Article 23 of UDHR, Article 6 of ICESCR, and
Article 1(2) of the ILO. Although the rapid growth of
AI has transformed existing businesses and personal
lives by improving the efficiency of machinery and
services, such change has also given rise to an era of
unemployment due to the displacement of human labour.
In 2017, Changying Precision Technology, a Chinese
factory producing mobile phones, replaced 90% of its
human workforce with machines, which led to a 250%
increase in its productivity and a significant 8% drop in defects.
Similarly, Adidas has moved towards 'robot-only'
factories to improve efficiency. Consequently, business
growth no longer depends on a human workforce; in fact,
human labour may negatively affect productivity. Until
now, technology has significantly affected low- and middle-skilled
workers, with decreasing job opportunities and falling
wages, leading to the rise of job polarization. However,
as technology continues to advance, many jobs that we would
today consider protected from automation will eventually be
replaced by AI.
To address these human rights concerns, it is important to
ensure that AI technologies are developed and used in a way that is
consistent with human rights principles. This includes ensuring that
AI systems are transparent, accountable, and subject to appropriate
oversight mechanisms. It also requires promoting diversity and
inclusivity in the development and deployment of AI technologies
to ensure that they do not reinforce existing biases and
discrimination.

CYBER SECURITY VS. CYBER SURVEILLANCE


Cybersecurity and cyber surveillance are two related but
distinct concepts in the field of information technology and security.
Cyber security11 refers to the measures and practices taken to protect
computer systems, networks, and digital information from
unauthorized access, theft, and damage. This includes implementing
firewalls, encryption, and other security protocols, as well as
educating users about safe browsing and email practices. The goal
of cybersecurity is to ensure the confidentiality, integrity, and
availability of digital assets and information. On the other hand,
cyber surveillance refers to the use of digital technology to monitor
and track individuals' activities online, often without their
knowledge or consent. This can include the collection of personal
data, the tracking of browsing history, and the monitoring of
communications. The goal of cyber surveillance is often to gather
intelligence or to identify potential threats to national security.
Cyber security and cyber surveillance are related, as both
involve the use of digital technology to protect or monitor
information. However, they have different goals and implications for privacy
and civil liberties. Cybersecurity is focused on protecting
information and systems from unauthorized access and damage,
while cyber surveillance is focused on gathering information about
individuals or groups. Cyber surveillance can raise concerns about
privacy, civil liberties, and government overreach, while
cybersecurity is generally seen as a necessary aspect of protecting
sensitive information in the digital age.

11 Why Cybersecurity is Important for a Modern-day Society, available at https://enhalo.co/must-know-cyber/why-cybersecurity-important-for-modern-day-society/. (Visited on December 5, 2022).

So, cybersecurity and cyber surveillance are two distinct
concepts that play important roles in the field of information
technology and security. While both are related to the use of digital
technology to protect or monitor information, they have different
goals and implications for privacy and civil liberties. It is important
for individuals and organizations to understand these differences
and to implement appropriate measures to protect their digital assets
and information while respecting privacy and civil liberties.

CYBER SURVEILLANCE: THE GLOBAL PHENOMENON


Cyber surveillance12 is a global issue that affects individuals
and organizations around the world. While the extent and nature of
surveillance activities can vary depending on the country and the
specific context, there are a number of trends and developments that
are worth noting. One of the most significant developments in
recent years has been the increased use of surveillance technologies
by governments and law enforcement agencies. This has been
driven in part by concerns about terrorism and other national
security threats, as well as by the increasing availability and
sophistication of digital technologies. Many governments have
established surveillance programs and laws that allow them to
monitor and intercept digital communications, track online activity,
and collect personal data.
Another trend in cyber surveillance has been the growing
involvement of private companies in the collection and analysis of
personal data. Social media platforms, search engines, and other
online services routinely collect vast amounts of data about their
users, which can be used for targeted advertising, market research,
and other purposes. This has raised concerns about the use of
personal data for commercial purposes, as well as the potential for
such data to be accessed by governments or other actors for
surveillance purposes.

12 Cybersecurity And Cyber Laws Around The World And India: Major Thrust Highlighting Jharkhand For Concerns, available at https://thelawbrigade.com/general-research/cybersecurity-and-cyber-laws-around-the-world-and-india-major-thrust-highlighting-jharkhand-for-concerns/. (Visited on March 7, 2023).

In addition to these trends, there are also a number of specific
examples of cyber surveillance activities around the world. For
example, the National Security Agency (NSA) in the United States
has been implicated in a number of high-profile surveillance
programs, including the collection of phone records and the
monitoring of online activity. China has also been accused of
extensive cyber surveillance and censorship, particularly with
regard to political dissidents and minority groups. In the Middle
East, countries such as Saudi Arabia and Iran have been criticized
for their use of surveillance technologies to monitor and suppress
political opposition. Cyber surveillance is a complex and evolving
issue that raises important questions about privacy, security, and
human rights. While there is no easy solution to these challenges, it
is clear that greater transparency, accountability, and oversight are
needed to ensure that surveillance activities are consistent with
international law and human rights norms.
The United Nations (UN) has taken a strong stance on the
issue of cyber surveillance, particularly with regard to its impact on
human rights and civil liberties.
In 2013, the UN General Assembly adopted a resolution on
the right to privacy in the digital age, which recognized the
importance of protecting privacy and personal data in the context of
rapidly evolving digital technologies. The resolution emphasized the
need for governments and other actors to ensure that their
surveillance activities are consistent with international human rights
law and principles. In addition, the UN Human Rights Council has
established a Special Rapporteur on the right to privacy, whose
mandate includes monitoring and reporting on the impact of
surveillance technologies on privacy and human rights. The Special
Rapporteur has issued a number of reports and recommendations on
this issue, highlighting the importance of ensuring that surveillance
activities are necessary, proportionate, and subject to appropriate
safeguards and oversight. The UN has also been involved in efforts
to develop international norms and standards for cyber security and
cyber surveillance. In 2015, the UN Group of Governmental Experts
on Developments in the Field of Information and
Telecommunications in the Context of International Security (UN
GGE) released a report on cyber security, which included
recommendations on issues such as the use of cyber surveillance
and the protection of critical infrastructure. The report emphasized
the importance of respecting international law and human rights
norms in all aspects of cyber security, including surveillance
activities.
Overall, the UN has been actively engaged in efforts to
address the challenges posed by cyber surveillance, particularly with
regard to its impact on human rights and civil liberties. Through its
various bodies and initiatives, the UN has sought to promote a
balanced approach to cyber security and surveillance that respects
individual rights and freedoms while also ensuring the security and
stability of cyberspace.
Personal data is particularly important in the age of AI
because AI algorithms require vast amounts of data in order to learn
and make accurate predictions or decisions. AI systems are designed
to recognize patterns and make connections between seemingly
unrelated data points, and this process is most effective when there
is a large and diverse dataset to draw from. Personal data is
particularly valuable to AI systems because it often includes
information about individuals' preferences, behaviours, and
interactions with other people and systems. This data can be used to
train AI algorithms to make predictions about future behaviours or
preferences, which can be used for a variety of purposes, such as
targeted advertising, personalized recommendations, or fraud
detection. However, the collection and use of personal data by AI
systems also raises significant privacy concerns. Personal data is
often sensitive and private, and individuals may be uncomfortable
with the idea of their data being used for commercial or other
purposes without their explicit consent. In addition, there is always
a risk of data breaches or other security incidents, which can lead to
the exposure of personal data and other sensitive information.
To address these concerns, it is important to have robust data
protection laws and regulations in place, as well as clear guidelines
for the collection and use of personal data by AI systems. This can
help to ensure that individuals' privacy rights are respected and that
personal data is used in a responsible and transparent manner.
The question arises: what can be done to make data
protection laws more robust?
There are several key steps that can be taken to strengthen
data protection laws and ensure that individuals' privacy rights are
respected in the age of AI:
• Governments can define clear data protection standards that
outline what constitutes personal data, how it can be collected,
stored, and used, and under what circumstances it can be
shared with third parties. These standards can be incorporated
into national laws and regulations and enforced through
penalties and other measures.
• Governments can establish strong enforcement mechanisms to
ensure that data protection laws are effectively enforced and
that organizations that violate these laws are held accountable.
This can include the creation of independent regulatory
bodies, such as data protection authorities, and the provision
of resources and tools to investigate and prosecute data
protection violations.
• Organizations that collect and use personal data should be
required to provide clear and concise information about their
data collection practices and to obtain explicit consent from
individuals before collecting or using their data. They should
also be required to provide individuals with access to their
personal data and to allow them to request corrections or
deletions of this data.
• As data protection is a global issue, it is important to promote
international cooperation and coordination in the development
and enforcement of data protection laws and regulations. This
can include the creation of international data protection
standards and the establishment of mechanisms for cross-
border data transfers and enforcement.
• Governments and other stakeholders should invest in research
and development to explore new approaches and technologies
for protecting personal data and ensuring privacy in the age of
AI. This can include the development of new encryption
methods, the use of decentralized data storage systems, and
the exploration of emerging technologies such as
homomorphic encryption and differential privacy.
By taking these steps, governments and other stakeholders can
help to create a more robust and effective data protection framework
that protects individuals' privacy rights and supports responsible and
ethical AI development and use. This matters because your personal data is at risk,
and you never know how and when your data may be leaked. One of the
best examples can be taken from our day-to-day life, when we use
search engines on our phones and computers. Search engines can
leak personal data in several ways. For example, they may retain
information about users' search queries, which can include personal
information such as names, addresses, and other identifying
information. If this information is not properly protected, it can be
vulnerable to data breaches or other security incidents. This data can
be used to build detailed profiles of users, which can be sold to
advertisers or other third parties. Some search engines may use
geolocation data to track users' location, which can be used to deliver
more targeted advertising or other content. This data can also be
used to identify users' physical locations, which can be a privacy
concern if this information is shared or sold without the user's
consent. This can result in the user's personal information being sold
or used for purposes that they did not intend or consent to. To
address these concerns, users can take steps to protect their personal
data, such as using privacy-focused search engines that do not track
user behaviour or using privacy tools such as virtual private
networks (VPNs) and browser extensions that block tracking scripts.
In addition, governments can enact laws and regulations that protect
users' privacy and require companies to obtain explicit consent
before collecting or using personal data. Finally, companies that
operate search engines can take steps to enhance the security and
privacy of their systems, such as implementing encryption and data
protection measures, and being transparent about their data
collection practices.

VPN: BYPASSING THE LEGAL PATH


Virtual Private Networks (VPNs)13 have become increasingly
important in today's digital age due to the growing concerns
surrounding online privacy and security. VPNs provide users with a
secure and private connection to the internet, allowing them to protect
their personal data, access information freely, and communicate
anonymously. VPNs are designed to provide privacy and security to
internet users, protecting them from cyber threats, hacking attempts,
and other online attacks. By encrypting internet traffic and masking
IP addresses, VPNs make it difficult for hackers, government
agencies, and other third parties to monitor online activity. VPNs are
increasingly popular among individuals, businesses, and
organizations that prioritize privacy and security. In addition to
providing privacy and security, VPNs also enable users to access
information and online services that may be restricted or censored in
certain countries or regions. VPNs can be used on a variety of
devices, including desktop and laptop computers, smartphones, and
tablets. They can be accessed through VPN software or apps, or
through a browser extension.
Overall, VPNs are an important tool for
anyone who wants to protect their online privacy and security. A VPN can
help protect our privacy by encrypting our internet traffic and
preventing our internet service provider (ISP), government, or any
other third party from monitoring our online activity. This helps
ensure that our online behaviour, including our personal information
and communication, remains private. Moreover, by connecting to a VPN
server located in a different country, we can bypass such regional restrictions
and access the information freely, which is important for the
protection of free speech and the right to information. A VPN also protects us
from cyber-attacks, which can compromise our personal data and
violate our human rights. By encrypting our online traffic and
masking our IP address, VPNs can prevent hackers and other
malicious actors from intercepting our data and accessing our
personal information. By enabling anonymous communication, a VPN
protects our freedom of speech and protects individuals who may be
vulnerable to persecution or discrimination for their beliefs or
opinions. It is important to note, however, that not all VPNs are
created equal and some may have their own privacy concerns or
vulnerabilities. It is important to choose a reputable VPN provider
that has a strong privacy policy and security measures in place to
ensure that our human rights are protected.

13 How Does A VPN Work? Forbes, available at https://www.forbes.com/sites/tjmccue/2019/06/20/how-does-a-vpn-work/?sh=d7fa01470cd8. (Visited on January 14, 2023).

CONCLUSION
Artificial intelligence (AI) has the potential to revolutionize
many aspects of our lives, from healthcare to transportation to
entertainment. However, as with any new technology, there are also
concerns and dilemmas that must be addressed as AI continues to
develop and become more integrated into our lives. One of the main
dilemmas surrounding AI is the potential impact it could have on the
job market. As AI becomes more advanced, it may be able to replace
human workers in many industries, which could lead to widespread
unemployment and economic instability. This could create a difficult
balancing act between the potential benefits of AI and the need to
ensure that it does not cause harm to individuals and society as a
whole. Another dilemma surrounding AI is the ethical implications
of its use. There are concerns
that AI could be used to create autonomous weapons or to carry out
surveillance or other activities that infringe upon human rights.
Additionally, there are concerns about the potential for AI to be
biased or to perpetuate existing inequalities in society. There is also
the question of who will be responsible for ensuring that AI is
developed and used in an ethical and responsible manner. While AI
developers have a responsibility to ensure that their systems do not
cause harm, there may also be a need for government regulation and
oversight to ensure that AI is used for the benefit of society as a
whole.
Overall, while AI has the potential to bring about many
positive changes, there are also concerns and dilemmas that must be
addressed as it continues to develop. It is important that we work to
develop AI in a responsible and ethical manner, with a focus on
ensuring that it benefits everyone and does not pose a threat to our
future. This requires collaboration between policymakers, AI
developers, and society as a whole, as we navigate the challenges
and opportunities that lie ahead.


ANECDOTES OF CYBER CRIME IN EVERYDAY LIFE

Internet crime stories are a dime a dozen, but these examples
will show you why online security is essential. From credit card
fraud to financial fraud and creating a fake website to woo
investors, these true stories depict how one must act to secure
his/her well-being in the digital space. We carefully compiled these
fascinating real-life cyber crime stories, which highlight the risks
involved in any online activity.

STORY NO. 1
One day, a girl named Anushka, who lived in Lajpat Nagar,
Noida (India), received a mail from her credit card company
informing her that somebody had tried to obtain a credit card using
her name, address and other credentials. Before telling the police,
Anushka decided to assess the damage and look over her credit card
reports.
The impersonator had gotten so deep into the system that she
managed to answer all the questions put by the system before
login. Eventually, when Anushka somehow logged in herself, she
witnessed the extent of the damage caused. The impersonator had
created more than 50 accounts in her name and got credit for utilities
such as heat, cable, electricity and even a newspaper subscription.
Payments were made all over the world in different accounts, and
Anushka had zero knowledge about it.
What’s more, the companies went after the girl in order to get
their money back. After notifying the police and tracking down the
impersonator, Anushka got a court order passed against the
impersonator and managed to retrieve her credit card with the help
of cyber experts; she was also able to delete the trail of fake
information created by the perpetrator. The whole ordeal left her
both physically and mentally exhausted. While Anushka was
fortunate enough to secure the information back and was able to
delete the fake information, few are lucky enough to get justice.
This story should act as a reminder to always safeguard one’s
personal information.


STORY NO. 2
A man named Alok Singh Chauhan, residing in the Hazratganj
area of Lucknow (India), was shopping at an Allen Solly
showroom. He purchased clothes worth seven thousand and received
the bill. An employee of the showroom requested Alok to fill in the
feedback form that he would receive on his phone through short
message service (SMS). Alok ignored the message and went home.
Later he received a phone call from a person who said they were
calling from the Allen Solly showroom and requested him to fill in
the feedback form. Alok, irritated by these constant reminders, filled
in the feedback form. As soon as he filled in his details, he received
a One Time Password (OTP). The person called Alok to confirm the
OTP, which Alok did.
Later Alok found out that his account had been debited by three
lakh rupees. He was shocked and could not understand the situation;
later he realised that the amount was debited from the same account
through which he had made the payment at the showroom. He
immediately filed a complaint with the cyber wing of his nearest
police station, and the police were able to track the culprits, as one
of them was employed at the Allen Solly showroom.
Alok was lucky to have received his money back, as he did not
waste time and informed the police immediately. Cyber-crimes have
become some of the easiest crimes to commit and are difficult to
track, as the culprit does not need to be physically present to commit
them; a crime is just a call or click away. Therefore, in such
situations it is of paramount importance that victims immediately
inform the agencies so that further damage can be prevented.

STORY NO. 3
A small company in a small town, with people who are easy to
fool: the nearly perfect premise for a heist, even better if technology
is involved in the scenario. A housing company named Speak Asia
made a room in a corporate building its office and had 5 members
working there in a proper office space. They asked people to invest
in their venture with an initial payment of 50,000 or 1 lakh, or even
20,000 for those who just wouldn't budge on a higher amount. There
was an office, an app, a website, just about enough for people to
believe in the legitimacy of the company. The amount was to be paid
through the application, after which the receipt was received through
the official mail id provided. Because several people were involved
with the company and were also investing in the venture, it gained
popularity in a short while, which in turn influenced others to invest
in the venture as well. This was the perpetrators’ main goal: engaging
people to invest in their bogus project. It is also a major reason why
the company contacted major businesses in the city, to garner
influence that would make for an interesting portfolio.
After around four to five months, some 100-odd people had
invested their money. But after a year, when there were no visible
signs of construction work, people became curious and began making
enquiries. There was no sign of the agents and no contact could be
established, which led the investors to become suspicious. After some
time, people complained to the authorities, and they were surprised to
learn that the company was nowhere to be found. The people were
shocked to know that the company was gone and so was their money.
It was a classic fraud. The people did find respite in the courts, but
their money was nowhere to be found. Even after so many years,
there has been no solution for the people, and no clue as to how they
can get back their hard-earned money.
These stories demonstrate how these cyber criminals live
amongst us while no one is able to point to the nefarious
activities they engage in. All these stories reinforce the point that it is
very important for the general population to be aware of the
immediate steps that need to be taken as soon as one is aware
that he/she is a victim of cyber fraud. These frauds/crimes not only
lead to losses for the victim but also breach the
fundamental rights guaranteed to every citizen by the Constitution,
as they breach a person’s privacy and liberty in the virtual space.
These stories also depict how the law enforcement
agencies were proactive in responding to the crimes; the
investigations led to tracking down and eventually punishing the
accused, thus ensuring justice for the victim. It is therefore also
important that governments pay more attention to the
infrastructure needed to tackle cyber crimes. As
these crimes/frauds become more sophisticated in nature with each
passing day, it is the responsibility of governments all around
the world to make laws, or amend the present laws, to address
these contemporary issues.

It is also very important that people are made more aware
of how to prevent these crimes and, if one unfortunately falls into the
trap of these criminals, of what further steps he/she needs to take
to safeguard his/her interests.


PRACTICAL APPROACHES TO TACKLING CYBER-CRIME

Crime related to cyberspace is rising daily along with
internet usage and technical improvement. The number of cases
solved is quite small compared to the number of cases.
There are a number of legal solutions available to victims, who
can also approach the courts to guarantee their
fundamental and legal rights. The Information Technology Act, 2000,
which was amended in 2008 and is popularly referred to as the Cyber
Law, was enacted to safeguard victims and punish the violators who
commit such crimes.
The Act includes penalties and compensation for offences
involving the virtual space. When someone is the victim of a
cybercrime, he or she has the option of going to court to file a
lawsuit against the offender. Some other important sections are
discussed below.
Under section 43A of the Information Technology Act, 2000,
the victim can appeal in a court of law asking for compensation
for the crime. This section guarantees penalties and
compensation for offences like “damaging the
computer, the whole system or even network etc.” If any organization
dealing with sensitive data, its own or others’,
compromises any such data or information, the organisation will
be prosecuted under the provision and will pay an amount
determined by the court.
Section 65 defines the punishment for offences which involve
“tampering with computer source documents”, and reads as follows:
“Whoever knowingly or intentionally conceals, destroys or alters or
intentionally or knowingly causes another to conceal, destroy, or
alter any computer source code used for a computer, program,
system or network, when the code is to be stored or maintained by
law in force at that point of time, shall be punishable with
imprisonment up to three years, or with fine which may extend up to
two lakh rupees, or both”.
There are still various loopholes in this Act of 2008, as there
are a plethora of discovered and undiscovered offences taking place
in cyberspace for which the law needs to be stringent. There are also
offences which are not governed by the IT Act because there are
already provisions in the IPC, 1860. One example is “Defamation”, the
punishment for which is defined under that code; therefore, no other
act defines the impact of such an online offence, which is similar to an
offline offence.

STEPS TO BE TAKEN POST A CYBERATTACK


1. Disconnect and Detach: In case of a continuing attack on your
   device, the first step is to disconnect the device from the
   Internet, as it is the most effective way to prevent loss of data.
   In the event of a phishing attack where you are being conned
   into revealing private information, one should immediately
   initiate steps like:
   • Freezing bank accounts and credit cards
   • Altering Internet and mobile banking passwords
2. Take Legal Action: Do not delay the process, even as you try
   to minimize the negative consequences of the cybercrime.
   Contact the nearest Cyber Crime Cell and file a written
   complaint. Provide detailed information about:
   • Nature of the crime
   • Extent of damage
   • Relevant documents, data, and other information relevant to
     the complaint
   Never presume that cyber criminals cannot be
   caught. Provisions under the Information Technology Act and the
   Indian Penal Code define cybercrime as a punishable offence. Don’t
   delay filing the complaint, as it can lead to crucial time being lost.
3. Inform your Contacts: Your virtual ID can be misused by the
   cyber criminals and can lead to the data being compromised by
   your online connections. Use social media to advertise the
   incident. These steps will reduce the risk of your identity being
   misused and prevent the commission of further crimes.
4. Take Preventive Steps: Install the latest Anti-Virus software,
   use a strong password (can be a combination of alphanumeric
   characters) and never reveal your bank account details to
   anyone.

While cyber thefts continue to remain a challenge and no one
is immune to them, the right decisions at the right time and
being informed will definitely go a long way in preventing
cybercrimes.
