CYBER TERRORISM AND ITS SOLUTIONS: AN INDIAN PERSPECTIVE

By

PRAVEEN DALAL*

 The aim of this article is to analyse the adverse impact of "Cyber Terrorism" on the national interest of India. Cyber terrorism is a catastrophic phenomenon that has not yet attracted the attention of the Indian Legislature. The law in this regard is not sufficient and the problem of cyber terrorism can be tackled properly either by making a separate law in this regard or by making suitable amendments in the already existing Information Technology Act, 2000. In the absence of the political and legislative will to fill in this lacuna, the judiciary has to play a proactive role and construe the provisions of existing laws in a liberal and purposive manner.

 Introduction

 The traditional concepts and methods of terrorism have taken new dimensions, which are more destructive and deadly in nature. In the age of information technology the terrorists have acquired an expertise to produce the most deadly combination of weapons and technology, which if not properly safeguarded in due course of time, will take its own toll. The damage so produced would be almost irreversible and most catastrophic in nature. In short, we are facing the worst form of terrorism popularly known as "Cyber Terrorism".  The expression "cyber terrorism" includes[1]an intentional negative and harmful use of the information technology for producing destructive and harmful effects to the property, whether tangible or intangible, of others. For instance, hacking of a computer system and then deleting the useful and valuable business information of the rival competitor is a part and parcel of cyber terrorism. The definition of "cyber terrorism" cannot be made exhaustive as the nature of crime is such that it must be left to be inclusive in nature. The nature of "cyberspace[2] " is such that new methods and technologies are invented regularly; hence it is not advisable to put the definition in a straightjacket formula or pigeons hole. In fact, the first effort of the Courts should be to interpret the definition as liberally as possible so that the menace of cyber terrorism can be tackled stringently and with a punitive hand. The law dealing with cyber terrorism is, however, not adequate to meet the precarious intentions of these cyber terrorists and requires a rejuvenation in the light and context of the latest developments all over the world. The laws of India have to take care of the problems originating at the international level because the Internet, through which these terrorist activities are carried out, recognises no boundaries. Thus, a cyber terrorist can collapse the economic structure of a country from a place with which India may not have any reciprocal arrangements, including an "extradition treaty". The only safeguard in such a situation is to use the latest technology to counter these problems. Thus, a good combination of the latest security technology and a law dealing with cyber terrorism is the need of the hour.

 Forms of cyber terrorism

 It is very difficult to exhaustively specify the forms of cyber terrorism. In fact, it would not be a fruitful exercise to do the same. The nature of cyber terrorism requires it to remain inclusive and open ended in nature, so that new variations and forms of it can be accommodated in the future. The following can be safely regarded as the forms of cyber terrorism applying the definition and the concepts discussed above: 

(I) Privacy violation:

             The law of privacy is the recognition of the individual's right to be let alone and to have his personal space inviolate. The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which a new cause of action for damages resulting from unlawful invasion of privacy was recognised. In recent times, however, this right has acquired a constitutional status[3], the violation of which attracts both civil as well as criminal consequences under the respective laws. The intensity and complexity of life have rendered necessary some retreat from the world. Man under the refining influence of culture, has become sensitive to publicity, so that solitude and privacy have become essential to the individual. Modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury[4]. Right to privacy is a part of the right to life and personal liberty enshrined under Article 21 of the Constitution of India. With the advent of information technology the traditional concept of right to privacy has taken new dimensions, which require a different legal outlook. To meet this challenge recourse of Information Technology Act, 2000 can be taken. The various provisions of the Act aptly protect the online privacy rights of the netizens. Certain acts have been categorised as offences and contraventions, which have tendency to intrude with the privacy rights of the netizens. These rights are available against private individuals as well as against cyber terrorists. Section 1 (2) read with Section 75 of the Act provides for an extra-territorial application of the provisions of the Act. Thus, if a person (including a foreign national) contravenes the privacy of an individual by means of computer, computer system or computer network located in India, he would be liable under the provisions of the Act. This makes it clear that the long arm jurisdiction[5] is equally available against a cyber terrorist, whose act has resulted in the damage of the property, whether tangible or intangible.

 (II) Secret information appropriation and data theft:

 The information technology can be misused for appropriating the valuable Government secrets and data of private individuals and the Government and its agencies. A computer network owned by the Government may contain valuable information concerning defence and other top secrets, which the Government will not wish to share otherwise. The same can be targeted by the terrorists to facilitate their activities, including destruction of property. It must be noted that the definition of property is not restricted to moveables or immoveables alone. In R.K. Dalmia v Delhi Administration[6] the Supreme Court held that the word "property" is used in the I.P.C in a much wider sense than the expression "movable property". There is no good reason to restrict the meaning of the word "property" to moveable property only, when it is used without any qualification. Whether the offence defined in a particular section of IPC can be committed in respect of any particular kind of property, will depend not on the interpretation of the word "property" but on the fact whether that particular kind of property can be subject to the acts covered by that section. Thus, if any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -  

(a) accesses or secures access to such computer, computer system or computer network.

(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

(c) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

            he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected[7]. The expression "Computer Database" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network[8]. The expression "Damage" means to destroy, alter, delete, add, modify or re-arrange any computer resource by any means[9]. These provisions make it clear that secret information appropriation and data theft by the cyber terrorists will be dealt with punitive sting and monetary impositions[10]. 

 (III) Demolition of e-governance base:

 The aim of e-governance is to make the interaction of the citizens with the government offices hassle free and to share information in a free and transparent manner. It further makes the right to information a meaningful reality. In a democracy, people govern themselves and they cannot govern themselves properly unless they are aware of social, political, economic and other issues confronting them. To enable them to make a proper judgment on those issues, they must have the benefit of a range of opinions on those issues. Right to receive and impart information is implicit in free speech. This, right to receive information is, however, not absolute but is subject to reasonable restrictions which may be imposed by the Government in public interest. In P.U.C.L. V U.O.I[11] the Supreme Court specified the grounds on which the government can withhold information relating to various matters, including trade secrets. The Supreme Court observed: " Every right- legal or moral- carries with it a corresponding objection. It is subject to several exemptions/ exceptions indicated in broad terms. Generally, the exemptions/ exceptions under those laws entitle the Govt to with hold information relating to the following matters:

(1) International relations;

(2) National security (including defiance) and public safety;

(3) Investigation, detection and prevention of crime;

(4) Internal deliberations of the Govt;

(5) Information received in confidence from a source outside the Govt;

(6) Information, which, if disclosed, would violate the privacy of the individual;

(7) Information of an economic nature (including Trade Secrets) which, if disclosed, would confer an unfair advantage on some person or concern, or, subject some person or Govt, to an unfair disadvantage;

(8) Information, which is subject to a claim of legal professional privilege, e.g. communication between a legal adviser and the client; between a physician and the patient;

(9) Information about scientific discoveries".

It must be noted that the primary aim of all cyber terrorist activities is to collapse a sound communication system, which includes an e-governance base. Thus, by a combination of virus attacks and hacking techniques, the e-governance base of the government can be caused to be collapsed. This would be more deleterious and disastrous as compared to other tangible damages, which were caused by the traditional terrorist activities. Similarly, the terrorists to the common detriment of the nation at large can illegally obtain information legitimately protected from public scrutiny by the government in the interest of security of the nation. Thus, a strong e-governance base with the latest security methods and systems is the need of the hour.

  (IV) Distributed denial of services attack:

             The cyber terrorists may also use the method of distributed denial of services (DDOS) to overburden the Government and its agencies electronic bases. This is made possible by first infecting several unprotected computers by way of virus attacks and then taking control of them. Once control is obtained, they can be manipulated from any locality by the terrorists. These infected computers are then made to send information or demand in such a large number that the server of the victim collapses. Further, due to this unnecessary Internet traffic the legitimate traffic is prohibited from reaching the Government or its agencies computers. This results in immense pecuniary and strategic loss to the government and its agencies. It must be noted that thousands of compromised computers can be used to simultaneously attack a single host, thus making its electronic existence invisible to the genuine and legitimate netizens and end users. The law in this regard is crystal clear. If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -  

(a) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(b) disrupts or causes disruption of any computer, computer system or computer network;

(c) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;

            he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected [12]. The expression "Computer Contaminant" means any set of computer instructions that are designed -

 (a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network[13]. Thus, distribute denial of services by the cyber terrorists will be tackled by invoking the provisions of sections 43,65 and 66 collectively.

 (V) Network damage and disruptions:

 The main aim of cyber terrorist activities is to cause networks damage and their disruptions. This activity may divert the attention of the security agencies for the time being thus giving the terrorists extra time and makes their task comparatively easier. This process may involve a combination of computer tampering, virus attacks, hacking, etc. The law in this regard provides that if any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -  

(a) accesses or secures access to such computer, computer system or computer network

(b) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(c) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(d) disrupts or causes disruption of any computer, computer system or computer network;

(e) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;

            he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected[14]. The expression "Computer Virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource[15]. The person tampering with such computer source documents shall be punishable with imprisonment up to 3 years or with fine, which may extend up to Rs.2 lakhs, or with both[16]. Further, if a person causes wrongful loss or damage to any person, by destroying, deleting or altering any information residing in his (owner’s) compute resource or diminishes its value or utility or affects it injuriously by any means, he commits hacking and thus, violates the privacy of the owner. The person hacking shall be punishable with imprisonment up to 3 years or with fine, which may extend up to Rs.2 lakhs, or with both. However, an innocent infringer will not be liable if he proves that he committed the act without any intention or knowledge[17]. A network service provider will be liable for various violations and contraventions mentioned under the Act if he makes available any third party information or data to a person for the commission of an offence or contravention. However, a network service provider will not be liable if he proves that the offence or contravention was committed without his knowledge or he had exercised all due diligence to prevent such commission[18]. Thus, these provisions can be safely invoked for meeting challenges posed by network damage and disruptions caused by cyber terrorists.

 The roads ahead

             The menace of cyber terrorism can be effectively curbed, if not completely eliminated, if the three sovereign organs[19] of the Constitution work collectively and in harmony with each other. Further, a vigilant citizenry can supplement the commitment of elimination of cyber terrorism.

 (1) Legislative commitment:

 The legislature can provide its assistance to the benign objective of elimination of cyber terrorism by enacting appropriate statutes dealing with cyber terrorism. It must be noted that to give effect to the provisions of Information Technology Act, 2000 appropriate amendments have been made in the I.P.C, 1860, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934. On the same lines a new chapter dealing with “Cyber terrorism” can be added to the already existing criminal statues to make them compatible with modern forms of terrorisms. Similarly, a new chapter dealing with cyber terrorism can be incorporated in the Information Technology Act, 2000 by way of its amendment to bring harmonization among various laws. The repealment of POTA and its likely replacement with a new ordinance is an opportunity for the legislature to make the terrorist law effective to deal with cyber terrorism.  

(2) Executives concern: 

The Central Government and the State Governments can play their role effectively by making various rules and regulations dealing with cyber terrorism and its facets from time to time. The Central Government can, by notification in the Official Gazette and in the Electronic Gazette, makes rules to carry out the provisions of the Information Technology Act[20]. Similarly, the State Government can, by notification in Official Gazette, makes rules to carry out the provisions of the Act[21]. In exercise of the powers conferred by section 90 of the Information Technology Act, 2000 (Central Act 21 of 2000), the Government of Karnataka has made the Information Technology (Karnataka) Rules 2004[22]. The Rules define "Cyber Café" as premises where the Cyber Café Owner/Network Service Provider provides the computer services including Internet access to the public[23]. Rule 3 (1) provides that the owner of the Cyber Café shall take sufficient precautions so that computers and computer systems in the Cyber Café are not used for any illegal or criminal activity. Rule 3 (2) mandates that the Cyber Café Owner/Network Service Provider shall not allow any User to use his Computer, Computer System and/or Computer Network without the identity of the User being established before him before use. The Rule provides that the intending User may establish his Identity by producing any Photo Identity Card issued by any School or College or a Photo Credit Card of any Bank or Passport or Voters Identity Card or PAN Number Card issued by Income-Tax authorities or Photo Identity Card issued by the Employer or Driving License to the satisfaction of Cyber Café Owner. Rule 4(1) provides that after the identity of the User is established, the owner of the Cyber Café or the manager or the attendant or on his behalf any authorised person managing the Cyber Café shall obtain and maintain the following information in the Log Register for each user: (i) Name of the User, (ii) Age and Sex of the User, (iii) Present residential address of the User, (iv) Log in time, and (v) Log out time. Rule 4 (2) provides that if a User cannot produce any Photo Identity Card to establish his identity to the satisfaction of the Cyber Café Owner/Network Service Provider, he may be photographed by the Cyber Café Owner/Network Service Provider after obtaining his consent using a 'Web Camera' hooked onto one of the computers or computer systems in the Cyber Café and the User shall be explained that his photograph will be taken and stored in the hard disk of the computer, for verification by Law enforcement authorities, whenever required.  This is in addition to the entries made in the log register. The Rule further provides that in case the User does not agree for storing his photograph he shall not be allowed to use any computer, computer system and /or computer network or access to the Internet in the Cyber Café. Rule 4(3) provides that all time clocks in Cyber Cafes must be regularly checked and synchronized with Indian Standard Time (IST). Rule 4(4) provides that maintaining proper account of the User as explained shall be the responsibility of the Cyber Café Owner/Network Service provider. Rule 5(5) provides that the Log Register and the Photograph of the User shall be maintained by the Cyber Café Owner/Network Service Provider for a minimum period of ONE YEAR and the same shall be provided to Law enforcement agencies as and when required. Rule 4(6) provides that the Cyber Police authorities may on complaint inspect Cyber Cafes at all reasonable time to ensure compliance of these rules.  If any Cyber Café Owner/Network Service Provider fails to maintain Log Register and records he shall be liable for penalties as provided in the Act or any other Law, for the time being in force. These provisions are sufficient to take care of illegal use of cyber café for terrorist activities.

Further, the government can also block web sites propagating cyber terrorism. It must be noted that the Indian Computer Emergency Response Team (CERT-In) has been designated as the single authority for issuing of instructions in the context of blocking of web sites[24]. CERT-In has to instruct the Department of Telecommunications to block the web sites after verifying the authenticity of the complaint and satisfying that action of blocking of website is absolutely essential. There is no explicit provision in the IT Act, 2000 for blocking of websites. In fact, blocking is considered to be censorship; hence it can be challenged if it restricts the freedom of speech and expression. But websites promoting hate, contempt, slander or defamation of others, promoting gambling, promoting racism, violence and terrorism, pornography and violent sex can reasonably be blocked since all such websites cannot claim the Fundamental Right of free speech and expression. The blocking of such website may be equated to "balanced flow of information" and not censorship. If the blocking of a website is arbitrary, unreasonable and unfair and is based on extraneous and irrelevant materials and reasons, then it would be vulnerable to the attack of unconstitutionality, being in violation of Articles 14, 19 and 21 of the Constitution of India[25].  

(3)Judicial response:

 The judiciary can play its role by adopting a stringent approach towards the menace of cyber terrorism. It must, however, first tackle the jurisdiction problem because before invoking its judicial powers the courts are required to satisfy themselves that they possess the requisite jurisdiction to deal with the situation. Since the Internet "is a cooperative venture not owned by a single entity or government, there are no centralized rules or laws governing its use. The absence of geographical boundaries may give rise to a situation where the act legal in one country where it is done may violate the laws of another country. This process further made complicated due to the absence of a uniform and harmonised law governing the jurisdictional aspects of disputes arising by the use of Internet. It must be noted that, generally, the scholars point towards the following "theories" under which a country may claim prescriptive jurisdiction:

(a) a country may claim jurisdiction based on "objective territoriality" when an activity takes place within the country,

(b) a "subjective territoriality" may attach when an activity takes place outside a nation's borders but the "primary effect" of the action is within the nation's borders,

(c) a country may assert jurisdiction based on the nationality of either the actor or the victim,

(d) in exceptional circumstances, providing the right to protect the nation's sovereignty when faced with threats recognised as particularly serious in the international community.

In addition to establishing a connecting nexus, traditional international doctrine also calls for a "reasonable" connection between the offender and the forum. Depending on the factual context, courts look to such factors, as whether the activity of individual has a "substantial and foreseeable effect" on the territory, whether a "genuine link" exists between the actor and the forum, the character of the activity and the importance of the regulation giving rise to the controversy, the extent to which exceptions are harmed by the regulation, and the importance of the regulation in the international community. The traditional jurisdictional paradigms may provide a framework to guide analysis for cases arising in cyberspace[26]. It must be noted that by virtue of section 1(2) read with section 75 of the Information Technology Act, 2000 the courts in India have “long arm jurisdiction” to deal with cyber terrorism.

 (4) Vigilant citizenry:

 The menace of cyber terrorism is not the sole responsibility of State and its instrumentalities. The citizens as well as the netizens[27] are equally under a solemn obligation to fight against the cyber terrorism. In fact, they are the most important and effective cyber terrorism eradication and elimination mechanism. The only requirement is to encourage them to come forward for the support of fighting against cyber terrorism. The government can give suitable incentives to them in the form of monetary awards. It must, however, be noted that their anonymity and security must be ensured before seeking their help. The courts are also empowered to maintain their anonymity if they provide any information and evidence to fight against cyber terrorism. 

Conclusion

 The problem of cyber terrorism is multilateral having varied facets and dimensions. Its solution requires rigorous application of energy and resources. It must be noted that law is always seven steps behind the technology. This is so because we have a tendency to make laws when the problem reaches at its zenith. We do not appreciate the need of the hour till the problem takes a precarious dimension. At that stage it is always very difficult, if not impossible, to deal with that problem. This is more so in case of offences and violations involving information technology. One of the argument, which is always advanced to justify this stand of non-enactment is that “the measures suggested are not adequate to deal with the problem”. It must be appreciated that “something is better then nothing”. The ultimate solution to any problem is not to enact a plethora of statutes but their rigorous and dedicated enforcement. The courts may apply the existing laws in a progressive, updating and purposive manner. It must be appreciated that it is not the “enactment” of a law but the desire, will and efforts to accept and enforce it in its true letter and spirit, which can confer the most strongest, secure and safest protection for any purpose. The enforcement of these rights requires a “qualitative effort” and not a “quantitative effort”[28]. Thus, till a law dealing expressly with cyber terrorism is enacted, we must not feel shy and hesitant to use the existing provisions.