Sometime back I was pondering about surrogate criminal
activity that happens in the absence of incident disclosure by corporate
bodies. While pondering whether the regulators will act to bring in any form of control I
realized that it is not just the corporate but others too who are engaging in
To illustrate I present an example ... I have a pistol and
shoot a friend accidentally. We take the injured person to a hospital where
he/she will be refused treatment by the doctor until a police compliant is
registered. A police complaint will lead to my arrest and confiscation of my
gun. I shall be in a lockup I get bail and then even if my friend stands by me
the cops will interrogate and investigate and may not drop the case.
Now we come to a cybercrime scenario - a company or
government department is breached (they get hacked / data is stolen / phished / financial fraud). The CISO is the first to respond and advises the CxO. Then they call in a
forensic/security consultant who provides his/her analysis with remediation advice. Now they go to the Police Cybercrime cell and ask for an investigation. At the end of the Police investigation, they cops are told
"we do not want to file a case" and the whole thing is dropped because they "know" who or what happened.
So we have the victim company (organization, bank,
department..), CISO, Forensic/Security consultant, and Police investigators who
have all colluded to close a criminal case (theft, hacking, piracy, porn...
Does this make all these people / institutions party to the
crime of abetting a criminal act ?
If yes then can the various banks, government departments
and organizations be taken to court along with the police departments of all
states? I understand Sec 120 b or Section 34 of the IPC establishes guilt for
Will the ITA be amended soon for 66A and can the mandarins
add "disclosure" as an obligation under the act.
The moot question is whether everyone is a criminal now? The
consultant who found out the modus operandi and advised on new controls, the
cybercrime police who did not register the case and advised closure thus
(possibly) causing loss to shareholders and the exchequer.
Labels: abetment, cybercrime, LEA