When 580 senior executives and CEOs of leading global companies were asked, in a survey conducted by Lloyd’s of London, what risks confront global business, they listed the top three in this order: high taxation, loss of customers and cyber crime.
Indeed, a June 2014 study by Georgetown University’s Center for Strategic and International Studies (CSIS) estimates the global annual cost of cyber crime as being between $375–575 billion. This represents a staggering 15-20 per cent of the global share of business conducted over the internet or using the internet. Similarly, internet security firm McAfee’s annual report Net Losses: Estimating the Global Cost of Cyber Crime, published in June 2014, states that the cost to the global economy from cybercrime is more than $400 billion.
One common definition describes cybercrime as any activity in which computers or networks are a tool, a target or a place of criminal activity. Computer-mediated activities which are either illegal or considered illicit by certain parties and which can be conducted through global electronic networks are also treated as cyber crime. In general there are multiple facets of cyber crimes ranging from violation of privacy, hacking, impersonation/exploitation on social networks, cyber attacks on information infrastructure, cyber terrorism, criminal access, obscene messages / emails, threatening messages / emails, unauthorised (criminal) data access, phishing, pharming and grey traffic, etc.
Our national legal framework regarding cyber crimes includes the Electronic Transaction Ordinance (ETO) 2002 and the Pakistan Telecommunication Re-Organisation Act 1996 as enacted laws.
The Prevention of Electronic Crimes Ordinance (PECO 2009) is not an enacted law as it lapsed in 2009.
The major offences covered under the enacted laws include hacking, unauthorised access (e.g. email account hacking), sniffing, interception, unauthorised vulnerability assessment, penetration testing, violation of privacy, Denial of Service attacks, operations impairment, damage to electronic / telecom infrastructure, spoofing (identity impersonation) and grey traffic (illegal VoIP) set-ups. Major types of cyber crimes not covered in the enacted laws but covered in the lapsed law (PECO 2009) include obscene messages / emails, threatening messages / emails, cyber stalking, spamming, malicious code, electronic fraud, cyber terrorism and misuse of encryption.
So what can you do if you are a victim of cyber crime? Cyber crimes can be reported to the National Response Center for Cyber Crimes (NR3C) at this email address: email@example.com with all requisite documents sent as an attachment.
Frequently Asked Questions (FAQs) about the procedure for reporting and so on are accessible at http://www.nr3c.gov.pk/faq.html
The NR3C has received complaints in all categories of cyber crimes since it began operations in 2007.
The top three complaints received by the NR3C, in descending order, are: criminal data access, threatening calls and electronic fraud. The process to lodge a complaint at NR3C starts with the submission of a complaint, either in written or electronic form. Incomplete and anonymous complaints are not entertained at NR3C; therefore, the submitted complaint must be complete in all respects so that it is not rejected at the initial stage.
The next step in this process is legal scrutiny conducted by the NR3C to determine whether the submitted complaint attracts any section(s) of the enacted laws or not. If the submitted application attracts any section(s) of enacted law, verification of the received complaint will be initiated at the field office. If the received application does not fall within the purview of enacted law, then closure orders will be issued. In the verification phase, the complainant is contacted through multiple modes of communication, which include written summons, email or telephone. In this phase, the complainant is normally questioned about the information contained in his / her complaint to ascertain the validity and authenticity of that reported information. Failure in the verification phase will result in closure orders, but if verification is successful the complaint will qualify for the enquiry phase.
At this point an Investigation Officer (IO) is normally deputed to process the enquiry. In this phase the Enquiry Officer (EO) evaluates the verified information on standard principles of investigation. Normally culprits are identified and located in this phase. Generally enquiries are closed due to multiple reasons including plea bargaining, unavailability of evidence or the complainant no longer being interested in pursuing his complaint due to any reason. The successful end of the enquiry phase results in registration of an FIR.
Technical and Digital Forensic Reports are normally required during the enquiry phase and also after registration of FIR. In a nutshell, the process starts with a complaint and then follows through verification, enquiry and FIR in sequential order.
The writer is the Deputy Director of the NR3C
Published in Dawn, Sunday Magazine, January 11th, 2015