India is sitting on a big threat balloon of cyber security that could burst at any moment, noted cyber law expert Pavan Duggal said in an interview with News Nation.
The government's November 8 demonetisation move, and the subsequent cash crunch, has led to a multi-fold surge in digital payments.
According to government data, the number of daily mobile transactions through e-wallets like Oxigen, Paytm and MobiKwik has shot up from 17 lakh (on Nov 8) to 63 lakh as on December 7 (a growth of 271%). In terms of value, the surge has been 267%, from Rs 52 crore daily to Rs 191 crore now. But as India moves from a less-cash economy to a cashless economy, there are some serious challenges that need to be tackled more prudently to safeguard against cyber espionage cases and phishing attempts.
“Cashless economy is Prime Minister’s futuristic approach but India is still not prepared to become cashless economy. We have major loopholes that need to be filled, like the country needs a dedicated legislature on digital payment,” says Pavan Duggal.
Explaining the loopholes, Duggal says that there is still no dedicated legal framework covering digital payment transactions in India. At present, the digital ecosystem is governed by cosmetic changes made to the RBI Act for the regulation and supervision of payment systems in India. A digital wallet payment is still a contractual payment between the two parties (the mobile wallet company and its customers), and it can always be repudiated.
For fintech companies in India like Paytm and MobiKwik, security compliance falls under Section 43 A of the IT Act. We have a minimal data protection law in our IT Act, but our ISPs (internet service providers) and telcos still do not comply with Section 43 A. So compliance is still lower in the fintech sector. There was a 350 per cent rise in cyber-crime cases under the IT Act 2000 between 2011 and 2014.
From a legal perspective, it is mandatory to address indemnity and liability, data security and other contractual obligations among the parties. Duggal says that strong tripartite agreements (between e-wallet firm, gateway and customers) have to be framed. The second challenge is to bring robust changes to the IT Act 2000. Though India enacted the Information Technology Act way back in 2000, the lack of amendments has left the Act ineffective as digital payments gain traction.
Only cosmetic amendments were made in 2008. Even the National Cyber Policy 2013, which postulated some important points, still needs to be implemented. The National Cyber Policy talked about beefing up cyber security infrastructure, research and responsibility.
Duggal says, “As per National Cyber Policy, it has remained just a collection of statements. It was aimed that India will boost manpower in cyber security by 10 lakh employees per year for development and research, but on the contrary we have just 20,000 employees. There exists a huge gap in National Cyber Policy implementation.”
Stressing the need for secure encrypted data services and SSL (Secure Sockets Layer) encrypted websites, Duggal says that cyber security needs to address data retrieval at lightning speed in case of phishing attempts. He said that when around 65 lakh cards were cloned in October 2016, banks denied the cyber security breach for four days. He said that the cyber ecosystem needs to be more mature in acknowledging security breach attempts.
Duggal also stressed that cyber-crime laws should get more teeth. According to an ASSOCHAM report, cyber crime in India will rise by 60%-65% in 2017. Currently, cyber-crimes are bailable offences and attract only small fines. Duggal calls for hard and rigorous punishments and fines of up to 5-7 lakhs.
India also lags in technological advancement. Pitching for more up-to-date software and operating systems, Duggal said that with the advent of bitcoins and the paradigm shift to digital payments, cyber security laws have to become more topical. With 50 billion devices connected to the internet by 2025, secure encryption, updated operating systems and prudent anti-virus software have to be put in place.
Around 70 per cent of the country’s 200,000-plus ATMs run on outdated Microsoft software. Since April 2014, Microsoft has not been offering support for machines running on its Windows XP platform, making devices vulnerable to cyber-attacks by hackers.
But banks are still operating ATMs that run on the defunct software, putting at risk the banking ecosystem as well as the data and money of crores of customers.
“The absence of cyber security framework for ATMs is like a dream come true for hackers. Updating the software of ATMs and beefing up the cyber security framework should be a mandatory provision, not an optional exercise,” says Pavan Duggal, a cyber law expert.
“The country needs a cyber-security law that defines the duties of the stakeholders, starting from the banker to users,” he added.
He says that the IT Act needs to be amended as the situation changes. Talking about India's policy on cyber security in a global context, Duggal says that India is lagging miles behind its counterparts like China and Germany. China adopted a new information act in July 2015 but amended it in November 2016 in line with the current situation. Germany also adopted a cyber policy in July 2015 and then started amending it as the scenario changed. But India last amended its IT Act way back in 2008, and it holds no ground in the current situation.
Talking about steps to link all accounts to Aadhaar, Duggal said that access to the Aadhaar card has been thrown open to the public. He further said that India needs to build a strong ecosystem around the legal complexities and ramifications of the biometric card.