After a report uncovering one of the biggest hack-for-hire operations yet named an obscure Indian firm based in Delhi, cybersecurity officials and experts point towards lacunae in the Indian Information Technology Act that treats hacking as a bailable offence.
A fresh expose by Toronto-based internet watchdog Citizen Lab had earlier made global headlines, revealing that BellTrox InfoTech Services, a small IT firm based in West Delhi, allegedly targeted thousands of powerful individuals and organisations across six continents under an operation codenamed 'Dark Basin'.
Whether it was commercial espionage on behalf of a few clients or if there was more to it than meets the eye, is not clear yet.
But, the Citizens Lab expose has revealed how cyber mercenaries in the national capital are available at low-cost, and can spy on behalf of their clients on a range of targets including investors, politicians, lawyers and environmental groups across the world—hiding the real consumers of that information.
Cyber security officials are now demanding action against small domestic IT companies acting as “digital mercenaries” in the garb of providing IT services by indulging in hacking. They want the government to make them accountable and send out a message to the global community that it does not support the “hack-for hire” culture .
Dr Prashant Mali, a Mumbai-based lawyer and cyber crime policy expert, says that the availability of cyber mercenaries for hire at low cost is a growing concern as these desperate hacker companies are falling prey to larger interests at play and are used to shift the blame. He said these companies can be made accountable under the laws that govern cross-border transactions.
"It should also be noted that any unauthorised access of computers or networks is a punishable offence under Section 43(a) read with Section 66 of The IT Act,2000 in the country,'' he added.
Pavan Duggal, founder and chairman of International Commission on Cyber Security Law, however, pointed out that there are no direct provisions for regulating the activities of these companies .
“The problem lies in the IT Act. While section 66 of the IT Act makes hacking a punishable offence with three years imprisonment and Rs 5 lakh fine , the amended act (in 2008) makes hacking a bailable offence,” he said.
This means that as soon as a case of hacking is registered, the accused can get bail .
“The deterrence in the legal provision is not there. We have also noticed that since 2008 when the law was amended, there have hardly been any convictions,” Duggal said, adding that the accused persons, on bail, could even use their time to destroy the digital evidence, leading to an outcome with no conviction.
“Offences like hacking have become very rampant as there is a policy vacuum. It’s a grey area and these companies are acting with impunity,” he said .
Cyber security officials feel that it is time for India to make its cyber laws stringent to act as a deterrent to the growing hack for hire industry .
The fact that these IT companies are making a quick buck in the garb of IT services is also raising an alarm for cyber security agencies as they are making use of the dark web.
Duggal said the government needs to immediately launch a probe into the allegations.
“These companies use the dark web to hack into accounts and Dark web gives them anonymity. But, now that this case has been exposed, the government needs to act strongly to give a message to the global community that it does not support the hack for hire culture," he said .