Strategic Cybersecurity Thinking

Strategic Cybersecurity Thinking

The ability to come up with effective plans in line with an organization's objectives within a particular cybersecurity situation. Strategic thinking helps cybersecurity managers review policy issues, perform long term planning, set goals and determine priorities, and identify potential risks and opportunities.

Clearly, there needs to be a clear strategy as to what needs to be done with respect to security. Such a strategy should determine the policies and procedures. However in practice rarely a strategy for security is created. Most emphasis is placed on policies, implementation of which is generally relegated to the lowest levels. Rather it is assumed that most people will follow the policy that is created. 

A strategic cybersecurity programme does not begin with tools and tactics, but with an articulation of one or more programme goals. Sun Tzu once said in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Essentially this means that before you start with strategic planning you have to know what you are and what you are not because the way you operate can either make or break a successful execution. First, the strategy-minded CISO gets executive buy-in to those goals. To that end, the CISO must incorporate all levels of strategic thought, starting with the board and CEO – everyone must feel ownership and participation. 

The smart CISO recognises that security is a journey, not a destination, and that relationship building requires an ability to translate between technical and non-technical vocabularies. The CISO ensures that the programme goals accurately govern the objectives of the enterprise’s digital security programme. In our scenario, the CISO, board, and CEO all agree that, with respect to intellectual property, trade secrets, and sensitive data, the new policy goal is to minimise loss due to intrusion. 

This statement implies that everyone understands that stopping all adversaries and all attacks is simply not possible, especially when dealing with nation-state actors and some advanced criminal groups. The primary objective of this exercise is to achieve consensus on a simply stated, non-technical programme goal. No in-depth technical discussion is needed to achieve consensus, although the CISO must ensure that all goals, policies, and strategies are technically feasible. With a mandate in hand, the CISO can confidently work with his or her security team to plan the necessary operations and campaigns and, if necessary, acquire new tools and tactics to facilitate them. Together, they decide to implement a network security monitoring (NSM) operation, defined as the collection and escalation of indications and warnings to detect and respond to intruders. 

The security team begins the long-term, strategic process of hunting for hostile cyberattack campaigns, encompassing both known and unknown intrusion patterns. The CISO, board, and CEO all agree that a second programme goal is a rapid detection, response, and containment of cyber threats. This goal helps to ensure that when intruders breach the perimeter defences, the game is far from over. 

Defenders can still win, so long as they contain the threat before the attacker can accomplish his or her ultimate mission. Therefore, the security team will develop strategies to identify compromises quickly, determine their nature, give them some level of attribution, and above all develop a plan to stop the attacker from accomplishing his or her mission. At the tactical level of individual engagements with the adversary – the equivalent of battles in war – the security team will have myriad decisions to make, including whether to dislodge the intruder immediately or whether to watch the intruder for a time in order to collect valuable intelligence.

Some tactics govern how specific tools or techniques can be used, such as when Star Trek personnel switch their hand phasers between ‘stun’ and ‘kill’. As always, the adversary gets a say in what happens, but from the enterprise’s point of view, programme goals, policies, and guidelines should be written to govern this entire process.

Section 65B Certificate under Evidence Act is Compulsory for Admission of Electronic evidence : Case Law

Certificate Under Section 65B(4) Evidence Act Is Compulsory for Admissibility of Electronic Evidence: Three Judge Bench of SC - 14 July 2020

Case Law : Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, 2020 SCC OnLine SC 571  , decided on 14.07.2020

The Indian Supreme Court has held in the above case that the certificate required under Section 65B(4) is a condition precedent to the admissibility of evidence by way of an electronic record. The bench headed by Justice RF Nariman further held that, in a fact-circumstance where the requisite certificate has been applied for from the person or the authority concerned, and the person or authority either refuses to give such certificate or does not reply to such demand, the party asking for such certificate can apply to the Court for its production under the provisions aforementioned of the Evidence Act, CPC or CrPC.

The bench has also clarified that the required certificate under Section 65B(4) is unnecessary if the original document itself is produced. The court said that the judgment in Anvar P.V. v. P.K. Basheer & Ors. (2014) 10 SCC 473 need not be revisited, subject to the above clarifications.

"Is requirement of certificate U/s 65-B(4) Evidence Act mandatory for production of electronic evidence?" before the three judge bench of SC

Earlier, a two-Judge Bench of Justices Ashok Bhushan and Navin Sinha had referred the question in view of the conflict between Shafhi Mohammad Vs. The State Of Himachal Pradesh SLP (Crl.)No.2302 of 2017 and Anvar P.V. v. P.K. Basheer and Others, (2014) 10 SCC 473. It was held in Shafhi Mohammad vs. State of Himachal Pradesh that, a party who is not in possession of a device from which the electronic document is produced, cannot be required to produce a certificate under Section 65B (4) of the Evidence Act. In that case, the bench was considering the issue of whether videography of the scene of crime or scene of recovery during the investigation should be necessary to inspire confidence in the evidence collected. In Anvar P.V. vs. P.K. Basheer , it was observed that an electronic record by way of secondary evidence shall not be admitted in evidence unless the requirements under Section 65B are satisfied. Thus, in the case of CD, VCD, chip, etc., the same shall be accompanied by the certificate in terms of Section 65-B obtained at the time of taking the document, without which, the secondary evidence pertaining to that electronic record, is inadmissible.

 

Application Can Be Made To Court When Requisite Person Refuses To Issue Such Certificate

The court observed that the major premise of Shafhi Mohammad (supra) that such certificate cannot be secured by persons who are not in possession of an electronic device is wholly incorrect. An application can always be made to a Judge for the production of such a certificate from the requisite person under Section 65B(4) in cases in which such person.

In a fact-circumstance where the requisite certificate has been applied for from the person or the authority concerned, and the person or authority either refuses to give such certificate or does not reply to such demand, the party asking for such certificate can apply to the Court for its production under the provisions aforementioned of the Evidence Act, CPC or CrPC. Once such application is made to the Court, and the Court then orders or directs that the requisite certificate be produced by a person to whom it sends a summons to produce such certificate, the party asking for the certificate has done all that he can possibly do to obtain the requisite certificate.

In Anvar P.V. (supra), it was observed that such a certificate must accompany the electronic record when the same is produced in evidence. In this regard, the Court clarified thus:

"We may only add that this is so in cases where such certificate could be procured by the person seeking to rely upon an electronic record. However, in cases where either a defective certificate is given, or in cases where such certificate has been demanded and is not given by the concerned person, the Judge conducting the trial must summon the person/persons referred to in Section 65B(4) of the Evidence Act, and require that such certificate be given by such person/persons. This, the trial Judge ought to do when the electronic record is produced in evidence before him without the requisite certificate in the circumstances aforementioned. This is, of course, subject to discretion being exercised in civil cases in accordance with law, and in accordance with the requirements of justice on the facts of each case. When it comes to criminal trials, it is important to keep in mind the general principle that the accused must be supplied all documents that the prosecution seeks to rely upon before commencement of the trial, under the relevant sections of the CrPC. "

 Sec. 65B(4) of the Evidence Act of furnishing certificate is to be applied when such electronic evidence is produced by a person who is in a position to produce such certificate being in control of the said device and not of the opposite party. In a case where electronic evidence is produced by a party who is not in possession of a device, the party asking for such a certificate can apply to the Court for its production under the provisions aforementioned of the Evidence Act, CPC or CrPC.

Conclusion : Section 65B(4) stands compulsory for admission of Electronic evidence 

A man from Odisha gets six years of Jail in cyber pornography Section 67A: A Revenge Porn Case

Judgement Dowload link

A Judicial Magistrate in Puri today sentenced a man to six years of imprisonment in a cyber pornography (A revenge Porn) case, stated to be the first such case.

Puri Sub-Divisional Judicial Magistrate Shibasis Giri also slapped a Rs-9,000 fine on the convict, Jayanta Kumar Das an alleged RTI activist, A fake profile was created by the accused in the name of the victim woman from Puri Township in a pornographic site, who then had uploaded the woman’s name, address, photo and phone number on a pornographic website in 2012 to take revenge against her husband.After her personal info was posed on the site, the victim started receiving calls from numerous persons enquiring about her interest in paid sex and wife swapping.

The husband of the woman, a local journalist, had written about several cases involving the convict.

The crime branch had arrested Das on September 18, 2012, following a complaint filed by the victim in July.He was booked under several sections of the Indian Penal Code and Information Technology Act, 2000. Sections 292, 465, 469, 500 of the Indian Penal Code and 66(C) and 67A of the Information Technology Act,2000(cyber law of India) were applied

The conviction was procured on evidence, including crucial witness statements of scientists from the Central Forensic Science Laboratory, Kolkata.

My Views:

I highly appreciate the conviction upheld as India is short of convictions for cyber crimes committed. This remains first of a kind of conviction in odisha state and could be a first serious conviction of a revenge porn in India. Maligning and destroying a girls life by defaming her online often kills a ladies zeal to live. 

I feel if the convict moves for appeal, his punishment under sections of IPC would be set aside by the High Court in the light of decision made under Sharat Babu Digumarti Vs State Govt of NCT of Delhi but punishment under Sections 66(c) & 67A could be confirmed on merits of the case.

Online impersonation and Sending bomb hoax email - Section 66D Cybercrime

Section 66(D) Cyber Crime - THE MYSTERY BEHIND HOAX MAIL SOLVED –ONE HELD

                         On 20-04-2017, the sleuths of Commissioner’s Task Force, West Zone team with the assistance of S.R Nagar police, on credible information made sustained efforts and solved the mystery behind hoax mail which was generated from Hyderabad.

  Details of apprehended Accused :-

Motaparthi Vamshi Krishna @ vamshi chowdary S/o. M.A.sV. Prasad, age. 32 yrs, Occ. Transport agent  R/o. Flat no.G-1, TP Sanjana  Amrutha Residency, Miyapur, R.R.Dist, N/o.  Dendullur (village & Mandal), West Godavari Dist, A.P.

 Brief facts

On 15-04-2017 at 1647 hours commissioner of police,Mumbai received a mail from a mail ID ununn0801@gmail.com  claimed to be woman in the email and stated that she overheard six men chating in a hotel and stating that all 23 people have to split from here and board flights in three cities i.e Hyderabad, Chennai and Mumbai to hijack planes at a time tomorrow. 

On the tip of Mumbai Police alerted and sent the information to the concerned Airport Security agencies about a gang planning to hijack flights from three Airports.

  Basing on the information CISF pressed into service and quick reaction commando teams under taken sanitisation drill at Airport and Airlines have been asked to remain extra vigilant. Extra care has been given to passenger checks, baggage scanning, pre embarkation checks and started special patrols to thwart any bid to storm the Airport.    

As a mail generated from Hyderabad, considering the seriousness and sensitivity of the issue, the Commissioner of Police, Hyderabad instructed the Task Force team to   check the veracity of the mail. 

During the enquiry traced the IP address and found it is a net cafe at Madhura Nagar, S.R.Nagar styled as “E netzone” and enquired with the owner of net cafe and found the register of the visitors and filtered eight persons at the time of generating mail. Since the net cafe did not have CCTV footages and there were no proper records maintained at net cafe centre, The Task Force Police made sustained efforts based on the available of CC footage nearby net cafe and lead to the identification of   accused by name Vamsi Krishna.

During the interrogation the accused revealed that he used to chat with his girlfriend who stays at Chennai. Few days back she proposed a trip to Mumbai & Goa. As he is facing financial problems, he unable to bare expanses for their tour,  he requested her to withdraw the trip proposal, but she denied his request, forced him to go to trip to Mumbai & Goa.   In this process to cancel the trip, he hatched a plan to make her believe that flights have been cancelled because of High Alert at airports.

                            In this connection he created a fake flight booking Ticket on her name dt. 16-04-2017 from Chennai to Mumbai, sent the fake ticket to his girl friend through his mail Id my3softcreations@gmail.com to her mail id on 15-04-2017 to believe her.  If she knows about the fake ticket, she will avoid him.  On that he went to one internet centre styled as “E Net zone” at Madhura Nagar, SR.Nagar on 15-04-2017 at about 1600 hrs. In this net zone he created a fake mail id “ununn0801@gamil.com”  and secured the Mail Ids of Mumbai police commissioner and others and prepared fake message as ‘’hi sir am female here am doing this mail frim Hyderabad as i don’t want to revel my details couse am a female and scared of issues, and mailing u this couse in the after noon around 2pm while having lunch there were 6 guys talking those guys are musclims, they were talking abt plane hijack tommarrow in Hyderabad chennai and Mumbai airport they were talking very slowly but unfortunately i heard few conversations abt this, they were saying all us 23 people have to split from here and have to board flights in 3 cities and hijack them at a time. They spoke some other things also but i couls not hear them as i heard only these few sentences from them, i dont know do am i doing correct or not and they are true or not but heard this so kindly go through this and as i informed this as a duty and a citizen of india and pls dont make me to get into issues’’

On further questioning he revealed that   previously he  was involved in two cases Cr.No. 411/2010, U/s. 420, 458,506 R/w. 34 IPC of S.R.Nagar PS & Cr.No. 32/2013, U/s. 66(D) of ITA Act-2008 & 420 IPC of CCS, Cyber crimes.

The apprehended accused along with seized material being handover to SHO, S.R.Nagar PS for taking further action under 66D of IT act and sec 419, 182 IPC.

Is Credit or Debit Card PIN a Electronic Signature as per the Law ?

Is Credit or Debit Card  PIN a Electronic Signature as per the Law ?

For Lawyers across the world, click and wrap agreement i.e. the act of ticking an icon in the shape of a box to accept the terms of a contract can hardly count as a form of signature. In the physical world, that must be right. Similarly, it might be questioned that a personal identity number (PIN) can also be considered to be an electronic signature.

Arguably, the PIN combines two functions. Before considering the two functions, consider the requirements of the bank. The bank needs to satisfy itself that:

1. The card is legitimate (this is difficult to achieve, as the reports about fraud demonstrate), and

2. The card is in the possession of the customer to whom it was issued, or a person authorised by the customer to use the card.

If the bank satisfies itself that its computer systems are interacting with the card issued to the customer (which is not always the case), then the computer system requests the purported customer to undertake one further act to confirm they (or a person authorised by them) have physically inserted the card into the ATM or the point of sale terminal, by keying in the correct PIN. Generally, if the computer systems receive positive results from both interactions, then the bank will permit the person at the ATM or the point of sale terminal to undertake whatever activity they are permitted to do within the terms of the mandate.

The first function of the PIN acts as a means of authentication. The PIN purports to demonstrate that the person that keyed in the PIN knew the correct PIN (there are some forms of attack that do

The first function of a PIN

Prefacenot need the correct PIN – any combination of numbers will act vii to deceive the card issuer that the correct PIN has been keyed in).

Once the computer systems of the bank are satisfied that the card is legitimate and the PIN is the correct PIN of the customer, then the person at the ATM or the point of sale terminal can undertake any activity on the account that is permitted within the mandate and within the limitations of the technology.

The second function of a PIN

The PIN, even though it is offered to the machine before a transaction is effected, acts as a signature to verify a payment or other form of transaction. This means that the presentation of a card to an ATM, and the input of a PIN, is similar to a cheque that is written out by the account holder, signed, and then presented to the cashier at the bank. The customer completes the action necessary to request a payment in advance of the payment being made by the cashier, and then signs the cheque in the presence of the cashier – all before receiving acknowledgment that a transaction has been authorised. This means the PIN is a form of electronic signature.

It might be considered that the action of clicking the ‘I accept’ icon or box, or typing in a PIN are merely a means by which the person agrees to conclude the contract, but the act is not that of appending their electronic signature.
This analysis might be right, but we must recall that the digital world is different to the physical world. Conceptually, some of the forms of electronic signature may not strictly be considered ‘signatures’ in the physical world. Nevertheless, it is a convenient shorthand to refer to some forms of agreeing to enter a contract as an ‘electronic signature’ – at least we can all understand the meaning behind these words, even if the form is not quite what we expect.

Case Law:

Standard Bank London Ltd v. Bank of Tokyo Ltd [1995] CLC 496; [1996] 1 C.T.L.R. T-17 and Industrial & Commercial Bank Ltd v. Banco Ambrosiano Veneto SpA [2003] 1 SLR 221, where a message using an authentication code sent through the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system has the legal effect of binding the sender bank according to its contents, and where a recipient bank undertakes further checks on credit standing or other aspects, it does not detract from this proposition. 

What is ones responsibility as a cardholder?

You, and all your supplementary cardholders, must take all reasonable precautions to prevent the card and the card number, the PIN, or any other security details for the card or account (the “card security details”) from being misused or being used to commit fraud. These precautions include:

• sign the card as soon as it is received and comply with any security instructions;
• protect the card, the PIN, and any card security details;
• do not allow anyone else to have or use the card;
• do not write down the PIN or the card security details nor disclose them to anyone else including the police and/or banks staff;
• do not allow another person to see your PIN when you enter it or it is displayed;
• do not tamper with the card;
• regularly check that you still have your card;
• keep card receipts securely and dispose of them carefully; and
• contact bank about any suspicious matter or problem regarding the use of the card at a terminal.

You must notify bank immediately if:

• your card is lost or stolen; or
• your PIN may have been disclosed; or
• your card is retained by an ATM; or
• your address or contact details have changed

Definition of Electronic Signature in various Countries

USA:
Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §§ 7001-7003. 
ELECTRONIC SIGNATURE. – The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. 

CANADA:
The Uniform Electronic Commerce Act provides a single, media neutral, definition of an electronic signature in s1(b):

(b) “electronic signature” means information in electronic form that a person has created or adopted in order to sign a document and that is in, attached to or associated with the document.

 China:

Order No. 24 of the President of the People’s Republic of China, promulgated on and effective since 4 April 2015, amending the 2004 law.  

Electronic Signatures Law of the People’s Republic of China of 2015. Article 2 provides a definition of electronic signature and data message, both of which are widely drafted:

“Electronic signature” in this law means data in electronic form in or affixed to a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory’s approval of the information contained in the data message.

“Data message” means information generated, sent, received or stored by electronic, optical, magnetic or similar means.
EU:

The Regulation provides the definition of an electronic signature in article 3(10)
‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;

India:

Sec 2 (ta) of Information Technology Act 2000 had defines electronic signature as
“Authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and includes digital signature.”
The definition of electronic signature includes digital signature and other electronic technique which may be specified in the second schedule of the Act, thus an electronic signature means authentication of an electronic record by a subscriber by means of electronic techniques. The adoption of ‘electronic signature’ has made the Act technological neutral as it recognizes both the digital signature method based on cryptography technique and electronic signature using other technologies.

Navy man in Jail for 2 years for Child Pornography, cyber crime in India

Navy man gets 2 years Jail for Child Pornography, cyber crime in India : Cyber crime conviction
By Prashant Mali

In the case of Dilip Kumar Vs State of Telangana 

the accused (who is working in Navy then) is convicted for two years rigorous imprisonment and Rs 15,000 fine.

The story:

Accused has same Family name "Sinha" as the Victim from Hyderabad. Accused, a Navy Personnel belong to State of Bihar and was posted on INS Shikra, Mumbai. Accused had sent a facebook request to this victim minor girl, who also happens to be a child of high ranking defence personnel . The victim after finding the same surname was obliged to accept the facebook friend request. Accused then proposes the victim minor girl for a online relationship, to which she refuses. Accuses starts enticing and harassing the victim by sending her obscene, vulgar, abusing and insulting chat messages. Victim then confides this to her parent, who also tries to persuade the accused not to repeat such actions, but the accused remains adamant. The complaint is filed with the police and the cyber crime wing, CID of Telangana Police (Then AP Police) investigates the crime, to find the accused to be an Indian Navy man.

The Court Proceedings and Order :

Pronouncing judgment today, after examining 11 prosecution witnesses, including outstation witnesses, FSL experts etc., Hon,ble I^st Addl Chief Metropolitan Magistrate, Hon’ble Moka Suvarna Raju (I/c VI ACMM Court) at Nampally convicted the accused to undergo rigorous imprisonment (RI) for 2 years concurrently and Rs. 15,000/- fine for the offences punishable under Sections 67, 67-B (c) (d) of The Information Technology Act 2000 (Cyber Law) and Section 509 of The Indian Penal Code.The case was investigated and trial was monitored by B. Ravi Kumar Reddy, Inspector of Police, Cyber Crimes, CID.

Other Facts of the Case :

1. Certificate under Section 65B was not used in the said case, instead of this prosecution an court relied on confession of accused under section 313 of CRPC. The confession was that the facebook account belongs to himself.

Prosecution relied on forensics report of Victims computer where enticing and abusing text was found in the facebook conversation.

2. There was sexually explicit pictures or videos sent (transmitted), it was pure text messages.

3. Accused by himself went to High Court and got a order to expedite the matter, it was his mistake and why was he misguided ? still remains the Question.

4.This was a rare case where in 2010, evidence was asked from California office of Facebook and they had responded positively to Indian police.

5. This is 24th conviction in a cyber crime matter, in the state of Telangana in India.

My comments & Analysis of the Judgement :

I congratulate the team of Telangana police and Government Lawyers for the conviction, as getting more convictions in cyber crime matter is the need of the hour. I would also congratulate Mr. U.Ramamohan Superintendent of Police, Cyber Crimes in CID AP Hyderabad.  As a defence lawyer, i would say that if lower judiciary only has acted under pressure of the higher courts order, then appreciation of the evidence would not have been done satisfactorily and the accused can be left scot free if he goes in appeal. I also see this is not an isolated case from defence forces, where some sexually frustrated defence personnel try to find relationships online. They feel they are behind the secure wall of defence organisations. An awareness training in the defence induction with example of such cases is the need of the hour. Personnel from Navy may be separated on a high sea from civilians on land, but they should remember cyber space has no boundary and cyber crimes today are investigated by sophisticated police officers. So Janata should not go on their uniform or the old perception about them.
Advice for Common Man : Don't talk Dirty Online with Girls below age of 18 Years.

Analysis of The Judgement Delivered : (This Para added on 6th April)
While Analysing the judgment some startling revelations happened to me about the judge being naive or not updated.
1. The Hon. Court has erred in punishing the accused under a section 66A of The IT Act,2000 which was stuck down by the Hon. Supreme Court in Shreya Singhal v. Union Of India [AIR 2015 SC 1523]
2. The Hon. Court has not appreciated the fact that prosecution 
had failed to confiscate Hard Disk from the computer allegedly 
used by the accused in the cyber cafe and thus was not 
available for further digital forensics examination.
3. The Hon. Court in order to ascertain the location of the 
accused on the date of crime has not appreciated the evidence
of "Call Data Record" of the accused mobile phone number , 
which the prosecution has failed to produce 
4. The Hon. Court has failed to appreciate the fact the facebook 
thou have replied to prosecution, but have not revealed 
the ip address, which binds the computer to the accused 
or his location.
5. Certificate under Section 65(B) as required by The Indian 
Evidence Act was not furnished by the prosecution. 
The effect of the same on the evidence thus produced 
was not appreciated the Hon. Court.
6. In my personal view in the age of Information Technology
concluding that the accused was present on the crime location 
only based on statements of witness doesnt sound fair and 
still raises doubts,
7. Accused agreeing that the profile and email belongs to him 
doesn't bind to crime, it just binds him to the weapon of crime.
8. Hon. Court has failed to appreciate the fact that The screenshot of the girl's Facebook profile shows the birthday written there is 19 Aug 1990, which makes her Adult at the time of Crime, whoever wants to send her friend request or chat. She May have faked her Birthday. This gives benefit of doubt in the favour of the accused 
Laws and Sections used
Offences under Information Technology Act 2000.

 67A. Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form. – Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.

67B. Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form.- Whoever,-

(a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or

(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or

(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or
(d) facilitates abusing children online or
(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:
Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or
(ii) which is kept or used for bonafide heritage or religious purposes
Explanation: For the purposes of this section, “children” means a person who has not completed the age of 18 years.

Section 509 of The IPC.  Word, gesture or act intended to insult the modesty of a woman

Whoever, intending to insult the modesty of any woman, utters any word, makes any sound or gesture, or exhibits any object, intending that such word or sound shall be heard, or that such gesture or object shall be seen, by such woman, or intrudes upon the privacy of such woman, shall be punished with simple imprisonment for a term which may extend to three years, and also with fine

Section 313 of The Code Of Criminal Procedure, 1973

313. Power to examine the accused.

(1) In every inquiry or trial, for the purpose of enabling the accused personally to explain any circumstances appearing in the evidence against him, the Court-

(a) may at any stage, without previously warning the accused, put such questions to him as the Court considers necessary;

(b) shall, after the witnesses for the prosecution have been examined and before he is called on for his defence, question him generally on the case: Provided that in a summons- case, where the Court has dispensed with the personal attendance of the accused, it may also dispense with his examination under clause (b).

(2) No oath shall be administered to the accused when he is examined under sub- section (1).

(3) The accused shall not render himself liable to punishment by refusing to answer such questions, or by giving false answers to them.

(4) The answers given by the accused may be taken into consideration in such inquiry or trial, and put in evidence for or against him in any other inquiry into, or trial for, any other offence which such answers may tend to show he has committed.