Prashant Mali Interview in Business Standard Newpaper

Ransom-payers are also the cause of ransomware proliferation: Prashant Mali

The ransom to retrieve files was reportedly $300, to be paid in virtual currency bitcoins

Nikita Puri July 1, 2017 Last Updated at 21:20 IST

Operations at a terminal of the country’s largest container port, Jawaharlal Nehru Port Trust in Mumbai, came to a standstill earlier this week. The process of loading and unloading containers was halted as the port’s computers shut down after a major cyber attack that swept across the globe. The aggressiveness of the malware showed that such attacks were capable of bringing both corporate and government networks to a sudden halt. The ransom to retrieve files was reportedly $300, to be paid in virtual currency bitcoins. Cyber law expert Prashant Mali, also an advocate at the Bombay High Court, tells Nikita Puri how to prevent mass-scale civil disruptions that future cyber attacks can result in. Edited excerpts:
 
First we had individual companies and high-networth individuals who were targets of ransomware, then WannaCry hit servers across the globe. Now another malware, which some are identifying as Petya, has sent corporations into a tizzy. Do you foresee more such threats?

 
To date, financial cyber crime has only grown and it is yet to peak, so I would say it’s written on the wall that many more such attacks are expected in the near future. Such threats loom large as the ransom is paid in bitcoins, so the criminals aren’t caught. One thing the police and the government can do is to ensure that citizens make compulsory declarations of purchase of bitcoins and other cryptocurrencies (like ethereum) when they file their income tax returns. This can help the government see who pays and how much because, I feel, ransom-payers are also the cause of ransomware proliferation.
 
Security experts confirm that the malware isn't really a ransomware, but a wiper designed to destroy data. Reportedly, because of “ its aggressive features,” the malware makes it impossible to retrieve certain files leading many to believe that this attack may not have been for money. Can this be seen as an attempt to test how far companies will go to protect data?
 
Even if cyber attacks don’t cause financial damage, they definitely throw open defences. Identifying fortresses that have holes in their system can be of interest to the state and non-state actors. This data of the number of loopholes is in demand and is sold at a premium price. There are different types of people involved in the dark world: many a time those who look for such holes, those who attack, and those who intend to get ransoms are all different.
 
Companies are often wary of making such attacks public. Security firm Symantec has said that India is the worst hit in Asia, but we have confirmation only from Mumbai’sJawaharlal Nehru Port Trust. Do you think information sharing could actually help build a better defence against such attacks?
 
By not reporting such attacks, companies are depriving the nation of a knowledge database that can help other companies develop better defences. Symantec and other (security) vendors also cannot be fully relied upon because fear is what they harp on. The more fear they put in Indians, the more they sell security products. The Insurance Regulatory and Development Authority of India and insurance companies should make it compulsory for clients to file a First Information Report (FIR) before claiming cyber insurance. Once reporting to some government agency becomes mandatory to claim insurance, companies would be motivated.
 
What are the security measures that one must take to avoid such attacks? 
 
No one can be immune in cyber space and that's the reality. Only cyber awareness in organisations can bring in cyber resilience. I would advise organisations to have multi-prong policies to establish a cyber security culture. I feel the highest level of cyber safety can be achieved by establishing a cyber security culture in the company, and a country can be cyber resilient by cultivating a culture of cyber security in society. Government should quadruple its budget for digital literacy programmes. For the government to be ahead of hackers, we need cyber spies: our law and enforcement agencies should implant cyber spies among cyber criminals. The chatter within their group helps the state to be ready for what is coming: we need cyber intelligence. 
 
Do you think companies should have ethical hackers on their pay rolls? 
 
I have an issue with the term “ethical hackers” because legally this isn’t right: those are two contradictory terms put together. People who use these terms are either doing it for branding purpose or are students. Companies should opt for services by cyber security researchers. 
 
Are India’s cyber laws equipped to handle such large-scale attacks?
 
No. Laws can be invoked when prima facie evidence is found against criminals and investigation can be completed if attribution to a criminal is possible. The legal framework to help enforcement agencies in India has serious flaws. Large-scale cyber attacks need multiple law and enforcement agencies to work together along with CERT-In (Indian Computer Emergency Response Team), but the protocol for this is yet to be developed. 
 
In the future, cyber attacks are going to affect government facilities meant for citizens: like centres for health, water etcetera. Even municipalities should coordinate with the aforementioned agencies to avoid mass scale civil disruption from cyber attacks.

Can a Complainant or Victim fight his own cyber crime case or appoint his own Lawyer?

Can a Complainant or Victim fight his own cyber crime case in Magistrates Court or appoint his own lawyer?
Note: Normally when one files a police FIR, the case is represented free of cost by the STATE in the courts i.e By Public Prosecutor.

Yes !!! He can by himself or through his Expert Legal Counsel or a Lawyer.
But he has to file a written application making out a case, so that the magistrate can exercise the jurisdiction as vested in him and form the requisite opinion.

A plain reading of Section 301 reveals that though oral submissions before the court cannot be independent of the Prosecutor, a pleader instructed by a private person can definitely file written submissions before the court independent of the Public Prosecutor, if the court so permits. That apart, Sections 301 and 302 cover two different situations. Section 301 envisages a situation where the Public Prosecutor is in charge of a case and a private person instructs his pleader to intervene. In such cases, as has been rightly held, it is the Public Prosecutor under whose overall conduct and supervision the prosecution is carried on. However, Section 302 is concerned with a situation where any person not being a police officer below the rank of inspector, can prosecute a case, with the permission of the court, either himself or through his pleader. This amply signifies that CrPC contemplates a situation where the whole conduct of the case is with a private person. Thus two levels of intervention by private persons are envisaged under CrPC. One is under the supervision and control of the Public Prosecutor and the other independent of the Prosecutor. Thus clearly, in a case where a private person seeks the permission of the court to intervene, it is the discretion of the court to decide which level of intervention should be allowed in any given case.

The difference between Section 301 and Section 302 of the Code of Criminal Procedure (CrPC) is examined by the Hon. Supreme Court in Dhariwal Industries Ltd. vs. Kishore Wadhwani & Ors. It was held that Section 302 CrPC confers power on a magistrate to grant permission to the complainant to conduct the prosecution independently. The court also made it clear that the said provision applies to every stage, including the stage of framing charge (This means when the court finalises the sections of law to be applied to the accused by passing a charge framing Order) 

A Bench comprising Justice Dipak Mishra and Justice Adarsh Kumar Goel also clarified that when a complainant wants to take the benefit as provided under Section 302 CrPC, he has to file a written application making out a case, so that the magistrate can exercise the jurisdiction as vested in him and form the requisite opinion.

The private complainant, who is the appellant before the Supreme Court, was permitted by the magistrate to be heard at the stage of framing of charge. However, the high court modified the said order by expressing the view that the role of the complainant is limited under Section 301 CrPC and he cannot be allowed to take over the control of prosecution by directly addressing the court, but has to act under the directions of the assistant public prosecutor in charge of the case.

Magistrate Can Permit The Complainant To Conduct Prosecution Independently

Referring to a three-judge Bench decision in J.K. International vs. State, the court observed: “It has been opined that the private person who is permitted to conduct prosecution in the magistrate’s court can engage a counsel to do the needful in the court in his behalf. If a private person is aggrieved by the offence committed against him or against any one in whom he is interested, he can approach the magistrate and seek permission to conduct the prosecution by himself. This court further proceeded to state that it is open to the court to consider his request and if the court thinks that the cause of justice would be served better by granting such permission the court would generally grant such permission. Clarifying further, it has been held that the said wider amplitude is limited to the magistrate’s court, as the right of such private individual to participate in the conduct of prosecution in the sessions court is very much restricted and is made subject to the control of the public prosecutor. “ 

The court further observed: “Role of the informant or the private party is limited during the prosecution of a case in a Court of Session. The counsel engaged by him is required to act under the directions of public prosecutor. As far as Section 302 CrPC is concerned, power is conferred on the magistrate to grant permission to the complainant to conduct the prosecution independently.”

Written Application Must

However, the Bench added: “When a complainant wants to take the benefit as provided under Section 302 CrPC, he has to file a written application making out a case in terms of J.K. International (supra) so that the magistrate can exercise the jurisdiction as vested in him and form the requisite opinion.”

Section 302 CrPC Applies To Every Stage

Allowing the appellant to file an application under Section 302 CrPC before the magistrate, the Bench said: “It may be clearly stated here that the said provision applies to every stage including the stage of framing charge in as much as the complainant is permitted by the magistrate to conduct the prosecution. We have said so to clarify the position of law. If an application in this regard is led, it shall be dealt with on its own merits. Needless to say, the order passed by the learned magistrate or that of the high court will not be an impediment in dealing with the application to be led under Section 302 CrPC.“ 

Role of Public Prosecutor

The other challenge in general public mind is the Public Prosecutor is an officer of the court, and not the counsel of the State, and hence she should be absolutely impartial, and should not work towards a conviction, but should strive to uphold the truth and assist the court in doing the same. This is an idealistic position, and practice has shown that the Prosecutor has basically become the counsel of the State. This is because, ultimately, the Prosecutor is appointed and removed by the State. Hence, she has no choice, but to be briefed by the State and to put forth the views of the State in the court of law. This has very clearly come through in the Best Bakery case, wherein the Public Prosecutors seem to have followed the instructions of the State Government at every step.
Conclusion

To conclude, one of the major aims of punishment under criminal law is deterrence. With abysmal rates of conviction in cyber crime matters, deterrence is becoming meaningless. The criminal-justice system is becoming overburdened and unreliable due to lack of awareness amongst judges and lawyers about cyber crime and electronic evidence. Hence, in my opinion, it makes sense to permit the complainant to represent himself or through his expert legal counsel intervene in criminal cases.