With 7 lac resource gap in cybersecurity, more experts needed: Amit Dubey, National Security Expert

Amit Dubey, Crime Investigator & Deputy CTO at Tech Mahindra speaks to Careers360 about the career prospects of cybersecurity in law. He is a renowned National Security Expert and a Crime Investigator on Cyber Forensics and Ethical Hacking to various Investigation Agencies like (NIA, CBI, Punjab Police, STF Lucknow, STF Noida etc.). He lends his mentorship to several law enforcement agencies and has authored a book named ‘Return of The Trojan Horse, Tales of Criminal Investigation’.

Every day cyber financial crimes are costing India more than 2 billion dollars. If we can save even 10% of it, it will be a huge saving, tells Dubey. Underlining authorities’ and consumers’  unawareness about the procedure, he says, an experienced cyber lawyer plays a pivotal role in acting as a hustler, pushing the right buttons with right documents and connecting all the dots together. Given below is the full interview.

INTERVIEW

Careers360: What is the status of cybercrime protection laws in India?

Amit Dubey: I think from an awareness point of view, we are still quite behind. Though we are coming up with new laws and regulations every year. Recently, the NITI Aayog released the paper on data protection law, IT Act 2008 was also updated, but then from the law enforcement perspective, I think police isn’t as aware of the laws. From the investigation point of view, they are not trained well. So, when a victim of cybercrime approaches them, especially financial crimes, they don’t entertain well. You say somebody has hacked your account, or taken money from your bank account, that’s very difficult for them to pursue as they don’t themselves understand how to start an investigation, to whom should they approach. Here we are lacking. We need to build that capacity in our law enforcement departments.

Careers360: Beside capacity building, what aspects of cyber law we still need to build on like blockchain technology, etc.? We still don’t have any laws on that...

Amit Dubey: Yes we are still evolving. If you see, 5 years earlier we started with the concept of data privacy and from there, now, we are talking of data sovereignty. This is a long journey. We are evolving everyday and trying to pitch in new prospects. Recently, WhatsApp and Ministry of IT went into communication and they are pushing WhatsApp to keep all of their data in India. They sort of agreed to the proposition to some extent. Though WhatsApp is a very tough guy as the technology they use is complex. Its peer-to-peer encryption. So, it’s very difficult to share this data with anybody else because it cannot be decrypted. It can be decrypted only at the peer end. However, the catch lies, whenever you take backup of your data and it is retained on some server, that data or analysis of that data can be shared with someone. Now that is something which law enforcement agencies are trying to get for investigations as most criminals use WhatsApp for communication due to its encrypted communication and since nobody can put surveillance on it. We also need to build support from other social media too as all these channels are being used for various criminal activities.

Careers360: Why is it so important for data to be protected?

Amit Dubey: Many times people ask me what will happen if my data is leaked. What is so big deal about it! Will I get some sort of threat? What sort of real tangible criminal activity possible to do with that? It is not clear to many people. For that, I will give you an example. Recently I was investigating a case. Somebody put in a complaint of their faulty RO system with the company and a person came to fix that. After examination, this person produced a list of items, gave the lady at home a better plan for 3 years including free AMC and replacements in INR 12,000. He duped the family; took the money and never turned up. Upon realization, this couple approached the company to only find out that they never sent a person like that. When I investigated the case, I found that the complaint department of the company was selling this data to third-parties at a mere 500 rupees. So, their complaint was sold to somebody else to commit any sort of crime they deem fit. Data protection certainly is a big issue. When you put in your data, you put in a lot of trust on there. You are as good as giving entry to an unknown in your home and personal space. Any sort of data leak can damage a person to a large extent, whether it be via social media or LIC payment details or call data records or bank details, anything.

Careers360: How can law students take benefit of these changing times?

Amit Dubey: This is a great opportunity especially from cyber law perspective. We have very few expert cyber lawyers. With coming of data protection laws, I believe there will arise new posts of Chief Data Protection Officer, Chief Data Officer, financial fraud investigator, etc. as those unable to protect their department data will be penalised and for that, we will need accountable positions just like that of CEO, CTO, etc. With investigators, they will need expert lawyer to frame the right procedure and protocols from law perspective in case of a breach. So, the victim company/person can gain maximum out of it. These lawyers will need to understand how much damage and more can be recovered by convincing the judge that this data leak could have damaged the person to an extent to paralyze one’s life. That's the beauty of a lawyer who can put the case forward in a right and creative manner. I am sure in future to come there will be a huge demand for these lawyers. Whoever is there in cyber security right now, be it cyber lawyer, data protection and investigation people, they are already earning hell lot of money.

Careers360: Can you give an example...

Amit Dubey: I got a complaint recently where through a phishing attack on a person’s email, the criminal transferred 15 lacs to a Germany account. The victim approached the police department but was turned down as they didn’t know how to investigate the case, their jurisdiction and what not. He started looking for a cyber lawyer, as a normal lawyer couldn't make a case to the police. I found one freelance cyber lawyer who was in Mumbai at that time and he travelled all the way to Delhi as it was a big amount. He worked on it, investigated the case and eventually helped him to get this money back. This was a lawyer who could convince police as to what should be done, what sort of complaint should be filed to the bank. The bank had to push as there are RBI guidelines about this. Ultimately, it was the bank who had to return the money as it was within three days that the complaint was filed. Though the money was already transferred to some bank in Germany, but bank had to follow the rules. On lawyer’s advice, he also had to approach the embassy. The pivotal role played by this lawyer’s knowledge is interesting to see. All these laws connect. He pushed the right buttons at right time with right documents. This was vital to the case.. He played a hustler and connected all these dots together. I think everyday India is losing more than 2 billion dollars in these digital financial crimes. This starts from as small as 500 rupees to 50 lacs. If we can save even 10% of it, it will be a huge saving. Active lawyers can help polish existing rules.

Careers360: What skills and knowledge a law student should develop to become a cyber law expert?

Amit Dubey: In cyber law, a person who doesn’t have a technical background, sometimes it becomes difficult for them to understand the jargons and consequently it becomes difficult for them to work on the cases. If a particular IP is leaked or a firewall is breached or the network system which is there to ensure the security is compromised, the lawyer should be able to understand who could be accountable for that and to whom he/she should approach. That sort of understanding is possible only when one gains required technical understanding of it. So, I think all cyber lawyers need to learn some technicalities, these jargons, their real meanings and importance. Secured HDLC, secured by design, all these things may look simple but encompasses a lot when are used in reality. Merely knowing the IT acts would not be sufficient unless you know the system and its working.

Careers360: Do we have enough law institutions to produce such lawyers?

Amit Dubey: There are traditional law institutions, but as per the new knowledge they need to upgrade their teaching. Every year we come up with new laws and regulations and the update becomes necessary. Not just in IT and Cyber law, all other domains as well. You don’t need new courses per se, but we need to upgrade the existing facilities with these new norms.

Careers360: Could you shed light on the research domain of cyber law?

Amit Dubey: In UK, for instance, if a police officer is investigating you and he/she asks for your passport, you have to give it by law, but in India, you have all the liberty to deny. The reason being the low trust level with law enforcement. In other countries, it’s really high. People are losing trust with the system mainly because our system doesn’t know how to solve the issues. In fact, within the organizations there are insiders leaking the data and damaging the system. Here comes the need for researchers to find and fill these gaps by beginning communication on right pedestal.

There are a lot of think tanks working closely with government. Recently I was in an event organized by ORF, The Dialogue, etc. So, they worked with NITI Ayog and other government agencies to propose new regulations and laws which are required pertaining to new crimes. The work of these think tanks requires a lot of research effort. You have to study the laws applicable in other countries, how they are evolving and then only you can propose laws for Indian context right for our geography and demography. 

Careers360: Students with cyber law understanding, where can they find employment?

Amit Dubey: All corporate companies are already hiring the cyber law experts, including Tech Mahindra. We have a good number of positions for them. Every mid size company need at least 10-15 such professionals. And if a company is having 3,000-4,000 resources, they will need at least 2-3 cyber law experts. That is the ratio right now as companies are playing safe, but eventually, we will need a lot more as there will be more exposure to this media, more crime cases and more complaints. With BYOD (Bring your own device) culture the level of complexity will rise. It will go to the lawyer first, as to whether it is a criminal offence, if it can be waived off as per Indian system. Then, of course, the government departments will be opening such positions very soon because they are the most affected organizations in case of any data-leak or hacking. They need to defend, not only with cyber experts but judicially too. The third, I am sensing that there are and will arise many freelance law experts as well to offer these services to common people, similar to the example of Mumbai lawyer I laid above.

Careers360: Any final message for students...

Amit Dubey: I will only say that there is about 7,00,000 resource gap in the cyber security domain today and we will need a lot more law experts and investigators. The starting positions would range from security analyst to Chief Security Officer, Chief fraud investigator, Chief data security officer, and so on. The need for this will increase exponentially in banks, government, private, etc. I am sure none of the companies has yet been able to speculate the right figures for these professionals, but it's sure that security will become a key concern for every industry with the coming of smart cities, be it automobile, logistics, healthcare, anything. It's not a hidden fact I am telling but I am reiterating that we should explore and exploit this opportunity. I hope that our educational institutions will take these opportune times forward and will be able to supply the right security experts.