Is the Law prepared to handle Cyber Murder?

By D. Prem Kamath

Published On: September 27,2021 at 14:45 IST

The 19th and 20th centuries were referred to as “the age of machines”, thereafter came the age of information which was the early period of computerisation and now we are in the age of “Internet of things” and if I could say so, very soon it could be “Internet of Everything”. In today‟s hyper- connected world, the use and dependence on the World Wide Web or the Internet could be surely referred to have percolated to and revolutionised almost all aspects of our lives.

It is a fact that we netizens use various facilities, platforms and services provided by the Internet being lured by the convenience it offers thereby relying a little bit too much on the Internet, which does not have any centralised governance in either the technological aspects or the regulatory aspect; it neither has geographical nor political boundaries. Certain statistics available in the public domain predict that, by 2025 there would be 75 billion Internet-of-things or IoT devices in the world. These unique features provide enough and more scope and ground to commit various types of crimes via the Internet.

It is reality that many traditional crimes such as cheating, defamation, criminal breach of trust etc have seen an upscale sophistication in its modus operandi with various innovative skills enhanced by the use of Internet, being perpetrated by cyber criminals. We are also aware of terms like Internet homicide. So it won‟t be inappropriate to state that cyber criminals use the Internet as a hunting ground, as a platform, as a trigger as well as an organised tool. However, I wish to share more worrisome crime, which is„Online Murder‟-via compromised Internet connected device (IoT).

It had been predicted by the Europol that the first murder via a compromised internet connected device would happen by the end of 2014, although it seems that the same is yet to happen (atleast on record), but there could be a possibility that the same as happened and not discovered or reported. I wish to say so because there is research material available in the public domain which state that several deaths involving people who wore pacemakers have occurred and that no cases were opened for any of these deaths since they were considered to be of natural causes.

There are reported incidents of cyber security researchers like Mr Barnaby Jack who had demonstrated, how he was able to deliver a deadly 830 V jolt to a pacemaker by logging into it remotely after cracking the device credentials. Could we visualise for a moment that a cyber-criminal observes a crowd of people from a distance, thereafter presses a button on his laptop and scores of people in the crowd clasp their hands to their chests and drop dead. The perpetrator of the crime coolly walks away from the scene after probably committing mass murder.

Such danger is not limited to pacemakers alone. In 2008 a schoolboy is said to have breached and taken control of the trains of Lodz in Poland as a prank whereby they made several trains change tracks thereby causing multiple derailments and injuries.

Imagine an instance where the cyber-criminal could alter the sensor readings on the IOM to device data or the cyber-criminal may alter the device to state false readings, resulting in the patient being administered medications inappropriate to the patient‟s actual medical condition resulting in physical injury or death of the patient. Such type of cyber attacks is termed as medical device hijack or “medjack”.

Imagine a self-driving / autonomous vehicle (AV) car is taken control of by cyber criminals remotely and thereafter increases the speed of the moving vehicle resulting in an accident killing the passengers of the car.

Imagine a situation where attacks on healthcare facilities to force doctors to cancel scheduled/ emergency surgeries due to a cyber attack as a result of which patients‟ records could not be accessed, which could result in death of patients.

An incident which happened in September 2020, wherein, a ransomware cyber attack on hospital in Düsseldorf, Germany, forced the hospital turn away emergency patients as a result of which a woman in a life-threatening condition was directed to another hospital 20 miles away in Wuppertal, died due to treatment delays.

The prosecution had opened an investigation into negligent homicide against unknown persons in this case and it was later revealed that the attackers actually meant to extort money by targeting computer systems of the Düsseldorf University and not the hospital. This instance brought out a glaring fact that death could be deliberately caused in this manner and is certainly possible.

The BBC reported in February 2021 that a person gained access of the treatment software of the water system of a city in Florida and increased the sodium hydroxide content from 100 ppm to 11,100 ppm.

However, since the alert operator immediately noticed this attempt, he restored the level to normal. Imagine how the situation could have become disastrous, if the breach had gone unnoticed bearing in mind the fact that hydrogen peroxide is very corrosive and cause irritation to the skin and eyes along with damage to the mouth throat and stomach, inducing vomiting nausea and diarrhoea along with temporary loss of hair.

These instances which are realistically possible, brings to light serious challenges regarding the IoT devices which include IoMT devices, compromising which could result in fatally injuring or causing death of an individual.

Hence we see that with these IoT devices, which certainly provides more convenience, but expose humans to new and untested varieties of cyber threats and risks.

It is another reality that cyber-crime as a service is in vogue and the law enforcement in various parts of the world are grappling and challenged by such new forms of crime.

IoT devices are complex and are unfortunately not made with „security‟ in mind. IoT are exposed to the dangers of security vulnerabilities and are at the risk of being compromised with very little way to know when the IoT devices have been compromised. There is a looming peril where IoT devices could have been compromised and their normal parameters been altered and yet function as intended originally, leaving little room to understand that it has been compromised.

The challenges which come to limelight with such incidents are with regard to the possibilities of the cyber criminals remotely accessing the device connected to the Internet and committing such crimes from any part of the world, surely stem out the primary question of identifying who is the perpetrator. However, it also throws up issues unique to an electronic crime scene, which provide very little leads unlike physicals crime scene and complex issues of multiple jurisdiction or cross jurisdiction issues that could be involved.

The perpetrator/s could either be individual/s or organised crime syndicates or a business entity or a foreign Govt agency. Amidst these obscurities, complexities, challenges, confusion and limitations, anonymizing technology surely adds further woes for the law enforcement.

Thus, the key question that arises with the incidents/examples just spoken of is, whether the current legal regime effectively covers this new threat?

The Information Technology Act, 2000 is the relevant law that caters to such offences. The Information Technology Act, 2000 certainly has provisions under chapter XI of the Act covering such breaches or unauthorised access to Internet connected devices. However, the tricky part would be in attracting the I.P.C provisions relating to culpable homicide or murder in such cases. The even more complicated, challenging and cumbersome process for the prosecution which has to follow the cardinal principle of common law „to prove beyond reasonable doubt‟, coupled with the principle that if two views are possible on the evidence, one pointing to the guilt and the other towards innocence, then the view which is favourable to the accused must be accepted.

The ransomware cyber-attack like the one that happened in Germany, if happens in India, from a medical perspective, be plausible that the cyber- attack did indeed contribute to the victim‟s death, even if minimally or trivially, but that would probably not be enough to establish legal causativeness required to prosecute for culpable homicide, attempt to muder or murder.

These are some serious thoughts with which I leave all of you with food for thought to tickle your brain about the challenges that exist in investigating, tracing, identifying, prosecuting and bringing the perpetrators of such crimes to justice.

Author: D. Prem Kamath is an Advocate at High Court of Kerala

Related Post