Kanwaljeet Kaur founded Kapp Edge Solutions in 2012. The startup offers fraud prevention services and anti-money laundering training to corporates, MNCs, banks, government departments such as the CBI, SFIO, Customs and NARCO.

She later launched a second venture, Krish Consulting. The boutique firm specialises in anti-money laundering, anti-corruption corporate fraud investigation, forensic accounting and cyber security. Kaur, born in a small town in Ajmer, Rajasthan, is a chartered accountant by training.  

Kaur is currently a member of the PHD chamber of commerce, and is also on the MSME advisory forum of India and the Delhi government’s business blaster scheme.

AIM: What are the lessons you have learned from being in fraud investigation for 20 odd years? How did the domain evolve over the years?

Kanwaljeet: As per the Global Economic Crime and Fraud Survey 2022 conducted by PwC, cybersecurity breaches have caused a total loss of USD 42 billion.

The last 20 years have been both exciting as well as challenging for the industry. With technological development, we see new types of frauds almost on a daily basis. Newer frauds push the role of fraud investigators and security experts like myself on a routine basis. Businesses, on their part, strive to stay one step ahead by adopting new methods of fraud prevention and detection. Corporates are trying to foresee new threats before they occur and to create multi-layered solutions which address the complexities of a rapidly changing and highly flexible business  environment. As an investigator, I continuously support the companies against fraud prevention and build a deterrence.

AIM: According to a recent Trellix report, ransomware attacks in India have increased by 70 percent. What role can the government play to prevent such attacks? 

Kanwaljeet: There are an alarming number of recent examples where state utilities in India were attacked. There was a recent instance of Russian hackers targeting India’s (OIL)  system in Assam and demanding a ransom of USD 75,00,000. Last year, Telangana and AP Power Utilities were hacked. Another attack was on the state-owned telecom operator BSNL where a major malware attack impacted approximately 2000 broadband modems.

While India does not have dedicated cybersecurity laws, there are several legislations and sector-specific regulations that promote the maintenance of cybersecurity standards. One of the  primary legislations dealing with cybersecurity, data protection and cybercrime is the Information Technology Act, 2000 which has laws against hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft. However, in my view, India needs to work on having dedicated cybersecurity law now and enforcement should be stricter. 

AIM: Can the new guidelines issued by CERT-In for VPN be a threat to user privacy since it will continue to collect data even after a customer cancels their subscription? 

Kanwaljeet: Under the new directions, Virtual Private Network (VPN) providers will need to store validated customer names, their physical addresses, email ids, phone numbers for five years. 

CERT is also asking VPN providers to keep a record of the IP and email addresses that the customer uses to register the service, along with the timestamp of registration. This may pose a new threat to privacy of user’s data. This directive may push few users to use the dark web as they fear that enforcement agencies and  governments can easily misuse such a rule. To overcome this issue, the government needs to have strong regulations in place so that users’ personal data is not compromised. 

AIM: How strictly will these guidelines be followed considering the government has stated that VPN firms failing to comply with the new rules will have to pull out?

Kanwaljeet: Many top VPN operators offer a “no logging” service—at least for paid users. They do not keep logs of the user’s history or the IP addresses of the servers. Many providers keep a log of users’ browsing data, metadata on a person’s usage, websites they have visited and the IP addresses. Some VPNs are in fact now shutting down their operations in India as they do not want to collect user data.  

How successful these guidelines will be depends upon two factors: Firstly, the government needs to inspire enough confidence that user data be protected from potential misuse. Secondly, the government has to be flexible. It should only collect the data of users in case of a genuine reason. In my opinion, the five-year clause should be removed. 

AIM: The pandemic and the resultant digital transformation has put the focus on cybersecurity. How do you deal with the rising threat of hacking? 

Kanwaljeet: The last two years of the pandemic have resulted in a heavier dependence on technology. On the flipside, it has also made us more digitally vulnerable than ever before. Just within a year, the Indian government has recorded 1.16 million cyber security cases in 2020, a three times jump compared to the year before. 

In 2021, some government websites got trapped in a COVID-19 lab test results leak involving thousands of Indian citizens. And in May 2021, a cyberattack was directed at an airline data service provider and resulted in a leak of personal data of 4.5 million passengers. In order to tackle an increase in cyber threats, a policy titled ‘National Cyber Security Strategy 2020’ is being formulated by the Office of National Cyber Security Coordinator at the National Security Council Secretariat. Meanwhile, the National Cyber Policy, 2013 is also under review. The idea is to improve cyber awareness through more stringent cyber audits of financial institutions and  government departments. 

AIM: How can you minimise exposure of young children to dangerous & addictive algorithms?

Kanwaljeet: We use algorithms to model, to understand and process things, be it a baseball  game, an oil company’s supply chain, a government’s actions, or a film’s collections. AI algorithms use large amounts of data to automate an increasing number of tasks. As useful as AI algorithms are, they too can make errors every once in a while.

When it comes to AI for children, a distinct strategy and set of ethical guidelines is required since children nowadays are growing up with AI around them. They can interact with Alexa or Google Assistant, asking the questions that their parents won’t answer. Children are more exposed to adult content now than ever before.

The way children interact with the world can have long-lasting consequences for their growth and future. Every time a child interacts with a digital service, their data profile becomes more fleshed out and these data profiles are precisely how AI algorithms make decisions.