Delhi bomb threats: Should central agencies take over probe? Here’s what experts say

On Saturday as well, several city schools reported bomb threats — the latest such incident in a month. Even in 2022 and 2023, schools faced several bomb threats — every single one was declared a hoax.

The Delhi Police has made no headway in its probe to ascertain the origin of these emails.

According to experts, a major challenge in solving these cases is the use of VPN (Virtual Private Network), TOR, or proxy servers to send the emails. These are encrypted connections over the Internet that help the sender hide their identity.

The Indian Express spoke to officials, cyber experts, and several top former police officers on how the issue could be tackled. While some said the case needs to be handed over to a central probe agency, others believe that a single centralised agency is the need of the hour.

According to Delhi Police officers, they have exhausted all available mechanisms — from collecting the full email headers, identifying servers and service providers, reaching out to them, contacting the country where the VPN is based, and finally seeking assistance from that country’s security agencies for technical investigations.

The officer said, “One of the main reasons for the road block is mutual legal assistance treaties (MLATs) with other countries or non-cooperation from service providers. To communicate with these entities, Delhi Police seek help from central agencies, but the process again gets delayed,” the officer said.

Former Delhi Police Commissioner S N Srivastava said central security agencies are definitely in a better position to coordinate with their counterparts in other countries. While legal limitations may arise, they can help expedite the process to some extent.

According to a cyber expert, who wished to remain anonymous, it is not just a national problem but has become a global issue. “Definitely, the involvement of central investigative agencies in probing these cases would certainly help.”

In India, according to the CERT-In (Indian Computer Emergency Response Team) guidelines for VPN apps, a KYC registration is mandatory. However, in many other countries, this is not the case. “They follow a no-log policy. So, whenever someone sends an email using a VPN, the service provider does not keep a log of the IP address,” the expert said.

Earlier this year, the i4C (Indian Cybercrime Coordination Centre), which operates under the Ministry of Home Affairs, asked Google to remove 11 VPN apps and two Chrome extensions as they were not providing information to Indian law-enforcement agencies, he said.

Central agencies, however, can collaborate with their counterparts in other countries to address these global issues, as similar fake bomb threats are being faced by other nations as well, he added.

Another cyber expert, who did not wish to be named, said the issue is not just about tracing the culprits. “Anyone with knowledge of using a VPN can do this from anywhere in the country, or even the world. But what we question is why service providers like Microsoft and Google don’t restrict such emails or content when it is being typed by the user,” he said.

“Besides mandating a KYC policy, service providers can use firewall techniques too to restrict such threat emails, especially when objectionable words like ‘bomb’, ‘explosives’, or ‘blast’ are used,” the officer said.

A senior officer of the Delhi Police’s Cyber Crime investigation unit, however, disagreed. He said every agency will hit the same roadblock.

Lt General Rajesh Pant, an expert in the field of cyber security, who previously served as the National Cyber Security Coordinator in the Prime Minister’s Office, said the need of the hour is to set up a central agency to probe and investigate such critical matters.

“Agencies like i4C, CERT-In, NCSC (National Cyber Security Coordinator) have different roles, but (we need) a centralised agency, which can be responsible and accountable for dealing with such critical cyber security threats,” he said.

The senior Delhi Police officer also said the only way ahead is to set up an umbrella organisation of cyber experts and cyber officials who could exchange information to counter this threat.

“The Delhi Police already seeks assistance from central security and intelligence agencies in solving such technical cases. While some cases might be expedited slightly, these agencies also face similar limitations and cannot do much beyond that,” the officer said.