Computer Systems Of DRDO And Security Officials Breached And Sensitive Files Leaked

Indian critical infrastructures and sensitive computer systems are regularly targeted by crackers. In many cases they are also successfully compromised and in many cases their compromise is also not known for a considerable period of time.

This has happened in the past and it would happen in the future as well. Although there is no absolute mechanism to ensure their security yet we must develop offensive and defensive cyber security capabilities of India.

There are many glaring cyber security problems of India that must be addressed on a priority basis. We must formulate the cyber security policy of India as soon as possible. Similarly, we must also ensure cyber security skills and capabilities development in India. In short, Indian cyber security problems, issues and challenges management must be properly appreciated and adequately taken care of.

In a recent media report, it has been alleged that a successful Chinese cracking attack has caused one of the biggest security breaches in India. The cyber security breach has compromised systems of hundreds of key DRDO and other security officials. The breach has also resulted in leakage of sensitive files related to the cabinet committee on security (CCS), the highest decision-making body for security issues of the government of India.

The leak was detected in the first week of March as officials from India’s technical intelligence wing, National Technical Research Organisation (NTRO), working with private Indian cyber security experts cracked open a file called “army cyber policy”. The file had been attached to hacked email accounts of senior DRDO officials that quickly spread through the system in a matter of seconds.

As Indian security experts began to track its origin they discovered, for the first time, that all the sensitive files stolen from the infected systems were being uploaded on a server in the Guangdong province of China.

On further and detailed probe of the breach, it was discovered that thousands of top secret CCS files, and other documents related to surface-to-air missile and radar programmes from DRDL, a DRDO laboratory based in Hyderabad, among many other establishments. Even the e-tickets of the scientists who had travelled to Delhi in the last week of February were found on the server.

The intelligence officials also discovered documents of deals struck between DRDO and Bharat Dynamics Ltd, a defence PSU which manufactures strategic missiles and components. Some other recovered files were related to price negotiations with MBDA, a French missile manufacturing company.

At Perry4Law and Perry4Law’s techno Legal Base (PTLB) we believe that this clearly is a cyber security lapse and cyber security due diligence failure on the part of organisations and computers involved. Let us hope that Indian government would learn lessons from this episode and plug in the loopholes existing in the security of these systems.

Source: CECSRDI.

Regulations And Guidelines For Effective Investigation Of Cyber Crimes In India

Cyber crimes are increasing at a rapid speed in India. However, cyber crimes investigation in India has still to be developed to tackle these cyber crimes effectively. As on date the cyber crime investigation capabilities of law enforcement agencies of India is still deficient and they need proper training in this regard.

The legal and judicial systems of India also need to adapt as per the contemporary information technology oriented society. However, a majority of cyber crimes in India are not reported at all. Even if some cyber crimes are reported, they are not properly investigated and very few such cyber crime cases reach to the court level.

In the absence of scientific evidence and knowledge and proper cyber crime investigation, there are very few cyber crimes convictions in India. In fact, the Supreme Court of India is hearing many Public Interest Litigations (PILs) in this regard.

In one such PIL the Supreme Court of India has issued notice to Centre to seek its views in this regard. The Supreme Court has sought response from the Centre on a PIL seeking its direction to the government to frame regulations and guidelines for effective investigation of cyber crimes in India.

The notice has been issued by a Three Judge Bench of Supreme Court headed by Chief Justice Altamas Kabir. The PIL alleges that the common people are being harassed by police due to lack of procedural safeguards in the prevalent system of cyber laws.

The PIL originated out of the allegations of Pune-based businessman Dilip Kumar Tulsidas Shah who claimed that he was harassed by the police in a cyber crime case in which he was not involved.

 The petitioner seeks the remedy of issuing a writ of Mandamus, order or direction to the Centre to frame an appropriate regulatory framework of rules, regulations and guidelines for effective investigation of cyber crimes, keeping in mind the fundamental rights of citizens.

The Petitioner also contends that there is a near total lack of procedural safeguards in the prevalent system of cyber crime investigation. Police harassment of citizens, whether out of intention or ignorance, is rampant, says the Petitioner.

The Bench after hearing his arguments issued notice and clubbed his plea along with other similar PIL pending before it.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we have been working in the direction of spreading public awareness regarding cyber law on the one hand and cyber crimes investigation on the other. PTLB is managing the exclusive techno legal Centre of Excellence for Cyber Crimes Investigation in India.

PTLB is also managing the exclusive techno legal Cyber and Hi-Tech Crimes Investigation and Training Centre (CHCIT) of India. A special emphasis upon preventing and punishing cyber crimes against women in India has been undertaken by PTLB. 

PTLB has also launched a techno legal initiative named Intelligence Agencies and Law Enforcement Technology in India. The aim of this initiative is to develop the techno legal capabilities of law enforcement and intelligence agencies of India.

Intelligence agencies and law enforcement agencies of India are actively looking towards adoption and use of information and communication technology (ICT) for their functioning.

Ambitious projects like Crime And Criminal Tracking Network and Systems (CCTNS) Project Of India, National Intelligence Grid (Natgrid) Project Of India, National Counter Terrorism Centre (NCTC) Of India, Central Monitoring System (CMS) Project of India, National Cyber Coordination Centre (NCCC) Of India, etc require techno legal expertise. Law enforcement agencies of India must be aware of both technical as well as legal requirements in order to derive maximum benefits out of these projects.

If either the Supreme Court or the Centre needs our assistance regarding formulating regulations and guidelines for effective investigation of cyber crimes in India, Perry4Law and PTLB would be glad to extend the same.

Source: CECSRDI.

Cyber Security Policy Of India Would Be Formulated

Cyber security in India has now become a policy issue where top governmental official have endorsed about its importance and adoption. In fact, Indian government would soon come up with the cyber security policy of India.

As on date we have no implementable national cyber security policy of India. Even research and development in the field of cyber security is missing in India. Perry4Law Organisation is managing the exclusive techno legal cyber security research and development centre of India (CSRDCI).

Further, Perry4Law Organisation is also managing the exclusive techno legal centre of excellence for cyber security research and development in India (CECSRDI).

Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) welcome the efforts of Indian government to streamline the cyber security of the nation. At the same time we wish to stress upon the importance of critical infrastructure protection in India. Similarly, critical ICT infrastructure protection policy of India is also required to be formulated.

Presently the Indian critical infrastructures are vulnerable to cyber attacks. There are many challenges and issues that remain unredressed till date in this regard. The glaring cyber security problems of India need urgent attention of Indian government and security agencies.

The offensive and defensive cyber security capabilities of India must also be ensured to tackle growing cases of cyber attacks, cyber warfare, cyber espionage and cyber terrorism.

For those interested in further research and discussions on these topics, they may register with the cyber security forum of India and other techno legal forums of India managed by Perry4Law Organisation. We would discuss cyber security policy related issues of India at these forums.

Source: CECSRDI.

Cyber Security Forums Of India And Techno Legal Forums In India

Perry4Law Organisation has been discussing Techno Legal and Cyber Security related aspects for long. Perry4Law Law Firm is the chief Legal Division of Perry4Law Organisation that has been providing Techno Legal Services in India and abroad.

Perry4Law Organisation is managing many Blogs and Websites that are providing General and Specialised Expertise to various stakeholders. For instance, Perry4Law Organisation’s Blog is covering the general discussions whereas the blog titled Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) is covering domain specific Cyber Security related discussions.

Perry4Law Organisation is also managing many good Techno Legal Forums. Perry4Law Organisation’s Forum is the Parent Forum whereas domain specific Forums are also managed by Perry4Law Organisation. For instance, the Cyber Security Forum of Perry4Law Organisation is covering Techno Legal Aspects of cyber Security in India and abroad.

Along with the Cyber Security Forum, there are numerous other techno Legal Forums that are providing Domain Specific and Highly Expertise based discussions. These are:

(1) Cyber Security Forum Of Perry4Law Organisation

(2) Cyber Law Of India And International Cyber Law

(3) Cyber Security News And Views

(4) Techno Legal Think Tank of India

(5) Techno Legal Centre Of Excellence For Cyber Forensics In India (TLCECFI)

(6) National Cyber Security Database of India (NCSDI)

(7) Intelligence Agencies And Law Enforcement Technology In India

(8) Cyber Security Research Centre Of India (CSRCI)

(9) International Critical ICT Infrastructure Protection In India

(10) National Critical ICT Infrastructure Protection In India

(11) International Cyber Law Treaty And Cooperation

(12) International Cyber Security Treaty And Cooperation

(13) International Legal Aspects Of Cyber Security 
 
(14) National Legal Aspects Of Cyber Security In India

(15) Cyber Crimes Investigation In India

We would keep on updating on this topic from time to time. Further, we would also add more Forums and Sub Forums as well.

Perry4Law Organisation is also managing many Discussion Groups. These include:

(1)  Cyber Law Revisited

(2) Cyber Security Research Centre Of India (CSRCI)

(3) Intelligence Agencies And Law Enforcement Technology In India

(4) National Cyber Security Database of India (NCSDI)

(5) Techno Legal Centre Of Excellence For Cyber Forensics In India (TLCECFI)

(6) Techno Legal Think Tank of India

(7) Websites, Blogs And News Censorship By Google And India

Perry4Law Organisation hopes that these Forums and Discussion Groups would prove useful to all concerned.

Source: Perry4Law Organisation’s Blog.

Mobile Service Providers Of India Shall Use Indian Made SIM Cards

Cyber security issues in India are increasingly becoming part of Indian policy decisions. The cyber security policy of India is also witnessing this change. One significant shift in this regard can be found in the way India has been planning to use various hardware and software.

India has been pushing use of indigenously made hardware and software. Further, India has also declared its intention to make cyber security awareness brochures in India mandatory for hardware sale. It is clear that India is becoming serious about its national security and cyber security.

There is no second opinion that mobile banking cyber security in India and mobile cyber security in India are absolutely required. Similarly, the decision of Indian government to ban import of mobiles or cell phones in India with fake IMEI numbers is also justified.

We have no dedicated cell phone laws in India or mobile phone laws in India though they are very much required. However, some solace can be found in the form of governmental directions given from time to time.

Taking another step in ensuring mobile cyber security in India, the Indian government has now shown its concern that SIM cards, used by more than 900 million mobile users in the country, can be a major threat to national security as these might have been produced with malicious embedded software.

To ensure security, the Department of Telecommunications (DoT) has recommended that mobile service providers should manufacture the SIM cards in India with indigenously designed chips incorporating specific laid down standards. The DoT has also recommended that the clause should also be included in the proposed Cyber Security Policy.

The DoT has also proposed imposition of tax on imports of SIM cards till complete indigenous production is ensured. However, mobile companies will have to seek security clearances for such procurements.

Mobile Banking Cyber Security Is Required In India

Mobile banking in India is moving towards an acceptance level. However, till now very few people and institutions are comfortable in using mobile banking in India. Mobile banking in India is still not popular according to RBI. There are certain shortcomings of mobile banking in India that are still left unaddressed.

For instance, mobile governance in India is still not well established. M-governance in India is essential before mobile banking can be successfully implemented in India. We have no regulatory framework for m-governance in India. Even the proposed electronic delivery of services bill 2011 of India has failed to provide a mandatory legal framework for electronic delivery of services in India, including for mobile banking. In short, India is still not ready for m-governance and cloud computing especially in the absence of dedicated e-commerce laws in India.

Mobile banking in India is risky due to absence of mobile cyber security in India. Further, online banking system of India is not secure. In the absence of adequate cyber security safeguards, e-banking in India is not safe. The cyber security trends in India 2011 have also proved that Internet banking cyber security in India is in poor shape and it needs to be strengthened. Even data security, privacy and cyber security in Indian banking industry is not satisfactory.

Online banking risks in India are increasing and this is also shaking the confidence of customers in the same. Even RBI has acknowledged risks of e-banking in India. ATM frauds in India are increasing. In fact, Reserve Bank of India (RBI) has recently released the report of its working group on securing card present transaction that covers ATM security and credit card security issues as well. Internet banking risks in India cannot be effectively tackled till we have dedicated Internet banking laws in India.

Although an integrated banking law of India has been proposed yet it may take some years before it is actually enacted. In an interesting development, the RBI removed limits from mobile banking transactions limits in India. This is good for the development of mobile banking in India but is bad for the interests of mobile banking customers who have almost no safeguards against cyber crimes and technology assisted financial frauds happening in the mobile banking field.

The cyber law in India has prescribed cyber law due diligence for various stakeholders. Cyber due diligence for banks in India is just a part of the same. Cyber due diligence for Indian companies including banks operating in India is very stringent. However, Indian banks are not following the guidelines of RBI prescribing mandatory cyber security requirements for banks of India. Further, banks are also liable

Even on the policy front, mobile banking has received a bad response form Indian government. For instance, absence of effective encryption laws in India and non use of robust encryption in India has made the mobile security very weak in India. Instead of making the encryption requirements redundant and weak, India must concentrate upon further strengthening the same for better and secure mobile communications. Governments of most developed countries allow the usage of strong encryption standards ranging from 128 bits to 256 bits or more to ensure the security of sensitive information exchanged via Internet and other networks. However, India is still clinging to 40 bits encryption standards for the simple reason that intelligence and security agencies of India are not capable enough to break strong encryptions.

A weak mobile banking infrastructure would also affect other projects and schemes as well. For instance, recently the Securities and Exchange Board of India (SEBI) has declared about its intentions to introduce electronic initial public offer (E-IPO) in India. This is a good step but E-IPO cannot succeed in the absence of strong mobile banking and Internet banking infrastructure. Online payments mechanisms in India must also be suitable strengthened to make such proposals workable.

India must give these considerations some serious thoughts if it wishes to encash the benefits of technology. Otherwise, concepts like Internet banking and mobile banking are more nuisance than luxury in India.

Source: ICTPS Blog.

Mobile Cyber Security In India Is Needed

Mobile phones have become ubiquitous these days. They are used for multiple purposes ranging from personal use to mobile banking. Cyber criminals have also realised the importance of mobile phones for committing cyber crimes and financial frauds. This is also the reason why malware writers are also writing mobile phone specific malware to steal confidential and sensitive information.

Mobile cyber security in India has become a cause of concern these days. Mobile phones are now proposed to be used for mobile banking and mobile governance in India. Naturally, we must ensure robust mobile cyber security in India. An electronic authentication policy of India can help in more active and secure mobile usages in India. Mobile governance and e-authentication in India are also closely related and with the proposed electronic delivery of services in India this is also a must have requirement.

For the time being we have no implementable electronic delivery of services policy of India though it may be in pipeline. Indian government is working in the direction of ensuring electronic delivery of services in India. In fact a legal framework titled electronic delivery of services bill 2011 (EDS Bill 2011) has also been proposed by Indian government.

Once the EDS Bill 2011 becomes an applicable law, governments across the India would provide electronic services through various modes, including mobile phones. This requires putting a robust and reliable mobile security infrastructure in India.

However, using of mobile phones for commercial and personal transactions in India is also risky. For instance, the mobile banking in India is risky as the present banking and other technology related legal frameworks are not conducive for mobile banking in India. Similarly, we do not have a well developed e-governance infrastructure in India. As a result India is still not ready for m-governance.

We at Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that the biggest hurdles before the mobile related uses in India pertain to use of weak encryption standards and non use of mobile cyber security mechanisms in India. Absence of encryption laws in India has further made the mobile security very weak in India.

The ever evolving mobile malware are further increasing the woes of mobile users’ world wide. Recently 50 applications within Google’s official Android Market were found to be contaminated with DroidDream malware. The malware stole sensitive information like phone’s International Mobile Equipment Identity (IMEI) Number and the SIM card’s International Mobile Subscriber Identity (IMSI) number. It then sent it to a command-and-control server. Similarly, other spyware and bugs are also infecting mobile phones worldwide.

It is high time for India to seriously work upon mobile cyber security aspects as soon as possible. The policy decisions in this regard must be taken urgently and must be implemented as soon as possible.

Source: ICTPS Blog.

Mobile Cyber Security In India

Mobile phone has become an important aspect of our daily lives. We use mobile phone for multi purposes including mobile banking and mobile governance. With the use of third generation spectrum, even better, speedier and more productive use of mobile phones is now possible.

However, of all the benefits of use of mobile, we cannot ignore the risks associated with it. For instance, the mobile banking in India is risky as the present banking and other technology related legal frameworks are not conducive for mobile banking in India.

Similarly, we do not have a well developed e-governance infrastructure in India. Naturally, India is still not ready for m-governance. India does not have any infrastructure, legal framework, policies and strategies and most importantly expertise to implement these ambitious projects.

The biggest hurdles before the mobile related uses in India pertain to use of weak encryption standards and non use of mobile cyber security mechanisms in India, informs Praveen Dalal, managing partner of New Delhi based law firm Perry4Law. Absence of encryption laws in India has further made the mobile security very weak in India, says Dalal.

Mobile viruses and worms are further increasing the woes of mobile users’ world wide, claims Dalal. Recently 50 applications within Google’s official Android Market were found to be contaminated with DroidDream malware. The malware stole sensitive information like phone’s International Mobile Equipment Identity (IMEI) Number and the SIM card’s International Mobile Subscriber Identity (IMSI) number. It then sent it to a command-and-control server, informs Dalal. Similarly, other spyware and bugs are also infecting mobile phones worldwide

Instead of making the encryption requirements redundant and weak, India must concentrate upon further strengthening the same for better and secure mobile communications. Governments of most developed countries allow the usage of strong encryption standards ranging from 128 bits to 256 bits or more to ensure the security of sensitive information exchanged via Internet and other networks. However, India is still clinging to 40 bits encryption standards for the simple reason that intelligence and security agencies of India are not capable enough to break strong encryptions.

In fact, threats have been issued by Indian government to services providers providing encrypted mobile, e-mail and VOIP services. Gmail and Skype have been asked to provide the encryption keys to Indian government and its security agencies. However, neither Google nor Skype have admitted of receiving any such communication. India is also indirectly pressurising Blackberry to help India in its e-surveillance activities. These actions of Indian government would only make mobile security weaker.

Indian population is still not interested in mobile cyber security and if the default encryption protection is also taken away, mobile usage in India is definitely going to be suffered from malware attacks and cyber attacks. India must urgently concentrate upon mobile security so that these infected mobile cannot be used by criminals.

Source: Cjnews India.

Cyber Security Policy Of India

Cyber Security is an issue that tries to protect and preserve the Information Technology Infrastructure (ITI) of a Nation. Since Cyberspace is boundary less it is possible to attack the ITI of any Nation from any place.

We are still dealing with the Cyber Security issues in India. Although India has formulated the Cyber Security Strategy but it is more on the side of prescribed guidelines alone. The practical and actual implementation of the same is still missing.

Policies and Strategies issues are best implemented practically and effectively if they are made part of the National Policies. Till now we have not formulated a National Cyber Security Policy of India that is implantable at National level.

The Cyber Security Policy of India must cover areas like Cyber Laws, Cyber Crimes, Transnational Technological Crimes, Cyber Attacks, Cyber Warfare, Cyber Terrorism, Cyber Espionage, Human Rights Protection in Cyberspace, Critical Infrastructure Protection Plan, Critical ICT Infrastructure Protection, Crisis Management Plan, etc.

Till now there is no National Cyber Security Policy of India that covers these issues and is implementing the same. Our websites are frequently defaced, strategic computers are often compromised, sensitive defence documents are occasionally stolen and cyber espionage against India is frequently committed.

I also understand that it is not possible to have an absolute Cyber Security. The notion of having an absolute Cyber Security is a “Myth” as we cannot ensure absolute Cyber security anywhere. There are exploits and vulnerabilities, both hardware and software based, that cannot be anticipated and tackled in advance. In fact, “Zero Days Exploits” are the most difficult one to anticipate and handle. In these types of exploits all Cyber Security Measures proves ineffective and futile.

Further, human beings are usually the weakest link in the Cyber Security infrastructure and Social Engineering is the easiest way to break into a Computer System. Besides being easy, Social Engineering can be incredibly cheap. Social Engineering is the hardest form of attack to defend against because an individual or organisation cannot protect itself with hardware or software alone.

Both Government Departments and Private Companies must have good employee’s awareness activities and information dealing policies in place and the employees must strictly follow these policies. The employees must be willing to ask relevant questions while dealing with a request to provide sensitive information.

Indian Government must also focus upon Techno Legal Cyber Security Skill Development for its employees and departments. Suitable Techno Legal Cyber Security Courses must be made available to Government departments and employees. All these issues must be made part of the Cyber Security Policy of India that should be formulated and implemented as soon as possible.

Source: ICTPS Blog.

Cyber Security Of Indian Satellites And Critical Infrastructure

We are living in a technology era where technology is both a friend and foe. It is up to us to work in this direction and ensure on which side technology should be. If technology is used for delivery of public services, we have the benefits of concepts like e-governance and e-commerce. On the other hand if the technology is used for causing wrong or harm to others we face concepts like cyber crimes, cyber attacks, cyber warfare and cyber terrorism.

Cyber warfare, in its basic form as well, is now a well accepted cyber threat. Cyber warfare against India is also well known and we must formulate a cyber warfare policy for India to counter such threats. Indian defense and security against cyber warfare needs to be upgraded and strengthened.

Similarly, terrorism and cyber terrorism are also posing big security problems for India. Indian counter terrorism capabilities are not sufficient and there is an urgent need to strengthen the same. Similarly, cyber espionage and cyber terrorism against India is also well known.

To start with we must have a robust and effective cyber security in India. We must also have an implementable cyber security policy of India. The cyber security policy must keep in mind both the preventive as well as offensive cyber attacks and cyber defense capabilities.

Critical infrastructure protection in India needs to be undertaken on a priority basis. We must have a critical infrastructure protection policy of India that must be strenuously followed by all governmental departments, organisations and even by private service providers.

For instance, supervisory control and data acquisition (SCADA) systems are a favourite target for cyber criminals and cyber terrorists. By targeting SCADA these cyber miscreants can damage the critical infrastructure of India. We must ensure sufficient cyber protection of SCADA systems in India in general and critical infrastructure in particular.

Malware like Stuxnet and Duqu have already shown how critical infrastructures and SCADA systems are vulnerable to cyber attacks. Indian critical infrastructures have also been targeted by these Malware. It is believed that Stuxnet was responsible for shutting down an Indian communication satellite. Similarly, these Malware have also been targeting Indian nuclear systems and facilities.

Even the government computers have been comprised successfully in India in the past. Recently Indian National Informatics Centre’s (NIC) server were compromised and used to attack computers of other nations. Even satellites of various nations have been compromised and taken control of by terrorists and enemy nations.

These developments are serious enough and they must be sufficient for Indian government to formulate an implementable cyberspace crisis management plan of India. Of course, national security policy of India, cyber security policy of India, critical infrastructure protection policy of India, cyber warfare policy of India, etc must be integral part of the same. The sooner these steps are taken the better it would be for the larger interest of India.

Source: ICTPS Blog.

DARPA Would Develop Offensive And Preventive Cyber Capabilities

The Defense Advanced Projects Research Agency (DARPA) has been working hard to develop its cyber capabilities. It includes both offensive and defensive cyber capabilities. The seriousness of United States in this regard is also apparent from the fact that the US government’s advanced research unit has decided to increase its funding for cyber research by 50 percent over the next 5 years. This has been decided in response to the increased threat of cyber terrorism and cyber warfare that US is facing.

The DARPA, held it’s first-ever symposium to discuss how the U.S. military can better protect itself from foreign-backed hackers. DARPA’s director, Regina Dugan, told conference members the agency will work to develop offensive cyber capabilities as well as maintaining defensive lines.

Recent cyber attacks on multinational firms and institutions, ranging from Google, Citigroup, U.S. Senate's website to the International Monetary Fund, have raised fears that governments and the private sector are ill-prepared to beat off hackers. To tackle these sophisticated cyber criminals there is an urgent need to beef up offensive cyber capabilities.

DARPA’s conference would follow several months of discussion among security experts and military personnel as to how the U.S. should balance its offensive and defensive cyber weapons.

In a typical cyber attack by an enemy State, the critical infrastructure is the first choice. Estonia witnessed this truth in the past. Further, in cases of cyber warfare and cyber terrorism also critical infrastructure is the chief target of cyber attack. An international cyber security treaty can be a good solution for dealing with this problem at the international level.

Source: ICTPS Blog.

National Counter Terrorism Centre Of India: The Problems And Solutions

This is the research analysis of Perry4Law and Perry4Law Techno Legal Base (PTLB) regarding the legality, constitutionality, requirements, etc of establishment of national counter terrorism centre of India. Perry4Law and PTLB have outlined all the legal constitutional and administrative issues at a single place so that parliament of India, home ministry and Indian government can consider the same. Perry4Law and PTLB hope that this analysis would be useful for all concerned.

National counter terrorism centre (NCTC) of India has been facing many ups and downs. This is despite the fact that national counter terrorism centre (NCTC) of India is required to meet the growing national security requirements of India.

However, there are many constitutional, legal and administrative challenges that NCTC is facing. In the past the NCTC of India was downsized in its nature, scope and functions. Now NCTC of India is facing stiff oppositions from various States that consider establishment of NCTC as an encroachment upon their law and enforcement powers and federalism features of Indian constitution.

However, these objections and oppositions are mostly politically motivated and are not truly striking at the real problem from which NCTC has been suffering. The real issue that must be demanded by political parties is that parliamentary oversight of intelligence agencies of India is needed. Till now there is no parliamentary scrutiny of the intelligence agencies in India.

Indian Government is too reluctant to ensure parliamentary oversight for intelligence agencies and law enforcement agencies of India. If this is not enough, Indian government has been launching new projects having serious “constitutional ramifications” and “civil liberties violation” effects.

For instance, the national counter terrorism centre (NCTC) project of India, national intelligence grid (Natgrid) project of India, Aadhar project of India, crime and criminal tracking network and system (CCTNS), etc are not governed by any legal framework and parliamentary oversight. Indian government is not willing to understand and accept that intelligence work is not an excuse for non accountability.

For some strange reasons intelligence infrastructure of India has become synonymous for non accountability and mess. There is neither any parliamentary oversight nor and transparency and accountability of the working of intelligence agencies of India.

Even a basic level effort to enact a legal framework for intelligence agencies of India is missing in India. The first and foremost challenge to such parliamentary oversight mechanism comes from the intelligence agencies themselves that do not wish to be governed by any rules and norms at all. Then we have “bureaucratic hurdles” in India that do not allow such a legal framework to be proceeded with. Finally, the parliament of India itself is not interested in bringing these intelligence agencies within the fold of parliamentary oversight.

Take the example of the recent private bill titled intelligence services (powers and regulation) bill, 2011. It was shelved out by none other than the Indian Prime Minister Dr. Manmohan Singh who announced that law on intelligence agencies would be formulated soon. However, it proved nothing but a “time gaining tactics” and so far intelligence agencies of India are not governed by any legal framework and parliamentary oversight. Interestingly, even the central bureau of investigation (CBI) is riding the same boat. The draft central bureau of investigation act, 2010 is another example where the Indian government is just interested in making “declaration” with no actual “intention” to implement the same.

In these circumstances, can the States trust the Centre regarding the establishment of National Counter Terrorism Centre (NCTC) of India? The answer is definitely negative even if States keep their “political interests” aside. Of course, there are “practical difficulties” and “internal turf war” among various agencies and ministries of Central government a well. It seems the obvious but unsolvable terrorism dilemma in India would continue as national interest of India and fighting terrorism is not a “national priority”.

Till now the constitutionality of the national investigation agency act 2008 (NIAA 2008) has not been accepted by States and now NCTC has been launched through an “executive order”. The practice of clubbing new projects, agencies and institutions with existing laws is a bad approach. So NCTC without a legal framework is definitely unconstitutional and even tagging it with the Unlawful Activities (Prevention) Act, 1967 would not save it from the patent and apparent unconstitutionality with which it is suffering.

The NCTC project of India is also “very significant” for the national security of India. Terrorist attacks against India are on increase and we need a “specilaised institution” like NCTC to provide and analyse valuable intelligence inputs and leads.

The real problem seems to be “lack of coordination and harmonisation” between the Centre and States. The Constitution of India has made a clear demarcation between the legislative, executive and judicial powers of Centre and State. The NIAA 2008 and NCTC are sitting at the “border line” of the legislative and executive powers of Centre that can be challenged by various States.

The intentions of Home Minister of India are good but the concerns of States are also of equal force. Further, the turf war between multiple intelligence agencies operating under different government ministries is also causing problem for the successful establishment of NCTC. Even there is a lack of proper planning and management on the part of Union Home Ministry that is causing delayed implementation of projects like Natgrid, NCTC, CCTNS, etc.

If the Home Minister really wants his projects to become successful, he has to think well beyond the present “parameters and objectives” set by Indian government in general his own ministry in particular. A good starting point can be formulation of a “constitutionally sound legal framework” that can confer legitimacy and constitutionality to projects like NATGRID, NCTC, CCTNS, etc. Obviously, States must be taken into confidence before starting any such legislative exercise.

This must be supplemented by sound planning and management. The projects of Home Ministry are neither simple nor easy to execute. They required dedicated efforts from all directions. Experts from diverse fields must be on panel of Home Ministry so that these Projects can be successfully implemented. We are sure Home Minister would have already considered these aspects and we wish all the best to him in this regard.

Source: ICTPS Blog.

National Critical Information Infrastructure Protection Centre (NCIPC) Of India

In the recent times, there is an increasing stress upon cyber security at the international level. This is so because cyber attacks are happening at the international level and all the countries are facing this threat.

Countries are trying to coordinate cyber security initiatives at national and international levels. However, cyber security in India is still not up to the mark. India is increasingly facing cyber attacks and cyber threats from foreign nationals.

The cyber laws and cyber security trends of India 2011 by Perry4Law and Perry4Law Techno Legal Base (PTLB) has clearly showed the cyber security vulnerabilities of India. The cyber law trends of India 2012 have also projected an increased rate of cyber crimes in India and cyber attacks against India in the year 2012.

For instance, cyber terrorism against India, cyber warfare against India, cyber espionage against India and cyber attacks against India have increased a lot. Presently, we do not have a strong cyber law to deter cyber attacks and cyber crimes. Further, we have no cyber security laws in India as well.

Cyber security is also crucial to protect critical infrastructure protection of India. Critical infrastructure protection in India requires a well formulated policy. Presently we have no critical infrastructure protection policy of India. Even critical ICT infrastructure protection in India is required.

A national critical information infrastructure protection centre (NCIPC) of India has been proposed. It intends to ensure critical infrastructure protection and critical ICT infrastructure protection in India.

There are few prerequisites that can make the NCIPC of India successful. Firstly, there must be a centralised ICT command centre of India that can coordinate various cyber security issues. Secondly, specialised agencies and authorities must be constituted for critical infrastructure areas like power, telecom, defense, etc. These agencies and authorities must coordinate with the centralised command centre for cyber security related issues.

Ministry of communication and information technology (MCIT) has already taken certain initiatives in this regard. For instance, a central monitoring system (CMS) project of India has been launched by MCIT to monitor and intercept electronic communications, messages and information. Further, a national telecom network security coordination board (NTNSCB) of India has also been proposed to strengthen the national telecom security of India.

Similarly, the home ministry of India has also launched national intelligence grid (Natgrid) project of India, crime and criminal tracking networks and systems (CCTNS) project of India, national counter terrorism centre (NCTC) of India, etc. These projects intend to strengthen the intelligence gathering and counter terrorism capabilities of India.

However, there is a big problem in the successful implementation of all the abovementioned projects and initiatives as well as the NCIPC of India. Indian government has been avoiding parliamentary oversight of these projects. This is a bad precedent that needs to be urgently taken care of. We need urgent parliamentary oversight for e-surveillance in India, Internet censorship in India, intelligence gathering in India, intelligence authorities of India, central bureau of Investigation, law enforcement agencies of India, Aadhar project of India, etc.

Even privacy laws in India, data security laws in India, data protection laws in India, etc are urgently required to be formulated. The cyber law of India must be suitably amended, perhaps repealed, to make a more robust and stringent cyber law of India. We need dedicated cyber security legal framework in India and cyber forensics laws in India.

For too long Indian parliament has been ignoring its crucial legislative business and it is high time for Indian parliament to do the needful in this regard. Contemporary techno legal issues cannot be left at the mercy and indifference of Indian parliament and Indian government as that may have serious adverse effects upon Indian economy and national security of India.

Source: ICTPS Blog

National Cyber Coordination Centre (NCCC) Of India

Cyber law issues, cyber security and national security are on agenda of Indian government these days. However, till now cyber security in India is not upto the mark and cyber law of India requires an urgent repeal. This is because the entire approach and attitude of India government is defective.

Indian government has failed to understand that e-surveillance is not a substitute for cyber security capabilities. Instead of developing cyber security capabilities of India, the Indian government is stressing upon growing use of e-surveillance in India and Internet censorship in India.

All these exercises of India government have been done without any legal framework supporting these initiatives of Indian government. Phones are tapped in India without a constitutionally valid phone tapping laws in India. The central monitoring system project of India (CMS Project of India) is also not supported by any legal framework. Surveillance of Internet traffic in India is also another area that requires a sound legal framework. Various authorities with far reaching powers have been created without any legal backing.

Now the government has proposed setting up of National Cyber Coordination Centre (NCCC) of India. The NCCC would provide actionable alerts to government departments in cases of perceived security threats. It is hoped that this would help in fighting terrorists and other cyber criminals.

The NCCC will scan whole cyber traffic flowing at the point of entry and exit at India’s international Internet gateways. The web scanning centre will provide actionable alerts for proactive actions to be taken by government departments. All government departments will now talk to the Internet Service Providers (ISPs) through NCCC for real time information and data on threats. Presently, the monitoring of web traffic is done by Centre for Development of Telematics (C-DoT) which has installed its equipments at the premises of ISPs and gateways.

All tweets, messages, emails, status updates and even email drafts will now pass through the new scanning centre. The centre may probe further into any email or social media account if it finds a perceived threat.

India’s National Security Council Secretariat (NCSC) has asked various departments to assess their needs for officials, who will coordinate with the scanning agency. The National Security Council handles the political, nuclear, energy and strategic security concerns of the country.

This can be another agency without a legal framework. Creating agencies without legal framework is counter productive as it violates civil liberties and human rights. The Indian government must keep this in mind while creating NCCC.

Source: ICTPS Blog

Cyber Security Of Banks In India And RBI

Reserve Bank of India (RBI) has in the past constituted a Working Group on Information Security. The Working Group submitted its initial report a few months back. RBI invited public comments upon that report and after analysing these comments, it issued a “Notification” asking the banks of India to comply with its recommendations.

Multiple deadlines were demarcated by RBI for implementation of its recommendation by banks of India. While not all these recommendations are mandatory some of them are and banks of India must comply with the same till October 31, 2011. These mandatory recommendations pertain to policies and procedures which do not require extensive investment.

For instance, RBI has directed that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. This is a policy decision that may be required by RBI to be implemented till October 31, 2011.

However, it seems the recommendations of the RBI have still not been implemented. Till now there are no signs that cyber security of banks has been streamlines. ATM frauds, credit card frauds, phishing frauds, Internet banking frauds, etc are increasing in India. In fact, RBI ombudsman office is flooded with ATM frauds related complaints.

Recently RBI imposed penalty upon 19 banks for non compliance of prescribed standards. Similarly, RBI has also directed that any strictures passed against directors of a bank by any financial sector regulators must be reported to it. Non compliance of the recommendations of RBI Working group may attract both penalty and strictures.

Banks need to adopt techno legal measures to prevent ATM and other similar frauds. Further, cyber due diligence trainings for bank employees can also be beneficial in this regard. Banks must also appoint steering committees and CIOs as soon as possible.

Source: ICTPS Blog.

Managing India’s Cyber Security Problems, Issues and Challenges

One area where lot of stress and importance is given these days is cyber security of India. India remained indifferent towards cyber security for long hence it has to work really hard to make its cyber security infrastructure proper, effective and robust. There are many cyber security issues of India that have still been left unattended. The cyber security issues and challenges in India require urgent attention of Indian government as we have already delayed this process.

India is facing cyber threats from cyber terrorism, cyber warfare, cyber espionage, etc and we must develop both offensive and defensive cyber security capabilities in India. India is also facing continuous and serious cyber threats that have been endangering the critical infrastructures of India. In these circumstances, there is an urgent need to strengthen critical infrastructure protection in India. We cannot achieve this task without ensuring cyber security skills development in India.

Concerns regarding insufficient cyber security in India have been raised for long but the Indian government remained indifferent to cyber security of India for long. However, some committed and dedicated private players have been playing a pro active role in strengthening the cyber security of India.

We at Perry4Law, Perry4Law Techno Legal Base (PTLB) and Perry4Law Techno Legal ICT Training Centre (PTLITC) have launched exclusive techno legal Cyber Forensics Research Centre Of India, Cyber Security Research Centre Of India And Cyber Crimes Investigation Centre Of India To Strengthen Indian Cyber Security And Cyber Forensics Capabilities.

Another major lacuna in the cyber security field is absence of implementable cyber security policy of India. Till various cyber security declarations and promises are actually implemented, they are of no use. As on date we have no implementable national cyber security policy of India.

Even basic level techno legal frameworks are missing in India. For instance, we have no dedicated cyber security laws in India. We also do not have dedicated encryption laws and regulations in India. Even Legal Framework For Mandatory E-Governance In India And Legal Framework For Cloud Computing In India are missing. The Mandatory E-Delivery Of Services In India is also missing.

India has to cover a long road in order to make its cyber security effective. It is high time to move beyond declarations and promises as they would not serve any purpose in the present times.

Source: CSRDCI.