Ads

Ads
Center Of Excellence (CoE) For Internet Of Things (IoT) In India

Monday, November 16, 2015

Cyber Security Breaches Are Increasing World Over And India Must Be Cyber Prepared

Cyber attacks have not only become sophisticated but they have also increased significantly in terms of numbers. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc are example of the contemporary Malware that are far beyond the reach of present cyber security mechanisms. These Malware are stealth in nature and till the time they are discovered the damage is already done.

It has been reported by the ICS-CERT of United States that a U.S. public utility was cyber attacked and its control system network were compromised. Similarly, E-Bay has asked for change of passwords after breach of its database containing account information. Before that Target Corporation was targeted by cyber criminals and as a result of that Target Corporation faced litigation threats around the world.

The cyber attack scenario has shifted its nature and territorial scope from being fun and regional to become a potential tool of cyber warfare and cyber espionage. We have no globally acceptable international legal regimes for cyber attacks as on date. Thus, international legal issues of cyber attacks are yet to be resolved.

Cyberspace also put forward complex problems of authorship attribution for cyber attacks and anonymity. Cyberspace also gives rise to conflict of laws in cyberspace where multiple laws of different jurisdictions may be applicable at the same time. Thus, cyber security and international cooperation cannot be separated in these circumstances.

Meanwhile, nations around the world are streamlining their respective cyber security capabilities. We must also develop offensive and defensive cyber security capabilities of India. As per the cyber security trends and developments of India 2013 (PDF) India is lagging far behind than required cyber security initiatives.  Cyber security in India is still not upto the mark in the absence of a dedicated cyber security law of India.

Even compulsory cyber security breaches notification norms are missing in India. Recently the National Security Council Secretariat (NSCS) requested Reliance Jio Infocomm to share potential cyber security threats on India’s telecom networks. India has announced that cyber security breach disclosure norm would be formulated very soon. However, till now no such disclosure norms are applicable in India against companies/telecom companies/ISPs of India and this could raise serious cyber security issues for India in the near future.

These cyber security breach disclosures are important as critical infrastructures of India like automated power grids, thermal plants, satellites, etc are vulnerable to diverse forms of cyber attacks. This is the reason why NTRO has been assigned the task of protecting the critical infrastructure of India. Till the national cyber coordination centre (NCCC) is put into place, national level cyber security coordination would be missing. The cyber crisis management plan of India and the cyber security policy of India must also be made operational as soon as possible.

Strict enforcement of the license conditions (PDF) against telecom companies operating in India and the proposed national telecom security policy of India 2014 may strengthen the cyber security infrastructure of India. However, nothing is better than formulating a good cyber security law of India that can establish a regulatory regime for compulsory cyber security breach notifications on the part of companies/telecom companies/ISPs.  Let us hope that the new Indian government would do the needful as soon as possible.

Cyber Security Challenges Before The Narendra Modi Government

As Mr. Narendra Modi is all set to swear to the post of Prime Minister of India he has to face unlimited challenges that have accumulated over a period of time. Thanks to our bureaucratic set up and all pervasive corruption, public reforms have always been kept at bay. There was no dearth of money and skilled people to accomplish the projected targets but still a dominant majority of projects in the last decade have failed to materialise.

Now that Mr. Modi has asked for a brief but accurate report and analysis of the situation, our bureaucrats are sweating and are in high stress. Even if they may somehow justify their non action and national reforms massacre still they would not be in a position to accomplish the mammoth tasks that have yet to be achieved. Decades of corrupt practices, incompetencies and indifference cannot be defeated in few years especially by retaining the same bureaucratic and ministerial structure.

Although there are hundreds of issues of national importance yet I would like to confine myself to a single issue that is closely and intrinsically related to our national security. The issue that I am talking about is the cyber security of India that is in a really bad shape (PDF). For decades our bureaucrats and Indian government did not consider cyber security as an essential part of national security policy of India. As a result cyber security has been grossly neglected and this has created a situation of high alert.

Even on the legislation front, India has failed to do the needful. For instance, we need to repeal the laws like Information Technology Act, 2000 (IT Act 2000), Indian Telegraph Act, 1885, etc but for some strange reasons our bureaucrats and Indian government kept them intact. I have been suggesting this recourse for the past five years but till now nothing concrete has happened in this regard. Similarly, crucial laws are absent from Indian statute books. These include law regarding privacy, data protection (PDF), telecom security, encryption, cloud computing, etc.

Mr. Modi would be required to not only overhaul his cabinet structure but also cleanse the bureaucratic circles that have been plaguing Indian reforms. Bureaucrats and politicians with clean image, hard working reputation and reforms oriented approach must alone be part and parcel of the Prime Minister’s Office (PMO) that may emerge as a “centralised national reforms point” of India. The approach regarding the proposed PMO is much required as that may be a game changer for India.

The previous PMO of India has already sanctioned a plan to spend 1,000 crore over the next four years to strengthen the cyber security capabilities of India. All Mr. Modi has to do is to make it sure that this may not be another proposal with no actual implementation. It must also be ensured that the allocated money is not only utilised but corrupt practices must also not take place while executing the cyber security project.

Obviously India needs to establish both offensive and defensive cyber security capabilities. This is important to protect the critical infrastructures (PDF) of India that are dependent upon information technology. A cyber warfare policy of India (PDF) must also be formulated as Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc are far beyond the reach of present cyber security mechanisms. These Malware are stealth in nature and till the time they are discovered the damage is already done.

Skilled workforce is also need of the hour and for this purpose cyber security courses must be introduced at the university level. Online education must be encouraged so that online cyber security courses can be imparted in India.

In short, the cyber security challenges before the Modi Government are institutional, skills driven, time sensitive and urgent in nature. We have already delayed strengthening of our cyber security capabilities and any further delay should not be tolerated by him.

Sunday, November 15, 2015

Indian Cyberspace Must Be Protected On A Priority Basis

A robust cyber security is essential to protect critical infrastructures (PDF) and public services rendered through information technology. If world wide events are some hints then India must seriously think in the direction of ensuring effective cyber security for Indian IT infrastructures and cyberspace. However the new Government would face many cyber security challenges as India has ignored cyber security for decades.

Meanwhile, Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc have been written to subvert the cyber security of Nations around the world. They are clearly made with the objective to indulge in cyber espionage, cyber warfare and cyber terrorism. If India establishes a counter terrorism centre, cyber security would be integral part of the same. In fact, the intelligence agencies of India have been working in the direction of acquiring a legal immunity for themselves while indulging in cyber deterrent acts.

India would revise her national security priorities now as the new Government is more committed towards that. The same would be techno legal in nature as considering traditional security alone would be counter productive in the long run. Cyberspace has emerged as a new security frontier and the new Government is well equipped to deal with the same.

However, companies, business houses, Government departments, public utility service providers and defence forces must also change the way they are presently managing their cyber security affairs. The cyber security obligations of stakeholders like law firms, e-commerce websites, directors of companies, Government departments, thermal power sector, power and energy utilities, etc must be properly understood and effectively implemented in India.

In order to achieve this, the Government must take pro active steps. For instance, there is an urgent need to formulate and actually implement cyber security breach disclosure norms and cyber crisis management plan. Similarly, National Critical Information Infrastructure Protection Centre (NCIPC) of India, National Cyber Coordination Centre (NCCC) of India, Tri Service Cyber Command for Armed Forces of India, etc. must also be constituted and made active immediately.

The cyber security trends of India (PDF) have shown that Indian cyber security initiative and efforts are grossly inadequate and poorly coordinated. There is no centralised coordination between various cyber security projects of India and all are operating in an independent manner. At times this creates a conflict situation between them and the end result is very disappointing.

There are little efforts towards modernisation of law enforcement and intelligence agencies of India. Cyber forensics methods and techniques are also not widely used (PDF) by our law enforcement and intelligence agencies like Enforcement Directorate (ED), Central Bureau of Investigation (CBI), etc in the absence of techno legal expertise. Even investigations into the cases of IPL match fixing, Nokia’s software download, etc was not upto the mark. The regulations and guidelines for effective investigation of cyber crimes in India are still awaited and many cyber criminals are not prosecuted effectively.

All these lacuna and shortcomings have created a vicious circle of problems that is detrimental to Indian cyberspace. We have to systematically cure these defects and shortcomings one by one as they are interrelated in nature. While doing so we must keep in mind the fragile and precarious nature of Internet and cyberspace that would create troubles for India in the near future.

Intelligence Community, Social Media And Open Source Intelligence

Intelligence Community has been engaged in “Intelligence Gathering Activities” for long. This may be covert or overt, technological or non technological, legal or illegal and so on. But this gathering exercise was there and it is going to be there in future as well.

However, modern practice of Intelligence Gathering is crucially different from traditional practices. Traditional Intelligence Gathering was more on the side of Human Intelligence (HUMINT) whereas the contemporary one is based more upon Information and Communication Technology (ICT).

As far as Technological Intelligence Gathering is concerned, Social Media is a “Favourite Destination” for Intelligence and Security Agencies. Social Media is a favourite destination because it is a “Gold Mine” of valuable and voluntary information available for ready reference. Social Media also provides the best platform for Open Source Intelligence (OSINT).

Social Media also, in majority of cases, provides a “Legally Obtainable” and “Legally Relevant” Evidence. Since the “Information” or “Evidence” is available “Openly” and to “Public at Large” and in a “Non Confidential” manner, generally any such acquired Information or Evidence can be “Relied Upon” in a Court of Law. However, “Admissibility” of such Evidence is subject to the “Discretion” of the Court and well established “Legal Principles”.

Besides Intelligence Agencies, Military Forces are also using Social Media to gain Information relevant to their uses. Military and Intelligence Agencies have been using “Fake Profiles” to get such Information. The aim may be to get a “Predictive Behaviour or Trend” or to obtain any other Information that is of “Strategic Importance”.

Getting Information from Social Media requires good Communication and Data Mining Skills. However, while doing so, one must not violate any Civil Liberties or Laws Protecting such Information. Although many countries have Social Media Laws, we have no dedicated Social Media Laws in India. Even we do not have any Social Media Policy of India.

Social Networking Laws in India are urgently required. To start with, we must have a Social Networking Policy of India. Open Source Intelligence through Social Media Platforms would raise a number of Techno Legal Issues, especially Civil Liberty Issues. For instance, questions like what constitutes “Public Data”, how can a Person Legally obtains Data, what is the “Relevancy” of such Information/Data, how the “Admissibility” of such Information/Data would be decided, etc would be asked.

Similarly, Privacy Issues, Speech and Expression Issues, scope and nature of E-Surveillance, etc would also be required to be resolved in future. This is a new field for both Law makers and Law Enforcers and needs an “Urgent Attention” of Parliament of India.

Techno Legal Analysis Of Gameover Zeus Or GOZ Botnet And P2P Malware

The present era belongs to highly sophisticated and accurately targeting malware that are compromising computer systems at will. Not only they have the capabilities to infect even the most secured and sophisticated systems, they are also designed to remain under the radar and work in a stealth mode. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc just few examples that we are aware of and there are many more still operating that we are not aware of at all. Some of them are operating in the hidden Internet or deep web using encryption and anonymous systems.

Financial institutions and financial credentials are widely targeted by Malware for obvious reasons. Besides targeting financial organisation, botnet are used for all sorts of illegal activities over the Internet. For instance, for online advertisement industry alone, botnet are causing losses upto the extent of $6 million a month.

One such Malware is known as Zeus that is well known for stealing banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads, spam and phishing techniques. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The latest variant of Zeus is known as Gameover Zeus, or GOZ botnet.

According to a good research analysis (PDF) of GOZ botnet, Zeus is a family of credential-stealing trojans which originally appeared in 2007. The first two variants of Zeus are based on centralized command servers. These command servers are now routinely tracked and blocked by the security community. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. Compared to earlier versions of Zeus, this peer-to-peer variant is fundamentally more difficult to disable.

Due to its lack of centralized C2 servers, P2P Zeus is not susceptible to traditional anti-Zeus countermeasures, and is much more resilient against takedown efforts than centralized Zeus variants. The main P2P network is divided into several virtual sub-botnets by a hardcoded sub-botnet identifier in each bot binary. While the Zeus P2P network is maintained and periodically updated as a whole, the sub-botnets are independently controlled by several botmasters.

The Zeus P2P network serves two main purposes. These are: (1) Bots exchange binary and configuration updates with each other and (2) Bots exchange lists of proxy bots, which are designated bots where stolen data can be dropped and commands can be retrieved. Additionally, bots exchange neighbor lists (peer lists) with each other to maintain a coherent network. As a backup channel, P2P Zeus also uses a Domain Name Generation Algorithm (DGA), in case contact with the regular P2P network is lost.

According to researchers, P2P Zeus has evolved into a complex bot with attack capabilities that go beyond typical banking trojans. They believe that P2P Zeus is used for activities as diverse as DDoS attacks, malware dropping, Bitcoin theft, and theft of Skype and banking credentials. Researchers have also found that till recently bot traffic was encrypted using a rolling XOR algorithm, known as “visual encryption” from centralized Zeus, which encrypts each byte by XORing it with the preceding byte. Since June 2013, Zeus uses RC4 instead of the XOR algorithm, using the recipient’s bot identifier as the key. Rogue bots used by analysts to infiltrate the network typically use continuously changing bot identifiers to avoid detection. The new RC4 encryption is a problem, because a rogue bot may not always know under which identifier it is known to other bots, thus preventing it from decrypting messages it receives. In addition, RC4 increases the load on botnet detection systems which rely on decrypting C2 traffic.

Zeus uses RSA-2048 to sign sensitive messages originating from the botmasters, such as updates and proxy announcements. In all P2P Zeus variants researchers studied, update exchanges and C2 messages feature RC4 encryption over an XOR encryption layer. For these messages, either the identifier of the receiving bot or a hardcoded value is used as the RC4 key, depending on the message type. Each Zeus bot runs a passive thread, which listens for incoming requests, as well as an active thread, which periodically generates requests to keep the bot up-to-date and well-connected.

The researchers have concluded (PDF) that P2P Zeus is a significant evolution of earlier Zeus variants. Compared to traditional centralized versions of Zeus, P2P Zeus is much more resilient against takedown attempts. Potential countermeasures against P2P Zeus are complicated by its application of RSA-2048 signatures to mission critical messages, and rogue bot insertion is complicated by the Zeus message encryption mechanism which makes the use of random bot identifiers impossible. Poisoning attempts are forced to use widely distributed IPs due to a per-bot IP filter which only allows a single IP per /20 subnet. The network’s resilience against takedown efforts is further increased by its use of a Domain Generation Algorithm backup channel, and by an automatic blacklisting mechanism. P2P Zeus demonstrates that modern P2P botnets represent a new level of botnet resilience, previously unseen in centralized botnets.

On the legal side, the creator and users of Gameover Zeus are difficult to prosecute. This is because the cyber attack scenario has shifted its nature and territorial scope from being fun and regional to become a potential tool of cyber warfare and cyber espionage. We have no globally acceptable international legal regimes for cyber attacks as on date. Thus, international legal issues of cyber attacks are yet to be resolved.

Cyberspace also put forward complex problems of authorship attribution for cyber attacks and anonymity. Cyberspace also gives rise to conflict of laws in cyberspace where multiple laws of different jurisdictions may be applicable at the same time. Thus, cyber security and international cooperation cannot be separated in these circumstances. Nevertheless international cooperation among law enforcement agencies of different Nations and entering of extradition treaty among themselves can be a good beginning. Some success has already been achieved in this regard and more international cooperation is expected very soon in the cyber law and cyber security fields.

Intelligence Agencies Reforms In India Are Urgently Needed

Intelligence Agencies play an important role in protecting National Security of a country. They help in maintaining Internal and External Security of a Nation. The very nature of their functioning and work requires some degree of Anonymity, Secrecy and Confidentiality. However, this must not be confused with “Non Accountability” and “Lack of Transparency”. Unfortunately, Indian Intelligence Agencies have become synonymous to Non Accountability and Lack of Transparency.

World over it has been accepted that there must be a balance between National Security and Civil Liberties Protection. The United Nations (UN) Third Committee has also approved a text titled Right to Privacy in the Digital Age. This is in recognition of the Privacy Right in the Information Era that has gained prominence off late. It also means that the Big Brother must not “Exceed its Limits” as prescribed by the Human Rights and Civil Liberties Protection in Cyberspace.

India is clearly inclined to become an “Endemic E-Surveillance State” with no respect for Constitutional Rights and Civil Liberties. The journey of India “From Welfare State to E-Police State” began in 2009 with the notification of Information Technology Amendment Act, 2008 and it became complete in the year 2014 with the introduction of E-Surveillance Projects like Central Monitoring System (CMS) and Internet Spy System Network And Traffic Analysis System (NETRA) of India. I even suggested in May 2013 that Indian CMS must be subject to Prime Minister Office (PMO) “Scrutiny and Intervention”.

Nevertheless, the Big Brother Initiatives in India remained unaffected. In fact, the Congress Government made it “Absolutely Sure” that various E-Surveillance Projects are not only “Kept Alive” but they should also be “Made Immune from Judicial Scrutiny”. Our Constitutional Courts also did not consider it necessary to interfere and take appropriate actions.

To make the matter worst, we have no E-Surveillance Policy of India. It is now well known that Indian Government forced Telecom Companies like Vodafone to install “Secret Wires” to indulge in Unconstitutional E-Surveillance and Phone Tapping. Similarly, Indian Telecom Infrastructures have been constantly used for indulging in Unconstitutional E-Surveillance Practices as we have no implementable Telecom Security Policy in India.

In other jurisdictions, new methods of E-Surveillance are devised on regular basis. For instance, use of Radio Waves and Malware United State’s NSA for World Wide E-Surveillance is well known. The Department of Justice (DOJ) has recently announced a New Reporting Methods for National Security Orders. India on the other hand, is not at all interested in making its Intelligence Agencies and E-Surveillance Projects “Accountable to the Parliament”. This is a situation that needs to be urgently changed as it “Undermining the Constitution” and “Rule of Law” has no meaning and significance in these circumstances.

Indian Government does not understand and accept that Law Enforcement and Intelligence Work is “Not an Excuse for Non Accountability”. For some strange reasons Intelligence Infrastructure of India has become synonymous to Unaccountability and Mess. There is neither any Parliamentary Oversight nor and Transparency and Accountability of the working of Intelligence Agencies of India.

Perry4Law has already provided a “10 Point Legal Framework for Law Enforcement and Intelligence Agencies in India” (PDF) to the Government of India in September 2009. However, the Indian Government failed to act upon the same and to formulate a Techno Legal Framework accordingly.

In a Recent Landmark Judgment (PDF), the constitution of CBI was held Unconstitutional by Gauhati High Court. In my personal opinion, the decision of Gauhati High Court declaring CBI unconstitutional is “Legally Sustainable”. Although almost all have criticised this decision of Gauhati High Court yet it is “Neither Absurd nor an Uncalled One”. Parliamentary Oversight of any Law Enforcement Agency is the “Core Requirement” under Indian Constitution. However, our Intelligence Agencies and many Law Enforcement Agencies, including CBI, are not governed by any sort of Parliamentary Oversight.

Unfortunately, the Supreme Court of India stayed this decision. This may be for a good cause if the Modi Government utilises this opportunity to formulate suitable Law for CBI and other Intelligence Agencies of India. However, this exercise of Supreme Court would be the “Most Unfortunate One” if there is no action in this regard by the Modi Government. So what should be the Modi Government’s next step?

Firstly, there is an urgent need to repeal draconian laws like Telegraph Law and Indian Cyber Law. Secondly, there is a dire need to formulate dedicated Telephone Tapping Law of India as soon as possible. Thirdly, India “Must Reconcile” the Civil Liberties and National Security Requirements but the same is presently missing. Indian Government is also “Not Serious” about formulating a dedicated Privacy Law for India. Data Protection and Privacy Rights in India are in real bad shape.

Fourthly, India’s own Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), NETRA, etc are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. In short, Intelligence Infrastructure of India needs Transparency and Strengthening to make it “Effective and Accountable”.

With the new Government some action in this regard is expected but only time would tell whether Modi Government would “simply step into the shoes of Congress” or actually protect the Constitutional Rights of Indian Citizens.

Saturday, November 7, 2015

India Opposes Proposal To Include Cyber Security Technologies Under The Wassenaar Arrangement

One of the ways to prevent technologies and weapons from falling into wrong hands is to restrict and regulate their export out of the jurisdictions possessing the same. By putting export restrictions, weapons and technologies can be exported according to set norms and under scrutiny.  The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) is one such arrangement between many western countries.

The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability. Participating States seek, through their national policies, to ensure that transfers of restricted items do not contribute to the development or enhancement of military capabilities. The decision to transfer or deny transfer of any item is the sole responsibility of each Participating State. All measures with respect to the Arrangement are taken in accordance with national legislation and policies and are implemented on the basis of national discretion.

The Wassenaar Arrangement is focusing primarily on the transparency of national export control regimes and not granting veto power to individual members over organisational decisions. It is not a treaty, and therefore is not legally binding. However, through its collective decision making process, it can prohibit the transfer of a particular technology to non member nation(s). India is one such non member Nation and she has keen interests in import of technologies like cyber security software and hardware.

UK, France have now proposed amendments to Wassenaar Arrangement to include cyber security technologies. Naturally, India has expressed her concerns regarding this attempt as India is primarily dependent upon foreign nations for her cyber security related requirements. Changes were made to the Wassenaar Arrangement in December 2013 at a plenary meeting held at Vienna following the Snowden revelations.

"These changes could have severe impact on India’s cyber security programme — both software and hardware — as these would come under export control regime, the entire inventory of high-end cyber technology is with the Western countries like the US and they may deny products to Indian organisation,” said a senior Government official.

A high level meeting of the National Security Council was recently held to discuss the next course of action. The problem is that the products included in the control list have not yet been made public and the next round of plenary meeting to be held at the end of this month is expected to see the formal adoption of this agreement.  Since India is not part of the agreement, it does not have access to the decisions or means to influence the proceedings. Therefore, Indian may seek membership to the exclusive club.

“The best way to deal with this would be to have our own technologies and invest in R&D but that would take time. We would like to engage with countries like US and UK to take our view on board before listing out products under export control,” said a Government official directly dealing with the issue.

The official also said that as a pre-emptive move India was looking to purchase critical technology before the new arrangement is finalised. An expert committee has been set up to figure out the future course of action, including negotiating with six countries — the US, the UK, Israel, Germany, France and Canada.

CERT-In has claimed that some softwares supplied to India are tweaked which become prone to hacking. India was given a solution of the “Heart Bleed” malware, which impacted security of softwares, by vendors after a year of its discovery. Software companies under the product sale agreement are bound to provide solution of any vulnerability found in their product(s) immediately after detection.

Sources said Ministry of External Affairs was of the view that high technology items are always an issue for the US but India could influence the decision by seeking membership of the Wassenaar Arrangement.

Cyber Crimes And Cyber Attacks Insurance In India: A Techno Legal Perspective

Insurance business is well structured and well established in India. Even the regulatory framework in the traditional insurance sector is well managed by Indian government. With the passage of time, new avenues are now available for the insurance business. One such avenue comes from the adoption of information and communication technology (ICT) in our daily lives and the misuse of the same by criminal elements.

Perry4Law has been advocating use of cyber insurance since 2004 and from that year onwards we have been keeping a close watch upon the developments in this field at both national and international levels. Cyber insurance was adopted by developed nations earlier than India as it is only now that Indian insurance companies and Indian companies and other individuals have realised the importance of cyber insurance.

Information Technology Act, 2000 (IT Act 2000) prescribes adoption of adequate cyber security practices and cyber law due diligence (PDF) by Indian companies and individuals. Even technology companies, financial institutions and e-commerce websites are required to observe cyber due diligence in India and this requirement cannot be ignored anymore. A special attention must be given to the Information Technology (Intermediaries Guidelines) Rules 2011 (PDF) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (PDF) by those engaged in technology related business in India.

Regulatory compliance requirements under the Indian Companies Act 2013 (PDF) have added many legal obligations on the part of Indian companies and their directors. These include the liability of directors for cyber law and cyber security breaches and a liability for not following cyber law and cyber security legal obligations while conducting the functions of their respective companies.

Foreign companies and e-commerce websites having a business presence in India would now be required to register in India. This would also make them amendable to Indian laws and to face legal obligations for their non compliances. For instance, the recent cyber breach at Target Corporation has exposed it to litigation in multiple jurisdictions around the world.

Cyber breaches in India would raise complicated cyber law issues in the near future. For instance, cyber security issues of e-commerce business in India need to be discussed and implemented by Indian government and insurance companies. Similarly, cyber due diligence must also be outlined and implemented for online payment makers. Maintenance and inspection of document in digital form under corporate laws of India would also raise privacy, data protection (PDF) and cyber security issues.

All these aspects need a dedicated techno legal framework that is presently missing in India. Similarly, corporate frauds investigations in India would need scientific technologies and methods like e-discovery, cyber forensics, etc. If cyber security (PDF) and cyber forensics (PDF) trends in India are considered, this is a big challenge for Indian government, insurance companies and other corporate stakeholders. If cyber insurance has to be considered to be a potential source of revenue by insurance companies and adequate protection by Indian company ies, they have to work hard in their respective fields.

Merely entering into an insurance agreement for cyber insurance purposes would create more trouble than solutions as complicated techno legal issues are involved in international cyber crime and cyber attack cases. For instance, insurance companies and affected companies may also face and have to tackle conflict of laws in cyberspace, authorship attribution for cyber crime and cyber attacks, refusal and non cooperation by foreign governments and companies in cyber crimes investigations, etc.

In these circumstances, not only the cyber insurance agreements must be properly drafted by insurance companies but techno legal investigation skills must also be used for investigating cyber crimes and cyber attacks cases by both the affected companies and insurance companies.

International Legal Issues Of Cyber Attacks Must Be Resolved

Internet has become a necessity for all Countries of the World. Internet has also connected the virtual territories of different Countries to a collective area known as Cyberspace. This connectivity element has provided many opportunities and benefits to Cyberspace Netizens and stakeholders at large. However, this connectivity has also given rise to the possibilities and opportunities for committing wrongs and crimes by various criminal elements.

Newer concepts like Cyber Terrorism, Cyber Warfare, Cyber Espionage, etc have also emerged that have disastrous effects if not properly safeguarded and tackled. As on date there is no globally acceptable Cyber Law or Cyber Security Treaty.  Similarly, there is also no full proof and absolutely certain way to ascertain Authorship Attribution for Cyber Crimes and Cyber Attacks. Presence of Conflict of Laws in Cyberspace and absence of Civil Liberties Protection in Cyberspace has further complicated the international Cyber Law and Cyber Security related issues. Privacy Protection in the Information Era has also become an invincible task for Governments around the world.

In these circumstances, International Legal Issues of Cyber Attacks are not easy to manage. This is more so for India that is still not Cyber Prepared for International Cyber Attacks. Take the example of recent episode of hacking of Sony’s systems. Despite the strong statements of United States and its Agencies, it is very difficult to accept that North Korea was behind the hack. This is because United States has failed to prove authorship Attribution in a “Convincing and Proper Manner”. Thus, despite all allegations, counter allegations and other materials, it may not be possible to trace back the true attacker.

There is no “Neutral Authority” that can analyse the claims of both United States and North Korea in this regard. Both Countries may stick to their respective stands but in the end not much could be achieved through the same. Of course, this episode may give impetus to revive the lapsed or suspended Laws in United States that would have serious Civil Liberties Issues.

At a time when “Net Neutrality” is in grave danger, imposing own Standards and Measures against Potential, Actual and Invented Cyber Attacks by any Country should be sternly discouraged. It is also high time to resolve International Legal Issues of Cyber Attacks at a global scale.

Monday, November 2, 2015

Smart Cities Cyber Security In India: The Problems And Solutions

Smart cities are the future of urbanisation and population sustainability. The aim of smart cities is to provide a conductive environment for living, commercial activities, healthcare and overall development. Smart cities also predominantly rely upon use of information and communication technologies (ICT) to render public services. Wherever applicable, Internet of Things (IoT) (PDF), cloud computing and virtualisation and machine to machine (M2M) system usage is also there. However, this omnipresent usage of ICT, IoT, M2M, cloud computing, etc has a potential drawback as well in the form of indifference towards smart cities cyber security.

It is not difficult to visualise a scenario of cyber attacks against the critical infrastructures of the smart cities that are run by ICT and technology. Such a cyber attack can cripple the entire smart city if properly executed. Critical infrastructure protection in India (PDF) is still at nascent stage. The national cyber security policy of India 2013 is also very weak and even that has not been implemented by Indian government so far. The much awaited cyber security policy of India 2015 is also missing so far.

A strong cyber security infrastructure of India is need of the hour especially when there is no well settled international legal issues of cyber attacks that can be invoked in the case of a cyber incidence. It is very important that international legal issues of cyber attacks must be resolved by various government and non government stakeholders. There is no globally acceptable cyber law treaty and cyber security treaty (PDF) that can govern the relationships between various countries.  Even the Tallinn Manual on the International Law Applicable to Cyber Warfare  (PDF) is just an academic document with no legal binding obligations. The truth is that Tallinn Manual is not applicable to international cyber warfare attacks and defence and countries are free to take measures as per their own choices.

This has necessitated that cyber security related projects in India must be not only expedited but they must also be successfully implemented as soon as possible. Unfortunately, cyber projects like National Cyber Coordination Centre (NCCC) of India, National Critical Information Infrastructure Protection Centre (NCIPC) of India, Grid Security Expert System (GSES) of India, National Counter Terrorism Centre (NCTC) of India, Cyber Attacks Crisis Management Plan of India, Crisis Management Plan Of India For Cyber Attacks And Cyber Terrorism, Cyber Command For Armed Forces Of India, Tri Service Cyber Command for Armed Forces of India, Central Monitoring System (CMS) Project of India, National Intelligence Grid (Natgrid) Project of India, Internet Spy System Network And Traffic Analysis System (NETRA) of India, Crime and Criminal Tracking Network and Systems (CCTNS) Project of India, etc have still not been implemented successfully by Indian government.

This raises the pertinent question as to how Indian government would ensure cyber security of smart cities in India. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance. We also believe that a dedicated cyber security law of India is need of the hour. The same must be a techno legal framework keeping in mind contemporary cyber security threats. Further cyber security disclosure norms in India must be formulated by Modi government. The cyber security awareness in India must be further improved so that various stakeholders can contribute significantly to the growth and implementation of cyber security initiatives of Indian government.

Advertisement Space- Bid Now

Advertisement Space- Bid Now