Center Of Excellence (CoE) For Internet Of Things (IoT) In India

Saturday, November 21, 2015

Digital India Project Of India Lacks Cyber Security Infrastructure

In this article, Praveen Dalal, Managing Partner and CEO of Perry4Law Organisation (P4LO) and PTLB, discusses the shortcomings of the Digital India project of the Indian government. Digital India and cyber security issues in India have been ignored by the Indian government so far, and this article addresses that aspect as well.

The success or failure of any project depends upon its due research and analysis. Without proper homework and due diligence, a project may face many shortcomings, lacunae and limitations. One such project is known as Digital India. As on date, the Digital India project of the Indian government is heading towards rough waters and problems. This is because the Digital India project is suffering from many shortcomings and limitations that the Indian government has failed to remove.

For instance, the cyber security infrastructure of India is not in good shape. Take the example of smart grids cyber security in India. India is contemplating the use of smart meters but the same has become a headache for the power companies. Even a Grid Security Expert System (GSES) of India was suggested by the Indian government in the past but the same has not been implemented till now.

The Digital India Project of India Government is the classic example of use of Information and Communication Technology (ICT) for delivery of public services. Like any great project, Digital India is also suffering from some “Shortcomings”. The chief among them are lack of Cyber Security, ineffective Civil Liberties Protection, absence of Data Protection (PDF) and Privacy Protection, unregulated E-Surveillance in India, absence of Intelligence Agencies Reforms in India, etc.

Unfortunately, the initial objective of public delivery of services through use of ICT seems to be fading away day by day. Instead of public services the focus has now been shifted towards e-surveillance and data mining. To make this work, Indian Government has been using e-surveillance projects like Aadhaar, Central Monitoring System, Network and Traffic Analysis System (NETRA), National Intelligence Grid (NATGRID), National Cyber Coordination Centre (NCCC), etc. None of them is supported by any “Legal Framework” and “Parliamentary Oversight”.

In fact, Vodafone has confirmed that India has been using “Secret Wires” in the Telecom Infrastructure to indulge in e-surveillance. Indian Department of Telecommunications suppressed the whole incident with a mere assurance of “Investigation” that never took place. As per my personal information, no “Public Report” was made available in this regard by Indian Government so far.

In a latest twist, the Indian Government clubbed its latest Project named Digital Locker with Aadhaar. Essentially it means that Digital Locker is a legal project based upon illegal technology named Aadhaar. I have serious doubts that Digital Locker would serve its or Digital India’s purpose in these circumstances. The matter does not end here. Indian Government has claimed before the Supreme Court that Aadhaar is not mandatory for availing public services. However, this stand of Indian Government is not correct as Aadhaar has already been made compulsory for many public services and many more are added on regular basis.

Surprisingly, Supreme Court has not invoked either the Contempt or the Perjury proceedings against Central Government and States for making false claims and giving incorrect statements. Is not it the duty of Supreme Court to protect the Fundamental and Human Rights of Indian Citizens and residents? It is difficult to believe that Supreme Court is not aware of the ground situation that is actually happening in India. How can the Supreme Court simply rely upon false and misleading statements and allow the Central Government and States to operate in a manner that is clearly prejudicial to the Constitutional Protections and Principles?

It would be really unfortunate if Digital India Project is made the biggest Panopticon of Human History and an endemic E-Surveillance Instrumentality for the Indian Government where every bit of “Digital Information” can be accessed and manipulated by Indian Government. If this is the intention of Indian Government then Digital India Project is heading for rough waters.

Source: ICTPS Blog.

Smart Grids Cyber Security In India

Cyber security is no longer an ignored area for governments around the world. India has also recognised the significance of cyber security but its efforts in this direction are still scattered, unstructured and inadequate. Perry4Law Organisation (P4LO) has been advocating for establishing a strong, robust and resilient cyber security infrastructure in India for almost a decade.

P4LO also believes that international legal issues of cyber security must be resolved on mutual cooperation basis among various countries. Countries may work in the direction of formulating international cyber law treaty and international cyber security treaty (PDF). Similarly, international legal issues of cyber security and conflict of laws in cyberspace must also be resolved by Indian government.

These days most of the public utilities are managed and coordinated by information and communication technology (ICT). In many cases, these utilities are managed through remote administration as well. This is also the stage and process that makes these utilities vulnerable to cyber attacks.

Keeping this fact in mind, critical infrastructure protection in India in general and cyber security of automated power grids of India in particular must be ensured with latest technology and international best practices.

Cyber security issues in India are emerging day by day. Similarly, the cyber security awareness in India is also increasing. However, cyber security capabilities of India are still not up to the mark. Cyber security skills developments in India are urgently required.

There would be many cyber security challenges for future smart grids of India. The evolution of SCADA system, deficiencies and shortcomings of existing power devices and vulnerabilities of software managing SCADA systems are areas of special concern for India.

These days power grids are centrally connected and integrated in nature from the stage of power generation to its transmission and distribution. A compromise of such power grids can lead to power outages/blackout or even damage to power system devices and thereby huge loss to the utilities.

Further, renewable energy/distributed generation demands are the added feature of smart grid and due to networked control future power system will be much more vulnerable to cyber terrorism attacks, cyber warfare activities and cyber espionage attempts. Therefore, before switching to smart grids, India must consider cyber security challenges for them as well.

Perry4Law and Perry4Law Techno Legal Base (PTLB) are in the process of drafting of cyber security best practices for smart grids in India. We invite professional collaborations and cooperation in this regard from various smart grid stakeholders. If interested, kindly send your proposals while communicating with us so that we can consider collaborative aspects of such proposals.

Friday, November 20, 2015

Hacked USB Can Damage Computer’s Circuit And Crucial Components

USBs have long been used to infect systems and to steal data. This is done by first infecting the concerned USB with a customised malware and then running the same on the target computer or system. Wherever physical access to the target system is not available, the USB can be simply left within the visibility and reach of the person managing such system. This social engineering tactic is very effective even today and in the majority of cases the system administrator runs such an infected USB upon his system.

Some users also allow autorun option for the media outputs including USBs. This is a serious cyber security risk as the malware would automatically start running and installing with such an option. By default autorun must be disabled by the users for security reasons.
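One way to check the autorun exposure described above, as an added example that is not part of the original article. It decodes the Windows `NoDriveTypeAutoRun` policy bitmask and lists the launch directives in an `autorun.inf` file; the function names, the sample mask and the sample file content are constructed for illustration.

```python
"""Audit autorun exposure: the NoDriveTypeAutoRun policy mask and autorun.inf content."""

# Bits of the Windows NoDriveTypeAutoRun policy value. A SET bit disables autorun
# for that drive type. Bits 0x01 and 0x80 cover unknown drive types and are not
# reported here.
DRIVE_TYPE_BITS = {
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
}

# Keys in the [autorun] section of autorun.inf that name something to execute.
EXEC_KEYS = {"open", "shellexecute"}

# Constructed sample inputs (not taken from a real host or device).
SAMPLE_MASK = 0x91
SAMPLE_INF = """\
; constructed sample, not taken from a real device
[AutoRun]
label=Quarterly Reports
icon=folder.ico
open=viewer.exe /quiet
shell\\explore\\command = viewer.exe

[Content]
open=ignored.exe
"""


def autorun_enabled_for(mask):
    """Return the drive types for which the policy mask leaves autorun enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def launch_directives(inf_text):
    """Return (key, value) pairs from [autorun] that would start a program."""
    found = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_shell_verb:
            found.append((key, value))
    return found


def audit(mask, inf_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if "removable" in autorun_enabled_for(mask):
        findings.append("policy: autorun still enabled for removable drives")
    for key, value in launch_directives(inf_text):
        findings.append(f"autorun.inf: {key} would launch {value!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MASK, SAMPLE_INF):
        print(finding)
```

A mask of 0xFF sets every bit and so disables autorun for all drive types; the `autorun.inf` findings are still worth reporting because they show what the media was built to launch.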

For long, USBs have been used for corporate and cyber espionage. Now USB has also become a tool of cyber warfare as it can be customised to create damage rather than corrupting the system. A Russian hacker/researcher created a USB that can crash the victim system once the modified/hacked USB is plugged into it.

The researcher, nicknamed Dark Purple, hacked a standard USB stick, and installed an inverting DC-DC converter and some capacitors bought from a Chinese website. When the USB is plugged in, it charges the capacitors to -110V before shutting down. Next, a transistor discharges the stored electricity through the USB port’s data pins. This continues until the capacitors are down to -7V, at which point the DC-DC converter is switched back on, and begins to charge the capacitor back for the next cycle.

The basic idea of the USB drive is quite simple. When we connect it up to the USB port, an inverting DC/DC converter runs and charges capacitors to -110V. When the voltage is reached, the DC/DC is switched off. At the same time, the field transistor opens. It is used to apply the -110V to signal lines of the USB interface. When the voltage on capacitors increases to -7V, the transistor closes and the DC/DC starts. The loop runs till everything possible is broken down.

USB ports are typically well protected from electrical attacks, but the inverting DC-DC converter gets around these defenses – and eventually overloads them to damage the PC’s sensitive inner electronics. Clearly cyber security and the defence against cyber warfare have to be moved to the next level as present day’s safeguards are not enough to ward off these customised and stealth cyber attacks.

Grid Security Expert System (GSES) Of India Proposed To Ensure Cyber Security Of Power Grids

Present-day critical infrastructures are connected to information and communication technology (ICT) for portability, convenience and remote control purposes. Although this brings many advantages, the use of ICT for critical infrastructures also exposes them to potential cyber attacks.

According to the Cyber Security Trends of India 2015 by Perry4Law Organisation (P4LO), Critical Infrastructure Protection in India (PDF) would be required in the year 2015 as India has launched projects like Digital India and Internet of Things (IoT) (PDF). Indian Government needs to work hard in this regard as cyber security challenges in India are very daunting in nature.

The cyber security challenges before the Narendra Modi government are more demanding than its predecessor government due to heavy reliance upon ICT and technology. However, India is not yet prepared to deal with the same. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must urgently formulate the Cyber Security Policy of India 2015 as the previous policy is just a paper work with no actual benefits.

Now here lies the real problem. Formulation of a techno legal framework and robust cyber security policy of India 2015 requires tremendous techno legal acumen. Further, the actual implementation of the proposed 2015 policy would be even more difficult. This may be the reason that Modi government is shy in bringing any change in the otherwise outdated and redundant 2013 cyber security policy of India. Nevertheless, a call has to be made in this regard and immediate action is the need of the hour.

It is not the case that the Modi government has not taken pro cyber security initiatives in India. Firstly, Modi government has appointed Dr. Gulshan Rai as the first chief information security officer (CISO) of India. Secondly, Narendra Modi has suggested to Nasscom that a task force be set up to solve the growing cyber security menace in India. According to Nasscom the taskforce would be constituted within a period of one month. Now it has been reported that the Grid Security Expert System (GSES) of India has been proposed to be developed by Powergrid.

GSES would involve installation of a knowledge based Supervisory Control and Data Acquisition (SCADA) system, numerical relays and Remote Terminal Units up to 132 kV stations and a reliable Optical fibre Ground wire (OPGW) communication system at an estimated cost of around Rupees 1200 crores. The objective of the GSES is implementation of the Automatic Defense mechanism to facilitate reliable and secure grid operation.

CECSRDI welcomes this move of Indian government. We have been advocating that a robust cyber crisis management plan of India is need of the hour. A crisis management plan for preventing cyber attacks on the power utilities in India has also been suggested by CECSRDI. We have also suggested that crisis management plan of India for cyber attacks and cyber terrorism is required. Power grids cyber security in India and its challenges are not much known as on date but awareness about the same is fast increasing. The present decision of Indian government to establish GSES is an example of the same.

It has also been stated that the Computer Emergency Response Team-India (CERT-IN), Department of Information Technology, Ministry of Communication and Information Technology, Government of India has prepared a Crisis Management Plan (CMP) for countering cyber attacks and cyber terrorism. The CMP intends to prevent large scale disruption in the functioning of critical information systems of Government, public and private sector resources and services. A framework has also been outlined for dealing with cyber related incidents for rapid identification, swift response and remedial actions to mitigate and recover from cyber related incidents impacting critical national processes.

In December 2010, Ministry of Power had constituted CERTs (Computer Emergency Response Teams) for power sector. At CECSRDI we welcome establishment of these dedicated CERTs as they can manage cyber security issues in a better manner. For instance, CERT-Thermal (nodal agency: National Thermal Power Corporation (NTPC)), CERT-Hydro (nodal agency: National Hydroelectric Power Corporation (NHPC)) and CERT-Transmission (nodal agency: Power Grid Corporation of India Limited (PGCIL)) can take necessary action to prevent cyber attacks in their domains. The State Power Utilities have also been advised to prepare their own sectoral Crisis Management Plan (CMP) and align themselves with the Nodal Agencies, i.e. NTPC, NHPC & PGCIL, and CERT-In for the necessary actions.

Cyber security of automated power grids of India is need of the hour. It is only after a massive power blackout in 2012 that Indian government has woken up to the dangers of cyber attacks against Indian power sector. Based on the recommendations of the Enquiry Committee, constituted by Ministry of Power to enquire into the causes of the grid collapse of 2012, several measures like third party protection audit, review of Unscheduled Interchange mechanism, review of Central Electricity Authority transmission planning criterion, tightening of frequency band, coordinated planning of outages, development of islanding schemes, proper maintenance of under frequency relays etc. have been taken by the Government to prevent grid failures. We welcome these pro active efforts on the part of Indian government.

However, it would be really interesting to observe what actual steps would be taken by Modi government to strengthen Indian cyber security. Till now Modi government has not come out with even a single cyber security related policy decision or initiative. These policy decisions and projects, with their own merits and demerits, are the legacy of Congress government. What Modi government would do in this regard is yet to be seen. We wish all the best to Modi government in the field of cyber security and other related projects.

PMO Appoints Dr. Gulshan Rai As The First Chief Information Security Officer (CISO) Of India

India has been pushing for delivery of public services through e-governance for long. However, India failed to consider the cyber security aspects of e-governance and this is a dangerous situation. When everything is connected to the Internet or cyberspace, the risks of cyber attacks are very real and significant. Now India has once again adopted an ambitious technology driven project named Digital India.

Even Digital India has been heading towards rough waters due to lack of clear policies and implementation plan. Besides civil liberties protection in cyberspace, Indian Government must also keep in mind the cyber security aspects of Digital India project. As on date India is a sitting duck in cyberspace and civil liberties protection fields.

The Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) has provided the cyber security trends and developments in India in 2013 (PDF), 2014 and 2015. These trends have proved that India has failed on the front of developing offensive and defensive cyber security capabilities. At CECSRDI we believe that cyber security challenges in India would increase many folds in the near future and India must be prepared to deal with the same effectively and efficiently.

The cyber security challenges before the Narendra Modi Government are both complicated and voluminous in nature. Unlike other readymade and almost completed projects and schemes that the Congress Government has left for the BJP Government, the cyber security related issues were not properly dealt with by the Congress Government. Even the National Cyber Security Policy of India 2013, as formulated by Congress Government, is grossly defective and useless. BJP Government has the challenge of managing the cyber security related issues on its own and from the very beginning.

In a significant move, the Prime Minister’s Office (PMO) has appointed Gulshan Rai as the first Chief Information Security Officer (CISO) of India. We at Perry4Law Organisation (P4LO) and CECSRDI welcome this pro active move of PMO and Indian Government. This would go a long way in ensuring critical infrastructure protection in India (PDF). We also strongly recommend that a revised Cyber Security Policy of India 2015 must be drafted by Modi Government that must address cyber security issues in a more comprehensive and holistic manner.

This CISO position would operate directly under the PMO and this is a good move. We believe that issues of cyber security and national security must be managed at the highest levels and nothing is better than the present PMO. Gulshan Rai has been heading the computer emergency response team (CERT-IN) at the department of electronics and information technology (DeitY) and he has done a wonderful job at CERT-IN. Appointing him as the CISO is a good move of Modi Government as he is already well aware of the cyber threats landscape in India. He would now take charge as special secretary for cyber security.

Rai has been working since 1998 in the area of evolving legal framework to address issues arising out of cyberspace. He is also expected to head the national cyber coordination centre (NCCC) that the Government is also setting up with a budget of Rs 1,000 crore. Since Rai’s expertise and services would be required as a CISO, DeitY has already posted a vacancy for the post of director general for CERT-IN.

We wish all the best to Indian Government and Dr. Gulshan Rai for this challenging job.

Monday, November 16, 2015

RBI To Establish An IT Subsidiary For Managing Banking Related Cyber Security Issues In India

Reserve Bank of India (RBI) has been taking many pro active steps to strengthen cyber security for banking sector of India. Despite its best intentions, cyber security in banks is still a distant dream. Banks in India are too slow to adopt and use cyber security mechanisms for banking related business.

Whether it is phishing or social engineering, bank customers are continuously losing money to cyber fraudsters. There is an urgent need on the part of Indian Government and RBI to spread information and awareness about cyber law and cyber security among various stakeholders.

India is treading on the digital highway and very soon most of the public services would be delivered through use of information and communication technologies (ICT). This is clear from the enthusiastic implementation of Digital India project that needs some fine tuning to get the best results. Nevertheless there is no escape from the reality that Digital India would be the face of Indian economy and culture very soon.

With this increased and omnipresent digital culture, cyber crimes and cyber security breaches would be the norm in future. This is the reason why the Delhi Police has decided to launch a mobile application that would help in filing of online FIR for economic frauds and cyber crimes. Now the RBI has also shown its commitment to fight against cyber crimes and financial frauds by declaring that an information technology driven subsidiary would be established by it to deal with cyber nuisances. This IT subsidiary of RBI would also deal with cyber security and related issues with a special focus upon banking related technology issues. The IT subsidiary of RBI would also evaluate the technical capabilities of banks, which are almost missing as on date.

We at Perry4Law Organisation (P4LO) welcome this move of RBI and extend our full techno legal support and expertise in this regard. As per the cyber security trends of India 2015 by P4LO cyber security related issues must be taken care of by various stakeholders including banks in India. Although RBI has announced many effective cyber security related initiatives for banks in India yet cyber security for banks in India is still not in good shape. Some of the initiatives already undertaken by RBI in this direction include formulation and implementation of Internet banking guidelines, formation of a RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, RBI Recommendation on Information Security and its implementation in India, etc.

RBI has also prescribed establishment of Steering Committees on Information Security by Banks in India and appointment of Chief Information Officers (CIOs) for all banks in India. However, banks in India have failed to comply with the directions of RBI so far. As on date there is neither a legal framework nor any compulsion to ensure cyber security of banks in India. This gives little incentive to the banks to ensure cyber security of online banking system of India. On top of it, banks in India are not following cyber security due diligence and cyber law due diligence (PDF) despite RBI’s directions.

If we take the example of western countries, sophisticated malware are targeting banks of these countries. These countries are heavily relying upon ICT for their functioning and this makes them vulnerable to cyber crimes and cyber attacks. India has not faced this heat so far because till now India did not adopt technology to that extent. However, after the adoption of Digital India, cyber security and cyber crimes investigation would become major issues for not only the law enforcement agencies but also banks of India. RBI seems to be aware of this reality and has taken a good step by deciding to establish an IT subsidiary that would take care of all these issues. However, we at P4LO believe that this IT subsidiary of RBI should not be a mere paper tiger but must actually work towards establishing a robust and resilient cyber security environment for banks of India.

Sophisticated botnets and malware like Dump Memory Grabber have been targeting Indian banks and POS Terminals. Similarly, the Gameover Zeus or GOZ botnet is also capable of stealing sensitive banking and financial information and details. Recently, the US Justice Department even charged a Russian national for creation of Gameover Zeus (GOZ) Botnet.

In these circumstances we must consider the proposal of India to adopt and use mobile banking, Internet banking and other online banking and financial transactions methods. So far India and RBI have not considered the issues of mobile banking cyber security, internet banking cyber security, legal aspects of Internet banking, cyber security of e-governance services, etc. In these circumstances, Indian online banking transactions are vulnerable to cyber attacks.

The cyber security for banking and financial sectors of India must be ensured as soon as possible. Online payment market of India and e-commerce and online business legal compliances have further increased the requirements of banking cyber security in India. Similarly, cyber due diligence for Paypal and online payment transferors of India must also be ensured by these stakeholders. These are some of the suggestions that P4LO has shared with Indian Government and RBI through this platform. More detailed suggestions would also be shared by P4LO at appropriate stage and platform.

Smart Cities Cyber Security In India

Cyber security in an interconnected world is a difficult task to manage. This is more so when the enemy is almost invisible and anonymous. Perry4Law Organisation (P4LO) has been working in the direction of cyber security research, education and training in India and world wide. P4LO has already covered many techno legal issues of cyber security that can affect Indian cyberspace.

It has been a considerable time since India has been using e-governance for various public services. However, cyber security of e-governance services in India is still missing to a large extent. This is equally true regarding critical infrastructures that require resilient and robust cyber security.

For instance, India is planning to build smart cities. There is no doubt that India must have made suitable policies and strategies regarding the proposed smart cities. However, till now the Indian Government has not made public a smart city policy that meets the cyber security and civil liberties requirements.

India is embracing the concept of Digital India and electronic delivery of services to its citizens. This is a noble intention but its actual implementation requires strong and effective techno legal framework. Digital India and initiatives based upon it cannot be successful till the foundation of Digital India itself is strong, legal and flexible. Unfortunately, Digital India project is not only suffering from many shortcomings but it is also heading towards rough waters.

Digital India is also closely related to the Internet of Things (IoT) concept. India has issued the Draft Policy on Internet of Things (IoT) (PDF) and a Revised Draft Policy on Internet of Things (IoT) (PDF). The IoT Policy of India is yet to be finalised and implemented after analysing and incorporating the public suggestions and inputs.

Smart Cities is another promising project of Indian Government to make urban cities technology oriented. While this is a fancy idea, its implementation is not free from challenges. For instance, India has been using e-governance for delivery of public services for long. However, cyber security of e-governance services in India is still not up to the mark. This would make the proposed Smart Cities also vulnerable to sophisticated cyber attacks and cyber crimes. So before establishing Smart cities in India, Indian Government must take care of various techno legal challenges that are still not managed by India.

There are many cyber security challenges before the Narendra Modi Government that have to be addressed on a priority basis. A quick analysis of the National Cyber Security Policy of India 2013 reveals that it is suffering from many shortcomings. There are no Cyber Security Disclosure Norms in India that may require individuals and companies to share details of cyber attacks and cyber breaches. There is also an urgent need to formulate the Cyber Security Policy of India 2015 as the Cyber Security Trends are very alarming in India. Even there is no implementable Telecom Security Policy of India as on date and telecom related issues are getting complex day by day.

However, Indian Government and other stakeholders have also initiated many good projects to facilitate public delivery of services through e-governance and use of information and communication technologies (ICT). For instance, an E-Police Station in Delhi has been established that would register online FIR for motor vehicle theft cases of Delhi. The Reserve Bank of India (RBI) has also decided to set up an IT Subsidiary to deal with technology related banking issues. The Technical Advisory Committee (TAC) of SEBI would address cyber security issues as well. The Grid Security Expert System (GSES) of India has also been proposed by Indian Government. Indian Government has also banned private e-mail services for official communications in Government Departments. Indian Government would also launch Internet Safety Campaign very soon to spread awareness about cyber security among various stakeholders. However, the best effort of Indian Government vis-a-vis cyber security is the appointment of Dr. Gulshan Rai as the first Chief Information Security Officer (CISO) of India by the Prime Minister Office (PMO) of India. This would definitely strengthen the cyber security infrastructure of India.

Another area of concern regarding Smart Cities would be protection of Civil Liberties in Cyberspace where India is lagging far behind its International and Constitutional Obligations. Recently the Supreme Court of India has asked for a clarification from the Central Government regarding Privacy Invasive Software and Mobile Applications. India has no dedicated Privacy and Data Protection (PDF) laws. Privacy protection in the information era has to be ensured by Narendra Modi Government for the success of Smart Cities in India. The Right to Privacy is a Human Right, not a Government Charity, and it must be protected by the Narendra Modi Government. Narendra Modi Government has made Digital India the “Biggest Panopticon of Human History” by clubbing it with Illegal and Unconstitutional Aadhaar Project. The Indian Government is making the Aadhaar Compulsory even though the Supreme Court has clearly declared on multiple occasions that Aadhaar cannot be made mandatory. Even the Indian Parliament and Judiciary are indifferent and submissive to these Illegalities of Digital India and Aadhaar Projects.

The Smart Cities project of Indian Government has both negative and positive aspects. It is for the Narendra Modi Government to remove the negative aspects and stress more upon the positive and development aspects. I hope and wish that this would be the approach of Narendra Modi Government regarding Smart Cities in India.

New Cyber Espionage Malware Named Uroburos/Snake Detected By Cyber Security Researchers

The traditional Cold War Era may be over but the Technology Assisted Cold War is still in vogue. Developed Nations have been making and using Sophisticated Malware that is well beyond traditional and modern Cyber Security Mechanisms. Even well trained Cyber Security Professionals cannot detect them till these Malware have already achieved their Surveillance and Espionage tasks.

For instance, Malware like Stuxnet, Duqu and Flame have simply proved this point. They kept on creating havoc for many years in an undetectable and covert manner. They were detected only recently and since then their variants have been making rounds in the Cyberspace.

These Malware are not the tasks of a group or company but expert malware makers that are supported by Developed Nations. The United States has been accused of making these Malware in the past and it is also believed that U.S. is the biggest buyer of Malware in the World. U.S. has also been accused of using a combination of Radio Waves and Malware to spy upon other Countries. It is well known that Global Cyber Espionage Networks are being actively and covertly used to Spy on other Nations. This is evident from the fact that the Command and Control Servers of Malware FinFisher were also found in 36 Countries, including India.

Countries across the World have started to strengthen their Cyber Security Capabilities. While protecting their own Cyberspace domain, various Countries must understand that Cyber Security is an International Issue (PDF) and not a National one. Therefore, an International Cyber Security Treaty is Required (PDF). In the absence of international harmonisation in this crucial field, countries would keep on attacking one another in the Cyberspace.

In the latest news in this regard, G Data Security experts have analysed (PDF) a very complex and sophisticated piece of malware, designed to steal confidential data. G Data refers to it as Uroburos, in correspondence with a string found in the malware’s code and following an ancient symbol depicting a serpent or dragon eating its own tail.

According to G Data, Uroburos is a rootkit, composed of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably: files) and it is also able to capture network traffic. Its modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos’ driver part is extremely complex and is designed to be very discreet and very difficult to identify.

BAE Systems has labelled it “Snake” (PDF) and has identified two distinct variants, both highly flexible but with two different techniques for establishing and maintaining a presence on the target system. In general, its operation relies on kernel mode drivers, making it a rootkit. It is designed to covertly install a backdoor on a compromised system, hide the presence of its components, provide a communication mechanism with its command and control (C&C) servers, and enable an effective data exfiltration mechanism. At the same time, Snake exposed a flexibility to conduct its operations by engaging these noticeably different architectures.

According to media reports, ‘Uroburos’ has been stalking its victims since as far back as 2005 and large enterprises and governments need to pay urgent attention to the threat. It now transpires that Snake has been slithering silently around networks in the U.S. and its NATO allies and former Soviet states for almost a decade, stealing data, getting ever more complex and modular and remaining almost invisible.

Culling data from malware research sites (i.e. those to which suspected malware samples are submitted for inspection), it has been spotted 32 times in the Ukraine since 2010, 11 times in Lithuania, 4 times in the UK, and a handful of times altogether from the US, Belgium, Georgia, Romania, Hungary and Italy.

These are very small numbers but cyber security firms believe that, on past experience, they are highly indicative. While they represent a tiny fraction of the number of infections that will have occurred in these countries and beyond, they can be used to reliably infer that Snake has been aimed at Western and Western-aligned countries pretty much exclusively. While none have specifically named Russia as the originator of this malware, some have put the country under suspicion.

Hints of the malware’s provenance have surfaced from time to time. In 2008, the U.S. Department of Defense (DoD) reported that something called Agent.btz had attacked its systems, an incident later attributed on more than one occasion to the Russian state without further elaboration. Beyond that the evidence is circumstantial and it is very difficult to attribute Cyber Criminality with great certainty.

National Security Policy Of India Some Techno Legal Suggestions

National Security is a very vast and complicated field to manage as it encompasses various facets of security. It ranges from traditional security of borders and infrastructure to Cyber Security of the Indian Infrastructure and Cyberspace. India has been lax on the front of National Security in general and Cyber Security in particular. The National Cyber Security Policy of India 2013 has been drafted recently and its actual and full implementation is still missing.

Further, various components of National Security are still operating in a vacuum and independent of each other, making the entire concept of National Security a façade. For instance, the Cyber Security Policy of India is still not a part of the National Security Policy of India. In fact, we have no National Security Policy of India that is presently implemented by Indian Government. The Cyber Security Policy of India must be an “Essential and Integral Part” of the National Security Policy of India.

DNA India has reported that the current UPA Government led by Prime Minister Manmohan Singh is set to unveil a draft of National Security Policy for public debate. The National Security Advisor Shiv Shankar Menon has already started working in this regard so that a well defined strategic policy framework can be adopted by the new Government after a public debate. It seems the intention is to make the National Security Policy of India operational after the 2014 Elections are over. This is logical as well, as such crucial policies cannot be implemented at a time of uncertainty. The National Security Council (NSC) has already proposed a three-pronged Cyber Security Action Plan for India.

The UPA Government has its own share of successes like securing Indian borders and avoiding any big threat from outside, getting the non-permanent member status of the UN Security Council, obtaining a permanent seat at the Arctic Council and a chair at G-8 negotiations, etc. So the “Failures and Achievements” of the present UPA Government are somewhat balanced in nature.

India already has a doctrine for its defence as well as strategic forces, both for conventional and sub-conventional wars. But the new doctrine will be over-arching, comprehensive and will incorporate elements of foreign and internal security policies.

Though the proposed draft of the Policy is still in its infancy, it may act as a resource guide to deal with Indian National Security issues. The proposed Policy would look at all aspects of National Security including the Economic, Technological, Political, Cyber as well as Scientific. It would also streamline the Security Strategy and address the systemic lacunae in the absence of a clear and comprehensive policy.

A “Special Focus” upon Cyber Security is the need of the hour. To start with, a dedicated Cyber Security Law of India must be formulated. A robust and comprehensive Telecom Security Policy of India must also be immediately formulated. Further, Draconian and Disabling Laws like Information Technology Act, 2000 and Indian Telegraph Act, 1885 must be “Repealed” as soon as possible. Civil Liberties and National Security Requirements must be “Reconciled”. A dedicated Privacy Law of India must also be formulated immediately to strengthen Privacy Rights in India.

During the exposure of engagement of E-Surveillance by the National Security Agency (NSA) of U.S., James Clapper confirmed that NSA is targeting Foreign Citizens for Surveillance. This E-Surveillance is further “Combined” with Tactics and Techniques of Cyber Warfare, Cyber Espionage and Cyber Terrorism, etc. The traditional Cold War Era may be over but the Technology Assisted Cold War is still in vogue. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, etc have simply proved this point.

These Malware are not the work of a group or company but of expert malware makers that are supported by Developed Nations. The United States has been accused of making these Malware in the past and it is also believed that U.S. is the biggest buyer of Malware in the World. U.S. has also been accused of using a combination of Radio Waves and Malware to spy upon other Countries. It is well known that Global Cyber Espionage Networks are being actively and covertly used to Spy on other Nations. This is evident from the fact that the Command and Control Servers of Malware FinFisher were also found in 36 Countries, including India.

These Malware used Cyber Attack Methods and Vectors that are far beyond the Capacity of Traditional Cyber Security Mechanisms to Trace and Prevent. This becomes a serious Cyber Security Issue when Critical ICT infrastructures are at stake. For instance, the critical Infrastructure Protection in India and its Problems, Challenges and Solutions (PDF) are still to be looked into with Great Priority by Indian Government. It is only now that India has declared that NTRO would protect the Critical ICT Infrastructures of India. Similarly, a Tri Service Cyber Command for Armed Forces of India is in the Pipeline. Nevertheless, the Cyber Security Infrastructure of India is Weak and it must be improved as soon as possible.

Countries across the World have started to strengthen their Cyber Security Capabilities. While protecting their own Cyberspace domain, various Countries must understand that Cyber Security is an International Issue (PDF) and not a National one. Therefore, an International Cyber Security Treaty is Required (PDF). As far as India is concerned, the Cyber Warfare Policy of India (PDF) and E-Surveillance Policy of India (PDF) must be urgently drafted and implemented. Similarly, Self Defence and Privacy Protection in India must be ensured.

India’s own Projects like Aadhaar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. The proposed National Security Policy of India must address this issue as well on a priority basis.

Intelligence Agencies Of India Demand Legal Immunity Against Cyber Deterrent Acts

India has been working in the direction of strengthening its Cyber Security Capabilities. As India is a late entrant in this field, Cyber Security in India is still not up to the mark. The Cyber Security Trends and Developments in India 2013 (PDF) provided by Perry4Law’s Techno Legal Base (PTLB) have proved that India is weak in the field of Cyber Security. The Offensive and Defensive Cyber Security Capabilities of India are yet to be achieved.

We have no dedicated Cyber Security Laws in India as on date. The Information Technology Act, 2000 (IT Act 2000) is the sole Cyber Law of India that also indirectly talks about Cyber Security. The IT Act 2000 is silent on the issue of conferring legal immunity to hackers and other Law Enforcement Agencies while countering cyber attacks and this is a cause of concern for the Intelligence Agencies of India. It is also true that the Intelligence Agencies of India are not subject to Parliamentary Oversight, which is the need of the hour.

International Legal Issues of Cyber Attacks are a cause of concern for India and India needs to upgrade her Cyber Security Capabilities. Intelligence Agencies of India are planning to acquire such capabilities with “No Legal Obligation Attached Whatsoever”. This is a draconian power that cannot be conferred on them as that would violate the Civil Liberties Protection in Cyberspace of Indian Citizens. To make matters worse, we have no dedicated Privacy Laws in India and Data Protection Laws in India (PDF). Even the Right to Information Act, 2005 is not applicable to Intelligence Agencies and many Law Enforcement Agencies of India. India “Must Reconcile” the Civil Liberties and National Security Requirements, which is presently not happening.

It has been reported that following security agencies’ demand for legal immunity in cyber deterrence cases, the Deputy National Security Adviser is working on setting up an Inter-Ministerial Group to look into the issue. The Intelligence Bureau has said legal authority for cyber deterrence is very important for agencies in dealing with matters like terrorism. Citing the example of some countries, which have oversight mechanism, agencies have demanded legal immunity.

For example, the United States has a mechanism in place to monitor foreign accounts. However, U.S. is also making its Intelligence Agencies “Accountable” to the Parliament and there are many Statutory Protections against “Abuse of Powers” of these Intelligence Agencies. In India there are no such “Procedural Safeguards” and Intelligence Agencies are openly violating various “Constitutional Protections” and Civil Liberties.

India’s own Projects like Aadhaar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny.

Now the Intelligence Agencies are demanding the power of “Hack at Will” without any “Legal Ramifications”. National security is not a “Blanket Protection” against Illegal and Unconstitutional E-Surveillance and Eavesdropping. It seems the Intelligence Agencies of India are asking for this “Illegal and Unconstitutional Power” that “No Sensible Government in its Right Mind” would allow.

In a recent meeting on Cyber Security, a representative of the Department of Telecommunication (DOT) said the Department could make some provisions in the Calling Line Identification (CLI) Guidelines that will enable monitoring of at least Foreign Nationals in the country.

The Deputy National Security Adviser, Nehchal Sandhu, is working on setting up an Inter-Ministerial Group comprising the Law Ministry, the Department of Electronics and IT, the Department of Telecom (DOT), IB and the Home Ministry to identify gaps in existing legislation and regulations as well as measures to bridge them.

However, there are “No Such Gaps” as are contemplated by the Deputy National Security Adviser. In effect, the Group is considering how to “Further Confer” Illegal and Unconstitutional Powers upon the Intelligence Agencies. This is really unfortunate as the Group must consider how to make the Intelligence Agencies and Law Enforcement Agencies of India Accountable to the Parliament and how to “Safeguard” the “Constitutional Rights” of Indian Citizens that are openly violated by these Agencies.
