Cyber Crimes And Cyber Attacks Insurance In India: A Techno Legal Perspective

Insurance business is well structured and well established in India. Even the regulatory framework in the traditional insurance sector is well managed by Indian government. With the passage of time, new avenues are now available for the insurance business. One such avenue comes from the adoption of information and communication technology (ICT) in our daily lives and the misuse of the same by criminal elements.

Perry4Law has been advocating use of cyber insurance since 2004 and from that year onwards we have been keeping a close watch upon the developments in this field at both national and international levels. Cyber insurance was adopted by developed nations earlier than India as it is only now that Indian insurance companies and Indian companies and other individuals have realised the importance of cyber insurance.

Information Technology Act, 2000 (IT Act 2000) prescribes adoption of adequate cyber security practices and cyber law due diligence (PDF) by Indian companies and individuals. Even technology companies, financial institutions and e-commerce websites are required to observe cyber due diligence in India and this requirement cannot be ignored anymore. A special attention must be given to the Information Technology (Intermediaries Guidelines) Rules 2011 (PDF) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (PDF) by those engaged in technology related business in India.

Regulatory compliance requirements under the Indian Companies Act 2013 (PDF) have added many legal obligations on the part of Indian companies and their directors. These include the liability of directors for cyber law and cyber security breaches and a liability for not following cyber law and cyber security legal obligations while conducting the functions of their respective companies.

Foreign companies and e-commerce websites having a business presence in India would now be required to register in India. This would also make them amendable to Indian laws and to face legal obligations for their non compliances. For instance, the recent cyber breach at Target Corporation has exposed it to litigation in multiple jurisdictions around the world.

Cyber breaches in India would raise complicated cyber law issues in the near future. For instance, cyber security issues of e-commerce business in India need to be discussed and implemented by Indian government and insurance companies. Similarly, cyber due diligence must also be outlined and implemented for online payment makers. Maintenance and inspection of document in digital form under corporate laws of India would also raise privacy, data protection (PDF) and cyber security issues.

All these aspects need a dedicated techno legal framework that is presently missing in India. Similarly, corporate frauds investigations in India would need scientific technologies and methods like e-discovery, cyber forensics, etc. If cyber security (PDF) and cyber forensics (PDF) trends in India are considered, this is a big challenge for Indian government, insurance companies and other corporate stakeholders. If cyber insurance has to be considered to be a potential source of revenue by insurance companies and adequate protection by Indian company ies, they have to work hard in their respective fields.

Merely entering into an insurance agreement for cyber insurance purposes would create more trouble than solutions as complicated techno legal issues are involved in international cyber crime and cyber attack cases. For instance, insurance companies and affected companies may also face and have to tackle conflict of laws in cyberspace, authorship attribution for cyber crime and cyber attacks, refusal and non cooperation by foreign governments and companies in cyber crimes investigations, etc.

In these circumstances, not only the cyber insurance agreements must be properly drafted by insurance companies but techno legal investigation skills must also be used for investigating cyber crimes and cyber attacks cases by both the affected companies and insurance companies.

Source: International Legal Issues Of Cyber Attacks.

International Legal Issues Of Cyber Attacks Must Be Resolved

Internet has become a necessity for all Countries of the World. Internet has also connected the virtual territories of different Countries to a collective area known as Cyberspace. This connectivity element has provided many opportunities and benefits to Cyberspace Netizens and stakeholders at large. However, this connectivity has also given rise to the possibilities and opportunities for committing wrongs and crimes by various criminal elements.

Newer concepts like Cyber Terrorism, Cyber Warfare, Cyber Espionage, etc have also emerged that have disastrous effects if not properly safeguarded and tackled. As on date there is no globally acceptable Cyber Law or Cyber Security Treaty.  Similarly, there is also no full proof and absolutely certain way to ascertain Authorship Attribution for Cyber Crimes and Cyber Attacks. Presence of Conflict of Laws in Cyberspace and absence of Civil Liberties Protection in Cyberspace has further complicated the international Cyber Law and Cyber Security related issues. Privacy Protection in the Information Era has also become an invincible task for Governments around the world.

In these circumstances, International Legal Issues of Cyber Attacks are not easy to manage. This is more so for India that is still not Cyber Prepared for International Cyber Attacks. Take the example of recent episode of hacking of Sony’s systems. Despite the strong statements of United States and its Agencies, it is very difficult to accept that North Korea was behind the hack. This is because United States has failed to prove authorship Attribution in a “Convincing and Proper Manner”. Thus, despite all allegations, counter allegations and other materials, it may not be possible to trace back the true attacker.

There is no “Neutral Authority” that can analyse the claims of both United States and North Korea in this regard. Both Countries may stick to their respective stands but in the end not much could be achieved through the same. Of course, this episode may give impetus to revive the lapsed or suspended Laws in United States that would have serious Civil Liberties Issues.

At a time when “Net Neutrality” is in grave danger, imposing own Standards and Measures against Potential, Actual and Invented Cyber Attacks by any Country should be sternly discouraged. It is also high time to resolve International Legal Issues of Cyber Attacks at a global scale.

Subject: International Legal Issues Of Cyber Attacks.

Smart Cities Cyber Security In India: The Problems And Solutions

Smart cities are the future of urbanisation and population sustainability. The aim of smart cities is to provide a conductive environment for living, commercial activities, healthcare and overall development. Smart cities also predominantly rely upon use of information and communication technologies (ICT) to render public services. Wherever applicable, Internet of Things (IoT) (PDF), cloud computing and virtualisation and machine to machine (M2M) system usage is also there. However, this omnipresent usage of ICT, IoT, M2M, cloud computing, etc has a potential drawback as well in the form of indifference towards smart cities cyber security.

It is not difficult to visualise a scenario of cyber attacks against the critical infrastructures of the smart cities that are run by ICT and technology. Such a cyber attack can cripple the entire smart city if properly executed. Critical infrastructure protection in India (PDF) is still at nascent stage. The national cyber security policy of India 2013 is also very weak and even that has not been implemented by Indian government so far. The much awaited cyber security policy of India 2015 is also missing so far.

A strong cyber security infrastructure of India is need of the hour especially when there is no well settled international legal issues of cyber attacks that can be invoked in the case of a cyber incidence. It is very important that international legal issues of cyber attacks must be resolved by various government and non government stakeholders. There is no globally acceptable cyber law treaty and cyber security treaty (PDF) that can govern the relationships between various countries.  Even the Tallinn Manual on the International Law Applicable to Cyber Warfare  (PDF) is just an academic document with no legal binding obligations. The truth is that Tallinn Manual is not applicable to international cyber warfare attacks and defence and countries are free to take measures as per their own choices.

This has necessitated that cyber security related projects in India must be not only expedited but they must also be successfully implemented as soon as possible. Unfortunately, cyber projects like National Cyber Coordination Centre (NCCC) of India, National Critical Information Infrastructure Protection Centre (NCIPC) of India, Grid Security Expert System (GSES) of India, National Counter Terrorism Centre (NCTC) of India, Cyber Attacks Crisis Management Plan of India, Crisis Management Plan Of India For Cyber Attacks And Cyber Terrorism, Cyber Command For Armed Forces Of India, Tri Service Cyber Command for Armed Forces of India, Central Monitoring System (CMS) Project of India, National Intelligence Grid (Natgrid) Project of India, Internet Spy System Network And Traffic Analysis System (NETRA) of India, Crime and Criminal Tracking Network and Systems (CCTNS) Project of India, etc have still not been implemented successfully by Indian government.

This raises the pertinent question as to how Indian government would ensure cyber security of smart cities in India. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance. We also believe that a dedicated cyber security law of India is need of the hour. The same must be a techno legal framework keeping in mind contemporary cyber security threats. Further cyber security disclosure norms in India must be formulated by Modi government. The cyber security awareness in India must be further improved so that various stakeholders can contribute significantly to the growth and implementation of cyber security initiatives of Indian government.

Source: International Legal Issues Of Cyber Attacks.

Cyber Security Of Banks In India Needs Strengthening

Indian Cyber Security has been ignored for many years by the previous Governments making Indian computer systems and critical infrastructures vulnerable to sophisticated cyber attacks. One of the critical infrastructures is banking sector of India that has miserable cyber security infrastructure. The Cyber Security Trends and Developments in India (PDF) have proved this point very well.

We have no dedicated cyber security laws in India and this is creating numerous troubles for various stakeholders. The banking sector of India is also neglecting cyber security in the absence of stern and effective cyber security regulatory norms in India. Some basic level guidelines and recommendations have been issued by Reserve Bank of India (RBI) but they are far from satisfactory and being effective. These include Internet banking guidelines, formation of a RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, RBI Recommendation on Information Security and its implementation in India, etc.

RBI has also mandated establishment of Steering Committees on Information Security by Banks in India and appointment of Chief Information Officers (CIOs) for all banks in India.  However, banks in India have failed to comply with the directions of RBI so far and even RBI has allowed them to take this liberty. In effect, this means that there is neither a legal framework nor any compulsion to ensure cyber security of banks in India. Naturally, the online banking system of India is not at all cyber secure and banks in India are not following cyber security due diligence and cyber law due diligence (PDF) at all.

Sophisticated malware are targeting banking industry around the world. For instance, Malware Dump Memory Grabber has been targeting Indian banks and POS Terminals. Similarly, the Gameover Zeus or GOZ botnet is also capable of stealing sensitive banking and financial information and details. Recently, the US Justice Department even charged a Russian national for creation of Gameover Zeus (GOZ) Botnet.

India is considering wide scale adoption of mobile banking, Internet banking and other online banking and financial transactions methods. However, India has not considered the issues of mobile banking cyber security, internet banking cyber security, legal aspects of Internet banking, cyber security of e-governance services, etc.

There is no doubt that Indian online banking transactions are vulnerable to cyber attacks. The cyber security for banking and financial sectors of India must be ensured as soon as possible. Online payment market of India and e-commerce and online business legal compliances have further increased the requirements of banking cyber security in India. Similarly, cyber due diligence for Paypal and online payment transferors of India must also be ensured by these stakeholders. The sooner this is done the better it would be for the larger interest of banking sector of India.

Source: International Legal Issues Of Cyber Attacks.

International Legal Issues Of Cyber Attacks: Research Works Of Perry4Law

Cyber security is no more a science fiction but has become a much needed reality. World over regulatory and technical issues have vexed the legislators as cyber security is a techno legal issue. In order to effectively deal with cyber security, the legislators need to adopt a techno legal approach. Cyber security community and stakeholders are unanimous on the opinion that the international legal issues of cyber security must be resolved. Indian response vis-a-vis cyber attacks is also clear and India endorses international cooperation regarding cyber security.

Perry4Law Organisation (P4LO) has been managing a dedicated blog on international legal issues of cyber attacks and cyber security. It is the exclusive techno legal blog on the topic not only in India but in entire world. The blog has covered many techno legal aspects like use of cyber espionage malwares, need for the national security policy of India, legal immunity against cyber deterrent acts in India, open source intelligence through social media websites, protection of Indian cyberspace, national counter terrorism centre (NCTC) of India, cyber security challenges of India, cyber preparedness of India, the Wassenaar Arrangement and cyber security issues, intelligence agencies reforms in India, banking cyber security, techno legal analysis of Gameover Zeus, cyber crimes insurance in India, smart cities cyber security in India, etc.

The problem with cyber law and cyber security issues is that they not only involve multiple jurisdictions but they are also governed by different set of laws. A single act of cyber crime may have legal ramifications in more than one jurisdictions. It is also possible that an act or omission may be cyber crime in one jurisdiction whereas it may be allowed in another. In short, conflict of laws in cyberspace are very difficult to manage in the absence of a true global cyber law and cyber security treaty (PDF).

As far as India's readiness regarding cyber security capabilities are concerned, India is still concered a sitting duck in the cyberspace and civil liberties fields. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security very seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance.

We also believe that a dedicated cyber security law of India is need of the hour. The same must be a techno legal framework keeping in mind contemporary cyber security threats. Further cyber security disclosure norms in India must be formulated by Modi government. The cyber security awareness in India must be further improved with a special emphasis upon clearly specifying the cyber security obligations of directors of Indian companies.

As on date Indian laws, policies and efforts are not sufficient enough to curb the menace of cyber crimes. Cyber attacks, etc happening at the global level. In the absence of global harmonisation of laws in the fields like cyber law and cyber security, India has no other option but to strengthen its own cyber law and cyber security capabilities.

A particular cause of concern is that many developed countries have been engaging in illegal and unconstitutional e-surveillance not only on their own citizens but upon Indian citizens as well. They would not be interested in a harmonised global legal framework for cyber law and cyber security. Unfortunately, India has also adopted the e-surveillance methods and have launched many illegal and unaccountable e-surveillance projects like Aadhaar, Natgrid, Central Monitoring System (CMS), etc. The worst has come in the form of unaccountable and unregulated Digital India project of Modi government that has become the digital panopticon of India. Instead of concentrating upon information security and data protection, Indian government is actively working against civil liberties protection in India. Till now there is no encryption policy of India (PDF) that can ensure information and data security.

In these circumstances it is really difficult for Indian government to effectively mange the international legal issues of cyber attacks. Nevertheless, a start must be made by Indian government as soon as possible. We hope Indian government would realise the importance of cyber security very soon.

Cyber Security Policy Of India 2015 Must Be Formulated By Narendra Modi Government: CECSRDI

Narendra Modi government has been trying its level best to manage the affairs of India. However, not much success has been achieved by it till now. The worst performance of Modi government pertains to cyber security field where Modi government seems to have lost the track.

If we analyse the projects already implemented by Modi government it is clear that the present BJP government seems to be suffering from “policy bankruptcy”. Till now not even a single policy decision has been taken by Modi government that has proved to be effective. All the Modi government has been able to achieve is continuance of the already left Congress government’s policies and projects.

For instance, projects and policies like National Cyber Coordination Centre (NCCC) of India, National Critical Information Infrastructure Protection Centre (NCIPC) of India, Grid Security Expert System (GSES) of India, National Counter Terrorism Centre (NCTC) of India, Aadhaar Project of India, National Cyber Security Policy of India 2013 (NCSP 2013), Cyber Attacks Crisis Management Plan of India, Crisis Management Plan Of India For Cyber Attacks And Cyber Terrorism, Cyber Command For Armed Forces Of India, Tri Service Cyber Command for Armed Forces of India, Central Monitoring System (CMS) Project of India, National Intelligence Grid (Natgrid) Project of India, Internet Spy System Network And Traffic Analysis System (NETRA) of India, Crime and Criminal Tracking Network and Systems (CCTNS) Project of India, e-mail policy of India, etc were launched by Congress government.  

On the other hand Modi government has taken few steps that are “low hanging fruits” at the maximum. For instance, appointment of Dr. Gulshan Rai as India’s first CISO and asking Nasscom to constitute a task force to solve the growing cyber security menace in India are the two steps taken by Modi government so far. Both these steps are “declarations only" so far as their actual implementation and impact is yet to be seen.

We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance. If Modi government cannot formulate even the basic cyber security policy of India 2015 there are little chances that it would be capable of protecting Indian cyberspace from sophisticated cyber attacks and malware.

We also believe that a dedicated cyber security law of India is need of the hour. The same must be a techno legal framework keeping in mind contemporary cyber security threats. Further cyber security disclosure norms in India must be formulated by Modi government. The cyber security awareness in India must be further improved with a special emphasis upon clearly specifying the cyber security obligations of directors of Indian companies. 

CECSRDI wishes all the best to Modi government in its cyber security initiatives and projects and hopes that Modi government would actually start working in this direction as soon as possible.

Cyber Security And Related Issues: Comprehensive Coverage

Qualitative cyber security literature is a real treat for cyber security enthusiastics.  INSIGHTS has published one such qualitative cyber security related article that is both comprehensive and well written. The article can be accessed here that is covering both national and international perspectives.  

The scheme of the article comprises of introduction, types of security threats, conventional cyber crimes, cyber warfare and its examples, cyber terrorism and its examples, the need to regulate cyber space, tool to protect against cyber threats, cyber laws in India, ongoing efforts in India, stakeholder agencies in India, intergovernmental organizations and initiatives and much more.

Civil liberties issues like e-surveillance and accountability of intelligence agencies of India have also been covered. A very good read for all those interested in cyber security of India.

National Cyber Coordination Centre (NCCC) Of India In Pipeline

National Cyber Coordination Centre (NCCC) of India is a promising initiative of India that would help in dealing with adverse cyber activities in India. The Congress Government started this project and now it seems to have been picked up by BJP Government. As per media reports, the National Cyber Coordination Centre (NCCC) of India may finally see the light of the day and may become functional very soon.

However, BJP Government has to take a firm stand in this regard as we have already seen many promises in the cyber security field in the past. The Cyber Security Trends and Development in India 2013 (PDF) provided by Perry4Law and Perry4Law’s Techno Legal Base (PTLB) have marked many shortcomings of Indian cyber security initiatives.

The policy paralysis in cyber security field has continued even in the BJP Government. For instance, the cyber security policy of India 2013 is still not implemented. Similarly, neither the NCCC nor the National Critical Information Infrastructure Protection Centre (NCIPC) of India has become fully functional till now.

However, the biggest failure of both Congress and BJP Government is lack of a dedicated cyber security law of India. In addition, BJP Government has also failed to take care of outdated and draconian laws like cyber law and telegraph Act of India.

Many cyber security related projects are managed by Indian security and intelligence agencies without any parliamentary approval and oversight. The intelligence infrastructure of India needs transparency and reforms. Without this cyber immunity cannot be granted to these agencies. India must also reconcile civil liberties and national security requirements while protecting Indian cyberspace.

The ultimate solution is to formulate a techno legal framework that can safeguard Indian cyberspace in the best possible manner.

Cyber Security Compliances For Doing E-Commerce Business In India

Legal and regulatory compliances are sine quo non for the performance of any business in a legal manner. In the present times, these legal compliances have become very technical and cumbersome. This is more so when e-commerce business sis involved.

E-commerce business involves information and communication technology (ICT) for its conduct and operation. ICT introduces additional challenges like conflict of laws in cyberspace for various e-commerce stakeholders and law enforcement agencies. Cyber security challenges are also faced while doing e-commerce business.

E-commerce business is flourishing at a great speed in India. Most of the e-commerce entrepreneurs are concentrating upon commercial aspects with an eye upon profit motive. In this race they are ignoring techno legal requirements that may affect their rights in the long run.

For instance, e-commerce laws in India are spread across multiple legal frameworks and they are seldom followed by Indian e-commerce stakeholders. Even foreign e-commerce players and portals are required to be registered in India and comply with Indian laws.

Similarly, e-commerce players are required to comply with cyber law and cyber security regulatory compliances in India. A dedicated law for cyber security breaches disclosures is also in pipeline that would impose stringent obligations upon e-commerce players operating in India. Companies that would fail to comply with the cyber law due diligence requirements in India may be punished according to Indian laws.

The cyber security challenges for Indian companies are very difficult to manage in the absence of proper planning and management. Directors of Indian companies and e-commerce websites can be held liable for improper cyber security dealings in India.

Thus, cyber security regulatory compliances issues of e-commerce businesses in India cannot be ignored by various stakeholders except at the risk of litigations and heavy monetary compensations.

China Plans To Enact National Security Law

China is planning to formulate a comprehensive national security law amid rapidly changing circumstances in online and off line worlds. However, like other countries, China has also stressed too much upon regulation and intelligence dependence than balancing the national security and civil liberties requirements. China has also decided to launch its own operating system to remove dependence upon foreign operating systems.

The proposed law seeks to punish companies and individuals engaged in spying and espionage activities. It also includes provisions pertaining to sealing, seizure and confiscation of device, money, venue, supplies and other properties that are related to espionage activities. Illegal income attributable to such activities can also be confiscated.

On the other hand, the national security policy of India is grossly deficient on numerous counts. The biggest lacuna is that it lacks a techno legal orientation and implementation. There are certain essential components of national security policy of India that are still missing. Even the national cyber security policy of India is defective and is still not implemented.

India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission Cellular Loop’s Proposal would also strengthen mobile based surveillance on national security grounds in India. However, absence of a techno legal national security law of India is the biggest hurdle.