Cyber Security Of Indian Satellites Needs War Level Strategy

Satellite Cyber Security

We need satellites for communications round the year in an uninterrupted and qualitative manner. We also need them for military and space research purposes. But satellites are not cheap to build, launch and maintain. Satellites, like other communication systems, are also prone to cyber attacks. Just imagine a country has done all the hard work to put a satellite in orbit and some rogue nation or cyber criminal cracks it and takes complete control of it. Such a person or nation can do whatever it decides to do with it. So cyber security of Indian satellites is of paramount importance and it is good that Indian government has been protecting them as critical infrastructures.

However, India is not doing enough as per its potential. We are not doing enough on the front of cyber law and cyber security legislation, we are not doing enough on the front of cyber security policy, we do not have dedicated cyber warfare and cyber espionage policies, etc. There is tremendous scope in these fields and what is encouraging is that Indian government has decided to formulate the Cyber Security Strategy of India 2020.

We have been suggesting since long that we need dedicated and highly specialised initiatives in these fields. We should stop merging everything into a single code and try to make it workable. That is a highly defective strategy and Indian government must abandon this practice as soon as possible.

We are not saying this thing for the sake of saying and we are also willing to act in this regard. We are not only working in the direction of providing international cyber security legal services but we have also launched a dedicated portal for online skills development in fields like cyber law, cyber security, cyber forensics, artificial intelligence, machine learning, big data, privacy and data protection, etc. Our TeleLaw Project is managing the cyber security related legal services globally while our online skills development portal is managing the training and skills development aspects.

Now coming back to the aspect of cyber security of Indian satellites. To get a robust and resilient cyber security of Indian satellites we must understand that claiming that anything is hack proof is a big mistake. It is not enough that a particular system is not connected to the Internet and is air gapped. It is also not enough that such a system is additionally using end to end encryption. No matter what cyber security and security system we may use, a system can be breached and taken control of.

The safest bet is to let the white hat community attack a dummy satellite or system and plug any weaknesses in the security of the same, if discovered. India is a land of coders and technical experts. They have been testing foreign platforms and are also earning handsomely as bounties for exposing weaknesses in these portals. We can use the same intelligent community to strengthen Indian cyber security. But that is a difficult thing to implement as we lack political will in this regard and there is also a policy vacuum. Let us change this for the betterment of all and if that is already implemented by Indian government, we welcome such a proactive step.

As far as our contribution and role is concerned, we recently launched two legal entities named PTLB Projects LLP (EduTech) and TeleLaw Private Limited (LegalTech and TechLaw). We were amazed to see the level of commitment that Indian government is showing to Indian startups. Both our entities have been recognised as startups by not only DPIIT but also MeitY. So there is an absolute commitment by Indian government to help startups in every possible manner. Be it technical assistance or taxation and regulatory benefits, Indian government has done the best it could have done. The only difficulty that we faced is that the portals meant to help MSMEs and startups in getting financial assistance and other facilities are completely out of sync with the present working conditions and realities of MSMEs and startups. They must be better managed by a committed support team and once that is done India would be number one in startups and unicorn creation.

So whether it is enactment of cyber law and cyber security laws or inculcating skills among various stakeholders in techno legal fields, we are committed to contribute our level best. But the final call is for the Indian government to take as we have already done what possibly could have been done in this regard. Let us hope for the best.

Posted in Uncategorized | Comments Off

National Cyber Security Strategy 2020 Of India Must Be Techno Legal

Cyber Security Strategy 2020

Cyber law and cyber security fields need continuous updation and upgradation. They are not one time solutions and they need to accommodate contemporary threats from cyber crimes and cyber attacks. India has enacted both Information Technology Act, 2000 (IT Act 2000) and the Cyber Security Policy. However, both of them have fallen well short of the desired policies and initiatives.

What is good is that Indian government is well receptive to the inputs from industry and various stakeholders. It has been amending the IT Act 2000 from time to time using guidelines and rules. That is something that we do not endorse as using delegated legislations or piecemeal approach to a matter that requires holistic and comprehensive approach is not good. Nevertheless, India may soon enact dedicated legislations for cyber crimes, e-commerce, cyber security, privacy and data protection.

What has emerged from various media reports is that India is considering formulation of the Cyber Security Strategy 2020. As in the past we are reiterating that such a policy must be techno legal in nature. It must amalgamate both technological and legal aspects to be most effective. We cannot add too much technology to it and at the same time we cannot force too many regulations either.

What is required is an optimum combination of technology and law and we at Perry4Law Organisation (P4LO) have been dealing in the same for more than 17 years. We have also launched a LegalTech and TechLaw portal named TeleLaw Project that is now helping global stakeholders in techno legal fields. The TeleLaw Project would be happy to engage with Indian government for various techno legal requirements, including the proposed Cyber Security Strategy 2020.

We at P4LO welcome this step of Indian government and irrespective of whether we are part of this process or not, we would always help India in this regard in one form or another.


Cyber Security Trends Of India 2017 By PTLB

Cyber security has attracted attention of various stakeholders in India. These include Indian government, companies, individuals, banks, etc. Perry4Law Organisation (P4LO) has already provided the Indian Cyber Security Trends 2017 and interested stakeholders may read the same for in-depth analysis of cyber security position that may emerge in India in 2017.

In this article, Perry4Law’s Techno Legal Base (PTLB) would provide a summary of cyber security trends of India 2017 that may emerge in the year 2017.

(1) Digital India Security: Security of digital India project is of utmost importance as many online services are based upon it. The year 2016 did not see much work in this regard and digital India remained an insecure project that lacked cyber security capabilities. It has now become indispensable for the Indian government to ensure cyber security for digital India in 2017 as without cyber security most of government’s projects would create more trouble than solution.

(2) Digital Payments: The thrust upon digital payments without adequate cyber security is a really troublesome notion. The entire digital payment and online banking system of India is vulnerable to cyber attacks and cyber thefts. Whether it is debit/credit cards, mobile wallets, online banking or any other proposed e-banking option; they are very much vulnerable to sophisticated cyber attacks. Indian banks and digital payment providers are clearly not equipped to deal with the cases of cyber attacks and cyber crimes that are going to increase in 2017.

(3) Ransomware: Ransomware emerged as one of the top nuisances in the year 2016. Ransomware attacks would further increase in 2017 in India. As India is moving towards a data nation, locking of the same would be catastrophic. We have little defense against ransomware in India as on date and businesses may feel helpless and prone to litigations once they are hit by it.

(4) Smart Cities Security: Indian government is all set to establish smart cities in India. Many smart cities were approved in the year 2016 and work upon them may start in 2017. Indian government has considered all aspects of smart cities managements and PTLB hopes that cyber security of smart cities in India must also have been considered along with possible legal issues that may arise.

(5) IoT Security: Internet of things (IoT) received positive response in India in 2016. Many national and international stakeholders have shown interest in IoT driven services. Of course, at this stage most of them are just exploring as techno legal issues are still not clear. However, what is clear is that IoT services require strong cyber security and civil liberties protection that was missing in 2017. That may be natural as well, as IoT is still evolving in India, and PTLB hopes that IoT would be able to manage cyber security, civil liberties and data security aspects in the year 2017.

(6) Cloud Computing Security: Cloud computing is a comparatively well-received concept in India. In fact, companies and individuals have been investing in cloud computing ventures even before 2016. However, many of our clients were apprehensive in launching a full fledged cloud computing business. This is largely due to the fact that regulatory and technological aspects are still not clear to them. In the absence of clarity about these aspects, cloud computing witnessed a limited growth in 2016. The year 2017 may see better growth for cloud computing businesses.

(7) Aadhaar: Aadhaar project was pushed very rigorously by Indian government in the year 2016 even by indulging in contempt of court. However, little efforts were undertaken by Indian government to protect civil liberties and cyber security issues of Aadhaar. For projects like digital India and Aadhaar, cyber security laws are urgently needed but they remained missing in 2016. The year 2017 may see some positive development in this regard.

(8) Critical Infrastructure Protection: Indian government has hinted towards launch of botnet and malware cleaning centers in the year 2017. This is a positive development as it would help in critical infrastructure protection (Pdf) in India. Indian government has also been formulating guidelines and regulations ensuring protection of protected systems and critical infrastructures from time to time. The National Critical Information Infrastructure Protection Centre (NCIIPC) has also been working in the direction of protecting Indian critical infrastructures. PTLB strongly recommends that NCIIPC must be formally launched by Indian government with clear cut functions and responsibilities. This did not happen in 2016 and 2017 may see some development in this regard.

(9) Healthcare Security: With increasing use of ICT for healthcare, India needs a robust healthcare cyber security. This must be supplemented with adequate privacy safeguards and effective data protection. In 2016 Indian government failed to ensure cyber security, data protection and privacy protection for healthcare industry. The year 2017 may also see little efforts in this direction from government’s side.

(10) Banking Security: Banking cyber security is an area where Indian government must work a lot. Financial transactions and digital payments in India are vulnerable to diverse cyber attacks and cyber crimes. Banks are ill equipped to deal with sophisticated cyber crimes and cyber attacks. Bank customers have little recourse against the guilty banks and digital payment service providers who have been negligent in ensuring cyber security. This is happening even after a cyber security framework has been prescribed by Reserve Bank of India (RBI) that is mandatory to follow by Indian banks. However, despite the passing of the September 2016 deadline, banks have not made their systems cyber secure. Indian government may force banks to follow cyber breach disclosure norms and put in place adequate cyber security in 2017.

(11) Cyber Litigations: Cyber litigations are going to increase in the year 2017 in India. The increase in cyber crimes and cyber attacks in 2016 is a hint of the same. Till now cyber awareness among people is not high. Once they are aware of their cyber rights, they would enforce the same. However, law enforcement agencies of India must be modernised and they must develop good cyber crime investigation and cyber forensics capabilities.

(12) Cyber Insurance: Cyber insurance business would see a big growth in the year 2017 due to increased cyber crimes and cyber attacks. Already many businesses have opted for cyber liability insurance in the year 2016. However, there are certain techno legal issues of cyber liability insurance that must be kept in mind by both insurance companies and insured. The year 2017 may also see entry of new players, startups, entrepreneurs, etc in the field of cyber insurance.

(13) Blockchain: Many stakeholders explored use of blockchain and bitcoin in the year 2016. Indian government and Reserve Bank of India (RBI) are also analysing blockchain and bitcoin and its possible usages. However, no clear picture emerged in the year 2016 in this regard. Also issues of techno legal regulatory compliances and legality of bitcoin in India are still unresolved. The year 2017 may see some positive developments built around blockchain and bitcoin.

We hope our readers and various stakeholders would find the cyber security trends of India 2017 by PTLB useful.


Cyber Espionage Policy Of India

The traditional methods of espionage are things of the past. Now most of the crucial and sensitive information and data are stored on computers and electronic devices. Naturally, computers and information and communication technology (ICT) associated with government and companies are the primary target of those seeking espionage in the modern era. This process of infiltration and breach of sensitive and top secret government and corporate computers is known as cyber espionage.

Cyber espionage in India is not a new concept but has been in existence since last decade. Further, cyber espionage may be done by an insider or an outsider by exploiting the vulnerabilities in the cyber security of an organisation. The real problem is that cyber espionage is inexpensive and relatively easy to commit and it is also very difficult to prove with absolute certainty. In short, without a conclusive “authorship attribution” cyber espionage is largely a lost battle. This is the reason why the Defense Advanced Research Projects Agency (DARPA) of United States is soliciting innovative research proposals in the area of cyber attribution.

If we analyse the cyber attacks trends against India for the past few years it would be apparent that the frequency and sophistication of various cyber attacks have significantly increased. This has been well analysed and documented by the cyber security developments of India 2015 and cyber security trends in India 2016 by Perry4Law Organisation (P4LO). Sophisticated cyber espionage malware like Uroburos/Snake, FinFisher, etc are easily defeating the cyber security safeguards. The global cyber espionage operation named SafeNet was discovered in the year 2013 that infected computers across the globe.

Recently it was reported in the media that a cyber espionage group named Danti could have breached the computer of top ranking bureaucrats in the government. Cyber espionage groups like Danti usually send an e-mail carrying a malware or a malicious link, which seems to be originating from a government official mail or an e-mail from some government department. Once such malware is activated by either opening the malicious downloaded file or clicking on the malicious link, the malware is silently installed upon the victim’s system. It works in a stealth manner and keeps on stealing the sensitive information and sending it to the designated server in an encrypted and coded manner.

India has neither a dedicated cyber security law nor mandatory cyber breach disclosure norms as on date. Even the cyber security infrastructure of India is grossly deficient as it cannot tackle sophisticated cyber attacks and malware. We do not have any cyber warfare policy of India (pdf), cyber terrorism policy of India, critical infrastructure protection policy of India (pdf) and cyber espionage policy of India. Even the important encryption policy of India (pdf) is missing till now. Constitution of the Tri Service Cyber Command for Armed Forces of India has skipped many deadlines and it is yet to be established. All we have is a defective and outdated cyber security policy formulated in the year 2013 that needs urgent reformulation.

As far as Indian cyber law is concerned, it has become almost redundant and it needs an urgent amendment, preferably a re-enactment. Even Indian Telegraph Act needs to be repealed as it carries many draconian e-surveillance and phone tapping related provisions that have no place in a modern democratic society like India. However, the worst blow came from Indian Supreme Court that has virtually killed the cyber law due diligence (pdf) instead of strengthening the same. Clearly, India lacks the required techno legal framework that alone can help it in fighting against cyber crimes and sophisticated national and international cyber attacks.

Another area of concern is the absence of adequate cyber security of e-governance services in India. Indian government is pushing its Digital India project without any civil liberties and cyber security safeguards. For instance, we have inadequate cyber security for smart grids, smart cities, critical infrastructures, nuclear facilities, satellites, governmental informatics infrastructures, defense networks, etc and Digital India cannot succeed in the absence of a robust and resilient cyber security for these critical infrastructures. We do not have an implementable cyber attacks crisis management plan of India that can be relied upon in case of a sophisticated cyber attack.

At a time when US law enforcement and intelligence agencies have acquired trans border hacking powers, it would be naive to assume that the same would not be used against Indian computers. The truth is that US is pushing other nations towards cyber warfare and cyber espionage race. In this background it is imperative that Indian government must not only enact dedicated and techno legal cyber security laws for India but also insulate Indian cyberspace and computers from foreign cyber attacks and cyber espionage attempts. We at Perry4Law Organisation (P4LO) strongly recommend that a dedicated cyber espionage policy of India must be urgently formulated by Indian government in these circumstances. P4LO would be happy to assist Indian government and other national and international stakeholders in formulation of cyber espionage policy in general and amended cyber law and cyber security laws in particular.

As per media reports, Indian government is contemplating to frame a comprehensive policy to deal with cyber espionage and other threats related to it. The policy that may enable setting up of a panel of experts who can work closely with the security establishment is being closely monitored by the Prime Minister’s Office. Indian government is also working in the direction of bringing suitable changes in the existing laws to make them more compatible and contemporary to the present time requirements. The cyber security manpower would also be strengthened along with upgrading the cyber security infrastructure to tackle cyber attacks. P4LO welcomes these positive developments and wishes all the best to Indian government in this regard.

Source: International Cyber Security.


Are Present Day Malware Beyond The Reach Of Cyber Security Products And Services?

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW CEO PTLB

Malware have been a big cyber security nuisance for long. Cyber security vendors have been trying to contain various sophisticated malware that come up from time to time. As the nations and state actors have become interested in these malware and some of them are even funding their development and exploitation, cyber security products and services are finding it difficult to match their capabilities.

Till the time a cyber security product or service is launched to contain a sophisticated malware, the havoc and damage is already done. In this article titled “Malware Are Defeating Cyber Security Safeguards With Ease”, this fight between malware and cyber security products has been aptly described.

Presently malware are clearly winning the fight between security and system infections as security products are inherently incapable of tackling zero day vulnerabilities and state sponsored cyber attacks.

In the research article titled “Prospective Cyber Security Trends In India 2015”, Perry4Law Organisation (P4LO) predicted that state sponsored cyber attacks would increase. This actually happened and even Twitter and Google issued warnings that state sponsored cyber attacks may be there for their products and services. The “Cyber Security Trends In India 2016” have also predicted the rise of botnet, malware and cyber attacks against critical infrastructures around the world.

It is a wake up call for the cyber security vendors to either improve their security products and services or become redundant and ready to be exiled. What is the purpose of an anti virus that cannot detect and remove a malware?

At the same time there is a need to change the attitude towards cyber security by individuals, companies and governments. At the organisation level, there must be a techno legal policy for cyber security that should be religiously followed. Any lapse in the policy may be lethal for the financial and brand value of the organisation.

As far as India is concerned, India is still struggling to establish the Chief Information Security Officer (CISO) culture. Even at the government level, CISO culture is still missing. For instance, recently the Prime Minister’s Office (PMO) of India appointed Dr. Gulshan Rai as the first CISO of India. Although this is a very good and proactive move, we have seen little development in this regard so far. Similarly, appointing the Chief Information Officers (CIOs) was made mandatory for all banks in India in 2012 yet till 2016 banks have not done so. In fact, cyber security of banks in India is in a very poor condition.

Even the government projects like National Critical Information Infrastructure Protection Centre (NCIIPC), National Cyber Coordination Centre (NCCC), etc have failed to achieve what they were contemplated for. There are no cyber breach disclosure norms in India as well. As a result we have an almost missing cyber security infrastructure in India that needs to be revamped and strengthened immediately. This is more so when India has introduced the “Digital India” project that would make Indian infrastructure vulnerable to sophisticated cyber attacks from around the world. When everybody is passing the buck, who is going to bell the cat named malware?


Blog On International Legal Issues Of Cyber Attacks

Anybody who has dealt with international cyber law and cyber security related issues must be aware that it is really tough to solve such cases. Being transnational in nature, cyber law and cyber security issues require international cooperation among various nations and law enforcement agencies.

For instance, if a simple exercise of internet protocol tracking is undertaken, it takes months before any information is received from a foreign jurisdiction. Even in such cases, these are exceptional cases and not a general practice. In this process, the crucial digital evidence is lost forever and the cyber crimes investigation becomes a cold trail.

As there is a severe conflict of laws in cyberspace, it is very important to be aware of various technology related laws of various jurisdictions. However, it is not possible to be aware of all the laws of various jurisdictions. In order to spread public awareness in this regard, Perry4Law Organisation (P4LO) has been managing a dedicated blog on international legal issues of cyber attacks and cyber security. It is the exclusive techno legal blog on the topic not only in India but in the entire world.

The blog has covered many techno legal aspects like use of cyber espionage malwares, need for the national security policy of India, legal immunity against cyber deterrent acts in India, open source intelligence through social media websites, protection of Indian cyberspace, national counter terrorism centre (NCTC) of India, cyber security challenges of India, cyber preparedness of India, the Wassenaar Arrangement and cyber security issues, intelligence agencies reforms in India, banking cyber security, techno legal analysis of Gameover Zeus, cyber crimes insurance in India, smart cities cyber security in India, etc.

As on date we have no dedicated cyber security laws in India. This is the reason why cyber security is more ignored than complied with in India. Even the blooming e-commerce industry of India is devoid of required cyber security practices and requirements. Cyber security of banks in India is also not up to the mark. This has forced the Reserve Bank of India to constitute an IT subsidiary that would consider, monitor and prescribe cyber security related rules, regulations and practices for banks in India. Even the Companies Act 2013 has prescribed cyber security obligations for the directors of companies. This is in addition to the cyber law obligations of banks and directors of Indian companies.

It is well understood that international legal issues of cyber attacks are not easy to handle. Nevertheless, Indian government cannot afford to ignore this situation and it must urgently work towards making Indian cyber security robust, resilient and effective. P4LO hopes that our readers would find our blog on international legal issues of cyber attacks, cyber law and cyber security useful.


School Children In India Must Be Suitably Educated About Cyber Issues

Protecting children in cyberspace is a collective responsibility of all stakeholders, including Indian government. At a time when Indian government is adopting Digital India project, our society at large is required to take care of our children while they use Internet and information and communication technology (ICT).

There is no second opinion that children dealing with cyberspace require special attention and safeguards. Indian government and various stakeholders are required to adopt and use both legal and technical measures to safeguard interests of children. On the legal side we must have strong cyber law to punish the offender. On the technical side we must have effective technology, including hardware and software, which can prevent potential abuse of children in cyberspace.

While dealing with cyberspace, children may be either perpetrator or victim of cyber crimes, cyber bullying, pornography, etc. They must be made suitably aware as well as protected from these cyber threats. After all, human rights protection in cyberspace also includes protection of children’s human rights.

Child pornography is an area that requires special attention of Indian government. As per the cyber law trends of India 2013 (PDF) by Perry4Law’s Techno Legal Base (PTLB), child pornography in India is becoming a big nuisance. An Advisory (PDF) by Home Ministry of India on Preventing and Combating Cyber Crime against Children in India has also been issued. Recently Interpol helped India in tracking child porn surfers. We also need such Techno Legal Framework so that child pornography can be curbed to the maximum possible extent in India.

Cyber law and cyber security awareness must also be made available to children at the school level itself. Schoolchildren must be made aware about the provisions of Information Technology Act, 2000 (IT Act 2000) and other laws of India so that they are well aware of the consequences of their acts or omissions in the cyberspace. Similarly, cyber security related aspects must also be taught to them to keep their cyberspace behaviour and activities cyber safe.

At PTLB Virtual Campus we believe that online skills development and education initiatives can play a significant role in educating our young generation. Virtual campus and e-learning platforms can provide “learn as you wish models” to school students that they can access from both school and their homes.

PTLB’s Online Skills Development and Training Platform has dedicated separate skills development, education and training courses for school students in the fields like cyber law, cyber security, etc. More details and the enrollment procedure would be announced by us very soon. Till then please visit the website and its segments on a regular basis.


Cyber Security Challenges In India Would Increase

Cyber security is a complicated process to manage. It requires both technological expertise and legal compliances. Some developed nations have enacted cyber security regulations but they have outlived their natural lives. The present day cyber security regulations require a techno legal orientation that is a big challenge for legislators around the world.

India has enacted the Information Technology Act, 2000 that governs legal issues of e-commerce, e-governance, cyber crimes, etc. However, techno legal experts believe that Indian laws like IT Act 2000 and Telegraph Act require urgent repeal and new and better techno legal laws must be enacted to replace these laws.

There are no dedicated cyber security laws in India. Indian government has drafted the cyber security policy of India 2013 but the same has not been implemented so far. Further, the policy is also suffering from many shortcomings including lack of privacy and civil liberties protection and absence of cyber security breaches disclosure norms. The cyber security trends of India (PDF) have also shown poor cyber security preparedness of India to protect its cyberspace and critical infrastructures.

India has still to take care of issues like critical infrastructure protection (PDF), cyber warfare policy (PDF), cyber terrorism, cyber espionage, e-governance cyber security, e-commerce cyber security, cyber security of banks, etc. Companies and individuals are also required to cyber insure their businesses from cyber threats.

A cyber crime prevention strategy of India may be formulated very soon by Indian government. This has come in the wake of a public interest litigation (PIL) filed at the Supreme Court of India that has asked the centre to frame regulations and guidelines for effective investigation of cyber crimes in India. Simultaneously, the cyber crime investigation trainings in India are also needed.

The offensive and defensive cyber security capabilities of India are also required to be developed. A cyber attacks crisis management plan of India must also be formulated to tackle cyber attacks and cyber terrorism against India. The proposed National Cyber Coordination Centre (NCCC) of India is a good initiative regarding strengthening of Indian cyber security capabilities. The National Critical Information Infrastructure Protection Centre (NCIIPC) of India would also come in handy in protecting Indian cyberspace.

The ambitious project named Digital India would also require very robust and effective cyber security infrastructure and capabilities on the part of the Indian government and its agencies. There is no international cyber security treaty (PDF) or cyber law treaty that can help in resolving conflict of laws in cyberspace. Even a simple task of obtaining digital information from foreign companies like Google takes months to achieve. By that time the crucial evidence is already gone and the received information proves worthless.

We at Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) believe that cyber security breaches have significantly increased the world over. The cyber security challenges in India are not easy to manage, especially when India is a late entrant in this field. There is no doubt that Indian cyberspace must be protected on a priority basis as India would be relying more and more on digital services in the near future.


India Is A Sitting Duck In The Cyberspace And Civil Liberties Protection Regime

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW CEO PTLB

Indian Citizens, Political Organisations and Government Departments have been systematically targeted for Cyber Attacks for long. India was least bothered about these issues as India lacked Cyber Security Capabilities to tackle these sophisticated cyber attacks. The Cyber Security Trends in India 2013 (PDF) and Global Cyber Security Trends and Updates 2014 by Perry4Law and PTLB have highlighted many “Shortfalls and Weaknesses” of Indian Cyber Security Efforts and Initiatives.

Amid all this chaos the Indian Government introduced the National Cyber Security Policy of India 2013 (NCSP 2013). The NCSP 2013 can be accessed Here (PDF) and an analysis of the same makes it clear that it failed to address many crucial Techno Legal Issues including Privacy and Data Protection. We have no dedicated Privacy and Data Protection Laws (PDF) in India as on date despite the pressing requirement for the same.

India is a Sitting Duck in the Cyberspace and Civil Liberties Protection Regime. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, Gameover Zeus (GOZ), etc. cannot be tackled by India due to lack of Offensive and Defensive Cyber Security Capabilities. Cyber Security Breaches are increasing the World over and India must be “Cyber Prepared” to deal with the same. The Cyber Security Challenges before the Narendra Modi Government are not easy to manage and Indian Cyberspace must be protected on a “Priority Basis”.

Civil Liberties like Privacy Rights must be respected by all. However, the US FISA Court is big trouble for Indian Privacy and Civil Liberties. For too long issues like Privacy Laws have been ignored in India and the Narendra Modi Government must ensure Privacy to Indians on a “Priority Basis”. The Policies in this regard must be changed urgently and work in the direction of enactment of dedicated Privacy and Data Protection Laws of India must be started as soon as possible. Intelligence Agencies Reforms in India must also be placed on the “Priority List” of the Modi Government.

India must also stress upon “Indigenous Cyber Capabilities” to neutralise any isolation attempts through mechanisms like the Wassenaar Arrangement. India has recently opposed the proposal to include Cyber Security Technologies under the Wassenaar Arrangement.

But the ultimate test for the Modi Government is to “Stand Up” and show that India is not a Sitting Duck in the fields of Cyber Security, Civil Liberties Protection and Cyber Security Capabilities. Of course, India must put her “Own House in Order” before proving that “Character and Strength”.


US Justice Department Charges Russian National For Creation Of Gameover Zeus (GOZ) Botnet

The Gameover Zeus or GOZ botnet is a well known malware that is capable of stealing sensitive banking and financial information and details. It first appeared in the year 2007 and then changed its form from time to time. The second version of Zeus malware shifted its base from a centralised command and control server to peer-to-peer in September 2011. This has made it very difficult to apply countermeasures against Zeus, which is now known as the Gameover Zeus (GOZ) botnet.

It has been reported that the US Justice Department has indicted a Russian national for writing computer code used to compromise banking systems and assist others in stealing banking credentials. The government has unsealed a 14-count indictment accusing Russian national Evgeniy Mikhaylovich Bogachev, who authorities said is known online as Lucky12345, of involvement in the creation of the Gameover Zeus, or GOZ, botnet. Authorities claim Bogachev and his group infected thousands of business computers with software that captured passwords, account numbers, and other information.

An international operation disrupted the crime ring. The European Cybercrime Centre also participated in the operation, along with Australia, Canada, France, Germany, Italy, Japan, Luxembourg, New Zealand, Ukraine and the United Kingdom. Intel, Microsoft, security software companies F-Secure, Symantec, and Trend Micro, and Carnegie Mellon University also supported the operation.

Authorities used technical and legal tactics to interrupt the so-called botnet’s operations, shutting down the servers the criminals used to control infected machines and causing those machines to “phone home” to servers controlled by law enforcement. As part of the cleanup effort, federal agents have redirected infected computers to Homeland Security servers to identify victims and provide information about how to remove the malware. Victims can head over to the DHS’s Computer Emergency Readiness Team (US-CERT) website for assistance.

In a separate action, U.S. and foreign law enforcement officials also seized control of the malware known as Cryptolocker, which locks victims out of their computer files until they pay a ransom.

“This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data,” said Deputy Attorney General James M. Cole. “We succeeded in disabling Gameover Zeus and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world.”

The Gameover Zeus botnet operates silently on victim computers by directing those computers to reach out to receive commands from other computers in the botnet and to funnel stolen banking credentials back to the criminals who control the botnet. For this reason, in addition to the criminal charges announced today, the United States obtained civil and criminal court orders in federal court in Pittsburgh authorizing measures to redirect the automated requests by victim computers for additional instructions away from the criminal operators to substitute servers established pursuant to court order. The order authorizes the FBI to obtain the Internet Protocol addresses of the victim computers reaching out to the substitute servers and to provide that information to US-CERT to distribute to other countries’ CERTs and private industry to assist victims in removing the Gameover Zeus malware from their computers. At no point during the operation did the FBI or law enforcement access the content of any of the victims’ computers or electronic communications.
