Three U.S. States Are Investigating EBay’s Cyber Security Standards And Cyber Security Breach Disclosure Practices

Three U.S. States Are Investigating EBay’s Cyber Security Standards And Cyber Security Breach Disclosure PracticesCyber security breaches are very common and are increasing world over these days. Cyber criminals are targeting companies possessing and storing sensitive information about people. These include banks, law firms, e-commerce companies and many more such institutions that are retaining other’s sensitive information.

However, these institutions are also required to ensure robust cyber security and effective data protection of the information and data submitted to them. We at Perry4Law believe that these institutions hold the information about their customers/clients in a fiduciary capacity and they are under legal obligation to protect this information as far as and as much as possible.

We also believe that not only the obligation is regarding protecting the information but there is also an obligation to report any potential and actual cyber security breach that has taken place and that has endangered or had the potential to endanger the information of the customers/clients.

World over companies are not complying with the cyber security breach notification requirements. For instance, Target Corporation was attacked by cyber criminals and as a result of that Target Corporation faced litigation threats around the world. Similarly, EBay was also attacked recently and it has asked its customers to change their passwords.

Now it has been reported that three U.S. states has initiated investigation about EBay’s cyber security practices.  Connecticut, Florida and Illinois said they are conducting a joint investigation of the matter. New York Attorney General Eric Schneiderman requested eBay provide free credit monitoring for everyone affected, according to a person familiar with the matter.

Details about what happened are still unclear because eBay has provided few details about the attack, which is under investigation by the FBI and a cyber forensics firm. It is also unclear what legal oversight the states had to respond to eBay`s handling of matter.

The states` quick move to investigate the attack shows that authorities are serious about holding companies accountable for securing consumer data following high-profile breaches at other companies, including retailers Target Corp, Neiman Marcus and Michaels Stores and the credit monitoring bureau Experian Plc. Congress and the Federal Trade Commission are already investigating the Target breach, which resulted in the firing of the company’s chief executive and chief information officer.

The investigation by the three states will focus on eBay`s measures for securing personal data, the circumstances that led to the breach, how many users were affected and the company’s response to the breach, said Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen. His office, which is also investigating breaches at Target Corp, Neiman Marcus and Experian, has already contacted eBay.

Several security experts said the best practices in responding to a breach of this type would be for eBay to have a message pop up when victims log in, telling them about it and forcing them to change their passwords.

EBay spokeswoman Amanda Miller declined to comment on the investigation by the three states or Schneiderman’s request for credit monitoring, but said the company was working with governments around the globe in the wake of the attack. “We have relationships with and proactively contacted a number of state, federal and international regulators and law enforcement agencies”, she said. “We are fully cooperating with them on all aspects of this incident”.

Indian customers of EBay can also take appropriate action against EBay under Indian laws especially under the Information Technology Act, 2000. Indian regulatory authorities and law enforcement agencies must also initiate their own investigations in this regard to safeguard Indian customer’s interests.

Posted in Uncategorized | 2 Comments

U.S. Public Utility Cyber Attacked And Its Control System Network Compromised Reports ICS-CERT

U.S. Public Utility Cyber Attacked And Its Control System Network Compromised Reports ICS-CERTMalware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc have been targeting virtually everything worth money or strategic importance. They are also been used to indulge in cyber warfare and cyber espionage activities. They are stealth in nature and till they are detected much damage is already been done.

The supervisory control and data acquisition (SCADA) systems may be the new cyber attack priority for cyber criminals and rouge nations. Internet is full of unprotected and unsafe devices, SCADA systems and computers. India is also required to protect critical ICT infrastructure (PDF) and SCADA systems.

The Department of Homeland Security (DHS) has reported that a sophisticated hacking group recently attacked a U.S. public utility and compromised its control system network, but there was no evidence that the utility’s operations were affected. The DHS also warned public utilities and critical infrastructure operators about the dangers of not using a firewall and allowing remote access to Internet facing devices.

As per the ICS-CERT report (PDF), the public utility was penetrated by a group of hackers that gained access to its control system network; although it found no evidence that the utility’s operations were affected. The agency said the utility was using a simple password mechanism, which hackers can easily bypass using a standard brute-forcing technique by trying on various passwords until they hit the right one.

“It was determined that the systems were likely exposed to numerous security threats and previous intrusion activity was also identified. This incident highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring and detection capabilities” the ICS-CERT report claims.

The second threat involved an Internet-connected control system attached to a “mechanical device”, which was accessed by a hacker using SCADA protocol. ICS-CERT said the device can be accessed directly through the Internet and is not protected by a firewall or authentication access controls. The device, however, was disconnected for maintenance at the time of the attack, said the report.

ICS-CERT said that the use of tools such as SHODAN, Google and other search engines to look for and identify devices that were not meant to be Internet facing, as well as the emergence of vulnerabilities such as Heartbleed continue to provide a threat to the Internet.

Posted in Uncategorized | Comments Off

Cyber Security Obligations Of Directors Of Indian Companies Under Indian Companies Act, 2013

Cyber Security Obligations Of Directors Of Indian Companies Under Indian Companies Act, 2013Recently the Ministry of Corporate Affairs (MCA) notified many provisions of the Indian Companies Act, 2013 (PDF) and corresponding rules under the same. Most of the corporate stakeholders have considered the new company law of India as a purely corporate regulatory framework. However, this is not true as the Indian Companies Act 2013 has prescribed legal obligations that are far more complicated than the traditional company law.

The truth is that the new company law of India has prescribed many techno legal compliance requirements that very few companies and their directors are capable of managing. As a result cyber law and cyber security related legal violations would be in abundant in the coming times.

With the formulation of the proposed cyber security breach disclosure norms of India and possible cyber security laws in India, Indian companies and their directors would find themselves in a legal fix. The powers of Serious Frauds Investigation office (SFIO) have also been significantly increased by the Companies Act 2013. SFIO has become very active in prosecuting Indian companies and their directors in the recent past. With the notification of the Companies (Inspection, Investigation and Inquiry) Rules, 2014 (PDF) SFIO would become more active in this regard.

The legislature made it sure that the regulatory compliances under Indian Companies Act 2013 should cover cyber law and cyber security compliances as well. The directors’ liabilities under the Indian Companies Act 2013 also cover cyber law due diligence (PDF), cyber security due diligence, e-discovery compliances, cyber forensics, etc on their part. Even the cyber security obligations of law firms in India has significantly increased and various stakeholders, including companies and law firms, must keep in mind the international  legal issues of cyber security.

The Companies (Management and Administration) Rules, 2014 (PDF) also prescribe many techno legal and cyber security obligations upon the directors of a company. The directors must be well versed with the techno legal regulatory provisions under the Companies Act 2013 and other technology laws of India.

The cyber security trends and development in India 2013 (PDF), provided by Perry4Law’s Techno Legal Base (PTLB), have also indicated that various corporate stakeholders would be required to comply with cyber law and cyber security related obligations in the near future. As on date, companies and directors are not complying with the cyber law and cyber security obligations as prescribed by Indian laws and regulations.

As the cyber law and cyber security obligations of the directors of companies operating in India have been clearly mandated by various laws of India, it is in their own interest to ensure their due compliance.

Posted in Uncategorized | Comments Off

Law Firms Cyber Security Obligations Are Increasing

Law Firms Cyber Security Obligations Are IncreasingCyber criminals target banks and financial institutions because that is where the money is. This traditional theory has now been expanded to other segments as well as either money or money worth information and data is available at multiple platforms and locations. Law firms are one such place where money worth information is available. The potential buyers for information extracted from laws firms range from competitors to cyber criminals. This is the reason why law firms are facing increasing and incessant cyber attacks and in most of the cases cyber criminals successfully get the information they are looking for.

There are no universally acceptable cyber security treaties or convention as on date. This is a problematic situation as cyber security is an international issue (PDF) and not a national one. Therefore, an international cyber security treaty is required (PDF). In the absence of such globally acceptable cyber security treaty, the conflict of laws in cyberspace would continue to make the things difficult. International legal issues of cyber attacks must be addressed by all nations as soon as possible. India must also safeguard its critical infrastructures and other utilities from global cyber attacks and cyber threats.

Cyber security in India is still maturing and the cyber security trends and developments in India 2013 (PDF) projected many shortcomings of the same. The cyber security policy of India 2013 has still not been implemented by Indian government and various stakeholders like banks have ignored the same as mere non obligatory guidelines.

Companies and individuals are still not much concerned about ensuring a robust cyber security. Even cyber security best practices in India have not been formulated by most stakeholders, including Indian government. There are very few law firms that are practicing in the field of cyber security and who understand the complexities and requirements of cyber security at national and international levels.

Law firms have not only the cyber security obligations but they also have obligations arising out of e-discovery and cyber forensics legal mandates. Indian government is planning to formulate the e-mail policy of India that would be implemented by government officials around the India. Such a policy may be required to be followed by all stakeholders, including law firms, in future. The cyber security laws in India may also be formulated very soon that would impose obligations upon law firms to protect the data and information of their clients.

Even at the international level, law firms are not managing cyber security related obligations in a proper manner. Most of the times cyber breaches are not reported at all and this puts sensitive data of clients at risks. A well planned cyber security strategy for law firms is need of the hour that every law firm must put in place and implement the same effectively and dedicatedly.

Posted in Uncategorized | 1 Comment

International Legal Issues Of Cyber Attacks And Indian Perspective

International Legal Issues Of Cyber Attacks And Indian PerspectiveCyber security threats are global in nature due to the very nature of Internet and multifaceted stakeholders. Cyberspace also put forward complex problems of authorship attribution for cyber attacks and anonymity. Cyberspace also gives rise to conflict of laws in cyberspace where multiple laws of different jurisdictions may be applicable at the same time. Take the example of Target Corporation that is facing litigation in multiple jurisdictions as it failed to take cyber law due diligence despite becoming aware of the cyber attack and data breach. Similarly, cyber attacks are targeting Bitcoin users and Bitcoin Exchanges world over. Sophisticated Malware like Uroburos/Snake have been making the rounds undetected for years before they are found.

As the cyberspace and Internet has become very hostile and vulnerable to cyber attacks, countries across the world have started to strengthen their cyber security capabilities. While protecting their own cyberspace domain, various countries must understand that cyber security is an international issue (PDF) and not a national one. Therefore, an international cyber security treaty is required (PDF). In the absence of such globally acceptable cyber security treaty, the conflict of laws in cyberspace would continue to make the things difficult.

Of course, we have mutual legal assistance treaties (MLATs) between different nations that can help in collaborating and cooperating regarding an international cyber attack. However, these treaties are not always very helpful. For instance, the United States has not only refused to serve Indian summons upon US websites including Facebook and Google but has also blocked a MLAT attempt to make Google, Facebook, etc comply with Indian Laws. Similarly,  an Indo-American alert, watch and warn network for real time information sharing in cyber crime cases has been proposed between U.S. and India but its establishment and effectiveness is yet to be tested.

This would force India to search for alternatives where it has more direct and effective control over cyber incidences having Indian connections and effect. The cyber warfare policy of India (PDF) and e-surveillance policy of India (PDF) must be urgently drafted and implemented. Similarly, self defence and privacy protection in India must be ensured. To strengthen these efforts, cyber security laws in India are required to be formulated urgently. The cyber security of e-governance infrastructure of India is need of the hour. Recently, India announced that it would constitute a tri service cyber command for armed forces of India. However, the ultimate solution is to formulate a techno legal national security policy of India that covers cyber security aspects as well.

You may see International Legal Issues of Cyber Attacks if you are interested in reading more on this aspect.

Posted in Uncategorized | 1 Comment

National Security Council (NSC) Proposes Three Pronged Cyber Security Action Plan For India

National Security Council (NSC) Proposes Three Pronged Cyber Security Action Plan For IndiaIndian government has always been very slow regarding ensuring robust cyber security in India. Most of the actions of India government are either knee jerk reactions or just ill suited super imposing of foreign models to Indian conditions. The National Cyber Security Policy of India 2013 (NCSP 2013) was formulated very late and till now it has been not implemented properly. Similarly, there is no dedicated cyber security law in India that can be pressed for punishing cyber attacks against Indian cyber space and critical infrastructures.

The conflict of laws in cyberspace has further complicated the Indian scenario. Foreign companies keep on operating from their home land and openly flout Indian laws. Law enforcement agencies of India are finding it really difficult to investigate cases relating to social media and foreign websites. The Supreme Court of India is presently hearing the Google’s online defamation case and this is a good opportunity for India to make these foreign companies and websites accountable to Indian laws.

We at Perry4Law have been suggesting for long that all Subsidiary/Joint Ventures Companies in India, especially those dealing in Information Technology and Online Environment, must mandatorily establish a server in India. Otherwise, such Companies and their Websites should not be allowed to operate in India. The Ministry of Home Affairs, India and Intelligence Bureau (IB) are already exploring this possibility.

We have also been suggesting that a “Stringent Liability” for Indian Subsidiaries dealing in information technology, online advertisement and online environment must be established by laws of India. More stringent online advertisement and e-commerce provisions must be formulated for Indian subsidiary companies of foreign companies and their websites.

Foreign e-mail service providers like Gmail are also working in active violating of Indian laws and they must be banned in India as they abet and encourage commission of cyber crimes in India. In fact, an advisory has already been issued by the Maharashtra government to use official e-mails, Indian cloud based services and routing of traffic through National Internet Exchange of India (NIXI). Further, the e-mail policy of India is already in pipeline.

It has now been reported that to protect data of Indian Internet users, the National Security Council (NSC) has proposed a three-pronged action plan. This includes asking all email providers to set up local servers, creating an Indian email service and making it mandatory for government officials to use the email provided by the National Informatics Centre (NIC).  The NSC wants all data related to communication between two users in India to remain within the country. This is a logical move and is also the need of the hour.

“All email service providers may be mandated to host servers for their India operations in India. All data generated from within India should be hosted in these India-based servers and this would make them subject to Indian laws,” said an internal NSC note. The National Security Advisor has asked the Department of Telecom to look at the possibility of making it mandatory for all telecom and Internet companies to route local data through the NIXI.

For example, an e-mail sent from Delhi to Mumbai may now be routed through servers in the US for which the ISPs need to buy international bandwidth. If all ISPs connect to the National Internet Exchange, this data can be kept within the country.

However, foreign email service providers such as Google are not required to connect to exchange or keep data within India as they are governed by the laws of their respective home countries. It seems NSC failed to understand the requirement to regulate foreign e-mail service provides in India. This would also defeat the entire purpose of these suggestions. In the larger interest of India, foreign e-mail service providers like Gmail, Yahoo, Hotmail, etc must also be forced to establish servers in India. Alternatively, the Indian traffic of these foreign e-mail services must be mandatorily routed through NIXI or other infrastructure.

In addition to this, the NSC paper said that the Government must facilitate the establishment of an Indian email service that would compete in terms of quality and technical sophistication with foreign players. The objective is to wean users from companies that do not conform to the requirements of India’s security. This is a good suggestion and Perry4Law welcomes the same.

Posted in Uncategorized | 1 Comment

Has Target Failed To Observe Cyber Law And Cyber Security Due Diligence After The Cyber Attack?

Has Target Failed To Observe Cyber Law And Cyber Security Due Diligence After The Cyber AttackCyber security breaches are common these days. It is also well understood that none can ensure 100 per cent cyber security for their cyber infrastructures. However, with prudence and due diligence, cyber incidences can be minimised to maximum possible extent. Similarly, coordinating with the national and international cyber security authorities is an essential requirement whenever a serious cyber attack or cyber threat is detected.

The requirement of cyber security breach notification originates out of this condition that needs a good legislative backing to make it effective. Countries around the world are formulating laws to make cyber security breaches disclosures mandatory. India has also proposed mandatory cyber security disclosure norms but till now they have not been formulated. However, sooner or later cyber security breach disclosures would become mandatory in India and companies must be prepared for the same in advance.

For instance, recently National Security Council Secretariat (NSCS) requested Reliance Jio Infocomm to share potential cyber security threats on India’s telecom networks. Almost all telecom companies of India are complying with this requirement by creating the Information Sharing and Analysis Centre (ISAC). This (ISAC) is an agency that will collate all classified industry feedback on potential cyber threats and vulnerabilities in telecom networks across technology platforms.

Recently Target was targeted by cyber attackers and consumer information of mass proportion was leaked and stolen. According to Slate, 40 million credit card numbers and personal data from 70 million customers were stolen during an attack on Target that lasted from Nov. 27 to Dec. 18, when the big box store finally shut it down. Now the crucial question is whether Target failed to observe cyber law and cyber security due diligence?

Bloomberg Businessweek reports that Target officials could have been made aware of the attack on Nov. 30 and again on December 2. On both days malware detection software sent an alert to Target’s security monitors in Bangalore, India, who then contacted Target’s security team in Minneapolis. But for some reason, they apparently didn’t respond to either alert.

Congress is now investigating the situation, and congressional testimony shows that federal law enforcement officials got in touch with Target about the breach on December 12. Businessweek spoke to 18 people who either worked on Target’s cybersecurity in the past or have specific internal knowledge of the breach. Target’s chief financial officer, John Mulligan, told a congressional committee in February that the company began investigating December 12, when the U.S. Justice Department warned the company about suspicious activity involving payment cards.

“With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different,” company spokeswoman Molly Snyder said in a statement.

When asked to respond to a list of specific questions about the incident and the company’s lack of an immediate response to it, Target Chairman, President, and Chief Executive Officer Gregg Steinhafel issued an e-mailed statement: “Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience. While we are still in the midst of an ongoing investigation, we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards. However, as the investigation is not complete, we don’t believe it’s constructive to engage in speculation without the benefit of the final analysis.”

Let us wait for the final outcome of all investigations and how/whether target would be held accountable for the loss of consumer data and personal information.

Posted in Uncategorized | 3 Comments

National Infrastructure Protection Plan In Thermal Power Sector Of India Proposed

National Infrastructure Protection Plan In Thermal Power Sector Of India ProposedCyber security issues in India have gradually started gaining attention of our government departments and ministries.  However, till now cyber security has not been given the priority and importance that it deserves. The cyber security trends and developments in India 2013 (PDF) have proved this point. We still lack an implementable techno legal cyber attacks crisis management plan of India.  We have no dedicated cyber security laws in India. It is only now that the national cyber security policy of India 2013 (NCSP 2013) has been declared by Indian government. However, the actual implementation of the NCSP 2013 has yet to take place.

Cyber security legal practice in India is still maturing and there are very few law firms that can take up cyber security related cases. As a result most of the cyber attacks and cyber contraventions are either not detected or they are not reported and properly prosecuted. This position may change very soon as Indian government has proposed to introduce the cyber security disclosure norms in India.

The cyber security of automated power grids of India is still not upto the mark and the cyber security challenges for the smart grids in India are still unresolved. Indian government must ensure robust and effective cyber security for power energy and utilities in India. Thus, a robust crisis management plan for preventing cyber attacks on the power utilities in India is need of the hour.

The supervisory control and data acquisition (SCADA) has been in limelight these days. This is because malware are specifically designed these days to target SCADA systems. It is not the case that malware were not used in the recent past to target SCADA systems but their sophistication and intensity has increased tremendously these days. The critical infrastructure protection in India (PDF) needs to be strengthened to prevent such cyber attacks upon the SCADA systems of India.

As per the media reports, the increasing cyber attacks targeting and paralysing key thermal power infrastructures has forced the Union power ministry to grade such installations as sensitive or hypersensitive, and asked state governments, officials of state-owned and private electricity generation stations to ensure physical, technological and cyber security of their units.

The Ministry of Power has also formed a panel for development of National Infrastructure Protection Plan in thermal power sector. The committee will be headed by a member of the Central Electricity Authority and members drawn from CISF, IB, NIC and power utilities. The panel has already prepared guidelines for physical, technological and IT security of thermal power stations. However it is yet to be seen how effective such guidelines are and when those guidelines would be actually implemented.

In Orissa, the 460 megawatt thermal power station of NTPC at Talcher and 3000 megawatt Super Thermal Power Station in Kaniha have been labelled hypersensitive by the ministry, while the upcoming 1800 megawatt thermal power station by Jindal India Thermal Power Ltd at Derang of Angul district was termed sensitive. Similarly, the upcoming 350 megawatt thermal Power Station of KVK Neelachal at Cuttack has been marked as hypersensitive, while Jindal India Thermal Power and Monnet ISPAT Thermal Power Station at Angul was labelled sensitive.

Sources in the NTPC said the guidelines suggested creation of a nodal agency at central level to carry out classification of the projects based on threat perception and intelligence inputs. The nodal agency would prepare standard security manual with graded security guidelines, coordinate security response requirements with the power stations and law enforcement agencies, prepare roadmap and contingency response plans, develop guidelines for security audits and establish procedures for dealing with bomb threats.

They also said the guidelines contain physical security measures to be provided at the thermal power stations, such as boundary walls, biometric/iris-based access control systems, CCTV surveillance as well as operational measures to be taken by the stations like evacuation plan, record keeping, engagement of security agencies, segregation of security sensitive areas. The panel has also suggested cyber security measures.

Posted in Uncategorized | Comments Off

National Cyber Coordination Centre (NCCC) Of India May Become Functional

National Cyber Coordination Centre (NCCC) Of India May Become FunctionalIndia has started many good initiatives and formulated far reaching policies in the field of cyber security. However, their actual implementation is still missing and thereby making all these efforts futile. For instance, the Cyber Security Policy and the National Security Policy of India have been declared but their actual implementation in the cyber field is still missing. As a result, the cyber security of India is at great peril. These cyber security shortcomings have been well articulated by the Cyber Security Trends and Development in India 2013 (PDF) provided by Perry4Law and Perry4Law’s Techno Legal Base (PTLB).

So what cyber security projects have not become implementable projects till now? The list is long but sufficient is to talk about the projects like National Critical Information Infrastructure Protection Centre (NCIPC) of India, National Cyber Coordination Centre (NCCC) of India, Tri Service Cyber Command for Armed Forces of India, Cyber Attacks Crisis Management Plan Of India, etc. None of them are “Coordinating” with each other and all of them are operating in different and distinct spheres.

Recently, the National Technical Research Organisation (NTRO) was entrusted with the responsibility to protect the critical ICT infrastructures of India. The critical infrastructure protection in India and its problems, challenges and solutions (PDF) are still not looked into with great priority. Now it has been reported by Hindustan Times that the National Cyber Coordination Centre (NCCC), which received an in-principle approval from the cabinet committee of security in May last year – is about to become a reality. A 125-page report on the R500-crore project has been sent to the ministry of finance for clearance. Once cleared, it would go to the Cabinet Committee for Economic Affairs for a final nod.

“The new body comes under the National Information Board and would be responsible for all forms of cyber intelligence and cyber security issues,” said a senior intelligence official on condition of anonymity. The NCCC is expected to screen all forms of meta-data, ensure better coordination between various intelligence agencies and “streamline” intelligence gathering. To that end, it expands the charter of the Computer Emergency Response Team, India, (CERT-IN), which has the bulk of the government, public-private and private sectors under its jurisdiction. It is also the duty of the NCCC alert all relevant agencies during a cyber-attack and ensure better cyber intelligence sharing.

India has already launched e-surveillance projects like National Intelligence Grid (NATGRID), Central Monitoring System (CMS), Internet Spy System Network and Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. Thus, these projects are violative of Civil Liberties Protection in Cyberspace and provisions of Indian Constitution.

But though the NCCC would be concentrating on meta data and not personal data, the fact that it would actively coordinate cyber intelligence and improve information sharing, makes citizens more vulnerable to the government. What worsens the situation is the lack of a privacy law and data protection laws (PDF) and transparency in the measures being taken, said officials from the ministry of communications & IT. Further, there is no E-Surveillance Policy in India (PDF) as well. Let us see how effective the NCCC would be in the absence of any legal framework supporting its functioning.

Posted in Uncategorized | Comments Off

Cyber Attacks Crisis Management Plan Of India

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW CEO PTLBCyber Security must be an “Essential Part of the National Security” of all Nations. Further, the Cyber Security Policy must also be “Integrated with the National Security Policy” of all Nations. In India, we have “Not Integrated” the Cyber Security Policy with the National Security Policy. As a result we have “Isolated and Uncoordinated Polices and Authorities” where each acts Independently and without any Coordination with the other. This fact has been reiterated by the Cyber Security Trends and Development in India 2013 (PDF) provided by Perry4Law and Perry4Law’s Techno Legal Base (PTLB).

For instance, we have proposed National Critical Information Infrastructure Protection Centre (NCIPC) of India, National Cyber Coordination Centre (NCCC) of India, Tri Service Cyber Command for Armed Forces of India, etc. However, none of them are “Coordinating” with each other and all of them are operating in different and distinct spheres.

Meanwhile, Cyber Crimes, Cyber Attacks, Cyber Security Incidences, Cyber Warfare, Cyber Terrorism, Cyber Espionage, etc are on rise World over. India is no exception to these Cyber Threats. The Cyber Security Infrastructure in India needs to be “Strengthened” with both Offensive and Defensive Cyber Security Capabilities to tackle these CyberAttacks that have become “Really Sophisticated”.  Malware like Stuxnet, Duqu and Flame have simply proved that Traditional Cyber Security Protections are “Irrelevant and Useless”. Similarly, the combined use of Radio Waves and Malware, as used by United State’s NSA for World Wide E-Surveillance, is also well outside the Tradition Cyber Security Capabilities to prevent.

These Malware used Cyber Attack Methods and Vectors that are far beyond the Capacity of Traditional Cyber Security Mechanisms to Trace and Prevent. This becomes a serious Cyber Security Issue when Critical ICT infrastructures are at stake. For instance, the Critical Infrastructure Protection in India and its Problems, Challenges and Solutions (PDF) are still to be looked into with Great Priority by Indian Government. It is only now that India has declared that NTRO would protect the Critical ICT Infrastructures of India. Similarly, a Tri Service Cyber Command for Armed Forces of India is in Pipeline. Nevertheless, the Cyber Security Infrastructure of India is Weak and it must be Improved as soon as possible.

Countries across the World have started to strengthen their Cyber Security Capabilities. While protecting their own Cyberspace domain, various Countries must understand that Cyber Security is an International Issue (PDF) and not a National one. Therefore, an International Cyber Security Treaty is Required (PDF). As far as India is concerned, the Cyber Warfare Policy of India (PDF) and E-Surveillance Policy of India (PDF) must be urgently drafted and implemented. Similarly, Self Defence and Privacy Protection in India must be ensured.

India has taken a “Totally Defective Stand” in this regard. India has decided to use E-Surveillance instead of creating Sound Cyber Security Capabilities. For instance,  India’s own Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. The Privacy Rights in India in the Information Age and Data Protection Laws in India and Privacy Rights in India (PDF) need to be ensured by Indian Government as well.

We also lack an “Implementable” Crisis Management Plan of India for Cyber Attacks and Cyber Terrorism. Recently, Huawei was accused of Breaching National Security of India by Hacking Base Station Controller in Andhra Pradesh. Similarly, Cyber Security of E-Governance Services in India is needed. We have no Cyber Crisis Plan that can be “Set into Motion” the moment an “Adverse Cyber Event” occurs. Of course, “On Papers” we may have the best Cyber Crisis Management Plan of the World.

There is an urgent need to have an “Implementable” Cyber Attacks Crisis Management Plan of India. The same must be “Holistic” in nature and must have “Coordinative Capabilities” so that various Policies and Authorities can “Act at Once” the moment an “Adverse Cyber Event” occurs against India.

Posted in Uncategorized | 1 Comment