Monthly Archives: October 2011

India Is Investigating Duqu Malware

Of late sophisticated Malware have entered into the cyber crime market place. Whether it is state sponsored or private profiting, Malware is becoming a good choice for all. The evolution of Malware is also happening in an innovative, constant and quick manner.

From Stuxnet to the latest Malware Duqu the trend in this regard is absolutely clear. If nations are not well prepared on the front of cyber security, critical infrastructures would be vulnerable. While this is not a situation that requires a paranoid reaction yet this is at the least a wake up call for ensuring strong and robust cyber security.

In order to analyse the Duqu Malware, Indian officials from department of information technology (DIT) have recently seized computer equipment from a data center in Mumbai. They took several hard drives and other components from a server that was communicating with computers infected with Duqu.

While detailed investigation is still going on yet preliminary examination suggests that Duqu was developed by sophisticated cyber criminals to help lay the groundwork for attacks on critical infrastructure such as power plants, oil refineries and pipelines, etc. It is suspected to be another incidence of state sponsored cyber attack tactics to test future cyber capabilities.

Duqu, so named because it creates files with “DQ” in the prefix, was designed to steal secrets from the computers it infects. The target includes design documents from makers of highly sophisticated valves, motors, pipes and switches.

Privacy Rights And Laws In India

Privacy laws in India are virtually missing and Indian government seems to be in no rush to have suitable privacy and data protection laws in India. Even the national privacy policy of India is missing. However, recent developments pertaining to cyberspace and ICT, has forced Indian government to think about privacy issues in India.

Indian government has been launching projects without proper procedural safeguards and parliamentary scrutiny. These projects and authorities are openly violating the human rights in cyberspace but Indian government is not deterred by this issues.

It is only after the United Nations has declared that access to Internet is a human right that Indian government is thinking about civil liberty issues in cyberspace. In order to confer legitimacy to projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), etc, they must be supported by a techno legal framework. Presently, none of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny.

While lack of privacy law has already stalled Natgrid yet other projects like unique identification project of India or Aadhar project of India are simply unconstitutional by their very existence and being violative of privacy rights as conferred under Indian constitution.

For some strange reasons, Indian government has been ignoring enactment of good techno legal privacy laws in India. Various governmental ministries have started the exercise of enacting the privacy law for India time to time but ultimately none of them materialised. These exercises proved to be futile and till now we are still waiting for the enactment of sufficient and strong privacy laws in India.

National Privacy Policy Of India

Right to privacy bill of India 2011 has been suggested for many times in the year 2011. However, till now we do not have any conclusive draft in this regard that can be introduced in that parliament of India. In fact, we are still waiting for a final and conclusive proposed draft right to privacy bill 2011 of India that can be discussed in the parliament.

Privacy rights in India in the information age are too important to be ignored. Surprisingly, Indian government is deliberately keeping privacy protection at distance even if the constitution of India protects privacy rights of Indian citizens/persons.

For instance, India has launched Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny.

Lack of privacy law has already stalled Natgrid whereas other projects like unique identification project of India or Aadhar project of India are simply unconstitutional by their very existence and being violative of privacy rights as conferred under Indian constitution.

Right to privacy bill of India 2011, along with a dedicated data protection law in India is needed. We already have an anti consumer telemarketing policy of India that openly allows violation of consumers privacy and peace.

In short, the unwritten, but widely followed, national privacy policy of India is not only negative in nature but is also violative of various provisions of Indian constitution. Time has come to enact a good techno legal national privacy policy of India.

Legal Framework For Cyber Security In India

Cyber security in India needs top attention of our policy makers. Till now cyber security in India has been neglected to a great extent. Even India’s national cyber security policy is missing that can be implemented at the government department levels.

Even basic level cyber security awareness in India is missing. Government employees use governmental computers with great casualness. In many cases this results in installation of Malware on the governmental computers and thereby compromises the national security and cyber security of such computers.

Social engineering has proved to be the weakest link in the cyber security chain of India. Another reason for poor performance of cyber security in India is lack of good techno legal cyber security skills development in India. Cyber security skills development and trainings are essentially techno legal in nature and mere technological or legal approach towards cyber security is not enough.

Unfortunately, India lacks initiatives on both technical as well as legal fronts. India is not only technologically unsound in this regard but there are no cyber security laws in India as well.

Similarly, other important issues have also been ignored in India. For instance, we have no cyber warfare protection in India and no cyber warfare policy in India. The incidences of cyber attacks, cyber terrorism, cyber espionage, cyber warfare, etc are increasing against India. We must urgently develop cyber warfare capabilities in India to thwart growing cyber attacks against India.

A legal framework for cyber security in India is also required for effective critical infrastructure protection in India and critical ICT infrastructure protection in India. In fact the growing cyber attacks are affecting Indian critical infrastructure. Similarly, a cyber crisis management plan of India also cannot be implemented in the absence of proper legal framework.

There are many good open source tools that can help in ensuring good cyber security in India and investing in commercial software is an option and not compulsion. Still India needs expertise to use these open source software and in the absence of the same cyber security has been neglected to a great extent. Let us hope Indian government would wake up to this much needed reality very soon.

Cyber Warfare Against India

Cyber warfare is a concept that is still haunting the international community. The situation is so serious that north atlantic treaty organisation (NATO) has sought stronger cooperation with India to counter growing cyber threats.

Cyber warfare is still a murky area as different countries deal with cyber attacks and cyber warfare attacks differently. While countries like US are considering it as an act of aggression on the footing of war yet other countries are taking divergent views. However, all countries are willing to use every possible cyber capabilities as preventive and curative cyber methods.

Till United Nations (UN) steps in and enacts “universally acceptable” international cyber law treaty and international cyber security treaty, this problem would remain murky and difficult to resolve. Further, nothing can benefit more than an international cyber security cooperation that is urgently required.

The incidences of cyber attacks, cyber terrorism, cyber espionage, cyber warfare, etc are increasing against India. However, in the absence of India’s national cyber security policy, cyber security in India is a neglected field. We must urgently develop cyber warfare capabilities in India to thwart growing cyber attacks against India. Further, we must also formulate a cyber warfare policy in India that is presently missing.

Cyber warfare is also the reason why we need to ensure critical infrastructure protection in India and critical ICT infrastructure protection in India. In fact the growing cyber attacks are affecting Indian critical infrastructure. Thus, cyber security capabilities through techno legal cyber security trainings in India must be strengthened. We must stress upon cyber security skills development in India.

The situation is equivalent to a wake up call and Indian government must take urgent steps to strengthen Indian cyber security. The sooner it is adopted the better it would be for a safe and secure cyberspace of India.

India’s National Cyber Security Policy

Cyber security is an area that cannot be ignored by India. Cyber security in India has still not been paid enough attention. As a result important departments and computers of Indian governments are frequently breached and compromised.

India is poor at cyber security for numerous reasons. First and foremost being that cyber security policy of India is still missing. Till cyber security is considered at the policy level not much can be achieved.

However, politicians in India have no time for cyber security. Lack of political will towards a crucial topic like cyber security is evident when we have no national cyber security policy of India.

Indian national cyber security policy is also suffering on the count of legal enablement. Till now we have no legal enablement of ICT systems in India. We have no legal framework for cyber security in India. Even the cyber law of India is grossly deficient and is ineffective in tackling the growing cyber crimes and cyber attacks.

Naturally, the fronts like cyber warfare against India, cyber espionage against India, cyber terrorism against India, etc are still wide open for anybody and everybody to exploit.

Another factor that has resulted in poor cyber security in India is the growing incidences of industrial lobbying in India. Industrial lobbying is not allowing a strong cyber law and cyber security framework in India. Companies that may be required to follow stringent cyber law and cyber security practices are lobbying to make them redundant and powerless and Indian government is obliging the same.

India has waited for too long for an effective, robust and implementable cyber security policy. A national cyber security policy of India must be implemented as soon as possible for the larger interest of India and ignoring the same any further would only be counter productive.