Monthly Archives: November 2011

Online Dispute Resolution And International Response

Online dispute resolution (ODR) is growingly seen as an effective alternative dispute resolution mechanism world over. Traditional litigation methods are time consuming, expensive and unproductive. ODR is not only speedier but is also economical and effective.

Online dispute resolution in India is still in its infancy stage. This is so because even the alternative dispute resolution in India is not free from troubles and procedural formalities.

However, success of ODR in India is still doubtful. To be successful, ODR in India needs urgent rejuvenation. This has happened because legal enablement of ICT systems in India is missing. ADR and ODR services in India are still evolving. There are very few ODR service providers in India.

Naturally, online dispute resolution services in India are still evolving. We have very few online dispute resolution centers in India. Further, Perry4Law Techno Legal Base (PTLB) is the sole techno legal ADR and ODR services provider in India.

Techno legal ODR services have become necessary due to growing use of information technology for business and commercial purposes world over. For instance, ODR and cross border e-commerce transactions are also interrelated. Similar is the case regarding dispute resolution of cross border technology transactions.

Similarly Online dispute resolution in Asia is still evolving. Online dispute resolution in Asian countries is largely confined to a single or two countries that also to a limited extent. Clearly online dispute resolution standards of practice for India and Asia need to be developed urgently.

However, nothing can strengthen ODR more than international efforts and international coordination activities. International legal standards for online dispute resolution (ODR) and international harmonisation of ODR is urgently required.

United Nations can play am important role in international development and international harmonisation of ODR. United Nations and online dispute resolution are closely related in this regard. In fact, UNCITRAL, ODR and India are interconnected.

Thus, it is clear that whether it is India, Asia, Europe, United States or any other international country or territory, ODR would play a very important role in effective, economical and speedier dispute resolution. Of course, United Nations has to play a more pro active role in this regard at the international level.

Cyber Security Of Automated Power Grids Of India

Power sector reforms in India are in the pipeline. Among many suggested measures, some of them pertain to use of automated systems through IT intervention for sustained collection of accurate baseline data and automation of some electricity functions. The idea is good but is not free from problems like lack of expertise and inadequate cyber security in India.

Malware like Stuxnet and Duqu have already proved that critical infrastructures like power grids, nuclear facilities, satellites, defense networks, governmental informatics infrastructures, etc are vulnerable to sophisticated cyber attacks.

In the Indian context, the critical infrastructure protection of India is not in good shape. There is neither an implementable cyber security policy of India nor there is any critical ICT infrastructure protection policy of India.

In these circumstances, use of automated power grids in India should be undertaken only after making cyber security of India robust, reliable and effective. For instance, the supervisory control and data acquisition (SCADA) systems are used world over for managing automated water utilities and power grids. However, successful cyber attacks against these SCADA systems have result in great loss and productivity of these utilities.

SCADA may be the new cyber attack priority for cyber criminals and rouge nations. We must ensure sufficient cyber protection of SCADA systems in India in general and critical infrastructure in particular.

Consider a real life situation in India. The Restructured Accelerated Power Development and Reform Programme (R-APDRP) of UT electricity department will soon be implemented as the Joint Electricity Regulatory Commission ( JERC) has accorded its approval to the department for availing the funds from the central government through the Power Finance Corporation (PFC). These funds will be used towards the implementation of Part-A of R-APDRP scheme for creation of reliable and automated systems with IT intervention for sustained collection of accurate baseline data.

R-APDRP will have projects which would be undertaken in two parts – part A and part B. Part-A includes the projects for establishment of baseline data and IT applications for energy accounting/auditing and setting up IT based consumer service centres. Part-B shall include regular distribution strengthening projects. Part-A also covers SCADA implementation which facilitates centralised control of power supply position in Chandigarh. PFC has been appointed as a nodal agency for this Central Government funded scheme.

If cyber security aspects of automated electricity grids in India are taken care of, this e-governance drive would prove very useful and productive for power sector of India. We hope Indian government would consider all these aspects for the larger interest of power industry of India.

Cyber Security Of Indian Satellites And Critical Infrastructure

We are living in a technology era where technology is both a friend and foe. It is up to us to work in this direction and ensure on which side technology should be. If technology is used for delivery of public services, we have the benefits of concepts like e-governance and e-commerce. On the other hand if the technology is used for causing wrong or harm to others we face concepts like cyber crimes, cyber attacks, cyber warfare and cyber terrorism.

Cyber warfare, in its basic form as well, is now a well accepted cyber threat. Cyber warfare against India is also well known and we must formulate a cyber warfare policy for India to counter such threats. Indian defense and security against cyber warfare needs to be upgraded and strengthened.

Similarly, terrorism and cyber terrorism are also posing big security problems for India. Indian counter terrorism capabilities are not sufficient and there is an urgent need to strengthen the same. Similarly, cyber espionage and cyber terrorism against India is also well known.

To start with we must have a robust and effective cyber security in India. We must also have an implementable cyber security policy of India. The cyber security policy must keep in mind both the preventive as well as offensive cyber attacks and cyber defense capabilities.

Critical infrastructure protection in India needs to be undertaken on a priority basis. We must have a critical infrastructure protection policy of India that must be strenuously followed by all governmental departments, organisations and even by private service providers.

For instance, supervisory control and data acquisition (SCADA) systems are a favourite target for cyber criminals and cyber terrorists. By targeting SCADA these cyber miscreants can damage the critical infrastructure of India. We must ensure sufficient cyber protection of SCADA systems in India in general and critical infrastructure in particular.

Malware like Stuxnet and Duqu have already shown how critical infrastructures and SCADA systems are vulnerable to cyber attacks. Indian critical infrastructures have also been targeted by these Malware. It is believed that Stuxnet was responsible for shutting down an Indian communication satellite. Similarly, these Malware have also been targeting Indian nuclear systems and facilities.

Even the government computers have been comprised successfully in India in the past. Recently Indian National Informatics Centre’s (NIC) server were compromised and used to attack computers of other nations. Even satellites of various nations have been compromised and taken control of by terrorists and enemy nations.

These developments are serious enough and they must be sufficient for Indian government to formulate an implementable cyberspace crisis management plan of India. Of course, national security policy of India, cyber security policy of India, critical infrastructure protection policy of India, cyber warfare policy of India, etc must be integral part of the same. The sooner these steps are taken the better it would be for the larger interest of India.

India’s National Informatics Centre Servers Compromised

Attacking and compromising the servers located in various countries has become a common practice for cyber criminals. By compromising the servers of various nations, these cyber criminals can launch general and sophisticated cyber attacks, without much chances of their identity being known to the victim individuals, organisations and nations.

Cyberspace is boundary less and it is very difficult to prevent cyber attacks from different jurisdictions. Essentially cyber security is an international aspect that must be dealt with at the international level. An international cyber security cooperation and treaty is required that can take care of various issues like cyber attacks, cyber warfare, cyber terrorism, cyber espionage, etc.

For instance, even if a cyber attack can be located to a particular jurisdiction, “attributing” the same to a single individual or organisation/nation is really difficult. This means we cannot pinpoint with absolute certainty that a particular nation is behind a particular cyber attack. This raises a very complicated jurisdictional and attribution problem.

The starting point to gather sufficient information pertaining to cyber attacks existing simultaneously at various jurisdictions is to have an internationally acceptable cyber security cooperation. An internationally acceptable cyber crimes/law treaty is also required in this regard.

Cyber attacks against India as well as from India are increasing. For instance, the servers of the Indian National Informatics Centre (NIC) have been attacked and compromised successfully in recent months and were used to launch attacks on countries including China.

Indian critical infrastructure protection is already in bad shape. Further, we also do not have any critical ICT infrastructure protection policy in India. Indian nuclear facilities are vulnerable to cyber attacks from Malware like Stuxnet. It is also believed that Stuxnet was also responsible for the destruction of an Indian broadcasting satellite.

India is already investigation the Duqu Malware that used the command and control servers located in India. Fortunately Stuxnet virus removal tools and Duqu virus removal tools are already available free of cost that can be used to test various systems for these Malware. Perhaps time has come for a cyber command and control authority of India that can take care of these cyber threats.

Turf War In India Is Compromising Indian National Security

Indian national security is vulnerable from many angles and regarding many aspects. Whether it is internal security, external security, cyber security, anti terrorism capabilities, etc, India has to cover a long gap before Indian national security can be considered to be robust and effective.

It is not the case that India has not tried to work in this direction. But almost all the initiatives undertaken in this regard have either created multiple authorities and systems or they have been stalled for one reason or another.

For instance, Indian government launched projects like Aadhar, national intelligence grid (Natgrid), crime and criminal tracking network and systems (CCTNS), national counter terrorism centre (NCTC), central monitoring system (CMS), centre for communication security research and monitoring (CCSRM), etc. None of them are governed by any legal framework and none of them are under parliamentary scrutiny.

Similarly, a majority of these projects are simply overlapping with one another. They are supported by different ministries and departments of Indian government and their main purpose is to serve the concerned ministry or department alone. This has resulted in the emergence of a turf war between these ministries and departments.

For instance, while projects like NCTC, Natgrid, etc are essential for national security of India yet both Natgrid and NCTC have already been downsized. Turf war is preventing various ministries and departments in cooperating and collaborating various national security related projects.

For instance, the intelligence bureau (IB) director Nehchal Sandhu is not keen on the Natgrid and NCTC initiatives of home minister of India P. Chidambaram. Sandhu believes the two will dilute the IB’s vast charter.

A few days after the Delhi blasts in September this year, Sandhu shot off a missive to his senior-most officers seeking concrete suggestions on how to improve the agency’s counter-terrorism efforts. He was worried that the IB had failed to anticipate the terror attacks. More so, after Chidambaram admitted that “there was no prior intelligence” available.

Sandhu views NATGRID with suspicion. According to senior officials, NATGRID would be a major encroachment on the IB’s established terrain and also put fetters on its free access to sensitive data such as phone call records, intercepted emails, financial data, etc., that the agency currently enjoys complete access to. NATGRID will place elaborate protocols in place that seeks authentication of those who seek the information and also bars them from seeking anything that is beyond the set parameters.

It is high time to consider national interest first rather than own self interests that are jeoparadising the national security of India.

Indian Counter Terrorism Capabilities Needs Rejuvenation

Terrorism is a serious problem for India and so far Indian counter terrorism responses are far from satisfactory. Whether it is traditional terrorism or cyber terrorism, India is lagging far behind. Unfortunately, a tragedy is always needed in India to wake up Indian government temporarily.

Once the tragedy is over, the concerns for national security and cyber security also subsides. On the contrary, in the name of national security and cyber security, corruption, myopic vision and e-surveillance are the only chosen options by Indian government. If you add the fact of turf war between various Indian ministries and departments, the chaotic picture of Indian national security in general and counter terrorism capabilities in particular emerges very clearly.

There is no second opinion about the fact that intelligence gathering is an essential part of national security of India. However, intelligence gathering skills developments in India are far from satisfactory. Naturally, India cannot fight with terrorism and cyber attacks with the present intelligence infrastructure of India. The present intelligence infrastructure of India is in big mess.

The intelligence infrastructure of India needs urgent rejuvenation. It is high time to move away from mere lips services and political statements and to move ahead in the direction of developing counter terrorism capabilities. We have an obvious but unresolvable terrorism dilemma in India.

With the growing use of social media by cyber criminals and terrorists, the intelligence agencies world over are engaging in open source intelligence through these social media and platforms.

Indian intelligence agencies must develop not only open source intelligence capabilities in India but they must also learn how to deal with highly sophisticated encryption usages. By limiting their capabilities to a weak encryption usage limited 40 bits encryption alone, this aim is absolutely frustrated. We must formulate a well drafted encryption policy of India that covers all the possible uses and prevention of the abuses of encryption.

India has been ignoring all these issues for many decades. It is high time to think about these issues and do some actual and hard core work in this regard.

Free Stuxnet Malware Removal Toolkits And Software

Stuxnet and Duqu Malware have shown the vulnerabilities of our critical infrastructures. Critical infrastructure protection in India is also required to be analysed from the point of view of these sophisticated Malware. In fact, we must urgently formulate a critical ICT infrastructure protection policy of India.

While the destruction of an Indian broadcasting satellite by Stuxnet Malware is still a mystery yet India is investigating Duqu Malware that had a command and control server in India. Meanwhile, open source Duqu Malware removal toolkits and software have also been released by the open source community.

Undoubtedly, Stuxnet is the most sophisticated Malware that has come to notice so far. There are few good tools and software that can be used to deal with Stuxnet Malware. They can be used for a specific purpose or for checking the entire computer system.

These tools and software are providing curative protection against Stuxnet Malware in the following forms:

(1) Computer: The Stuxnet Removal Tool can be used to scan an entire computer for Stuxnet Malware.

(2) USB: The Stuxnet Remover for USB can be used for analysing a USB for Stuxnet infection.

(3) LNK Shortcut: Stuxnet also utilises the shortcut vulnerabilities of various versions of Windows operating systems. Microsoft has released Microsoft Fix it tools to fix this vulnerability. For Microsoft Fix it to disable .LNK and .PIF file functionality you can use this tool. If you want to disable workaround offered by Fix it than use this tool. You need to restart your computer after using this workaround to take affect on your computer. Another good tool is the Sophos Windows Shortcut Exploit Protection tool to block Stuxnet rootkit from exploiting LNK Shortcut vulnerability in all versions of Windows.

It is worth while to give these tools and software a try.

Open Source Duqu Malware Removal Toolkits And Software

Stuxnet and Duqu Malware have started a new wave of cyber crimes and cyber attacks. They are sophisticated Malware that cannot be a task of random or average skilled cracker or cyber criminal. These Malware have been written by very sophisticated Malware writers.

Stuxnet and Duqu Malware have also affected Indian computer systems. For instance, it is believed that the Stuxnet Malware was responsible for destroying an Indian broadcasting satellite. Similarly, the command and control server of the Duqu Malware was also traced to India.

While India is presently investigating the Duqu Malware yet it is clear that Indian nuclear facilities may not be cyber secure. There is an urgent need on the part of India to strengthen its cyber security capabilities in general and cyber warfare capabilities in particular. In US, the Defense Advanced Projects Research Agency (DARPA) has been working hard to develop its cyber capabilities.

While India has not yet come up with solutions to fight Malware like Stuxnet and Duqu yet open source community has done a good job. A new scanning tool has been released by engineers at independent security testing firm NSS Labs that can be used to detect Duqu drivers installed on a system. The tool was developed with the goal of discovering any additional drivers and enable researchers to learn more about the functionality, capabilities and ultimate purpose of the Duqu Malware.

Similarly, the Laboratory of Cryptography and System Security (CrySyS) in Hungary has released an open-source toolkit that can find traces of Duqu infections on computer networks. It contains signature- and heuristics-based methods that can find traces of Duqu infections where components of the Malware are already removed from the system. Duqu deactivates after a time limit and removes itself from the computer, but some temporary files could still indicate that the computer was affected by a former Duqu infection. The toolkit might identify these traces.

If you wish to analyse your computer or network for Duqu Malware, it is worth giving these tools a try.

Is Ultra Surf Providing Anonymous Surfing And Ensuring Cyber Security?

Privacy and anonymity are very important aspects of protecting civil liberties in cyberspace. They also strengthen cyber security to some extent. However, maintaining good level of privacy, anonymity and cyber security has become a daunting challenge these days.

Further, endemic e-surveillance and blatant privacy violations have become the norm theses days. Even the United Nations (UN) has not been able to control the growing desires and adopted designs of various national governments to curb privacy and anonymity rights of their citizens.

For instance, Indian Government launched projects like Aadhar, national intelligence grid (Natgrid), crime and criminal tracking network and systems (CCTNS), national counter terrorism centre (NCTC), central monitoring system (CMS), centre for communication security research and monitoring (CCSRM), etc. None of them are governed by any legal framework and none of them are under parliamentary scrutiny.

India needs strong privacy rights and anonymity protection in these circumstances. Self defence in cyberspace is a concept whose time has come at both national and international level. At the national level of India self defence is required not only against cyber criminals but also against our own over zealous and e-surveillance oriented Indian government. Proactive self defence in cyberspace against our own governments has become a necessity. Of course there is a limit where self defence in cyberspace ceases to exist.

When it comes to anonymity, the onion routing (Tor) is the universal standard. However, there are certain extra steps that Tor users must take to get maximum benefit our of Tor infrastructure. If used properly, ToR can provide good levels of privacy, anonymity and cyber security.

Another good tool for maintaining privacy is ultra surf. Ultrasurf is a product of Ultrareach Internet Corporation. Originally created to help internet users in China find security and freedom online, Ultrasurf has now become popular pro-privacy, anti-censorship software, with millions of people using it to bypass firewalls and protect their identity online.

However, for some strange reasons ultra surf is not working fine for us as it is leaking our internet protocol address even after we use it properly. While some sites show the IP address of ultra surf yet some other show the real IP address. If real IP address is visible, there is little use of any privacy/anonymity software.

We also sent an e-mail to ultra surf in this regard and till the time of writing this article we did not get any response. May be our analysis is wrong and we apologise in advance for any misunderstanding or wrong reporting. We would appreciate the inputs of public at large and encourage them to use any search engine with suitable query, including what is my IP. If the search engine shows the real IP address, ultra surf need to do some serious work in this regard.

Privacy and anonymity is also necessary to enhance cyber security as many cyber attacks are specifically linked to IP address. If a different IP address is publicly available that can reduce the risks of many cyber attacks.

We hope anonymity, privacy and security enthusiastic would enlighten us with their correct, accurate and technical analysis and inputs in this regard.

DARPA Would Develop Offensive And Preventive Cyber Capabilities

The Defense Advanced Projects Research Agency (DARPA) has been working hard to develop its cyber capabilities. It includes both offensive and defensive cyber capabilities. The seriousness of United States in this regard is also apparent from the fact that the US government’s advanced research unit has decided to increase its funding for cyber research by 50 percent over the next 5 years. This has been decided in response to the increased threat of cyber terrorism and cyber warfare that US is facing.

The DARPA, held it’s first-ever symposium to discuss how the U.S. military can better protect itself from foreign-backed hackers. DARPA’s director, Regina Dugan, told conference members the agency will work to develop offensive cyber capabilities as well as maintaining defensive lines.

Recent cyber attacks on multinational firms and institutions, ranging from Google, Citigroup, U.S. Senate’s website to the International Monetary Fund, have raised fears that governments and the private sector are ill-prepared to beat off hackers. To tackle these sophisticated cyber criminals there is an urgent need to beef up offensive cyber capabilities.

DARPA’s conference would follow several months of discussion among security experts and military personnel as to how the U.S. should balance its offensive and defensive cyber weapons.

In a typical cyber attack by an enemy State, the critical infrastructure is the first choice. Estonia witnessed this truth in the past. Further, in cases of cyber warfare and cyber terrorism also critical infrastructure is the chief target of cyber attack. An international cyber security treaty can be a good solution for dealing with this problem at the international level.

Brazilian ISPs Faced DNS Cache Poisoning Attack

Malware makers are using novel and every possible method to trick innocent users in either downloading the same or redirecting them to websites that encourage them to do so. Recently, it was reported that Malware writers used IP cloaking method to circumvent web Malware detection techniques of Google.

Similarly, it was also reported that a number of Google Images are actually infected with Malware that misdirects users to pages that try to sell fake anti-virus scareware and to makes users believe they must download the program to avoid viruses. Of course, Google is doing its level best to minimise the threats of these Malware.

Malware writers have also been targeting the Domain Name System (DNS) to spread Malware through methods like DNS cache poisoning. In this method, malicious code/data is introduced into a DNS name server’s cache database that did not originate from authoritative DNS sources. Sometimes DNS cache poisoning also occurs unintentionally and without malicious intentions due to misconfiguration of a DNS cache or from improper software design of DNS applications.

A similar DNS cache poisoning attacks against several Brazilian ISPs has exposed large numbers of their subscribers to Malware attacks when they attempt to visit Hotmail, Gmail, and other trusted websites. According to the report, the attacks work by poisoning the DNS cache that the service providers use to translate domain names such as google.com into internet protocol numbers such as 74.125.224.144. By replacing legitimate IP addresses with ones leading to servers controlled by attackers, the attack is causing end users to be surreptitiously directed to sites that exploit software vulnerabilities on their computers or trick them into installing Malware.

DNS cache poisoning is frequently carried out by exploiting long-standing security vulnerabilities in the DNS, but at least some of the recent attacks in Brazil appear to be the result of a rogue insider at one of the targeted ISPs. In fact, a 27-year-old employee of a medium-sized provider in the south of the country has been arrested and accused of participating in the malicious scheme. Over a 10-month period the accused employee had changed the DNS cache of the ISP, redirecting all users to phishing websites.

Companies are reporting attacks that are changing the DNS configurations of their routers and modems. As a result, when employees try to visit websites, they encounter displays that instruct them to install a malicious Java applet.

It is not the case that ICANN is not aware of these threats and concerns. In fact, ICANN has been considering use of Domain Name System Security Extensions (DNSSEC) for securing domain name system (DNS). DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Although people browsing the Internet often take it for granted that the sites they visit are created and operated by their purported owners, it is possible for criminals with knowledge of the Internet’s addressing system to create counterfeit websites that look like the real thing but capture users’ private information. DNSSEC guards against this cyber threat.

National Counter Terrorism Centre Of India Downsized

National Counter Terrorism Centre of India is an ambitious project that aims at fighting the growing menace of terrorism in India. However, from the very beginning it is in doldrums. Fears of it becoming an all powerful and centralised point for terrorism related issues have never allowed it to take a start.

Besides there are many “practical difficulties” that may prevent the actual implementation of the much needed NCTC of India. Presently intelligence agencies of India are operating under different Department/Ministries and there would be a “reluctance” to submit to the centralised NCTC of India.

Another problem pertaining to intelligence agencies of India in general and projects like NCTC, National Intelligence Grid (Natgrid) Project of India, etc in particular is that in India we have no “parliamentary oversight” over intelligence and law enforcement agencies.

In this background, it has now been reported that the proposed NCTC of India may not be an umbrella organisation having control over various arms of intelligence agencies in India.

The Union home ministry is re-working its proposal to allay the concerns of the Prime Ministers Office (PMO) and various ministries and agencies in this regard. The PMO has not given its consent to the concept of the NCTC as drawn out in the discussion paper submitted by the MHA in 2010, but has orally conveyed to the MHA that it has agreed to discuss the setting up of the counter-terrorism centre.

The MHA is preparing a brief note to approach the Cabinet Committee on Security (CCS) to get an in principle approval for the setting up of the NCTC by the year-end, promising to go back to the CCS at every stage.

Taking lessons from its recent bad experience that has put the National Intelligence Grid of India in doldrums, the MHA is planning to suggest the NCTC will act as a “‘fusion” centre where all “terror-related” information will flow in and would be “analysed” by a group of experts.

The NCTC will work not only to “pre-empt” terror attacks but also help in “post blast” analysis and seamless sharing of information between various agencies. The Natgrid will not be subsumed by the NCTC but would provide the critical information to the centre, when required, and the task of intelligence gathering will remain with the various agencies which would work as usual.

The MHA is planning to hold meetings with experts and retired officials, including former home secretaries and chiefs of intelligence agencies to hear their views and proceed step by step.

Are Indian Nuclear Facilities Cyber Secure?

Nuclear facilities are part of the critical infrastructure of India that need robust protection. The critical infrastructure protection policy of India must protect them on priority basis. Similarly, critical ICT infrastructure protection in India is required to be taken seriously.

Malware writers have been increasingly targeting critical infrastructures world over. Their latest targets seem to be nuclear installations and facilities. Stuxnet is a classic example of this Malware attack upon nuclear facilities.

The addition of Duqu Malware into the league is a hint where cyber crimes and cyber attacks game is going. India is presently investigating the Duqu Malware. While the task has not been accomplished yet news about possible cyber attack against India’s lone uranium enrichment facility at Rattehalli, near Mysore, has surfaced.

According to the news, the facility may become the target of the gravest act of cyber war against India to date, attacking no less than its strategic nuclear programme. The sources said computers at the Rattehalli facility, euphemistically called Rare Materials Plant (RMP), were possibly infected by the deadly Stuxnet, or a Stuxnet-derived Malware, as a precursor to an attack to destroy thousands of centrifuges installed there.

This situation has once again reiterated the need for India to develop cyber warfare capabilities. In the past, similar attacks on Iran’s Natanz enrichment plant destroyed over 1,000 centrifuges and set its alleged nuclear bomb programme back at least 12-18 months.

An official response from Indian authorities in this regard is still awaited. But one thing is for sure that India is still not yet ready for the new Malware game that is producing serious cyber threats in the form of Stuxnet, Duqu, etc.

Are Indian Bank Complying With RBI’s Cyber Due Diligence Requirements?

Cyber crimes against banks are very common. For example Citigroup had recently confirmed cyber attack upon bank’s network. It is also well known that a timely and appropriate cyber due diligence could have prevented such attacks and various cyber frauds that are growing in the banking sector of India.

Reserve Bank of India (RBI) has recently directed that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. This has been suggested so that cyber due diligence for banks in India can be ensured.

Few more areas that Indian banks must keep in mind include cyber security due diligence for banks in India, e-discovery for due diligence for banks in India, cyber law compliances, ATM frauds and phishing attacks, etc. However, the big question is are Indian banks ready for cyber due diligence?

As per RBI’s guidelines and recommendations, Indian banks need to ensure implementation of basic organisational framework and put in place policies and procedures which do not require extensive budgetary support, infrastructural or technology changes, by October 31, 2011.

The rest of the guidelines need to be implemented within period of one year unless a longer time-frame is indicated in the RBI’s circular. There are also a few provisions which are recommendatory in nature, implementations of which are left to the discretion of banks.

RBI is becoming more and more serious regarding defaults committed by Indian banks. In the past, RBI imposed penalty upon 19 banks for non compliance of prescribed standards. Similarly, RBI has also directed that any strictures passed against directors of a bank by any financial sector regulators must be reported to it. Non compliance of the recommendations of RBI working group may attract both penalty and strictures.

Banks are required to follow cyber due diligence and cyber security due diligence requirements in their own interests. The sooner it is done the better it would be for all the stakeholders.