Center Of Excellence (CoE) For Internet Of Things (IoT) In India

Wednesday, December 16, 2015

Indian Cyber Security Developments In 2015

Perry4Law Organisation (P4LO) has been providing cyber security trends and developments in India for many years. This year as well, we have discussed both cyber security trends in India 2015 and cyber security developments in India. We have provided a research report on cyber security related events in the year 2015. The report is titled Cyber Security Developments in India 2015 and it outlined major cyber security related events that took place in the year 2015. A dedicated blog on international cyber security related legal issues titled International Legal Issues of Cyber Attacks and Cyber Security, Cyber Terrorism and Cyber Warfare was also launched by P4LO on this occasion. The purpose of this blog is to discuss techno legal issues pertaining to international cyber attacks and cyber security.

Cyber security environment in India is fast changing due to growing realisation of threats of cyber attacks and cyber crimes. India is presently facing many sophisticated cyber security problems and challenges that need attention of our policy makers. It is equally important to establish a strong, robust and resilient cyber security infrastructure in India on priority basis. This must include creation of offensive and defensive cyber security capabilities of India. India must also develop indigenous software and hardware so that dependence upon foreign imports can be minimised. Recently, India opposed the proposal to include cyber security technologies under the Wassenaar Arrangement as India is still dependent upon foreign countries for import of cyber security products and services. Sooner or later we would be forced to use Indian cyber security products and services and P4LO recommends that the Electronic System Design and Manufacturing (ESDM) Policy and Regulations in India 2014 must be suitably modified and implemented in India.

According to the report of P4LO, cyber security witnessed many ups and downs in Indian cyberspace in the year 2015. The report has stressed upon formulation of a techno legal framework for India by Indian government that can tackle the challenges arising out of growing cyber crimes in and cyber attacks against India. These techno legal cyber security safeguards can be incorporated into a proposed cyber security policy of India 2015. Similarly, cyber security breach disclosure norms must also be formulated by Indian government for enhanced participation by all stakeholders. The report has also stressed upon strengthening of Indian cyber security infrastructure so that sophisticated cyber attacks can be prevented and eliminated.

There is no second opinion that Narendra Modi government must protect Indian cyberspace on a priority basis. It is high time for the Modi government to be serious about cyber security of India. This is more so when the Supreme Court of India has virtually killed cyber law due diligence in India that could have kept Internet intermediaries and other stakeholders cyber disciplined.

The report has also stressed upon need for smart cities cyber security and smart grids cyber security in India. Similarly, stress has been given for cyber security of Digital India project of Modi government that is presently suffering from various shortcomings. In a welcome move, Modi government appointed Dr. Gulshan Rai as the first chief information security officer (CISO) of India. This is very important as India is facing serious cyber threats from private individuals as well as agencies of other nations.

For instance, it has been revealed that hardware based stealth malware were used by US intelligence agencies against various targets. Recently, Twitter has warned some users that their Twitter accounts were compromised by state sponsored actors. It is clear that cyber attackers are no more script kiddies but state supported crackers who work under a cyber immunity clause. This is also the reason why Indian intelligence agencies are also insisting upon legal immunity against cyber deterrent acts. Besides cyber attacks and planting of malware, intelligence agencies are also using open source intelligence (OSINT) to gather sensitive and personal information.

Banks related cyber security is another area of concern in India. Cyber security of banks in India need to be strengthened by Indian government. In a good move, Reserve Bank of India (RBI) has decided to establish an IT subsidiary to meet cyber security challenges of banks in India.

As per the report, the year 2015 also envisaged an increased interest in cyber liability insurance in India. The major reason for the growth of cyber insurance policies in India is the increased numbers of cyber crimes and cyber attacks in India. However, cyber insurance stakeholders in India have still to understand the technicalities of techno legal aspects of cyber insurance. This is more so as the year 2016 would witness an increased focus upon cyber crimes insurance in India.

Perry4Law Organisation (P4LO) hopes that cyber security stakeholders of India and other jurisdictions would find this research report useful.

Tuesday, December 8, 2015

Electronic System Design And Manufacturing (ESDM) Policy And Regulations In India 2014

Electronic System Design and Manufacturing in India is the upcoming field for telecom and electronics companies’ world over. The Department of Electronics and Information Technology (DeitY), India has formulated many pro active and reformative policies and strategies in this regard.

The laws, rules and regulations in India are also reformulated to accommodate the growing demands of ease of doing business in India and foreign direct investments (FDI) in Indian telecom sector. For instance, the FDI Policy in Telecom Sector of India 2014 (PDF) has allowed 100% FDI subject to FIPB approval and other national security requirements. Similarly, approval to establish two semiconductor wafer fabrication manufacturing facilities in India (PDF) has also been granted by Indian Government.

Both domestic and international telecom companies and electronic system design and manufacturing (ESDM) stakeholders must comply with national security and cyber security laws, policies and regulations of India in order to do business in India. The National Cyber Security Policy of India 2013 (NCSP 2013) was recently declared by Indian Government. Indian Government is also planning a legislation mandating strict cyber security disclosure norms in India. Indian Government is also investigating the alleged breach of national security of India by Huawei by hacking base station controller in AP.

Of late, Huawei and ZTE are in telecom security tangle of India and other nations like United States. India even made telecom security a part and parcel of its national telecom policy of India 2012. Other nations are also restricting market access to Chinese telecom equipments and India is not alone. The cyber security concerns excluded Huawei from Australian broadband project. Further, the US house intelligence committee is investigating Huawei cyber espionage angle. Media reports have also speculated that ZTE facilitated e-surveillance in Iran. Now Huawei is trying to inculcate trust among US government over telecom security issues. Companies like Huawei and ZTE are also in constant talks with other nations, including India, in this regard. More such companies can be brought under the legal and national security scrutiny in the near future.

The merger and acquisition rules and regulations in India for telecom sector of India have also been streamlined to provide a level playing field for both national and international telecom companies and ESDM stakeholders. The Guidelines for Merger and Acquisitions of Telecom Companies in India 2014 (PDF) have also been issued and many international telecom companies have shown their interest in this regard.

The estimated production of electronic products will reach USD 104 billion by the year 2020. However, the supply part would not be able to meet this demand curve as domestic companies and stakeholders alone cannot meet this demand. Thus, foreign companies and stakeholders dealing in ESDM have golden chance to capatilise this opportunity.

In fact, the Indian Government has already initiated several initiatives for the development of electronics sector in the country. The Government has recently approved National Policy on Electronics (NPE) 2012 (PDF). One of the important objectives of the NPE is to achieve a turnover of about USD 400 Billion by 2020 involving investment of about USD 100 Billion and employment to around 28 million by 2020. This interalia, includes achieving a turnover of USD 55 Billion of chip design and embedded software industry, USD 80 Billion of exports in the sector. Moreover, the policy also proposes setting up of over 200 Electronic Manufacturing Clusters. Another important objective of the policy is to significantly upscale high-end human resource creation to 2500 PhDs annually by 2020 in the sector.

Several other policy initiatives have been approved in last few months. These include providing very attractive financial investment in electronics manufacturing and providing preference to domestically manufactured electronic goods in all Government procurement as well as all those electronic goods whose use has security implications for the country.

While the opportunities are ample yet techno legal compliances cannot be ignored by both domestic and international telecom players and ESDM stakeholders. Issues like cyber security due diligence, cyber law due diligence (PDF), technology related due diligence, etc cannot be ignored by these stakeholders if they wish to do hassle free business in India.

Telecom Commission Cellular Loop’s Proposal Would Strengthen Mobile Based Surveillance On National Security Grounds

Recently the National Cyber Security Policy of India 2013 (NCSP 2013) (PDF) was released by Department of Electronics and Information Technology (DeitY). However the same was not made part and parcel of the National Security Policy of India. Further, the cyber security policy of India itself was insufficient and weak on many counts including lack of privacy safeguards. The cyber security policy is also not at all framed to cover the telecom security aspects as well.

India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. It would also be interesting to see what types of telecom security policies would be implemented for border regions of India. Telecom security in India is not in a good shape and Indian telecom infrastructures are vulnerable to numerous cyber attacks. Recently it was reported that Huawei was accused of breaching national security of India by hacking base station controller in AP.

We have no implementable cyber attacks crisis management plan of India. The critical ICT infrastructure of India (PDF) is in a poor shape.  The cyber security trends of India 2013 (PDF) proved that India has still to cover a long field before cyber security can be effectively implemented in India. Thus, telecom infrastructures and equipments located at borders of India would be more vulnerable to cyber attacks than general telecom infrastructures of India.

The Telecom Commission may clear an Rs 7,103-crore rollout of Greenfield 2G networks in regions close to the Chinese and Bangladesh borders. These regions are presently outside the mobile loop. There are 8621 villages in locations of strategic importance across the northeast that are proposed to be brought under the cellular loop for the first time to bolster mobile-based surveillance on national security grounds.

Universal Services Obligation Fund (USOF), which will fund the project, will shortly invite bids from telcos for rolling out nearly 6,700 base stations in these regions. The USOF is the Department of Telecommunication’s (DOT) rural network infrastructure financing arm.

But it remains to be seen whether USOF will tweak tender norms to ensure any future cost escalations triggered by India’s spectrum reframing policy are shouldered by telecom operators. It would also be relevant to observe how the telecom security and cyber security aspects would be managed by Indian government in the near future.

National Security Council Secretariat (NSCS) Wants Reliance Jio Infocomm To Share Potential Cyber Security Threats On India’s Telecom Networks

Governments around the world are stressing upon stringent cyber security breach disclosures norms but telecom companies are opposing the same on cost and other burdensome regulatory reasons. Nevertheless the governments across the globe are working in the direction of forcing the telecom companies to disclose the cyber security breaches.

There is no universally acceptable international cyber security treaty (PDF) and countries across the globe have adopted a national approach toward cyber security. However, the way sophisticated malware are developed by nations as a cyber warfare and cyber espionage weapon, this national approach is of little help and significance.

India has also decided to formulate a cyber security breach disclosure norm in the past. However, keeping in mind the slow pace at which Indian government works in the field of cyber security, this may take few more years before this much required security practice is actually implemented in India.  The cyber security trends in India 2013 (PDF) have underlined many crucial cyber security lapses of India.

Indian government has already formulated the cyber security policy of India that intends to cover some of the crucial cyber security aspects of the nation. However, the cyber security policy has not been implemented till now and it may take few more years before some action can be expected in this regard from Indian government.

Indian government has also tried to spread cyber security awareness in India. It has mandated that a cyber security brochure must be essentially supplied along with hardware to spread cyber security awareness among Indian consumers. However, telecom and hardware vendors are not happy with this direction and they are postponing this requirement for one reason or other.

Meanwhile, the National Security Council Secretariat (NSCS) has urged the Reliance Jio Infocomm to become part of an industry platform which shares information with the government on potential cyber security threats to the country’s telecom networks. The NSCS says “it is important to involve Reliance Jio in sharing information on potential cyber threats, trends and incidents to enable the government to take suitable counter measures”.

The matter was recently discussed at an internal meeting of the Joint Working Group on cyber security chaired by NSCS secretary and Deputy National Security Advisor Nehchal Sandhu. The NSCS is the apex agency looking into India’s political, economic, energy and strategic security concerns and works closely with the Prime Minister’s Office (PMO).

India’s security establishment wants regular leads on potential cyber security threats from Reliance Jio as it is the sole holder of a pan-India 4G permit and is slated to roll out high-speed broadband services later this year on the long term evolution (LTE) technology standard. Last month, Jio also entered the voice segment by buying 1800 MHz band spectrum in 14 regions for nearly Rs 11,000 crore as a precursor to launching 4G services on the frequency band.

In the meeting, the telecom department’s security chief Ram Narain said that Jio is mandated by license conditions (PDF) to share information on potential cyber threats. Besides, the national telecom security policy of India 2014 may impose more stringent obligations than the licence conditions. As the foreign telecom companies are facing the heat of cyber security and telecom security in India, this is a good opportunity for Indian telecom companies to extend their commercial base in India. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission Cellular Loop’s Proposal would also strengthen mobile based surveillance on national security grounds in India.

Clearly, the intentions to ensure critical infrastructure protection in India (PDF) are taking a concrete shape. The National Technical Research Organisation (NTRO) has been assigned the task of protecting the critical infrastructure of India.

As Reliance Jio is still not part of any of the telecom industry bodies like the GSM’s Cellular Operators Association of India or the CDMA’s Association of Unified Telecom Service Providers of India (Auspi) who have both supported creation of the Information Sharing and Analysis Centre (ISAC), the agency that will collate all classified industry feedback on potential cyber threats and vulnerabilities in telecom networks across technology platforms.

The latest developments come at a time when the telecom department is framing testing standards for telecom gear to shield networks from potential cyber attacks. India is also readying a cyber security framework, a cyber security policy and a National Cyber Coordination Centre (NCCC) that will monitor metadata on cyber traffic flows.

DOT India Asks ISPs To Adopt New Cyber Security Measures Including Securing Home ADSL And Broadband

Router and modems insecurity is a major cause of concern for governments around the world. Cyber criminals are targeting routers and modems used by home users’ for a broadband connection. In most of the case the routers and modems come with standard login and password credential for practical reasons and convenience. The manufacturers of routers and modems expect the end user to change their login credentials and password. However, a majority of home users do not change such crucial information and this make the routers and modems vulnerable to various cyber attacks.

Amid growing threats of cyber attacks and hacking of websites, the Department of Telecommunications (DoT) has prescribed the security measures to be adopted in ADSL Modems to safeguard against misuse (PDF). These security measures must be adhered to by internet service providers (ISPs) of India within 60 days of the formulation of these measures. This is asking too little from the ISPs as there are other major telecom security issues in India that are still not redressed properly. The truth is that Indian telecom networks are highly vulnerable to cyber security threats.

DoT has noted that crackers have been exploiting vulnerabilities in the asymmetric digital subscriber line (ADSL) modems. The ADSL modems are usually installed by broadband service providers at homes and offices. DoT has written to all ISPs to “assist customers to change the password, including by physical visits”. It has also come out with a new set of guidelines for ISPs that must be implemented by May 2014 to ensure security of almost 1.5 crore fixed-line broadband users.

The ADSL modems are presently supplied by vendors with default set up of user ID and password as “admin’. The default password needs to be changed to a strong password by customer at the time of installation of modem to avoid unauthorised access to modem. The ISP executive visiting customer for installation of modem should ensure this.

The protocol ports in ADSL modem on WAN side [for example, FTP, TELNET, SSH, HTTP, SNMP, CWMP, UPnP] be disabled. These ports may be used by the hackers to enter into the ADSL modem to misuse/compromise the ADSL modems by way of implanting the malware, changing the DNS entries in the modem.

In other instructions, the ISPs have been asked to devise a “mechanism to upgrade the firmware of the ADSL modems remotely by ISPs”. For this, the ISPs need to have separate login password, which is not possible in the present system of ADSL modem design. The DoT has asked the ISPs to tell their customers to check their online daily usage, and if any unexpected high usage of data is noticed, they may bring it to the notice of the ISP concerned. Customers should also be advised to switch off their modem when not in use. Readers of this blog may see the document (PDF) for a detailed analysis.

Encryption Laws In India

Encryption has become an indispensable technology these days. Whether it is online banking, e-commerce or e-governance services, encryption is commonly used in all these services. Encryption ensures authenticity and legality to various transactions provided the same is done within permissible limits and in accordance with the applicable laws of India.

Unfortunately, we have no dedicated encryption law of India and encryption policy of India (PDF) as on date. This has made the entire scenario very complicated. In fact, as on date most of the online service providers in India are in active violations of the encryption related laws, regulations and compliance requirements.

Cloud computing and virtualisation service providers are also violating the laws of India relating to encryption and cyber law due diligence (PDF) requirements. Even the telecom security policy of India has failed to address the encryption related issues properly. The cyber security trends of India (PDF) have also highlighted the inadequacies of cyber security of India and a part of the same is attributable to inadequate encryption and decryption capabilities of India.

Provisions pertaining to encryption usages in India can be found in the by license conditions (PDF) of telecom service providers. Thus, telecom companies and internet service providers (ISPs) cannot used more than the prescribed limits of encryption in India unless certain regulatory conditions are duly complied with. Similarly, the Information Technology Act, 2000 (IT Act 2000) also incorporates some provisions pertaining to encryption but they have remained dormant and ineffective till date.

Any individual or company that wishes to deploy encryption levels beyond the permitted ones would be potentially making himself/itself liable to legal action in India. It would be a good idea to ensure techno legal compliances in this regard before launching a project based upon encryption in India.

Monday, December 7, 2015

Cyber Security Problems And Challenges in India: Report By Perry4Law Organisation (P4LO)

Cyber security is a techno legal field that requires patience and techno legal expertise to practice. India has been a late entrant in the cyber security field and a robust and resilient cyber security infrastructure in India is still missing. We have a national cyber security policy of India (NCSP) 2013 but the same has remained on paper only so far. An analysis of the existing cyber security policy of India would reveal that India has still to do its homework in the cyber security field. We at Perry4Law Organisation (P4LO) believe that a new and proper cyber security policy of India 2015 must be urgently formulated by Narendra Modi government.

With fast urbanisation and stress upon establishment of smart cities, which mainly depends on information and communication technologies (ICT) to provide public services, we can expect increased number of cyber attacks upon critical infrastructure of India. The critical infrastructure protection in India (PDF) has its own challenges and issues. Similarly, smart cities cyber security in India would have their own problems and solutions. There is no second opinion that cyber attacks are going to increase further and this would raise complicated international legal issues of cyber attacks and cyber security.

For instance it was reported in 2014 that there was a 136% increase in cyber threats and attacks against Indian government organisations as compared to the previous year. Similarly, there was 126% increase in attacks targeting financial services organisations. There is no doubt that a strong cyber security infrastructure is need of the hour in India. Even the national cyber security policy of 2013 must be substituted with the new cyber security policy of India 2015.

Perry4Law Organisation (P4LO) has been suggesting formulation of the encryption policy of India (PDF) for long. As a result Indian government tried to bring an encryption policy recently under Section 84A of the Information Technology Act, 2000 (IT Act 2000) but it was highly defective. The government ultimately scrapped the encryption policy but it need to be formulated in a proper manner again.

As on date we are facing the following cyber security challenges in India:

(1) Cyber security is not a very easy process to manage. It requires both technological expertise and legal compliances which are lacking in the country.

(2) There are no dedicated cyber security laws in India, except one or two sections in the the IT Act 2000 which also has its shortcomings such as lack of privacy, lack of civil liberties protection, absence of cyber security breaches disclosure norms etc.

(3) The IT Act 2000 was passed to govern legal issues of e-commerce, e-governance, cyber crimes, etc. But, according to experts, new and better techno-legal laws must be enacted in place of the old law. Techno legal experts believe that Indian laws like IT Act 2000 and telegraph act require urgent repeal and new and better techno legal laws must be enacted to replaces these laws.

(4) On 13 April 2015, the government announced that the Ministry of Home Affairs would form a committee of officials from the Central Bureau of Investigation, Intelligence Bureau, Delhi Police, National Investigation Agency and ministry itself to produce a new legal framework similar to the erstwhile Section 66A of IT Act 2000. However, it is still to be enacted as per the information available with Perry4Law Organisation (P4LO).

(5) Many critical cyber security related issues need to be taken care of such as critical infrastructure protection, cyber warfare policy (PDF), cyber terrorism, cyber espionage, e-governance cyber security, e-commerce cyber security, cyber security of banks, etc.

(6) The cyber security obligations of stakeholders like law firms, e-commerce websites, directors of companies, Government departments, thermal power sector, power and energy utilities, etc must be properly understood and effectively implemented in India.

India is presently facing many type of cyber security threats. Thease include sophisticated cyber attacks, cracking, child pornography, cyber stalking, denial of service (DoS) attacks, distributed denial of service (DdoS) attack, malware infections, zero day vulnerabilities, phishing attacks, data theft, etc. In June 2012, cyber attacks were reported on the Indian Navy’s Eastern Command systems. On July 12, 2013, just few days after the release of the National Cyber Security Policy, several high-level GOI officials reported their emails had been hacked. A report later on revealed that almost 12,000 systems were hacked which included systems from the Ministry of External Affairs, Defence Research and Development Organisation, Ministry of Home Affairs, National Informatics Centre etc. There are also few reports of Pakistan indulging in threatening cyber warfare. Hacker groups based out of Karachi and Lahore have in recent years managed to hack the websites of the Central Bureau of Investigation (CBI) and the Bharat Sanchar Nigam Limited (BSNL) mostly to leave hate mail. It is widely believed that regional terrorist outfits, like the Indian Mujahideen (IM) have also made use of social media sites to communicate effectively.

Perry4Law Organisation (P4LO) has provided the following suggestions to Indian government from time to time:

(1) The Narendra Modi government must take cyber security of the country seriously considering the ever-increasing cyber security challenges in India.

(2) It is high time that India must be cyber prepared to protect its cyberspace.

(3) Draft of the National cyber security policy of India 2015 should be formulated as soon as possible.

(4) There must be a dedicated cyber security law of India keeping in mind contemporary cyber security threats.

(5) Cyber security disclosure norms in India must be formulated as soon as possible.

(6) The cyber security awareness in India must be further improved and spread so that various stakeholders can also effectively take part to the implementation of cyber security initiatives of Indian government.

Perry4Law Organisation (P4LO) hopes that this research report would be useful to all cyber security stakeholders in India and foreign jurisdictions.

Friday, November 27, 2015

Indian Govt To Launch Internet Safety Campaign Soon

Internet safety is a serious requirement these days when everything has been connected to Internet. Form education to healthcare, everything depends upon information and communication technology (ICT). It is natural to seek measures to protect various infrastructures and digital assets that are connected with Internet or cyberspace.

Indian government has announced that an Internet safety campaign would be started very soon in India. Perry4Law Organisation (P4LO) welcomes this move of Indian government. From the media reports it seems that the awareness drive would cover all stakeholders ranging from school level to government departments.

By covering school children, Indian government has taken a significant step in the direction of making Indian cyberspace decent and law abiding. Many times school students are not even aware that they are committing something wrong. If they are suitably made aware, many cyber violations would not take place at the very beginning itself.

At Perry4Law’s Techno Legal Base (PTLB) we believe that school children in India must be suitably educated about cyber issues. These may include areas like cyber law, cyber security awareness, etc. Further, we also believe that online skills development methods must be widely used in India for better results. We have launched the PTLB Virtual Campus in this regard that may be helpful for providing online education, skills development and training in various techno legal fields.

Indian government would also issue directions to various departments to formulate cyber security best practices that must be used across various departments. However, the real problem is the actual implementation of cyber security initiatives in India that are missing so far. Now the stakes are very high and Indian government cannot afford to be lax in the cyber security field.

We at PTLB believe that there is an urgent need to rejuvenate our education system that has failed to keep a pace with the contemporary times. We need to shed our academic preferences and stress more upon skills and training based education in India. Internet has become a better education system than our universities and most of the people who have learned from Internet perform better than those who have graduated from universities across the world. Some of these geniuses are not even graduate or formally educated yet they are much more skilled than formally educated people.

While launching the Internet safety campaign, Indian government must keep in mind the skills oriented and problem solving approach rather than launching another academic project of low value. We wish Indian government and its partners all the best in this regard and hope that they would be successful in their endeavours.

Saturday, November 21, 2015

Lenovo Accused Of Pre Installing Adware In Laptops Compromising Their Security

Spyware and malicious software has become a big nuisance for companies and individuals alike. While these companies and individuals can ensure cyber security as per their best judgment yet they have little control over pre installed malware and malicious software or codes in hard disks and operating systems.

Recently Kaspersky revealed that hardware based stealth spyware were used by. intelligence agencies to indulge in selective and targeted e-surveillance. Similarly, malicious firmware and BIOS are also big security threats for all stakeholders. Persistent BIOS infection using hidden rootkit is especially annoying and a major cyber security threat.

It has been reported that China’s Lenovo Group Ltd, the world’s largest PC maker, had pre-installed virus-like software on laptops that makes the devices more vulnerable to hacking. Users have complained that a programme called Superfish pre-installed by Lenovo on consumer laptops was “Adware”, or software that automatically displays adverts.

According to Robert Graham, CEO of U.S.-based security research firm Errata Security, Superfish was malicious software that hijacks and throws open encrypted connections, paving the way for hackers to also commandeer these connections and eavesdrop. This can give rise to a man-in-the-middle attack.

Lenovo had installed Superfish on consumer computers running Microsoft Corp’s Windows, he added. “This hurts Lenovo’s reputation,” Graham told Reuters. “It demonstrates the deep flaw that the company neither knows nor cares what it bundles on their laptops”. “The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads,” said Eric Rand, a researcher at Brown Hat Security. “This amounts to a wiretap.”

An administrator on Lenovo’s official web forum said on Jan. 23 that Superfish has been temporarily removed from consumer computers. Lenovo has also promised that the allegations regarding Superfish will be investigated and the problem would be fixed.

Concerns about cyber security have dogged Chinese firms, including telecoms equipment maker Huawei Technologies Ltd over ties to China’s government and smartphone maker Xiaomi over data privacy. Huawei and ZTE are already in telecom security tangle of India. Huawei has also been accused of breaching national security of India by hacking base station controller in Andhra Pradesh. Cyber security concerns have already excluded Huawei from Australian broadband project. US House Intelligence Committee is also investigating Huawei cyber espionage angle.

These episodes prove that countries are becoming more and more aware about use of malware in software and hardware and companies must be wary of using anything that make the hardware/software potentially risky for cyber security purposes.

Telecom Security Policy Of India 2014 And Unconstitutional E-Surveillance Issues

India literally borrows a majority of Security and Intelligence related ideas from United States (U.S.). This creates many unique problems for India. Firstly, these projects and ideas are meant for western countries and they are not at all suitable for a country like India. Secondly, if something goes wrong with the U.S. model, the “Infirmity and Irregularity” automatically creeps into Indian Projects and Initiatives as well.

In U.S., Civil Liberty Activists have started challenging U.S. Government’s E-Surveillance Projects and Policies. Even U.S. Courts have started taking a strict note of these E-Surveillance Activities of U.S. Agencies. Recently, the Massachusetts Supreme Judicial Court declared that phone users have Legitimate Expectation of Privacy while using their phones. Similarly, the Texas Appeals Court ruled that law enforcement officials do need a warrant to search an arrested person’s cell phone he/she has been jailed.  

The U.S. Government is also facing many lawsuits regarding illegal and excessive gathering and retention of phone details and metadata. The White House is also facing limited and difficult options to restructure National Security Agency’s phone surveillance program.

Now let us come to India that “Dedicatedly and Blindly Follows” these U.S. Models. The Cell Site Data Location Laws in India and Privacy Issues are still ignored by Indian Law Makers. The Cell Site Location Based E-Surveillance in India is rampant “without any Regulatory Checks and Judicial Scrutiny”. We have no dedicated Data Protection and Privacy Rights Laws in India.  Even the Fifty-Second Report of Standing Committee on Information Technology (2013-14) titled Cyber Crime, Cyber Security and Right to Privacy (PDF) has slammed Indian Government for poor Privacy Laws in India. The Cyber Law of India and the Indian Telegraph Act, 1885 also deserve an “Urgent Repeal”.

India has also launched E-Surveillance and Privacy Violating Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. Even the essential E-Surveillance Policy of India is missing till now.

Now it has been reported that Indian Government plans to put in place systems and regulations that will allow Law Enforcement Agencies to trace cellular phone users and provide access to targeted communication, text messages, information data and even value added services on a real-time basis, according to the draft guidelines of the country’s Telecom Security Policy.

The Department of Telecommunication (DOT) has proposed comprehensive norms in the draft policy after the Ministry of Home Affairs expressed strong reservations since the department had not created provisions for law enforcement agencies to intercept communication.

In a version of the draft policy that addresses National Security concerns, the DOT has said that the policy would “put in place effective systems, processes and regulations to ensure the traceability of telecom users or devices in terms of identity, permanent address and current location with specified accuracy and resolution in the case of need”. India intends to deal with Telecom Security issues in an in-depth manner as the open telecom environment has made it easier to intrude on networks and cause damage to information they contain. The recent allegation of hacking by Huawei of Indian Telecom Infrastructure proves this point. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission’s cellular loop’s proposal would strengthen Mobile Based Surveillance in India on National Security Grounds.

Techno Legal Compliances like Privacy Law Compliances, Data Protection Requirements (PDF), Cloud Computing Compliances, Encryption Related Compliances, Cyber Law Due Diligence (PDF), etc are not followed by the Law Enforcement Agencies of India. The Telecom Security Policy of India must address all these issues while keeping in mind the Telecom and National Security of India. Further, India must Reconcile Civil Liberties and National Security Requirements as well.

The proposed policy also envisages providing analysis of information and data including decrypted messages, flowing through the telecom network, stored in systems and devices. Abilities of security agencies to analyse information quicker will be enhanced by making latest technology and systems available which will cut down delays and minimise information leakage.

However, security agencies will uphold privacy rights of Indian citizens, the draft norms said. This is difficult to believe as the proposed Privacy Law of India is already facing Intelligence Agencies Obstacles. Even the National Cyber Security Policy of India has failed to protect Privacy Rights in India.

A Telecom Security Directorate (TSD) has been proposed for implementing and updating the proposed Telecom Policy. Meanwhile, security certification centre for testing telecom equipment, centralised monitoring system for interception and monitoring and emergency response team for detecting and analysing cyber attacks, internet traffic hijacks and telecom sectoral frauds would be created.

DOT is of the opinion that the sector requires a separate security policy since the cybersecurity policy is not sufficient to deal with security issues specific to the telecom industry that has created critical information infrastructure.

The Government will largely depend on mobile phone companies that will implement the security instructions as a key stakeholder and also share the cost with the government. Telecom operators would have to build systems, procedures and methods to make their network resilient so that any damage has a minimum impact on the network and it can be revived quickly.

Telcos would have to share information on attacks on their networks, intrusion and frauds with Government agencies, including telecom sectoral CERT, the national CERT and the National Cyber Coordination Centre, that may monitor all web traffic passing through internet service providers in the country and issue ‘actionable alerts’ to government departments in cases of perceived security threats. Indian Government is also planning a legislation mandating strict Cyber Security Disclosure Norms in India.

These Proposals, Policies and Initiative are not only “Controversial and Unconstitutional” in nature but they are also far from being actually implemented. At the time of their implementation, they must be supported with “Constitutionally Sound Laws” to avoid “Constitutional Attacks”. Otherwise this would only increase unnecessary and unproductive litigations in India.

Kaspersky Reveals Hardware Based Stealth Spyware Used By Intelligence Agencies

Cyber espionage is not a new game but it has become more apparent and visible these days. World over intelligence agencies have been using various techniques and methods to infiltrate and track users of their interest. These methods include hardware and software based spyware. The National Security Agency (NSA) of United States has even used radio waves to do e-surveillance.

As per the Cyber Security Trends in India 2015 by Perry4Law Organisation (P4LO), Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, Gameover Zeus (GOZ), Carbanak, etc would further increase in the year 2015. These are sophisticated and customised malware that remained in operation for decades without being tracked by the victims.

Traditional hardware and software based security mechanisms have failed to protect crucial assets and sensitive information of various organisations and nations. An out of the box solution is need of the hour to tackle present day malware. For instance, the Moscow-based security software maker Kaspersky Lab has recently discovered hidden spyware in hard drives of computers. Kaspersky called the authors of the spying program “the Equation group,” named after their embrace of complex encryption formulas. More details can be found at the documents titled Equation Group- Questions and Answers (PDF) released by Kaspersky.

These hard drives are manufactured by Western Digital, Seagate, Toshiba and other top manufacturers, thereby making their use a potential cyber hazard. Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

Although Kaspersky has not publicly named the country or organisation behind this spyware yet it has claimed that the work is attributed to the same people who are behind Stuxnet malware. Some claim that Stuxnet is a product of National Security Agency (NSA) of U.S. This view has been affirmed by a former NSA employee who told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it. NSA spokeswoman Vanee Vines declined to comment.

Kaspersky believes that this sort of cyber espionage is possible only if a person or organisation has access to source code of the hardware known as firmware. Once the access is there, the source code can be manipulated the way it has been alleged to be done by NSA. The spyware is activated the moment a computer with infected hard drive is switched on. Since the spyware/malware is booting from the firmware, antivirus and ant malware products cannot detect the same and the malware keep on working stealthily.

A firmware infection is the second most sought after method by crackers and cyber criminals to infect and compromise a system. Obviously, BIOS infection through rootkit is the favourite methods of such cyber criminals. No matter how many times a user disinfects his computer, the hardware/BIOS based malware would keep on infecting it again and again. This is so even if a user reinstalls the operating system as the infection is not at the OS level but at the root level itself.

Kaspersky has informed that the owner of this still-active malware could have taken complete control of the systems that were using the infected hard drives but they preferred to target selective few of high interest. According to Kaspersky, the malware owner also used other methods of cyber espionage and cyber spying like compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny. There seems to be collaboration between the authors of Fanny and Stuxnet as both exploit two of the same undisclosed software flaws, known as zero days. Kaspersky believes that it is quite possible that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.

Carbanak Steals About A Billion US Dollars From Financial Institutions Worldwide

The legendary bank robber Willie Sutton was once asked why he robbed the banks to which he replied “because that is where the money is”. Although this famous answer was disputed by the Willie subsequently yet it has become Sutton’s law that is relied upon by many people and institutions while giving examples and explaining various principles. This is so because the legendary answer may be of 1934 period but its core principle still applies to banks and financial institutions of present era.

Banks and financial institutions of India and other jurisdictions are still struggling to secure their financial assets and infrastructure. Sophisticated malware are targeting banks and financial institutions and with good success rate as well. For instance, the Vskimmer Trojan capable of stealing credit card information from Windows systems is already in circulation. Similarly, the Malware Dump Memory Grabber is also targeting POS systems and ATMs of major U.S. banks. These malware are creating havoc in India and international levels.

Now it has been reported that a multi-national gang of cyber-criminals known as Carbanak has stolen about a billion US dollars from financial institutions worldwide over the past two years. The gang is alleged to have operatives from Russia, Ukraine, Europe and China who are using various techniques to steal the money. The gang’s activities have been uncovered by the combined efforts of INTERPOL and Europol working with Kaspersky lab as well as authorities from several other countries.

Kaspersky reports that since 2013, the criminals sought to attack 100 banks, e-payment systems and other financial institutions in some 30 countries and that attacks remain active. Targets included financial organisations in Russia, USA, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia.

The gang used the commonly prevalent technique of compromising the systems of banks and financial institutions through installing malware using spear phishing mails. The attackers stole money directly from banks, rather than targeting end users, signifying use of spear phishing instead of simple phishing. The attackers must have studied the banking system of concerned bank or financial institution before siphoning the money.

The attackers used online banking or international e-payment systems to transfer money from the victim banks’ accounts to their own. For transfers, the stolen money was deposited with banks in China or America – and others may have also been used. In some cases the attackers compromised the key accounting systems and inflated account balances before taking the extra funds via a fraudulent transaction. By changing an account with 1,000 pounds to 10,000 pounds, the criminals then transfer 9,000 to themselves. And the account holder doesn’t suspect a problem because the original 1,000 pounds is still there.

The cyber-thieves also seized control of banks’ ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang was waiting beside the machine to collect the ‘voluntary’ payment.

Indian Govt Enforces Ban On Private E-Mails For Official Communications

E-mails are important mode of communications these days. With the increasing webspace most of us also store crucial data, information and documents in our e-mail accounts. Obviously the access to these information and documents is available to the e-mail service providers and the law enforcement agencies of the countries where such e-mail service providers are located. This access can be legal as well as illegal though unlawful e-surveillance and eavesdropping methods.

Indian government has been struggling long to formulate and implement the e-mail policy of India. This is important for India as sensitive documents cannot be transferred out of India as per Indian laws like Public Records Act, 1993. Even Delhi High Court is analysing the e-mail policy of India and has shown its displeasure over slow action on the part of Indian government in this regard.

The Delhi High Court has also directed central government to issue notification regarding electronic signature under Information Technology Act 2000. An advisory by Maharashtra Government to use official e-mails has already been issued.

Now its has been reported that Indian government has decided to ban the use of Gmail or any other private email for official communication across all its organisations, and make it mandatory for them to migrate to email services provided by the National Informatics Centre (NIC). This is a good step in the right direction and Perry4Law Organisation (P4LO) welcomes this move.

As per the e-mail policy of Indian government, notified on February 18, each employee of the government of India or any state/UT government staff using e-mail services of GoI will be provided two e-mail IDs, one based on designation for use in official communication and the other based on name for both official and personal communication. Not only will the employees be barred from using email services provided by any other service provider for official communication, but they also cannot provide details of the GoI email account to private e-mail service providers.

P4LO believes that this is a significant policy decision as it would allow not only keeping the government documents within Indian territories but would also help in cyber security initiatives. If details of the GoI email accounts are not made public, there are much lesser chances of spam, spear phishing, cyber attacks through malicious links, etc.

As per the email policy notified by the department of electronics and IT (DeitY), forwarding of email from the official GoI ID to the official’s personal ID outside the GoI e-mail service will not be allowed. Though official email ID provided can be used to communicate with any other user, whether private or public, the users must exercise due discretion on the contents being sent as part of the email.

For emails deemed as classified or sensitive, the policy mandates use of digital signature certificate and encryption. This would increase the authenticity and integrity of e-mail communications using digital signature certificate and encryption. It would also means that any eavesdropping or e-surveillance would not be easy as the contents of the e-mail would not be in plain text but in encrypted format.

The user will have to update their current mobile numbers under their personal profile. The phone number will be used as alternative means to reach the user and send alerts. In case a user ID is compromised and this impacts a large user base or data security of the deployment, the NIC shall reset the password of the user ID without prior notice to the user. In normal circumstances, where the compromise of an email user ID is detected, an SMS alert will be sent to the user with details of the action to be taken by him/her. If no action is initiated after five such alerts, the NIC would reserve the right to reset the password. Auto-save of password in the government email service will not be permitted due to security reasons.

The email policy lists the examples of “inappropriate use of the email service”, including in it the creation and exchange of harassing, obscene or threatening emails; transmission of emails involving language derogatory to religion, caste or ethnicity; unauthorized exchange of confidential information; distribution of anonymous emails from another officer’s ID; masking of identity of the sender of email and willful transmission of an email containing a computer virus.

The NIC will maintain email logs for all user IDs for two years. Any security incident, or an adverse event that can impact availability, integrity, confidentiality of government data, must immediately be reported to the computer emergency response team (CERT-IN).

In case of a threat to security of the government service, the NIC may de-activate or suspend the email ID used to impact the service. The security audit of NIC email services and other organizations maintaining their own mail service shall be conducted periodically by an organization approved by the department of electronics and IT.

SC Has Killed Cyber Law Due Diligence In India To A Great Extent

Cyber law due diligence in India (PDF) for Internet Intermediaries is incorporated in the Information Technology Act 2000 (IT Act 2000). Section 79 read with Information Technology (Intermediaries Guidelines) Rules, 2011 (PDF) deals with cyber law due diligence obligations of Internet Intermediaries of India.

There has been lots of confusion and protests against the Internet Intermediary liability applicable to the Intermediaries. Although internet intermediary liability in India has been clarified yet doubts and problems persisted in this regard. As a result cyber law due diligence requirements in India is neglected with impunity.

According to the cyber law developments of India 2014 provided by Perry4Law Organisation (P4LO) and Cyber Crimes Investigation Centre of India (CCICI), some serious cyber law related issues deserve immediate attention of Indian government. We were waiting for a positive response from Indian government but meanwhile the judgment of Shreya Singhal v. Union of India (24th March 2015), Writ Petition (Criminal) No.167 Of 2012 (PDF) was delivered by Indian Supreme Court.

This judgement has come as a big blow to the cyber law due diligence obligations of Intermediaries in India. The main problem seems to be reading down of Section 79(3) (b) and Rule 3(4) By Supreme Court in a manner that would be counter productive in the long run. In fact, reading down of Section 79(3) (b) and Rule 3(4) is more problem than solution as the Supreme Court erred in adopting this approach.

Now it has become necessary for Modi government to urgently bring suitable amendments in the IT Act 2000. Unfortunately, Indian Parliament and Indian government are not capable of enacting effective techno legal legislations. This is the reason why even the most draconian and unconstitutional rules are simply approved by Indian Parliament without any analysis, debate and application of mind. Once approved, such rules become part of the parent Act and this creates serious law and order enforcement problems.

Even worst is constitution of authorities and projects by mere Executive orders. For instance, Aadhaar project is an unconstitutional project that has been created by an Executive order. Indian Parliament has not deemed it fit to dissolve the same and come up with a robust law in this regard. Supreme Court if India has directed on multiple occasions that Aadhaar is not compulsory for government services but Indian government is not paying any heed towards those directions. Aadhaar has been made compulsory by direct and indirect means and very soon even the Aadhaar project would be declared to be unconstitutional by Indian Supreme Court.

Even Modi government is following the steps of Congress government and is very indifferent towards ensuring Parliamentary oversight of various projects and initiatives. For instance, promising projects like Digital India and Internet of Things (IoT) (PDF) are still not governed by any legislative process. Naturally, there is no accountability and transparency for these projects as on date. In fact, Digital India project of India is heading for rough waters in these circumstances.

Indian cyber law has not been appropriate since its inception. Too much stress is given to suppress civil liberties and enhance e-surveillance. However, it has now reached a stage where immediate steps must be taken to protect civil liberties in cyberspace on the one hand and projects like Digital India on the other. This is also the high time to leave politics and do positive things for Indian masses.

Advertisement Space- Bid Now

Advertisement Space- Bid Now