Ads

Ads
Center Of Excellence (CoE) For Internet Of Things (IoT) In India

Wednesday, April 27, 2016

With Projects Like Digital India And Aadhaar Cyber Security Laws In India Are Urgently Needed

India has generously adopted technology driven projects like Digital India, Aadhaar, etc. Technology can enable proper and timely management of issues pertaining to these projects. However, technology would also give rise to cyber security, cyber law and other techno legal issues in India.

For instance, smart cities have unique and techno legal cyber security and civil liberties issues that are still not managed by Indian government. Similarly, Digital India project of Indian government is also suffering from many shortcomings and absence of cyber security infrastructure is one of them. As a matter of fact, cyber security infrastructure of India is missing and starting technology oriented projects in these circumstances is a big risk and gamble.

The cyber security trends in India 2016 by Perry4Law Organisation (P4LO) have predicted an increased number of cyber attacks against India. The trends have also outlined that there would be an increase in use of malware and ransomware against various stakeholders in India in the year 2016. As on date, malware are defeating cyber security products and services world wide and India is no exception to this situation. What is most alarming is absence of legal frameworks and guidelines regarding cyber security issues in India.

The correlation between a legal framework and cyber security is not difficult to anticipate and conceptualise. Cyber security compliances require adherence to certain well established legal principles. The moment a cyber security breach occurs; many legal issues and compliance requirements are automatically invoked.

For instance, in a typical cyber attack, it becomes imperative to ascertain and find the originator of such attack. The requirements to engage in first instance analysis, e-discovery and cyber forensics also arise due to such cyber attack. The reporting requirement to the compliance and regulatory authorities also arise.

However, none of this applies to Indian companies and individuals that are facing cyber attacks no matter howsoever sophisticated and damaging such cyber attack are. In India companies and individuals are not reporting cyber security breaches and attacks to the government and its agencies. The cyber security developments in India 2015 by P4LO short listed all these shortcomings of Indian cyber security initiatives.

The Indian government has in the past declared that cyber security breach disclosure norms of India would be formulated very soon. However, till now no action has been taken in this regard and companies and individuals are still not reporting cyber security breached to Indian government and its agencies.

For instance, cyber crimes and cyber attacks against banks of India is a very common phenomenon in India. However, banks of India are not only lax while maintaining cyber security but they are also not disclosing such cyber crimes and cyber attacks due to fear of adverse publicity and regulatory penalties. This is creating more problems for the bank customers in general and banking cyber security in India in particular.

The Information Technology Act, 2000 (IT Act 2000) is the sole cyber law of India. However, it is not capable of forcing the companies and individuals to disclose cyber security breaches and cyber crimes. Nevertheless, the rules under the IT Act, 2000 prescribe cyber law due diligence (PDF), internet intermediary liability, reasonable cyber security practices, etc. they indirectly cover some aspects of cyber security disclosure norms. But they are not sufficient to meet the demands of present times.

Indian Parliament needs to enact a dedicated cyber security law of India that can cater all these regulatory and compliance requirements. Such a law needs to take into consideration techno legal requirements of cyber security. The sooner such a law is enacted the better it would be for the national interest of India as cyber security is an essential and integral part of the national security policy of India.

Tuesday, April 26, 2016

Cyber Security Obligations Of Directors Of Indian Companies Under Indian Companies Act, 2013 Are Ignored By Them

Cyber security is no more a problem of technology people of an organisation. Now the top management is equally concerned and responsible for various cyber law and cyber security related issues. Recently the Reserve Bank of India (RBI) declared that it would constitute an IT subsidiary for managing cyber security issues of banks in India. Even the Indian government has appointed Dr. Gulshan Rai as the first Chief Information Security Officer (CISO) of India.

It has been long felt that we need a dedicated cyber security law of India. Presently few provisions pertaining to cyber security can be found in information technology act, 2000. However, the IT Act 2000 is not sufficient to address the complex and techno legal issues of cyber security especially those arising at the international level. International legal issues of cyber security are still not clear as there is no universally acceptable cyber law treaty and cyber security treaty (pdf). The position has become really alarming as malware are easily defeating cyber security products and services these days.

Recently the Ministry of Corporate Affairs (MCA) notified many provisions of the Indian Companies Act, 2013 (PDF) and corresponding rules under the same. Most of the corporate stakeholders have considered the new company law of India as a purely corporate regulatory framework. However, this is not true as the Indian Companies Act 2013 has prescribed legal obligations that are far more complicated than the traditional company law.

The truth is that the new company law of India has prescribed many techno legal compliance requirements that very few companies and their directors are capable of managing. As a result cyber law and cyber security related legal violations would be in abundant in the coming times.

With the formulation of the proposed cyber security breach disclosure norms of India and possible cyber security laws in India, Indian companies and their directors would find themselves in a legal fix. The powers of Serious Frauds Investigation office (SFIO) have also been significantly increased by the Companies Act 2013. SFIO has become very active in prosecuting Indian companies and their directors in the recent past. With the notification of the Companies (Inspection, Investigation and Inquiry) Rules, 2014 (PDF) SFIO would become more active in this regard.

The legislature made it sure that the regulatory compliances under Indian Companies Act 2013 should cover cyber law and cyber security compliances as well. The directors’ liabilities under the Indian Companies Act 2013 also cover cyber law due diligence (PDF), cyber security due diligence, e-discovery compliances, cyber forensics, etc on their part. Even the cyber security obligations of law firms in India has significantly increased and various stakeholders, including companies and law firms, must keep in mind the international legal issues of cyber security.

The Companies (Management and Administration) Rules, 2014 (PDF) also prescribe many techno legal and cyber security obligations upon the directors of a company. The directors must be well versed with the techno legal regulatory provisions under the Companies Act 2013 and other technology laws of India.

The cyber security trends in India 2016, provided by Perry4Law Organisation (P4LO), have also indicated that various corporate stakeholders would be required to comply with cyber law and cyber security related obligations in the near future. As on date, companies and directors are not complying with the cyber law and cyber security obligations as prescribed by Indian laws and regulations.

As the cyber law and cyber security obligations of the directors of companies operating in India have been clearly mandated by various laws of India, it is in their own interest to ensure their due compliance.

Wednesday, April 13, 2016

Honeypot Launched Offensive Cyber Attack Upon Crackers And Cyber Miscreants

Offensive and defensive cyber security capabilities are in much demand these days. While defensive cyber security capabilities can keep the cracker at bay to great extent yet offensive cyber security strikes can eliminate the possibilities of continuous cyber attacks by such crackers to a greater extent.

If we adopt defensive cyber security capabilities alone, that would not serve the purpose at all. For instance, malware are comfortably evading anti viruses as browser based malware are growing. In fact, we cannot rule out the use of anti virus updates as a potential tool to install malware, steal information and launch cyber warfare attacks. 
 
A basic analysis of cyber security vulnerability has revealed that internet is full of unprotected and unsafe devices, SCADA systems and computers. Anybody can take advantage of these unsecured systems and it is very difficult to pin point to a particular individual, company or nation behind such cyber attack.

We cannot label China as the cyber attacks and cyber crimes villain of the world for every sophisticated cyber attack that takes place in the cyberspace. The issues of cross border cyber attacks, authorship attribution and cyber crimes convictions must be resolved first before blaming a person, organisation or nation.
In the absence of any  international harmonisation and regulatory framework for areas like cyber law, cyber security, cyber terrorism, cyber warfare, cyber espionage, etc. Even the Tallinn manual on the international law is not applicable to international cyber warfare attacks and defence.

In these circumstances, offensive cyber security or counterstrike through aggressive defence becomes a good option. One such idea was recently implemented by a Russian researcher who built an aggressive honeypot to test the ability to hack back and reverse penetrate the cyber attackers. The researcher found that it is not only easy to build a honeypot that attacks back but it was also relatively simple to gather the attackers’ network adapter settings, trace routes, and login names.

The trap was specifically set for SQL injection attacks. The researcher used two basic lures for potential attackers on the site: a PHP-based honeypot server that included a social engineering element and an automated attack that grabbed the attackers’ email addresses if he or she used two Russian email services, mail.ru and yandex.ru, exploiting now-patched vulnerabilities in those services.

While it is possible to grab the attackers’ internal IP addresses and resources, scan for his files, BSSIDs, and make audio and video recordings from his laptop, among other things, is also possible with the attacking honeypot.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we believe that the concepts of counterstrike through aggressive defence and private defence in cyberspace presupposes the adoption and use of information technology to produce legitimate and legalised disabling and reasonably destructive effects. Some adopted measures completely destroys the functioning of the offending computer while others simply disable the computer for the time being by either shutting it down or making it temporarily non-functional.

Thus, the adopted measure to gain public support and legitimacy must be “proportionate” to the harm that could have caused had that measure not been adopted. For instance, the shutting down of the computer of the person using the malware is permissible whereas the destruction or procurement of data and information stored in such computer, having no connection and association with that malware, may not be commensurate with the protection requirements.

Such destruction or procurement of data may be unlawful and perhaps exceed the limits of self-defence. Thus, technology adopted must not only be safe and effective, but it must also be “legal and law-abiding”.

A countermeasure, which is not very accurate, and law abiding would be a remedy worst than the malady and hence it should be avoided. For instance, if a virus has been launched by using a public server, then by disabling that server the genuine and legitimate users will be unnecessarily harassed and they would be denied the services which they are otherwise entitled to. Thus, the countermeasure measure adopted must be job specific and not disproportionate to the injury sought to be remedied.

Source: CECSRDI.

Dynamic DNS, Fast Flux, Bullet Proof Servers And Botnet: A Paradise For Cyber Criminals

A domain name server (DNS) helps the users to reach a particular website hosted on a particular server. With the advance in technology, the DNS service has been upgraded to dynamic DNS service. The dynamic DNS service helps a domain name to point to Internet resources hosted on changing public IP addresses. However, dynamic DNS service has both advantages and disadvantages just like all other technologies.

On the positive side, the dynamic DNS service helps small scale businesses who need to provide consistent content or services to their customers. These small scale businesses use the IP assigned to them by their ISP, and every time their IP changes, they notify their dynamic DNS provider to update its name servers so that the customer’s domain points now to the new IP.

On the negative side, the dynamic DNS service, especially the free dynamic DNS service, are being abused by cyber criminals for various cyber crimes and cyber attacks. Some of the nefarious activities of cyber criminals abusing dynamic DNS service include malware implants in websites, targeted spear phishing, establishing of C&C for botnet, spamming, etc.

Abusing dynamic DNS service helps the cyber criminals escape the authorship attribution for their cyber crimes. It provides a layer of anonymity and anti forensics to the criminal activities of those abusing dynamic DNS service. This is more so when IP address cannot be solely relied upon to secure a conviction in a cyber crime case.

Further, using dynamic DNS services can also help in bypassing the IP blacklisting deployed by various service providers to prevent DNS abuses. The malware can be continued to be used to infect the computers of end users by using constantly-changing hosting IP addresses.

These IP addresses usually belong to law abiding and innocent users whose computers are compromised and made part of the botnet. These IP addresses may also belong to compromised public websites where the malicious payloads may be installed.

There may be a situation where domains themselves may be blacklisted. To circumvent domain blacklisting, cyber criminals can also use randomly-generated disposable sub-domains under the dynamic DNS domain to point to the next hop in a redirection chain or to the final malware hosting IP.

This behaviour seems similar to fast flux method but in practice dynamic DNS and fast flux are different concepts. Dynamic DNS operates at a micro level whereas fast flux operates at a macro level. Dynamic DNS operates at a regional level whereas fast flux operates at international level. Further, the authoritative name servers for a dynamic DNS domain physically belong to the dynamic DNS provider, whereas with fast flux, double fluxing is possible where the name servers can be made point to constantly changing IP address of physical hosts located in different countries. In practice, dynamic DNS domains map to a much smaller set of IP addresses than fast flux.

So what is the purpose of using the fast flux method?  Fast flux is a DNS technique used by cyber criminals to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts (botnets) acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. Fast flux may be a single-flux or double-flux.

Some of these phishing and malware delivery websites are hosted on bullet proof server with mirrored hosting facilities. Mirrored hosting is a powerful mirrored web hosting management platform that uses multiple specially designed virtual servers to host website with 100% uptime. This is supported by powerful automated control panels. No one is able to trace original IP of the server or the place where the files are hosted so the websites/domains hosted have a 100% Uptime.

The security vendors must have been working on this issue and they may come up with state of the art and innovative methods to deal with this situation.

Source: CECSRDI.

Monday, April 4, 2016

Malware Nuisance Would Increase In 2016

Cyber security is a complicated field that requires updated information to manage cyber threats. There are many forms of cyber threats that cyber security professionals are required to tackle. These include malware, virus, social engineering attacks, etc.

Cyber criminals have vast resources these days. Some of them are even supported by state actors and this allows them to make customised malware that cannot be detected and eliminated by traditional anti virus and security products. As a result the contemporary cyber security products and services are ineffective in preventing such malware from causing damage.

We have seen sophisticated malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, Gameover Zeus (GOZ), etc that were detected much after they infected the targeted systems.

Similarly, malware targeting financial sector are also in circulation for long. These include Carbanak, Vskimmer Trojan, Malware Dump Memory Grabber, etc that cause tremendous financial loss world over.

Perry4Law Organisation (P4LO) has provided the “Cyber Security Trends In India 2016” that have predicted that use of botnet and malware would increase in the year 2016. The trends has also predicted that critical infrastructure, cloud computing and e-health would also be on the receiving end.

The year 2016 would witness an increased use of malware for various purposes like cyber terrorism, cyber warfare and cyber espionage. It is for us to develop both offensive and defensive cyber security capabilities and a robust cyber security infrastructure so that the impact of these malware can be minimised if not eliminated.

Wednesday, December 16, 2015

Indian Cyber Security Developments In 2015

Perry4Law Organisation (P4LO) has been providing cyber security trends and developments in India for many years. This year as well, we have discussed both cyber security trends in India 2015 and cyber security developments in India. We have provided a research report on cyber security related events in the year 2015. The report is titled Cyber Security Developments in India 2015 and it outlined major cyber security related events that took place in the year 2015. A dedicated blog on international cyber security related legal issues titled International Legal Issues of Cyber Attacks and Cyber Security, Cyber Terrorism and Cyber Warfare was also launched by P4LO on this occasion. The purpose of this blog is to discuss techno legal issues pertaining to international cyber attacks and cyber security.

Cyber security environment in India is fast changing due to growing realisation of threats of cyber attacks and cyber crimes. India is presently facing many sophisticated cyber security problems and challenges that need attention of our policy makers. It is equally important to establish a strong, robust and resilient cyber security infrastructure in India on priority basis. This must include creation of offensive and defensive cyber security capabilities of India. India must also develop indigenous software and hardware so that dependence upon foreign imports can be minimised. Recently, India opposed the proposal to include cyber security technologies under the Wassenaar Arrangement as India is still dependent upon foreign countries for import of cyber security products and services. Sooner or later we would be forced to use Indian cyber security products and services and P4LO recommends that the Electronic System Design and Manufacturing (ESDM) Policy and Regulations in India 2014 must be suitably modified and implemented in India.

According to the report of P4LO, cyber security witnessed many ups and downs in Indian cyberspace in the year 2015. The report has stressed upon formulation of a techno legal framework for India by Indian government that can tackle the challenges arising out of growing cyber crimes in and cyber attacks against India. These techno legal cyber security safeguards can be incorporated into a proposed cyber security policy of India 2015. Similarly, cyber security breach disclosure norms must also be formulated by Indian government for enhanced participation by all stakeholders. The report has also stressed upon strengthening of Indian cyber security infrastructure so that sophisticated cyber attacks can be prevented and eliminated.

There is no second opinion that Narendra Modi government must protect Indian cyberspace on a priority basis. It is high time for the Modi government to be serious about cyber security of India. This is more so when the Supreme Court of India has virtually killed cyber law due diligence in India that could have kept Internet intermediaries and other stakeholders cyber disciplined.

The report has also stressed upon need for smart cities cyber security and smart grids cyber security in India. Similarly, stress has been given for cyber security of Digital India project of Modi government that is presently suffering from various shortcomings. In a welcome move, Modi government appointed Dr. Gulshan Rai as the first chief information security officer (CISO) of India. This is very important as India is facing serious cyber threats from private individuals as well as agencies of other nations.

For instance, it has been revealed that hardware based stealth malware were used by US intelligence agencies against various targets. Recently, Twitter has warned some users that their Twitter accounts were compromised by state sponsored actors. It is clear that cyber attackers are no more script kiddies but state supported crackers who work under a cyber immunity clause. This is also the reason why Indian intelligence agencies are also insisting upon legal immunity against cyber deterrent acts. Besides cyber attacks and planting of malware, intelligence agencies are also using open source intelligence (OSINT) to gather sensitive and personal information.

Banks related cyber security is another area of concern in India. Cyber security of banks in India need to be strengthened by Indian government. In a good move, Reserve Bank of India (RBI) has decided to establish an IT subsidiary to meet cyber security challenges of banks in India.

As per the report, the year 2015 also envisaged an increased interest in cyber liability insurance in India. The major reason for the growth of cyber insurance policies in India is the increased numbers of cyber crimes and cyber attacks in India. However, cyber insurance stakeholders in India have still to understand the technicalities of techno legal aspects of cyber insurance. This is more so as the year 2016 would witness an increased focus upon cyber crimes insurance in India.

Perry4Law Organisation (P4LO) hopes that cyber security stakeholders of India and other jurisdictions would find this research report useful.

Tuesday, December 8, 2015

Electronic System Design And Manufacturing (ESDM) Policy And Regulations In India 2014

Electronic System Design and Manufacturing in India is the upcoming field for telecom and electronics companies’ world over. The Department of Electronics and Information Technology (DeitY), India has formulated many pro active and reformative policies and strategies in this regard.

The laws, rules and regulations in India are also reformulated to accommodate the growing demands of ease of doing business in India and foreign direct investments (FDI) in Indian telecom sector. For instance, the FDI Policy in Telecom Sector of India 2014 (PDF) has allowed 100% FDI subject to FIPB approval and other national security requirements. Similarly, approval to establish two semiconductor wafer fabrication manufacturing facilities in India (PDF) has also been granted by Indian Government.

Both domestic and international telecom companies and electronic system design and manufacturing (ESDM) stakeholders must comply with national security and cyber security laws, policies and regulations of India in order to do business in India. The National Cyber Security Policy of India 2013 (NCSP 2013) was recently declared by Indian Government. Indian Government is also planning a legislation mandating strict cyber security disclosure norms in India. Indian Government is also investigating the alleged breach of national security of India by Huawei by hacking base station controller in AP.

Of late, Huawei and ZTE are in telecom security tangle of India and other nations like United States. India even made telecom security a part and parcel of its national telecom policy of India 2012. Other nations are also restricting market access to Chinese telecom equipments and India is not alone. The cyber security concerns excluded Huawei from Australian broadband project. Further, the US house intelligence committee is investigating Huawei cyber espionage angle. Media reports have also speculated that ZTE facilitated e-surveillance in Iran. Now Huawei is trying to inculcate trust among US government over telecom security issues. Companies like Huawei and ZTE are also in constant talks with other nations, including India, in this regard. More such companies can be brought under the legal and national security scrutiny in the near future.

The merger and acquisition rules and regulations in India for telecom sector of India have also been streamlined to provide a level playing field for both national and international telecom companies and ESDM stakeholders. The Guidelines for Merger and Acquisitions of Telecom Companies in India 2014 (PDF) have also been issued and many international telecom companies have shown their interest in this regard.

The estimated production of electronic products will reach USD 104 billion by the year 2020. However, the supply part would not be able to meet this demand curve as domestic companies and stakeholders alone cannot meet this demand. Thus, foreign companies and stakeholders dealing in ESDM have golden chance to capatilise this opportunity.

In fact, the Indian Government has already initiated several initiatives for the development of electronics sector in the country. The Government has recently approved National Policy on Electronics (NPE) 2012 (PDF). One of the important objectives of the NPE is to achieve a turnover of about USD 400 Billion by 2020 involving investment of about USD 100 Billion and employment to around 28 million by 2020. This interalia, includes achieving a turnover of USD 55 Billion of chip design and embedded software industry, USD 80 Billion of exports in the sector. Moreover, the policy also proposes setting up of over 200 Electronic Manufacturing Clusters. Another important objective of the policy is to significantly upscale high-end human resource creation to 2500 PhDs annually by 2020 in the sector.

Several other policy initiatives have been approved in last few months. These include providing very attractive financial investment in electronics manufacturing and providing preference to domestically manufactured electronic goods in all Government procurement as well as all those electronic goods whose use has security implications for the country.

While the opportunities are ample yet techno legal compliances cannot be ignored by both domestic and international telecom players and ESDM stakeholders. Issues like cyber security due diligence, cyber law due diligence (PDF), technology related due diligence, etc cannot be ignored by these stakeholders if they wish to do hassle free business in India.

Telecom Commission Cellular Loop’s Proposal Would Strengthen Mobile Based Surveillance On National Security Grounds

Recently the National Cyber Security Policy of India 2013 (NCSP 2013) (PDF) was released by Department of Electronics and Information Technology (DeitY). However the same was not made part and parcel of the National Security Policy of India. Further, the cyber security policy of India itself was insufficient and weak on many counts including lack of privacy safeguards. The cyber security policy is also not at all framed to cover the telecom security aspects as well.

India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. It would also be interesting to see what types of telecom security policies would be implemented for border regions of India. Telecom security in India is not in a good shape and Indian telecom infrastructures are vulnerable to numerous cyber attacks. Recently it was reported that Huawei was accused of breaching national security of India by hacking base station controller in AP.

We have no implementable cyber attacks crisis management plan of India. The critical ICT infrastructure of India (PDF) is in a poor shape.  The cyber security trends of India 2013 (PDF) proved that India has still to cover a long field before cyber security can be effectively implemented in India. Thus, telecom infrastructures and equipments located at borders of India would be more vulnerable to cyber attacks than general telecom infrastructures of India.

The Telecom Commission may clear an Rs 7,103-crore rollout of Greenfield 2G networks in regions close to the Chinese and Bangladesh borders. These regions are presently outside the mobile loop. There are 8621 villages in locations of strategic importance across the northeast that are proposed to be brought under the cellular loop for the first time to bolster mobile-based surveillance on national security grounds.

Universal Services Obligation Fund (USOF), which will fund the project, will shortly invite bids from telcos for rolling out nearly 6,700 base stations in these regions. The USOF is the Department of Telecommunication’s (DOT) rural network infrastructure financing arm.

But it remains to be seen whether USOF will tweak tender norms to ensure any future cost escalations triggered by India’s spectrum reframing policy are shouldered by telecom operators. It would also be relevant to observe how the telecom security and cyber security aspects would be managed by Indian government in the near future.

National Security Council Secretariat (NSCS) Wants Reliance Jio Infocomm To Share Potential Cyber Security Threats On India’s Telecom Networks

Governments around the world are stressing upon stringent cyber security breach disclosures norms but telecom companies are opposing the same on cost and other burdensome regulatory reasons. Nevertheless the governments across the globe are working in the direction of forcing the telecom companies to disclose the cyber security breaches.

There is no universally acceptable international cyber security treaty (PDF) and countries across the globe have adopted a national approach toward cyber security. However, the way sophisticated malware are developed by nations as a cyber warfare and cyber espionage weapon, this national approach is of little help and significance.

India has also decided to formulate a cyber security breach disclosure norm in the past. However, keeping in mind the slow pace at which Indian government works in the field of cyber security, this may take few more years before this much required security practice is actually implemented in India.  The cyber security trends in India 2013 (PDF) have underlined many crucial cyber security lapses of India.

Indian government has already formulated the cyber security policy of India that intends to cover some of the crucial cyber security aspects of the nation. However, the cyber security policy has not been implemented till now and it may take few more years before some action can be expected in this regard from Indian government.

Indian government has also tried to spread cyber security awareness in India. It has mandated that a cyber security brochure must be essentially supplied along with hardware to spread cyber security awareness among Indian consumers. However, telecom and hardware vendors are not happy with this direction and they are postponing this requirement for one reason or other.

Meanwhile, the National Security Council Secretariat (NSCS) has urged the Reliance Jio Infocomm to become part of an industry platform which shares information with the government on potential cyber security threats to the country’s telecom networks. The NSCS says “it is important to involve Reliance Jio in sharing information on potential cyber threats, trends and incidents to enable the government to take suitable counter measures”.

The matter was recently discussed at an internal meeting of the Joint Working Group on cyber security chaired by NSCS secretary and Deputy National Security Advisor Nehchal Sandhu. The NSCS is the apex agency looking into India’s political, economic, energy and strategic security concerns and works closely with the Prime Minister’s Office (PMO).

India’s security establishment wants regular leads on potential cyber security threats from Reliance Jio as it is the sole holder of a pan-India 4G permit and is slated to roll out high-speed broadband services later this year on the long term evolution (LTE) technology standard. Last month, Jio also entered the voice segment by buying 1800 MHz band spectrum in 14 regions for nearly Rs 11,000 crore as a precursor to launching 4G services on the frequency band.

In the meeting, the telecom department’s security chief Ram Narain said that Jio is mandated by license conditions (PDF) to share information on potential cyber threats. Besides, the national telecom security policy of India 2014 may impose more stringent obligations than the licence conditions. As the foreign telecom companies are facing the heat of cyber security and telecom security in India, this is a good opportunity for Indian telecom companies to extend their commercial base in India. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission Cellular Loop’s Proposal would also strengthen mobile based surveillance on national security grounds in India.

Clearly, the intentions to ensure critical infrastructure protection in India (PDF) are taking a concrete shape. The National Technical Research Organisation (NTRO) has been assigned the task of protecting the critical infrastructure of India.

As Reliance Jio is still not part of any of the telecom industry bodies like the GSM’s Cellular Operators Association of India or the CDMA’s Association of Unified Telecom Service Providers of India (Auspi) who have both supported creation of the Information Sharing and Analysis Centre (ISAC), the agency that will collate all classified industry feedback on potential cyber threats and vulnerabilities in telecom networks across technology platforms.

The latest developments come at a time when the telecom department is framing testing standards for telecom gear to shield networks from potential cyber attacks. India is also readying a cyber security framework, a cyber security policy and a National Cyber Coordination Centre (NCCC) that will monitor metadata on cyber traffic flows.

DOT India Asks ISPs To Adopt New Cyber Security Measures Including Securing Home ADSL And Broadband

Router and modems insecurity is a major cause of concern for governments around the world. Cyber criminals are targeting routers and modems used by home users’ for a broadband connection. In most of the case the routers and modems come with standard login and password credential for practical reasons and convenience. The manufacturers of routers and modems expect the end user to change their login credentials and password. However, a majority of home users do not change such crucial information and this make the routers and modems vulnerable to various cyber attacks.

Amid growing threats of cyber attacks and hacking of websites, the Department of Telecommunications (DoT) has prescribed the security measures to be adopted in ADSL Modems to safeguard against misuse (PDF). These security measures must be adhered to by internet service providers (ISPs) of India within 60 days of the formulation of these measures. This is asking too little from the ISPs as there are other major telecom security issues in India that are still not redressed properly. The truth is that Indian telecom networks are highly vulnerable to cyber security threats.

DoT has noted that crackers have been exploiting vulnerabilities in the asymmetric digital subscriber line (ADSL) modems. The ADSL modems are usually installed by broadband service providers at homes and offices. DoT has written to all ISPs to “assist customers to change the password, including by physical visits”. It has also come out with a new set of guidelines for ISPs that must be implemented by May 2014 to ensure security of almost 1.5 crore fixed-line broadband users.

The ADSL modems are presently supplied by vendors with default set up of user ID and password as “admin’. The default password needs to be changed to a strong password by customer at the time of installation of modem to avoid unauthorised access to modem. The ISP executive visiting customer for installation of modem should ensure this.

The protocol ports in ADSL modem on WAN side [for example, FTP, TELNET, SSH, HTTP, SNMP, CWMP, UPnP] be disabled. These ports may be used by the hackers to enter into the ADSL modem to misuse/compromise the ADSL modems by way of implanting the malware, changing the DNS entries in the modem.

In other instructions, the ISPs have been asked to devise a “mechanism to upgrade the firmware of the ADSL modems remotely by ISPs”. For this, the ISPs need to have separate login password, which is not possible in the present system of ADSL modem design. The DoT has asked the ISPs to tell their customers to check their online daily usage, and if any unexpected high usage of data is noticed, they may bring it to the notice of the ISP concerned. Customers should also be advised to switch off their modem when not in use. Readers of this blog may see the document (PDF) for a detailed analysis.

Advertisement Space- Bid Now

Advertisement Space- Bid Now