EMV Chip Based Card Cloning Resulted In Loss Of Rs. 18000 Of A Retired Judge


EMV originally stood for “Europay, Mastercard, and Visa”, the three companies that created the standard. The standard is now managed by EMVCo, a consortium of financial companies. However, in India people and banking institutions are still using the EMV nomenclature and standards. Contrary views notwithstanding, EMV cards are slightly more secure than traditional magnetic stripe based cards. We will cover this aspect in detail in our subsequent articles and share our views with the Reserve Bank of India (RBI) and other banks of India.

Recently a media report claimed that a retired district judge lost Rs 18,000 in a suspected case of debit card fraud within a span of 12 hours. One of the three transactions was effected after the judge, G T Wategaonkar, had blocked his card. In a related, earlier event, he was travelling to Kothrud and his wallet was misplaced in an autorickshaw. It contained Rs 35,000, his old debit card and Aadhaar card.

“They misused my new EMV chip that was replaced by the bank on December 29. He said his old card was deactivated after he activated the new one. Such cards are supposed to be protected from skimming and stolen card frauds,” he told TOI.

The judge approached the cyber crime police station of the Pune police and gave a complaint application about his loss. “I have also blocked my account to avoid any further fraudulent transactions,” he added.

First he received an SMS stating that Rs 3,000 had been withdrawn from his account. “Before I could contact the bank, another Rs 10,000 was debited. I sent an SMS to the bank to block my card, but it was not delivered. So I called the bank’s number and told the person to block my card.” Wategaonkar said he received an SMS that the card had been blocked and he decided to approach the bank the next day. But the next morning he saw another debit message for Rs 5,000 from his account.

“Along with my daughter, I went to the bank and blocked my account. I told the bank official that I did not share details of my debit card and yet money was siphoned from my account,” Wategaonkar said.

Wategaonkar said, “In comparison with huge amounts of recent bank frauds, the amount I have lost is less. But, I am a pensioner and that little amount is important for me. On one hand the government is insisting on using plastic money instead of cash transactions and on the other hand fraudsters are misusing it. I will have to rethink whether to use debit card or not.”

An officer from the cyber police station told TOI that it could be a case of card cloning. “The suspect withdrew the amount from an ATM kiosk in Thane. We will get the CCTV footage from the bank to identify the suspect,” the officer said.

Cyber Attacks And Cyber Crimes Fighting Portal Of PTLB Is Strengthening Indian Cyber Security And Cyber Law


Cyber attacks and cyber crimes have significantly increased in India. But the cyber security infrastructure of India is lagging far behind. So far we are not even able to manage basic level cyber crimes. To fill this gap, we at Perry4Law Techno Legal Base (PTLB) have launched an online portal where national and international stakeholders can lodge their complaints.

Once the complaint is lodged, we would analyse the case and take appropriate action, extending our techno legal expertise to national and international governments and authorities. We would also coordinate with national and international law enforcement agencies so that the case can be resolved in the least possible time.

Filing a complaint is very simple. Choose the right category and create a ticket. For instance, if you have faced any cyber crime, select the cyber crime category and create the ticket. Similarly, if you have faced any cyber attack, choose the cyber attack option and file the ticket/complaint.

For sensitive information and data, we have created a separate procedure so that privacy, confidentiality and integrity of the information are maintained in the best possible manner.

To support this initiative, we are managing a few blogs that are spreading cyber law and cyber security awareness in India. We are making people aware of the threats of phishing, credit card frauds, customer rights in digital times, etc. We are also managing dedicated blogs in fields like cyber law, cyber security, privacy, cyber forensics, e-discovery, etc.

We encourage all stakeholders to use the online portal as much as possible, as silently suffering cyber crimes and cyber attacks is not good for our nation in the long run. Let us collectively fight against cyber crimes and cyber attacks and make Indian cyber infrastructure robust, resilient and secure.

Hacking Of Aadhaar Is Hacking Of Life Of A Person And Not Just His Identity

Aadhaar is a unique project not only in India but also worldwide. This is because nowhere else in the world has a biometric database been created at such a mammoth scale. However, the mere concept of Aadhaar and using biometrics in an omnipresent manner is very dangerous and undesirable.

Firstly, creating a biometric database of the entire country is a serious national security threat. When such a large scale exercise is done, many loopholes and shortcomings are natural. This happened with Aadhaar as well and many criminals, terrorists and undesirable elements have also obtained Aadhaar. Many people in India are openly making fake Aadhaar cards that are in use for various types of government and private services in India like purchasing SIM cards, making passports, etc. At no time in the history of India has national security been jeopardised so much.

Secondly, clubbing the Aadhaar biometric database and non biometric data with virtually everything is a sure recipe for disaster. When a database like Aadhaar is used everywhere, no technology in the world can keep it safe. I used the words keep it safe because the Aadhaar database is not safe and this is a reality whether we like it or not. The only question is for how long we can hide Aadhaar and its biometric database from the eyes of crackers and ransomware gangs.

Thirdly, cyber security of Aadhaar and its biometric database is not at all adequate. Indian Government has already surrendered before the data breaches that have been happening in the Aadhaar ecosystem. Sensitive personal information, including Aadhaar numbers, phone numbers, bank account numbers, etc, are already in public domain as Government departments and agencies have no idea about cyber security and data security.

Fourthly, India has no dedicated laws on privacy and data protection. The Indian Government is deliberately avoiding formulation of privacy and data protection laws. On the contrary, the Indian Government pleaded before the Supreme Court of India that Indians do not have a right to privacy as a Fundamental Right. However, this claim of the Indian Government has backfired, as now, in the proceedings against WhatsApp, the Supreme Court cannot do much. The Indian Government and the Supreme Court have no basis whatsoever to make WhatsApp liable for privacy and data breaches as far as they are concerned with Indians and their data.

Fifthly, we have no dedicated law for cyber security in India. Indian Government has been using guidelines/rules as a substitute for full fledged laws and these guidelines/rules are clearly not enough. Some guidelines/rules have been issued regarding privacy, data protection and some aspects of cyber security but the legislative vacuum remains in the cyber security field.

Sixthly, we have no cyber security breach disclosure norms in India. Government departments, agencies, etc have no obligation to report to a Government appointed authority about cyber attacks and cyber breaches. UIDAI is also under no obligation to disclose cyber breaches of biometric database and is the sole investigation and prosecution agency for breaches affecting Aadhaar CIDR or Aadhaar ecosystem. Naturally, we do not have even a single CIDR and biometric breach of Aadhaar so far though Aadhaar based biometric authentication notifications are flooding the e-mails of Aadhaar holders.

Let us analyse the cyber security infrastructure of India as well. Cyber security infrastructure in India is in bad condition. In fact, it has yet to make a beginning. It is really surprising that for such bad cyber security infrastructure, UIDAI and Government are claiming that Aadhaar and its biometric database are fully secure. India is the only country in the world that believes that it can achieve 100% cyber security for even a single project. That would have been a great achievement if this fact was true. Unfortunately, this claim is far from reality and the truth is that Aadhaar is a highly vulnerable system from cyber security, data security and privacy perspectives.

Cyber security is only as strong as its weakest link. In the case of Aadhaar it is very difficult to find its weakest link, as all links are competing among themselves to be the weakest one. From the design of Aadhaar to the acquisition of biometrics to their safe custody to their authentication, everything is insecure. Biometrics can be leaked from any part of this weak cyber security chain, which suffers from both a design flaw and a classic example of bad cyber security practices. Who needs a bug or cyber security vulnerability when the flawed design itself is both a front door and backdoor entry as a feature?

For instance, more than 75% of the biometrics collected by private agencies engaged by UIDAI were acquired and stored in plain text form in the past. It is only now that UIDAI has asked them to encrypt the same while acquiring the biometrics. Still it is not clear how far this direction has been followed by Aadhaar enrolment agencies, as they are poorly paid by UIDAI. It would be safe to presume that they are still not using encryption methods while acquiring biometrics, as their dues are still to be cleared by UIDAI. They have not even been able to get back their investments and are using all available methods to earn money so that the capital initially invested can be recovered. But even presuming that Aadhaar enrolments are now secured by encryption, more than 75% of the biometrics acquired by enrolment agencies were still managed in unencrypted, plain text form. Nothing can be done about those people whose biometrics have been compromised for life and can be abused at any point of time in future.

This is not the end of the story. In many cases biometrics were directly stored on pen drives, and in some cases hard disks containing biometrics of crores of Indians went missing. Outsourcing of work by UIDAI to private players and foreign companies has also resulted in migration of biometrics of Indians even beyond India to foreign jurisdictions. Abuse of Aadhaar and its biometrics cannot be ruled out, as rogue service providers authorised to conduct EKYC could manipulate the systems to retain a copy of authenticated EKYC and biometric prints. Besides, there are diverse methods to break encryption and other security protocols as deployed by UIDAI.

So the claims of UIDAI and the Indian Government that Aadhaar, its CIDR database and the biometrics of Indians are absolutely secure are naive at best. Let us proceed further with the reality that Aadhaar is vulnerable to diverse forms of cyber attacks, ransomware attacks and other forms of attacks and would be compromised in the near future.

Now once compromised, it would create serious life and security problems for Indians. This is because hacking of Aadhaar is hacking of the life of an individual and not just his identity. An identity theft or simple cyber crime can be reversed but not theft of biometric of a person. Once biometric of an individual are gone, they cannot be changed or reversed unlike a password or other system. Now if biometric of an individual have been associated with a single or two services, the loss of such biometric is insignificant. But when the biometric of an individual are associated with or seeded with virtually everything, this creates a serious problem for life and liberty of the concerned individual. This is more so when such biometrics are set to be used for Digital India and other E-Governance projects of Indian Government.

In the Indian context, this means forcibly putting the life, liberty, cyber security, data security, Fundamental Rights and virtually everything of an Indian Citizen/resident in the hands of a technology savvy criminal. Of course, these dangers are very real and fatal when our own Government and Intelligence Agencies would use various centralised database of which Aadhaar is the obvious key.

NSDL’s Negligence In Reporting Cyber Breach Irks SEBI

Cyber security as a part of Indian policy is still not widely recognised. This is true regarding not only drafting of cyber security policies and laws in India but also the actual implementation of whatever scarce provisions we have in this regard. For instance, we have no cyber breach disclosure norms in India as on date and the cyber law of India is grossly deficient on this front. Different regulators and authorities have specified their own guidelines and rules in this regard that have further complicated this situation. Companies and individuals do not find these guidelines and regulations deterrent enough to even take notice of the same. Of course, expecting actual compliance with these regulations is like expecting companies and individuals to move a mountain.

Recently there were many media reports that the website of Ministry of Home Affairs was cracked by unknown crackers. Website defacement is a very common phenomenon in India and is not a very serious threat. The real threat is use of stealth malware by our cyber adversaries that cannot be detected for months and years. Contemporary cyber security products and services are ineffective against such malware. And till the time we react against such malware and corresponding cyber breaches, the irreparable damage is already done.

Indian companies and their directors are notoriously insincere in reporting cyber crimes and cyber breaches. As a result, remedial cyber actions cannot be taken on time and consumer interests are jeopardised. Take the recent example in this regard. On 10 October 2016, it was reported that the website of the National Securities Depository Limited (NSDL) had been hacked. A detailed inquiry by SEBI into the attack on India’s biggest depository reveals that NSDL has not been fully compliant with SEBI’s policies and that several specific circulars on audit and risk containment were ignored. In fact, even the recovery effort did not meet SEBI’s specifications.

This lax attitude is not acceptable in contemporary times and under the digital India project that is already insecure. On the one hand Indian government is contemplating separate CERT for financial sector and on the other hand we see this attitude of NSDL. Perry4Law Organisation (P4LO) strongly recommends that Indian government must investigate this issue and take appropriate action against those guilty of non compliance with the cyber breach disclosure requirements of SEBI and other laws. We also recommend that cyber security infrastructure of India must be strengthened.

Since NSDL holds most of our shares and investments in dematerialised form and its sister entity handles our tax information and other data, it was important for NSDL to immediately inform SEBI in this regard. However, NSDL failed to do so not only in a timely manner but also in great disregard of the cyber security and cyber law due diligence (pdf) requirements. NSDL has told SEBI that only the public website was affected and it only contains information about the organisation, its products and services and downloadable forms. NSDL also informed that no confidential data was compromised by the attack, nor was any service provided by NSDL to clients affected.

This assertion of NSDL may be true but the problem, according to SEBI and its technical advisory committee (TAC), is with the many flaws and lapses that have been thrown up by the incident, which indicate that NSDL is not taking SEBI’s circulars as seriously as it should. There are also inconsistencies in the versions of NSDL regarding cyber breach reporting to CERT-In and SEBI respectively. For instance, although NSDL reported the incident as a “major cyber attack” to CERT-In, it decided to wait and conduct a detailed review of the incident and reported the attack to SEBI only on 19th October, after a lapse of nine days.

Of course, NSDL has given an explanation for this delayed reporting to SEBI. NSDL claims that this cyber breach was not considered a cyber attack on its own system, and there was no impact on the information of any client held by NSDL or the services provided by NSDL to its clients. Hence NSDL did not report the incident to SEBI immediately and reported the same only after a detailed investigation conducted in association with the hosting provider.

What NSDL has failed to understand in this case is that NSDL must choose an outsourcing or hosting service provider that must comply with the cyber security standards as prescribed by SEBI. According to the guidelines issued by SEBI on 6 July 2015, market intermediaries like NSDL must ensure similar level of IT security measures as its own data centre, at outsourcing entities such as hosting service providers. However, SEBI has found that the hosting service provider in this case had “very weak securities controls”. The report of the cyber attack incident revealed basic issues such as weak passwords and improper hardening of systems among the reasons for the hacking incident. This is a direct violation of the SEBI guidelines.

Further, a circular issued by SEBI on 9 December 2015, which specifically deals with “outsourcing by depositories”, required NSDL to ensure that a risk impact analysis is undertaken before outsourcing any activity and that appropriate risk mitigation measures, like a back-up and restoration system, are in place. It also had to ensure real-time monitoring of outsourced activities with a clear policy framework and audit of outsourced activities. NSDL, reportedly, failed to ensure these standards of IT and cyber security at the level of the hosting service provider, to which the job of maintaining NSDL’s website had been outsourced.

The SEBI circular requires market intermediaries to ensure that a cyber security and resilience policy document is prepared which is approved by the board of directors and reviewed, at least, annually. Further, an IT strategy committee of depositories is expected to review this policy on a quarterly basis and set goals for improving and strengthening cyber resilience.

SEBI says that “a critical element of the cyber security and resilience framework, i.e., risk emanating from the outsourced activity of third-party service providers/vendors, was not appropriately assessed and mitigated” by NSDL, at the level of its chief information security officer, or the management, the IT strategy committee or the board of directors. Further, the annual system audit of the depository is supposed to audit ‘access policy and controls as well as general access controls’. However, SEBI has discovered that the hosting service provider, which hosted NSDL’s website, was not even covered by the annual system audit process.

Above all, a SEBI circular, dated 22 July 2012, mandates a very specific recovery time objective (RTO) and a recovery point objective of not more than 30 minutes. On 4 September 2013, SEBI issued a circular which says that intermediaries should have a business continuity plan in place including a secondary site that incorporates all critical IT systems and can resume operations within two hours following a disruptive incident. This system should be designed to ensure that the intermediary can “complete settlement at the end of the day of disruption, even in the case of extreme circumstances.” And these back-up arrangements need to be regularly tested and be in order.

NSDL’s own submission indicates that it failed in this regard. NSDL has confirmed that the cyber attack started at 7.30pm on 10 October 2016 and the website was completely restored on 11 October 2016. This would mean that it failed the RTO specified by SEBI, in this particular incident. NSDL may be supremely confident about its technology prowess and ability to deal with cyber attacks, but the utter disregard for SEBI regulations, especially the fact that NSDL did not bother to report the incident for nine days, should be a matter of concern.

In the past it was decided that the Technical Advisory Committee (TAC) of SEBI would address cyber security issues as well. This move of SEBI aims at securing the data, applications, database, operating systems and network layers of financial market infrastructures (FMIs) from various forms of cyber attacks such as Denial of Service (DoS) attacks, phishing, hacking, man-in-the-middle attack, sniffing, spoofing, key-logging and malware attacks.

Cyber security and cyber resilience for financial market infrastructures is one of the core priority issues for governments and nations around the world. However, this is not an easy task to manage as it requires tremendous techno legal expertise that very few individuals and organisations possess these days. Even the regulatory and governing framework in this regard is still evolving at the international level. Indian government and SEBI are slow in this regard and the episode of NSDL shows that we are still far away from achieving this goal.

CIA Has Been Issuing Computer Security And Cyber Security Warnings Since 1968

Cyber security is not an easy task to manage, especially in contemporary times. Cyber security is not just a technical matter; it includes legal aspects as well. This is the reason why cyber security is a techno legal field. We have been treating cyber security as a mere technical field for long and this is not producing any productive results.

For instance, the Central Intelligence Agency (CIA) of the United States has been struggling to deal with cyber security and computer security since 1968 and much before. At least the official records about the CIA’s involvement in the cyber security field go back to 1968, when the CIA issued a cyber security warning to the US government. This makes it almost 50 years of concern and expertise for the CIA in the field of cyber security.

So it would be safe to conclude that the US government has been seized with cyber security related issues at least since 1968. And if the US government is still concerned about cyber security, it means that by and large our cyber security efforts have failed to achieve the required goals. Meanwhile, President Donald Trump is about to sign an executive order to strengthen US cyber security capabilities. This is in addition to the transborder hacking and search powers of the Federal Bureau of Investigation (FBI) that give the US law enforcement agency long arm jurisdiction. Despite all its cyber power, the US still believes that cyber warfare is undermining its traditional defenses.

The problem with a sophisticated and global cyber attack is that we cannot ascertain the authorship attribution with certainty in almost all cases. For instance, US has accused Russia of manipulating its elections results through cyber attacks whereas Russia has accused that CIA has hacked the Kremlin. Who is speaking truth and who is speaking falsehood is not easy to ascertain in these circumstances.

As per the media report, the U.S. government has been in the cyber security business for many decades. In 1968, the CIA added a computer security subcommittee to the U.S. Intelligence Board, a government wide body convened by the CIA to coordinate intelligence efforts. The US intelligence community has been dealing with many of the problems of access control, physical security, contractor access, data verification and other issues that continue to plague government agencies even today. So the cyber security problems are persistent and ever evolving and this is the reason why laws of various countries are not even close to resolve such complicated cyber issues.

In February 1969, subcommittee participants were instructed to list in order of priority their computer security problem areas. The NSA member said that access control topped the list, followed by computer malfunctions, information classification and physical security. An Air Force member wanted to prioritise the development of a method to securely erase the drums of magnetic storage tape containing highly classified information, when those tapes needed to be decommissioned. The Navy concurred in this judgement. The Defense Intelligence Agency sought to come up with a working definition of a system and its components as a first step to developing a computer security standard.

In one memo, the group examined the security threats posed by the possibility of hostile exploitation of weak points in the computer operations of the intelligence community. In assigning this task to the Subcommittee, the Security Committee requested that the Counterintelligence Staff of CIA be asked to report any known cases where hostile services had attempted to exploit the security vulnerabilities of the computer operations. In addition, the Subcommittee was asked to study any possible threat of hostile penetration of the computer operations.

The memorandum also warned about the Soviet Bloc, which had an interest in American computing technology. This means the US has been at loggerheads with Russia regarding computing technology and cyber security at least since 1968. So cyber espionage and cyber warfare are not new concepts but just new definitions for the old forms of computing espionage and cyber attacks.

The Subcommittee asked CIA counterintelligence personnel to look for possible examples of intrusion or exploitation by rivals. According to the memo’s findings, the CIA and the FBI “were able to provide information on several cases involving hostile attempts to exploit either personnel associated with Community computer operations or personnel employed by American computing manufacturers having potential contact with government operations.”

Additionally, that report confirmed the existence of vulnerabilities in intelligence community systems that were postulated as possible threats in a draft of a classified Defense Science Bureau Task Force report from January 1970 — including one flaw that allowed for system-wide memory dumps to be initiated by programmers who were only supposed to have limited access. Another bug from back in the days of magnetic tape storage allowed users to bypass storage protection features of the IBM 360 system to access program data.

Information and communication technology (ICT) has significantly changed since 1968 and many more layers of complications and complexities have been added. This discussion by CIA is a hint how the future of computers, Internet and ICT can be changed by States and State actors forever.

Source: IoT And Smart Cities Forum Of India.

National Critical Information Infrastructure Protection Centre (NCIIPC) Of India Needs Rejuvenation

These days more and more critical services are connected with and controlled by computers and other information and communication technology (ICT). As a result they are also vulnerable to sophisticated cyber attacks from around the world. Malware has evolved to such an extent that many times it is not traced for years and the cyber attacks keep on stealing sensitive and crucial information. This is a troublesome notion when critical information infrastructures are involved, as the stakes are very high there.

We at Perry4Law Organisation (P4LO) believe that critical infrastructure protection in India (pdf) needs a more focused and extensive cyber security protection. We have recently provided cyber security trends of India 2017 here and here and even there we have mentioned the significance of critical infrastructure protection (CIP) in India. Indian government has still to do extensive work regarding ensuring cyber security in general and critical infrastructure protection in particular.

But in a very positive development, the Indian government has already established the National Critical Information Infrastructure Protection Centre (NCIIPC) of India. The NCIIPC is also working to ensure robust cyber security for Indian critical infrastructure. However, for reasons best known to the Indian government, NCIIPC seems to be a half hearted approach so far. Even the website of NCIIPC has little to offer regarding the scope, nature, expertise and purpose of NCIIPC. We at Perry4Law Organisation (P4LO) believe that NCIIPC needs to play a more proactive and extensive role in the present cyber security scenario of India.

As of the end of 2016, the cyber security infrastructure of India is not in good shape. We have to cover a long road before India can be considered to be even moderately cyber secure. While India can afford to be a little lax regarding general cyber security, cyber security of CIP needs the urgent attention of the Indian government. For instance, using telemedicine and online healthcare systems without robust cyber security is inviting troubles of all sorts. In fact, the healthcare industry and its infrastructure can safely be considered to be a critical infrastructure. Similarly, banks in India must be treated as critical infrastructure and cyber security must be accordingly managed. Mass usage of digital payments without cyber security would create lots of trouble for India in the long run. In these circumstances, the role of NCIIPC must be more proactive than the present one.

There are many startups and entrepreneurs that would explore fintech and critical infrastructure related business activities in 2017. They would need strong cyber law and cyber security laws on the one hand and an authority to protect their critical infrastructures on the other. Similarly, cyber security breach disclosure norms would also be required so that CERT-In and NCIIPC can protect Indian infrastructures and systems in a better manner.

Perry4Law Organisation (P4LO) requests Indian government to consider these suggestions on priority basis.

Guidance On Cyber Resilience For Financial Market Infrastructures

Cyber security has become indispensable for all business activities these days and financial market infrastructures (FMIs) are no different in this regard. An FMI is defined as a multilateral system among participating institutions, including the operator of the system, used for the purposes of clearing, settling, or recording payments, securities, derivatives, or other financial transactions. FMIs play a critical role in the financial system and the broader economy and contribute to maintaining and promoting financial stability and economic growth. At the same time, FMIs also concentrate risk and, if not properly managed, can be sources of financial shocks or a major channel through which these shocks are transmitted across financial markets.

Therefore, it is imperative that cyber security of financial market infrastructures (FMIs) be ensured by all stakeholders including the Indian government, the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI). Recently, the RBI has prescribed a cyber security framework for banks of India that has to be implemented by 30-09-2016. However, RBI is well known for its lax implementation of cyber security related issues in India and this deadline could prove to be another paper deadline only. Similarly, SEBI has expanded the ambit of its Technical Advisory Committee (TAC) to include cyber security of the markets. The Indian government is also working in the direction of ensuring cyber security in India but its efforts are too slow and too late in this regard.

In the latest international development in this regard, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have published the Guidance on cyber resilience for financial market infrastructures (pdf) (“Cyber Guidance”). This builds on an earlier version of the report that underwent a three-month public consultation.

The safe and efficient operation of FMIs is essential to maintaining and promoting financial stability and economic growth. The Cyber Guidance aims to add momentum to and instil international consistency in the industry’s ongoing efforts to enhance its cyber resilience. This includes the ability of FMIs to pre-empt cyber attacks, respond rapidly and effectively to them, and achieve faster and safer target recovery objectives if the attacks succeed. In addition, the Cyber Guidance provides authorities with a set of internationally agreed guidelines to support consistent and effective oversight and supervision of FMIs in the area of cyber risk.

At its core, the Cyber Guidance requires FMIs to instil a culture of cyber risk awareness and to demonstrate ongoing re-evaluation and improvement of their cyber resilience posture at every level within the organisation. Furthermore, while the guidance is directly aimed at FMIs, it is important for them to take on an active role in reaching out to their participants and other relevant stakeholders to promote understanding and support of resilience objectives and their implementation. Effective solutions may require collaboration between FMIs and their stakeholders as they seek to strengthen their own cyber resilience.

The Cyber Guidance does not establish additional standards for FMIs beyond those already set out in the Principles for Financial Market Infrastructures (PFMI). Instead, the document is intended to be supplemental to the PFMI, primarily in the context of governance (Principle 2), the framework for the comprehensive management of risks (Principle 3), settlement finality (Principle 8), operational risk (Principle 17) and FMI links (Principle 20).

Healthcare Cyber Security Issues In India For Businesses And Entrepreneurs

Healthcare industry of India is facing novel techno legal issues that were absent a few years back. These include issues like techno legal regulatory compliances, cyber security requirements, cyber breach disclosure requirements, obligations of directors of healthcare companies for cyber law and cyber security, privacy compliance, data protection requirements (pdf), etc. This article discusses the cyber security issues of healthcare industry of India that are equally applicable to healthcare industry of other jurisdictions.

As healthcare industry has started using information and communication technology (ICT) in the form of telemedicine, online pharmacies, e-health, m-health, etc, cyber criminals have found that this industry is a goldmine and a money minting industry. Sophisticated malware are now targeting healthcare industry in the form of ransomware and information stealing malware. These malware are so sophisticated that even cyber security products and services are ineffective against the same.

There is no doubt that ICT has enabled the healthcare industry but at the same time it is also true that there is an increasingly high risk of healthcare cyber security attacks. Healthcare companies of all sizes need to ensure that they are not only regularly reviewing policies and procedures when it comes to privacy protection and data security but also that they are implementing the right cyber security best practices to keep healthcare related information secure. Ransomware is of particular concern to healthcare industry as sensitive healthcare information is encrypted and decrypted only once the ransom is paid.

Healthcare industry is not spending adequate amount on cyber security and is also not good at acquiring cyber law and cyber crimes related knowledge. This has made the healthcare organisations vulnerable to sophisticated cyber attacks. The overall impact of cyber attacks on the hospitals and healthcare systems is estimated to be nearly six billion per year. Furthermore, these organisations face internal threats due to factors such as the use of cloud services, insecure networks, employee negligence, bring your own device (BYOD), lack of internal identification and security systems, stolen devices with unencrypted files, etc. Human beings are the weakest link in the cyber security environment and healthcare organisations are no exception to this rule.

Presently, healthcare cyber security market consists of protection against malware, DDoS, advanced persistent threat, spyware, lost and stolen devices, etc. However, the list is just illustrative and the cyber security requirements are as vast as are the options available to the cyber criminals.

Perry4Law Organisation (P4LO) strongly recommends that the healthcare industry must work on three fronts i.e. formulation of techno legal policies, adoption of best cyber security practices and a mechanism to ensure cyber breach disclosure and coordination with the statutory and government authorities. If any of these three stages is missing, then the concerned healthcare organisation is at graver risk of cyber attacks and loss of sensitive healthcare information.

Cyber Security Infrastructure In India

Infrastructure is the backbone of any nation. Infrastructure’s shape and nature have been changing from time to time. With the advancement in technology, infrastructure is also dependent upon many facets of information and communication technology (ICT). This has made the task both easier and dangerous. Infrastructure utilisation has become easier with use of sophisticated technology whereas this use of technology has also made these infrastructures vulnerable to various forms of cyber attacks.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we believe that the Cyber Security Infrastructure of India must be urgently established by Indian Government. We also recommend that a Cyber Attack Crisis Management Plan of India must also be formulated as soon as possible. Further, the Cyber Security Policy of India 2015 must also be formulated by Indian Government on a priority basis as the 2013 policy is highly defective in nature.

This Cyber Security Policy must address the issues of Cyber Attacks and Cyber Terrorism, preventing Cyber Attacks on Power Utilities, Cyber Security of Indian Satellites and Critical Infrastructure, International Legal Issues of Cyber Security, Conflict of Laws in Cyberspace, formulation of a Techno Legal Framework, Cyber Security Disclosure Norms, etc.

We are living in an era of Cyber Warfare, Cyber Terrorism, Cyber Espionage, etc. To make matters worse, we have no International Harmonisation and Regulatory Framework for areas like Cyber Law, Cyber Security, Cyber Terrorism, Cyber Warfare, Cyber Espionage, etc. Even the Tallinn Manual on the International Law is not Applicable to International Cyber Warfare Attacks and Defence. In the absence of International Harmonisation and this “Great Legal Void”, Nations are free to Interpret and Apply their own “Norms and Regulations” to International Cyber Security Issues.

As far as India is concerned, Cyber Security in India has now become an essential part of Indian Polity and Economic Affairs. For instance, the Cyber Security Policy of India would be formulated very soon. However, Cyber Security has still not been understood and applied in true perspective. We have to think about Cyber Security beyond Anti Virus, Firewalls and Hardware and Software Procurements.

To start with, Cyber Security Skills Development in India must be ensured. Without a “Capable Cyber Security Workforce”, India cannot have an Effective Cyber Security. Similarly, in the absence of adequate Skills, Offensive and Defensive Cyber Security Capabilities of India cannot be achieved.

Malware have become “Sophisticated and State Sponsored” these days. Take the examples of malware like Stuxnet, Duqu, Flame, etc that are not works of Script Kiddies but Professional Programmers and Coders hired by various Nations. Clearly, the face of Cyber Attacks and Cyber Security is changing rapidly and firewalls and Anti Virus Software stand nowhere in this scenario.

Signature based Anti Virus Software are “Long Dead” and so are simple Firewalls. Ironically, Anti Virus Updates are a Potential Tool to Install Malware, Steal Information and Launch Cyber Warfare Attacks. We need a totally different Cyber Security Infrastructure for India as on date.

Today the Malware game has reached a totally different level. Malware are not used for Fun anymore. Neither are they used for merely stealing information. Malware today are also used for rendering Computer Systems and Devices useless. The Wiper Malware overwrites the Master Boot Record (MBR) and corrupts the relevant portion of the Hard Disk. When the Computer cannot be booted, it cannot serve any purpose.

Critical Infrastructure Protection in India is another aspect that must be considered “Very Seriously” by Indian Government. The National Critical Information Infrastructure Protection Centre (NCIIPC) of India must be made “Operational” as soon as possible. The Internet is Full of Unprotected and Unsafe Devices, SCADA Systems and Computers. Further, SCADA has become the new Cyber Attack Battlefield for India. The Cyber Security of Power Sector in India needs to be streamlined. Power Grids Cyber Security in India and its Challenges are now well known. Similarly, Healthcare and Medical/Life Sciences Industries are under Cyber Attack thereby risking the Lives of millions.

India must also “Absolutely Ensure” Human Rights Protection in Cyberspace. While doing so Civil Liberties and National Security Requirements Must be Reconciled by India. Issues like E-Surveillance in India, Cell Site Location Based E-Surveillance in India, Surveillance of Internet Traffic in India, Central Monitoring System (CMS) for Telephone Tapping in India, etc must be “Thoroughly Analysed” before implementing them. E-Surveillance Tools like FinFisher must be avoided at all costs.

Some “Positive Developments” have already been undertaken by Indian Government in this direction. For instance, a National Cyber Coordination Centre (NCCC) of India has been proposed to be established by Indian Government. Similarly, Regulations and Guidelines for Effective Investigation of Cyber Crimes in India may also be formulated very soon. The Indian Cyber Security Policy would be formulated very soon. The Critical Information Infrastructure Protection Agency of India may also be constituted soon. Finally, Indian Government is planning a Legislation Mandating Strict Cyber Security Disclosure Norms in India. As on date we have no dedicated Cyber Security Laws in India.

We at P4LO and PTLB wish Indian Government all the best for its Cyber Security Endeavours.

Cyber Security Disclosure Norms In India Needed: CECSRDI

Cyber security is a very crucial priority of nations around the world. India is also in the process of streamlining its cyber security infrastructure but its efforts in this regard are neither coordinated nor sufficient. For instance, we do not have a dedicated cyber security law of India that is the need of the hour. Further, there is also a dire need to bring a techno legal framework keeping in mind contemporary cyber security threats and challenges.

Almost 2 years back, Indian Government decided to formulate a legislation that would ensure strict cyber security disclosure norms. As per the then proposed legislation, if a company faced a cyber attack or cracking incident, the company would be required to disclose to its clients the impact of such an incident on the safety of their data and information. The company may also be required to inform government or its agency about such an incident.

At that time there was no chief information security officer (CISO) of India and this position has been recently created by Modi Government by appointing Dr. Gulshan Rai for this post. This may be the first step towards creating a more robust cyber security regime in India. This may also be the base for introducing cyber security breaches disclosure norms in India that can be reported to the CISO or any other designated authority in this regard.

We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance.

CECSRDI also strongly recommends formulating the cyber security breaches disclosure norms in India by Indian Government as soon as possible. We also suggest that a dedicated cyber security law of India must also be enacted by India as India has launched policy initiatives like Digital India and Internet of Things (PDF) that would require strong cyber laws. CECSRDI believes that cyber security best practices must be formulated by Indian Government that must be followed in true letter and spirit by all stakeholders.

In the absence of a coordinated and holistic policy implementation, Digital India is already heading towards rough waters. There are many shortcomings of Digital India, Aadhaar and IoT policy initiatives of Indian Government and they must be removed as soon as possible. Absence of adequate cyber security is a common problem for Digital India, Aadhaar and IoT projects. It seems the worst performance of Modi Government pertains to cyber security field where Modi Government seems to have lost the track.

Recently Target Corporation faced a cyber breach and this exposed it to litigations in multiple jurisdictions. The moot question is whether Target has failed to observe cyber due diligence regarding this particular breach. The cyber law due diligence (PDF) is neglected in India with impunity. Indian Government is also not proactive in taking such neglected obligations very seriously and this has made the entire concept of cyber law due diligence in India a joke only.

Nobody takes Indian cyber law seriously and e-commerce websites are openly flouting the cyber law of India by not following the cyber law due diligence and cyber security best practices requirements. In order to effectively enforce cyber security related obligations, cyber security awareness in India must be further improved with a special emphasis upon clearly specifying the cyber security obligations of directors of Indian companies.

Cyber law and cyber security awareness at the schools level must also be ensured. School children in India must be suitably educated about cyber issues. Recently the Central Board of Secondary Education (CBSE) issued directions to curb bullying/cyber bullying and sexual abuses at schools. Without actual implementations these are mere guidelines that are issued every year with little impact. CECSRDI strongly recommends that not only these guidelines/directions must be stringently implemented by CBSE but even cyber law and cyber security awareness must be spread by CBSE among school students. Schools must also be required to notify about any cyber security breaches at their premises.

The task is difficult but not impossible to achieve. CECSRDI wishes all the best to Modi Government in its cyber security initiatives and projects and hopes that Modi government would actually start working in this direction as soon as possible.