Author Archives: Praveen Dalal

Cyber Security Infrastructure In India

Infrastructure is the backbone of any nation. Infrastructure’s shape and nature have been changing from time to time. With the advancement in technology, infrastructure is also dependent upon many facets of information and communication technology (ICT). This has made the task both easier and more dangerous. Infrastructure utilisation has become easier with the use of sophisticated technology, whereas this use of technology has also made these infrastructures vulnerable to various forms of cyber attacks.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we believe that the Cyber Security Infrastructure of India must be urgently established by Indian Government. We also recommend that a Cyber Attack Crisis Management Plan of India must also be formulated as soon as possible. Further, the Cyber Security Policy of India 2015 must also be formulated by Indian Government on a priority basis as the 2013 policy is highly defective in nature.

This Cyber Security Policy must address the issues of Cyber Attacks and Cyber Terrorism, preventing Cyber Attacks on Power Utilities, Cyber Security of Indian Satellites and Critical Infrastructure, International Legal Issues of Cyber Security, Conflict of Laws in Cyberspace, formulation of a Techno Legal Framework, Cyber Security Disclosure Norms, etc.

We are living in an era of Cyber Warfare, Cyber Terrorism, Cyber Espionage, etc. To make matters worse, we have no International Harmonisation and Regulatory Framework for areas like Cyber Law, Cyber Security, Cyber Terrorism, Cyber Warfare, Cyber Espionage, etc. Even the Tallinn Manual on the International Law is not Applicable to International Cyber Warfare Attacks and Defence. In the absence of International Harmonisation and this “Great Legal Void”, Nations are free to Interpret and Apply their own “Norms and Regulations” to International Cyber Security Issues.

As far as India is concerned, Cyber Security in India has now become an essential part of Indian Polity and Economic Affairs. For instance, the Cyber Security Policy of India would be formulated very soon. However, Cyber Security has still not been understood and applied in true perspective. We have to think about Cyber Security beyond Anti Virus, Firewalls and Hardware and Software Procurements.

To start with, Cyber Security Skills Development in India must be ensured. Without a “Capable Cyber Security Workforce”, India cannot have an Effective Cyber Security. Similarly, in the absence of adequate Skills, Offensive and Defensive Cyber Security Capabilities of India cannot be achieved.

Malware have become “Sophisticated and State Sponsored” these days. Take the examples of malware like Stuxnet, Duqu, Flame, etc. that are not works of Script Kiddies but of Professional Programmers and Coders hired by various Nations. Clearly, the face of Cyber Attacks and Cyber Security is changing rapidly, and firewalls and Anti Virus Software stand nowhere in this scenario.

Signature based Anti Virus Software is “Long Dead” and so are simple Firewalls. Ironically, Anti Virus Updates are a Potential Tool to Install Malware, Steal Information and Launch Cyber Warfare Attacks. We need a totally different Cyber Security Infrastructure for India as on date.

Today the Malware game has reached a totally different level. Malware are not used for Fun anymore. Neither are they used for merely stealing information. Malware today are also used for rendering Computer Systems and Devices useless. The Wiper Malware overwrites the Master Boot Record (MBR) and corrupts the relevant portion of the Hard Disk. When the Computer cannot be booted, it cannot serve any purpose.

Critical Infrastructure Protection in India is another aspect that must be considered “Very Seriously” by Indian Government. The National Critical Information Infrastructure Protection Centre (NCIIPC) of India must be made “Operational” as soon as possible. The Internet is Full of Unprotected and Unsafe Devices, SCADA Systems and Computers. Further, SCADA has become the new Cyber Attack Battlefield for India. The Cyber Security of Power Sector in India needs to be streamlined. Power Grids Cyber Security in India and its Challenges are now well known. Similarly, Healthcare and Medical/Life Sciences Industries are under Cyber Attack, thereby risking the Lives of millions.

India must also “Absolutely Ensure” Human Rights Protection in Cyberspace. While doing so, Civil Liberties and National Security Requirements Must be Reconciled by India. Issues like E-Surveillance in India, Cell Site Location Based E-Surveillance in India, Surveillance of Internet Traffic in India, Central Monitoring System (CMS) for Telephone Tapping in India, etc. must be “Thoroughly Analysed” before implementing them. E-Surveillance Tools like FinFisher must be avoided at all costs.

Some “Positive Developments” have already been undertaken by Indian Government in this direction. For instance, a National Cyber Coordination Centre (NCCC) of India has been proposed to be established by Indian Government. Similarly, Regulations and Guidelines for Effective Investigation of Cyber Crimes in India may also be formulated very soon. The Indian Cyber Security Policy would be formulated very soon. The Critical Information Infrastructure Protection Agency of India may also be constituted soon. Finally, Indian Government is planning a Legislation Mandating Strict Cyber Security Disclosure Norms in India. As on date we have no dedicated Cyber Security Laws in India.

We at P4LO and PTLB wish Indian Government all the best for its Cyber Security Endeavours.

National Cyber Security Policy Of India 2013 (NCSP 2013)

The National Cyber Security Policy of India 2013 (NCSP 2013) (PDF) was recently declared by Indian Government. It is a Good Policy on many counts but it also failed to address many crucial aspects. For instance, the National Cyber Security Policy of India has failed to protect Privacy Rights in India. Nevertheless, this is a good step in the right direction and it must be updated and improved as time passes.

A sound Cyber Security Policy must be Techno Legal and Holistic in nature. It must be Techno Legal in nature so that it can accommodate both Technological and Legal aspects. It must be Holistic as it should cover as many areas as possible. It must be realistic as well, as a single Policy cannot be considered to be a Panacea for all Cyber Crimes and Cyber Attacks against India.

Thus, the Indian Cyber Security Policy must be supplemented by other Techno Legal Policies. For instance, the E-Mail Policy of India must supplement the Cyber Security Policy. The Cyber Security Policy must also be supplemented with the Telecom Security Policy of India and National Telecom Policy of India 2012 (NTP 2012). In fact, the National Security Policy of India must have the Cyber Security Policy as an essential component.

This NCSP 2013 intends to protect information and information infrastructure in Cyberspace, build capabilities to prevent and respond to cyber threat, reduce vulnerabilities and minimise damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.

The NCSP 2013 aims at facilitating creation of Secure Computing Environment and enabling adequate trust and confidence in electronic transactions and also guiding stakeholders’ actions for protection of Cyberspace. It outlines a road-map to create a framework for comprehensive, collaborative and collective response to deal with the issue of Cyber Security at all levels within the country. It also recognises the need for objectives and strategies that need to be adopted both at the National level as well as International level.

The NCSP 2013 envisages a vision and mission statement aimed at building a secure and resilient Cyberspace for citizens, businesses and Government. It strives to enable goals aimed at reducing national vulnerability to cyber attacks, preventing cyber attacks and cyber crimes, minimising response and recovery time, and effective cyber crime investigation and prosecution. It intends to facilitate monitoring key trends at the national level such as trends in cyber security compliance, cyber attacks, cyber crime and cyber infrastructure growth.

The Objectives of the NCSP 2013 include: to create a secure cyber ecosystem in the country, generate adequate trust and confidence in IT systems and transactions in cyberspace and thereby enhance adoption of IT in all sectors of the economy; to create an assurance framework for design of security policies and promotion and enabling actions for compliance to global security standards and best practices by way of conformity assessment (Product, process, technology and people); to strengthen the Regulatory Framework for ensuring a Secure Cyberspace Ecosystem; to enhance and create National and Sectoral level 24X7 mechanism for obtaining strategic information regarding threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective predictive, preventive, protective response and recovery actions; to improve visibility of integrity of ICT products and services by establishing infrastructure for testing & validation of security of such products; to create a workforce of 5,00,000 professionals skilled in next 5 years through capacity building, skill development and training; to provide fiscal benefit to businesses for adoption of standard security practices and processes; to enable Protection of information while in process, handling, storage and transit so as to safeguard privacy of citizen’s data and reducing economic losses due to cyber crime or data theft; and to enable effective prevention, investigation and prosecution of cyber crime and enhancement of law enforcement capabilities through appropriate Legislative Intervention.

Although the Objectives and Aims of the NCSP 2013 are Laudable yet their “Actual Implementation” is the real problem. India has not been able to achieve these Cyber Security Objectives so far. Since India is a late entrant in the Cyber Security field, it would only be fair to give it some more time to implement these Objectives successfully.

National Security Policy Of India Needs Techno Legal Boost

National Security has undergone a sea change these days. It is wrong to assume that the National Security Policy is confined to traditional threats alone. National Security of India is facing many challenges these days that are mainly attributable to the use and abuse of Information and Communication Technology (ICT).

For instance, Cyber Crimes, Cyber Attacks, Cyber Security Incidents, Cyber Warfare, Cyber Terrorism, Cyber Espionage, etc. are some of the problems that are peculiar to the contemporary times. These threats are intimidating the National Security of India by striking at the Financial, Economic, Social and Political Environment of India.

An implementable Techno Legal Crisis Management Plan of India for Cyber Attacks and Cyber Terrorism is the need of the hour. The National Cyber Coordination Centre (NCCC) of India must also be made operational immediately.

Critical Infrastructure Protection in India must also be ensured by Indian Government. For instance, Supervisory Control and Data Acquisition (SCADA) Systems are a favourite target for Cyber Criminals and Cyber Terrorists. By targeting SCADA these cyber miscreants can damage the Critical Infrastructure of India. We must ensure sufficient Cyber Protection of SCADA Systems in India in general and Critical Infrastructure in particular.

Malware like Stuxnet and Duqu have already shown how Critical Infrastructures and SCADA systems are vulnerable to Cyber Attacks. Indian Critical Infrastructures have also been targeted by these Malware. It is believed that Stuxnet was responsible for shutting down an Indian Communication Satellite. These Malware have also been targeting Indian Nuclear Systems and Facilities.

The National Critical Information Infrastructure Protection Centre (NCIIPC) of India, established under the guidance and control of Defence Research and Development Organisation (DRDO), must also play a more proactive role in this regard.

Although NCIIPC has issued the Guidelines For Protection of National Critical Information Infrastructure in India (PDF) yet the role of NCIIPC in India is still not clear due to absence of a Gazette Notification by the Government of India under section 70A of the Information Technology Act, 2000.

Recently DRDO sought Penal Provisions in National Telecom Security Policy of India for Telecom Companies violating the norms. However, recently the Computer Systems of DRDO and Security Officials were breached and Sensitive Files were leaked. Thus, DRDO must also enhance its own Cyber Security besides managing the Cyber Security of other Institutions.

We must develop Offensive and Defensive Cyber Security capabilities of India. A Cyber Command for Armed Forces of India is already in the pipeline. The Cyber Command has also become necessary as Countries across the world have started utilising Cyber Attacks and Malware against others. As per a recent report, U.S. is the Biggest Buyer of Malware in the world. Similarly, Global Cyber Espionage Networks are being actively used to spy and engage in E-Surveillance on other Countries. The command and control servers of Malware FinFisher were also found in 36 countries, including India.

Indian Government must Reconcile Civil Liberties and National Security Requirements in India. While protecting the National Security, Civil Liberties Protection in Cyberspace must also be ensured. Recently, United Nations passed a resolution approving Right to Privacy in the Digital Age.

However, India is in no mood to comply with that resolution. India has launched Illegal and Unconstitutional Projects like Aadhaar, Central Monitoring System (CMS), National Intelligence Grid (Natgrid), Crime and Criminal Tracking Networks and Systems (CCTNS), etc. without any Parliamentary Oversight and Legal Frameworks. In fact, the Internet Spy System Network and Traffic Analysis System (NETRA) of India has been proposed by Indian Government without any Legal Framework.

There is also a lack of Cyber Security Legal Practice in India. Not many Law Firms are providing Legal Services in the field of Cyber Security as it requires Techno Legal Expertise. Indian Government is planning a Legislation mandating strict Cyber Security Disclosure Norms in India. Further, Cyber Law Due Diligence requirements in India are also going to increase.

Cyber Security is an essential part and component of National Security of India. Indian Government must keep this fact in mind and draft a suitable Techno Legal National Security Policy of India.

National Cyber Security Policy Of India Has Failed To Protect Privacy Rights In India

The National Cyber Security Policy (NCSP), 2013 has listed many Objectives that Indian Government wishes to pursue to protect the Cyber Security Interests of India. However, from the very beginning the NCSP is facing Implementation Hurdles. The NCSP is also not holistically drafted as it is in active conflict with other Projects and Initiatives of Indian Government.

For instance, consider the example of the Central Monitoring System (CMS) Project of India. The CMS Project has been launched without any Parliamentary Oversight and Legal Framework. The problem has been further aggravated due to absence of Lawful Interception Law and Privacy Laws in India. The net effect of this situation is that Indian Government and its Agencies can do willful e-surveillance and phone tapping without any Parliamentary Oversight and Judicial Scrutiny.

Similarly, the Unconstitutional Aadhaar Project has already been Challenged before various High Courts in India. Aadhaar Project has serious Cyber Security and Data Security Issues that are still unresolved. The truth is that Biometric Collection in India is done in an Illegal and Unconstitutional Manner as on date.

So we have all sorts of private and sensitive personal and biometric information lying openly with Indian Government and its Agencies without any sort of Checks and Balances. In these circumstances the claims of Privacy Protection by the NCSP of India have to be judged.

The NCSP claims that it aims at enabling protection of information while in process, handling, storage and transit so as to safeguard privacy of citizen’s data and for reducing economic losses due to cyber crime or data theft. The Policy is silent as to how it would be able to do so. The Policy is also silent as to how it would Balance the Civil Liberty and National Security Requirements while enforcing Indian Cyber Security.

The present Mental Framework of Indian Government as well as the Regulatory Regime of India is “Anti Privacy” and “Anti Civil Liberty” in nature. Despite contrary media claims, the NCSP has maintained this position and Status Quo.

In a nutshell, the NCSP of India has failed to protect the Privacy Rights of Indian Citizens. Rather, accompanied with Projects like CMS, Aadhaar, etc., it would be actually violating the same. Let us wait for its actual implementation to see its true effect upon Civil Liberties Protection in Cyberspace.