Author Archives: CECSRDI

NSDL’s Negligence In Reporting Cyber Breach Irks SEBI

Cyber security as a part of Indian policy is still not widely recognised. This is true not only of the drafting of cyber security policies and laws in India but also of the actual implementation of the scarce provisions we have in this regard. For instance, we have no cyber breach disclosure norms in India as on date and the cyber law of India is grossly deficient on this front. Different regulators and authorities have specified their own guidelines and rules in this regard, which has further complicated the situation. Companies and individuals do not find these guidelines and regulations deterrent enough to even take notice of them. Of course, expecting actual compliance with these regulations from companies and individuals is like expecting a mountain to move.

Recently there were many media reports that the website of Ministry of Home Affairs was cracked by unknown crackers. Website defacement is a very common phenomenon in India and is not a very serious threat. The real threat is use of stealth malware by our cyber adversaries that cannot be detected for months and years. Contemporary cyber security products and services are ineffective against such malware. And till the time we react against such malware and corresponding cyber breaches, the irreparable damage is already done.

Indian companies and their directors are notoriously insincere in reporting cyber crimes and cyber breaches. As a result, remedial cyber actions cannot be taken on time and consumer interests are jeopardised. Take a recent example in this regard. On 10 October 2016, it was reported that the website of the National Securities Depository Limited (NSDL) had been hacked. A detailed inquiry by SEBI into the attack on India’s biggest depository reveals that NSDL has not been fully compliant with SEBI’s policies and several specific circulars on audit and risk containment were ignored. In fact, even the recovery effort did not meet SEBI’s specifications.

This lax attitude is not acceptable in contemporary times and under the digital India project that is already insecure. On the one hand Indian government is contemplating separate CERT for financial sector and on the other hand we see this attitude of NSDL. Perry4Law Organisation (P4LO) strongly recommends that Indian government must investigate this issue and take appropriate action against those guilty of non compliance with the cyber breach disclosure requirements of SEBI and other laws. We also recommend that cyber security infrastructure of India must be strengthened.

Since NSDL holds most of our shares and investments in dematerialised form and its sister entity handles our tax information and other data, it was important for NSDL to immediately inform SEBI in this regard. However, NSDL failed to do so not only in a timely manner but also in great disregard of the cyber security and cyber law due diligence (pdf) requirements. NSDL has told SEBI that only the public website was affected and it only contains information about the organisation, its products and services and downloadable forms. NSDL also informed that no confidential data was compromised by the attack, nor was any service provided by NSDL to clients affected.

This assertion of NSDL may be true but the problem, according to SEBI and its technical advisory committee (TAC), is with the many flaws and lapses that have been thrown up by the incident, which indicate that NSDL is not taking SEBI’s circulars as seriously as it should. There are also inconsistencies in the versions of NSDL regarding cyber breach reporting to CERT-In and SEBI respectively. For instance, although NSDL reported the incident as a “major cyber attack” to CERT-In, it decided to wait and conduct a detailed review of the incident and reported the attack to SEBI only on 19th October, after a lapse of nine days.

Of course, NSDL has given an explanation for this delayed reporting to SEBI. NSDL claims that this cyber breach was not considered a cyber attack on its own system, and there was no impact on the information of any client held by NSDL or the services provided by NSDL to its clients. Hence NSDL did not report the incident to SEBI immediately and reported it only after a detailed investigation conducted in association with the hosting provider.

What NSDL has failed to understand in this case is that NSDL must choose an outsourcing or hosting service provider that must comply with the cyber security standards as prescribed by SEBI. According to the guidelines issued by SEBI on 6 July 2015, market intermediaries like NSDL must ensure similar level of IT security measures as its own data centre, at outsourcing entities such as hosting service providers. However, SEBI has found that the hosting service provider in this case had “very weak securities controls”. The report of the cyber attack incident revealed basic issues such as weak passwords and improper hardening of systems among the reasons for the hacking incident. This is a direct violation of the SEBI guidelines.

Further, a circular issued by SEBI on 9 December 2015, which specifically deals with “outsourcing by depositories”, required NSDL to ensure that a risk impact analysis is undertaken before outsourcing any activity and appropriate risk mitigation measures, like a back-up and restoration system, are in place. It also had to ensure real-time monitoring of outsourced activities with a clear policy framework and audit of outsourced activities. NSDL, reportedly, failed to ensure these standards of IT and cyber security at the level of the hosting service provider, to which the job of maintaining NSDL’s website had been outsourced.

The SEBI circular requires market intermediaries to ensure that a cyber security and resilience policy document is prepared which is approved by the board of directors and reviewed, at least, annually. Further, an IT strategy committee of depositories is expected to review this policy on a quarterly basis and set goals for improving and strengthening cyber resilience.

SEBI says that “a critical element of the cyber security and resilience framework, i.e., risk emanating from the outsourced activity of third-party service providers/vendors, was not appropriately assessed and mitigated” by NSDL, at the level of its chief information security officer, or the management, the IT strategy committee or the board of directors. Further, there has to be an annual system audit of the depository, which is supposed to audit ‘access policy and controls as well as general access controls’. However, SEBI has discovered that the hosting service provider, which hosted NSDL’s website, was not even covered by the annual system audit process.

Above all, a SEBI circular, dated 22 July 2012, mandates a very specific recovery time objective (RTO) and a recovery point objective of not more than 30 minutes. On 4 September 2013, SEBI issued a circular which says that intermediaries should have a business continuity plan in place including a secondary site that incorporates all critical IT systems and can resume operations within two hours following a disruptive incident. This system should be designed to ensure that the intermediary can “complete settlement at the end of the day of disruption, even in the case of extreme circumstances.” And these back-up arrangements need to be regularly tested and be in order.

NSDL’s own submission indicates that it failed in this regard. NSDL has confirmed that the cyber attack started at 7.30pm on 10 October 2016 and the website was completely restored on 11 October 2016. This would mean that it failed the RTO specified by SEBI, in this particular incident. NSDL may be supremely confident about its technology prowess and ability to deal with cyber attacks, but the utter disregard for SEBI regulations, especially the fact that NSDL did not bother to report the incident for nine days, should be a matter of concern.

In the past it was decided that the Technical Advisory Committee (TAC) of SEBI would address cyber security issues as well. This move of SEBI aims at securing the data, applications, database, operating systems and network layers of financial market infrastructures (FMIs) from various forms of cyber attacks such as Denial of Service (DoS) attacks, phishing, hacking, man-in-the-middle attack, sniffing, spoofing, key-logging and malware attacks.

Cyber security and cyber resilience for financial market infrastructures is one of the core priority issues for governments and nations around the world. However, this is not an easy task to manage as it requires tremendous techno legal expertise that very few individuals and organisations possess these days. Even the regulatory and governing framework in this regard is still evolving at the international level. Indian government and SEBI are slow in this regard and the episode of NSDL shows that we are still far away from achieving this goal.

CIA Has Been Issuing Computer Security And Cyber Security Warnings Since 1968

Cyber security is not an easy task to manage, especially in contemporary times. Cyber security is not just a technical matter; it includes legal aspects as well. This is the reason why cyber security is a techno legal field. We have been treating cyber security as a mere technical field for long and this is not producing any productive results.

For instance, the Central Intelligence Agency (CIA) of the United States has been struggling to deal with cyber security and computer security since 1968 and much before. At least the official records of the CIA’s involvement in the cyber security field go back to 1968, when the CIA issued a cyber security warning to the US government. This makes it almost 50 years of concern and expertise for the CIA in the field of cyber security.

So it would be safe to conclude that the US government has been seized with cyber security related issues at least since 1968. And if the US government is still concerned about cyber security, it means that by and large our cyber security efforts have failed to achieve the required goals. Meanwhile, President Donald Trump is about to sign an executive order to strengthen US cyber security capabilities. This is in addition to the transborder hacking and search powers of the Federal Bureau of Investigation (FBI) that give the US law enforcement agency long arm jurisdiction. Despite all its cyber power, the US still believes that cyber warfare is undermining its traditional defenses.

The problem with a sophisticated and global cyber attack is that we cannot ascertain the authorship attribution with certainty in almost all cases. For instance, the US has accused Russia of manipulating its election results through cyber attacks whereas Russia has accused the CIA of hacking the Kremlin. Who is speaking the truth and who is not is difficult to ascertain in these circumstances.

As per the media report, the U.S. government has been in the cyber security business for many decades. In 1968, the CIA added a computer security subcommittee to the U.S. Intelligence Board, a government wide body convened by the CIA to coordinate intelligence efforts. The US intelligence community has been dealing with many of the problems of access control, physical security, contractor access, data verification and other issues that continue to plague government agencies even today. So the cyber security problems are persistent and ever evolving and this is the reason why laws of various countries are not even close to resolving such complicated cyber issues.

In February 1969, subcommittee participants were instructed to list in order of priority their computer security problem areas. The NSA member said that access control topped the list, followed by computer malfunctions, information classification and physical security. An Air Force member wanted to prioritise the development of a method to securely erase the drums of magnetic storage tape containing highly classified information, when those tapes needed to be decommissioned. The Navy concurred in this judgement. The Defense Intelligence Agency sought to come up with a working definition of a system and its components as a first step to developing a computer security standard.

In one memo, the group examined the security threats posed by the possibility of hostile exploitation of weak points in the computer operations of the intelligence community. In assigning this task to the Subcommittee, the Security Committee requested that the Counterintelligence Staff of CIA be asked to report any known cases where hostile services had attempted to exploit the security vulnerabilities of the computer operations. In addition, the Subcommittee was asked to study any possible threat of hostile penetration of the computer operations.

The memorandum also warned about the Soviet Bloc’s interest in American computing technology. This means the US was at loggerheads with Russia regarding computing technology and cyber security at least since 1968. So cyber espionage and cyber warfare are not new concepts but just new definitions for the old forms of computing espionage and cyber attacks.

The Subcommittee asked CIA counterintelligence personnel to look for possible examples of intrusion or exploitation by rivals. According to the memo’s findings, the CIA and the FBI “were able to provide information on several cases involving hostile attempts to exploit either personnel associated with Community computer operations or personnel employed by American computing manufacturers having potential contact with government operations.”

Additionally, that report confirmed the existence of vulnerabilities in intelligence community systems that were postulated as possible threats in a draft of a classified Defense Science Bureau Task Force report from January 1970 — including one flaw that allowed for system-wide memory dumps to be initiated by programmers who were only supposed to have limited access. Another bug from back in the days of magnetic tape storage allowed users to bypass storage protection features of the IBM 360 system to access program data.

Information and communication technology (ICT) has significantly changed since 1968 and many more layers of complications and complexities have been added. This discussion by the CIA is a hint of how the future of computers, the Internet and ICT can be changed by States and State actors forever.

Source: IoT And Smart Cities Forum Of India.

Cyber Security Disclosure Norms In India Needed: CECSRDI

Cyber security is a very crucial priority of nations around the world. India is also in the process of streamlining its cyber security infrastructure but its efforts in this regard are neither coordinated nor sufficient. For instance, we do not have a dedicated cyber security law of India, which is the need of the hour. Further, there is also a dire need to bring a techno legal framework keeping in mind contemporary cyber security threats and challenges.

Almost 2 years back, the Indian Government decided to formulate a legislation that would ensure strict cyber security disclosure norms. As per the then proposed legislation, if a company faced a cyber attack or cracking incident, the company would be required to disclose to its clients the impact of such an incident on the safety of their data and information. The company may also be required to inform the government or its agency about such an incident.

At that time there was no chief information security officer (CISO) of India and this position has been recently created by Modi Government by appointing Dr. Gulshan Rai for this post. This may be the first step towards creating a more robust cyber security regime in India. This may also be the base for introducing cyber security breaches disclosure norms in India that can be reported to the CISO or any other designated authority in this regard.

We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance.

CECSRDI also strongly recommends formulating the cyber security breaches disclosure norms in India by Indian Government as soon as possible. We also suggest that a dedicated cyber security law of India must also be enacted by India as India has launched policy initiatives like Digital India and Internet of Things (PDF) that would require strong cyber laws. CECSRDI believes that cyber security best practices must be formulated by Indian Government that must be followed in true letter and spirit by all stakeholders.

In the absence of a coordinated and holistic policy implementation, Digital India is already heading towards rough waters. There are many shortcomings of Digital India, Aadhaar and IoT policy initiatives of Indian Government and they must be removed as soon as possible. Absence of adequate cyber security is a common problem for Digital India, Aadhaar and IoT projects. It seems the worst performance of Modi Government pertains to cyber security field where Modi Government seems to have lost the track.

Recently Target Corporation faced a cyber breach and this exposed it to litigation in multiple jurisdictions. The moot question is whether Target has failed to observe cyber due diligence regarding this particular breach. The cyber law due diligence (PDF) is neglected in India with impunity. The Indian Government is also not proactive in taking such neglected obligations seriously and this has made the entire concept of cyber law due diligence in India a joke.

Nobody takes Indian cyber law seriously and e-commerce websites are openly flouting the cyber law of India by not following the cyber law due diligence and cyber security best practices requirements. In order to effectively enforce cyber security related obligations, cyber security awareness in India must be further improved with a special emphasis upon clearly specifying the cyber security obligations of directors of Indian companies.

Cyber law and cyber security awareness at the schools level must also be ensured. School children in India must be suitably educated about cyber issues. Recently the Central Board of Secondary Education (CBSE) issued directions to curb bullying/cyber bullying and sexual abuses at schools. Without actual implementations these are mere guidelines that are issued every year with little impact. CECSRDI strongly recommends that not only these guidelines/directions must be stringently implemented by CBSE but even cyber law and cyber security awareness must be spread by CBSE among school students. Schools must also be required to notify about any cyber security breaches at their premises.

The task is difficult but not impossible to achieve. CECSRDI wishes all the best to Modi Government in its cyber security initiatives and projects and hopes that Modi government would actually start working in this direction as soon as possible.

NSA May Have Used Equation Group To Indulge In Illegal E-Surveillance: Kaspersky Lab

Hardware and software based malware are very common these days. They have also become the favourite tool of intelligence agencies around the world to snoop upon their targets. Kaspersky Lab recently revealed that intelligence agencies used hardware based stealth malware to eavesdrop upon targets of interest. Similarly, it has also been reported that the pre-installation of adware in laptops by Lenovo compromised the cyber security of these infected laptops.

Now Kaspersky Lab has further revealed that the U.S. National Security Agency (NSA) may have been planting surveillance software into hard drives and other essential computer equipment sold around the world for more than a decade through Equation Group. The Equation Group manipulated hard drives manufactured by Toshiba, Seagate, IBM, Western Digital and others dating back as far as 2001.

This has serious national security, telecom security and civil liberties implications around the world. For instance, the Indian government has still not notified the norms for import of telecom equipment in India and has been postponing the same from time to time. This means such malware ridden hardware can be easily imported into India and dangerously deployed in critical infrastructures (PDF). In fact, Huawei was accused of breaching national security of India by hacking base station controller in AP. Even the national cyber security policy of India 2013 is not at all effective in meeting the cyber security requirements of India.

Costin Raiu, Kaspersky’s lead researcher on the project, said that while the Equation Group was able to steal files on any of the infected computers, they assumed full control only of computers used by high-value targets. Malicious firmware and BIOS are also big security threats for all stakeholders. Persistent BIOS infection using hidden rootkit is especially annoying and a major cyber security threat for India.

India needs to develop both offensive and defensive cyber security capabilities to tackle sophisticated cyber attacks. Cyber security breaches are increasing world over and India has its own share of the same. In this inter connected world, cyber security has become a major challenge for all countries. As on date the international legal issues of cyber attacks have yet to be resolved.

There are many cyber security challenges before the Narendra Modi Government. As per the cyber security trends of India 2015 by Perry4Law Organisation (P4LO), India needs to take urgent steps to strengthen its cyber security infrastructure. We believe that cyber security should be an integral part of the national security of India.

Narendra Modi Government has already started working in this direction. The Prime Minister Office (PMO) has already appointed Dr. Gulshan Rai as the first chief information security officer (CISO) of India. This is a significant step in the direction of strengthening of cyber security infrastructure of India.

Secondly, Narendra Modi has suggested to Nasscom that a task force be set up to solve the growing cyber security menace in India. According to Nasscom the taskforce would be constituted within a period of one month. We believe such a task force would provide valuable suggestions and implementation plans to strengthen Indian cyber security.

However, it would not be an easy task to ward off sophisticated and stealth malware that are the real problem for India. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) strongly recommend that indigenous capabilities in the hardware and software development must be developed by India to avoid possible malware and backdoors. We also recommend that a new cyber security policy of India 2015 must be urgently formulated by Indian Government keeping in mind the requirement and need of a techno legal framework in India.