Monthly Archives: March 2015

Cyber Security Disclosure Norms In India Needed: CECSRDI

Cyber security is a crucial priority for nations around the world. India is also in the process of streamlining its cyber security infrastructure, but its efforts in this regard are neither coordinated nor sufficient. For instance, we do not have a dedicated cyber security law of India, which is the need of the hour. Further, there is also a dire need to bring in a techno legal framework keeping in mind contemporary cyber security threats and challenges.

Almost 2 years back, Indian Government decided to formulate a legislation that would ensure strict cyber security disclosure norms. As per the then proposed legislation, if a company faced a cyber attack or cracking incident, the company would be required to disclose to its clients the impact of such an incident on the safety of their data and information. The company may also be required to inform the government or its agency about such an incident.

At that time there was no chief information security officer (CISO) of India and this position has been recently created by Modi Government by appointing Dr. Gulshan Rai for this post. This may be the first step towards creating a more robust cyber security regime in India. This may also be the base for introducing cyber security breaches disclosure norms in India that can be reported to the CISO or any other designated authority in this regard.

We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance.

CECSRDI also strongly recommends that Indian Government formulate the cyber security breaches disclosure norms in India as soon as possible. We also suggest that a dedicated cyber security law of India must be enacted, as India has launched policy initiatives like Digital India and Internet of Things that would require strong cyber laws. CECSRDI believes that cyber security best practices must be formulated by Indian Government and followed in true letter and spirit by all stakeholders.

In the absence of a coordinated and holistic policy implementation, Digital India is already heading towards rough waters. There are many shortcomings of Digital India, Aadhaar and IoT policy initiatives of Indian Government and they must be removed as soon as possible. Absence of adequate cyber security is a common problem for Digital India, Aadhaar and IoT projects. It seems the worst performance of Modi Government pertains to cyber security field where Modi Government seems to have lost the track.

Recently Target Corporation faced a cyber breach and this exposed it to litigation in multiple jurisdictions. The moot question is whether Target has failed to observe cyber due diligence regarding this particular breach. The cyber law due diligence is neglected in India with impunity. Indian Government is also not proactive in taking such neglected obligations seriously and this has made the entire concept of cyber law due diligence in India a joke only.

Nobody takes Indian cyber law seriously and e-commerce websites are openly flouting the cyber law of India by not following the cyber law due diligence and cyber security best practices requirements. In order to effectively enforce cyber security related obligations, cyber security awareness in India must be further improved with a special emphasis upon clearly specifying the cyber security obligations of directors of Indian companies.

Cyber law and cyber security awareness at the school level must also be ensured. School children in India must be suitably educated about cyber issues. Recently the Central Board of Secondary Education (CBSE) issued directions to curb bullying/cyber bullying and sexual abuses at schools. Without actual implementation these are mere guidelines that are issued every year with little impact. CECSRDI strongly recommends that not only must these guidelines/directions be stringently implemented by CBSE but cyber law and cyber security awareness must also be spread by CBSE among school students. Schools must also be required to notify any cyber security breaches at their premises.

The task is difficult but not impossible to achieve. CECSRDI wishes all the best to Modi Government in its cyber security initiatives and projects and hopes that Modi government would actually start working in this direction as soon as possible.

NSA May Have Used Equation Group To Indulge In Illegal E-Surveillance: Kaspersky Lab

Hardware and software based malware are very common these days. They have also become the favourite tool of intelligence agencies around the world to snoop upon their targets. Kaspersky Lab recently revealed that intelligence agencies used hardware based stealth malware to eavesdrop upon targets of interest. Similarly, it has also been reported that the pre-installing of adware in laptops by Lenovo compromised the cyber security of these infected laptops.

Now Kaspersky Lab has further revealed that the U.S. National Security Agency (NSA) may have been planting surveillance software into hard drives and other essential computer equipment sold around the world for more than a decade through Equation Group. The Equation Group manipulated hard drives manufactured by Toshiba, Seagate, IBM, Western Digital and others dating back as far as 2001.

This has serious national security, telecom security and civil liberties implications around the world. For instance, Indian government has still not notified the norms for import of telecom equipment in India and has been postponing the same from time to time. This means such malware ridden hardware can be easily imported into India and dangerously deployed for critical infrastructures. In fact, Huawei was accused of breaching national security of India by hacking base station controller in AP. Even the national cyber security policy of India 2013 is not at all effective in meeting the cyber security requirements of India.

Costin Raiu, Kaspersky’s lead researcher on the project, informed that while the Equation Group was able to steal files on any of the infected computers, they assumed full control only of computers used by high-value targets. Malicious firmware and BIOS are also big security threats for all stakeholders. Persistent BIOS infection using hidden rootkit is especially annoying and a major cyber security threat for India.

India needs to develop both offensive and defensive cyber security capabilities to tackle sophisticated cyber attacks. Cyber security breaches are increasing world over and India has its own share of the same. In this interconnected world, cyber security has become a major challenge for all countries. As on date the international legal issues of cyber attacks have yet to be resolved.

There are many cyber security challenges before the Narendra Modi Government. As per the cyber security trends of India 2015 by Perry4Law Organisation (P4LO), India needs to take urgent steps to strengthen its cyber security infrastructure. We believe that cyber security should be an integral part of the national security of India.

Narendra Modi Government has already started working in this direction. The Prime Minister Office (PMO) has already appointed Dr. Gulshan Rai as the first chief information security officer (CISO) of India. This is a significant step in the direction of strengthening of cyber security infrastructure of India.

Secondly, Narendra Modi has suggested to Nasscom that a task force be set up to solve the growing cyber security menace in India. According to Nasscom the taskforce would be constituted within a period of one month. We believe such a task force would provide valuable suggestions and implementation plans to strengthen Indian cyber security.

However, it would not be an easy task to ward off sophisticated and stealth malware that are the real problem for India. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) strongly recommend that indigenous capabilities in the hardware and software development must be developed by India to avoid possible malware and backdoors. We also recommend that a new cyber security policy of India 2015 must be urgently formulated by Indian Government keeping in mind the requirement and need of a techno legal framework in India.