Access To Knowledge (A2K)

Cybersecurity and the Internet of Things

praskrishna — 2015-03-13T02:14:59Z

US Consulate Chennai formally Invite you for a talk by David F.Heyman on March 19, 2015 in Hotel Atria, Palace Road, Bangalore. The event is being organized by the US Consulate, Chennai, Cyber Security & Privacy Foundation (CSPF) and the Centre for Internet & Society (CIS).

Note: Please register to come to the event, if you are not attending please inform us.

David Heyman, former Assistant Secretary for Policy at the U.S. Department of Homeland Security and retired Software Engineer Reimagining and Transforming Cities, Governments, and Lives with the Internet of Things For the first time in human history more people live in cities than anywhere else.

By 2050 three-fourths of the world’s population will live in cities. As more and more people move to cities, more of the world’s challenges, from emerging infectious diseases, crime, economic growth, and environmental degradation, will be concentrated in cities. Citizens will expect and demand more from their leaders; and governments will face greater pressure to provide services better, faster, cheaper to more and more, potentially with less and less resources.

More than any other force driving change over the horizon, the Internet of Things (IoT) holds the potential to connect and infuse devices, business assets, infrastructures, and other elements of a city with greater intelligence and efficiencies to drive a new era of innovation and performance. And yet, this potential is juxtaposed against a backdrop of an explosion in cybercrimes and threats facilitated by the increased linkages between the physical and cyber world that is at the heart of IoT, and which affords malicious actors anywhere in the world the potential to disrupt services and lives on a far more consequential level than ever before.

In his remarks, David Heyman, former Assistant Secretary for Policy at the U.S. Department of Homeland Security, and retired software engineer, will discuss the extraordinary potential of the IoT, the barriers to adoption, and how governments and businesses can navigate this new frontier, work together, and re-imagine and transform cities—and nations—for tomorrow.

David F. Heyman

David F. Heyman has over two decades of experience as a leader in spurring innovation, risk management, and strategy development in the public and private sector. He is a leading expert in national security and international affairs, counterterrorism, cybersecurity, building resilience, and critical infrastructure protection, with broad experience in the U.S., Europe, Middle East and Asia. Heyman’s career includes service at the highest levels of the U.S. government, working in senior positions at the White House, the U.S. Department of Energy, the U.S. Department of Homeland Security, as well as in the private sector.

Most recently, Heyman concluded five years of service as Assistant Secretary of Policy (operating as an Under Secretary equivalent) at the U.S. Department of Homeland Security (DHS). As a member of the senior management team at DHS, Heyman was responsible for the Department’s strategic planning, risk and decision analysis, policy development, and thought leadership across all five departmental mission areas: counterterrorism, border security, immigration,
cybersecurity, and building resilience to disasters. During his tenure, Heyman helped transform the Department from a budget-driven to a strategydriven organization, and instituted an enterprise risk-management architecture for managing the Department’s $60 billion budget. He oversaw and initiated the Department’s largest expansion in global engagement, and in this role, led efforts to build new strategic partnerships with the World Customs Organization, the World Economic Forum, and some of the most consequential and complicated geopolitical relationships facing the United Stated today, including China, India, the European Union, and others. Heyman designed and launched multiple domestic, bilateral, and global initiatives to bolster U.S. security and prosperity. He was the chief architect of the nation’s first National Strategy for Homeland Security—the Quadrennial Homeland Security Review—which elevated and established cyber security and building national resilience as core homeland security missions. He led efforts around five Presidential Initiatives
to: empower communities to counter violent extremism; strengthen global supply chain security; expand travel and tourism to the United States; streamline and modernize the U.S. import and export system; and develop and implement a new perimeter approach to North American Security which resulted in the Beyond the Border Initiative signed by President Obama and Canadian Prime Minister Carper.

He led the creation of the Resilient STARTM program and the Rick Rescorla National Award for Resilience, and is wellknown for drafting the policy to eliminate the color-code Homeland Security Advisory System and replace it with a more disciplined National Terrorism Advisory System, now used by the U.S. government. Previously, Heyman founded and directed the Homeland Security Program at the Center for Strategic and International Studies (CSIS), one of the nation’s leading and most influential think tanks in international security and taught security studies and science and technology policy as an adjunct professor at Georgetown University. Heyman also served as a senior advisor to Energy Secretary Bill Richardson and oversaw development and implementation of a number of energy, infrastructure and technology initiatives, including leading and establishing a new portfolio approach to manage DOE’s $7 billion in research and development (R&D) investments.

Earlier in his career, Heyman was a senior policy advisor in national security and international affairs at the White House Office of Science and Technology Policy (OSTP), and was responsible for providing science, technology, and foreign policy advice to the President’s Science Advisor and the Vice President’s National Security Advisor. Before entering government, Heyman worked for nearly a decade as a computer systems software engineer, and head of international operations for a firm developing and deploying industrial automation, robotics, and supply-chain management systems for Fortune 100 companies. Heyman holds a Bachelor’s degree in biology from Brandeis University and a Master’s in international relations and economics from the Paul H. Nitze School of Advanced International Studies at Johns Hopkins University, where he graduated with the highest level of distinction. He is currently a member of the Aspen Homeland Security Strategy Group, Aspen’s U.S.-India Strategic Dialogue, and serves as co-chair of its Cyber Task Force.

For more details visit https://cis-india.org/internet-governance/events/talk-on-cybersecurity-and-internet-of-things

Cyberscholars Working Group at MIT

praskrishna — 2014-01-09T06:41:31Z

Malavika Jayaram is giving a talk on Biometrics or Bust - India’s Identity Crisis at this event organised by Berkman Center for Internet & Society on December 12 at 6.00 p.m.

Read the original published by Harvard University here.

The Cyberscholar Working Group is a forum for fellows and affiliates of MIT, Yale Law School Information Society Project, Columbia University, and the Berkman Center for Internet & Society at Harvard University to discuss their ongoing research. Each session is focused on the peer review and discussion of current projects submitted by a presenter. Meeting alternatively at Harvard, MIT, Yale, the working group aims to expand the shared knowledge of young scholars by bringing together these preeminent centers of thought on issues confronting the information age. Discussion sessions are designed to facilitate advancements in the individual research of presenters and in turn encourage exposure among the participants to the multi-disciplinary features of the issues addressed by their own work.

This month's presentations include:
(1) "Lines of Control: Networks of Imperialism and Independence in India (1840-1947)"
Abstract: This paper examines the history of communications networks in India and the relationship between communications and second-order networks. It draws attention to the wave of colonial network development that took place in India between 1840 and 1948. During these years, Britain constructed a series shipping, rail and telegraph networks to achieve a set of military and commercial goals. This paper studies how first- and second-order networks developed, and the intended and unintended effects of these networks on Indiaʼs economics, politics, and identity. The paper draws on economic and social studies of colonial communications networks in India, original reports by British officials and the Colonial Office, and the literature focusing on the role of technology in British imperialism. It shows how Indiaʼs colonial communication networks, built to augment and extend British control over the subcontinent, became conduits for Indian resistance and nationalism.
Keywords: shipping, telegraph, railroads, imperialism, nationalism, network theory, India

Colin Agur is a PhD candidate at Columbia University and Visiting Fellow at Yale Law School's Information Society Project. His research examines India's telecommunications, focusing on mobile network formation and second-order effects of network growth. He spent the 2012-13 academic year in Delhi and Chennai, conducting document analysis, interviews with industry figures and participant observation related to mobile phone usage. He has published articles about Indian media and culture in Harvard's Nieman Lab, the Journal of Asian and African Studies and Journalism (forthcoming), and about telecommunications history in Information and Culture.

(2) Big Data Dramas in the 1960s and 1970s
Abstract: The recent frenzy in discussing NSA activities and the collecting of Big Data show a widespread critical concern for the current practice of gathering and using personal data. These concerns have their history. In my presentation, I track the beginnings of a growing public awareness and sensitivity towards the societal handling of personal data. I argue that the early computerization phase during the 1960s and 1970s played a crucial role in discussing these issues. Media reports, popular books, scientific publications, and political hearings all of a sudden began – often in quite different ways – to address and question contemporary practices of collecting, sharing, and storing of personal data. Their authors explored and negotiated all kind of societal settings where personal data played a significant role at that time. There have been concerns about these issues with personal data before, but – as I will show in my presentation – not on this broad societal level and to this extent as in the late 1960s and early 1970s. I argue that during that time, the usage of personal data became a highly controversial matter not only of public, but also of private interest.My inquiry examines how the term “data“ and in particular the collection of personal data became loaded with cultural and emotional significance in scientific and media discussions in the 1960s and 1970s in the United States and in Germany. Furthermore, it explores how the early computerization affected our societal handling of data long before the personal computer entered our private lives.

Julia Fleischhack is a visiting postdoctoral research fellow in the program in Science, Technology, and Society at the Massachusetts Institute of Technology. She holds a PhD in anthropology from Zürich University. Her current research is on data centers from the private sector and funded by the Fritz Thyssen foundation.

(3) Biometrics or Bust - India’s Identity Crisis
Abstract: India's identity juggernaut - the Unique Identity (UID) project that has registered around 500 million people and is yet to be fully realized - is already the world's largest ever biometrics identity scheme. Grounded in the premise that centralized de-duplication and authentication will uniquely identify people and eliminate fraud, it is hailed as a game changer and a silver bullet that will solve myriad socio-economic problems, yet its conception and architecture raise significant concerns. Its implementation as a techno-utopian project in a legal vacuum, despite the potential for abuse and exclusion, give pause to the much-vaunted claims of transforming welfare delivery and galvanizing financial inclusion. I will provide an overview of the identity project and highlight some of the key implications for privacy and free speech, and more broadly, democracy and openness. I will also unpack some of the narratives being constructed, describe the current public discourse and legal developments, and locate the project within the broader surveillance state and database nation that India is morphing into.

Malavika Jayaram is a Fellow at the Berkman Center for Internet and Society at Harvard, focusing on privacy, identity and free expression. A Fellow at the Centre for Internet and Society, Bangalore, she is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection directory. In August 2013, she was voted one of India's leading lawyers - one of only 8 women to be featured in the "40 under 45" survey conducted by Law Business Research, London.

For more details visit https://cis-india.org/news/cyberscholars-working-group-mit

Cybercrime and Privacy

praskrishna — 2010-09-14T13:21:20Z

Elonnai Hickok examines privacy in the context of India’s legal provisions on cybercrime. She picks up the relevant provisions of the Information Technology Act as amended in 2008 dealing with cyber crimes and provides a fair analysis of the pros and cons of the amended Act.

What is Cybercrime?

Looking at the recent Facebook ‘break in’ where 100,000 of users’ information was downloaded and made accessible through a simple search engine, , and the new Microsoft virus that attacked 10,000 machines, it is clear that cybercrime is no longer an issue to be taken lightly. Cybercrime is defined as an unlawful act committed using a computer either as a tool or as a target (or both) for facilitating a crime. Although there is an overlap, some are more likely to use the computer as a tool, and others use it as a target. Examples of the former include: fraud, forgery, DOS, consumption of limited resources, cyberterrorism, IPR violations, software piracy, copyright infringement, trademarks violations, patent violations, cyber squatting, credit card frauds, forgery, EFT frauds, pornography, banking/credit card related crimes, sale or purchase of illegal articles, cyberstalking, phishing, theft, and breaches in privacy, and gambling. Crimes where the computer is made a target include: computer theft, physical destruction or alteration of network components, theft of computer source code, hacking, defacing websites, creation of viruses, destruction or alteration of configuration information and email spamming.

What is India's current legislation on cybercrime?

The Information Technology Act 2000 (amended in 2008)

The Information Technology Act was first drawn up in 2000, and has been revised most recently 2008. The Information Technology (Amendment) Bill, 2008 amended sections 43 (data protection), 66 (hacking), 67 (protection against unauthorised access to data), 69 (cyberterrorism), and 72 (privacy and confidentiality) of the Information Technology Act, 2000, which relate to computer/cybercrimes.

Section 43 [Penalty and Compensation for damage to computer, computer system, etc.] amended vide Information Technology Amendment Act 2008 reads as under:

If any person without permission of the owner or any other person who is in-charge of a computer, computer system or computer network:

accesses or secures access to such computer, computer system or computer network or computer resource (ITAA2008)
downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
disrupts or causes disruption of any computer, computer system or computer network;
denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means (Inserted vide ITAA-2008); and
Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, (Inserted vide ITAA 2008) he shall be liable to pay damages by way of compensation to the person so affected. (change vide ITAA 2008)

Critique: In comparison to the laws enacted in other countries, this provision still falls short of a strong data protection law. In most other countries data protection laws specify:

the definition and classification of data types;
the nature and protection of the categories of data;
that equal protection will be given to data stored offline and data stored manually;
that data controllers and data processors have distinct roles;
clear restrictions on the manner of data collection;
clear guidelines on the purposes for which the data can be put and to whom it can be sent;
standards and technical measures governing the collection, storage, access to, protection, retention, and destruction of data;
that providers of goods or services must have a clear opt - in or opt - out option; and
in addition, most countries provide strong safeguards and penalties against breaches of any of the above

Section 66 [Computer Related Offences] amended vide Information Technology Amendment Act 2008 reads as under:

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both.

Explanation: For the purpose of this section,-

the word "dishonestly" shall have the meaning assigned to it in section 24 of the Indian Penal Code;
the word "fraudulently" shall have the meaning assigned to it in section 25 of the Indian Penal Code.

[Section 66 A] [Punishment for sending offensive messages through communication service, etc.]

(Introduced vide ITAA 2008):

Any person who sends, by means of a computer resource or a communication device,-

any information that is grossly offensive or has menacing character; or
any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by making use of such computer resource or a communication device;
any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages (Inserted vide ITAA 2008) shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, terms "Electronic mail" and "Electronic Mail Message" means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.

[Section 66 B] [Punishment for dishonestly receiving stolen computer resource or communication device] (Inserted Vide ITA 2008):
Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.

[Section 66C] [Punishment for identity theft] (Inserted Vide ITA 2008):

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

[Section 66D] [Punishment for cheating by personation by using computer resource] (Inserted Vide ITA 2008):
Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

[Section 66E] [Punishment for violation of privacy] (Inserted Vide ITA 2008):
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both

Explanation - For the purposes of this section--

“transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
“capture”, with respect to an image, means to videotape, photograph, film or record by any means;
“private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
“publishes” means reproduction in the printed or electronic form and making it available for public;
“under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that:

he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

[Section 66F] [Punishment for cyber terrorism]:
(1) Whoever,-

(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by –

denying or cause the denial of access to any person authorized to access computer resource; or
attempting to penetrate or access a computer resource without authorisation or exceeding authorized access; or
introducing or causing to introduce any Computer Contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70, or

(B) knowingly or intentionally penetrates or accesses a computer resource without authorization or exceeding authorized access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life’.

Critique: We find the terminology in multiple sections too vague to ensure consistent and fair enforcement. The concepts of ‘annoyance’ and ‘insult’ are subjective. Clause (d) makes it clear that phishing requests are not permitted, but it is not clear that one cannot ask for information on a class of individuals.

Section 67 [Publishing of information which is obscene in electronic form] amended vide Information Technology Amendment Act 2008 reads as under:

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to two three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.

[Section 67 A] [Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form] (Inserted vide ITAA 2008):
Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.

Exception: This section and section 67 does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art, or learning or other objects of general concern; or
which is kept or used bona fide for religious purposes.

[Section 67 B] Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form:

Whoever,-

(a) publishes or transmits or causes to be published or transmitted material in any electronic

form which depicts children engaged in sexually explicit act or conduct or

(b) creates text or digital images, collects, seeks, browses, downloads, advertises,

promotes, exchanges or distributes material in any electronic form depicting children in

obscene or indecent or sexually explicit manner or

and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or

(d) facilitates abusing children online or

(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:

Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bonafide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[Section 67 C] [Preservation and Retention of information by intermediaries]:

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Critique: This provision adequately protects both the corporate and the citizen in a positive way.

Section 69 [Powers to issue directions for interception or monitoring or decryption of any information through any computer resource] amended vide Information Technology Amendment Act 2008 reads as under:

(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be

intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.

(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to –

(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

(b) intercept or monitor or decrypt the information, as the case may be; or

(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.

[ Section 69B] Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security:

(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.

(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.

(4) Any intermediary who intentionally or knowingly contravenes the provisions of subsection

(2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Explanation: For the purposes of this section,

(i) "Computer Contaminant" shall have the meaning assigned to it in section 43

(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.

Critique: Though we recognize how important it is for a government to protect its citizens against cyberterrorism, we are concerned at the friction between these provisions and the guarantees of free dialog, debate, and free speech that are Fundamental Rights under the Constitution of India.

Specifically:

a) there is no clear provision of a link between an intermediary and the information or resource that is to be monitored.

c)the penalties laid out in the clause are believed to be too harsh, and when read in conjunction with provision 66, there is no distinction between minor offenses and serious offenses.

e) the ITA is too broad in its categorization of acts of cyberterrorism by including information that is likely to cause: injury to decency, injury to morality, injury in relation to contempt of court, and injury in relation to defamation.

Section 72 [Breach of confidentiality and privacy] amended vide Information Technology Amendment Act 2008 reads as under:

Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuant of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

[Section 72 A] Punishment for Disclosure of information in breach of lawful contract (Inserted vide ITAA-2008):

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.

General Notes and Critiques:

As general notes on the ITA and data protection we find that the Act is lacking in many ways, including:

there is no definition of “sensitive personal data or information” and that term is used indiscriminately without.
the provisions and protections cover only electronic data and not stored data or non-electronic systems of media
in the absence of a data controller, liability is often imposed on persons who are not necessarily in a position to control data
civil liability for data breach arises where negligence is involved
criminal liability only applies to cases of information obtained in the context of a service contract.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-ita2008

Cyberattacks a significant threat to democracy: Modi

Admin — 2017-11-24T13:29:17Z

We have to ensure that cyberspace does not become a playground for dark horses of radicalism, says PM Narendra Modi at the fifth Global Conference on Cyber Space in Delhi.

The article by Komal Gupta was published in Livemint on November 24, 2017.

Prime Minister Narendra Modi on Thursday said creating a safe and secure cyberspace is on the primary agenda of the government as cyberattacks were a threat to democracy.

Modi’s assurance of decisively dealing with cyberattacks comes at a time when policymakers are making an unprecedented push to popularize digital transactions and cut down use of cash in order to have a more transparent and accountable economic environment. The government is at present working on a draft policy for tackling ransomware, a malicious software.

“We have to ensure that cyberspace does not become a playground for dark horses of radicalism,” Modi said, while inaugurating the fifth Global Conference on Cyber Space (GCCS) in the national capital.

A total of 50 incidents of cyberattacks affecting 19 financial organizations were reported from 2016 until June 2017, PTI reported in August.

With multiple cyberattacks affecting key infrastructure assets like ports and major payment companies recently, the government has decided to come out with a draft policy for tackling ransomware, a senior government official told Mint during the conference. “CERT-In (The Indian Computer Emergency Response Team) is working on a draft policy for tackling ransomware which will be put up for consultation by various stakeholders, including organized enterprise users of IT (Information Technology), solution providers and internet service providers (ISPs),” Ajay Kumar, additional secretary in the ministry of electronics and information technology said.

Kumar said the draft policy will focus on the proprietary steps the country will take in case of a ransomware attack. This will include the steps for the sharing of information to try and restrict the loss as much as possible. A centre of excellence will be set up to find solutions to attacks or neutralise the malware, he added.

The need to set up a safe and secure cyberspace is one the major concerns of the government as it is moving to create a ‘less-cash’ economy. Earlier this year, the government announced the “DigiDhan Mission” to achieve a 25 billion digital transactions target, outlined in the Union budget for this fiscal.

Modi said empowerment through digital access is the aim of the government and digital technology has saved around $10 billion so far by eliminating middlemen.

The MyGov platform is a prime example of how technology strengthens offices. PRAGATI has resulted in faster governance decisions through general consensus, he added.

PRAGATI (Pro-Active Governance And Timely Implementation) is an interactive platform aimed at addressing the common man’s grievances and monitoring and reviewing programmes and projects of the central and state governments.

Umang stands for Unified Mobile Application for New-age Governance. It provides all pan India e-Gov services ranging from central to local government bodies and other citizen-centric services like Aadhaar and Digilocker on one single platform or mobile app.

Modi said, “the app will provide over hundred citizen-centric services. It will automatically add pressure among peers and result in a better performance.”

Law and IT minister Ravi Shankar Prasad, speaking at the event, said privacy of individuals was of utmost importance but “privacy cannot withhold innovation.” He further said the citizens’ right of accessing the internet is “non-negotiable” and the government will not allow any company to restrict people’s entry to the worldwide web.

Speaking on Facebook’s Free Basics programme, Prasad said the government did not allow social networking giant’s programme because it offered access to select internet services. Facebook had introduced its Free Basics programme in India in 2015 to offer free basic internet access to people in partnership with telecom operators. Prasad said the idea behind Free Basics was that everything will be free, namely eduction, health, entertainment and others, if one enters the Net through one gate (Facebook’s).

“I said India is a democracy, we don’t believe in one gate. We believe in multiple gates. Therefore, this gate locking for India will not be accepted and I did not allow it. This stems (from) our commitment that internet must be accessible to all,” he added.

Sri Lankan Prime Minister Ranil Wickremesinghe, who was present at the event, said there was no legal framework on cyberspace and he hoped the conference would lead to a consensus to finalize the terms of the framework. “Our government has a lot more to do in net neutrality but we have taken progressive and revolutionary step in this regard,” added Wickremesinghe.

Wickremesinghe is on a four-day visit to India with the aim of boosting bilateral ties.

On the first day of the conference, India agreed to establish a joint working group with Iran to work in different IT areas.

India will provide technical advice to Mauritius for setting up the digilocker infrastructure. An MoU has been signed with Denmark for future cooperation in the IT sector.

“While a policy on ransomware is welcome, there is much more to be done. Implementation of the 2014 National Cybersecurity Policy has been very slow. Even the simplest bits, such as a secure process for receiving vulnerability disclosure has been lacking,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.

PTI contributed to this story.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-24-2017-komal-gupta-cyberattacks-a-significant-threat-to-democracy-modi

Cyber-Security in the Age of Smart Manufacturing

Admin — 2018-10-02T00:23:45Z

Arindrajit Basu attended the event 'Cyber-security in the age of Smart Manufacturing.' The event 'BTS - CyberComm 2018' was organised by the Federation of Indian Chamber of Commerce & industry (FICCI) in association with Karnataka Innovation and Technology Society, and Government of Karnataka at The Lalit Ashok, Bengaluru on September 26, 2018.

The event was aimed at understanding the cyber security threats revolving around Industry 4.0 and smart manufacturing. The speakers included Mr. Gaurav Gupta, Principal Secretary, IT, BT and S&T Department, Government of Karnataka;Mr. Sanjay Mujoo, Vice President, Pointnext Global Centre Bangalore, Hewlett Packard Enterprise, India;Mr. Yogesh Andlay, Founder, Nucleus Software & Polaris Financial Technology and Mr. Ambrish Bakaya, Co-Chair, ICT and Digital Economy Committee FICCI.

Apart from discussing how to cover the threat vectors as businesses increasingly become digitised and use digital supply chains,the event was also useful in terms of obtaining an understanding of how the Karnataka government is approaching the digital ecosystem. The Centres of Excellence aim to bring on board academics, industry bodies and practitioners to develop best practices. FICCI, which was co-hosting this event indicated that they will continue to work with the government to further this agenda.

For more details visit https://cis-india.org/internet-governance/news/cyber-security-in-the-age-of-smart-manufacturing

Cyber security, surveillance and the right to privacy: country perspectives

praskrishna — 2013-01-23T12:10:23Z

This blog post is fourth in a series of eight blog posts to report on the “Third South Asian Meeting on the Internet and Freedom of Expression” recently concluded in Dhaka, Bangladesh.

This post was published in the Internet Democracy Project Website on January 22, 2013. All the blog posts in this series are written by Richa Kaul Padte, the official rapporteur at the meeting.

'The best way to protect people’s rights is to enable people to protect their rights themselves' – Chinmayi Arun

Pranesh Prakash, CIS India	Opening the session on cyber security, surveillance and privacy, moderator Pranesh Prakash from the Centre for Internet and Society (India) frames the debate by talking about how the principles raised by discussions on security, privacy and surveillance are always in tension with each other. ‘The boundaries that have been drawn in a pre-digital era don’t apply online always [and] the classic model of state-controlled surveillance is not as relevant [today].’

Taking forward the discussion by setting both a global and national framework around the issue, Assistant Professor at the Delhi-based National Law University Chinmayi Arun brings to light the ways in which cyber security is consistently tabled on several global agendas; however, with little to no meaningful parallel discussions around the right to privacy. She also connects the idea of surveillance to notions of censorship vis a vis freedom of expression, and poignantly states: ‘surveillance is a lot more insidious than censorship – [so much] more can take place before people realise it is happening.’ Prakash furthers this idea in his transition between country perspectives by highlighting the ways in which surveillance measures are already established and heavily pervasive, with both Prakash and Arun advocating greater transparency in areas where these measures are in place. As Arun says, ‘it’s not true that every instance of surveillance needs to be secret until it’s done’, and distinguishing between necessary surveillance measures (in the case of crime investigations, for example) and those that position all people as criminals who must be monitored, is key to taking the discussion forward.

Chinmayi Arun, National Law University Delhi, India

Mohammed Nazmuzzaman Bhuian, Dhaka University

Mohammad Nazmuzzaman Bhuian, an Associate Professor from the University of Dhaka, opens a Bangladeshi country perspective with the question, ‘how does a cyber security act become a surveillance act?’ A cyber crime refers to any crime that involves a computer or a network, and the crimes under this can play out in two ways. The computer itself may be a target, or it may be used to carry out a crime. It is when it is used to carry out a crime that the question of online surveillance arises

Offering another perspective from Bangladesh, Head of the Centre for IT Security and Privacy and Assistant Professor, University of Asia Pacific, Mohammad Shahriar Rahman, discusses the manipulation of security and surveillance laws by the State in order to create greater security for itself. He cites the ban of YouTube in the country in response to a US-produced video ridiculing the Prophet Mohammed and the attacks on bloggers who have advocated for free speech on the Internet, including speech that may be anti-authoritarian or anti-religious. These examples echo Mariyath Mohamed’s perspectives on the interplay between religion, politics and censorship from the previous session, which clearly resound through many South Asian countries.

Mohammad Shahriar Rahman, University of Asia Pacific, Bangladesh

Kailash Prasad Neupane, Nepal Telecommunications Authority	Perspectives from Nepal, offered by speaker Kailash Prasad Neupane from the Nepal Telecommunications Authority, highlight the acute similarities between the laws in different South Asian countries, which all position the freedom of expression as ‘subject to certain restrictions’, where the subjectivity of the clause tends to be interpreted by a powerful and majority State against its minority citizens, thus undermining both democracy and citizens’ rights. As Rahman says, ‘if the government wants to be seen as democratic in these times, they need to realise you can’t jail everyone who is critical of the Prime Minister.’

Speaking from the floor, Bishakha Datta, from Mumbai-based women’s media organisation Point of View, expands on the speakers’ views by highlighting the ways in which, given the extensive measures of State security and surveillance, societies themselves become structured around a culture of surveillance that citizens in turn internalise and see as a necessary part of their lives. She asks, ‘when we talk about the right to privacy, are we saying that we are willing to accept surveillance as long as our privacy is maintained, or are we opposing it on the grounds of privacy?’ Echoing Prakash’s idea that ‘the way in which security and privacy are portrayed as being at loggerheads is false’, Arun responds to Datta by advocating privacy as the starting point for all discussions surrounding security. In summary she states, ‘we must underline our right to privacy,and that right must always dominate. One must always start with that right, and then narrow the circumstances in which, only when it is absolutely necessary and to the extent absolutely necessary, it may be violated.’ And it is through this consistent demand for the right to privacy, and the placing of citizens and individuals (rather than the interests of the State) at the heart of these conversations, that we can see security and privacy as co-existing notions that work to ensure, rather than suppress, freedom of expression.	Bishakha Datta, Point of View, India

For more details visit https://cis-india.org/news/internet-democracy-richa-kaul-padte-jan-22-2013-cyber-security-surveillance-and-the-right-to-privacy

Cyber security tips for small businesses

Theres Sudeep — 2019-12-05T23:35:59Z

It is important to have good cyber security practices, experts recommend.

The article by Theres Sudeep was published in the Deccan Herald on December 1, 2019. Arindrajit Basu was quoted.

Many times small businesses don’t allocate any of their budgets to cybersecurity. This is due to the common misconception that it’s only larger companies and governments that need to worry about attacks by hackers and the like.

This is not the case as Arindrajit Basu of The Centre for Internet and Society explains, “The kind of risks that smaller players are vulnerable to may not be on the scale of threats that larger companies encounter, but it is equally important for them to have good cybersecurity practices,” he says.

Phishing, an attempt to obtain sensitive information by disguising oneself as a trustworthy entity, and ransomware, a type of malware that threatens to publish the victim’s data or block access to it unless a ransom is paid, are the two most common kinds of attacks on small business according to Basu.

He adds that many hackers see small businesses as an easy way into a larger network. Once the smaller nodes are breached, they can easily get to the bigger players on the network.

Bengaluru, the startup capital of the country, has many such small businesses that need to better their cybersecurity practices.

The first and foremost step recommended by Basu is to create a strategy within your business plan and revise it periodically. This must include employee training and guidelines on what to if there is a breach.

Apart from this owners and employees are advised to routinely change passwords and back up their data on a device that doesn’t connect to the internet.

Owners are also advised to monitor access to admin accounts.

Many small businesses and startups don’t have offices of their own, which means employees end up working at a cafe or the like.

When working at these venues, make sure to carry your own WiFi or use the hotspot from your phone. Open WiFi networks are vulnerable to attacks.

Basu concludes by saying that small businesses must be periodically audited by an independent cybersecurity firm.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-december-1-2019-theres-sudeep-cyber-security-tips-for-small-businesses

Cyber Security Summit 2015

praskrishna — 2015-12-16T02:10:24Z

The Government of Karnataka in association with Biz Wingz Production House organized this Summit on November 27, 2015 at JW Marriott, Bangalore from 10.30 a.m. to 5.30 p.m. Sunil Abraham was a panelist.

Cloud-based applications are often the darling of the CFO and the nemesis of the CISO & CIOs. How can an organization migrate to the cloud, thus relinquishing control, but still maintain security? Are we sacrificing security and robustness in exchange for other priorities? How do ‘Snowden’ disclosures change the legal and risk nature of cloud decision making and governance? What can proactive cloud providers do to capture the opportunity in the disruption? The panel explored these topics and more to provide the cutting edge thinking and perspectives you need to shape your own cloud strategies in ways that balance multiple priorities.

Panelists

Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance & Chief Operational Risk Officer India
Sunil Abraham, Executive Director, Centre for Internet and Society
Atul kumar, GM IT, Syndicate Bank
Lopa Mudra Basu, AVP & Head of Enterprise Security & Risk Governance, SLK Global
Sagar Karan, Chief Information Security Officer, Fullerton India Credit Co. Ltd.
R Vijay, CISO –Technology, Mahindra & Mahindra Financial Services Limited
Sanjivan S Shirke, Senior Vice President-Information Technology, Head -Information Security, UTI Asset Management Company Limited.
Sanjay Sahay, IPS, ADGP, Grievances & Human Rights, Police Dept, Govt of Karnataka (moderator).

More information about this event

For more details visit https://cis-india.org/internet-governance/news/cyber-security-summit-2015

Cyber Security Policy Research

praskrishna — 2015-10-16T16:47:12Z

Tim Maurer will give a presentation on cybersecurity policy research at the Centre for Internet & Society's New Delhi office on October 18, 2015, from 2 p.m. to 5 p.m. Geetha Hariharan and Sunil Abraham will participate in this event.

Tim Maurer's talk will give an outline of the definitional issues involved, the various threats to the confidentiality, integrity, and availability of information and underlying infrastructure, the actors involved and international efforts to address cybersecurity. The talk will also provide an overview of existing and ongoing cyber security policy research.

Tim Maurer

Tim Maurer is an associate at the Carnegie Endowment for International Peace. His work focuses on cyberspace and international affairs, with a concentration on global cybersecurity norms, human rights online, Internet governance, and their interlinkages. He is writing a book on cybersecurity and proxy actors.

Maurer serves as a member of the Research Advisory Network of the Global Commission on Internet Governance, the Freedom Online Coalition’s cybersecurity working group “An Internet Free and Secure,” and co-chaired the Civil Society Advisory Board of the Global Conference on CyberSpace. In 2014, he developed the Global Cyber Definitions Database for the chair of the OSCE to support the implementation of the OSCE’s cyber confidence-building measures. In 2013 and 2014, Maurer spoke about cybersecurity at the United Nations in New York and Geneva and co-authored “Tipping the Scale: An Analysis of Global Swing States in the Internet Governance Debate,” published by the Global Commission on Internet Governance. His work has also been published by Jane’s Intelligence Review, TIME, Foreign Policy, CNN, Slate, and other academic and media venues.

Prior to joining Carnegie, Maurer was the director of the Global Cybersecurity Norms and Resilience Project at New America and head of research of New America’s Cybersecurity Initiative. He also gained experience with the United Nations in Rwanda, Geneva, and New York focusing on humanitarian assistance and the coordination of the UN system.

For more details visit https://cis-india.org/internet-governance/events/cyber-security-policy-research

Cyber Security of Smart Grids in India

Elonnai Hickok and Vanya Rakesh — 2016-04-28T15:34:17Z

An integral component of the ambitious flagship programme of the Indian Government- Digital India, which paves way for a digital data avalanche in the country, is a well-designed digital infrastructure ensuring high connectivity and integration of services, the potential areas being smart cities, smart homes, smart energy and smart grids, to list a few. Likewise, the 100 Smart Cities Mission envisions changing the face of urbanization in India, to manage the exponential growth of population in the cities by creating smart cities with ICT driven solutions, along with big data analytics. Smart grid technologies are key for both these schemes.

The article by Elonnai Hickok and Vanya Rakesh was published by Dataquest on April 25, 2016

Smart grid is a promising power delivery infrastructure integrated with communication and information technologies which enables monitoring, prediction and management of energy usages. Establishment of smart grids becomes highly important for the Indian economy, as the present grid losses are one of the highest in the world at upto 50% and costing India upto 1.5% of its GDP. India operates one of the largest synchronous grids in the world – covering an area of over 3 million sq km, 260 GW capacity and over 200 million customers with the estimated demand of India increasing 4 times by the year 2032.

In the year 2013, the Ministry of Power (MoP), in consultation with India Smart Grid Forum and India Smart Grid Task Force released a smart grid vision and roadmap for India, a key policy document aligned to MoP’s overarching objectives of “Access, Availability and Affordability of Power for All”. It lays plans for a framework to address cyber security concerns in smart grids as well. To achieve goals envisaged in the roadmap, the Government of India established the National Smart Grid Mission in the year 2015 for planning, monitoring and implementation of policies and programs related to Smart Grid activities.

A number of smart grid projects have been introduced, and are currently underway. KEPCO in Kerala has established smart meter/intelligent power transmission and distribution equipment system in the year 2011 and the smart grid operations focus on peak reduction, load standardization, reduction in power transmission/distribution loss, response to new/renewable energy and reduction in black-out time. Gujarat was introduced to India’s first modernized electrical grid in the year 2014, to study consumer behaviour of electricity usage and propose a tariff structure based on usage and load on the power utility by installing new meters embedded with SIM card to monitor the data. The Bangalore Electricity Supply Company Ltd. (BESCOM) project in Bangalore envisaged the Smart Grid Pilot Project for integration of renewable and distributed energy resources into the grid, which is vital to meet growing electricity demands of the country, curb power losses, and enhance accessibility to quality power.

Cybersecurity challenges

At the same time, the introduction of a smart grid brings with it certain security risks and concerns, particularly to a nation’s cyber security. Increased interconnection and integration may render the grids vulnerable to cyber threats, putting stored data and computers at great risk.With sufficient cyber security measures, policies and framework in place, a Smart Grid can be made more efficient, reliable and secure as failure to address these problems will hinder the modernization of the existing power system. Smart Grids, comprising of numerous communication, intelligent, monitoring and electrical elements employed in power grid, have a greater exposure to cyber-attacks that can potentially disrupt power supply in a city.

Cyber security and data privacy are some of the key challenges for smart grids in India, as establishment of digital electricity infrastructure entails the challenge of communication security and data management. Digital network and systems are highly prone to malicious attacks from hackers which can lead to misutilisation of consumers’ data, making cyber security the key issue to be addressed. Vulnerabilities allow an attacker to break a system, corrupt user privacy, acquire unauthorized access to control the software, and modify load conditions to destabilize the grid. Hackers or attackers, who compromise a smart meter can immediately alter their energy costs or change generated energy meter readings to monetize it by help of remote PCs. Also, inserting false information could mislead the electric utility into making incorrect decisions about the local usage and capacity.

Initiatives in India

As cybersecurity is critical for Digital India and the Smart City Concept note highlights a smart grid to be resilient to cyber attacks, a National Cyber Coordination Centre is being established by the Indian Government. Also, National Cyber Safety and Security Standards has been started with a vision to safeguard the nation from the current threats in the cyberspace, undertaking research to understand the nature of cyber threats and Cyber Crimes by facilitating a common platform where experts shall provide an effective solution for the complex and alarming problems in the society towards cyber security domain. Innovative strategies and compliance procedures are being developed to curb the increasing complexity of the Global Cyber Threats faced by countries at large.

The National Cyber Security Policy 2013 was released with an umbrella framework for providing guidance for actions related to security of cyberspace, by the Department of Electronics and Information Technology (DeitY). The Working Group on Information Technology established under the Planning Commission has also published a 12 year plan on IT development in India with a road map for cyber security, stating six key priority and focus areas for cyber security including:Enabling Legal Framework ; Security Policy, Compliance and Assurance; Security R&D; Security Incident – Early Warning and Response ; Security awareness, skill development and training, and Collaboration.

In case of Bangalore, to ensure smooth implementation of BESCOM’s vision, the company realised the need to put a cyber-security system in place to protect the smart grid installations in Bangalore city. To ensure security, BESCOM has come out with a separate IT security policy and dedicated trained IT cadre to safeguard its data and servers, becoming one of the few Discoms in India to take such measures for safeguarding the servers and data network from cyber crimes and threats.

Way forward

An electric system like Smart grids has enormous and far-reaching economic and social benefits. However, increased interconnection and integration tends to introduce cyber-vulnerabilities into the grid. With the evolution of cyber threats/attacks over time, it can be said that there are a lot of challenges for implementing cyber security in Indian smart grid. Considering importance of secure smart grid networks for flagship projects in India, the existing regulatory framework does not seem to adequately take into consideration the cyber security implications.

In light of this, the government must aim to develop and adopt high level cybersecurity policy to withstand cyber-attacks. Also, India must focus on skills development in this domain and have a capable workforce to achieve the targets set by Indian Government. The country must look up to develop an overall intelligence framework that brings together industry, governments and individuals with specific capabilities for this purpose.

The National Cyber Security Policy 2013, protecting public and private infrastructure from cyber attacks, along with all kinds of information, such as personal information of web users, banking and financial information,etc. is yet to be implemented by the Government properly. In the Indian Power sector, the cyber security regulations or mandates are absent in the National Electricity Policy (NEP) as well as the Electricity Act 2003 and its amendment in 2007, with no reference to cyber security concerns. These key legislations must be amended to take into account the growing challenges due to increased use of ICT in the power sector.

As the concept of smart grids is still evolving in India, professional intervention from various domains has pushed for adoption and development of standard process and products. Many international standard setting organisations like IEC, IEEE, NIST, CENELEC are engaged in standardization activities of Smart Grids and in India, the Bureau of Indian Standards (BIS) has been rolling out several varieties of standards targeting various technologies. Therefore, BIS must develop standards taking into account the security challenges in the cyberspace as well.

Apart from policy and regulatory measure, the system on which the smart grids are built and networked must be made architecturally strong and secure.One of the areas where due attention is required is making the Supervisory Control and Data Acquisition (SCADA) secure, a system that operates with coded signals to provide control of remote equipment and is entirely based on computer systems and network. Numerous systems also employ the Public Key Infrastructure (PKI) to secure the Smart Grids and address the security challenges by enabling identification, verification, validation and authentication of connected meters for network access. This can be leveraged for securing data integrity, revenue streams and service continuity. The key vulnerable areas prone to cyber attacks on information transmission are network information, data integrity and privacy of information. The information transmission networks must be well-designed as the network unavailability may result in the loss of real-time monitoring of critical smart grid infrastructures and power system disasters.

Addressing these fast growing challenges and cyber security needs of the country by adopting suitable regulatory, policy and architectural steps would help achieve the objectives of Digital India and Smart Cities enabling “Access, Availability and Affordability for All”.

For more details visit https://cis-india.org/internet-governance/blog/dataquest-april-25-2016-vanya-rakesh-and-elonnai-hickok-cyber-security-of-smart-grids-in-india

Cyber Policy Centres Meeting in Sri Lanka

Admin — 2019-01-21T23:50:45Z

Elonnai Hickok, Sunil Abraham and Ambika Tandon participated in this event organized by IDRC in Sri Lanka on January 11 - 14, 2019.

Download the agenda here

See the presentation here

For more details visit https://cis-india.org/internet-governance/news/cyber-policy-centres-meeting-in-sri-lanka

Cyber Policy 2.0

Admin — 2019-08-19T14:18:13Z

National Law University organized an executive education program in Bangalore on August 17, 2019. Arindrajit Basu was a speaker. He spoke on Deconstructing the India regulatory approach to data governance and cyber security.

For more details about the program, click here

For more details visit https://cis-india.org/internet-governance/news/cyber-policy-2.0

Cyber law experts asks why CERT-In removed advisory warning about WhatsApp vulnerability

Megha Mandavia — 2019-11-15T00:48:00Z

On the missing web page note, CERT-In had provided a detailed explanation of the vulnerability, which could be exploited by an attacker by making a decoy voice call to a target.

The article by Megha Mandavia was published in ET Tech.com on November 4, 2019. Pranesh Prakash was quoted.

Cyber law experts have asked the government to explain why the Indian computer emergency response team (CERT-In) removed from its website two days ago an advisory it had put out in May warning users of a vulnerability that could be used to exploit WhatsApp on their smartphones.

“This is merely further evidence that the explanation is to be provided by GoI (Government of India) instead of blame shifting and politicizing the issue,” said Mishi Choudhary, the legal director of the New York-based Software Freedom Law Center. “India is a surveillance state with no judicial oversight.”

On the missing web page note, CERT-In had provided a detailed explanation of the vulnerability, which could be exploited by an attacker by making a decoy voice call to a target.

It had warned WhatsApp users that the vulnerability could allow an attacker to access information on the system, such as logs, messages and photos, and could further compromise it. CERT-In rated the severity “high” and asked users to upgrade to the latest version of the app.

It also listed links to hackernews and cyber security firm Check Point Software that pointed to the alleged involvement of Israeli cyber software firm NSO Group in the hacking of WhatsApp messenger.

CERT-In Director-General Sanjay Bahl did not respond to ET’s mails or calls seeking clarity on why the advisory was pulled from its website.

The Times of India reported first the development.

The government had blamed WhatsApp for not informing it about the attack and asked the Facebook-owned company to respond by November 4.

In response, WhatsApp sources pointed out that it had informed CERT-in in May about the vulnerability and updated in September that 121 Indian nationals were targeted using the exploit, ET reported on Sunday.

“We should not read too much into it. It could just be bad website management. The vulnerability was public knowledge. It was reported by the Common Vulnerabilities and Exposures (CVE) organization in May,” said Pranesh Prakash, fellow at the Centre of Internet and Society, a non-profit organisation.

The government has also questioned the timing of the disclosure, as it comes amid a request by it to the Supreme Court seeking three months to frame rules to curb misuse of social media in the country.

The government has categorically told WhatsApp that it wants the platform to bring in a mechanism that would enable tracing of the origin of messages, a demand that the instant messaging platform has resisted citing privacy concerns.

For more details visit https://cis-india.org/internet-governance/news/et-tech-megha-mandavia-november-4-2019-cyber-law-experts-asks-why-cert-in-removed-advisory-warning-about-whatsapp-vulnerability

Cyber experts suggest using open source software to protect privacy

praskrishna — 2013-07-03T04:32:48Z

Big Brother is watching. With the Central Monitoring System (CMS) at home and PRISM from the US, millions of users worldwide have become vulnerable to online surveillance by state agencies without even realizing it. No surprise, several cyber security experts feel that building one's own personal firewall is a good way of fortifying online privacy.

The article by Kim Arora was published in the Times of India on June 22, 2013. Sunil Abraham is quoted.

One enterprising netizen has compiled a list of services, from social networks to email clients, and even web browsers, that offer better protection from surveillance. They are listed on a web page called prism-break.org.

When asked about steps that a digital native can take to protect his privacy and online data, Sunil Abraham, executive director of Bangalore-based non-profit Center for Internet and Society said, "Stop using proprietary software, shift to free/open source software for your operating system and applications on your computer and phone. Android is not sufficiently free; shift to CyanogenMod. Encrypt all sensitive Internet traffic and email using software like TOR and GNU Privacy Guard. Use community based infrastructure such as Open Street Maps and Wikipedia. Opt for alternatives to mainstream services. For example, replace Google Search with DuckDuckGo."

Use of licensed or proprietary software, which bind users legally when it comes to use and distribution, seems to be losing favour among an informed niche. While alternative software cannot offer absolute protection, it is being seen as a "better-than-nothing" option. Anonymisers like TOR, though also not entirely foolproof, are also a popular option among those who wish to keep their web usage untraceable. Once installed on a browser, anonymisers can hide the route that digital traffic takes when sent from your computer over a network before emerging at an end node.

There is one caveat, though. Some websites can deny service to users operating on certain anonymising networks. Also, anonymisers are known to reduce browsing speeds. In India, where broadband speeds are already abysmally low, anything that slows one down even further would find popularity hard to come by.

Computer and network security expert Aseem Jakhar too recommends open source software since they offer the convenience of customization to suit one's encryption needs and are able to verify the source code. For laypersons, there are other tools. "One can use anonymisers like TOR which encrypt your communication and hide your identity. With these it becomes very difficult to exactly locate the source. For email clients, it is best to use ones that offer end-to-end strong encryption," he says. Jakhar, co-founder of open security community "null", also recommends the use of customized and Linux systems for more advanced users. Default Linux distributions, he points out, may have free online services which can again be analysed by the governments.

The home-bred CMS programme seeks to directly procure data pertaining to call records and internet usage for intelligence purposes without going through telecom service providers. There were fears of abuse when information about the programme, kept under strict wraps by the government, trickled in. Department of Telecom and Ministry of IT and Communication have been reticent about the state of implementation of the 400-crore rupees programme.

PRISM, a similar, international monitoring programme mounted by the US and revealed to the world by the US National Security Authority whistleblower Edward Snowden, has raised concerns of safeguarding digital information the world over.

For more details visit https://cis-india.org/news/times-of-india-june-22-2013-kim-arora-cyber-experts-suggest-open-source-software-to-protect-privacy

Cyber experts say 'playground open' for influencing elections

Admin — 2018-05-03T03:17:33Z

Cyber experts said that under the provisions provided by 43 (A) of Indian IT Act, two types of data collection are completely legal: first, the data shared by the user in the public domain and secondly, the data published by the social platforms, like Facebook.

This article was published in the Economic Times on May 2, 2018. Sunil Abraham was quoted.

With the Karnataka Assembly elections round the corner, the cyber experts have said that it is quite possible to influence elections in India.

Talking to ANI, cyber expert Sunil Abraham did not rule out the possibility of influencing the voters as India does not have data protection law in place.

He said under the provisions provided by 43 (A) of Indian IT Act, two types of data collection are completely legal: first, the data shared by the user in the public domain and secondly, the data published by the social platforms, like Facebook and Twitter, which was shared by the user for his/her friends.

"Both these types of data are not considered sensitive personal data. Under Indian law, if they are collecting your biometrics, passwords and health information only then they need your consent," Abraham told in an exclusive interview.

Replying a question about the chances of political parties influencing elections, Abraham said, "One cannot answer this question with a clear yes or no. But, the more a political party has in its database about you; the more they can micro-target you for various types of advertising."

He, however, said with the literacy level of Indian internet users, the chances are high that they can be manipulated.

"Once they do this, especially in a country where 30 percent of the public is illiterate and only 10 percent of public knows English and many-many users have just come online, there is a high chance that these users can be manipulated," the cyber expert said.

When asked can it be termed influence, he said, "It will definitely be an influence. Most of the internet users in India have just come online, they don't have media literacy; they have not consumed older technologies like television and broadcast media like radio sufficiently enough so it is easy for these users to get fooled by the content that is propaganda and fake news etcetera."

Abraham said it is unlikely that India will have a data protection law before 2019 general elections, which means the playground is open for people with a clever idea to manipulate voters.

"India is working on data protection laws from last eight years. With the existing laws; all the political parties, social media companies, and search engine optimization companies etcetera can do what they want and they won't get into trouble. So, it is very unlikely that this data protection law is going to be approved by Parliament the 2019 elections. So for the 2019 elections, it is going to be very exciting times because anybody who has any clever idea when it comes to manipulating voters, they will definitely try it. Because, there is no law to stop them from trying those tricks," the cyber expert said.

Replying to another question about India's position in data security, he said, 'India is lagging as per the global trend across the world. The European Union's world-class data protection law called 'General Data Protection Regulation' is being followed by all the countries with the exception of the US. About 108 countries have the data protection laws which look similar to the EU's General Data Protection Regulation."

He, however, added, "We shouldn't be upset because making a law in a big country like India takes time. Shri Krishna Committee is going to present the draft of the Indian data protection law and hopefully, within one or two years India will have data protection law."

Another expert Shubhamangala Sunil told ANI that "In India, our data is not secure today. Be it politicians or businesses, they want the database of people. Many data breaches have already happened and they are being used for different propagandas".

She said the union government and state governments should come forward and tell people about data security measures instead of people complaining about the data breach.

She also said India is at least 10 years behind in comparison with the world in the cyber security domain.

The comments of the experts have come in the backdrop of recently data breach in the Facebook wherein its CEO Mark Zuckerberg faced US Congress for two days over the data theft. The Facebook-Cambridge Analytica data scandal involves the collection of personally identifiable information of up to 87 million Facebook users and almost certainly a much greater number that Cambridge Analytica began collecting in 2014.

For more details visit https://cis-india.org/internet-governance/news/economic-times-may-2-2018-cyber-experts-say-playground-open-for-influencing-elections