The Centre for Internet and Society
https://cis-india.org
Pre-Budget Consultation 2016 - Submission to the IT Group of the Ministry of Finance
https://cis-india.org/openness/pre-budget-consultation-2016-submission-to-the-ministry-of-finance
<b>The Ministry of Finance has recently held pre-budget consultations with different stakeholder groups in connection with the Union Budget 2016-17. We were invited to take part in the consultation for the IT (hardware and software) group organised on January 07, 2016, and submit a suggestion note. We are sharing the note below. It was prepared and presented by Sumandro Chattapadhyay, with contributions from Rohini Lakshané, Anubha Sinha, and other members of CIS.</b>
<p>It is our distinct honour to be invited to submit this note for consideration by the IT Group of the Ministry of Finance, Government of India, as part of the pre-budget consultation for 2016-17.</p>
<p>The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. We receive financial support from Kusuma Trust, Wikimedia Foundation, MacArthur Foundation, IDRC, and other donors.</p>
<p>We have divided our suggestions into the different topics that our organisation has been researching in the recent years.</p>
<h3>Free/Libre and Open Source Software (FLOSS) is the Basis for Digital India</h3>
<p>We congratulate the government on the policies it has introduced to promote the use of free/libre and open source software and of open APIs for all e-governance projects and systems. This is crucial not only for the government to avoid vendor lock-in when it comes to critical software systems for governance, but also to ensure that the source code of such systems is available for public scrutiny and does not contain any security flaws.</p>
<p>We request the government to empower the implementation of these policies by making open sharing of source code by all software vendors hired by government agencies a necessary condition for the awarding of tenders. The 2016-17 budget should include special support to make all government agencies aware of and capable of implementing these policies, as well as to build and operate agency-level software repositories (with version control systems) to host the source code. These repositories may function to manage the development and maintenance of software used in e-governance projects, as well as to seek comments from the public regarding the quality of the software.</p>
<p>Use of FLOSS is not only important from the security or the cost-saving perspectives, it is also crucial to develop a robust industry of software development firms that specialise in FLOSS-based solutions, as opposed to being restricted to doing local implementation of global software vendors. A holistic support for FLOSS, especially with the government functioning as the dominant client, will immensely help creation of domestic jobs in the software industry, as well as encouraging Indian programmers to contribute to development of FLOSS projects.</p>
<p>An effective compliance monitoring and enforcement system needs to be created to ensure strong enforcement, across all government agencies, of the 2011 policy to use open source software in governance, including an enforcement task force that checks whether government departments have complied with it.</p>
<h3>Open Data is a Key Instrument for Transparent Decision Making</h3>
<p>With a wider set of governance activities being carried out using information systems, the government is increasingly acquiring a substantial amount of data about governance processes and status of projects that needs to be effectively fed back into the decision making process for the same projects. Opening up such data not only allows for public transparency, but also for easier sharing of data across government agencies, which reduces process delays and possibilities of duplication of data collection efforts.</p>
<p>We request the 2016-17 budget to foreground the National Data Sharing and Accessibility Policy and the Open Government Data Platform of India as two key enablers of the Digital India agenda, and accordingly budget for modernisation and reconfiguration of data collection and management processes across government agencies, so that those processes are made automatic and open-by-default. Automatic data management processes minimise the possibility of data loss by directly archiving the collected data, which is increasingly becoming digital in nature. Open-by-default processes of data management mean that all data collected by an agency, once pre-recognised as shareable data (that is, non-sensitive and anonymised), will be proactively disclosed as a rule.</p>
<p>Implementation of the National Data Sharing and Accessibility Policy has been hindered, so far, by the lack of preparation of a public inventory of data assets, along with the information of their collection cycles, modes of collection and storage, etc., by each union government agency. Specific budgetary allocation to develop these inventories will be crucial not only for the implementation of the Policy, but also for the government to get an extensive sense of data collected and maintained currently by various government agencies. Decisions to proactively publish, or otherwise, such data can then be taken based on established rules.</p>
<p>Availability of such open data, as mentioned above, creates a wider possibility for the public to know, learn, and understand the activities of the government, and is a cornerstone of transparent governance in the digital era. But making this a reality requires a systemic implementation of open government data practices, and various agencies would require targeted budget to undertake the required capacity development and work process re-engineering. Expenditure of such kind should not be seen as producing government data as a product, but as producing data as an infrastructure, which will be of continuous value for the years to come.</p>
<p>As is being discussed globally, open government data has the potential to kickstart a vast market of data derivatives, analytics companies, and data-driven innovation. Encouraging civic innovations, empowered by open government data - from climate data to transport data - can also be one of the unique initiatives of budget 2016-17.</p>
<p>For maximising impact of opened up government data, we request the government to publish data that either has a high demand already (such as, geospatial data, and transport data), or is related to high-net-worth activities of the government (such as, data related to monitoring of major programmes, and budget and expenditure data for union and state governments).</p>
<h3>Promotion of Start-ups and MSMEs in Electronics and IT Hardware Manufacturing</h3>
<p>In line with the Make in India and Digital India initiatives, to enable India to be one of the global hubs of design, manufacturing, and exporting of electronics and IT hardware, we request that the budget 2016-17 focus on increasing the flow of funds to start-ups and Medium and Small-Scale Manufacturing Enterprises (MSMEs) in the form of research and development grants (ideally connected to government, especially defense-related, spending on IT hardware innovation), seed capital, and venture capital.</p>
<p>Generation of awareness and industry-specific strategies to develop intellectual property regimes and practices favourable for manufacturers of electronics and IT hardware in India is an absolutely crucial part of promotion of the same, especially in the current global scenario. Start-ups and MSMEs must be made thoroughly aware of intellectual property concerns and possibilities, including limitations and exceptions, flexibilities, and alternative models such as open innovation.</p>
<p>We request the budget 2016-17 to give special emphasis to facilitation of technology licensing and transfer, through voluntary mechanisms as well as government intervention, such as compulsory licensing and government enforced patent pools.</p>
<h3>Applied Mathematics Research is Fundamental for Cybersecurity</h3>
<p>Recent global reports have revealed that some national governments have been actively involved in sponsoring distortion in applied mathematics research so as to introduce weaknesses in encryption standards used for online communication. Trying to regulate key length or mandating pre-registration of devices using encryption, as suggested by the withdrawn National Encryption Policy draft, would not address this core emerging problem of weak cybersecurity standards.</p>
<p>For effective and sustainable cybersecurity strategy, we must develop significant expertise in applied mathematical research, which is the very basis of cybersecurity standards development. We request the budget 2016-17 to give this topic the much-needed focus, especially in the context of the Digital India initiative and the upcoming National Encryption Policy.</p>
<p>Along with developing domestic research capacity, a more immediately important step for the government is to ensure high quality Indian participation in global standard setting organisations, and hence to contribute to global standards making processes. We humbly suggest that categorical support for such participation and contribution is provided through the budget 2016-17, perhaps by partially channeling the revenues obtained from spectrum auctions.</p>
<p>
For more details visit <a href='https://cis-india.org/openness/pre-budget-consultation-2016-submission-to-the-ministry-of-finance'>https://cis-india.org/openness/pre-budget-consultation-2016-submission-to-the-ministry-of-finance</a>
</p>
No publisher | Author: sumandro | Tags: Open Standards, Open Source, Cybersecurity, Open Data, Intellectual Property Rights, Open Government Data, Featured, Patents, Openness, Open Innovation, Encryption Policy | Date: 2016-01-12T13:34:41Z | Type: Blog Entry
Guest post: Before cyber norms, let’s talk about disanalogy and disintermediation
https://cis-india.org/internet-governance/blog/guest-post-before-cyber-norms-let2019s-talk-about-disanalogy-and-disintermediation
<b>In a guest post in relation to CIS’s recently held roundtable on India’s cyber defense strategy, Pukhraj Singh looks at the critical fissures – at the technical and policy levels – in global normative efforts to secure cyberspace. By charting out the key vectors and power asymmetries among key stakeholders – both leading state actors and private actors like Microsoft – Singh posits that there is much to be done before we circumscribe cyber operations within legal strictures.</b>
<p>By: <strong>Pukhraj Singh</strong><br />Reviewed and Edited by: <strong>Elonnai Hickok, Arindrajit Basu, </strong>and<strong> Karan Saini</strong></p>
<h3 id="docs-internal-guid-91bbb0b3-7fff-f86d-2f0c-43dae1a21a49" dir="ltr">The ongoing decoupling of norms </h3>
<p style="text-align: justify;" dir="ltr">In September 2019, the French ministry of defense <a href="https://www.defense.gouv.fr/content/download/565895/9750877/file/Droit+internat+appliqu%C3%A9+aux+op%C3%A9rations+Cyberespace.pdf">published</a> a document stating its views on the applicability of international law to cyber operations. While it makes an unequivocal espousal of the rules-based order in cyberspace, some of the distinctions made by the paper within the ambit of international law could be of interest to technical experts. </p>
<p style="text-align: justify;" dir="ltr">The document makes two key contributions. First, it <a href="https://www.justsecurity.org/66318/an-overview-of-international-humanitarian-law-in-frances-new-cyber-document/">addresses</a> two modes of power projection within cyberspace: cyber operations acting as a force multiplier in a hot war that is strictly delineated by kinetic and geographical redlines; and below-threshold, single-domain “dematerialized” operations leveraging cyber intrusions. Secondly, the document has made an attempt to gently <a href="https://blog.lukaszolejnik.com/french-application-of-international-rules-to-cyberwarfare/">decouple</a> itself from the Tallinn Manual on some aspects.</p>
<p style="text-align: justify;" dir="ltr">In an unrelated development, Microsoft joined hands with a group of peers within the technology industry, civil society and government to set up the <a href="https://blogs.microsoft.com/on-the-issues/2019/09/26/cyberpeace-institute-fills-a-critical-need-for-cyberattack-victims/">CyberPeace Institute</a> – a private sector initiative to strengthen the rules-based order. </p>
<p style="text-align: justify;" dir="ltr">It is an outcome of the sustained, unrelenting effort of Microsoft in thwarting what it believes to be the unchecked weaponization of cyberspace. Suffering a major reputational loss after the Snowden leaks, the company has <a href="https://www.wired.com/story/us-vs-microsoft-supreme-court-case-data/">gradually cultivated</a> fiercely <a href="https://www.irishtimes.com/business/technology/microsoft-s-brad-smith-talks-privacy-snowden-and-international-law-1.2816460">contrarian</a> <a href="https://www.cyberscoop.com/microsoft-cyber-peace-institute-hewlitt-foundation-brad-smith/">positions</a> on issues like state-enabled surveillance. </p>
<p style="text-align: justify;" dir="ltr">Microsoft’s daring contests and cases against the US government have been intimately recorded in the recently released book <a href="https://news.microsoft.com/on-the-issues/tools-and-weapons/">Tools and Weapons</a>, authored by its chief legal officer Brad Smith.</p>
<p style="text-align: justify;" dir="ltr">Seen through the lens of the future, the aforementioned developments highlight the ongoing readjustment of the legal discourse on cyber operations to account for its incongruous technical dynamics. </p>
<p style="text-align: justify;" dir="ltr">As the structures of cyber power are peeled layer-by-layer, the need to address this technical divergence in the overly legal interpretations of cyber norms would only increase.</p>
<h3 style="text-align: justify;" dir="ltr">Disanalogy & disintermediation</h3>
<p style="text-align: justify;" dir="ltr">Take the case of two fundamental dimensions – disanalogy and disintermediation – which have the potential to alter our understanding of how power is wedded with cyberspace.</p>
<p style="text-align: justify;" dir="ltr">Disanalogy is a logical postulation that challenges the primacy of “reasoning by analogy” using which international law is mapped to cyber conflict. Disintermediation highlights how the power dynamics of cyberspace have disrupted statism. </p>
<p style="text-align: justify;" dir="ltr">Understanding when and how the realization that international law is reasonably applicable to cyber operations dawned upon the international community leads one to an unending maze. It becomes a cyclical process where one set of initiatives only cross-reference the others, in a self-fulfilling sort of way. </p>
<p style="text-align: justify;" dir="ltr">The <a href="https://www.unidir.org/files/medias/pdfs/developments-in-the-field-of-information-and-telecommunications-in-the-context-of-international-security-2012-2013-a-68-98-eng-0-518.pdf">notes</a> of the 2013 session of the United Nations’ Governmental Group of Experts, affirming the sanctity of international law in cyberspace, look like an exercise in teleology. </p>
<p style="text-align: justify;" dir="ltr">Not to be distracted by the deeply philosophical nature of war, Kubo Mačák of the University of Exeter did <a href="https://ccdcoe.org/uploads/2018/10/Art-09-The-Impact-of-the-Development-of-the-Cyber-Law-of-War-on-General-International-Law.pdf">point out</a> that “the unique teleological underpinning of the law of war” should be considered before it is exported to new normative frameworks.</p>
<p style="text-align: justify;" dir="ltr">The deductive process inspired by reasoning by analogy that lies at the heart of the cyber norms discourse has not undergone much scrutiny. </p>
<p style="text-align: justify;" dir="ltr">In his 2013 <a href="https://www.youtube.com/watch?v=NdhhZcDk6aw">talk</a> at NATO’s CCDCOE, Selmer Bringsjord, cognitive sciences professor at the Rensselaer Polytechnic Institute, introduced the idea of disanalogy. Citing the <a href="https://plato.stanford.edu/entries/reasoning-analogy/">general schema of an analogical argument</a>, Bringsjord arrived at a disproof divorcing the source domain (the just war theory for conventional war) and target domain (just war theory for cyberwar). </p>
<p style="text-align: justify;" dir="ltr">He mapped jus in bello in a conventional war across the dimensions of Control, Proportionality, Accessibility, and Discrimination. </p>
<p style="text-align: justify;" dir="ltr">Bringsjord further added that these source attributes would not be evident in the target domain for two reasons: the inevitable digitization of every analog object and its interfaces; and the inherent propensity of artificial intelligence to wage attacks on its own.</p>
<p style="text-align: justify;" dir="ltr">In a supporting <a href="http://kryten.mm.rpi.edu/SB_JL_cyberwarfare_disanalogy_112113IT.pdf">paper</a>, he exhorts that while “Augustine and Aquinas (and their predecessors) had a stunningly long run…today’s world, based as it is on digital information and increasingly intelligent information-processing, points the way to a beast so big and so radically different, that the core of this duo’s insights needs to be radically extended.”</p>
<p style="text-align: justify;" dir="ltr">Celebrated malware reverse engineer Thomas Dullien, too, is of the <a href="https://www.youtube.com/watch?v=BWFdxAG_TGk">opinion</a> that machine learning and artificial intelligence are more suited for cyber offence as it has remained a “stable-in-time distribution.”</p>
<p style="text-align: justify;" dir="ltr">Brandon Valeriano of the Marine Corps University has drawn upon the case of incendiary balloons to <a href="https://www.cfr.org/blog/reasoning-analogy-cyberspace-deadly-balloons-and-avoiding-digital-doom">question</a> the overreliance on reasoning by analogy. Sadly, such viewpoints remain outliers.</p>
<p style="text-align: justify;" dir="ltr">Senior computer scientist David Aucsmith wrote in <a href="https://www.brookings.edu/book/bytes-bombs-and-spies/">Bytes, Bombs and Spies</a> that “one of the major challenges in cyberspace is the disintermediation of government.” He adds that while cyberspace has become the “global center of gravity for all aspects of national power,” it further removes the government from the “traditional functions of safety and security.”</p>
<p style="text-align: justify;" dir="ltr">The commercialized nature of the Internet is obvious to many. But steadily over the years, the private sector has also acquired vast swathes of cyber power in a manner that strangely mirrors the military concepts of counterintelligence, defense and deterrence. </p>
<p style="text-align: justify;" dir="ltr">In Tools and Weapons, Brad Smith recalls a meeting of top technology executives at the White House. As the executives pushed for surveillance reform after the Snowden leaks, Obama defensively retorted that “the companies at the table collectively had far more data than the government.” The “<a href="https://cybersecpolitics.blogspot.com/2016/06/can-google-do-cyber-deterrence.html">signals intelligence</a>” capabilities of <a href="https://www.wsj.com/articles/inside-googles-team-battling-hackers-11548264655">Google</a> and <a href="https://www.youtube.com/watch?v=OpTGFcJXL8g">Microsoft</a> rival that of a nation state. </p>
<p style="text-align: justify;" dir="ltr">Former deputy director of the NSA Chris Inglis writes in Bytes, Bombs and Spies: </p>
<p style="text-align: justify;" dir="ltr">In cyberspace, a small change in configuration of the target machine, system, or network can often negate the effectiveness of a cyber weapon against it. This is not true with weapons in other physical domains…The nature of target-weapon interaction with kinetic weapons can usually be estimated on the basis of physics experimentation and calculation. Not so with cyber weapons. For offensive cyber operations, this extreme “target dependence” means that intelligence information on target characteristics must be precise, high-volume, high-quality, current, and available at the time of the weapon’s use.</p>
<p style="text-align: justify;" dir="ltr">Inglis argues that fielding “ubiquitous, real-time and persistent” intelligence, surveillance and reconnaissance (ISR) frameworks is crucial for mustering the ability to produce cyber effects at a place and time of choosing. </p>
<p style="text-align: justify;" dir="ltr">Daniel Moore of King’s College London broadly <a href="https://ccdcoe.org/uploads/2018/10/Art-05-Targeting-Technology.-Mapping-Military-Offensive-Network-Operations.pdf">categorizes</a> cyber operations into event-based and presence-based.</p>
<p style="text-align: justify;" dir="ltr">The ISR framework envisioned by Inglis pre-positions implants with presence-based operations to make sure that the adversarial infrastructure -- perpetually in a state of flux -- remains primed for event-based operations. Falling prey to an analogy, this is as challenging as a group of river-rafters trying to keep their raft still at one position in a raging torrent of water.</p>
<p style="text-align: justify;" dir="ltr">However, it is worth noting that a major component of such an ISR framework would manifest over privately-owned infrastructure. </p>
<p style="text-align: justify;" dir="ltr">It is exactly why the commercial threat intelligence industry led by the likes of FireEye, Kaspersky and CrowdStrike has flourished the way it has. </p>
<p style="text-align: justify;" dir="ltr">Joe Slowik, principal adversary hunter at Dragos, Inc., <a href="https://pylos.co/2019/09/28/cyber-leviathan/">corroborates</a> it: “An entire ecosystem of defense and security developed within the private space…essentially, private (defensive) ‘armies’ grew up and proliferated in the cyber security space over the course of many years.”</p>
<p style="text-align: justify;" dir="ltr">Jason Healey of Columbia’s School of International and Public Affairs has <a href="https://twitter.com/Jason_Healey/status/1181961759155994624">another way</a> of looking at it: “In counterinsurgency, host nation must take lead & U.S. role is to provide aid & support. USG not seen as legitimate, may lack the local & cultural knowledge, & lack sufficient resources. In cyberspace, the private sector, esp tech & security companies, are the host nation (sic)”.</p>
<p style="text-align: justify;" dir="ltr">Initiatives like the CyberPeace Institute and Cybersecurity Tech Accord are to be seen as emerging geopolitical formations pivoted around the power vacuum created by growing disintermediation.</p>
<p style="text-align: justify;" dir="ltr">While Microsoft avows the applicability of international law, the decreasing technological dependence on it to enforce the rules-based order may herald data-driven normative frameworks solely originating from the private sector.</p>
<p style="text-align: justify;" dir="ltr">Take the specific case of fashionable “black-letter rules” – like barring cyber actors from hacking into adversary’s election infrastructure – variedly promulgated by the <a href="https://www.wired.com/2013/03/the-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare/">Tallinn Manual</a>, <a href="https://www.microsoft.com/en-us/cybersecurity/content-hub/a-digital-geneva-convention-to-protect-cyberspace">Microsoft</a> and <a href="https://cyberstability.org/news/global-commission-introduces-six-critical-norms-towards-cyber-stability/">Global Commission on the Stability of Cyberspace</a>. They could very well act as impediments to the success of the norms process.</p>
<p style="text-align: justify;" dir="ltr">Cyber actors can be divided into various <a href="https://cybersecpolitics.blogspot.com/2016/09/the-chinese-get-real.html">capability tiers</a>: A, B, C or D Teams, etc. Such categorizations could be derived from multiple <a href="https://cybersecpolitics.blogspot.com/2017/08/strategic-plateaus-in-cyber-domain.html">variables</a> like operational structure, concept of operations, capabilities and toolchains, and operating budget. </p>
<p style="text-align: justify;" dir="ltr">In what may sound paradoxical, mindless enforcement of such rules creates an inherently inequitable environment where actors would be compelled to flout them. Targeting and target discrimination are possibly the most expensive components of the cyber offensive toolchain. As intelligence analyst Grugq <a href="https://www.youtube.com/watch?v=wP2J9aYM6Oo">said</a>, “You need a lot of people to have a small numbers of hackers hacking.”</p>
<p style="text-align: justify;" dir="ltr">The ability to avoid a vulnerable target or an attack surface without sacrificing the initiative is a luxury that only an A-team could afford, further disincentivizing smaller players from participating in confidence-building measures.</p>
<p style="text-align: justify;" dir="ltr">In such cases, the private sector could lead the way in the neutral and transparent interpretation of the dynamics and thresholds of power projection in cyberspace. Companies, not countries, have the vantage point and commercial interest to create a level playing field. </p>
<p style="text-align: justify;" dir="ltr">Taking the original case of France’s new dossier on cyber operations, its gradual rollback from the strictly black-and-white world of, say, the Tallinn Manual hints at a larger devolution of legally interpreted cyber operations, influenced by technical incongruities like disanalogy and disintermediation. </p>
<p style="text-align: justify;" dir="ltr">While the said document answers many questions relating to the applicability of international law to cyber operations with uncanny confidence, the devil still lies in the details. </p>
<p style="text-align: justify;" dir="ltr">For example, it talks about creating militaristic cyber effects by altering the confidentiality and availability of data on adversarial systems, but skirts around integrity – as if the three dimensions of data security are not symbiotic. Such picket-fencing may be trying to carefully avoid the legal ambiguity on information operations, post-ICJ US vs Nicaragua. </p>
<p style="text-align: justify;" dir="ltr">Ask any cyber operator, can a cyber operation proceed <a href="https://grugq.github.io/presentations/short%20course.pdf">without sabotaging</a> the integrity of log artifacts or other such stealthy or deceptive maneuvering?</p>
<p style="text-align: justify;" dir="ltr">It also postulates the export of “non-international armed conflict” to the territory of consenting nation states, as if such factors are completely controllable. </p>
<p style="text-align: justify;" dir="ltr">Discussed earlier, a majority of the cyber-ISR frameworks manifest over globally scattered private infrastructure. And almost every layer of the computing architecture is now network-enabled. </p>
<p style="text-align: justify;" dir="ltr">In cyberspace, the ‘territory’ of a nation state expands and contracts in real time. It may exist online as the sum of all the global information flows, across the many millions of interfaces, associated with it at any given moment. The sheer <a href="http://geer.tinho.net/geer.secot.7v14.txt">emergent complexity</a> of this organism has baffled many.</p>
<p style="text-align: justify;" dir="ltr">The adversarial environment fluxes at such a rapid pace that taking “territorial” sanctity into account during an ongoing operation is nigh impossible. This, in fact, is the <a href="https://www.justsecurity.org/67079/top-dod-lawyer-stresses-u-s-compliance-with-the-rule-of-law-in-military-operations/">very premise</a> of Defend Forward.</p>
<p style="text-align: justify;" dir="ltr">The French document is a good attempt at decoupling cyber operations from legal strictures, but it should be seen as the mere beginning of that process.</p>
<h3 style="text-align: justify;" dir="ltr">Cognitive cyber offence</h3>
<p style="text-align: justify;" dir="ltr">Lastly, the complete absence of the cognitive dimension in the norms process is something that should be outrightly addressed. </p>
<p style="text-align: justify;" dir="ltr">Keith Dear, a research fellow at Oxford’s Changing Character of War Program, <a href="https://www.youtube.com/watch?v=Nl_shMx8Yrs">feels</a> that war – as “a continuation of politics by other means” – is essentially persuasive and has predominantly psychological effects. They get aggravated more so by the scale and speed of cyber-enabled behavioral modelling.</p>
<p style="text-align: justify;" dir="ltr">The threat landscape is at a stage where we are going to see the increasing exploitation of <a href="https://www.teachthought.com/critical-thinking/the-cognitive-bias-codex-a-visual-of-180-cognitive-biases/">cyber-cognitive attack surfaces</a> – the cost-benefits are now heavily tilted towards their side. It is like what conventional cyber operations used to be 20 years ago: cheap and easy over scale and speed.</p>
<p style="text-align: justify;" dir="ltr">The cyber norms community only considers the first or second order effects of cyberattacks. The reality is that causation could be separated by many, many degrees – also missing out on the fact that a cyberattack is generally an indiscernible mixture of not just effects, but also perceptions. Every cyber operation could be <a href="https://dl.acm.org/citation.cfm?id=3316742&dl=ACM&coll=DL">deemed</a> as an information operation even after full denouement. </p>
<p style="text-align: justify;" dir="ltr">We have only begun to understand the significance of the cognitive dimension. Leading thinkers like former Secretary of the Navy Richard Danzig had for long proposed perceptive instead of spatial redlines for cyber conflict, aptly capturing its emergent properties.</p>
<p style="text-align: justify;" dir="ltr">His <a href="https://s3.amazonaws.com/files.cnas.org/documents/CNAS_PoisonedFruit_Danzig.pdf?mtime=20161010215746">suggested</a> baseline was: “The United States cannot allow the insecurity of our cyber systems to reach a point where weaknesses in those systems would likely render the United States unwilling to make a decision or unable to act on a decision fundamental to our national security.”</p>
<p style="text-align: justify;" dir="ltr">Danzig’s paradigm neatly fits into the Defend Forward philosophy of the US Cyber Command. Former director of the NSA Michael Hayden once <a href="https://www.usnews.com/news/articles/2013/02/20/former-cia-director-cyber-attack-game-changers-comparable-to-hiroshima">said</a> that Stuxnet had the “whiff of August 1945,” while former NSA exploitation engineer Dave Aitel <a href="https://cybersecpolitics.blogspot.com/2016/09/the-stern-stewart-summit-germany-and.html">labelled</a> it as the “announcement of a team.” The theatres of war, <a href="https://www.cfr.org/blog/not-cyber-deterrence-united-states-wants">frameworks</a> for deterrence and <a href="https://www.cfr.org/blog/sony-hack-north-koreas-toughest-counteraction-obamas-proportional-response">parameters</a> for proportional response may turn out to be purely perceptive in nature.</p>
<p style="text-align: justify;" dir="ltr">As the cyber option gets increasingly expended by militaries, we have <a href="https://www.washingtonpost.com/gdpr-consent/?destination=%2fpolitics%2f2019%2f10%2f01%2fare-cyber-operations-us-retaliatory-option-september-oilfield-strikes-would-this-deter-iran%2f%3f">come to understand</a> that the esoteric cognitive parameters of digital conflict could be crucial enough to decide victory or defeat.</p>
<h3 style="text-align: justify;" dir="ltr">Conclusion</h3>
<p style="text-align: justify;" dir="ltr">As the United Nations’ Governmental Group of Experts’ dialogue came to a grinding halt in 2016, Michelle Markoff, former deputy coordinator for Cyber Issues in the US State Department, gave a <a href="https://www.youtube.com/watch?v=nAuehrVCBBU&feature=youtu.be&t=4m10s">candid account</a> of what went wrong.</p>
<p style="text-align: justify;" dir="ltr">She also went on to recommend “interleaving strategies” like defence, declaratory policies, alliance activities, and norms of behaviour. It is interesting to note that all four dimensions she proffered fit neatly into the remit of the private sector when it comes to fostering cyber stability.</p>
<p style="text-align: justify;" dir="ltr">The threat intelligence industry, by its indirect participation in the great power play, is already carving a rudimentary framework for declaratory signaling. Private sector alliances – by being more open and neutral about attack attribution, adversarial intent and capabilities, and targeting criteria – may lower the incentives while increasing the costs of cyber actions. That may force various actors to the negotiating table.</p>
<p style="text-align: justify;" dir="ltr">The emergence of customary international law in cyberspace, as a precursor to effective normative frameworks, is a necessity that may squarely fall on the shoulders of corporations. In that sense, diplomatic initiatives and alliance activities by Microsoft and others must be keenly observed.</p>
<p style="text-align: justify;" dir="ltr"> </p>
<hr />
<p> </p>
<p><em><strong>Pukhraj Singh is a cyber threat intelligence analyst who has worked with the Indian government and security response teams of global companies. He blogs at www.pukhraj.me. Views posited are the author’s alone.</strong></em></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/guest-post-before-cyber-norms-let2019s-talk-about-disanalogy-and-disintermediation'>https://cis-india.org/internet-governance/blog/guest-post-before-cyber-norms-let2019s-talk-about-disanalogy-and-disintermediation</a>
</p>
No publisher | Pukhraj Singh | Cybersecurity, Norms Formulation | 2019-11-18T10:14:07Z | Blog Entry
CIS Cybersecurity Series (Part 9) - Saikat Datta
https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-9-saikat-datta
<b>CIS interviews Saikat Datta, Resident Editor of DNA, Delhi, as part of the Cybersecurity Series.</b>
<p><em>"Anonymous speech, in countries which have extremely severe systems of governments, which do not have freedom, etcetera, is welcome. But in a democracy like India, I do not see the need for anonymous speech because it is anyways guaranteed by the Constitution of India. So, no, I do not see the need for anonymity in an open and democratic state like India and I would be seriously worried if such a requirement comes up. Shouldn't I strive to be ideal? The ideal suggests that the constitution has guaranteed freedom of speech. Anonymity, for a time being may be acceptable to some people but I would like a situation where a person, without having to seek anonymity, can speak about anything and not be prosecuted by the state, or persecuted by society. And that is the ideal situation that I would like to strive for." - Saikat Datta, Resident Editor, DNA, Delhi.</em></p>
<p>Centre for Internet and Society presents its ninth installment of the CIS Cybersecurity Series. </p>
<p>The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.</p>
<p>Saikat Datta is a journalist who began his career in December 1996 and has worked with several publications like The Indian Express, the Outlook magazine and the DNA newspaper. He is currently the Resident Editor of DNA, Delhi. Saikat has authored a book on India's Special Forces and presented papers at seminars organized by the Centre for Land Warfare Studies, the Centre for Air Power Studies and the National Security Guards. He has also been awarded the International Press Institute Award for investigative journalism, the National RTI award in the journalism category and the Jagan Phadnis Memorial Award for investigative journalism.</p>
<p> </p>
<iframe src="//www.youtube.com/embed/Fn2tqVU5mGg" frameborder="0" height="315" width="560"></iframe>
<div> </div>
<div><strong><em>This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.</em></strong></div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-9-saikat-datta'>https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-9-saikat-datta</a>
</p>
No publisher | purba | Cybersecurity, Cyberspace, Cybercultures, Cyber Security Interview | 2013-08-05T05:24:35Z | Blog Entry
CIS Cybersecurity Series (Part 10) - Lawrence Liang
https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-10-lawrence-liang
<b>CIS interviews Lawrence Liang, researcher and lawyer, and co-founder of Alternative Law Forum, Bangalore, as part of the Cybersecurity Series.</b>
<p><em>"The right to privacy and the right to free speech have often been understood as distinct rights. But I think in the ecology of online communication, it becomes crucial for us to look at the two as being inseparable. And this is not entirely new in India. But, interestingly, a lot of the cases that have had to deal with this question in the Indian context, have pitted one against the other. Now, India doesn't have a law for the protection of whistle-blowers. So how do we now think of the idea of whistle-blowers being one of the subjects of speech and privacy coming together? How do we use the strong pillars that have been established, in terms of a very rich tradition that Indian law has, on the recognition of free speech issues but slowly start incorporating questions of privacy?" - Lawrence Liang, researcher and lawyer, Alternative Law Forum. </em></p>
<p>Centre for Internet and Society presents its tenth installment of the CIS Cybersecurity Series. </p>
<p>The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.</p>
<p>Lawrence Liang is one of the co-founders of the Alternative Law Forum where he works on issues of intellectual property, censorship, and the intersection of law and culture. He is also a fellow with the Centre for Internet and Society and serves on its board. </p>
<iframe src="//www.youtube.com/embed/odQajlxcLLA" frameborder="0" height="315" width="420"></iframe>
<div> </div>
<div><strong><em>This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.</em></strong></div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-10-lawrence-liang'>https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-10-lawrence-liang</a>
</p>
No publisher | purba | Cybersecurity, Cyber Security, Cybercultures, Cyber Security Interview | 2013-09-10T08:31:31Z | Blog Entry
NASSCOM-DSCI Annual Information Security Summit 2015 - Notes
https://cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes
<b>NASSCOM-DSCI organised the 10th Annual Information Security Summit (AISS) 2015 in Delhi during December 16-17. Sumandro Chattapadhyay participated in this engaging Summit. He shares a collection of his notes and various tweets from the event.</b>
<p> </p>
<h2>Details about the Summit</h2>
<p>Event page: <a href="https://www.dsci.in/events/about/2261">https://www.dsci.in/events/about/2261</a>.</p>
<p>Agenda: <a href="https://www.dsci.in/sites/default/files/Agenda-AISS-2015.pdf">https://www.dsci.in/sites/default/files/Agenda-AISS-2015.pdf</a>.</p>
<p> </p>
<h2>Notes from the Summit</h2>
<blockquote class="twitter-tweet">
<p dir="ltr">Mr.G.K.Pillai ,Chairman DSCI addressing the audience @ 10th Annual Information Security Summit '15 <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/JVcwct3HSF">pic.twitter.com/JVcwct3HSF</a></p>
— DSCI (@DSCI_Connect) <a href="https://twitter.com/DSCI_Connect/status/676979952277987328">December 16, 2015</a></blockquote>
<p>Mr. G. K. Pillai, Chairman of Data Security Council of India (DSCI), set the tone of the Summit at the very first hour by noting that 1) the state and private industries in India are working in silos when it comes to preventing cybercrimes, 2) there is a lot of skill among young technologists and entrepreneurs, and the state and the private sectors are often unaware of this, and 3) there is a serious lack of (cyber-)capacity among law enforcement agencies.</p>
<p>In his Inaugural Address, Dr. Arvind Gupta (Deputy National Security Advisor and Secretary, NSCS), provided a detailed overview of the emerging challenges and framework of cybersecurity in India. He focused on the following points:</p>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> Dy NSA Dr Arvind Gupta calls 4 <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> by <a href="https://twitter.com/hashtag/design?src=hash">#design</a> in <a href="https://twitter.com/hashtag/ICT?src=hash">#ICT</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/79kq9lWGtk">pic.twitter.com/79kq9lWGtk</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/676980799347023872">December 16, 2015</a></blockquote>
<ul>
<li>Security is a key problem in the present era of ICTs as it is not in-built. In the upcoming IoT era, security must be built into ICT systems.</li>
<li>Of the next billion people added to the internet population, 50% will be from India. Hence cybersecurity is a big concern for India.</li>
<li>ICTs will play a catalytic role in achieving SDGs. Growth of internet is part of the sustainable development agenda.</li>
<li>We need a broad range of critical security services - big data analytics, identity management, etc.</li>
<li>The e-governance initiatives launched by the Indian government are critically dependent on a safe and secure internet.</li>
<li>Darkweb is a key facilitator of cybercrime. Globally there is a growing concern regarding the security of cyberspace.</li>
<li>On the other hand, there exists a deep divide in access to ICTs, and also in the availability of content in local languages.</li>
<li>The Indian government has initiated bilateral cybersecurity dialogues with various countries.</li>
<li>The Indian government is contemplating setting up centres of excellence in cryptography. It has already partnered with NASSCOM to develop cybersecurity guidelines for smart cities.</li>
<li>While India is a large global market for security technology, it also needs to be self-reliant. The Indian private sector should make use of government policies and the bilateral trust enjoyed by India with various developing countries in Africa and South America to develop security technology solutions, create meaningful jobs in India, and export services and software to other developing countries.</li>
<li>A strong research and development and manufacturing base is absolutely necessary for India to be self-reliant in cybersecurity. DSCI should work with the private sector, academia, and government to coordinate and realise this agenda.</li>
<li>Along the lines of the Climate Change Fund, we should create a cybersecurity fund, since it is a global problem.</li>
<li>Silos are our bane in general. Bringing government agencies together is crucial. Trust issues (between government, private sector, and users) remain, and can only be resolved over time.</li>
<li>The demand for cybersecurity solutions in India is so large, that there is space for everyone.</li>
<li>The national cybersecurity centre is being set up.</li>
<li>Think tanks can play a crucial role in helping the government to develop strategies for global cybersecurity negotiations. Indian negotiators are often capacity constrained.</li></ul>
<p>Rajendra Pawar, Chair of the NASSCOM Cyber Security Task Force, NASSCOM Cybersecurity Initiative, provided glimpses of the emerging business opportunity around cybersecurity in India:</p>
<ul>
<li>In the next 10 years, the IT economy in India will be USD 350 bn, and <a href="https://blogs.dsci.in/building-usd-35-billion-cyber-security-industry-how-do-we-do-it/">10% of that will be the cybersecurity pie</a>. This means a million jobs in the cybersecurity space alone.</li>
<li>Academic institutes are key to the creation of new ideas and hence of entrepreneurs. Government and private sectors should work closely with academic institutes.
<blockquote class="twitter-tweet">
<p dir="ltr">'Companies+Govt+Academia= High growth of the cybersecurity industry' - Rajendra Pawar at <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a></p>
— Shivangi Nadkarni (@shivanginadkarn) <a href="https://twitter.com/shivanginadkarn/status/676995090955530246">December 16, 2015</a></blockquote>
</li>
<li>Globally, cybersecurity innovation and industries happen in clusters. Cities and states must come forward to create such clusters.</li>
<li>Two-thirds of the cybersecurity market is the provision of services. This is where India has a great advantage, and should build on that to become a global brand in cybersecurity services.</li>
<li>Everyday digital security literacy and cultures need to be created.</li>
<li>Publication of cybersecurity best practices among private companies is a necessity.
<blockquote class="twitter-tweet">
<p dir="ltr">Corporate disclosures of breaches being considered with Nasscom under cybersec task force: Rajendra Pawar <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> <a href="https://twitter.com/ETtech">@ETtech</a></p>
— Neha Alawadhi (@NehaAlawadhiET) <a href="https://twitter.com/NehaAlawadhiET/status/676994553799417856">December 16, 2015</a></blockquote>
</li>
<li>Dedicated cybersecurity spending should be made part of the e-governance budget of central and state governments.</li>
<li>DSCI should function as a clearing house of cybersecurity case studies. At present, thought leadership in cybersecurity comes from the criminals. By serving as a use case clearing house, DSCI will inform interested researchers about potential challenges for which solutions need to be created.</li></ul>
<p>Manish Tiwary of Microsoft informed the audience that India is in the top 3 positions globally in terms of malware proliferation, and this ensures that India is a big focus for Microsoft in its global war against malware. Microsoft India looks forward to working closely with CERT-In and other government agencies.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">RSA's Kartik Shahani <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> Adopt a Deep & Pervasive Level of True Visibility Everywhere <a href="https://t.co/2U8J8WkWsI">pic.twitter.com/2U8J8WkWsI</a></p>
— Debjani Gupta (@DebjaniGupta1) <a href="https://twitter.com/DebjaniGupta1/status/676999786722156544">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Data localization; one of the stumbling blocks that undermine investments in <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a>. <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/vrff3Amcv0">pic.twitter.com/vrff3Amcv0</a></p>
— Appvigil (@appvigil_co) <a href="https://twitter.com/appvigil_co/status/677043180731301888">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Trust verification 4 embedded devices isnt complex bt much desired as people lives r dependent on that-cld cause physical damage <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677057992831860736">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">"Most compromised OS in 2k15: iOS"-Riyaz Tambe, Palo Alto Networks <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Indira Sen (@drealcharbar) <a href="https://twitter.com/drealcharbar/status/677015382356533249">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Security by default in IOS architecture tho' can't verify code as not open - is it security by obscurity? <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/kbPZgH8oA0">pic.twitter.com/kbPZgH8oA0</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677055086611173376">December 16, 2015</a></blockquote>
<p>The session on <strong>Catching Fraudsters</strong> had two insightful presentations from Dr. Triveni Singh, Additional SP of Special Task Force of UP Police, and Mr. Manoj Kaushik, IAS, Additional Director of FIU.</p>
<p>Dr. Singh noted that a key challenge faced by police today is that nobody comes to them with a case of online fraud. Most fraud businesses are run by young groups operating BPOs that steal details from individuals. There exists a huge black market of financial and personal data - often collected from financial institutions and job search sites. Almost any personal data can be bought in such markets. Further, SIM cards under fake names are very easy to buy. The fraudsters are effectively using entirely fake identities, and are using operational infrastructure outsourced from legitimate vendors under fake names. Without a central database of all bank customers, it is very difficult for the police to track people across the financial sector. It becomes even more difficult for Indian police to get access to personal data of potential fraudsters when it is stored on a foreign server, which is often the case with usual web services and apps. Many Indian ISPs do not keep IP history data systematically, or do not have the technical expertise to share it in a structured and time-sensitive way.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">Mr. Triveni Singh talks about raiding fake call centres in Delhi NCR that scam millions every year <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/EmE4y3jux2">pic.twitter.com/EmE4y3jux2</a></p>
— pradyumn nand (@PradyumnNand) <a href="https://twitter.com/PradyumnNand/status/677063276442738689">December 16, 2015</a></blockquote>
<p>Mr. Kaushik explained that no financial fraud is uniquely committed via the internet. Many frauds begin on the internet but eventually involve physical fraudulent money transactions. Credit/debit card frauds all involve card data theft via various internet-based and physical methods. However, cybercrime continues to be mistakenly seen as fraud undertaken completely online. Further, mobile-based frauds are yet another category. Almost all apps we use are compromised, or store transaction history in an insecure way, which reveals such data to hackers. FIU is targeting bank accounts to which fraud money is going, and closing them down. Catching the people behind these bank accounts is much more difficult, as account loaning has become a common practice - where valid accounts are loaned out for a small amount of money to fraudsters who return the account after taking out the fraudulent money. Better information sharing between the private sector and government will make catching fraudsters easier.</p>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/AkhileshTuteja">@AkhileshTuteja</a> With data overload and big data being prevalent are we considering privacy elements <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/hashtag/KpmgIndiaCyber?src=hash">#KpmgIndiaCyber</a></p>
— Atul Gupta (@AtulGup15843145) <a href="https://twitter.com/AtulGup15843145/status/677082045701488640">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">'Tech solns today designed to protect security - solns for privacy need to evolve'- <a href="https://twitter.com/Mayurakshi_Ray">@Mayurakshi_Ray</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a></p>
— Shivangi Nadkarni (@shivanginadkarn) <a href="https://twitter.com/shivanginadkarn/status/677066470325534721">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">In-house tools important but community collaboration critical to fight security threats <a href="https://twitter.com/tata_comm">@tata_comm</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/ZjbCnaROXC">pic.twitter.com/ZjbCnaROXC</a></p>
— aparna (@aparnag14) <a href="https://twitter.com/aparnag14/status/677067260268187648">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">'Orgns in India have a long way to go b4 they internalise privacy principles' Subhash S, CISO ICICI <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a></p>
— Shivangi Nadkarni (@shivanginadkarn) <a href="https://twitter.com/shivanginadkarn/status/677066928880410624">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Prof PK giving an interesting brief on Academia role in Cyber Security. <a href="https://twitter.com/ponguru">@ponguru</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> at <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/MEiO6sCJwu">pic.twitter.com/MEiO6sCJwu</a></p>
— Vikas Yadav (@VikasSYadav) <a href="https://twitter.com/VikasSYadav/status/677088566871101440">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Potential for interaction between Academia, Government and Industry but not an established reality yet. <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/hashtag/MappingCyberEducation?src=hash">#MappingCyberEducation</a></p>
— Indira Sen (@drealcharbar) <a href="https://twitter.com/drealcharbar/status/677089590717517824">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">I have figured out why information security is not in any boardroom discussions. Cause there are no good speakers / orators . <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Virag Thakkar (@viragthakkar) <a href="https://twitter.com/viragthakkar/status/677078491699871745">December 16, 2015</a></blockquote>
<p>The session on <strong>Smart Cities</strong> focused on discussing the actual cities coming up in India, and the security challenges highlighted by them. There was a presentation on Mahindra World City being built near Jaipur. Presenters talked about the need to stabilise, standardise, and securitise the unique identities of machines and sensors in a smart city context, so as to enable secured machine-to-machine communication. Since 'smartness' comes from connecting various applications and data silos together, the governance of proprietary technology and ensuring inter-operable data standards are crucial in the smart city.</p>
<p>As Special Purpose Vehicles are being planned to realise the smart cities, the presenters warned that finding the right CEOs for these entities will be critical for their success. Legacy processes and infrastructures (and labour unions) are a big challenge when realising smart cities. Hence, the first step towards the smart cities must be taken through connected enforcement of law, order, and social norms.</p>
<p>Privacy-by-design and security-by-design are necessary criteria for smart city technologies. Along with that, regular and automatic software/middleware updating of distributed systems and devices should be ensured, as well as the physical security of the actual devices and cables.</p>
<p>In terms of standards, security service compliance standards and those for protocols need to be established for the internet-of-things sector in India. On the other hand, there is significant interest among international vendors in serving the Indian market. All global data and cloud storage players, including Microsoft Azure cloud, are moving into India, and are working on substantial and complete data localisation efforts.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">Session - Why should you hire Women Security Professionals?... Balancing gender diversity
<a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/hashtag/DSCI_Connect?src=hash">#DSCI_Connect</a> <a href="https://t.co/uIMfG9PvAb">pic.twitter.com/uIMfG9PvAb</a></p>
— Jagan Suri (@jsuri90) <a href="https://twitter.com/jsuri90/status/677109792679157760">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">gender Diversity in cybersecurity critical 4 India's future. <a href="https://twitter.com/symantec">@symantec</a> partnered with <a href="https://twitter.com/nasscom">@nasscom</a> via 1000 women scholarships <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677118674197602304">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Dialogue with CERT-In
.. Starting 2nd Day of <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a>
.. B J Srinath, DG, CERT
<a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> <a href="https://twitter.com/hashtag/security?src=hash">#security</a> <a href="https://twitter.com/hashtag/privacy?src=hash">#privacy</a> <a href="https://t.co/cvDcrgkein">pic.twitter.com/cvDcrgkein</a></p>
— Vinayak Godse (@godvinayak) <a href="https://twitter.com/godvinayak/status/677342972170493952">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">New <a href="https://twitter.com/hashtag/problems?src=hash">#problems</a> can't b solved w old <a href="https://twitter.com/hashtag/solutions?src=hash">#solutions</a>: <a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT DG BJ Srinath <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677341246281539585">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">17 entities within <a href="https://twitter.com/hashtag/Indian?src=hash">#Indian</a> <a href="https://twitter.com/hashtag/government?src=hash">#government</a> engaged in <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a>: <a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT head <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677341728282533888">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Scope of activities by CERT in <a href="https://twitter.com/hashtag/India?src=hash">#India</a> way more than its counterparts elsewhere <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677342193854451712">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT looks 8 prediction & <a href="https://twitter.com/hashtag/prevention?src=hash">#prevention</a> <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> <a href="https://twitter.com/hashtag/emergency?src=hash">#emergency</a> not just <a href="https://twitter.com/hashtag/response?src=hash">#response</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677343140630540288">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT willing to <a href="https://twitter.com/hashtag/share?src=hash">#share</a> <a href="https://twitter.com/hashtag/information?src=hash">#information</a> rather than just receiving <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677343512833101824">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Savita CERTin outlines drill initiatives taken 4 preparedness-detect (protect), defend attacks wth response <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/wXrkgoLzr2">pic.twitter.com/wXrkgoLzr2</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677346822449303553">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">CERTin also offers incident predictability,Crisis mgmt plans, <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> assurance ladder (7 levels) besides 24 x 7 prevention <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677348506869239809">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> has 7.2 million bot infected <a href="https://twitter.com/hashtag/machines?src=hash">#machines</a>: <a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT DG Srinath <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677355051308871680">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Seizure & protection of electronic devices as admissible evidence (certificate u Sec 65B) imperative under Forensics investigation <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677364713005576192">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">'Law enforcement agency&corporate world must collaborate to fight cybercrime'-Atul Gupta,Partner-Risk Adv. @ <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/GwAQWhYMmK">pic.twitter.com/GwAQWhYMmK</a></p>
— KPMG India (@KPMGIndia) <a href="https://twitter.com/KPMGIndia/status/677373217711919104">December 17, 2015</a></blockquote>
<p>Mr. R. Chandrasekhar, President of NASSCOM, foregrounded the recommendations made by the Cybersecurity Special Task Force of NASSCOM, in his Special Address on the second day. He noted:</p>
<ul>
<li>There is a great opportunity to brand India as a global security R&D and services hub. Other countries are also quite interested in India becoming such a hub.</li>
<li>The government should set up a cybersecurity startup and innovation fund, in coordination with and working in parallel with the centres of excellence in internet-of-things (being led by DeitY) and the data science/analytics initiative (being led by DST).</li>
<li>There is an immediate need to create a capable workforce for the cybersecurity industry.</li>
<li>Cybersecurity affects everyone but there is almost no public disclosure. This leads to low public awareness and valuation of costs of cybersecurity failures. The government should instruct the Ministry of Corporate Affairs to get corporates to disclose (publicly or directly to the Ministry) security breaches.</li>
<li>With digital India and everyone going online, cyberspace will increasingly be prone to attacks of various kinds, and to an increasing scale of potential loss. Cybersecurity, hence, must be part of the core national development agenda.</li>
<li>The cybersecurity market in India is big enough and under-served enough for everyone to come and contribute to it.</li></ul>
<p>The Keynote Address by Mr. Rajiv Singh, MD – South Asia of Entrust Datacard, and Mr. Saurabh Airi, Technical Sales Consultant of Entrust Datacard, focused on trustworthiness and security of online identities for financial transactions. They argued that all kinds of transactions require a common form factor, which can be a card or a mobile phone. The key challenge is to make the form factor unique, verified, and secure. While no programme is completely secure, it is necessary to build security into the form factor - security of both the physical and digital kind, from the substrates of the card to the encryption algorithms. Entrust and Datacard have merged in the recent past to align their identity management and security transaction workflows, from physical cards to software systems for transactions. The advantages of this joint expertise have allowed them to successfully develop the National Population Register cards of India. Now, with the mobile phone emerging as a key financial transaction form factor, the challenge across the cybersecurity industry is to offer the same level of physical, digital, and network security for the mobile phone as is provided for ATM cards and cash machines.</p>
<p>The following Keynote Address by Dr. Jared Ragland, Director - Policy of BSA, focused on the cybersecurity investment landscape in India and the neighbouring region. BSA, he explained, is a global trade body of software companies. All major global software companies are members of BSA. Recently, BSA has produced a study on the cybersecurity industry across 10 markets in the Asia Pacific region, titled <a href="http://cybersecurity.bsa.org/2015/apac/">Asia Pacific Cybersecurity Dashboard</a>. The study provides an overview of cybersecurity policy developments in these countries, and sector-specific opportunities in the region. Dr. Ragland mentioned the following as the key building blocks of cybersecurity policy: legal foundation, establishment of operational entities, building trust and partnerships (PPP), addressing sector-specific requirements, and education and awareness. As for India, he argued that while steady steps have been taken in the cybersecurity policy space by the government, a lot remains to be done. Operationalisation of the policy is especially lacking. PPPs are happening but there is a general lack of persistent formal engagement with the private sector, especially with global software companies. There is almost no sector-specific strategy. Further, the requirement for India-specific testing of technologies, according to domestic and not global standards, is leading to an entry barrier for global companies and an export barrier for Indian companies. Having said that, Dr. Ragland pointed out that India's cybersecurity experience is quite representative of that of the Asia Pacific region. He noted the following as major stumbling blocks from an international industry perspective: unnecessary and unreasonable testing requirements, setting of domestic standards, and data localisation rules.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">The Policy Makers' panel in <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> in progress. Arvind Gupta, Head, BJP IT cell (<a href="https://twitter.com/buzzindelhi">@buzzindelhi</a>) speaks. <a href="https://t.co/9yWR0gMwf5">pic.twitter.com/9yWR0gMwf5</a></p>
— Nandkumar Saravadé (@saravade) <a href="https://twitter.com/saravade/status/677437443356798977">December 17, 2015</a></blockquote>
<p>One of the final sessions of the Summit was the Public Policy Dialogue between <a href="https://twitter.com/rajeevgowda">Prof. M.V. Rajeev Gowda</a>, Member of Parliament, Rajya Sabha, and <a href="https://twitter.com/buzzindelhi">Mr. Arvind Gupta</a>, Head of IT Cell, BJP.</p>
<p>Prof. Gowda focused on the following concerns:</p>
<ul>
<li>We often freely give up our information and rights over to owners of websites and applications on the web. We need to ask questions regarding the ownership, storage, and usage of such data.</li>
<li>While Section 66A of the Information Technology Act started as an anti-spam rule, it has actually been used to harass people, instead of protecting them from online harassment.</li>
<li>The bill on DNA profiling has raised crucial privacy concerns related to this most personal data. The complexity around the issue is created by the possibility of data leakage and usage for various commercial interests.</li>
<li>We need to ask if western notions of privacy will work in the Indian context.</li>
<li>We need to move towards a cashless economy, which will not only formalise the existing informal economy but also speed up transactions nationally. We need to keep in mind that this will put a substantial demand burden on the communication infrastructure, as all transactions will happen through these.</li></ul>
<p> Mr. Gupta shared his keen insights about the key public policy issues in <em>digital India</em>:</p>
<ul>
<li>The journey to establish <em>the digital</em> as a key political agenda and strategy within BJP took him more than 6 years. He has been an entrepreneur, and will always remain one. He approached his political journey as an entrepreneur.
</li><li>While we are producing numerous digitally literate citizens, the companies offering services on the internet often unknowingly acquire data about these citizens, store them, and sometimes even expose them. India perhaps produces the greatest volume of digital exhaust globally.</li>
<li>BJP inherited the Aadhaar national identity management platform from UPA, and has decided to integrate it deeply into its digital India architecture.</li>
<li>Financial and administrative transactions, especially ones undertaken by and with governments, are all becoming digital and mostly Aadhaar-linked. We are not sure where all such data is going, and who all has access to such data.</li>
<li>Right now there is an ongoing debate about using a biometric system for identification. The debate on privacy is much needed, and a privacy policy is essential to strengthen Aadhaar. We must remember that the benefits of Aadhaar clearly outweigh the risks. Greatest privacy threats today come from many other places, including simple mobile torch apps.</li>
<li>India is rethinking its cybersecurity capacities in a serious manner. After the Paris attack, it has become obvious that the state should be allowed to look into electronic communication under reasonable guidelines. The challenge is identifying the fine balance between consumers' interest on one hand, and national interest and security concerns on the other. Unfortunately, the concerns of a few are often getting amplified in popular media.</li>
<li>MyGov platform should be used much more effectively for public policy debates. Social media networks, like Twitter, are not the correct platforms for such debates.</li></ul>
<p> </p>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a>: <a href="https://twitter.com/rajivgowda">@rajivgowda</a> & <a href="https://twitter.com/buzzindelhi">@buzzindelhi</a> are talking abt proactive disclosure as a key part of <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> strategy <a href="https://twitter.com/hashtag/openData?src=hash">#openData</a> <a href="https://twitter.com/DataPortalIndia">@DataPortalIndia</a></p>
— sumandro (@ajantriks) <a href="https://twitter.com/ajantriks/status/677447609502445568">December 17, 2015</a></blockquote>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes'>https://cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes</a>
</p>
No publisher | sumandro | Cybersecurity, NASSCOM, DSCI, Information Security, Cyber Security | 2016-01-19T07:58:56Z | Blog Entry
CIS Cybersecurity Series (Part 24) – Shantanu Ghosh
https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-24-2013-shantanu-ghosh
<b>CIS interviews Shantanu Ghosh, Managing Director, Symantec Product Operations, India, as part of the Cybersecurity Series.</b>
<p><em>“Remember
that India is also a land where there are a lot of people who are beginning to
use computing devices for the first time in their lives. For many people, their
smartphone is their first computing device because they have never had
computers in the past. For them, the challenge is how do you make sure that
they understand that that can be a threat too. It can be a threat not only to
their bank accounts, with their financial information, but even to their
private lives.”</em></p>
<p>Centre for Internet and Society presents its twenty-fourth
installment of the CIS Cybersecurity Series.</p>
<p>The CIS Cybersecurity Series seeks to address hotly
debated aspects of cybersecurity and hopes to encourage wider public discourse
around the topic.</p>
<p>Shantanu Ghosh is the Managing Director of Symantec
Product Operations, India. He also runs the Data Centre Security Group for
Symantec globally.</p>
<iframe src="https://www.youtube.com/embed/dFN2_R0HzbA" frameborder="0" height="315" width="560"></iframe>
<p><strong>This work was carried out as part of the Cyber
Stewards Network with aid of a grant from the International Development Research
Centre, Ottawa, Canada.</strong></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-24-2013-shantanu-ghosh'>https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-24-2013-shantanu-ghosh</a>
</p>
No publisher | purba | Privacy, Cybersecurity, Internet Governance, Cyber Security Film, Cyber Security, Cyber Security Interview | 2015-07-15T14:58:50Z | Blog Entry
CIS Cybersecurity Series (Part 7) - Jochem de Groot
https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-7-jochem-de-groot
<b>CIS interviews Jochem de Groot, former policy advisor to the Netherlands government, as part of the Cybersecurity Series</b>
<p><em>"The basic principle that I think we must continue to embrace is that rights online are the same as rights offline... The amount of information that is available online is so enormous that it would be easy for governments to abuse that information for all kinds of purposes... And we are at a stage right now where we are really experimenting with how much information the govt or law enforcement can take to ensure the rule of law." - Jochem de Groot</em></p>
<p>Centre for Internet and Society presents its seventh installment of the CIS Cybersecurity Series. </p>
<p>The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.</p>
<p>In this installment, CIS interviews Jochem de Groot. Jochem has worked on the Netherlands government’s agenda to promote Internet freedom globally since 2009. He initiated and coordinated the founding conference of the Freedom Online Coalition in The Hague in December 2011, and advised the Kenyan government on the second Freedom Online event in Nairobi in 2012. Jochem represents the Dutch government in the EU, UN, OSCE and other multilateral fora, and oversees a project portfolio for promoting internet freedom globally. </p>
<iframe src="//www.youtube.com/embed/EU-PV2bmECg" frameborder="0" height="315" width="560"></iframe>
<div> </div>
<div><strong><em>This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.</em></strong></div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-7-jochem-de-groot'>https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-7-jochem-de-groot</a>
</p>
No publisher | purba | Cybersecurity, Cyberspace, Cybercultures, Cyber Security Interview | 2013-07-30T09:26:28Z | Blog Entry