Centre for Internet and Society

People Driven and Tech Enabled – How AI and ML are Changing the Future of Cyber Security in India

Shweta Mohandas — 2018-03-11T15:30:50Z

On the 27th of February, Peter Sparkes the Senior Director, Cyber Security Services, Symantec conducted a webinar on the ‘5 Essentials of Every Next-Gen SOC’. In this webinar, he evaluated the problems that Security Operations Centers (SOCs) are currently facing, and explored possible solutions to these problems. The webinar also put emphasis on AI and ML as tools to improve cyber security. This blog draws key insights from the webinar, and explains how AI and ML can improve the cyber security process of Indian enterprises.

Introduction

In a study conducted by Cisco, it was found that in the past 12-18 months, cyber attacks have caused Indian companies to incur financial damages amounting to USD 500,000.

There is a need to strengthen the nodal agencies in an enterprise that can deal with these threats to prevent irreparable damage to enterprises and their customers. An SOC within any organization is the team responsible for detecting, monitoring, analyzing, communicating and remedying security threats. The SOC technicians employ a combination of technologies and processes to ensure that an enterprise’s security is not compromised. As instances of cyber attacks increase both in number and sophistication, SOCs need to use state of the art technologies to stay one step ahead of the attackers. Presently, SOCs face a number of infrastructural problems such as the low priority given to a cyber security budget, slower and passive response to threats, dearth of skilled technicians, and the absence of a global intelligence network for cyber-threats. This is where technologies such as Artificial Intelligence and Machine learning are helping, by monitoring the system to identify cyber attacks, and analyse the severity of the threat, and in some cases by blocking such threats.

Evolution of Security Operations Centers

In the same study, Cisco looked at the evolution of cyber threats and how companies were using technologies such as AI and ML to ameliorate those threats. Another key insight the study brought out was that 53 and 51 percent of the subject companies were reliant on ML and AI respectively. One of the reasons behind AI and ML’s effectiveness in cyber security is their capacity not only to detect known threats but also to use their learnings from data to detect unknown threats. In his webinar, Peter Sparkes also stated that SOCs were evolving into a ‘people driven and tech enabled’ system.

People Driven and Tech Enabled

In the case of cyber security, which in itself is a relatively new field, technologies such as AI and ML are helping companies to not only overcome infrastructural barriers but also to respond proactively to threats. A study conducted by the Enterprise Strategy Group, revealed that one-third of the respondents believed that ML technology could detect new and unknown malware.

The study also stated that the use of machine learning to detect and prevent threats from unknown malware reduced the number of cases the cyber security team had to investigate.

Similarly, the tasks of monitoring and blocking which were earlier conducted by entry level analysts were now done by systems, using machine learning. Typically, the AI acts as the first monitoring system after which the threat is examined by the company’s technicians who possess the requisite skill set and experience. By delegating the time consuming task of continuous monitoring to an ML system, the technicians now have time to look at serious threats. In this way AI and humans are working together to build a stronger and responsive security protocol.

Detecting the Unknown

Cyber criminals are becoming increasingly sophisticated, and in order to prevent attacks the monitoring systems (both human and automated) need to be able to detect them before the security is compromised. The detection of threats through AI and ML is done in a similar way as it is done for the identification of spam, where the system is trained on a large amount of data which teaches the algorithm to identify right from wrong.

There have been numerous cases of stealthy cyber attacks such as wannacry and ransomware, that have evaded detection by conventional security firewalls and caused crippling damage. There is also the need to use deception technology which involves automatic detection and analysis of attacks. This technology then tricks the attackers and defeats them to bring back normalcy to the system.

The systems that can handle threats by themselves do so by following a predetermined procedure, or playbook where the AI detects activities that go against the procedure/playbook. This is more effective compared to the earlier system where the technicians would analyse the attacks on a case by case basis.

AI and ML can help in reducing the time required to detect threats enabling technicians to act proactively and prevent damage. As AI and ML systems are less prone to make mistakes compared to human beings, each threat is dealt with in a prompt and accurate manner. AI systems also help by categorising attacks based on their propensity for damage. These systems can use the large volumes of data collected about previous attacks and adapt over time to give enterprises a strong line of defence against attacks.

Passive to Active Defense

Threat to cyber security can emerge even in seemingly safe departments, such as Human Resources. It is therefore important to proactively hunt for threats across all departments uniformly.

In order to detect an anomaly, the AI and ML system will require both large volumes of data as well as a significant amount of processing power, which is difficult for smaller companies to provide. A possible solution to improve defense is to have a system of sharing SOC data between companies, and thereby creating a global database of intelligence. A system of global intelligence and threat data sharing could help smaller companies combat cyber threats without having to compromise on core business development.

Use of AI in Cyber Security in India

In 2017, Indian enterprises were infected by two lethal cyber attacks called Nyetya that crept through a trusted software - Ccleaner and infected computers

. These attacks may just be the tip of the iceberg , since there may be many other attacks that might have gone unreported, or worse, undetected. Cisco reported that less than 55 per cent of the Indian enterprises were reliant on AI or ML for combating cyber threats. Although the current numbers seem bleak, there are a number of Indian enterprises that have recently begun using AI and ML in cyber security.

One such example is HDFC bank which is in the process of introducing an AI based Cyber Security Operations Centre (CSOC).

This CSOC is based on a four point approach to dealing with threats - prevent, detect, respond and recover. The government of India has also taken its first step towards the use of AI in cyber security through a project that aims to provide cyber forensic services to the various agencies of the government including law enforcement.

Indian intelligence agencies have also entered into an agreement with tech startup Innefu, which utilizes AI, to process data and decipher threats by looking at the patterns of past threats.

As India is increasingly becoming data dense both private and public organizations need to consider cyber security with utmost seriousness and protect the data from crippling attacks.

Conclusion

Enterprises have become storehouses of user data and the SOCs have a responsibility to protect this data. The companies’ SOCs have been plagued with several problems such as lack of skilled technicians, delay in response time and the inability to proactively respond to attacks. AI and ML can help in a system of continuous monitoring as well as take over the more repetitive and time consuming tasks, leaving the technicians with more time to work on damage control. Although it must be kept in mind that AI is not a silver bullet, since attackers will try their best to confuse the AI systems through evasion techniques such as adversarial AI (where the attackers design machine learning models that are intended to confuse the AI model into making a mistake).

Hence, human intervention and monitoring of AI and ML systems in cyber security is essential to maintain the defence and protection mechanisms of enterprises.

A few topics that Indian SOCs need to consider while using AI and ML :

1. The companies need to understand that AI and ML need human expertise and supervision to be effective and hence substituting people for AI is not ideal.

2. The companies need to give equal if not more importance to data security.

3. The companies need to constantly upgrade their systems and re-skill their technicians to combat cyber security threats.

4. The AI and ML systems need to be regularly audited to ensure that they are not compromised by cyber attacks and also to ensure that they are not generating false positives.

[]. Cisco, (2018, February). Annual Cybersecurity Report. Retrieved March 8, 2018, from https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2

[]. Ibid.

[]. Enterprise Strategy Group (2017, March ). Top-of-mind Threats and Their Impact on Endpoint Security Decisions. Retrieved March 8, 2018 from https://www.cylance.com/content/dam/cylance/pdfs/reports/ESG-Research-Insights-Report-Summary-Cylance-Oct-2017.pdf

[]. Ibid.

[]. Vorobeychik,Y (2016). Adversarial AI. Retrieved March 8, 2018, from https://www.ijcai.org/Proceedings/16/Papers/609.pdf

[]. Quora. ( 2081, February 15). How Will Artificial Intelligence And Machine Learning Impact Cyber Security? Retrieved March 8, 2018, from https://www.forbes.com/sites/quora/2018/02/15/how-will-artificial-intelligence-and-machine-learning-impact-cyber-security/#569454786147

[]. Sparkes, P. (2018, February 27). The 5 Essentials of Every Next-Gen SOC. Retrieved March 8, 2018, from https://www.brighttalk.com/webcast/13389/303251/the-5-essentials-of-every-next-gen-soc

[]. PTI. ( 2018, February 21).Indian companies lost $500,000 to cyber.Retrieved March 8, 2018, from https://economictimes.indiatimes.com/tech/internet/indian-companies-lost-500000-to-cyber-attacks-in-1-5-years-cisco/articleshow/63019927.cms

[]. Raval, A. ( 2018,January 30). AI takes cyber security to a new level for HDFC Bank.Retrieved March 8, 2018, from http://computer.expressbpd.com/magazine/ai-takes-cyber-security-to-a-new-level-for-hdfc-bank/23580/

[]. “The Centre for Development of Advanced Computing (C-DAC) under the Ministry of Electronics and Information Technology (MeitY) is working on a project to provide cyber forensic services to law-enforcing and other government and non-government agencies.” Ohri, R. (2018, February 15. Government readies AI-muscled cyber security plan. Retrieved March 8, 2018, from https://economictimes.indiatimes.com/news/politics-and-nation/government-readies-ai-muscled-cyber-security-plan/articleshow/62922403.cms utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

[]. Chowdhury, P.A. (2017, January 30). Cyber Warfare at large in Southeast Asia, India leverages AI for the same cause Retrieved March 8, 2018, from https://analyticsindiamag.com/cyber-warfare-large-southeast-asia-india-leverages-ai-cause/

[]. Open AI.(2017 February 24). Attacking Machine Learning with Adversarial Examples. Retrieved March 8, 2018, from https://blog.openai.com/adversarial-example-research/

For more details visit https://cis-india.org/internet-governance/blog/people-driven-and-tech-enabled-2013-how-ai-and-ml-are-changing-the-future-of-cyber-security-in-india

Parsing the Cyber Security Policy

chinmayi — 2013-07-22T06:37:56Z

An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble, says Chinmayi Arun.

Chinmayi Arun's article was published in the Hoot on July 13, 2013 and later cross-posted in the Free Speech Initiative the same day.

We often forget how vulnerable the World Wide Web leaves us. If walls of code prevent us from entering each other’s systems and networks, there are those who can easily pick their way past them or disable essential digital platforms. We are reminded of this by the doings of Anonymous, which carried out a series of attacks, including the website run by Computer Emergency Response Team India (CERT-In) which is the government agency in charge of cyber-security. Even more serious, are cyber-attacks (arguably cyber warfare) carried out by other states, using digital weapons such as Stuxnet, the digital worm. More proximate and personal are perhaps the phishing attacks, which are on the rise.

We therefore run a great risk if we leave air-traffic control, defense resources or databases containing several citizens’ personal data vulnerable. Sure, there is no doubt that efforts towards better cyber-security are needed. A cyber-security policy is meant to address this need, and to help manage threats to individuals, businesses and government agencies. We need to carefully examine the government’s efforts to handle cyber-security, how effective it is and whether its actions do not have too many negative spillovers.

The National Cyber-Security Policy, unveiled last week, is merely a statement of intention in broad terms. Much of its real impact will be ascertainable only after the language to be used in the law is available. Nevertheless, the scope of the policy remains ambiguous so far, leading to much speculation about the different ways in which it might be intrusive.

One Size Fits All?

The policy covers very different kinds of entities: government agencies, private companies or businesses, non-governmental entities and individual users. These entities may need to be handled differently depending on their nature. Therefore, while direct state action may be most appropriate to secure government agencies’ networks, it may be less appropriate in the context of purely private business.

For example, securing police records would involve the government directly purchasing or developing sufficiently secure technology. However, different private businesses and non-governmental entities may be left to manage their own security. Depending on the size of each entity, each may be differently placed to acquire sophisticated security systems. A good policy would encourage innovation by those with the capacity to do this, while ensuring that others have access to reasonably sound technology, and that they use it. Grey-areas might emerge in contexts where a private party is manages critical infrastructure.

It will also be important to distinguish between smaller and larger organisations whilst creating obligations. Unless this distinction is made at the implementation stage, start-up businesses and civil society organisations may find requirements such as earmarking a budget for cyber security implementation or appointing a Chief Information Security Officer onerous. Additionally, the policy will need to translate into a regulatory solution that provides under-resourced entities with ready solutions to enable them to make their information systems secure, while encouraging larger entities with greater purchasing power to invest in procuring the best possible solutions.

Race to the Top

Security on the Internet works only if it stays one step ahead the people trying to break in. An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble.

The policy contemplates working with industry and supporting academic research and development to achieve this. However the actual manner in which resources are distributed and progress is monitored may make the crucial difference between a waste of public funds and acquisition of capacity to achieve a reasonable degree of cyber security.

Additionally the flow of public funds under this policy, particularly to purchase technology, should be examined very carefully to see whether it is justified. For example, if the government chooses to fund (even by way of subsidy) a private company’s cyber-security research and development rather than an equivalent public university’s endeavour, this decision should be scrutinized to see whether it was necessary. Similarly, if extensive public funds are spent training young people as a capacity-building exercise, we should watch to see how many of these people stay in India and how many leave such that other countries end up benefiting from the Indian government’s investment in them!

Investigation of Security Threats

Although much of the policy focuses on defensive measures that can be taken against security breaches, it is intended not only to cover investigation subsequent to an attack but also to pinpoint ‘potential cyber threats’ so that proactive measures may be taken.

The policy has outlined the need for a ‘Cyber Crisis Management Plan’ to handle incidents that impact ‘critical national processes or endanger public safety and security of the nation’. This portion of the policy will need to be watched closely to ensure that the language used is very narrow and allows absolutely no scope for misinterpretation or misuse that would affect citizens’ rights in any manner.

This caution will be necessary both in view of the manner in which restraints on freedom of speech permitted in the interests of public safety have been flagrantly abused, and because of the kind of paternalistic state intrusion that might be conceived to give effect to this.

Additionally, since the policy also mentions information sharing with internal and international security, defence, law enforcement and other such agencies, it will also be important to find out the exact nature of information to be shared. Of course, how the policy will be put into place will only become clear as the terms governing its various parts emerge. But one hopes the necessary internal direct action to ensure the government agencies’ information networks are secure is already well underway.

It is also to be hoped that the government chooses to take implementation of privacy rights at least as seriously as cyber-security. If some parts of cyber security involve ensuring that user data is protected, the decision about what data needs protection will be important to this exercise.

Additionally, although the policy discusses various enabling and standard-setting measures, it does not discuss the punitive consequences of failure to take reasonable steps to safeguard individuals’ personal data online. These consequences will also presumably form a part of the privacy policy, and should be put in place as early as possible.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-july-13-2013-chinmayi-arun-parsing-the-cyber-security-policy

National Seminar on Cyber Security & Cyber Laws - Issues and Concerns

praskrishna — 2014-12-31T02:04:37Z

Sharath Chandra Ram was a panelist at this seminar organized by the Advanced Centre for Research, Development & Training in Cyber Laws & Forensics on December 27 and 28, 2014 at the National Law School of India University in Bangalore.

Sharath was part of a plenary session on "Multi-Disciplinary Challenges in Ensuring Cyber Security". He spoke about 'multi-stakeholderim in cyber security and CERT programs of nations'.

PROGRAMME SCHEDULE

Day 1 - 27^th December 2014
09:00- 10:00	REGISTRATION
10:00- 11:00 INAUGURAL SESSION AT SHRI. KRISHNAPPA MEMORIAL HALL [ACADEMIC BLOCK]	Welcome & Introduction: Dr. Nagarathna. A., Seminar Director Inaugural Address: Shri. Pratap Reddy, IPS, IGP, Internal Security Division, Karnataka Police, Bangalore Key Note Address: Dr. R. Venkata Rao, Vice Chancellor, NLSIU Vote of Thanks: Dr. T. V. Subba Rao, Senior Professor, NLSIU
11:00-11:45	GROUP PHOTO & TEA BREAK
11:45-01:00 PLENARY SESSION AT SHRI. KRISHNAPPA MEMORIAL HALL [ACADEMIC BLOCK]	THEME: "MULTI-DISCIPLINARY CHALLENGES IN ENSURING CYBER SECURITY" Members of the Panel: 1. Mr. Subrahmanya Boda, CISO, GMR 2. Mr. Sunil Varkey, CISO, WIPRO 3. Mr. Ramesh Kauta , CISO, GE [India] 4. Mr. T T Thomas, CTO Synergia Technologies, 5. Mr. Rahul Matthan, Partner, Trilegal. 6. Sharath Chandra Ram (Sharathchandra Ramakrishnan), Researcher at Centre for Internet & Society 7. Mr. Srinivas P, CISO, Infosys & Anchor, DSCI Bangalore Chapter [Moderator of the session]
01:00-02:00	LUNCH BREAK
venue	Shri Krishnappa Memorial Hall (Academic Block)		International Training Centre
02:00-03:30	Technical Session 1		Technical Session 2
03:30-04:00	TEA BREAK
04:00-05:30	Technical Session 3		Technical Session 4
6:00 to 7. 00	CULTURAL EVENING Venue: Quad, Academic Block
Day 2 - 28^th December 2014
08:00-09:00	BREAK FAST
venue	Shri Krishnappa Memorial Hall (Academic Block)	International Training Centre		MPP Class Room (Academic Block)
09:30- 11:00	Technical Session 5	Technical Session 6		Technical Session 7
11:00- 11:30	TEA BREAK
	Shri Krishnappa Memorial Hall (Academic Block)	International Training Centre		MPP Class Room (Academic Block)
11:30-1:30	Technical Session 8	Technical Session 9		Technical Session 10
01:30-02:30	LUNCH BREAK
02:30-03. 45 PLENARY SESSION AT SHRI. KRISHNAPPA MEMORIAL HALL [ACADEMIC BLOCK]	THEME: "SECURING CYBER SPACE THROUGH INSTITUTIONAL INVOLVEMENT" Members of the Panel: 1. Dr. Kamble, Director, Computer Emergency Response Team [CERT] India, Dept of Electronics & IT, Ministry of IT, Government of India 2. Dr. S.B.N. Prakash, Senior Professor of Law, NLSIU 3. Mr. Naa Vijay Shankar, Cyber Law Consultant, Bangalore 4. Mr. Balasubramanya, Vice President, Tata Consultancy Services, Bangalore 5. Mr. Ranganath, Delivery Project Executive, IBM, Bangalore 6. Mr. Venkatesh Murthy, Senior Manager, Cyber Forensics, Data Security Council of India [DSCI], Bangalore. 7. Mr. M. D. Sharath, Dy. S. P., Cyber Police, Bangalore 8. Dr. Nagarathna. A., Senior Assistant Prof of Law, NLSIU [Moderator]
3. 45 to 4. 00	TEA BREAK
04:00-05:00 AT SHRI. KRISHNAPPA MEMORIAL HALL [ACADEMIC BLOCK]	VALEDICTORY SESSION Seminar Resolutions: Dr. T. V. Subba Rao, Senior Professor, NLSIU Valedictory Address & Distribution of Certificates: : Dr. R. Venkata Rao, Vice Chancellor, NLSIU Vote of thanks: Dr. Nagarathna. A., Seminar Director

For more details visit https://cis-india.org/internet-governance/news/national-seminar-cyber-security-and-cyber-laws

National Cyber Defence Summit 2016

praskrishna — 2016-10-10T12:54:29Z

National Cyber Defence Summit – 2016 was organized by the National Cyber Safety and Security Standards in association with State & Central Governments, Ministry of Defence, Government of India, AICTE & Anna University on 30 September and 1 October 2016 in Chennai. Vanya Rakesh attended the summit.

The Summit focused on multiple issues linked with the current use of cyberspace by the various stake holders and creating awareness of the responsibility associated with the judicious use of this significant and powerful tool, without endangering the fragile security and social framework. The mission of the Summit is to establish a multi-stakeholder consortium that brings together Industry, Government, and Academic interests in an effort to improve the state of Cyber Security on both a domestic and international level. Primarily, the Summit focuses on multiple issues linked with the current use of cyberspace by the various stake holders and creating awareness of the responsibility associated with the judicious use of this significant and powerful tool, without endangering the fragile security and social framework.

In fact this is the one and only High Level Summit which gathers the presence of Multi-Stakeholders from State/Central Governments, Defence, MNCs, PSUs, Academics, PSBs, Intelligence Agencies, Enforcement Agencies and etc. For more info see the website here. Agenda can be viewed here.

For more details visit https://cis-india.org/internet-governance/news/national-cyber-defence-summit-2016

NASSCOM-DSCI Annual Information Security Summit 2015 - Notes

sumandro — 2016-01-19T07:58:56Z

NASSCOM-DSCI organised the 10th Annual Information Security Summit (AISS) 2015 in Delhi during December 16-17. Sumandro Chattapadhyay participated in this engaging Summit. He shares a collection of his notes and various tweets from the event.

Details about the Summit

Event page: https://www.dsci.in/events/about/2261.

Agenda: https://www.dsci.in/sites/default/files/Agenda-AISS-2015.pdf.

Notes from the Summit

Mr.G.K.Pillai ,Chairman DSCI addressing the audience @ 10th Annual Information Security Summit '15 #AISS15 pic.twitter.com/JVcwct3HSF
— DSCI (@DSCI_Connect) December 16, 2015

Mr. G. K. Pillai, Chairman of Data Security Council of India (DSCI), set the tone of the Summit at the very first hour by noting that 1) state and private industries in India are working in silos when it comes to preventing cybercrimes, 2) there is a lot of skill among young technologists and entrepreneurs, and the state and the private sectors are often unaware of this, and 3) there is serious lack of (cyber-)capacity among law enforcement agencies.

In his Inaugural Address, Dr. Arvind Gupta (Deputy National Security Advisor and Secretary, NSCS), provided a detailed overview of the emerging challenges and framework of cybersecurity in India. He focused on the following points:

#India Dy NSA Dr Arvind Gupta calls 4 #cybersecurity by #design in #ICT #AISS15 pic.twitter.com/79kq9lWGtk
— Deepak Maheshwari (@dmcorpaffair) December 16, 2015

Security is a key problem in the present era of ICTs as it is not in-built. In the upcoming IoT era, security must be built into ICT systems.
In the next billion addition to internet population, 50% will be from India. Hence cybersecurity is a big concern for India.
ICTs will play a catalytic role in achieving SDGs. Growth of internet is part of the sustainable development agenda.
We need a broad range of critical security services - big data analytics, identity management, etc.
The e-governance initiatives launched by the Indian government are critically dependent on a safe and secure internet.
Darkweb is a key facilitator of cybercrime. Globally there is a growing concern regarding the security of cyberspace.
On the other hand, there exists deep divide in access to ICTs, and also in availability of content in local languages.
The Indian government has initiated bilateral cybersecurity dialogues with various countries.
Indian government is contemplating setting up of centres of excellence in cryptography. It has already partnered with NASSCOM to develop cybersecurity guidelines for smart cities.
While India is a large global market for security technology, it also needs to be self-reliant. Indian private sector should make use of government policies and bilateral trust enjoyed by India with various developing countries in Africa and south America to develop security technology solutions, create meaningful jobs in India, and export services and software to other developing countries.
Strong research and development, and manufacturing base are absolutely necessary for India to be self-reliant in cybersecurity. DSCI should work with private sector, academia, and government to coordinate and realise this agenda.
In the line of the Climate Change Fund, we should create a cybersecurity fund, since it is a global problem.
Silos are our bane in general. Bringing government agencies together is crucial. Trust issues (between government, private sector, and users) remain, and can only be resolved over time.
The demand for cybersecurity solutions in India is so large, that there is space for everyone.
The national cybersecurity centre is being set up.
Thinktanks can play a crucial role in helping the government to develop strategies for global cybersecurity negotiations. Indian negotiators are often capacity constrained.

Rajendra Pawar, Chair of the NASSCOM Cyber Security Task Force, NASSCOM Cybersecurity Initiative, provided glimpses of the emerging business opportunity around cybersecurity in India:

In next 10 years, the IT economy in India will be USD 350 bn, and 10% of that will be the cybersecurity pie. This means a million job only in the cybersecurity space.
Academic institutes are key to creation of new ideas and hence entrepreneurs. Government and private sectors should work closely with academic institutes.

'Companies+Govt+Academia= High growth of the cybersecurity industry' - Rajendra Pawar at #AISS15 @DSCI_Connect
— Shivangi Nadkarni (@shivanginadkarn) December 16, 2015
Globally, cybersecurity innovation and industries happen in clusters. Cities and states must come forward to create such clusters.
2/3rd of the cybersecurity market is provision of services. This is where India has a great advantage, and should build on that to become a global brand in cybersecurity services.
Everyday digital security literacy and cultures need to be created.
Publication of cybersecurity best practices among private companies is a necessity.

Corporate disclosures of breaches being considered with Nasscom under cybersec task force: Rajendra Pawar #AISS15 @DSCI_Connect @ETtech
— Neha Alawadhi (@NehaAlawadhiET) December 16, 2015
Dedicated cybersecurity spending should be made part of the e-governance budget of central and state governments.
DSCI should function as a clearing house of cybersecurity case studies. At present, thought leadership in cybersecurity comes from the criminals. By serving as a use case clearing house, DSCI will inform interested researchers about potential challenges for which solution needs to be created.

Manish Tiwary of Microsoft informed the audience that India is in the top 3 positions globally in terms of malware proliferation, and this ensures that India is a big focus for Microsoft in its global war against malware. Microsoft India looks forward to work closely with CERT-In and other government agencies.

RSA's Kartik Shahani @DSCI_Connect #AISS15 Adopt a Deep & Pervasive Level of True Visibility Everywhere pic.twitter.com/2U8J8WkWsI
— Debjani Gupta (@DebjaniGupta1) December 16, 2015

Data localization; one of the stumbling blocks that undermine investments in #cybersecurity. #AISS15 pic.twitter.com/vrff3Amcv0
— Appvigil (@appvigil_co) December 16, 2015

Trust verification 4 embedded devices isnt complex bt much desired as people lives r dependent on that-cld cause physical damage #AISS15
— Lokesh Mehra (@lokesh_mehra) December 16, 2015

"Most compromised OS in 2k15: iOS"-Riyaz Tambe, Palo Alto Networks #AISS15
— Indira Sen (@drealcharbar) December 16, 2015

Security by default in IOS architecture tho' can't verify code as noṭ open - is it security by obscurity? #AISS15 pic.twitter.com/kbPZgH8oA0
— Lokesh Mehra (@lokesh_mehra) December 16, 2015

The session on Catching Fraudsters had two insightful presentations from Dr. Triveni Singh, Additional SP of Special Task Force of UP Police, and Mr. Manoj Kaushik, IAS, Additional Director of FIU.

Dr. Singh noted that a key challenge faced by police today is that nobody comes to them with a case of online fraud. Most fraud businesses are run by young groups operating BPOs that steal details from individuals. There exists a huge black market of financial and personal data - often collected from financial institutions and job search sites. Almost any personal data can be bought in such markets. Further, SIM cards under fake names are very easy to buy. The fraudsters are effective using all fake identity, and is using operational infrastructures outsourced from legitimate vendors under fake names. Without a central database of all bank customers, it is very difficult for the police to track people across the financial sector. It becomes even more difficult for Indian police to get access to personal data of potential fraudsters when it is stored in a foreign server. which is often the case with usual web services and apps. Many Indian ISPs do not keep IP history data systematically, or do not have the technical expertise to share it in a structured and time-sensitive way.

Mr. Triveni Singh talks about raiding fake call centres in Delhi NCR that scam millions every year #AISS15 pic.twitter.com/EmE4y3jux2
— pradyumn nand (@PradyumnNand) December 16, 2015

Mr. Kaushik explained that no financial fraud is uniquely committed via internet. Many fraud begin with internet but eventually involve physical fraudulent money transaction. Credit/debit card frauds all involve card data theft via various internet-based and physical methods. However, cybercrime is continued to be mistakenly seen as frauds undertaken completely online. Further, mobile-based frauds are yet another category. Almost all apps we use are compromised, or store transaction history in an insecure way, which reveals such data to hackers. FIU is targeting bank accounts to which fraud money is going, and closing them down. Catching the people behind these bank accounts is much more difficult, as account loaning has become a common practice - where valid accounts are loaned out for a small amount of money to fraudsters who return the account after taking out the fraudulent money. Better information sharing between private sector and government will make catching fraudsters easier.

@AkhileshTuteja With data overload and big data being prevalent are we considering privacy elements #AISS15 #KpmgIndiaCyber
— Atul Gupta (@AtulGup15843145) December 16, 2015

'Tech solns today designed to protect security - solns for privacy need to evolve'- @Mayurakshi_Ray #AISS15 @DSCI_Connect
— Shivangi Nadkarni (@shivanginadkarn) December 16, 2015

In-house tools important but community collaboration critical to fight security threats @tata_comm #AISS15 pic.twitter.com/ZjbCnaROXC
— aparna (@aparnag14) December 16, 2015

'Orgns in India have a long way to go b4 they internalise privacy principles' Subhash S, CISO ICICI #AISS15 @DSCI_Connect
— Shivangi Nadkarni (@shivanginadkarn) December 16, 2015

Prof PK giving an interesting brief on Academia role in Cyber Security. @ponguru @DSCI_Connect at #AISS15 pic.twitter.com/MEiO6sCJwu
— Vikas Yadav (@VikasSYadav) December 16, 2015

Potential for interaction between Academia, Government and Industry but not an established reality yet. #AISS15 #MappingCyberEducation
— Indira Sen (@drealcharbar) December 16, 2015

I have figured out why information security is not in any boardroom discussions. Cause there are no good speakers / orators . #AISS15
— Virag Thakkar (@viragthakkar) December 16, 2015

The session on Smart Cities focused on discussing the actual cities coming up India, and the security challenges highlighted by them. There was a presentation on Mahindra World City being built near Jaipur. Presenters talked about the need to stabilise, standardise, and securitise the unique identities of machines and sensors in a smart city context, so as to enable secured machine-to-machine communication. Since 'smartness' comes from connecting various applications and data silos together, the governance of proprietary technology and ensuring inter-operable data standards are crucial in the smart city.

As Special Purposed Vehicles are being planned to realise the smart cities, the presenters warned that finding the right CEOs for these entities will be critical for their success. Legacy processes and infrastructures (and labour unions) are a big challenge when realising smart cities. Hence, the first step towards the smart cities must be taken through connected enforcement of law, order, and social norms.

Privacy-by-design and security-by-design are necessary criteria for smart cities technologies. Along with that regular and automatic software/middleware updating of distributed systems and devices should be ensured, as well as the physical security of the actual devices and cables.

In terms of standards, security service compliance standards and those for protocols need to be established for the internet-of-things sector in India. On the other hand, there is significant interest of international vendors to serve the Indian market. All global data and cloud storage players, including Microsoft Azure cloud, are moving into India, and are working on substantial and complete data localisation efforts.

Session - Why should you hire Women Security Professionals?... Balancing gender diversity #AISS15 #DSCI_Connect pic.twitter.com/uIMfG9PvAb
— Jagan Suri (@jsuri90) December 16, 2015

gender Diversity in cybersecurity critical 4 India's future. @symantec partnered with @nasscom via 1000 women scholarships #AISS15
— Lokesh Mehra (@lokesh_mehra) December 16, 2015

Dialogue with CERT-In .. Starting 2nd Day of #AISS15 .. B J Srinath, DG, CERT @DSCI_Connect #security #privacy pic.twitter.com/cvDcrgkein
— Vinayak Godse (@godvinayak) December 17, 2015

New #problems can't b solved w old #solutions: #India CERT DG BJ Srinath #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

17 entities within #Indian #government engaged in #cybersecurity: #India CERT head #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

Scope of activities by CERT in #India way more than its counterparts elsewhere #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

#India CERT looks 8 prediction & #prevention #cybersecurity #emergency not just #response #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

#India CERT willing to #share #information rather than just receiving #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

Savita CERTin outlines drill initiatives taken 4 preparedness-detect (protect), defend attacks wth response #AISS15 pic.twitter.com/wXrkgoLzr2
— Lokesh Mehra (@lokesh_mehra) December 17, 2015

CERTin also offers incident predicatibility,Crisis mgmt plans, #cybersecurity assurance ladder (7 levels) besides 24 x 7 prevention #AISS15
— Lokesh Mehra (@lokesh_mehra) December 17, 2015

#India has 7.2 million bot infected #machines: #India CERT DG Srinath #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

Seizure & protection of electronic devices as admissible evidence (certificate u Sec 65B) imperative under Forensics investigation #AISS15
— Lokesh Mehra (@lokesh_mehra) December 17, 2015

'Law enforcement agency&corporate world must collaborate to fight cybercrime'-Atul Gupta,Partner-Risk Adv. @ #AISS15 pic.twitter.com/GwAQWhYMmK
— KPMG India (@KPMGIndia) December 17, 2015

Mr. R. Chandrasekhar, President of NASSCOM, foregrounded the recommendations made by the Cybersecurity Special Task Force of NASSCOM, in his Special Address on the second day. He noted:

There is a great opportunity to brand India as a global security R&D and services hub. Other countries are also quite interested in India becoming such a hub.
The government should set up a cybersecurity startup and innovation fund, in coordination with and working in parallel with the centres of excellence in internet-of-things (being led by DeitY) and the data science/analytics initiative (being led by DST).
There is an immediate need to create a capable workforce for the cybersecurity industry.
Cybersecurity affects everyone but there is almost no public disclosure. This leads to low public awareness and valuation of costs of cybersecurity failures. The government should instruct the Ministry of Corporate Affairs to get corporates to disclose (publicly or directly to the Ministry) security breeches.
With digital India and everyone going online, cyberspace will increasingly be prone to attacks of various kinds, and increasing scale of potential loss. Cybersecurity, hence, must be part of the core national development agenda.
The cybersecurity market in India is big enough and under-served enough for everyone to come and contribute to it.

The Keynote Address by Mr. Rajiv Singh, MD – South Asia of Entrust Datacard, and Mr. Saurabh Airi, Technical Sales Consultant of Entrust Datacard, focused on trustworthiness and security of online identities for financial transactions. They argued that all kinds of transactions require a common form factor, which can be a card or a mobile phone. The key challenge is to make the form factor unique, verified, and secure. While no programme is completely secure, it is necessary to build security into the form factor - security of both the physical and digital kind, from the substrates of the card to the encryption algorithms. Entrust and Datacard have merged in recent past to align their identity management and security transaction workflows, from physical cards to software systems for transactions. The advantages of this joint expertise have allowed them to successfully develop the National Population Register cards of India. Now, with the mobile phone emerging as a key financial transaction form factor, the challenge across the cybersecurity industry is to offer the same level of physical, digital, and network security for the mobile phone, as are provided for ATM cards and cash machines.

The following Keynote Address by Dr. Jared Ragland, Director - Policy of BSA, focused on the cybersecurity investment landscape in India and the neighbouring region. BSA, he explained, is a global trade body of software companies. All major global software companies are members of BSA. Recently, BSA has produced a study on the cybersecurity industry across 10 markets in the Asia Pacific region, titled Asia Pacific Cybersecurity Dashboard. The study provides an overview of cybersecurity policy developments in these countries, and sector-specific opportunities in the region. Dr. Ragland mentioned the following as the key building blocks of cybersecurity policy: legal foundation, establishment of operational entities, building trust and partnerships (PPP), addressing sector-specific requirements, and education and awareness. As for India, he argued that while steady steps have been taken in the cybersecurity policy space by the government, a lot remains to be done. Operationalisation of the policy is especially lacking. PPPs are happening but there is a general lack of persistent formal engagement with the private sector, especially with global software companies. There is almost no sector-specific strategy. Further, the requirement for India-specific testing of technologies, according to domestic and not global standards, is leading to entry barrier for global companies and export barrier for Indian companies. Having said that, Dr. Ragland pointed out that India's cybersecurity experience is quite representative of that of the Asia Pacific region. He noted the following as major stumbling blocks from an international industry perspective: unnecessary and unreasonable testing requirements, setting of domestic standards, and data localisations rules.

The Policy Makers' panel in #AISS15 in progress. Arvind Gupta, Head, BJP IT cell (@buzzindelhi) speaks. pic.twitter.com/9yWR0gMwf5
— Nandkumar Saravadé (@saravade) December 17, 2015

One of the final sessions of the Summit was the Public Policy Dialogue between Prof. M.V. Rajeev Gowda, Member of Parliament, Rajya Sabha, and Mr. Arvind Gupta, Head of IT Cell, BJP.

Prof. Gowda focused on the following concerns:

We often freely give up our information and rights over to owners of websites and applications on the web. We need to ask questions regarding the ownership, storage, and usage of such data.
While Section 66A of Information Technology Act started as a anti-spam rule, it has actually been used to harass people, instead of protecting them from online harassment.
The bill on DNA profiling has raised crucial privacy concerns related to this most personal data. The complexity around the issue is created by the possibility of data leakage and usage for various commercial interests.
We need to ask if western notions of privacy will work in the Indian context.
We need to move towards a cashless economy, which will not only formalise the existing informal economy but also speed up transactions nationally. We need to keep in mind that this will put a substantial demand burden on the communication infrastructure, as all transactions will happen through these.

Mr. Gupta shared his keen insights about the key public policy issues in digital India:

The journey to establish the digital as a key political agenda and strategy within BJP took him more than 6 years. He has been an entrepreneur, and will always remain one. His approached his political journey as an entrepreneur.
While we are producing numerous digitally literate citizens, the companies offering services on the internet often unknowingly acquire data about these citizens, store them, and sometimes even expose them. India perhaps produces the greatest volume of digital exhaust globally.
BJP inherited the Aadhaar national identity management platform from UPA, and has decided to integrate it deeply into its digital India architecture.
Financial and administrative transactions, especially ones undertake by and with governments, are all becoming digital and mostly Aadhaar-linked. We are not sure where all such data is going, and who all has access to such data.
Right now there is an ongoing debate about using biometric system for identification. The debate on privacy is much needed, and a privacy policy is essential to strengthen Aadhaar. We must remember that the benefits of Aadhaar clearly outweigh the risks. Greatest privacy threats today come from many other places, including simple mobile torch apps.
India is rethinking its cybersecurity capacities in a serious manner. After Paris attack it has become obvious that the state should be allowed to look into electronic communication under reasonable guidelines. The challenge is identifying the fine balance between consumers' interest on one hand, and national interest and security concerns on the other. Unfortunately, the concerns of a few is often getting amplified in popular media.
MyGov platform should be used much more effectively for public policy debates. Social media networks, like Twitter, are not the correct platforms for such debates.

#AISS15: @rajivgowda & @buzzindelhi are talking abt proactive disclosure as a key part of #cybersecurity strategy #openData @DataPortalIndia
— sumandro (@ajantriks) December 17, 2015

For more details visit https://cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes

Multinational Cyber Security Forum at University of Haifa

Admin — 2017-11-27T14:34:59Z

Sunil Abraham participated in a meeting in Israel on Multinational Cyber Security Forum hosted by Center for Cyber, Law and Policy and University of Haifa in collaboration with the Hewlett Foundation Cyber Initiative.

The workshop was held from November 5 to 7, 2017. The objective of the workshop was to facilitate a free and open exchange among participants under the Chatham House Rules. The workshop sought to identify areas of agreement and dissent pertaining to cyber security regulation and to explore issues that require further research, clarification and development.

For more details visit https://cis-india.org/internet-governance/news/multinational-cyber-security-forum-at-university-of-haifa

Most emerging firms low on cyber security: Experts

praskrishna — 2015-06-29T16:02:51Z

When Pavitra Badrinath saw that the upgrade to a shopping application on her smartphone asked access to her contacts and messages, she decided against it. "Laws on privacy are not clear in India. So I am doing what I can to protect my information," the 26-year-old technology firm employee said.

The article by Malavika Murali and Payal Ganguly was published in the Economic Times on June 24, 2015. Sunil Abraham gave his inputs.

Are users taking a risk by allowing applications to gain access to personal data shadowed by an upgrade? "Most definitely ," said Bikash Barai, cofounder and chief executive of security firm iViz Security .

With at least 10 alleged breaches and hacks into the databases of startups such as Ola and Gaana this year, the alarm bells are going off.

Experts warn that emerging businesses are lax with security frameworks, which is especially worrying as millions more Indians are shopping online, including on their phones, exposing crucial personal and financial data to fraud.

More than 70 per cent of Indian companies are under-prepared when it comes to cyber security, according to a report by CISO Platform, a social platform for security experts where Barai is chief adviser.

India's largest cab-hailing company, Ola denied hackers' claims in an email response to ET, stating that its data were not compromised.

Music service Gaana.com, in response to being hacked by a person in Pakistan calling himself MakMan, said it had strengthened its security team and offerings in recent weeks. "In addition, we are working on a `bug bounty' program, which will allow individuals to point out any potential vulnerability in a safe way," said Pawan Agarwal, business head at Gaana.com.

According to Google India, the number of online shoppers is expected to cross 100 million by the end of next year, from 35 million ear, from 35 million n 2014. But lack of roust regulations and ata privacy laws as ell as the fragmentd nature of the starup ecosystem, do not llow much scope for esearch on cyber seurity , said experts."Under the Indian "Under the Indian regime, there are no self-regulatory mechanisms for putting out breach notifications," said Sunil Abraham, executive director of the Centre for Internet and Society. "The numbers available with a central body like Data Security Council of India will be a gross underestimation of the cases of breach."

"Most of the startups in India want to do everything in-house. This can lead to a potential compromise or lack of expertise on the security front, even if it is made priority," said Harshit Agarwal, founder and chief executive of Singapore-based Appknox, which provides security services to Paytm, Freecharge and Myntra among other clients.

Jabong founder and managing director Praveen Sinha said the online fashion retailer spends 15-20 per cent of its revenue on cyber security. But other startups contended that budgets and teams sizes are not accurate indicators of security preparedness.

"We do not work with any external security firms as we have realised that the average report is as good as our internal team can make," said Mukesh Singh, chief executive officer of online grocer ZopNow.

For more details visit https://cis-india.org/internet-governance/news/economic-times-june-24-2015-malavika-murali-and-payal-ganguly-most-emerging-firms-low-on-cyber-security-experts

Mapping of Sections in India’s MLAT Agreements

Leilah Elmokadem and Saumyaa Naidu — 2016-12-31T06:52:46Z

This set of infographics by Leilah Elmokadem and Saumyaa Naidu maps out and compares the various sections that exist in the 39 MLATs (mutual legal assistance treaty) between India and other countries. An MLAT is an agreement between two or more countries, drafted for the purpose of gathering and exchanging information in an effort to enforce public or criminal laws.

Download: Infographic (PDF) and data (XLSX)

We have found that India’s 39 MLAT documents are worded, formatted and sectioned differently. At the same time, many of the same sections exist across several MLATs. This diagram lists the sections found in the MLAT documents and indicates the treaties in which they were included or not included. To keep the list of sections concise and to more easily pinpoint the key differences between the agreements, we have merged sections that are synonymous in meaning but were worded slightly differently. For example: we would combine “Entry into force and termination” with “Ratification and termination” or “Expenses” with “Costs”.

At the same time, some sections that seemed quite similar and possible to merge were kept separate due to potential key differences that could be overlooked as a result. For example: “Limitation on use” vs. “Limitation on compliance” or “Serving of documents” vs. “Provision of (publicly available) documents/records/objects” remained separate for further analysis and comparison.

These differences in sectioning can be analysed to facilitate a thorough comparison between the effectiveness, efficiency, applicability and enforceability of the various provisions across the MLATs. The purpose of this initial mapping is to provide an overall picture of which sections exist in which MLAT documents. There will be further analysis of these sections to produce a more holistic content-based comparison of the MLATs.

Aggregated Analysis of Sections of MLAT Agreements

For more details visit https://cis-india.org/internet-governance/blog/india-mlat-agreements-sections-map-dec-2016

Mapping cybersecurity in India: An infographic

Arindrajit Basu, Karan Saini, Aayush Rathi and Swaraj Barooah — 2018-12-23T16:57:24Z

This infographic maps the key stakeholder, areas of focus and threat vectors that impact cybersecurity policy in India. Broadly, policy-makers should concentrate on establishing a framework where individuals feel secure and trust the growing digital ecosystem. The infographic therefore serves as a ready reference point for the research that we have done and hope to continue through our cybersecurity work at CIS.

Infographic designed by Saumyaa Naidu

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-karan-saini-aayush-rathi-and-swaraj-paul-barooah-december-23-mapping-cyber-security-in-india-infographic

Lessons from US response to cyber attacks

Arindrajit Basu — 2018-11-01T05:53:42Z

Publicly attributing the attacks to a state or non-state actor is vital for building a credible cyber deterrence strategy.

The article was published in Hindu Businessline on October 30, 2018. The article was edited by Elonnai Hickok.

In September, amidst the brewing of a new found cross-continental romance between Kim Jong-Un and Donald Trump, the US Department of Justice filed a criminal complaint indicting North Korean hacker Park Jin Hyok for playing a role in at least three massive cyber operations against the US. This included the Sony data breach of 2014; the Bangladesh bank heist of 2016 and the WannaCry ransomware attack in 2017. This indictment was followed by one on October 4, of seven officers in the GRU, Russia’s military agency, for “persistent and sophisticated computer intrusions.” Evidence adduced in support included forensic cyber evidence like similarities in lines of code or analysis of malware and other factual details regarding the relationship between the employers of the indicted individuals and the state in question.

While it is unlikely that prosecutions will ensue, indicting individuals responsible for cyber attacks offers an attractive option for states looking to develop a credible cyber deterrence strategy.

Attributing cyber attacks

Technical uncertainty in attributing attacks to a specific actor has long fettered states from adopting defensive or offensive measures in response to an attack and garnering support from multilateral fora. Cyber attacks are multi-stage, multi-step and multi-jurisdictional, which complicates the attribution process and removes the attacker from the infected networks.

Experts at the RAND Corporation have argued that technical challenges to attribution should not detract from international efforts to adopt a robust, integrated and multi-disciplinary approach to attribution, which should be seen as a political process operating in symbiosis with technical efforts. A victim state must communicate its findings and supporting evidence to the attacking state in a bid to apply political pressure.

Clear publication of the attribution process becomes crucial as it furthers public credibility in investigating authorities; enables information exchange among security researchers and fosters deterrence by the adversary and potential adversaries.

Although public attributions need not take the form of a formal indictment and are often conducted through statements by foreign ministries, a criminal indictment is more legitimate as it needs to comply with the rigorous legal and evidentiary standards required by the country’s legal system. Further, an indictment allows for the attack to be conceptualised as a violation of the rule of law in addition to being a geopolitical threat vector.

Lessons for India

India is yet to publicly attribute a cyber attack to any state or non-state actor. This is surprising given that an overwhelming percentage of attacks on Indian websites are perpetrated by foreign states or non-state actors, with 35 per cent of attacks emanating from China, as per a report by the Indian Computer Emergency Response Team (CERT-IN), the national nodal agency under the Ministry of Electronics and Information Technology (MEITY) which deals with cyber threats.

Along with other bodies, such as the National Critical Information Protection Centre (NCIIPC) which is the nodal central agency for the protection of critical information infrastructure, CERT-IN forms part of an ecosystem of nodal agencies designed to guarantee national cyber security.

There are three key lessons that policy makers involved in this ecosystem can take away from the WannaCry attribution process and the Park indictment. First, there is a need for multi-stakeholder collaboration through sharing of research, joint investigations and combined vulnerability identification among the various actors employed by the government, law enforcement authorities and private cyber security firms.

The affidavit suggested that the FBI had used information from various law enforcement personnel, computer scientists at the FBI; Mandiant — a cyber security firm retained by the US Attorney’s Office and publicly available materials produced by cyber security companies. Second, the standards of attribution need to demonstrate compliance both with the evidentiary requirements of Indian criminal law and the requirements in the International Law on State Responsibility. The latter requires an attribution to demonstrate that a state had ‘effective control’ over the non-state actor.

Finally, the attribution must be communicated to the adversary in a manner that does not risk military escalation. Despite the delicate timing of the indictment, Park’s prosecution by the FBI did not dampen the temporary thaw in relations between US and North Korea.

While building capacity to improve resilience, detect attacks and improve attribution capabilities should be a priority, we need to remember that regardless of the breakthrough in both human and infrastructural capacities, attributing cyber attacks will never be an exercise in certainty.

India will need to marry its improved capacity with strategic geopolitical posturing. Lengthy indictments may not deter all potential adversaries but may be a tool in fostering a culture of accountability in cyberspace.

For more details visit https://cis-india.org/internet-governance/blog/hindu-businessline-arindrajit-basu-october-30-2018-lessons-from-us-response-to-cyber-attacks

IT companies in Bengaluru on high alert over WannaCry ransomware

praskrishna — 2017-05-19T09:05:46Z

In the wake of the ransomware attack triggered by WannaCry virus, IT firms in Bengaluru are racing against time to updating their security systems. At some firms, employees have been asked to stay away from work for a few hours, while many other companies have declared holiday for a day or two for their employees.

The article by Kiran Parashar K M & Shruthi H M was published in the New Indian Express on May 17, 2017. Pranesh Prakash was quoted.

Sources said IT teams in many firms are working overtime to ensure such attacks do not harm their systems. Employees have been communicated to be aware of unsolicited emails and were asked to stay away from work at a few places where the security systems update was in progress.

A network engineer of a secondary source software firm, who provides security solutions, said, “We were asked to work on weekend and monitor the servers. The monitoring process is likely to continue. Some of the outsourcing companies have declared holiday as network engineers are flooded with work.”
“Recent developments have affected work at IT firms but there is no report of any company getting affected,” a techie said.

Wipro Ltd officials told Express: “Wipro has not seen any impact. However, we remain vigilant and have strengthened security controls at all layers to detect and mitigate any such threat.”

Companies providing financial technology are struggling to ensure that all ATMs are running on updated software. “We are in touch with the original equipment manufacturers for the patches that may be required to be rolled out on the ATMs running on Windows XP and Windows 7, to make them additionally secure,” said Radha Rama Dorai (Country Head - ATM & Allied Services), FIS, a financial technology provider.
“Fortunately ATMs in India have not been affected by WannaCry ransomware,” said Dorai.

Sudesh Shetty, Partner, Forensics, KPMG in India, said: “Banks need to apply the patch which Windows has released for outdated operating systems. Organisations need to make use of it.”

WannaCry under reported

The Indian Cyber Army sources said that there has been under reporting of such incidents as many individuals use pirated version of the Windows software. Also, people have no idea whom to report if they fall prey to WannaCry.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware

Is the new ‘interception’ order old wine in a new bottle?

Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare — 2018-12-29T16:02:00Z

The government could always authorise intelligence agencies to intercept and monitor communications, but the lack of clarity is problematic.

An opinion piece co-authored by Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare was published in Newslaundry.com on December 27, 2018.

On December 20, 2018, through an order issued by the Ministry of Home Affairs (MHA), 10 security agencies—including the Intelligence Bureau, the Central Bureau of Investigation, the Enforcement Directorate and the National Investigation Agency—were listed as the intelligence agencies in India with the power to intercept, monitor and decrypt "any information" generated, transmitted, received, or stored in any computer under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

On December 21, the Press Information Bureau published a press release providing clarifications to the previous day’s order. It said the notification served to merely reaffirm the existing powers delegated to the 10 agencies and that no new powers were conferred on them. Additionally, the release also stated that “adequate safeguards” in the IT Act and in the Telegraph Act to regulate these agencies’ powers.

Presumably, these safeguards refer to the Review Committee constituted to review orders of interception and the prior approval needed by the Competent Authority—in this case, the secretary in the Ministry of Home Affairs in the case of the Central government and the secretary in charge of the Home Department in the case of the State government.

As noted in the press release, the government has always had the power to authorise intelligence agencies to submit requests to carry out the interception, decryption, and monitoring of communications, under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.

When considering the implications of this notification, it is important to look at it in the larger framework of India’s surveillance regime, which is made up of a set of provisions found across multiple laws and operating licenses with differing standards and surveillance capabilities.

- Section 5(2) of the Indian Telegraph Act, 1885 allows the government (or an empowered authority) to intercept or detain transmitted information on the grounds of a public emergency, or in the interest of public safety if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. This is supplemented by Rule 419A of the Indian Telegraph Rules, 1951, which gives further directions for the interception of these messages.

- Condition 42 of the Unified Licence for Access Services, mandates that every telecom service provider must facilitate the application of the Indian Telegraph Act. Condition 42.2 specifically mandates that the license holders must comply with Section 5 of the same Act.

- Section 69(1) of the Information Technology Act and associated Rules allows for the interception, monitoring, and decryption of information stored or transmitted through any computer resource if it is found to be necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

- Section 69B of the Information Technology Act and associated Rules empowers the Centre to authorise any agency of the government to monitor and collect traffic data “to enhance cyber security, and for identification, analysis, and prevention of intrusion, or spread of computer contaminant in the country”.

- Section 92 of the CrPc allows for a Magistrate or Court to order access to call record details.

Notably, a key difference between the IT Act and the Telegraph Act in the context of interception is that the Telegraph Act permits interception for preventing incitement to the commission of an offence on the condition of public emergency or in the interest of public safety while the IT Act permits interception, monitoring, and decryption of any cognizable offence relating to above or for investigation of any offence. Technically, this difference in surveillance capabilities and grounds for interception could mean that different intelligence agencies would be authorized to carry out respective surveillance capabilities under each statute. Though the Telegraph Act and the associated Rule 419A do not contain an equivalent to Rule 4—nine Central Government agencies and one State Government agency have previously been authorized under the Act. The Central Government agencies authorised under the Telegraph Act are the same as the ones mentioned in the December 20 notification with the following differences:

- Under the Telegraph Act, the Research and Analysis Wing (RAW) has the authority to intercept. However, the 2018 notification more specifically empowers the Cabinet Secretariat of RAW to issue requests for interception under the IT Act.

- Under the Telegraph Act, the Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area, has the authority to intercept. However, the 2018 notification specifically authorises the Commissioner of Police, New Delhi with the power to issue requests for interception.

That said, the IT (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 under 69B of the IT Act contain a provision similar to Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 - allowing the government to authorize agencies that can monitor and collect traffic data. In 2016, the Central Government authorised the Indian Computer Emergency Response Team to monitor and collect traffic data, or information generated, transmitted, received, or stored in any computer resource. This was an exercise of the power conferred upon the Central Government by Section 69B(1) of the IT Act. However, this notification does not reference Rule 4 of the IT Rules, thus it is unclear if a similar notification has been issued under Rule 4.

While it is accurate that the order does not confer new powers, areas of concern that existed with India’s surveillance regime continue to remain including the question of whether 69(1) and 69B and associated Rules are constitutionally valid, the lack of transparency by the government and the prohibition of transparency by service providers, heavy handed penalties on service providers for non-compliance, and a lack of legal backing and oversight mechanisms for intelligence agencies. Some of these could be addressed if the draft Data Protection Bill 2018 is enacted and the Puttaswamy Judgement fully implemented.

Conclusion

The MHA’s order and the press release thereafter have served to publicise and provide needed clarity with respect to the powers vested in which intelligence agencies in India under section 69(1) of the IT Act. This was previously unclear and could have posed a challenge to ensuring oversight and accountability of actions taken by intelligence agencies issuing requests under section 69(1) .

The publishing of the list has subsequently served to raise questions and create a debate about key issues concerning privacy, surveillance and state overreach. On December 24, the order was challenged by advocate ML Sharma on the grounds of it being illegal, unconstitutional and contrary to public interest. Sharma in his contention also stated the need for the order to be tested on the basis of the right to privacy established by the Supreme Court in Puttaswamy which laid out the test of necessity, legality, and proportionality. According to this test, any law that encroaches upon the privacy of the individual will have to be justified in the context of the right to life under Article 21.

But there are also other questions that exist. India has multiple laws enabling its surveillance regime and though this notification clarifies which intelligence agencies can intercept under the IT Act, it is still seemingly unclear which intelligence agencies can monitor and collect traffic data under the 69B Rules. It is also unclear what this order means for past interceptions that have taken place by agencies on this list or agencies outside of this list under section 69(1) and associated Rules of the IT Act. Will these past interceptions possess the same evidentiary value as interceptions made by the authorised agencies in the order?

For more details visit https://cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle

Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No

praskrishna — 2016-09-22T00:57:02Z

From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.

The article by Sushil Kambampati was published in the Wire on September 21, 2016. Pranesh Prakash was quoted.

In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.

However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On May 17, the cyber-security firm Symantec stated in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.

A week later, another cyber-security firm, Kaspersky Lab, announced that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities.

Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators reveal the attack, the target of the attack discloses the breach, or because the leaked data shows up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations received tepid coverage in India. A few news organisations published the same wire story that basically rewrote information in the original posts, but there was very little follow-up as there was not much follow-up investigation to determine the targets or an analysis to gauge how much damage the leaks could cause.

Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.

This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government goes on high alert, resources are mobilised and the public is warned. The government then tries to identify the threat and stop it from doing any harm. Citizens demand that in the future the government take proactive steps to catch infiltrators and prevent any future threats.

Weak government response

One method that Suckfly uses to gain access, according to Symantec, is by signing its malware with stolen digital certificates. This is the same method that was used to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm of these breaches cannot be understated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange.

All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values.

Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, disrupt control systems of electrical grids or nuclear facilities and gain access to everything the government knows about its citizens, including personal details, financial information and identity information. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent attempt to heist $800 million from the central bank of Bangladesh.

A report on risks facing India, published in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have  a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.”

In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.

In the Suckfly case, it took a right-to-information query from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.

The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s Computer Emergency Response Team (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.

CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact email address bounce back. While it laudably posts its e-mail encryption hash on its contact page, one of the identifiers does not match what is registered in the public KeyStores (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative.

The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory that a bank notify the RBI whenever there is a security breach. The RBI did just that in a notification issued on June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance the RBI has not made any statements about whether financial institutions under its supervision are secure. It took an RTI query to get a statement from the RBI, and there it responded that it had no information on the matter.

The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of the breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its mantle to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack.

SEBI also issued a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that seems like too much time for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.

What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.

Right or wrong?

The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec.

On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach.

If Symantec’s is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India is one of the world’s ten largest economies and instability here would have ripple effects globally. Then there is the potential of catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and to let the public know which organisations may be compromised.

According to Pranesh Prakash, Policy Director at the Centre for Internet and Society and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”

Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know.

What other governments and private companies are belatedly learning is that it is better to proactively disclose the breaches before the information gets out through other parties. When US retailer Target came under attack, its data breach was first revealed by security reporter Michael Krebs. Target was criticised for not coming forth itself and faced several lawsuits. In the US, most states and jurisdictions have laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation on how long companies can wait to disclose and what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must report a breach within 24 hours and other organisations have 72 hours.

India has no mandatory disclosure law in the case of data breaches at government or private organisations, Prakash said. It is something that CIS supports and had proposed since 2011, he added.

According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.

Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has grown rapidly in India, a study in 2014 by YourStory and Kalaari Capital found that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase.

When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach they would also be able to alert credit card companies as well as friends and family.

As the KPMG report states, cyber attacks are only going to become more common. Despite multiple warnings, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.

For more details visit https://cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks

International Cooperation in Cybercrime: The Budapest Convention

vipul — 2019-04-29T22:35:37Z

In today’s increasingly digitized world where an increasing volume of information is being stored in the digital format, access to data generated by digital technologies and on digital platforms is important in solving crimes online and offline.

Click to download the file here

However, the global nature of the internet challenges traditional methods of law enforcement by forcing states to cooperate with each other for a greater variety and number of cases than ever before in the past. The challenges associated with accessing data across borders in order to be able to fully investigate crimes which may otherwise have no international connection forces states to think of easier and more efficient ways of international cooperation in criminal investigations. One such mechanism for international cooperation is the Convention on Cybercrime adopted in Budapest (“Budapest Convention”). Drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America it is the first and one of the most important multilateral treaties addressing the issue of cybercrime and international cooperation.^{^[1]}

Extradition

Article 24 of the Budapest Convention deals with the issue of extradition of individuals for offences specified in Articles 2 to 11 of the Convention. Since the Convention allows Parties to prescribe different penalties for the contraventions contained in Articles 2-11, it specifies that extradition cannot be asked for unless the crime committed by the individual carries a maximum punishment of deprivation of liberty for atleast one year.^{^[2]} In order to not complicate issues for Parties which may already have extradition treaties in place, the Convention clearly mentions that in cases where such treaties exist, extradition will be subject to the conditions provided for in such extradition treaties.^{^[3]} Although extradition is also subject to the laws of the requested Party, if the laws provide for the existence of an extradition treaty, such a requirement shall be deemed to be satisfied by considering the Convention as the legal basis for the extradition.^{^[4]} The Convention also specifies that the offences mentioned in Articles 2 to 11 shall be deemed to be included in existing extradition treaties and Parties shall include them in future extradition treaties to be executed.^{^[5]}

The Convention also recognises the principle of "aut dedere aut judicare" (extradite or prosecute) and provides that if a Party refuses to extradite an offender solely on the basis that it shall not extradite their own citizens,^{^[6]} then, if so requested, such Party shall prosecute the offender for the offences alleged in the same manner as if the person had committed a similar offence in the requested Party itself.^{^[7]} The Convention also requires the Secretary General of the Council of Europe to maintain an updated register containing the authorities designated by each of the Parties for making or receiving requests for extradition or provisional arrest in the absence of a treaty.^{^[8]}

Mutual Assistance Requests

The Convention imposes an obligation upon the Parties to provide mutual assistance “to the widest extent possible” for investigations or proceedings of criminal offences related to computer systems and data.^{^[9]} Just as in the case of extradition, the mutual assistance to be provided is also subject to the conditions prescribed by the domestic law of the Parties as well as mutual assistance treaties between the Parties.^{^[10]} However, it is in cases where no mutual assistance treaties exist between the Parties that the Convention tries to fill the lacuna and provide for a mechanism for mutual assistance.

The Convention requires each Party to designate an authority for the purpose of sending and answering mutual assistance requests from other Parties as well as transmitting the same to the relevant authority in their home country. Similar to the case of authorities for extradition, the Secretary General is required to maintain an updated register of the central authorities designated by each Party.^{^[11]} Recognising the fact that admissibility of the evidence obtained through mutual assistance in the domestic courts of the requesting Party is a major concern, the Convention provides that the mutual assistance requests are to be executed in accordance with the procedures prescribed by the requesting Party unless such procedures are incompatible with the laws of the requested Party.^{^[12]}

Parties are allowed to refuse a request for mutual assistance on the grounds that (i) the domestic laws of the requested party do not allow it to carry out the request;^{^[13]} (ii) the request concerns an offence considered as a political offence by the requested Party;^{^[14]} or (iii) in the opinion of the requested Party such a request is likely to prejudice its sovereignty, security, ordre public or other essential interests.^{^[15]} The requested Party is also allowed to postpone any action on the request if it thinks that acting on the request would prejudice criminal investigations or proceedings by its own authorities.^{^[16]} In cases where assistance would be refused or postponed, the requested Party may consult with the other Party and consider whether partial or conditional assistance may be provided.^{^[17]}

In practice it has been found that though States refuse requests on a number of grounds,^{^[18]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state.^{^[19]} A case study of a true instance recounted below gives an idea of the effort and resources it may take for a requested state to carry out a mutual assistance request:

“In the beginning of 2005, a Norwegian citizen (let’s call him A.T.) attacked a bank in Oslo. He intended to steal money and he did so effectively. During his action, a police officer was killed. A.T. ran away and could not be found in Norway. Some days later, police found and searched his home and computer and discovered that A.T. was the owner of an email account from a provider in the United Kingdom. International co-operation was required from British authorities which asked the provider to put his email account under surveillance. One day, A.T. used his email account to send an email message. In the United Kingdom, police asked the ISP information about the IP address where the communication came from and it was found that it came from Spain.

British and Spanish authorities installed an alert system whose objective was to know, each time that A.T. used his email account, where he was. Thus, each time A.T. used his account, British police obtained the IP address of the computer in the origin of the communication and provided it immediately to Spanish police. Then, Spanish police asked the Spanish ISPs about the owner or user of the IP address. All the connexions were made from cybercafés in Madrid. Even proceeding to that area very quickly, during a long period of time it was not possible to arrive at those places before A.T. was gone.

Later, A.T. began to use his email account from a cybercafé in Malaga. This is a smaller town than Madrid and there it was possible to put all the cybercafés from a certain area permanently under physical surveillance. After some days of surveillance, British police announced that A.T. was online, using his email account, and provided the IP address. Very rapidly, the Spanish ISP informed Spanish police from the concrete location of the cybercafé what allowed the officers in the street to identify and arrest A.T. in place.

A.T. was extradited to Norway and prosecuted.”^{^[20]}

It is clear from the above that although the crime occurred in Norway, a lot of work was actually done by the authorities in the United Kingdom and Spain. In a serious case such as this where there was a bank robbery as well as a murder involved, the amount of effort expended by authorities from other states may be appropriate but it is unlikely that the authorities in Britain and Spain would have allocated such resources for a petty crime.

In sensitive cases where the requests have to be kept secret or confidential for any reason, the requesting Party has to specify that the request should be kept confidential except to the extent required to execute the request (such as disclosure in front of appropriate authorities to obtain the necessary permissions). In case confidentiality cannot be maintained the requested Party shall inform the requesting Party of this fact, which shall then take a decision regarding whether to withdraw the request or not.^{^[21]} On the other hand the requested Party may also make its supply of information conditional to it being kept confidential and that it not be used in proceedings or investigations other than those stated in the request.^{^[22]} If the requesting Party cannot comply with these conditions it shall inform the requested Party which will then decide whether to supply the information or not.^{^[23]}

In the normal course the Convention envisages requests being made and executed through the respective designated central authorities, however it also makes a provision, in urgent cases, for requests being made directly by the judicial authorities or even the Interpol.^{^[24]} Even in non urgent cases, if the authority of the requested Party is able to comply with the request without making use of coercive action, requests may be transmitted directly to the competent authority without the intervention of the central authority.^{^[25]}

The Convention clarifies that through these mutual assistance requests a Party may ask another to (i) either search, seize or disclose computer data within its territory,^{^[26]} (ii) provide real time collection of traffic data with specified communications in its territory;^{^[27]} and (iii) provide real time collection or recording of content data of specified communications.^{^[28]} The provision of mutual assistance specified above has to be in accordance with the domestic laws of the requested Party.

The procedure for sending mutual assistance requests under the Convention is usually the following:

Preparation of a request for mutual assistance by the prosecutor or enforcement agency which is responsible for an investigation.
Sending the request by the prosecutor or enforcement agency to the Central Authority for verification (and translation, if necessary).
The Central Authority then submits the request either, (i) to the foreign central authority, or (ii) directly to the requested judicial authority.

The following procedure is then followed in the corresponding receiving Party:

Receipt of the request by the Central Authority.
Central Authority then examines the request against formal and legal requirements (and translates it, if necessary).
Central Authority then transmits the request to the competent prosecutor or enforcement agency to obtain court order (if needed).
Issuance of a court order (if needed).
Prosecutor orders law enforcement (e.g. cybercrime unit) to obtain the requested data.
Data obtained is examined against the MLA request, which may entail translation or

using a specialist in the language.

The information is then transmitted to requesting State via MLA channels.^{^[29]}

In practice, the MLA process has generally been found to be inefficient and this inefficiency is even more pronounced with respect to electronic evidence. The general response times range from six months to two years and many requests (and consequently) investigations are often abandoned.^{^[30]} Further, the lack of awareness regarding procedure and applicable legislation of the requested State lead to formal requirements not being met. Requests are often incomplete or too broad; do not meet legal thresholds or the dual criminality requirement.^{^[31]}

Preservation Requests

The Budapest Convention recognises the fact that computer data is highly volatile and may be deleted, altered or moved, rendering it impossible to trace a crime to its perpetrator or destroying critical proof of guilt. The Convention therefore envisioned the concept of preservation orders which is a limited, provisional measure intended to take place much more rapidly than the execution of a traditional mutual assistance. Thus the Convention gives the Parties the legal ability to obtain the expeditious preservation of data stored in the territory of another (requested) Party, so that the data is not altered, removed or deleted during the time taken to prepare, transmit and execute a request for mutual assistance to obtain the data.

The Convention therefore provides that a Party may request another Party to obtain the expeditious preservation of specified computer data in respect of which such Party intends to submit a mutual assistance request. Once such a request is received the other Party has to take all appropriate measures to ensure compliance with such a request. The Convention also specifies that dual criminality is not a condition to comply with such requests for preservation of data since these are considered to be less intrusive than other measures such as seizure, etc.^{^[32]} However in cases where parties have a dual criminality requirement for providing mutual assistance they may refuse a preservation request on the ground that at the time of providing the data the dual criminality condition would not be met, although in regard to the offences covered under Articles 2 to 11 of the Convention, the requirement of dual criminality will be deemed to have been satisfied.^{^[33]} In addition to dual criminality a preservation request may also be refused on the grounds that (i) the offence alleged is a political offence; and (ii) execution of the request would likely to prejudice the sovereignty, security, ordre public or other essential interests of the requested Party.^{^[34]}

In case the requested Party feels that preservation will not ensure the future availability of the data or will otherwise prejudice the investigation, it shall promptly inform the requesting Party which shall then take a decision as to whether to ask for the preservation irrespective.^{^[35]} Preservation of the data pursuant to a request will be for a minimum period of 60 days and upon receipt of a mutual assistance request will continue to be preserved till a decision is taken on the mutual assistance request.^{^[36]} If the requested Party finds out in the course of executing the preservation request that the data has been transmitted through a third state or the requesting Party itself, it has a duty to inform the requesting Party of such facts as well as provide it with sufficient traffic data in order for it to be able to identify the service provider in the other state.^{^[37]}

Jurisdiction and Access to Stored Data

The problem of accessing data across international borders stems from the international law principle which provides that the authority to enforce (an action) on the territory of another State is permitted only if the latter provides consent for such behaviour. States that do not acquire such consent may therefore be acting contrary to the principle of non-intervention and may be in violation of the sovereignty of the other State.^{^[38]} The Convention specifies two situations in which a Party may access computer data stored in another Party’s jurisdiction; (i) when such data is publicly available; and (ii) when the Party has accessed such data located in another state through a computer system located in its own territory provided it has obtained the “lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system”.^{^[39]} These are two fairly obvious situations where a state should be allowed to use the computer data without asking another state, infact if a state was required to take the permission of the state in the territory of which the data was physically located even in these situations, then it would likely delay a large number of regular investigations where the data would otherwise be available but could not be legally used unless the other country provided it under the terms of the Convention or some other legal instrument. At the time of drafting the Convention it appears that Parties could not agree upon any other situations where it would be universally acceptable for a state to unilaterally access data located in another state, however it must be noted that other situations for unilaterally accessing data are neither authorized, nor precluded.^{^[40]}

Since the language of the Budapest Convention stopped shy of addressing other situations law enforcement agencies had been engaged in unilateral access to data stored in other jurisdictions on an uncertain legal basis risking the privacy rights of individuals raising concerns regarding national sovereignty.^{^[41]} It was to address this problem that the Cybercrime Committee established the “ad-hoc sub-group of the T-CY on jurisdiction and transborder access to data and data flows” (the “Transborder Group”) in November 2011 which came out with a Guidance Note clarigying the legal position under Article 32.

The Guidance Note # 3 on Article 32 by the Cybercrime Committee specifies that Article 32(b) would not cover situations where the data is not stored in another Party or where it is uncertain where the data is located. A Party is also not allowed to use Article 32(b) to obtain disclosure of data that is stored domestically. Since the Convention neither authorizes nor precludes other situations, therefore if it is unknown or uncertain that data is stored in another Party, Parties may need to evaluate themselves the legitimacy of a search or other type of access in the light of domestic law, relevant international law principles or considerations of international relations.^{^[42]} The Budapest Convention does not require notification to the other Party but parties are free to notify the other Party if they deem it appropriate.^{^[43]} The “voluntary and lawful consent” of the person means that the consent must be obtained without force or deception. Giving consent in order to avoid or reduce criminal charges would also constitute lawful and voluntary consent. If cooperation in a criminal investigation requires explicit consent in a Party, this requirement would not be fulfilled by agreeing to the general terms and conditions of an online service, even if the terms and conditions indicate that data would be shared with criminal justice authorities.^{^[44]}

The person who is lawfully authorized to give consent is unlikely to include service providers with respect to their users’ data. This is because normally service providers would only be holders of the data, they would not own or control the data and therefore cannot give valid consent to share the data.^{^[45]} The Guidance Note also specifies that with respect to the location of the person providing access or consent, while the standard assumption is that the person would be physically located in the requesting Party however there may be other situations, “It is conceivable that the physical or legal person is located in the territory of the requesting law enforcement authority when agreeing to disclose or actually providing access, or only when agreeing to disclose but not when providing access, or the person is located in the country where the data is stored when agreeing to disclose and/or providing access. The person may also be physically located in a third country when agreeing to cooperate or when actually providing access. If the person is a legal person (such as a private sector entity), this person may be represented in the territory of the requesting law enforcement authority, the territory hosting the data or even a third country at the same time.” Parties are also required to take into account the fact that third Parties may object (and some even consider it a criminal offence) if a person physically located in their territory is directly approached by a foreign law enforcement authority to seek his or her cooperation.^{^[46]}

Production Order

A similar problem arises in case of Article 18 of the Convention which requires Parties to put in place procedural provisions to compel a person in their territory to provide specified stored computer data, or a service provider offering services in their territory to submit subscriber information.^{^[47]} It must be noted here, that the data in question must be already stored or existing data, which implies that this provision does not cover data that has not yet come into existence such as traffic data or content data related to future communications.^{^[48]} Since the term used in this provision is that the data must be within the “possession or control” of the person or the service provider, therefore this provision is also capable of being used to access data stored in the territory of a third party as long as the data is within the possession and control of the person on whom the Production Order has been served. In this regard it must be noted that the Article makes a distinction between computer data and subscriber information and specifies that computer data can only be asked for from a person (including a service provider) located within the territory of the ordering Party even if the data is stored in the territory of a third Party.^{^[49]} However subscriber information^{^[50]} can be ordered only from a service provider even if the service provider is not located within the territory of the ordering Party as long as it is offering its services in the territory of that Party and the subscriber information relates to the service offered in the ordering Party’s territory.^{^[51]}

Since the power under Article 18 is a domestic power which potentially can be used to access subscriber data located in another State, the use of this Article may raise complicated jurisdictional issues. This combined with the growth of cloud computing and remote data storage also raises concerns regarding privacy and data protection, the jurisdictional basis pertaining to services offered without the service provider being established in that territory, as well as access to data stored in foreign jurisdictions or in unknown or multiple locations “within the cloud”.^{^[52]} Even though some of these issues require further discussions and a more nuanced treatment, the Cybercrime Committee felt the need to issue a Guidance Note to Article 18 in order to avoid some of the confusion regarding the implementation of this provision.

Article 18(1)(b) may include a situation where a service provider is located in one jurisdiction, but stores the data in another jurisdiction. Data may also be mirrored in several jurisdictions or move between jurisdictions without the knowledge or control of the subscriber. In this regard the Guidance Note points out that legal regimes increasingly recognize that, both in the criminal justice sphere and in the privacy and data protection sphere, the location of the data is not the determining factor for establishing jurisdiction.^{^[53]}

The Guidance Note further tries to clarify the term “offering services in its territory” by saying that Parties may consider that a service provider is offering services if: (i) the service provider enables people in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and (ii) the service provider has established a real and substantial connection that Party. Relevant factors to determine whether such a connection has been established include “the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party”.^{^[54]} A service provider will not be presumed to be offering services within the territory of a Party just because it uses a domain name or email address connected to that country.^{^[55]} The Guidance Note provides a very elegant tabular illustration of its requirements to serve a valid Production Order on a service provider:^{^[56]}

PRODUCTION ORDER CAN BE SERVED
IF The criminal justice authority has jurisdiction over the offence
AND The service provider is in possession or control of the subscriber information
AND
The service provider is in the territory of the Party (Article 18(1)(a))	Or	A Party considers that a service provider is “offering its services in the territory of the Party” when, for example: - the service provider enables persons in the territory of the Party to subscribe to its services (and does not, for example, block access to such services); and - the service provider has established a real and substantial connection to a Party. Relevant factors include the extent to which a service provider orients its activities toward such subscribers (for example, by providing local advertising or advertising in the language of the territory of the Party), makes use of the subscriber information (or associated traffic data) in the course of its activities, interacts with subscribers in the Party, and may otherwise be considered established in the territory of a Party. (Article 18(1)(b))
AND
		the subscriber information to be submitted is relating to services of a provider offered in the territory of the Party.

The existing processes for accessing data across international borders, whether through MLATs or through the mechanism established under the Budapest Convention are clearly too slow to be a satisfactory long term solution. It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[57]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[58]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality, specially in light of the recent developments in cloud computing where the location of the data may not be certain or data may be located in multiple locations,^{^[59]} and look at a connecting legal factor as an alternative such as the “power of disposal”. This option implies that even if the location of the data cannot be determined it can be connected to the person having the power to “alter, delete, suppress or render unusable as well as the right to exclude other from access and any usage whatsoever”.^{^[60]}

Language of Requests

It was found from practice that the question of the language in which the mutual assistance requests were made was a big issue in most States since it created problems such as delays due to translations, costly translations, quality of translations, etc. The Cybercrime Committee therefore suggested that an additional protocol be added to the Budapest Convention to stipulate that requests sent by Parties should be accepted in English atleast in urgent cases since most States accepted a request in English.^{^[61]} Due to these problems associated with the language of assistance requests, the Cybercrime Convention Committee has already released a provisional draft Additional Protocol to address the issue of language of mutual assistance requests for public comments.^{^[62]}

24/7 Network

Parties are required to designate a point of contact available on a twenty-four hour, seven-day-a week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence, in electronic form, of a criminal offence. The point of contact for each Party is required to have the capacity to carry out communications with the points of contact for any other Party on an expedited basis. It is the duty of the Parties to ensure that trained and properly equipped personnel are available in order to facilitate the operation of the network.^{^[63]} The Parties recognized that establishment of this network is among the most important means provided by the Convention of ensuring that Parties can respond effectively to the law enforcement challenges posed by computer-or computer-related crimes.^{^[64]} In practice however it has been found that in a number of Parties there seems to be a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[65]}

Drawbacks and Improvements

The Budapest Convention, whilst being the most comprehensive and widely accepted document on international cooperation in the field of cybercrime, has its own share of limitations and drawbacks. Some of the major limitations which can be gleaned from the discussion above (and potential recommendations for the same) are listed below:

Weakness and Delays in Mutual Assistance: In practice it has been found that though States refuse requests on a number of grounds,^{^[66]} some states even refuse cooperation in the event that the case is minor but requires an excessive burden on the requested state. Further, the delays associated with the mutual assistance process are another major hurdle, and are perhaps the reason by police-to-police cooperation for the sharing of data related to cybercrime and e-evidence is much more frequent than mutual legal assistance.^{^[67]} The lack of regulatory and legal awareness often leads to procedural lapses due to which requests do not meet legal thresholds. More training, more information on requirements to be met and standardised and multilingual templates for requests may be a useful tool to address this concern.

Access to data stored outside the territory: Access to data located in another country without consent of the authorities in that country poses another challenge. The age of cloud computing with processes of data duplication and delocalisation of data have added a new dimension to this problem.^{^[68]} It is precisely for that reason that the Cybercrime Committee has suggested alternatives to the existing mechanism such as granting access to data without consent in certain specific emergency situations;^{^[69]} or access to data stored in another country through a computer in its own territory provided the credentials for such access are obtained through lawful investigative activities.^{^[70]} Another option suggested by the Cybercrime Committee is to look beyond the principle of territoriality and look at a connecting legal factor as an alternative such as the “power of disposal”.

Language of requests: Language of requests create a number of problems such as delays due to translations, cost of translations, quality of translations, etc. Due to these problems, the Cybercrime Convention Committee has already released for public comment, a provisional draft Additional Protocol to address the issue.^{^[71]}

Bypassing of 24/7 points of contact: Although 24/7 points have been set up in most States, it has been found that there is often a disconnect between the 24/7 point of contact and the MLA request authorities leading to situations where the contact points may not be informed about whether preservation requests are followed up by MLA authorities or not.^{^[72]}

India and the Budapest Convention

Although countries outside the European Union have the option on signing the Budapest Convention and getting onboard the international cooperation mechanism envisaged therein, India has so far refrained from signing the Budapest Convention. The reasons for this refusal appear to be as follows:

India did not participate in the drafting of the treaty and therefore should not sign. This concern, while valid is not a consistent foreign policy stand that India has taken for all treaties, since India has signed other treaties, where it had no hand in the initial drafting and negotiations.^{^[73]}
Article 32(b) of the Budapest Convention involves tricky issues of national sovereignty since it allows for cross border access to data without the consent of the other party. Although, as discussed above, the Guidance Note on Article 32 clarified this issue to an extent, it appears that arguments have been raised in some quarters of the government that the options provided by Article 32 are too limited and additional means may be needed to deal with cross border data access.^{^[74]}
The mutual legal assistance framework under the Convention is not effective enough and the promise of cooperation is not firm enough since States can refuse to cooperate on a number of grounds.^{^[75]}
It is a criminal justice treaty and does not cover state actors; further the states from which most attacks affecting India are likely to emanate are not signatories to the Convention either.^{^[76]}
Instead of joining the Budapest Convention, India should work for and promote a treaty at the UN level.^{^[77]}

Although in January 2018 there were a number of news reports indicating that India is seriously considering signing the Budapest Convention and joining the international cooperation mechanism under it, there have been no updates on the status of this proposal.^{^[78]}

Conclusion

The Budapest Convention has faced a number of challenges over the years as far as provisions regarding international cooperation are concerned. These include delays in getting responses from other states, requests not being responded to due to various reasons (language, costs, etc.), requests being overridden by mutual agreements, etc. The only other alternative which is the MLAT system is no better due to delays in providing access to requested data.^{^[79]} This however does not mean that international cooperation through the Budapest Convention is always late and inefficient, as was evident from the example of the Norwegian bank robber-murderer given above. There is no doubt that the current mechanisms are woefully inadequate to deal with the challenges of cyber crime and even regular crimes (specially in the financial sector) which may involve examination of electronic evidence. However that does not mean the end of the road for the Budapest Convention, one has to recognize the fact that it is the pre-eminent document on international cooperation on electronic evidence with 62 State Parties as well as another 10 Observer States. Any mechanism which offers a solution to the thorny issues of international cooperation in the field of cyber crime would require most of the nations of the world to sign up to it; till such time that happens, expanding the scope of the Budapest Convention to address atleast some of the issues discussed above by leveraging the work already done by the Cybercrime Committee through various reports and Guidance Notes (some of which have been referenced in this paper itself) may be a good option as this could be an incentive for non signatories to become parties to a better and more efficient Budapest Convention providing a more robust international cooperation regime.

^{^[1]} Council of Europe, Explanatory Report to the Convention on Cybercrime, https://rm.coe.int/16800cce5b, para 304.

^{^[2]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(1)(a). Except in cases where a different minimum threshold has been provided by a mutual arrangement, in which case such other minimum threshold shall be applied.

^{^[3]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(5).

^{^[4]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(3).

^{^[5]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(2).

^{^[6]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 251.

^{^[7]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(6).

^{^[8]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 24(7).

^{^[9]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(1).

^{^[10]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[11]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(2).

^{^[12]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(3) read with para 267 of the Explanatory Note to the Budapest Convention.

^{^[13]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 25(4).

^{^[14]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(a).

^{^[15]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(4)(b).

^{^[16]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(5).

^{^[17]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(6).

^{^[18]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[19]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[20]} Pedro Verdelho, Discussion Paper: The effectiveness of international cooperation against cybercrime: examples of good practice, 2008, pg. 5, https://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/T-CY/DOC-567study4-Version7_en.PDF, accessed on March 28, 2019.

^{^[21]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(8).

^{^[22]} However, disclosure of the material to the defence and the judicial authorities is an implicit exception to this rule. Further the ability to use the material in a trial (which is generally a public proceeding) is also a recognised exception to the right to limit usage of the material. See para 278 of the the Explanatory Note to the Budapest Convention.

^{^[23]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 28.

^{^[24]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(a) and (b).

^{^[25]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 27(9)(d) read with para 274 of the Explanatory Note to the Budapest Convention.

^{^[26]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 31.

^{^[27]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 33.

^{^[28]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 34.

^{^[29]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 37.

^{^[30]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 123.

^{^[31]} Ibid at 124.

^{^[32]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(3) read with para 285 of the Explanatory Note to the Budapest Convention.

^{^[33]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(4).

^{^[34]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(5).

^{^[35]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(6).

^{^[36]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 29(7).

^{^[37]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 30.

^{^[38]} Anna-Maria Osula, Accessing Extraterritorially Located Data: Options for States, http://ccdcoe.eu/uploads/2018/10/Accessing-extraterritorially-located-data-options-for-States_Anna-Maria_Osula.pdf, accessed on March 28, 2019.

^{^[39]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 32.

^{^[40]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 293.

^{^[41]} Council of Europe, Cybercrime Convention Committee, Report of the Transborder Group, Transborder access and jurisdiction: What are the options?, December 2012, para 310.

^{^[42]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.2.

^{^[43]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.3.

^{^[44]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.4.

^{^[45]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.6.

^{^[46]} Council of Europe, Cybercrime Convention Committee Guidance Note # 3, Transborder access to data (Article 32), para 3.8.

^{^[47]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 18.

^{^[48]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 170.

^{^[49]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[50]} Defined in Article 18(3) as “any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a. the type of communication service used, the technical provisions taken thereto and the period of service;

b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

^{^[51]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 173.

^{^[52]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), at pg.3.

^{^[53]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.5 at pg. 7.

^{^[54]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.6 at pg. 8.

^{^[55]} Id.

^{^[56]} Council of Europe, Cybercrime Convention Committee Guidance Note #10, Production orders for subscriber information (Article 18 Budapest Convention), para 3.8 at pg. 9.

^{^[57]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[58]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[59]} Council of Europe, Cybercrime Convention Committee Cloud Evidence Group, Criminal justice access to data in the cloud: challenges (Discussion paper), May 2015, pgs 10-14.

^{^[60]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 9, 2013, pg. 50.

^{^[61]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 35.

^{^[62]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[63]} Council of Europe, Convention on Cybercrime, 23 November 2001, Article 35.

^{^[64]} Council of Europe, Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b, para 298.

^{^[65]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[66]} Some of the grounds listed by Parties for refusal are: (i) grounds listed in Article 27 of the Convention, (ii) the request does not meet formal or other requirements, (iii) the request is motivated by race, religion, sexual orientation, political opinion or similar, (iv) the request concerns a political or military offence, (v) Cooperation may lead to torture or death penalty, (vi) Granting the request would prejudice sovereignty, security, public order or national interest or other essential interests, (vii) the person has already been punished or acquitted or pardoned for the same offence “Ne bis in idem”, (viii) the investigation would impose an excessive burden on the requested State or create practical difficulties, (ix) Granting the request would interfere in an ongoing investigation (in which case the execution of the request may be postponed). Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 34.

^{^[67]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 7.

^{^[68]} Giovanni Buttarelli, Fundamental Legal Principles for a Balanced Approach, Selected papers and contributions from the International Conference on “Cybercrime: Global Phenomenon and its Challenges”, Courmayeur Mont Blanc, Italy available at ispac.cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf

^{^[69]} Situations such as preventions of imminent danger, physical harm, the escape of a suspect or similar situations including risk of destruction of relevant evidence.

^{^[70]} Council of Europe, Cybercrime Convention Committee, Subgroup on Transborder Access, (Draft) Elements of an Additional Protocol to the Budapest Convention on Cybercrime Regarding Transborder Access to Data, April 2013, pg. 49.

^{^[71]} https://www.coe.int/en/web/cybercrime/-/towards-a-protocol-to-the-budapest-convention-further-consultatio-1

^{^[72]} Council of Europe, Cybercrime Convention Committee assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, December 2014, pg. 86.

^{^[73]} Dr. Anja Kovaks, India and the Budapest Convention - To Sign or not? Considerations for Indian Stakeholders, available at https://internetdemocracy.in/reports/india-and-the-budapest-convention-to-sign-or-not-considerations-for-indian-stakeholders/

^{^[74]} Alexander Seger, India and the Budapest Convention: Why not?, Digital Debates: The CyFy Journal, Vol III, available at https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/

^{^[75]} Id.

^{^[76]} Id.

^{^[77]} Id.

^{^[78]} https://indianexpress.com/article/india/home-ministry-pitches-for-budapest-convention-on-cyber-security-rajnath-singh-5029314/

^{^[79]} Elonnai Hickok and Vipul Kharbanda, Cross Border Cooperation on Criminal Matters - A perspective from India, available at https://cis-india.org/internet-governance/blog/cross-border-cooperation-on-criminal-matters

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-april-29-2019-international-cooperation-in-cybercrime-the-budapest-convention

India’s Role in Global Cyber Policy Formulation

basu — 2019-11-13T14:13:33Z

The past year has seen vigorous activity on the domestic cyber policy front in India. On key issues—including intermediary liability, data localization and e-commerce—the government has rolled out a patchwork of regulatory policies, resulting in battle lines being drawn by governments, industry and civil society actors both in India and across the globe.

The article by Arindrajit Basu was published in Lawfare on November 7, 2019. The article was reviewed and edited by Elonnai Hickok and Justin Sherman.

The onslaught of recent developments demonstrates how India can shape cyber policy debates. Among emerging economies, India is uniquely positioned to exercise leverage over multinational tech companies due to its sheer population size, combined with a rapid surge in users coming online and the country’s large gross domestic product. India occupies a key seat at the data governance table alongside other players like the EU, China, Russia and the United States — a position the country should use to promote its interests and those of other similarly placed emerging economies.

For many years, the Indian population has served as an economic resource for foreign, largely U.S.-based tech giants. Now, however, India is moving toward a regulatory strategy that reduces the autonomy of these companies in order to pivot away from a system that recently has been termed “data colonialism”—in which Western technologies use data-driven revenue bolstered by information extracted from consumers in the Global South to consolidate their global market power. The policy thinking underpinning India’s new grand vision still has some gaps, however.

Data Localization

Starting with a circular from the Reserve Bank of India in April 2018, the Indian government has introduced a range of policy instruments mandating “data localization”—that is, requiring that certain kinds of data must be stored in servers located physically within India. A snapshot of these policies is summarized in the table below.

(Source here. Design credit: Saumyaa Naidu)

While there are a number of reasons for this maneuver, two in particular are in line with India’s broader vision of data sovereignty—broadly defined as the sovereign right of nations to govern data within their territory and/or jurisdiction in order to support their national interest for the welfare of their citizens. First, there is an incentive to keep data within India’s jurisdiction because of the cumbersome process through which Indian law enforcement agencies must go during criminal investigations in order to access data stored in the U.S. Second, data localization undercuts the extractive economic models used by U.S. companies operating in India by which the data generated by Indian citizens is collected in India, stored in data centers located largely in the U.S., and processed and analyzed to derive commercially valuable insights.

Both foreign players and smaller Indian private-sector actors were against this move. A study on the issue that I co-authored earlier this year with Elonnai Hickok and Aditya Chawla found that one of the reasons for this resistance involved the high costs of setting up the data centers that are needed to comply with the requirement. President Trump echoed this sentiment when he explicitly opposed data localization during a meeting with Prime Minister Narendra Modi on the sidelines of the G-20 in June 2019.

At the same time, large Indian players such as Reliance and Paytm and Chinese companies like AliBaba and Xilink were in favor of localization—possibly because these companies could absorb the costs of setting up storage facilities while benefiting from the fixed costs imposed on foreign competition. In fact, some companies, such as AliBaba, have already set up storage facilities in India.

As my co-authors and I noted, data localization comes with various risks, both diplomatically and politically. So far, the issue has caused friction in U.S.-India trade relations. For example, before Secretary of State Mike Pompeo's trip to New Delhi in June, the Trump administration reportedly contemplated limiting H-1B visas for any country that implements a localization requirement. Further, on his trips to New Delhi, Commerce Secretary Wilbur Ross has regularly argued that data localization restrictions are a barrier to U.S. companies and stressed the need to eliminate such barriers. Further, data localization poses several technical challenges as well as security risks. Mirroring data across multiple locations, as India’s Draft Personal Data Protection Bill mandates, increases the number of physical data centers that need to be protected and thereby the number of vulnerable points that malicious actors can attack.

Recently, the Indian media have reported disagreements between policymakers over data localization, along with speculation that the data storage requirement in the Draft Personal Data Protection Bill could be limited only to critical data—a term not defined in the bill itself—or be left to sectoral regulators, officials from individual government departments.

Our paper recommended a dual approach. In our view, data localization policy should include mandatory localization for critical sectors such as defense or payments data, while also adopting “conditional” localization for all other data. Under conditional localization, data should only be transferred to countries that (a) agree to share the personal data of Indian citizens with law enforcement authorities based on Indian criminal procedure laws (examples of such a mechanism may be an executive data-sharing agreement under the CLOUD Act) and (b) have equivalent privacy and security safeguards. This approach would be in line with India’s overarching vision of data sovereignty and the goal of standing up to the hegemony of big tech and of U.S. internet regulations, while avoiding undue collateral damage to India’s global alliances.

Intermediary Liability

In line with the goal of ensuring that big tech is answerable to the rule of law, the Indian government has also sought to regulate the adverse social impacts of some speech hosted by platforms. Rule 3(9) of the Draft of the Information Technology Intermediaries Guidelines (Amendment) Rules, 2018, released by the Ministry of Electronics and Information Technology in December 2019, takes up the interventionist mission of laws like the NetzDg in Germany. The regulation would mandate that platforms use “automated tools or appropriate mechanisms, with appropriate controls, for proactively identifying and removing or disabling public access to unlawful information or content.” These regulations have prompted concerns from both the private sector and civil society groups that claim the proposal fails to address constitutional concerns about algorithmic discrimination, excessive censorship and inappropriate delegation of legislative powers under Indian law. Further, some observers object that the guidelines adopt a “one-size-fits-all” approach to classifying intermediaries that does not differentiate between platforms that thrive on end-to-end encryption like WhatsApp and public platforms like Facebook.

In many ways, these guidelines—likely to be notified (as an amendment to the Information Technology Act) as early as January 2020—put the cart before the horse. Before devising regulatory models appropriate for India’s geographic scale and population, it is first necessary to conduct empirical research about the vectors through which misinformation spreads in India and how misinformation impacts different social, economic and linguistic communities, along with pilot programs for potential solutions to the misinformation problem. And it is imperative that these measures be brought in line with constitutional requirements.

Community Data and “Data as a Public Good”

Another important question involves the precise meaning of “data” itself—an issue on which various policy documents have failed to deliver a consistent stance.

The first conceptualization of “community data” appears in both the Srikrishna Committee Report that accompanied the Draft Personal Data Protection Bill in 2018 and the draft e-commerce policy. However, neither policy provides clarity on the concept of data.

When defining community data, the Srikrishna Report endorses a collective protection of privacy as protecting an identifiable community that has contributed to community data. According to the Srikrishna Report, receiving collective protection requires the fulfillment of three key aspects. First, the data belong to an identifiable community. Second, the individuals in the community consent to being a part of the community. And third, the community as a whole consents to its data being treated as community data.

The draft e-commerce policy reconceptualizes the notion of community data as “societal commons” or a “national resource,” where the undefined ‘community” has rights to access data but the government has overriding control to utilize the data for welfare purposes. Unlike the Srikrishna Report, the draft e-commerce policy does not outline the key aspects of community data. This approach fails to demarcate a clear line between personal and nonpersonal data or to specify any practical guidelines or restrictions on how the government can use community data. For this reason, implementation of this policy could pose a threat to the right to privacy that the Indian Supreme Court recognized as a fundamental right in 2017.

The second idea is that of “data as a public good.” This is described in Chapter 4 of the 2019 Economic Survey Report—a document published by the Ministry of Finance along with the Annual Financial Budget. The report explicitly states that any data governance framework needs to be deferential to privacy norms and the soon-to-be-enacted privacy law. The report further states that “personal data” of an individual in the custody of a government is a “public good” once the datasets are anonymized.

However, the report’s recommendation of setting up a government database that links several individual databases together leads to the “triangulation” problem, in which individuals can be identified by matching different datasets together. The report further suggests that the same data can be sold to private firms (though it is unclear whether this includes foreign or domestic firms). This directly contradicts the characterization of a “public good”—which, by definition, must be n onexcludable and nonrivalrous—and is also at odds with the government’s vision of reining in big tech. The government has set up an expert committee to look into the scope of nonpersonal data, and the results of the committee’s deliberations are likely to influence the shape that India’s data governance framework takes across multiple policy instruments.

There is obviously a need to reassess and reevaluate the range of governance efforts and gambits that have emerged in the past year. With domestic cyber policy formulation pivots reaching a crescendo, we must consider how domestic cyber policy efforts can influence India’s approach to global debates in this space.

India’s Contribution to Global Cyber Policy Debates

As the largest democracy in the world, India is undoubtedly a key “digital decider” in shaping the future of the internet. Multilateral cyber policy formulation efforts remain polarized. The U.S. and its European allies continue to advocate for a free, rules-based conception of cyberspace with limited governmental interference. China and Russia, along with their Shanghai Cooperation Organisation allies, are pushing for a tightly regulated internet in which each state has the right to manage and define its “network frontiers” through domestic regulation free from external interference. To some degree, India is already influencing debate over the internet through its various domestic cyber policy movements. However, its participation in international debates has been lacking the vigor or coherence needed to clearly articulate India’s national interests and take up a global leadership role.

In shaping its contributions to global cyber policy formulation, India should focus its efforts on three key places: (a) internet governance forums that deliberate the governance of the technical architecture of the internet such as domain names, (b) cyber norms formulation processes that seek to establish norms to foster responsible behavior in cyberspace by states and nonstate actors in cyberspace, and (3) global debates on trade and cross-border data flows that seek to conceptualize the future of global digital trade relationships. As I discuss below, there are key divisions in Indian policy in each of these forums. To realize its grand vision in the digital sphere, India needs to do much more to make its presence felt.

Internet Governance Forums

India’s stance on a variety of issues at internet governance forums has been inconsistent, switching repeatedly between multilateral and multistakeholder visions for internet governance. A core reason for this uncertainty is the participation of multiple Indian government ministries, which often disagree with each other. At global internet governance forums, India has been represented either by the Department of Electronics and Information Technology (now renamed to Ministry of Electronics and Information Technoloft or the Department of Telecommunications (under the Ministry of Communications and Information Technology) or by the Ministry of External Affairs (MEA).

As my colleagues have documented in a detailed paper, India has been vocal in global internet governance debates at forums including the International Telecommunications Union, the Internet Governance Forum and the U.N. General Assembly. However, the Indian stance on multistakeholderism has been complex, with the MEA advocating for a multilateral stance while the other departments switched between multistakeholderism and “nuanced multilateralism”—which calls for multistakeholder participation in policy formulation but multilateral implementation. The paper also argues that there has been a decline recently in the vigor of Indian participation at forums such as the 2018 meeting of the Working Group on Enhanced Co-operation (WGEC 2.0), due to key personnel changes. For example, B.N. Reddy, who was a skilled and experienced negotiator for the MEA in previous forums, was transferred to another position before WGEC 2.0, and the delegation that attended the meeting did not make its presence felt as strongly or skillfully.

Cyber Norms for Responsible State Behavior in Cyberspace

With the exception of two broad and unoriginal statements at the 70th and 71st sessions of the U.N. General Assembly, India has yet to make public its position on the multilateral debate on the proliferation of norms for responsible state behavior in cyberspace. During the substantive session of the Open-Ended Working Group held in September, India largely reaffirmed points made by other states, rather than carving out a new or original approach. The silence and ambiguity is surprising, as India has been represented on four of the five Groups of Governmental Experts (GGEs) set up thus far and has also been inducted into the 2019-2021 GGE that is set to revamp the global cyber norms process. (Due to the GGE’s rotational membership policy, India was not a member of the fourth GGE that submitted its report in 2015.)

However, before becoming an evangelist of any particular norms, India has some homework to do domestically. It has yet to advance a clear, coherent and detailed public stance outlining its views on the application of international law to cyberspace. This public stance is necessary for two reasons. First, a well-reasoned statement that explains India’s stance on core security issues—such as the applicability of self-defense, countermeasures and international humanitarian law—would show India’s appetite for offensive and defensive strategies for external adversaries and allies alike. This would serve as the edifice of a potentially credible cyber deterrence strategy. Second, developing a public stance would help India to take advantage of the economic, demographic and political leverage that it holds and to assume a leadership role in discussions. The U.K., France, Germany, Estonia, Cuba (backed by China and Russia) and the U.S. have all made their positions publicly known with varying degrees of detail.

Data Transfers

Unlike in other forums, Indian policy has been clearer in the cross-border data transfer debate. This is a foreign policy extension of India’s emphasis on localization and data sovereignty in domestic policy instruments. At the G-20 Summit in Osaka, India and the rest of the BRICS group (Brazil, Russia, China and South Africa) stressed the role that data play in economic development for emerging economies and reemphasized the need for data sovereignty. India did not sign the Osaka Declaration on the Digital Economy that kickstarted the “Osaka Track”—a process whereby the 78 signatories agreed to participate in global policy discussions on international rule-making for e-commerce at the World Trade Organization (WTO). This was a continuation of India’s sustained efforts opposing the e-commerce moratorium at the WTO.

The importance of cross-border data flows in spurring the global economy found its way into the Final G-20 Leaders Declaration—which India signed. Foreign Secretary Vijay Gokhale argued that international rule-making on data transfers should not take place in plurilateral forums outside the WTO. Gokhale claimed that limiting the debate to the WTO would ensure that emerging economies have a say in the framing of the rules. The clarity expressed by the Indian delegation at the G-20 should be a model for more confident Indian leadership in this global cyber policy development space.

Looking Forward

India is no newcomer to the idea of normative leadership. To overcome material shortcomings in the nation’s early years, Jawaharlal Nehru, the first Indian prime minister, engineered a normative pivot in world affairs by championing the sovereignty of countries that had gained independence from colonial rule. In the years immediately after independence, the Indian foreign policy establishment sought to break the hegemony of the United States and the Soviet Union by advancing a foreign policy rooted in what came to be known as “nonalignment.”

Making sound contributions to foreign policy in cyberspace requires a variety of experts—international lawyers, computer scientists, geopolitical strategists and human rights advocates. Indian civil society and academia are brimming with tech policy enthusiasts from a variety of backgrounds who could add in-depth substance to the government’s cyber vision. Such engagement has begun to some extent at the domestic level: Most government policies are now opened up to consultation with stakeholders Yet there is still room for greater transparency in this process.

India's cyber vision is worth fighting for. The continued monetization of data dividends by foreign big tech at the expense of India’s socioeconomic development needs to be countered. This can be accomplished by predictable and coherent policymaking that balances economic growth and innovation with the fundamental rights and values enshrined in the Indian Constitution, including the right to equality, freedom of speech and expression, and the right to life. But inherent contradictions in the conceptualization of personal data, delays in tabling the Personal Data Protection Bill, and uncertain or rushed approaches in several other regulatory policies are all fettering the realization of this vision. On core geopolitical issues, there exists an opportunity to set the rule-shaping agenda to favor India’s sovereign interests. With global cyber policy formulation in a state of flux, India has the economic, demographic and intellectual leverage to have a substantial impact on the debate and recraft the narrative in favor of the rapidly emerging Global South.

For more details visit https://cis-india.org/internet-governance/blog/lawfare-arindrajit-basu-november-7-2019-indias-role-in-global-cyber-policy-formulation