Mission Cyber Insurance

There is an enthusiasm around India with the declaration of the Digital India project by our Prime Minister. The fact that more than Rs 450,000 crores of funds have been pledged by the Indian industry is an indication that the project will make substantial progress in the coming days.

We wholeheartedly welcome this initiative.

Cyber Security Initiative and Security of the Netizens

At the same time we also welcome the initiative of the Prime Minister in Cyber Security and the call he has made to the industry to make India a significant global player in Cyber Security.

We however believe that while Cyber Security efforts need to continue at the industry level, the common Netizens cannot be used as guinea pigs for introducing technology for the benefit of the industry without proper assessment of the security implications. We are aware that 100% security in the Information Security domain is impossible, since technology is always evolving and even Microsoft does not know the vulnerabilities in its OS before they are exploited by criminals. Many times vulnerabilities are deliberately allowed to exist to serve state interests. Under these circumstances, Netizens live in constant fear of Cyber threats to themselves, their financial assets as well as their reputation.

As long as use of ICT was voluntary, it was possible to live with certain risks since those who do not want the risk exposure could have alternate means of living. But gradually, the scenario is changing. Options for the public to opt out of the use of ICT are shrinking. They are already forced to use technology in Banking. Today Flipkart has announced its desire to become completely “App-Based”. This is a development which indicates that in future all kinds of services, starting with commercial services and later the other services, will be available only through technology tools even more modern than the computers themselves. There is already an indication that without “Aadhar” certain services of the Government may become difficult to access. After all, Aadhar is the ultimate form of the digital world since it establishes the very identity of a person, and if it becomes critical for certain services, its absence in the case of any cyber attack could mean “Digital Death” to the Netizen.

In this scenario of every Citizen of India being forced to adopt technology, a time has come for them to demand that they be protected from the technology risks that the Digital India initiative will force upon them.

Just as Mr Modi spoke of “Social Security” through insurance schemes, there is a need for “Digital Security” through “Cyber Insurance for All”.

Naavi.org launches its Mission-Cyber Insurance with the avowed objective of making the public aware of what Cyber Insurance as a concept is and how it needs to be promoted in India.

Scope of Cyber Insurance

As a beginning, let us establish the scope of the term “Cyber Insurance” and later we shall go into its different dimensions.

“Cyber Insurance” is a term which we may use synonymously with “Cyber Crime Insurance”. In effect it means that if an IT asset owner suffers any loss on account of a Cyber Crime he should be compensated. What the public call a “Cyber Crime” is normally described by Information Security professionals as a “Security Breach Incident”. Hence the term Cyber Insurance can be applied to situations where a loss occurs on account of a “Security Breach Incident”.

There are a few instances where a “Security Breach Incident” may not be a “Cyber Crime”, either because the law has not recognized it as a Crime or because the breach is only of a contractual commitment between two entities. We can therefore say that all Cyber Crimes are Security Breach Incidents but not all Security Breach Incidents are Cyber Crimes.

Cyber Insurance therefore encompasses Cyber Crime Insurance, and we can use the term both in relation to security breaches and to cyber crimes under law.

Cyber Crime requires an act that is defined as an offence in a law such as the Information Technology Act 2000 or any other law. For certain offences to be recognized, there has to be a “malicious intention” in addition to an act. Acts committed negligently but without malicious intention may constitute a lower level of Cyber Crime leading to civil compensation but not to imprisonment.

From the Cyber Insurance aspect, there is a need for a “Financial Loss” which can be reimbursed by an Insurance policy. Hence Cyber Frauds such as Bank frauds are directly the subject matter of Cyber Insurance as far as the individuals are concerned.

As regards Companies, they sometimes suffer loss because they pay compensation to their clients on account of a cyber crime. Typically, when a Bank pays compensation to its customer for a Phishing fraud in which some fraudster has walked away with the money, the Bank is entitled to claim insurance.

We must understand that Insurance is not an incentive for somebody to act negligently because there is somebody else to pick up the claim. Insurance is a concept where the core business entity is not left to chase the cause of the loss at the expense of its business when it has acted diligently but has faced a criminal attack. The insurer in that case provides the compensation so that the business entity can carry on its normal business activities, whereas the Insurance company either pursues its options against the real criminals or absorbs the loss from its profits.

The insurance claims made by the Companies are often an aggregation of the losses suffered by the members of public. This is particularly true of the data breach related insurance claims. In such cases the insurance companies either pay compensation directly to the individuals against their individual policies or the company pays them and recovers the loss through its insurance policy.

Hence Cyber Insurance for individuals and Cyber Insurance for Companies are closely related.

If individuals do not suffer any loss, they can recover it neither from an intermediary company nor from the insurance company. If the Intermediary company has not reimbursed its customers for any loss, it cannot recover any insurance claim for itself.

The Challenges

There are many challenges in writing a Cyber Insurance policy and the industry needs to resolve them before Cyber Insurance can be made available to the masses. Governmental intervention is required to resolve them since there are too many conflicting interests at play.

The Companies would not like to incur the cost of insurance if they could avoid it. But they want information security so that the probability of cyber attacks and the resultant loss is reduced. Information security also has a cost, and there has to be a trade-off between the potential loss if not secured and the reduced loss with good security and insurance coverage.

But today it is not easy to estimate the “Potential Loss” arising out of an operation, since threats are dynamic, vulnerabilities are difficult to identify and the business impact of a risk is difficult to quantify. Hence the industry struggles to forecast the number of cyber crimes or data breach incidents during the next year, say, or what the loss to the company could be given a specific security initiative that the company has taken. Cyber Crime data therefore becomes a key to this actuarial evaluation of the probability of loss.

Similarly, it is not easy to assign a value to the information security efforts taken by a Company and their potential to reduce the potential loss from, say, a level of X rupees to Y rupees. Metrics have to be developed for measuring the maturity level of companies in information security implementation.

If we know the extent of the risk, we can attempt to determine the premium to be charged. But to determine the premium there has to be a base rate of premium and a value for the asset insured.

Measuring the value of data assets is again a complicated and to some extent arbitrary exercise, and it is difficult for the insured and the insurer to reach a common understanding. The same problem persists when there is a claim and we need to assess the loss.

Valuation of an asset and premium fixation are therefore areas of concern for the industry where professionals need to step in and provide clarity.

Liability Based Policies

One of the strategies that insurance companies adopt to overcome the uncertainty in the valuation of the asset insured and the loss probabilities is to define the nature of incidents under which insurance can be claimed, subject to certain limits in financial value. One example is that the insurance may cover loss of third party data subject to a total compensation of 25 lakhs per incident and a maximum of 50 lakhs in a year. In this situation, we need not define the value of the asset insured. Premium can be fixed based on the number of data elements that could potentially be lost or some other criterion such as a lump sum based on the turnover of the company.

Asset Replacement Insurance

Compared to Liability insurance, the other type of Cyber Insurance provides for replacement of the lost asset. In a simple case this could be a theft and general insurance type policy as far as the hardware is concerned. But if a company has a large part of its assets in the form of software and applications, it becomes necessary to assign a value to them, both for determining the value of the policy and for the claim.

The asset replacement policies have an additional issue about the right valuation of the insurable asset. It is a general principle of insurance that an asset which is undervalued for the purpose of insurance is considered to be co-insured by the insured to the extent of the understatement of value. Overvaluation, of course, can be considered an attempt to cheat.
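The two settlement rules described above (a per-incident limit with an annual aggregate, and co-insurance of an undervalued asset in proportion to the understatement) can be worked through numerically. This is an added, constructed illustration, not policy wording from Naavi.org or from any insurer; the limits and losses are assumed figures in lakhs.

```python
"""Constructed worked example of two cyber-insurance settlement rules.

1. A liability-style policy that pays per incident up to a per-incident
   limit, and in total up to an annual aggregate limit.
2. An asset-replacement policy where an undervalued asset makes the insured
   a co-insurer for the shortfall (the insured fraction of each loss is paid).
All amounts are in lakhs of rupees (1 lakh = 100,000 rupees); figures are assumed.
"""
from dataclasses import dataclass


@dataclass
class LiabilityPolicy:
    per_incident_limit: float   # e.g. 25 lakh per incident (assumed figure)
    annual_aggregate: float     # e.g. 50 lakh per policy year (assumed figure)
    paid_so_far: float = 0.0    # running total paid in the current policy year

    def settle(self, loss):
        """Return the insurer's payout for one incident.

        The payout is capped by the per-incident limit and by whatever remains
        of the annual aggregate; any excess is retained by the insured.
        """
        remaining = max(self.annual_aggregate - self.paid_so_far, 0.0)
        payout = min(loss, self.per_incident_limit, remaining)
        self.paid_so_far += payout
        return payout


def replacement_payout(loss, sum_insured, actual_value):
    """Asset-replacement claim under the co-insurance (average) rule.

    If the asset was insured for less than its actual value, the insured is
    treated as co-insurer for the shortfall, so only the insured fraction
    (sum_insured / actual_value) of the loss is paid. The payout never
    exceeds the sum insured.
    """
    if actual_value <= 0:
        raise ValueError("actual value must be positive")
    if sum_insured >= actual_value:
        return min(loss, sum_insured)
    return min(loss * sum_insured / actual_value, sum_insured)


def run_policy_year(policy, losses):
    """Settle a sequence of incident losses in one policy year.

    Returns (paid, retained): the insurer's payout per incident and the
    amount the insured must absorb per incident.
    """
    paid = [policy.settle(loss) for loss in losses]
    retained = [loss - p for loss, p in zip(losses, paid)]
    return paid, retained


if __name__ == "__main__":
    # Constructed scenario: 25 lakh per incident, 50 lakh aggregate,
    # three breaches in the year costing 10, 40 and 30 lakh.
    policy = LiabilityPolicy(per_incident_limit=25, annual_aggregate=50)
    print(run_policy_year(policy, [10, 40, 30]))
    # Constructed scenario: software asset worth 100 lakh insured for only 60,
    # then a 40 lakh loss: the insured bears 40% of it.
    print(replacement_payout(loss=40, sum_insured=60, actual_value=100))
```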

Uberrimae Fidei Nature

Yet another related general principle of insurance that the industry should always remember is that all Insurance contracts are considered to be “Contracts of Utmost Faith” (Uberrimae Fidei principle). This means that it is for the insured to declare all information that is relevant to the insurer in writing a contract, and if any information is held back, it can be a ground for rejection of a claim even if the premium has been paid.

It is because of this protection that insurance agents often aggressively promote insurance, even with a suggestion that some information need not be provided since the premium may be increased because of it. Declaring the right value of the asset and whether the company is exposed to extraordinary risks are therefore issues that can affect the claims when they arise, and there has to be neither misrepresentation nor suppression of facts.

However, threat assessment and risk profiling being fundamentally uncertain, it can always be argued that the insured suppressed facts and the insurance company may reject claims. Hence the insured should always keep appropriate documentation of their known risk profile at the time of writing an insurance contract and get a sign-off from the Insurance company.

Role of Legal Compliance

One more fundamental principle of insurance is that once a claim is settled, the Insurance company steps into the shoes of the insured and has the right to pursue recovery from the fraud beneficiaries. To satisfy this need, the insured should protect the legal interest of the insurance company by preserving evidence that it may require to pursue recovery. Failure to do so may be a ground for rejection of the claim itself. It is therefore necessary for the insured to do whatever is required under law in terms of information security or evidence preservation. Hence legal compliance becomes an essential responsibility of all insured companies. In India this may translate into ITA 2008 compliance as a mandatory requirement for all insured companies.

Role of Certified Information Security Audits

Yet another common insurance principle is that the insured should, in protecting the insured asset, act as if there were no insurance. This means that the security measures taken, or any omission thereof, could be a consideration for acceptance or rejection of a claim. In this context the insured is confronted with questions such as: what are the best information security practices to be followed? Will Certified audits such as ISO 27001 be considered necessary? Is the ISO framework or the COBIT framework better? Probably the best way is for the insured and the insurer to agree upon the best practices to be followed in terms of information security rather than adopting any certification format blindly.

What we Expect the Government to do

Considering the need to implement the Digital India project in the next 3-4 years, the Government should immediately set up a Cyber Insurance Advisory Board to assist IRDA in formulating appropriate policies for providing cyber insurance cover both for individuals and companies. The need for a separate advisory board apart from IRDA is felt because the Cyber Insurance industry has the potential to influence information security standards, has to coordinate with the Information Security certification bodies and several regulatory agencies such as the RBI, SEBI, CERT-In etc., and needs a high level of technical expertise besides knowledge of the insurance industry.

What You Can do

As a part of this Mission-Cyber Insurance, Naavi is undertaking a Cyber Insurance study along with some of his professional friends in the Information Security community and invites all the visitors of this site to participate. The survey will go online in a couple of days through this site. While answering the survey questions, some of the concepts discussed here should be relevant. Findings of the survey will be conveyed directly to the CEO of Digital India, namely Prime Minister Modi.

The objective of the Mission-Cyber Insurance is to ensure that Netizens of India are provided adequate Digital Security before being dumped into the Digital India of the future. For this purpose every one of us should be aware of the potential of Cyber Insurance, and we should demand that the Government and the regulators provide us security before forcing us to take on new risks.

Just as a car must be covered with third party risk insurance before it is put on the road, before any digital service is put before us we should be provided with an option to cover the risks. Cyber Insurance for All should therefore be the motto that we persuade the Government to work with, alongside the implementation of the Digital India project.

Let us make our voice heard by participating in the survey and passing on our valuable feedback to the Industry and the Government.

Naavi


Cyber Insurance for All: A prerequisite for Digital India

In the context of the Government’s push on the Digital India concept, there is an increasing apprehension that the society in India will become more and more dependent on Internet, E Commerce and E Governance. Some of this dependence comes about not out of choice but out of compulsion. An inevitable consequence of this is the risk of Cyber Frauds that hurt the citizens.

Naavi.org has been time and again pointing out that customers of Indian Banks are being short-changed for technology by Banks and whenever a fraud occurs, the customer of the Bank is made to bear the loss.

A few pockets where justice was being done are being systematically blocked. We can only conclude that this is another “Vyapam type” systemic fraud that is going unchecked.

A case that immediately brings this to mind was reported today from Pune. Details are available in this article at Indian Express: Cyber Crime in Pune: Unsecured Digital India dangerous

The gist of the case is, as in many other cases, the following.

1. A customer of a Bank (in this case, ICICI Bank) finds that money in his account has been fraudulently withdrawn (in this case, Rs 19 Lakhs).

2. The Bank refuses to refund the amount, stating that some X, Y or Z has committed the fraud and the customer can file a police complaint. It also claims that its security system is perfect and the customer must have been negligent in handling his password and hence is responsible for the loss.

3. The ignorant customer believes the words of the Bank and approaches the Police. In most cases the Police are unable to trace the fraudsters and the customer is frustrated over time. If he were a farmer and committed suicide, politicians would come pouring into his house with compensation. But a Bank customer is not so lucky. He suffers the loss silently.

4. The system provides that in cases of any loss that arises out of what can be a crime under the Information Technology Act 2000/8, an adjudicator (the IT Secretary of the State) has the authority to adjudicate and order payment of compensation. He has sole jurisdiction up to a claim of Rs 5 crores and hence covers most of the Bank frauds. An appeal against his award lies with the Cyber Appellate Tribunal (having an office in Delhi but with powers to sit anywhere in the country).

5. In the whole country, where there is an adjudicator in each state and union territory, there have been only two Adjudicators (IT Secretaries) who understood their responsibilities and discharged their functions in the interest of the customers of the Bank. One was Mr PWC Davidar in Chennai and the other was Mr Rajesh Aggarwal in Mumbai. But after about 5 decisions in Chennai which went against Banks (ICICI Bank and PNB), Mr Davidar was transferred by Ms J. Jayalalitha to another department and since then there has been complete silence at the Adjudicator’s office in Chennai. Mr Rajesh Aggarwal decided more than 30 cases in Mumbai, most of which went against Banks (SBI, ICICI Bank, Axis Bank etc.). He was promptly transferred during the current regime to Delhi and since then even the Mumbai Adjudication office has fallen silent.

6. At the same time, in States like Karnataka, the Adjudicator went so far as to dish out a legally untenable judgement in favour of Axis Bank, and the current Adjudicator is following an aggressively anti-consumer stance, threatening to “teach a lesson” to anybody who says Banks should compensate customers in such cases.

7. Above all this, the appellate court, namely the Cyber Appellate Tribunal, has remained dysfunctional since 2011 because successive Governments have been unable to find a Chairperson. Initially it was the fight between Kapil Sibal and the then CJI over the choice of the candidate, and presently either Mr Ravi Shankar Prasad has not considered this a priority or the same feud between the Government and the CJI continues to cause problems.

8. As regards the High Courts, they seem to be uninterested and pass judgements that the victims can approach the Cyber Appellate Tribunal, which is of course the right forum but which is dysfunctional. The Karnataka High Court assumed jurisdiction to pass a stay in favour of the Bank against the award of the Adjudicator, but did not exercise the same jurisdiction to hear the case on merits, which would have benefited the consumer. There was a blatant double standard followed by the Karnataka High Court.

9. Karnataka Human Rights Commission tried to take up the issue but was silenced by the Karnataka High Court. The National Human Rights Commission refuses to assume jurisdiction.

If we see this entire scenario, which has been personally brought to the notice of several Karnataka Chief Ministers, several Chief Justices of Karnataka and the Supreme Court, and several IT Ministers and Prime Ministers, as well as influential persons such as Rahul Gandhi, Sonia Gandhi and others at different points of time, nobody seems to consider it important to protect the interest of the common Bank customer.

The Reserve Bank of India again presents a dual face. On record it actually mandates that Banks should take the liability and cover themselves with appropriate insurance, as it stated way back in June 2001 and reiterated again in 2011. But beyond issuing circulars, it is helpless under the influence wielded by powerful Banks such as ICICI Bank and SBI through the Indian Banks Association. Mr Raghuram Rajan may be one of the best Governors of RBI because he is a good economist, but he seems to have no inclination to assume responsibility for secure Banking and the welfare of Bank customers.

Some of the officials in RBI think that the so-called 2-Factor authentication is a panacea for all. As we can see in the instant case in Pune, 2-Factor authentication has been broken several times and cannot be considered as adequately protecting the interests of the customers. But technologists seem to be pushing the idea of more and more technology into Banking without a corresponding improvement in security.

It is therefore clear that the legal system in India has demonstrated its inability to protect the Bank customer from the risks of E Banking, and neither a Regulatory will nor a Political will to set things right is evident.

The situation is murky since the law clearly states that when a customer hands over money to the Bank in the form of a deposit, he ceases to be the owner of the money and becomes a “lender” to the Bank. If the money is lost subsequently, what is lost is the money of the Banker, which he has borrowed, and he is accountable to the customer. This fundamental law of the “Banker-Customer Relationship” is ignored by the Banks when they force the customer to file a police complaint that he has lost his money.

Banks also hide the fact that Indian laws recognize only “Digital Signatures” as a valid form of authentication for Bank transactions, and all other systems of authentication are unapproved systems, the use of which makes it mandatory for Banks to pick up the legal liability towards the customer and obtain coverage through cyber insurance, as per the Internet Banking guidelines.

Banks also hide the fact that in most cases money gets transferred from the victim’s account to fraudsters’ accounts kept in the same Bank or other Banks, where there is a blatant KYC failure and apparent complicity with the fraudster. The Police unfortunately fail to book the Banks as the main accused and end up chasing the elusive fraudster, whose information is wrongly recorded in the Bank out of recklessness or deliberate complicity.

If our Judges, both the “Ex Officio Judicial Bodies” such as the Adjudicators as well as the honourable Judges of the High Courts and the Supreme Court, understand and uphold the basic principles of Banking law and Information Technology law, then the customers of the Bank should get justice each and every time a cyber fraud occurs and siphons off money from their Banking account.

What is distasteful is that the same Banks are willing to compromise in many cases and pay off privileged customers including celebrities, Police officers and even large corporates. But when it comes to an ordinary individual customer, they put their best lawyers to fight the cases and frustrate them. RBI does not seem to notice this discrimination. Some of my customers have brought such discrimination to the notice of even Ravi Shankar Prasad recently but there has been no response.

I therefore appeal directly to our honourable Prime Minister, Mr Narendra Damodardas Modi, through his trusted aide Mr Amit Shah and the National Cyber Security Advisor Dr Gulshan Rai, as well as the Chief Justice of India and the Governor of RBI, to take up the following actions.

1. Kindly get the Cyber Judiciary System in order by immediately appointing an appropriate Chairperson to the Cyber Appellate Tribunal.

2. Reiterate the mandate vide the RBI Circular on Internet Banking Guidelines of June 2011 that the Banks should consider that every such fraud is “Insured”. If the Bank has not obtained insurance from an insurance company, then it should be considered as Self Insurance.

3. Just as there is talk of “Social Security” through Life and Health Insurance schemes, there is need for “Digital Security” through mandatory Cyber Insurance for all Bank Customers. Mr Narendra Damodardas Modi must ensure this before pushing the Digital India project ahead.

I invite a countrywide debate on the need for “Cyber Insurance for All”. All those media persons who are harping on Vyapam and Lalit Gate, please turn your attention on “Cyber Insurance for All”.

I would also invite readers to forward this note to the relevant persons and I would like to have a discussion on this matter directly with the relevant authorities in the Government of India.

I invite the IB which should be monitoring social media writings on political leaders to also forward this note to the relevant persons along with a note that the author is otherwise a known BJP sympathizer.

P.S: Naavi.org will shortly be announcing an All India Study on Cyber Insurance. This survey is generally aimed at capturing the current status of the Cyber Insurance industry in India. A large part of the study is aimed at Company executives as respondents. However, I would like every Netizen to participate in this survey, since Cyber Insurance at the Corporate level is meant to enable companies to protect themselves against losses arising out of all Cyber Crimes, including Cyber Frauds in Banks, and hence should automatically protect the end Customers.

Naavi


Conviction for Stalking in Maharashtra: Is it Cyber Stalking or Physical Stalking?

A senior executive of a private company in Mumbai has been convicted for what is reported to be an offence of “Cyber Stalking” according to the media reports. (See this TOI report: First Cyber Case Conviction in Maharashtra). It is hailed as the first conviction case of cyber crime in the State since the cyber laws came into existence in 2000.

The case was prompted by a complaint from a lady stating that she was receiving e-mails from an unknown person indicating that the sender was following her physical world movements, and that some of the messages contained obscene pictures. The Police traced the sender through IP address resolution and he has now been convicted with imprisonment of 4 months. It appears that forensic investigation of two hard disks and mobile call details were also used as additional evidence.

While we appreciate the publicity that a Cyber Crime Conviction is getting, for academic purpose we may discuss if it was indeed a Cyber Crime or a Physical crime that was committed in this case.

At this point we are awaiting particulars of whether the conviction was under ITA 2000/8 or the IPC. Actually this was a fit case for Section 66A, which the Supreme Court recently scrapped. The offence was clearly made out under that section.

Just because the evidence is in electronic form, the crime itself does not become a “Cyber Crime”. In this case, annoyance was caused and fear was induced in the victim. But the fear was that somebody was following her in the physical world. The threat was in physical space. The primary crime therefore appears to be in the physical space; Cyber space has been used for communication. The moot question is whether the complainant felt harassed because she received the email, or because she realized from the email that she was being followed in the physical space when she went to a movie or to the temple. If it was an apprehension that she was physically followed and could be physically abused, it should be treated as a physical space crime.

We need to check if there was a threat through email or if there was obscenity in the content; then there is a case under ITA 2000/8. But under the grand verdict of the learned Supreme Court judges, causing annoyance through email can still be within the definition of “Free Speech”!

So to call this case the “First Cyber Crime Conviction in Maharashtra” is perhaps not entirely correct.

However, we congratulate the Police for having presented the digital evidence in a manner that the Court accepted and went for conviction.

We shall provide more information in these columns once the details are available.

Naavi


If NaMo is the CEO of Digital India.. who will be the CISO of Digital India?

The event on 1st July, 2015, in which our Prime Minister Modi launched the Digital India project along with a battery of industrialists was very impressive.

I suppose Mr Arnab Goswami and the Congress must be squirming within themselves to somewhere find a fault. As luck would have it, an incident was reported yesterday that certain content changes were made on Wikipedia regarding Jawaharlal Nehru and his lineage, and it was reportedly done from an IP address/email address traced to NIC. The ever eager Congress spokesperson, Mr Sanjay Jha, started saying that the Modi Government is responsible for this, and the more sinister TV anchor Mr Gaurav Sawant of India Today further suggested that this could have been engineered by the RSS.

As long as such tendencies remain in the media and the opposition, any well-intentioned project of the Government of India will face all kinds of opposition, and the Digital India Project will also face determined opposition both from irresponsible opposition parties like the Congress and from motivated media.

It is therefore even possible that in future, the opposition may actually sponsor cyber attacks from NIC addresses or on Government assets only to deride the Digital India program of Narendra Modi. It is therefore to be considered that opposition parties and motivated media would be among the “Threats” that the Cyber Security planners need to factor in.

It was good to hear the PM speak of “Netizens” and “Cyber Security”, two terms which you find in abundance in our discussions in this blog over the last 15+ years. In fact a few years back when elections were being held in Karnataka for the assembly in which Congress won, the undersigned had proposed a “Charter of Demand” by netizens urging political parties to take it up as part of their election manifesto. I am sure that they did not understand the import of what was being suggested. But it is heartening to now hear Mr Modi speaking in similar language.

Skeptics will point out that making declarations and implementing them are two different things. From my personal experience, I have had enough disillusionment on various developments and therefore skepticism comes naturally even to me. However, being an optimist by nature, I always hope that this time it will be different. After all, Mr Modi has the right intentions and so far we have never had a person like him at the helm of affairs. We only had persons like Kapil Sibal or Manmohan Singh, incapable of seeing beyond the political domain.

There is no doubt that India has enough talent in IT, and it should also mean that we have enough talent in Cyber Security. Before Mr Modi pointed it out yesterday, even the industry champions would never have thought of the possibility that India should look to be a leader in Cyber Security! The vision of Modi is therefore far ahead of Mukesh Ambani, Cyrus Mistry or Azim Premji, probably because these stalwarts have seen how the Governments used to function under the previous regimes and got used to the “Rules of UPA” where only money and personal connections worked. It is easy for some journalists to cry hoarse about “tainted” businessmen, but we must agree that many of the businessmen became tainted by coercion from politicians. Now that the atmosphere has changed, there is a need to recognize that those businessmen who carry some “taint” from the past need to be given an opportunity to work honestly in the new regime.

However, persons like Arnab Goswami who do not care about the country are sure to put spokes into any new radical initiative of the Government, including the Digital India concept, and if this project is to succeed, we need to work our way around such malware in society.

These thoughts were vindicated by the discussions in the TV media about the Nehru Wikipedia issue. Most of us know that the objected content was already in circulation on YouTube and everybody knew about it. Such content will continue to be available on the Internet in the future also. We (and also the media) should learn to differentiate the real cyber crime issues from random trolling on Twitter or elsewhere. Rather than making statements on TV that the Modi Government should take responsibility etc., I would have appreciated the media to have just warned of the dangers that the Internet presents and why some kind of regulation is essential if the Internet is to be used for the benefit of the society.

Readers may be surprised to know that a few years back the Chief Minister Mr Yeddyurappa, in a speech at the Cyber Security Summit in Bangalore, declared Bangalore to be the “Cyber Security Capital”. In doing so it had been envisioned that Bangalore would undertake all necessary activities to make it the global center of cyber security activities. Of course it remained only a declaration in the summit and nothing much happened thereafter. Presently Bangalore is ironically called the “Cyber Crime Capital” and nobody is even concerned. We do not want the current Modi project to go the same way.

In this context we need to point out that the media and several politicians including those from BJP hailed the decision of the Supreme Court when Section 66A was scrapped, for all the wrong reasons. Only Naavi.org called it a “Black Day” and tried to draw the attention of everybody including the IT Minister, all in vain. How the Digital India project can take shape without a consensus on laws regarding cyber defamation and privacy, only God knows.

In the months preceding the Sec 66A scrapping, I had also brought to the attention of the Government the serious gap in the Cyber Judiciary system with the closure of the Cyber Appellate Tribunal. Unfortunately the Ministry, which includes the many scientists who work there, has not been able to take corrective steps. In Bangalore one Adjudicating Officer has redefined the law to suit cyber criminals and the current Adjudicator has such a closed mind that he is unable to see through the problem. This has rendered Karnataka a haven for cyber criminals. But our politicians including the Union IT Ministry continue to talk without even attending to small things on the ground.

In this background I would like Mr Modi to know that most Cyber Security professionals in closed circles disbelieve the efficacy of the Digital India implementation. But we all love Mr Modi and his honesty and therefore many may not raise their doubts in public, except of course the undersigned.

In my opinion, industry can be counted upon to lay down the nationwide Optic Fiber network which Modi rightly called the I-Way. But the Government should be ready to ensure that the network is secured against vandalism and interception. Similarly, every E-Governance and M-Governance project needs to be vetted for security, not by a China-sponsored security group but by a group supported only by the Government.

This requires a policy today, before the first set of Optic Fiber cables are laid down and the first set of roads are laid in a smart city. The industry would be interested in selling and installing the cables but they can hardly be expected to worry about the security. We may therefore end up setting up an entire infrastructure of I-Way which, apart from carrying the digital data, will also become the “CC-Way”, i.e., a highway for Cyber Criminals.

If we do not understand this problem and take corrective action today, 5 years from now we will be ruing the very decision of setting up the I-Way.

I do not expect Mr Modi, as the CEO of the country, to be fully aware of these risks. The CTO of the country, namely Mr Ravi Shankar Prasad, may also be focusing more on the infrastructure build-up and he may not be expected to take full control of the Cyber Security issue. But it is the duty of the CISO of the country to take care of the security issues that accompany the Digital India project.

But the moot point is who is the CISO of Digital India?

Will the NIC be capable of taking up this responsibility? There is the recent warning signal, and many in the past, which do not inspire confidence.

Will the NSA also be the CISO of India? Perhaps it is too much to expect.

Of course there is a Cyber Security Advisor in Mr Gulshan Rai in the PMO. Will he be the designated CISO of India?

We may also ask: will the CISO be a single person? Or will it be a body like the IN-CERT? Or will it be a NASSCOM body such as DSCI?

If so, Where were they in yesterday’s Digital India presentation?

If we look at the threats around us, such as the “Malicious Codes”, both digital and human, that we need to confront, and knowing the vulnerabilities of our administrative set-up, the risks are too obvious.

But have we made a conscious effort to list down the risks and their “Governance Impact”? It is necessary for the Netizens of the country to be assured in this regard before we welcome the Digital India project wholeheartedly.

During the Digital India launch, I wished that Mr Modi would speak of the “Cyber Insurance Industry” but no such discussion happened. I want the Government to recognize that Netizens cannot be exposed to risks which even experts find difficult to fathom when the Digital India, Smart City or IOT projects take shape.

When we need to move from Snail Governance to E-Governance and then on to M-Governance and App-based Governance, we need to simultaneously assure the Netizens that they are protected from the risks arising out of this transition.

This is as much a necessity as the Health Insurance and Life Insurance schemes which Mr Modi has introduced as part of Social Security. In the Digital India, most of the Citizens will depend on the Government for security and Insurance when the security fails.

Hence Cyber Insurance should be a strong pillar on which the Digital India concept is built up. I felt that this was not addressed by Mr Modi yesterday. It is perhaps the failure of the bureaucrats in not providing Cyber Insurance as a Risk Transfer mechanism for Netizens, but I would still wait for Mr Modi to express his views on Cyber Insurance in the days to come.

I suppose the department of IT which should be monitoring posts such as these will bring it to the notice of Mr Modi so that some action can be worked out in this direction before it is too late.

I want to reiterate that the IT industry which will reap the benefits of the Rs 450,000 lakh crores is unlikely to advise the PM in this regard properly since “Security” and “Insurance” will increase the costs and reduce the profits. We have seen Banks declaring that “We will provide only that much security as is commercially feasible” and RBI does not even recognize the import of such policy statements.

Hence the PM must have Cyber Security advisers who will be empowered to question every IT project implementation from the security angle even if it is implemented by Reliance Geo or TCS or Wipro.

All this needs to be built into a “Cyber Security Governance and Management Infrastructure” that should be in place before the Digital India project takes off. But yesterday we launched the Digital India project banking on the old National Cyber Security Policy, which is not a full-fledged implementable agenda.

I hope that in the coming few weeks something will happen in this direction.

I invite the attention of Mr Nandakumar Sarvade who has recently taken over as the CEO of DSCI to let us know what will be the role of DSCI in establishing a Cyber Security Framework which is Netizen oriented and not IT vendor oriented.

Naavi

Related Article: Charter of Demand on behalf of Netizens of Bangalore


Court Asks Facebook to reveal identity of a user

A Dutch Court has ordered Facebook to reveal the identity of a person who posted an obscene video. According to Facebook, the posting was done from a fake account and was purged. The Court has however said that Facebook will have to submit its servers to external forensic investigators to extract the information.

Refer article here

It may be recalled here that Facebook faced an earlier lawsuit claiming damages of US $123 mn in which it took an unreasonably long time to delete a posting. In the instant case, therefore, it appears to have acted quickly to remove the content but is now caught in the controversy that it has not protected the legal interest of the victim.

It is considered a compliance requirement under ITA 2008 for intermediaries that in such cases, where the intermediary deletes content once posted, the content has to be archived for legal purposes.

Intermediaries should therefore ensure that their “Grievance Redressal Mechanism” includes appropriate guidance that, while they remove the content after an initial internal enquiry, the evidence is preserved and produced when required by law enforcement. In practice this means the removal step is never a plain delete: the original record (content, account identifiers, IP address, timestamps) is copied into a write-once legal-hold store and hashed before it is taken out of the live system, so that what is later produced can be shown to be what was actually removed.
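The preserve-then-remove step described above, as an added example that is not code from the post or from any platform mentioned in it. It models a takedown that first writes a hash-chained archive record and only then removes the post from the live store; the data model, field names and the use of SHA-256 are assumptions for illustration.

```python
"""Takedown with evidence preservation (added example, not from the original post).

Each removal appends an archive record that embeds the previous record's hash,
so later tampering with or deletion of an archived record is detectable when
the record is produced for law enforcement.
"""
import hashlib
import json
import time

GENESIS = "0" * 64  # previous-hash value for the first archive record


def _digest(obj) -> str:
    """Canonical SHA-256 over a JSON-serialisable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class LegalHoldStore:
    def __init__(self):
        self.live = {}       # post_id -> post dict, what users can see
        self.archive = []    # append-only list of removal records
        self._prev = GENESIS

    def publish(self, post_id, author_id, src_ip, body, posted_at=None):
        """Record a posting together with the identifiers a court may ask for."""
        self.live[post_id] = {
            "post_id": post_id, "author_id": author_id, "src_ip": src_ip,
            "body": body, "posted_at": posted_at or time.time(),
        }

    def take_down(self, post_id, reason, reviewer, removed_at=None) -> str:
        """Archive the post, then remove it from the live store. Returns the record hash."""
        post = self.live[post_id]          # KeyError if there is nothing to remove
        record = {
            "post": post,                  # full original, not a summary
            "content_sha256": hashlib.sha256(post["body"].encode()).hexdigest(),
            "reason": reason, "reviewer": reviewer,
            "removed_at": removed_at or time.time(),
            "prev": self._prev,            # chain link to the previous record
        }
        record["record_sha256"] = _digest(record)
        self.archive.append(record)
        self._prev = record["record_sha256"]
        del self.live[post_id]             # removal happens only after archiving
        return record["record_sha256"]

    def produce(self, post_id):
        """Return the archived record for a lawful request, or None if never removed."""
        for rec in self.archive:
            if rec["post"]["post_id"] == post_id:
                return rec
        return None

    def verify_chain(self) -> bool:
        """Recompute every record hash and chain link; False if anything was altered."""
        prev = GENESIS
        for rec in self.archive:
            body = {k: v for k, v in rec.items() if k != "record_sha256"}
            if body["prev"] != prev or _digest(body) != rec["record_sha256"]:
                return False
            prev = rec["record_sha256"]
        return True


if __name__ == "__main__":
    store = LegalHoldStore()
    store.publish("p1", "user-42", "203.0.113.7", "constructed sample post")
    store.take_down("p1", "complaint: obscene content", "moderator-1")
    print("live:", list(store.live), "chain ok:", store.verify_chain())
```

The order matters: if the archive write fails, the post stays live and the exception surfaces, which is the safer failure for an intermediary that may later be asked to produce the evidence.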

Apart from Facebook and Twitter, such requirements also apply to websites such as Glassdoor, MouthShut etc. which have created a business model out of hosting messages which could be considered defamatory.

While many of the Indian companies operating in global markets try to comply with American law, most of the US companies are not so vigilant when it comes to complying with Indian law. Just as Facebook seems to have woken up with a $123 mn lawsuit, these companies will also wake up when they face a multi-million dollar lawsuit.

Naavi


“Dyre” threat to Indian Bank customers

The threat of the “Dyre” trojan, discovered a few months back, seems to have been upgraded, with recent reports of new variants. Dyre is a malware targeting customers of more than 1000 banks worldwide. Indian Banks are also on its radar and, according to security researchers, it is one of the most dangerous trojans presently targeting the Indian Banking scenario. It targets Windows computers and can steal Banking and other credentials.

The malware is delivered via an email message that comes with an attachment claiming to be a legal document, a Zip or PDF document supposedly containing details about recent law modifications regarding fraudulent activity or other such information. The spam emails delivering the Trojan may also include a PowerPoint attachment containing an exploit for the CVE-2014-4114 vulnerability in the Windows operating system. The weakness is in the OLE (Object Linking and Embedding) packager, which allows an embedded object to point at a remote location so that an INF file is downloaded and executed when the document is opened.
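A mail-gateway check for the PowerPoint delivery vector described above, as an added example that is not code from the original post or from any vendor. Office documents are zip containers whose `.rels` files declare how embedded objects are linked; the CVE-2014-4114 documents carried an OLE object relationship marked `TargetMode="External"` that pointed at a remote INF file, and that is the pattern scanned for here. The constructed sample document, the file names and the extension list are assumptions for illustration, not a real malicious sample.

```python
"""Heuristic scanner for externally linked OLE objects in OOXML attachments.

Added example, not code from the original post. It flags slide/document
relationships that bind an OLE object to an external target, especially a
UNC path or URL ending in an executable type such as .inf, which is how the
CVE-2014-4114 exploit documents fetched their payload.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

# Types the OLE packager will fetch and run; .inf is the one seen in CVE-2014-4114.
# The list is an assumption for illustration, extend to local policy.
SUSPICIOUS_EXT = re.compile(r"\.(inf|exe|scr|bat|cmd|vbs|js)$", re.IGNORECASE)
# Remote locations: UNC share (\\host\share) or URL.
REMOTE_TARGET = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)


def scan_ooxml(data: bytes) -> list:
    """Return a list of findings for an OOXML (pptx/docx/xlsx) file given as bytes."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [{"rels": None, "id": None, "target": None,
                 "reasons": ["not an OOXML zip container"]}]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append({"rels": name, "id": None, "target": None,
                                 "reasons": ["unparseable relationships xml"]})
                continue
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                reasons = []
                if rel.get("Type") == OLE_REL_TYPE and external:
                    reasons.append("external OLE object (remote download)")
                if SUSPICIOUS_EXT.search(target):
                    reasons.append("executable-type target (.inf etc.)")
                if external and REMOTE_TARGET.match(target):
                    reasons.append("UNC/URL target")
                if reasons:
                    findings.append({"rels": name, "id": rel.get("Id"),
                                     "target": target, "reasons": reasons})
    return findings


def build_sample(target: str, external: bool) -> bytes:
    """Construct a minimal pptx-like zip with one slide and one OLE relationship.

    Test fixture only: it is not a working document and not a real sample.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Benign: embedded object stored inside the package.
    print(scan_ooxml(build_sample("../embeddings/oleObject1.bin", external=False)))
    # Suspicious: OLE object fetched from a remote share as an INF file.
    print(scan_ooxml(build_sample(r"\\198.51.100.9\share\slide1.inf", external=True)))
```

A gateway would quarantine on any finding with the "external OLE object" reason rather than only on the `.inf` extension, since the packager will fetch whatever the attacker names; the extension check is there to rank findings, not to decide them.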

Financial institutions, payment services and HR-related websites are the targets of the Dyre malware, and India appears to be the sixth most targeted country for the time being.

Dyre’s money-stealing activity follows a well-known pattern: the web browser is hijacked to monitor web sessions, and the victim is either redirected to fake websites or the content of the genuine bank’s pages is altered on the fly to capture banking login credentials, in a man-in-the-browser attack. Because the tampering happens inside the browser after TLS has been terminated, the padlock and the correct URL still appear to the victim.

According to experts, the data Dyre exfiltrates is difficult to distinguish from legitimate traffic since it is encrypted with the malware’s own key. It includes login credentials for a large number of global banks.

Several prominent Banks are targeted by the trojan, including Bank of America, Citigroup, the Royal Bank of Scotland, Ulster Bank and NatWest. At this point of time the list of Indian Banks on Dyre’s radar is not clear, though at least two Banks are reportedly on the list. One can expect ICICI Bank and HDFC Bank to be those Banks, being the most prominent e-Banking entities in India. Customers of these Banks should therefore be extra careful when dealing with spam mails.

Simultaneously, we also need to be aware that the malware writers are getting more sinister, as can be observed in the case of the “Rombertik” trojan, which, when it detects that it is being analysed, destroys part of the master boot record rather than let itself be examined. It is a kind of “Suicide Bomber” who blows himself up when confronted.

E-Bankers are therefore under continuous attack from sophisticated trojans/viruses and are left to fend for themselves. It is therefore essential for the promoters of E-Banking transactions, which includes RBI in particular, to mandate protection of Banking customers through appropriate Cyber Crime insurance. Bankers need to assume responsibility for malware activities and provide insurance cover along with their own secure web applications for customers to use.

Naavi

Related Articles:

India’s Financial Institutions sixth-most targeted by Dyre Trojan malware - Symantec

Dyre Banking Malware Uses 285 Command and Control Servers

Researchers Analyze Dyre Sample with new features

Financial Institutions in “Dyre ” straits

Dyre Malware Developers Add Code to Elude Detection by Analysis Tools
