I call for an “All India Cyber Law Awareness Movement”

In another regrettable incident, a talented young person from Patna who was earlier praised by none other than Dr Abdul Kalam for his technical skills has been arrested now for a criminal activity.

The 25-year-old tech genius by name Shivendu Madhav from Bihar had reportedly earlier developed and demonstrated a search engine like Google to Dr Kalam in one of the exhibitions and received accolades. He had also sold one of his technical blogs to a US professor for Rs 4.5 lakhs. He was therefore short of neither money nor recognition and future career prospects. Yet he decided to use his talents to develop a fake railway recruitment portal www.rrbbpl.org and duped lakhs of jobless youths promising them jobs via RRB Bhopal.

Refer Article in TOI

The youth has since been arrested and some of his accomplices are now being traced. Law will take its course and probably this young genius will be punished. As a routine we can also congratulate the police team and appreciate their work.

However, as information security professionals we need to sit back and reflect why such things happen. I am reminded of an earlier case where a youth was arrested in Bangalore for ATM frauds and it was found that he had a very lucrative employment. It appears that the traditional behavioral science theories are being overturned in the current generation where “Negative Motivation” influenced by unrealistic material expectations in the society overrides the traditional motivators such as “Security”, “Reasonable Money” and “Recognition”. People seem to be greedy for more and more money and are willing to risk their future for immediate gains.

This indicates

a) Lack of Ethical training in our IT education.

b) Lack of fear of the law.

I therefore call upon the Ministry of Information Technology to initiate an all India program of “Creating an Ethical IT Work Force” as a part of the Cyber Security initiative. Such a program requires Cyber Law Education and Awareness of the consequences of violation of Cyber Laws right from the XI standard when Computer science knowledge gets imparted to our students. We may call this “Cyber Ethics Education”.

Mr Modi has embarked on a “Clean India” program in memory of Mahatma Gandhi from today. I suppose what Mr Ravi Shankar Prasad has to initiate is a “Cyber Law Compliant Mindset Development Program”.

As regular followers of this site are aware, the undersigned has been pursuing “Karnataka Cyber Law Awareness Movement” or “saibar kanUnu PrajnaaMdOLana” (ಸೈಬರ್ ಕಾನೂನು ಪ್ರಜ್ಞಾಂದೋಳನ) and done several programs across Karnataka in the last decade. During the days when Mr H.K.Patil was the law minister of the state under S.M.Krishna’s regime as CM, the undersigned had also discussed several such initiatives with the then Karnataka Government authorities. KLE Society of educational institutions had provided support for the initiative in a big way. But over the years the interest appears to have waned as agencies other than Naavi’s initiatives failed to sustain the movement and Naavi’s initiatives could not sustain on their own due to lack of resources.

In fact one of the activities that these initiatives highlighted was the celebration of October 17 as the “Digital Society Day” to commemorate the notification of ITA 2000. This year this could be a day which Mr Ravi Shankar Prasad should consider to promote some positive action in improving the Cyber Law Awareness in the country. “Bangalore Cyber Security Summits” conducted in Bangalore during the days when Mr Ashok Manoli was the IT Secretary were also part of such an effort with the participation of the local Government. They need to be revived.

Unfortunately over the next few years the movement withered out and slowly Karnataka lost the momentum it had gained as a “Cyber Law Capital of India”.

The current incident reminds me once again that the concept of “Cyber law Awareness Movement” retains its relevance and needs to be pursued. IIIT Law (International Institute of Information Technology Law), a trust based in Bangalore, Cyber Society of India (CySi) in Chennai are two surviving institutions co-promoted by the undersigned in the past to address the work related to Cyber Law Awareness in the community. Of these CySi is active and doing some good work in Chennai. IIIT Law has lost steam and efforts are being made to pull it back on rails.

I call upon the Karnataka Government as well as private educational institutions and other related bodies with necessary resources to take up the cause of rebuilding the Karnataka Cyber Law Awareness Movement and also extend it as an “All India Cyber Law Awareness Movement” (AICLAM).

A movement of this type is an essential part of “Cyber Security” which Mr Modi stressed during his UN General Assembly address recently and therefore meets the objectives set forth by the current Government at the center.

Will Mr Ravi Shankar Prasad, the IT Minister in Delhi, and the PMO consider this?

Naavi

(I invite suggestions from the public in this regard. Please also spread this message widely)


Cyber War Risk with China is evident

Despite the recent visit of the Chinese premier to India and the pledging of the possible investment of US$20 billion, the utterances of the Chinese prime minister after his return to China asking his troops to be ready for a “Regional War” are a matter to be taken note of.

China has always been an unreliable nation and cannot be trusted for business relations. China is the leader in Cyber Warfare and using their technologies for our bullet trains and smart cities is an open invitation to disaster if and when there is a cyber war between India and China.

It is good for Mr Modi to keep China at arm's length in the field of technology and ensure that India tries to develop its capabilities in the technology era with the assistance of Japan and USA.

Indian companies doing business with China should also be careful not to transfer any critical technology to China in the long term interest of our country.

Naavi


First Steps in Cyber Crime Insurance

Recently interest in Cyber Crime Insurance has been on the rise in India. According to a recent report in Business Standard, the premia for such policies are around 0.5% to 1.5%.

It is, however, important for the insured to consider what the exclusions in the policy are and whether there is clarity on the valuation of the insurable assets at the time of purchase and on the valuation of claims.

According to the above BS report “distribution of unsolicited email”, “wire tapping”, “eavesdropping”, “fraudulent acts”, “failure to maintain standard computer security” are some of the major exclusions.

Out of the above exclusions, the failure to maintain standard computer security is understandable. However, what is “Standard computer Security” is debatable.

Also it is not understandable how “eavesdropping”, “Fraudulent acts” etc can be excluded. If these are true, insurance companies must be considering more of “Loss due to technical failures” rather than “Loss arising out of Cyber Crimes”.

Technical failures may lead to loss of data. However in most of the cases where a claim is to be preferred there will always be a human hand, malicious or otherwise. Hence “Fraud” cannot be eliminated from the risks. Hence if “Frauds” are excluded, there is insufficient coverage. Also if the coverage does not cover “Liabilities” arising out of the security breach, it is not beneficial to the insured.

The question of “Standards” is always dicey. At present in India law requires “Reasonable Security Practice” which is often not interpreted properly by the companies. Hence what constitutes “Failure to meet Security Standards” is always a debatable issue. While many may be able to produce a certificate such as ISO audit or PCIDSS audit, these do not constitute indisputable standards under the “Reasonable Security Practice” under ITA 2000/8.

It would be interesting to see how insurance companies define such exclusions. Unless some data is built up over time on the claim settlements of different companies, it is difficult to evaluate which policy is better for a prospective insurance seeker.

As regards valuation, in a liability insurance, the value of the asset has to be based on the value of “Information” rather than the value of the hardware and software. Hence in companies where “Data Loss” is the prime criterion, the “Data” needs to be valued. Whether this will be based on acquisition cost, replacement value or liability potential is a matter to be discussed. Normally the acquisition cost of data is relatively low while the liability potential is high. The insurance premium would therefore be on the lower value but the claims would be on the higher value.

According to one of the recent security reports, in case of data breaches the biggest loss comes out of the “Reputation Loss”. Whether it is possible, at the time of insurance, to add the “Value of Reputation” as part of the assets to determine the premium is therefore a valid point for discussion.

Probably the role of insurance brokers is therefore very critical at the current juncture since they need to ensure a fair coverage for the clients at affordable premia.

We need to watch the performance of such insurance brokers.

Naavi.org calls upon insurance seekers to share their experience with insurance companies and insurance brokers so that we can evaluate their performance from time to time.

Naavi


Cyber Crime Insurance industry is waking up

Several years after Indian industry started demanding Cyber Crime Insurance, insurers appear to have realized that there is a potential business here worth exploring. (See article here). In our earlier article we had highlighted that after the recent G Mail hacking report, the interest seems to have got a boost.

While three companies namely HDFC ERGO, TATA AIG and ICICI Lombard appear to have started writing insurance policies, it appears that they are still in the process of writing customized policies for specific large clients. They may be banking more on their relationship with the existing customers in other products rather than developing an exclusive product for the “Cyber Crime Risk”.

The premia talked about in the media also appear to be unrealistically high and indicate that the insurance agencies are yet to get a grip on the risks and the actuarial evaluation.

For the industry to pick up such insurance products, the products must be affordable and also promise quick settlement of claims.

At present we do not have any experience as to the settlement of claims and therefore we need to await further developments to understand how the industry is set to progress in the coming days.

Naavi


Hacking of G Mail passwords

Recently, it was reported in the media that more than 4.93 million Gmail account passwords were hacked and released through torrent. There was also a website which provided a verification of whether a particular email address was included in this dump or not.

Subsequently it was also reported that Google had advised the affected account holders to change the passwords, leading to speculation that Google had admitted the hacking of its resources.

It has subsequently been explained by independent security professionals that Google stores the passwords only in encrypted form. Hence, even if there appears to be a compromise of a Gmail password, it might not have occurred through hacking of a Google server and could possibly have occurred through other websites where users might have used the Gmail account credentials along with a password which might be the same as what they use for the Google accounts.

Related News 1

Related news 2

It was also interesting to note that there was a separate news item that the terrorist organization ISIS is trying to establish domination in the Cyber Space and develop Cyber war capabilities in the name of “Cyber Caliphate”.

Cyber Caliphate news

Naavi


Android Users face attack through Facebook

A malware called iBanking is said to be targeting Android users through Facebook. The malware is spread through the computer to the mobile and is capable of intercepting the two factor authentication of Banks. It can send false SMS, intercept incoming SMS and also record voice calls etc.

Details : http://www.securityweek.com/attackers-use-facebook-target-android-users

Naavi

 
