Karnataka IT Administration Wakes up

After a long period of lull, the IT department of Karnataka appears to have woken up. Under the leadership of the new IT Secretary, the State has unveiled certain welcome policies to give a boost to IT in Karnataka. One of the key policy announcements is the declaration of IT services as “Essential Services” and to protect it from the risks of bundhs, strikes and other interruptions to its 24X7 operations. Though the workforce in the IT industry may find it uncomfortable and claim that they may be exploited by the companies, this sacrifice is essential to keep the IT industry going and retain the global services running.

While we welcome the initiatives announced by the Karnataka Government in encouraging the industry in Karnataka particularly in Tier II and III centers, it is necessary to point out that IT cannot prosper in the State without adequate attention to Information Security and Cyber Law implementation. A law less jungle cannot be a fertile ground for attracting investment.

At present, Karnataka Government and more particularly the earlier IT Secretary (Mr M.N.Vidyashankar) has rendered Karnataka to be a State which can be called a “Cyber Crime Haven”. In Karnataka a cyber crime victim cannot seek cyber judicial assistance if the crime is committed by a company. Also no Company can seek redressal of its grievance under ITA 2008 since substantial parts of the Act have been ruled to be out of bounds for corporate entities.

Karnataka High Court has declined to intervene and  correct the ridiculous state of law-less ness in the State and has contributed to the problem.

The undersigned has for the umpteenth time taken up the matter once again with the Chief Minister of the State. A copy of the letter written to the Chief Minister Mr Siddaramayya in this regard is available here.

Let’s hope that the new IT Secretary and the new Chief Minister understands why the undersigned is calling the State as “Cyber Crime Haven” and takes the necessary steps to correct this anomaly.

Without a correction of the Cyber Judiciary Status in India, international investors have no reason to look at Karnataka as a destination for their investments despite any other advantages that the Government may promise.

Naavi

Refer article in DH


Rs 24600 crores per annum is the cost of Cyber Crimes in India

According to the 2013 Norton Report, the total cost of cyber crimes to India during August 2012 to July 2013 is estimated to be $4 billion (about Rs 24630 crores). This is 8% more than what was estimated for last year.

The basis for this cost is based on the “Amount spent by a user on replacing hardware or software as well as data after he/she has been subjected to a cyber attack”.

From the definition of the cost it appears that Norton has only taken the “Technical aspects of Information Security” into consideration and used the “replacement cost” as the basis. The estimate appears to have not considered the “Legal Dimension” of the information security or the financial losses suffered by the victims or the liabilities faced by the victims (whether actually incurred or not). Hence the estimate  has completely ignored what the common man considers as “Cost of Cyber Crimes”.

It is high time that security firms such as Norton realize that Information Security cannot be looked from a uni dimensional concept of technology. The total cost of cyber crime includes the legal liabilities that may arise on account of a security breach incident. Additionally, costs related to manpower hardening (covering the third dimension in Naavi’s Total Information Assurance model) is also a cost of cyber crime.

However, from a corporate perspective and technical investments into information security tools, the Norton estimate may provide a useful insight.

Refer Report in ET

The study also revealed that nearly 48% of smart phone and tablet users do not take even the basic precautions such as using passwords, having security software or backing up files from their mobile devices.

Norton Press Release

India Report

Naavi


Board Room Responsibility for Cyber Security

The undersigned has been highlighting the need for Directors of Companies and the CEO to take responsibility for Cyber Security in an organization. Section 85 of ITA 2008 as well as Section 79 has clearly laid out the need for “Due Diligence” without which Directors of Companies may find themselves saddled with civil and criminal liabilities.

The infamous Baazee.com litigation dragged the CEO Mr Avnish Bajaaj to a Court battle which prolonged for 8 years. Though he escaped conviction because of a technical error by the Police which in reasonable probability could be deliberate, the need for due diligence at Board levels was well emphasized in the process.

This article in Forbes titled “Boards are still Clueless about Cyber Security” highlights that even in US the level of Board attention on Cyber Security is still lacking. According to a Carnegie Mellon report,

71% of their boards rarely or never review privacy and security budgets
79% of their boards rarely or never review roles and responsibilities
64% of their boards rarely or never review top-level policies
57% of their boards rarely or never review security program assessments.

If this is the situation in a Compliance sensitive corporate community like US, one can imagine that the status in India can be pretty bad.

The undersigned has a personal experience of how the well known CEOs of ICICI Bank, Axis Bank and PNB have shown absolute incompetence and arrogance in understanding the cyber security risks which have landed some of their customers in trouble when confronted with complaints on Phishing and other frauds. It is only when one or more of such celebrity CEOs find themselves confronting FIRs like Avnish Bajaj, they will realize their true responsibilities. However as the wheels of justice grind slowly, it is possible that these executives may be long retired when law tries to catch up with them. However, if law can catch up with a retired executive like the Coal Secretary Mr Parakh, may be one day law will also catch up with the current CEOs of Banks who are playing with Customer’s lives by adopting a commercially motivated risky banking policies.

It is high time that the Boards of all IT user organizations to start devoting some attention on Cyber Security before it is too late.

Naavi

Also Read:

“Cyber Risk and the board of directors-closing the gap”

New Measures to Mitigate Mobile Banking Risks


13th Anniversary of the Indian “Digital Society Day”

It is 17th October once again. The day is of significance to all Cyber Space watchers in India since it was on this day in the year 2000 India notified the Information Technology Act 2000 (ITA 2000) bringing in legal recognition for digital documents, digital signing and digital contracts.

Unfortunately this anniversary has not been a day to rejoice since there is an increasing feeling that India is fast turning out to be a Cyber Jungle. On the one hand the Government is having no concern for Netizen welfare but is doing everything to misuse the Internet for its own political interests.

The first aspect that strikes us is the continued absence of the Chair Person at the Cyber Appellate Tribunal with Mr Kapil Sibal refusing to appoint a replacement to the previous Chair person who retired on June 30, 2011. It is not as if Mr Sibal is unmindful of the requirement under the responsibilities cast on him as the Union Law Minister trying to defend the UPA ministers and the PM from all the scams that they have been accused of having been indulging in in the last 9 years of their  UPA model of  Governance. The problem is that he wants just one specific person to be appointed as the Chair Person and it appears that the Chief Justice of India is not in agreement with the choice. Mr Sibal is holding his fort and saying “My Choice or No Choice”.

In the bargain the apex judicial authority that has to take the appeals from the adjudicators of all States and Union Territories is remaining closed for business. Victims of Cyber Crimes such as Mr S.Umashankar and several others are waiting for Mr Kapil Sibal to see reason. Recently Karnataka High Court heard a PIL on the delay in the appointment of the Chair Person. However after several months of futile proceedings the Court ended up the proceeding with just a word of advice to the Ministry of Communications and Information Technology that they should complete the process of appointment within a reasonable time. It is unlikely that such a reasonable time will not come before the next Loksabha elections. It is unfortunate that our Judicial System has also failed in this case to respond to the woes of the common men who are suffering because of this lack of Cyber Judiciary in India and gives a long rope to the Government to continue to be in power without working.

To Compound the problem, in a State like Karnataka, the decision of the Adjudicator Mr M.N.Vidyashankar that “no Company can take recourse or No Company can be accused under Sec 43 of ITA 2008” has made most of ITA 2008 in-effective in the State of Karnataka. Since Sec 43 is linked to Section 66, the judicial precedent set by this Adjudicator is that no Cyber Crime under Section 66 can be recognized against a Company or on a Company. This decision got a relief of a possible liability of around Rs 50 lakhs to Axis Bank which is a Government Contractor for the State’s E -Governance department also headed by the same official indicating the possibility of vested interest influence in corrupting the decision. Karnataka High Court again failed when it had an opportunity for correcting the anomaly.

The undersigned has now represented to the Chief Minister of the State to take necessary action to avoid Karnataka being branded as the “Cyber Crime Heaven”.

Under these circumstances, the 13th Anniversary day of ITA 2008 has to go down as one of the most depressing anniversaries since 2000.

We however hope that things would change in 2014 when there would possibly be a change of Government at the center.

It is necessary however to point out that while politicians have their own reasons to play foul, the officials often fail to  resist the politicians and take decisions that should help the society. The plight of the ex-Coal secretary Mr Parakh who remained silent and allowed the scam to take place and is now finding himself in the docks is a reminder to the officials of the IT Ministry that if they think they are honest but remain silent when things are going wrong around them, they may also soon find themselves in the same discomfort as what Mr Parakh is finding himself in today. If they realize that their duty is to the society and not only to their political masters of the day, Indian Citizens/Netizens would be happier.

Naavi


List of Adjudicators in India

As per the Information Technology Act 2000 and the notification there under of 25th March 2003, IT Secretaries of every State and Union Territory in India act as “Adjudicator” of their respective State or Union Territory.

Such Adjudicator has sole jurisdiction for adjudicating on any contravention of ITA 2000/8 and to award compensation to those who might have suffered a loss where the amount involved is less than Rs 5 crores. He will have the powers of a Civil Court but the procedure for adjudication is like conducting an “Enquiry”. It is not bound by the procedures of a Civil Procedure Code.

Most IT Secretaries are reluctant to take on this responsibility and hence avoid admitting their responsibilities. As a result Cyber Crime victims are unable to pursue civil claims.

At present only the Maharashtra Adjudicator Mr Rajesh Agarwal has been active.

In Karnataka one of the previous adjudicators went to the extent of adjudging to the effect that “Let no cyber crime be recognized under ITA 2008 in Karnataka either for civil or for criminal purpose”.  The Chief Minister of the State is unaware that he is ruling a state which is today a “Cyber Crime Haven”. The High Court of Karnataka is also not bothered.  One of the Adjudicators tried to correct the situation with the intervention of the Karnataka Human Rights Commission but got silenced by an order of  the Karnataka High Court. The new Adjudicator of Karnataka is yet to effectively assume responsibility as “Adjudicator”. Naavi.org is taking up the matter with the Chief Minister of the State so that the state can get back to the regime of proper law and order in Cyber Space.

However, since we keep receiving enquiries from all over India regarding what to do when they are confronted with Cyber crimes especially the Bank frauds, a list of Adjudicating officers in India is provided here along with the name and address. Cyber Crime victims may send a complaint to the adjudicator and pursue justice whenever they have suffered a financial loss.

For the general information of all, a copy of an earlier issue of Cyber Laws 4 CXOs is also available for more information.

List of Adjudicators:

Copy of Cyber Laws4 CXO