Are We Cyber Ready? Melissa Hathaway Shares Her Concerns

Melissa Hathaway, the Cyber Security expert from the US, was in Bangalore recently and addressed members of the DSCI Bangalore Chapter at NLSUI on 1st October 2015. Melissa was until recently working with US President Obama and was tipped to be appointed as the “Cyber Czar”. She also worked as Director of the Joint Interagency Cyber Task Force during President George Bush's time and brings with her enormous US and international experience in the management of Cyber Security at the Government level. She however left the US Government post and is now working as an independent Cyber Security Consultant.

During her presentation, Ms Melissa traced in detail how, in the emerging Digital World, people are connected with one another and with machines, machines are connected with other machines, and people and machines are connected with the house and the environment, and the security issues emerging therefrom.

Speaking on the privacy issues, she raised a pertinent point that the risk to individual privacy from private sector enterprises such as Google is much more than from the Government agencies.

While hinting that National Security should get the priority in designing the IT infrastructure, she raised a question on whether all the connectivity we are thinking of in the IOT concept is at all necessary.

Another important point she made is to question the manufacturers of appliances on whether the electro mechanical engineers who design the new systems and freely put in IP devices to monitor the activity of the machine understand the “Risks” inherent in such connectivity.

She concluded her interesting and authoritative presentation with a very pertinent question which was not specific to India but was nevertheless relevant. The question was “Are we Cyber Ready”?

The talk was followed by a Q&A session in which, as usual, solutions were discussed in the form of how to build awareness among the masses on Cyber Risks, what should be the responsibility of the Telecom companies, whether the legal system is resilient, whether our law enforcement had the requisite knowledge, etc.

The undersigned left a question with Ms Melissa and the audience that while creating awareness of Citizens, Police and Corporate officials  is feasible, the biggest challenge was to create awareness in Judiciary and Top level Bureaucrats because they insulate themselves from attending any training sessions. She agreed that it was a challenge and it does exist in other countries also and strategies need to be found to bridge this lacuna.

Overall, it was a fruitful discussion and the audience felt that it opened new thoughts on security in the context of India entering the Digital India program.


Related Info:

Cyber Readiness index 1.0

Cyber Readiness index 2.0

Cyber Security indices-ITU


Why Cyber Insurance seekers need to do better home work

Naavi has been advocating that companies need to start using Cyber Insurance in India though the current level of awareness as well as the penetration is low.

In these circumstances, the news that BitPay, a Bitcoin processor, could not recover a loss of $1.8 million despite having a Cyber Insurance policy, because its claim was rejected by the Insurance company, is disturbing.

At the same time, the incident highlights how much care is required before a Cyber Insurance policy is purchased. The purchaser should be able to analyze the policy terms in detail and avoid the kind of technical interpretations that were used by the Insurance Company in this case to reject the claim.

The details of the incident as reported in indicate as follows.

BTC Media had obtained a “Commercial Crime Insurance Policy” for $ 1 million from MBIC which stated

“will pay for loss of or damage to ‘money,’ ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’: a. To a person (other than a ‘messenger’) outside those ‘premises’; or b. To a place outside those ‘premises,’”

In December 2014, the company’s CFO was spear-phished and the attacker managed to get hold of his email credentials. These were used to spoof mails to the CEO, and 5000 bitcoins worth $1.8 million were stolen.

The Company filed a claim under the Cyber Insurance policy which was declined for the following reason.

“The Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. ‘Direct’ means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place. The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay’s business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.”

Bitpay has now sued MBIC for breach of contract, bad faith, failure to pay and statutory damages and seeking $950,000 in damages plus court fees.

The litigation is likely to go on for some time and in the meantime the industry will debate whether Cyber Insurance is reliable at all.

MBIC may be technically correct whereas BitPay may feel that MBIC has misrepresented and cheated. The argument could be based on the nature of contract and what is implied and what is not.

The incident highlights one of the points I have been highlighting for a long time and that is that a company obtaining a Cyber Insurance Contract must be able to decipher the policy terms and map them to the risks against which it needs coverage. Any ordinary information security professional would list “Phishing” of credentials of any authorized user as one of the threats that can manifest into a risk and result in losses. He would presume that “Cyber Crime Insurance” will cover this. But being a technical person and not able to understand the terminology used in the contract which distinguishes “Direct” and “What is not Direct” as also “What is a loss” etc., he is unable to find out what the policy is really covering or not. While the CFO or even the legal department is able to understand this part, they may not know the anatomy of all Cyber threats. Thus neither the CFO/Legal team nor the IS team understands the nature of this “Techno Legal Contract”, leading to problems of this nature.

Naavi and his group of professionals who are working on the India Cyber Insurance Survey will find out the views of the professionals in this matter and present it to the public shortly. (If you still want to participate and provide your feedback, rush to

CEOs and CFOs should realize that all Cyber Insurance contracts are considered contracts of utmost faith and it is the responsibility of the proposer to disclose what risks he wants to be covered and ensure that the Insurer has not excluded the risks that he requires to be covered in the policy document. This requires the company to take the advice of a suitable consultant on its behalf, other than the Insurance Company representatives and also the broker, who is more inclined towards the Insurance company than the insured or is not fully conversant with all the legal nuances.

If proper care is taken then the kind of problem that BitPay is now facing should not have arisen.



Brand Ambassador of Digital India Program wins the International Award….

The officials at the Department of Electronics and Information Technology (DeitY) must be congratulating themselves on the excellent work done by their search committee  which found out and recommended  Sri Ankit Fadia to be appointed as the Brand Ambassador for the Digital India Program when they hear that their golden choice won an International award recently in a conference called DEFCON-23. The award was called “Security Charlatan of the year”.

It is great news that  Mr Ankit Fadia the celebrated Brand Ambassador for Digital India appointed on 1st July 2015 under a grand certificate  signed by none other than the then Secretary of the department Mr Ram Sewak Sharma won the coveted global award in the conference.

DEFCON-23 was held in Las Vegas between August 6-9 and I am not sure if any representative from DeitY attended it. But they must be glad to know that this is an annual event widely attended by the community of “Hackers” from around the world and is very popular in the Information Security Community. Perhaps they should plan to attend the next DEFCON conference, which is expected to be held between August 4-7, 2016 at Las Vegas. As custodians of Digital India, it will be a great opportunity for them to identify more Brand Ambassadors for Digital India program.

(P.S: We can for the time being ignore the controversy surrounding the appointment  as to whether it  was done by the Secretary without the knowledge of others in the department and hence was  disowned in a PIB press release in the morning of 29th September 2015. However, by that time Mr Ankit had already published the certificate signed by Mr Ram Sewak Sharma and hence the department was forced to confirm the appointment  in the evening. See details).

The Best Security Charlatan award was won by Ankit Fadia against stiff competition involving 7 global nominations including one more from India namely Rahul Tyagi. The citation is available in the enclosed Video available on Youtube (See minutes 31 onwards.. It is a must watch). The award was given in absentia since Mr Fadia did not attend the conference.

If I stop here, the officials of DeitY will perhaps pat their backs and also hold a grand function in Delhi to honour their newly appointed Brand Ambassador. Because I do not want Mr Ravi Shankar Prasad and Mr Modi to be again facing inconvenient questions from the press, I would like to add the full details of the award.

The award is known as the “Security Charlatan Award” and is given for the “Best Charlatan in the Information Security and Hacking domain” as nominated by a global audience and voted during the conference.

The word “Charlatan” is not a commonly used word and hence we need to look up a dictionary for understanding the meaning.

According to, the word “Charlatan” means

“a person who pretends or claims to have more knowledge or skill than he or she possesses; quack.”

This was surprising for me since I was looking at the “Brand Ambassador” of Digital India and confused how can he be a “Quack” and that too an award winning “Quack”?

Then I made a fresh search in the trusted Google and was horrified to get the meaning as

“A charlatan (also called swindler or mountebank) is a person practicing quackery or some similar confidence trick in order to obtain money, fame or other advantages via some form of pretense or deception.”

I was stunned..What? “also called swindler”?.. I intend taking up this with Mr Sundar Pichai and seek a clarification.

Anyway readers may check their own dictionary and confirm if this word has any different meaning.

If Mr Ankit Fadia is a global award winner for the “Security Charlatan” in the DEFCON conference, it is high time DeitY should check what kind of award their search committee should get for identifying and appointing a “Charlatan” as a “Brand Ambassador”.

Maybe our readers have a recommendation? If so, forward it to Mr Ravi Shankar Prasad.



Lesson to DeitY- Who is a Brand Ambassador?

The DeitY has recently been in the news for its decision to appoint “Brand Ambassadors” for the Digital India Programme.

My previous post on this subject in these columns has suggested that there are moles in DeitY who are trying to derail the Modi Government’s flagship program. Only a proper enquiry by the Government would unravel the persons involved. It may also be worthwhile to read this article in Business World which also highlights the problem of the Modi Government due to dishonest bureaucracy.

Assuming that there was no malicious intention in appointing Brand Ambassadors and if any shortcomings were there, it was only a reflection of lack of awareness or inefficiency or ineptitude of the officials, I will try to provide some of my thoughts on the concept of Brand Ambassadors.

The concept of appointing “Brand Ambassadors” is popular in private sector where a “Celebrity” is used in advertisements and promotional campaigns consistently in such a manner that the “Association” with the brand ambassador’s own personality adds value to the product. For example, Amitab Bachhan is used as a brand ambassador for ICICI Bank and it is working well. Lux has been using many celebrities over a period of time.

When Brand Ambassadors get associated with a Brand, they mutually reinforce the brand values. If the product is new and the ambassador is reputed, the reputation of the ambassador gets rubbed onto the product. If the product already has a strong brand perception, the ambassador may also gain.

Take the case of all friends of Indrani Mukherjee like say Suhail Seth. As long as Indrani Mukherjee was a successful businesswoman, the associated friends also reaped the benefit of association in terms of perception of the outside world. But the moment she got embroiled in controversies, the friends started running for cover. This is the risk of associating a brand with an ambassador who has the potential to fail. Such things happen often when sportsmen are used as brand ambassadors. When the sportsman goes through a lean patch, the image of the product also takes a hit.

There are also stray incidents where the failure of the product hurts the image of the ambassador also. Recently,  when Maggi was pulled up for being not what it claimed to be, both Amitab and Madhuri Dikshit who were the brand ambassadors were questioned for their role in misleading the public. The instance of Mr Dhoni being  hauled to Court is an example of how improper use of the brand ambassador by the brand manager can also cause trouble.

Ideally, the image or personality of the brand ambassador should be in sync with the brand personality of the product. If I am the CEO of a company and want to use the services of a brand personality, I will have to do a thorough background check on the person and be satisfied that his past does not contain any adverse image related issues. Besides, I will also ensure that the possibility of the person’s image being hurt in future is also reasonably non-existent. Otherwise, I may be in the midst of a high stake multi crore publicity extravaganza and suddenly my brand ambassador may be caught in a drunken brawl and arrested. Worse still, he/she may be accused of a crime involving moral turpitude.

The prudence of the Brand management team is to pick the brand ambassador who has an impeccable reputation which gels with the brand personality and is unlikely to be in the wrong end of publicity when his association with the product is being harnessed for the campaigns. If I do not get a proper ambassador who fulfills my criteria, I would rather go without an ambassador for my brand and try to win the consumer’s heart through the product itself.

Now let us apply these principles to the decision of the Ministry in appointing four persons as brand ambassadors to the Digital India project.

Two of these are students who have performed well in IIT JEE. One is working in Samsung USA and the other is Mr Ankit Fadia known more as a “Hacker”. The two students obviously have no baggage. But they also have no great past except as “Topper of IIT JEE”. The third is working in USA and his contribution to India is largely unknown. All these three would get more recognition out of being the brand ambassadors rather than the other way round.

The fourth will on the other  hand come with a lot of baggage and most of it is bad reputation. In fact the possibility of Digital India as a brand losing is more in this case as the other three have little or no potential to damage the brand image of Digital India.

If therefore an evaluation was made objectively, certain negative marks need to be awarded to Mr Ankit Fadia’s choice.

I am also not sure if being a “Topper in IIT JEE” should be a criterion for Digital India. Digital Success globally is often represented by school drop outs since “innovative” persons often feel that the education system as it exists at their time is unable to support their innovative brain. Such people will always be “Ahead of their times” and they can never aspire to work for being an IIT JEE topper. Some IIT toppers may eventually end up as successful CEOs but they may be working for the school drop outs. (Remember the film Three Idiots).

The choice of all the four Brand Ambassadors is therefore considered as not prudent since they cannot provide a positive brand reinforcement to the concept of Digital India and at least one of them has the potential to impose a huge negative reinforcement.

I therefore call upon the department to withdraw the announcement.

Hope the DeitY officials will incorporate the principles indicated above when they choose a Brand Ambassador in future if required.

Perhaps for the Digital India Project, Government may not need a brand ambassador at present. There can however be an alternative approach. Once the project is under implementation, periodically Government can identify persons who have significantly contributed to the project and recognize them for their contribution, for which some criteria need to be developed. Such a person could be considered the “Brand Ambassador for the Year/Month” until replaced by the next. During the interim period his achievements can be publicized and that will be a motivation for others to contribute to the project in subsequent periods. Such persons can be ordinary Netizens, School Teachers, may be some MPs or even Start Ups and Business owners.

(There is a survey which one of the IS professionals has launched in this respect. Readers can access the survey here and respond.)



Are there Trojans in DeitY trying to spoil the Digital India Project?

Ravi Shankar Prasad as the Minister of Communication and Technology occupies a key position in the Modi cabinet. His ministry is also critical to the image of Mr Modi himself who is pushing the Digital India Concept world over.

On the other hand, opposition is very keen that Modi should be portrayed in bad light and one strategy they seem to have hit upon is to work through the DeitY and put spokes in the digital projects that Modi would like to succeed. Mr Ravi Shankar Prasad has been caught in between and he is forced to face the bad publicity generated by the series of blunders committed by the department.

First it was the net neutrality debate, the publication of lakhs of e-mail addresses by TRAI, then it was the Draft Encryption Policy and now the appointment of “Brand Ambassadors” for the Digital India promotion.

The most recent of the decisions which has caught the attention of the public is the announcement on 29th September 2015 that Mr Ankit Fadia was appointed as a Brand Ambassador of the Digital India project on 1st July 2015. Also, PIB first released a press release number 128279 at 03.46 GMT (09.16 IST) denying that any brand ambassador was appointed as reported in the section of press as shown below.


Actually, the press report had emanated because Mr Ankit Fadia himself had posted on his Facebook Timeline the information about the appointment along with a certificate issued by Mr Ram Sewak Sharma, who was the secretary of the department earlier and has now moved over as the TRAI chairman and is due to go into superannuation shortly.


Then surprisingly, there was a clarificatory press release issued at 1800 IST that Mr Ankit Fadia and three others had been appointed as “Brand Ambassadors”.



It is surprising how the department manages to work in this manner again and again as if there are a bunch of school kids managing the department.

Apart from the strange manner in which notifications are issued, retracted and re-issued, it is necessary for the public of the country to understand that these repeated bloomers reflect a gross inefficiency and ineptitude of the departmental officials. They showcase the ignorance of the officials in arriving at decisions which are downright bad.

To this list we may add one more shortly when the President of India would be passing a bill to amend Indian Registration Act in a manner that is not legally feasible under Information Technology Act 2000.

(Ed: This refers to a bill from Karnataka and the department has already been notified by the undersigned that it is ultra-vires ITA 2008 and has to be rejected by the President. But I am not confident that DeitY would act in time to stop the bill and we can discuss this once again as another faux pas involving the President also).

The people of India are worried that  these people in DeitY may be incapable of taking India to the Digital India and implement projects such as Smart Cities, IOT etc.

Let us look at the lack of normal due diligence that is evident in the appointment of Mr Ankit Fadia as the Brand Ambassador. If anybody makes a google search, he would come across a multitude of articles expressing grave doubts about this gentleman’s capability for what he claims, that is as an “Expert Ethical Hacker” and more importantly expressing doubts about his integrity, penchant for making false claims etc. I am not trying to pass a judgement on the gentleman here but would only draw the attention of the citizens of the country to some of the following articles namely

1. Ankit Fadia Revealed – Forbes India

2. Ankit Fadia is Indian

3. Ankit Fadia-India’s Best Fake (Fraud) hacker –

4. Is Ankit Fadia selling Viagra?..Midday

While there are many articles which on the other hand speak about his training programs etc., the information available from the informed Information Security Community indicates that Mr Fadia unfortunately does not seem to enjoy a good reputation.

Further, for somebody who claims to have hacked CHIP magazine (the Editor says this is false) and helped FBI and CBI in cracking international cases (for which no proof seems to be there), the role of a “Brand Ambassador”, where he has to be a “Role Model”, does not suit.

Perhaps the wise men in DeitY may be thinking that we need to bring up the next generation of youngsters on the thought that it is great to be a hacker. I disagree with this view. The future of Digital India should not be built on youngsters who think a “hacker” is a role model.

I reiterate that I am nobody to pass a professional view on Mr Fadia and his capabilities as a Hacker. But I am only looking at the perception that he carries in the professional circles and the perception that his appointment would have with the community.

I request through these columns, Mr Fadia to explain why the perception which the information security professionals seem to hold about him is wrong. We will be glad to publish the same here.

But at the same time we would like DeitY to explain if possible what sort of due diligence they exercised in appointing Mr Fadia as the Brand Ambassador for Digital India, whether the above articles were brought to the notice of Mr Ravi Shankar Prasad and he understood the import of appointing Mr Fadia for this role. Or were these articles hidden from the attention of the Minister and he was kept in the dark about this alternate view present in the market about Mr Fadia.

I am aware that this information can be sought by an RTI but we would like DeitY to disclose the information without the formality of going through an RTI process. We will be glad to publish the clarification that the department may give in this regard.

Assuming that some corrective action would be initiated by the Minister in this regard, we may put aside the issue for the time being.

However, I am deeply concerned that the repeated occurrences of what appear to be impossibly foolish decisions taken by the DeitY indicate that there is some mole in the department who is working solely for the purpose of discrediting Mr Ravi Shankar Prasad and through him Mr Modi. He is acting like a typical “Trojan” or a “Computer Contaminant” who needs to be identified and removed. It is possible that the trojan may not be alone but actually be a group who owe their loyalty to the previous regime.

I call upon Mr Amit Shah to personally investigate the matter and take corrective action as otherwise the fears all of us have about Digital India project ending up in a fiasco may actually manifest.

On our part, as responsible members of the digital society at present, the undersigned as well as a few other professionals have found it necessary to start a “Secure Digital India” initiative and keep alerting the Government on some of the key issues on which attention may be required. We hope sooner or later the Government will realize that it is better to take advice from people who care for the nation rather than those who may be within the department and trying to destabilize the operations.

P.S: My apologies to Mr Ankit Fadia as a person. I have made some of the comments here with a lot of regret. I would have liked to avoid it if it was not for the belief that the administration needs to be toned up and citing his example was necessary for this purpose. I have used his example here more to highlight the lack of due diligence of the department rather than to pass any judgement on his capability. He may have a useful role to play for the success of Digital India project but I doubt if that would be as a “Brand Ambassador”. My friendly advice to him is to recuse himself from being the Brand Ambassador for the Digital India project.



Private Enterprise Reacts positively to support DeitY on Secure Digital India

As Prime Minister Modi concludes his historic visit of the US west Coast aggressively selling the concept of Digital India to the US tech industry, back in India, it is recognized that the Digital India initiatives need to be supported by other support initiatives.

 The Ministry of Communications and Information Technology (MCIT) should be the natural leader in developing this support system. Other ministries including the Education Ministry,  Commerce Ministry, the Law Ministry and the Finance Ministry also have their roles to play. When it comes to security of Digital India, even the Home Ministry needs to provide its support.

At present, Mr Modi is running ahead of others with his ideas and marketing efforts. But others don’t seem to be able to catch up with him. In particular, the bureaucracy appears to be completely confused.

The scenario as it is building up is very much like a management problem that a CEO of a company faces when a major new project is being taken up for implementation and the organization as a whole is not ready for the change.

Some of the recent decisions of the MCIT which are initiated by the DeitY have created a concern among Information Security professionals that DeitY has no clue about the problems of Digital India implementation and its security requirements.

But, instead of remaining arm chair critics, a responsible group of Information Security professionals have decided that they would support the Digital India initiative of the Government with a “Secure Digital India” initiative.

The group has formed a “Special Interest Group” and will collaborate through the Facebook page and try to develop specific documents commenting on the information security aspects of Digital India. It will be a non Government voluntary initiative aimed at working like a “Shadow Cyber Security Expert Group” advising the Government (though unsolicited at this point of time) through the social media on issues relevant to Secure Digital India.

I look forward to your support in this initiative.

