Cyber Security Subsidy for SMEs in UK

After the attack on Sony in the US, Naavi.org had pointed out that there is a need for a Government subsidy for SMEs towards the maintenance of Cyber Security. Now, in a move which supports this view, the UK Government has come up with an innovative scheme to improve Cyber Security investments in SMEs through a system of granting Cyber Security vouchers to cover expenses for hiring experts etc.

Read the article here

The launch of the voucher scheme is part of a package of initiatives designed to increase the resilience of UK businesses to cyber-attacks. The new UK £ one million cyber security innovation vouchers scheme will offer micro, small and medium sized businesses up to £5,000 for specialist advice to boost their cyber security and protect new business ideas and intellectual property.

There is a lesson in this for Indian Digital India managers. We also need a similar scheme to augment the cyber security in the system.

The scheme needs to be innovatively designed and effectively supervised so as to ensure that the funds are used productively.

This could be part of the overall Cyber Security policy of the Government, and needs to be explored further.

Naavi


Why Do we need a Cyber Fraud Prevention Policy?

The Ministry of Information Technology already has a National Cyber Security Policy, adopted in 2013 by the Kapil Sibal ministry and continued by the new Government. The Cyber Security Task Force of NASSCOM-DSCI has tried to take a deeper look at the policy issues involved in the Digital India initiative which may require some changes to the strategic elements of the policy.

The National Cyber Security Policy 2013 identifies the following as a vision statement.

“To Build a secure and resilient cyberspace for citizens, businesses and Government”

The Mission statement proceeds to state as under:

“To Protect Information and Information Infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation”

It may be observed that while the vision statement includes the “security of citizens” as one of the objectives, the mission statement focusses only on “Protection of Information and Information Infrastructure”. Protection of “Citizens” is not found in the mission statement. This is the typical approach to information security which we often call the “Technical Approach”, which fails to recognize that behind every piece of information there are “people”. This approach also fails to recognize that when there is a breach of information security, these information owners get hurt, and hence the information security policy should not forget the protection of these people behind the information as the main objective of any security initiative.

To draw a parallel, if there is a terrorist attack on a building containing people, the security objective of “Secure the Building from collapsing” will be good enough to prevent the people from direct exposure to gun fire but will not be sufficient to prevent a biological warfare in which a lethal gas is aimed at the air vents. The security focus cannot therefore be the building but the people behind the walls of the building.

Similarly the vision and mission statement of a National Cyber Security Policy should consider protection of Citizens as the core focus and cannot stop at protecting the infrastructure which is only a step in the direction.

This is the prime reason why the National Cyber Security Policy as it exists is inadequate to protect the Citizens (who will also be Netizens in this context) and we need a separate policy for protection of the Citizens and Netizens. (Naavi.org has once called them as Cinezens).

Since we already have a National Cyber Security Policy in place, in order to ensure the protection of Citizens and Netizens without needing to scrap this policy, we suggest building additional sub policies within the cyber security policy to protect the people from the vagaries of Cyber Space.

The role of this policy within the overall context is indicated below.

[Figure: cyber_fraud_policy2]

The protection of people from the adverse impact of the developments in Cyber Space consists of two distinct facets. One is the “Financial Impact” and the other is the “Non Financial Impact”. The non financial impact consists of reputation harm that is difficult to convert into monetary terms. All other adverse aspects of Cyber Crimes/Terrorism/warfare that have a financial impact can be brought under one category.

We need a policy exclusively addressing the protection of Citizens from such financial losses. We can have a single policy to address all incidents of financial loss suffered by the Citizens irrespective of whether it is an act of Cyber Crime, Cyber Terrorism or Cyber warfare. This aggregation is required since the end victim cannot distinguish what is a crime committed by an individual for himself or on behalf of a terror outfit or a state actor.

It is this sub policy which we shall call “Cyber Fraud Prevention Policy” and urge the Government to formulate as a part of the Digital India project.

The undersigned has created a local circle to take this discussion further on www.localcircles.com with the title “Save Digital India from Cyber Frauds”. If you have a view on this subject and wish to contribute to the formulation of a draft policy which can be forwarded to the Government, I request you to join the local circle.

Naavi


Save Digital India From Cyber Frauds

We are all Netizens who depend on Internet for our day to day communications as well as transactions. It has been several days since we have visited Banks physically and are happy to transact through Internet and Mobiles. Come to think of it, all our financial assets whether it is our Bank savings or shares, are in the form of digital assets and are controlled through mobile apps.

Ask any Cyber Security expert, he will vouch that Apps are inherently unsafe and so are computers. Targeted phishing, sophisticated trojans created by state actors, spyware created by hacker networks which even the FBI is willing to buy, a well developed underworld where our credit card and ATM card details are available for a price, all threaten every rupee that we hold in the Banks.

Recently, Economic Times carried an article titled “Cyber frauds increased after growth in mobile banking, NEFT and RTGS: Study”. The article referred to a study conducted by ASSOCHAM and stated that Mobile Banking is being used by 2.2 crore account holders out of the 58 crore total bank account holders in India. The mobile banking transactions themselves jumped from Rs 1819 crores in 2011/12 to over Rs 10000 crores in 2014/15. The study also stated that mobile frauds jumped from Rs 10 crores in 2011/12 to around 70 crores in 2014/15. This indicated that while the usage grew by 5 times, the frauds grew faster, by 7 times. In other words, frauds are growing at a rate 40% faster than the usage.

If we consider that the fraud data is under-reported, it is clear that frauds grow at rates faster than the usage. An extrapolation of the ASSOCHAM study indicates that if, in the next decade, the entire Banking system starts using mobile banking, the frauds would grow to around Rs 2100 crores. Our own estimate is that even this is an underestimation.

These frauds only take into account individual cyber crimes. If we consider the possibility of cyber terrorism and cyber warfare, Cyber Risks can create an economic wipe out of our country if we do not realize the risks and take effective counter action.

Does the Government of India, which is set to usher in a “Digital India” for our benefit, know about the risks? We should say that they do know the risks. After all, Mr Modi has made a statement that India should focus on Cyber Security to the extent that we should lead the world in this domain. This was a statement I made more than 10 years back and we can rejoice that at least now, a Prime Minister of India has realized the importance of Cyber Security.

But is it sufficient if we are only thinking of how to build a business in Cyber Security like Israel has done?

The Digital India initiative is set to increase the dependence of the Netizens on Internet for every aspect of our life. Along with this dependency, what is increasing is the Cyber Fraud Risk. Today there are hundreds of frauds that are happening in mobile Banking and Internet banking. Most of them are, however, not reported and the RBI is content in claiming that the losses are not too disconcerting. As the Digital India initiative progresses further, we will have more frauds that will start eroding the wealth of the Indian public. Then one day an attack by a Pakistan terrorist group or Chinese Cyber army will close down all Banks through a cyber attack and Indians will face a situation like the people of Greece, when all ATMs will be empty and no money can be withdrawn. Probably our money will also be siphoned off to fund the terrorists to create more physical damage on our property and people.

In such a scenario, we need to initiate suitable policies at the Government level to tackle the problem of financial frauds through Cyber crimes, cyber terrorism and cyber warfare.

The DOT has a policy on Cyber Security but it does not focus on the “Security of Financial Assets of Netizens”. Recently the DOT came up with a policy on Net Neutrality but not on Netizen safety.

RBI has so far failed in its statutory responsibility to secure the Indian Banking scenario. Mr Raghuram Rajan appears to be completely oblivious to the needs of Secured Banking and cannot look beyond the monetary policies and Inflation control.

We the Netizens therefore need to organize ourselves to bring enough pressure on the Government to focus on Cyber Fraud Control. Naavi.org has been working in this direction for a long, long time and would continue to do so. As another step in this direction, we have created a local circle titled “Save Digital India From Cyber Frauds” and invite all like minded persons to join the forum and express their views so that our combined voice reaches the otherwise hard of hearing administrators.

The link to the local circle is available here.

A request for joining can also be sent to the undersigned so that an invitation can be sent.

Join the forum and help in the development of a draft Cyber Fraud Protection Policy for Netizens in India, which shall be the key deliverable that this special interest group will aim at.

Naavi


Dendroid malware writer arrested

In yet another instance of a “Deviant mind” inside an otherwise brilliant security professional, a 20-year-old security researcher who has worked as an intern in a security company doing research on mobile malware has been arrested for creating a malware himself.

The malware created by Morgan Culbertson, of Pittsburgh, infects Android phones, steals data and takes control of the device. It can stealthily take screenshots, photos, videos and audio recordings from the target phone. The software was sold for $300 in the underground market. The incident came to light with the busting of the online black market identified as “Darkode”.

While one can regret the nature of human tendencies to misapply our capabilities to wrong ends in greed for money, the incident also highlights the need for better psychometric analysis of people who work in security research companies.

More information is available here

Naavi


Reputation damage through Social Media..New Zealand passes new law

“Reputation Damage” is a concern of both Individuals and Companies. The risk of “Reputation Damage” has increased with the growing influence of Internet and more particularly the social media such as Twitter and Facebook. While the core objective of Twitter and Facebook can be considered as providing a neutral platform for communication in the digital society, there are a few other internet based services that operate under a facade of “Free Speech” and build a commercially remunerative business of “Abusive Content”.

India has been a witness to this phenomenon by a glaring example in the TV media. Mr Arnab Goswami, the anchor of Times Now, can be credited with being the creator of this brand of “Abusive Journalism” which has now shown a tendency to corrupt the minds of upcoming young journalists and other channels such as NewsX. On the Internet, sites such as *sucks.com have been there for some time to present a counter point of view against an identified physical entity. Websites such as Mouthshut.com, built on the principle of Consumer protection through information dissemination, have also been present in the Indian social media scene.

While one cannot fault the principle of “Consumer Protection” or “Freedom of Free Speech”, it is only an analysis of how an individual website or a user has used the medium in a given context that determines whether the medium is being used as an instrument of benefit to the society or an instrument of “Profiteering by Abuse”.

“Trolling” or “Flaming” are ways by which the social media is abused to harm the reputation of identified individuals. The differentiation of permitted “Criticism” and “Flaming” or “Trolling” is only in the degree of abuse and choice of words. When somebody crosses the line, then law has to come to the assistance of the victim. This is the basis of “Defamation law”.

The frequent misuse of the defamation law by politicians in India has actually hurt the cause of decency in media by branding “Defamation law” as an instrument of oppression. Recently, clever lawyers convinced the Supreme Court of India that Section 66A of Information Technology Act 2000/8 was against the constitutional provision of free speech and hence should be deleted from the statute. Since even the Judiciary is often carried away with popular sentiments such as “Free Speech” and “Human Rights”, they often err in their judgement as they did in the case of Section 66A where they equated “Abusive, targeted, one to one communication causing annoyance and distress” with “Free speech”. The legal representatives who defended the case for the Government failed to understand and project the purpose of the section. Even they were carried away by the grand talk of “Freedom of Speech”. The result is that there is a perception in some quarters that in India any abuse is tolerable, though there are defamatory laws under IPC which can be invoked in case of need even against misuse of Internet.

Recently, a journalist has pointed out that in a criminal case (Aarushi murder case), the Judge had started writing his judgement convicting the accused, much before the defence even started its arguments. The Section 66A judgement was perhaps similar since the Judges were waiting for passing a judgement to scrap the section even before the petition was filed because they were angry that Police had repeatedly (mis) applied the section to mean that it was meant to address defamation and political criticism on social media.

It has been pointed out in these columns that, in what we call a “Glassdoor Attack”, companies in India have frequently become a subject of abuse and reputational damage by disgruntled employees. This was presented in an earlier article in the context of the need to cover “Reputation Damage” through Cyber Insurance. However, there is a larger need to debate if these principles of “Abusive Journalism” which we see in Times Now TV channel or websites should be considered as equivalents of “Flaming” or “Trolling” and dealt with accordingly.

In New Zealand it appears that a new law called “Harmful Digital Communications Act” has been passed to address such issues. (Refer article here).

The law aims to deter, prevent and mitigate serious emotional distress resulting from digital communications, and to provide victims with “quick and efficient” redress. It includes civil and criminal remedies. The offence can be punished with imprisonment of up to 2 years and a fine of up to Pounds 21000 for individuals and 85000 for companies. The law applies to “Intermediaries” also.

In India, Section 79 of ITA 2000/8 makes an intermediary liable for any offence committed with content handled by them unless they can prove “Due Diligence”. Such due diligence could become a subject matter of interpretation in a Court of law and may involve the debates of free speech etc. However, the victim has every right to seek a remedy. Indian law also has “Extra territorial jurisdiction” and hence can be applied to websites operating from outside India. If, however, there is a problem of justice being denied by Courts in a foreign jurisdiction, the victim can seek the remedy of Courts to block the content from Indian viewers, which results in a revenue loss to the website.

On the part of the websites who want to genuinely support the cause of consumer protection, there is a need to put in practice certain due diligence standards that protect the Companies from unfair reputation damage. The due diligence requirements in such cases include a need to identify the persons who make abusive posts when a demand is made under due process of law. Failure to do so will elevate the media from being a neutral purveyor of information to an active supporter of the cause espoused by the abusing individual and a concomitant responsibility to defend under the freedom of speech provisions of law.

Unfortunately, many of these websites turn arrogant in the belief that they are protected by “Free Speech law” and that any person raising an objection is a votary of Internet censorship, and hence fail to respond to genuine requests for either taking down objectionable content or revealing the identity of the person posting the abusive content. This gives an opportunity even for business competitors to post harmful content solely to hurt the business prospects of an entity. Since these websites do not have any means of identifying the person posting the content, any imposter can easily post content as either an employee or ex-employee or a product user and post abusive reviews.

Now with the passage of the New Zealand law, there is a wake up call to the Intermediaries all over the world that they cannot make “Abuse as a business model”. The days of journalistic clan of Arnab Goswami and his clones in the digital media need to be brought to a logical end.

At the same time, there is a need for industry organizations such as ASSOCHAM, FICCI or CII to take up the issue of “Organized Media Abuse” as an industry issue and seek remedies. The “Risk Managers” in the industry need to look at the “Reputation Risk” arising out of such abusive journalism, trolling and flaming and cover it with appropriate cyber insurance. The Cyber Insurance industry on the other hand has to work out a mechanism to mitigate the risk of reputation loss through such abusive journalism and misuse of social media freedom.

Hopefully, the New Zealand law will pave the way for a debate on this issue.

Naavi


Farmer’s Suicides.. lessons for Digital India Managers

The vagaries of weather are a risk that Indian farmers need to manage as part of their life. Those who cannot, face problems in the form of inability to repay farm loans taken from the loan sharks in the village. This has given rise to many farmers committing suicide, reflecting on the Governance aspects of the relevant State Governments. The Central Government is trying to tackle the problem with its own policy on “More Crop for Every Drop” and by encouraging drip irrigation to conserve water and ensure a larger area of irrigation. Today the RBI has also moved in the right direction, reiterating the need for Banks to participate in direct farm lending so that low cost funds become available to the farmers and their dependence on local loan sharks is reduced. In the last few years, the emphasis on farm loans for Banks had been reduced and hence the flow of credit had fallen.

The responses of Modi’s Government and the RBI are pragmatic and could reduce the farmers’ woes. It shows that the Government and RBI are learning lessons from past mistakes and inaction.

It would however be wiser if we can anticipate the adverse impact of a policy on the society and respond pro-actively than reacting to the adverse events after it has taken away precious lives.

Digital India is now calling for similar pragmatism and wisdom from the Government. If the Government has not realized the threat of Cyber Frauds in the increased digitization of the Banking and Governance systems in India, we can only say that the Government is blind. While the Ministry of IT has come up with a report on Net Neutrality, it has not yet come up with any report or policy on “Cyber Frauds”.

In the case of farmers’ suicides, it is the inability to repay the loans, and only those farmers who feel humiliated by being insolvent commit suicide. But Cyber Frauds make a comfortable citizen suddenly turn a pauper when his bank account is wiped out. This is more shocking than the woes of the farmer. If there are any suicides in this class of Cyber Fraud victims, it is unlikely that they will get the same publicity as the farmers’ suicides until a time when thousands of frauds get reported simultaneously.

Let the Government take notice that frauds are happening in hundreds and not all of them get reported. Maybe the losses are in smaller amounts of less than a lakh and hence the victims are somehow absorbing the risks.

The Government on the other hand has done pretty little in this area. In fact it has not been able to put the Cyber Judiciary in place. The Chairperson for the Cyber Appellate Tribunal has not yet been appointed and Adjudicators in States are non-functional. But the DEITY remains unconcerned. Mr Ravi Shankar Prasad remains stoic. Mr Modi in the meantime keeps pushing the Digital India process. This is a recipe for disaster.

I would like to highlight here that any policy change that does not take into account the problems of the society will lead to disaster. It is therefore necessary for the Government of India to address the issue of securing the public against Cyber Fraud losses before it is too late.

It is in this context that Naavi.org demands “Cyber Insurance For All” as a policy of the Government. To us, this is more important than the Net Neutrality debate.

Will the Government wake up?

P.S: If you have not participated in the India Cyber Insurance Survey 2015, it is time you do so now and record your views. You can access the survey form here.

Naavi
