Let's Build a Responsible Cyber Society




International Conference on Cyber Security in India

Nov 29-30, 2008

A Brief Report on the Recommendations


An international conference on Cyber Security was held at New Delhi on November 29th and Nov 30th organized by the World Council of Corporate Governance and Institute of Directors. After the debate a set of recommendations were developed on behalf of the participants.. The recommendations (which will be shared with the Government) along with some rationale for the same are provided herewith for general information.  ...Naavi


Regional Cooperation

1. It is recommended that India should take the lead in developing a Cyber Crime Cooperation pact between counties in this region on a priority basis.

2. It is recommended that the Cyber Crime cooperation pact should in due course be ratified as a Mutual Assistance Treaty along with harmonization of Cyber Laws.

Rationale: The need for international cooperation in tracking down perpetrators of Cyber Crimes is well understood. India is also deliberating joining the EU treaty and other International treaties. One of the reasons why this may be taking time is because of the difference in laws of these countries. While these efforts may continue, an effort to bring the regional countries together is considered a step in the required direction. Since India is the largest country in the region it is well placed to take the role of a facilitator for regional cooperation in Cyber Crime investigations. This will also help in knowledge sharing to improve the investigation skills as well as forensic practices.

National Cyber Law Enforcement Agency

3. In order to effectively deal with concerns and challenges of Cyber Space, inter state Police cooperation and effective use of trained manpower through a longer career, it is recommended that a national set up for Cyber Crime policing is recommended.

Rationale: Cyber Crime investigations require not only cooperation between different countries but also between cyber crime police personnel in India. Further most of the Police personnel get trained in Cyber Crime investigations and before their expertise is fully available for the department their term in the Cyber Crime division often comes to a close. In order to provide long term career options for trained Cyber Crime Police and to provide a federal set up for investigation within a country, it is considered necessary to have a national cadre of Cyber Crime Police.

Capacity Building

4. It is recommended that capacity building initiatives are initiated on a large scale covering Legal, Judicial and Enforcement authorities on all aspects of Cyber Law, Cyber Crimes and Enforcement Challenges.

Rationale: The present set of law enforcement officers as well as the prosecutors and judicial officers need to be trained so that the complexities of technology crimes as well as the Evidentiary and  the forensic requirements are properly understood by the entire law enforcement machinery. This is required to be achieved on a large scale with the creation of at least 5 or 6 cyber crime police stations in each State. In the event amendments to ITA 2000 are approved, the expertise needs to be built up in every Police Station. This huge task needs to be addressed in a systematic manner by an army of instructors under a special training schedule. The task is beyond the routine training capacity of the current system with the Police and Judiciary and a special programme needs to be drawn up for the purpose if necessary with the assistance of private sector.

Monitoring of Illegal Financial Transactions in Cyber Space

5. Cyber Space is being used increasingly for Money Laundering and other illegal purposes. It is recommended that a suitable Cyber monitoring/regulatory mechanism for money transfer through non-banking channel using cyber space be set up urgently to contain the problem.

Rationale: In order to effectively tackle the menace of Cyber Crimes, it is felt necessary that the Cyber Crime economy is dismantled by choking avenues of transfer of crime proceeds. It is estimated that nearly 60% of the crime fund transfers are affected using non Banking financial intermediaries. Hence apart from tightening up the Anti Money Laundering control mechanism in Banks, a separate plan of action needs to be drawn up for monitoring the fund transfers through non banking sources.

Corporate Accountability

6. It is recommended that Corporate should designate Compliance officers to ensure mandatory data protection/preservation in private sector

Rationale: In order to ensure that information security loopholes in the private sector are plugged and that the private sector effectively shares sensitive Cyber Crime related information with the Police, there is a need to build accountability in the corporate circles through designated persons who may also be the liaison persons for cooperation.  Simultaneously, a good data protection legislation that ensures that any data shared by the private sector with the Police is not mis handled by the Police will be required to provide confidence to the private sector that any sharing of data with the law enforcement shall not result in damage to their own interests.

Cyber Ethics

7. Awareness building and education program among net users on cyber ethics is expected to help young ignorant cyber space users who are vulnerable to the risks in Cyber Space. It is recommended that this should be part of regular education at all levels.

Rationale: In order to build a "Security Culture" in the society, it is considered essential to ensure that employees of all organizations as well as youngsters in schools and colleges are well aware of the dangers of Cyber Crimes and adopt an ethical approach to use  IT with responsibility and ethical commitment. A suitable educational input is therefore considered necessary at different level of education and in the employment place.

Cyber Crime Insurance

8. Although large corporations and financial institutions can protect themselves from losses arising out of Cyber Crimes through various means, a majority of the vulnerable sections of population have no protection against Cyber Crimes. It is recommended that the Government may take the lead in building a Cyber Crime insurance infrastructure covering development of best security practices, development of security tools and coverage of losses arising out of cyber crimes to the insured.

Rationale: In order to incentivize use of secure measures of handling information, and to provide security for IT users, it is considered necessary and beneficial to develop a Cyber Crime insurance system. Such a system will ensure that proper security standards are developed, proper security tools are available, users are suitably educated and in return provide a certain risk coverage. In respect of vulnerable sections such as rural users of e-Governance applications,  Government can even provide free insurance. Banks can be made to insure losses to customers on account of frauds and users may also be able to take their own insurance if they hold valuable information in their systems.

Indigenous Security Standards

9. It is recommended that Indigenous Information Security standards be developed to suit the requirements of SMEs and different user segments in India.

Rationale:  In order to provide affordable and appropriate security standards for different segments of users and the SMEs, it is considered necessary that indigenous information security standards are developed as a substitute for expensive standards such as ISO 27001. Small segments such as Medical Transcription units, LPOs, Cooperative Banks, Online Brokers etc require such standards. If such standards are already available in the indigenous market, the same may be adopted.

ISP Cooperation

10. It is recommended that ISPs are mandated to introduce appropriate mechanisms to filter SPAM and Malicious e-mails and to maintain transaction logs for a reasonable period.

11. It is recommended that ISPs are mandated for filtering illegal web content.

Rationale: The role of ISPs including the mobile service providers in cracking Cyber Crimes is well known. Currently the intermediaries are not taking enough steps to reduce SPAM and distribution of malicious viruses even when they are notified.  Substantial reduction of crimes can be achieved if ISPs institute appropriate filtering mechanisms. Similarly, malicious websites containing illegal content proliferate on the web and ISPs need to be forced to take steps to prevent their facilities from being mis used. Simultaneously there is a need to mandate a minimum of 3 year term for holding activity logs by ISPs which serve as evidences in case of Cyber Crimes. Since these measures reduce the profitability of the ISP operations, they will not be implemented unless mandated in law.

Cyber Security Knowledge Base

12. It is recommended that the Cyber Security knowledge base maintained by CERT-IN is expanded to ensure greater public awareness about Cyber Crimes.

Rationale: Presently, CERT-IN is the organization that is entrusted with the responsibility of maintaining a cyber security knowledge base and ensure its availability to the public.  Since the resources available to CERT-IN is limited there is a need to supplement the work of CERT-IN regarding public education through other means.

Technology Neutrality and IP Assurance

13. It is recommended that in order to ensure greater participation of the private sector in national security initiatives of the Government, appropriate measures are initiated regarding Technology neutrality and IP assurance  in Public Private partnerships.

Rationale: Successful development of a national cyber security plan requires the assistance of private sector participation. There is however a reluctance by the private sector to share knowledge because of a fear of losing IP. Some times their participation is also affected since projects are allocated on the basis of specific technologies instead of the end goals. A re look at the system to enable more private participation is therefore considered necessary.

Research Support

14. It is recommended that  Government should earmark resources to encourage research and development towards development of indigenous security software in collaboration with Indian security product companies.

Rationale: Adequate Cyber Security raises issues of the risks in use of proprietary hardware and software.  Unless open source software, escrowing of codes as well as indigenous production of Chips and software are encouraged, it is difficult to achieve self dependency in securing our systems.

National Cyber Security Command

15. It is recommended that in order to coordinate all activities under a national security programme, a "National Cyber Security Command" on the lines of the US Cyber Command be considered as an umbrella organization.

Rationale: Last year US has created a separate defense command called "Cyber Command" to focus on the national cyber security. In India also such a set up is required for securing the national cyber space. Unlike the physical space where borders can be clearly identified and army can guard it, cyber space borders are difficult to identify. Every computer connected to Internet represents a cyber space border post. Hence securing the national cyber space requires integration of the efforts of the defense forces, cyber crime police, private sector infromation security efforts and an individuals security of his desktop/laptop. An umbrella organization is therefore considred necessary for Unified command.

National Cyber Security Advisory Group

16. It is recommended that in order to continuously advise the  Government on all issues related to Cyber Security, a "National Cyber Security Advisory Group" with public private participation is recommended to be set up as a professional advisory body.

Rationale: Since  the development of national cyber security is a complicated and a long drawn process, there is a need for  continuous guidance to the Government and other agencies involved so that the convergence of efforts of different organizations is ensured. This requires a Core Advisory Group such as a "National Cyber Security Advisory Group" constituted with professionals from different segments of Information Security industry and stakeholders. A set up like TRAI with some advisory powers is considered desirable though the process can be started with an informal group of professionals identified for the purpose.


November 30 2008

Related Article: 5 key Steps to National Security


Download the Print Copy