

Building a Responsible Cyber Society…Since 1998

Cyber Crime observers are well aware of “Nigerian Frauds” where people from Nigeria cheat persons globally on false allurements. Exporters to Nigeria are aware from times immemorial that remittances from Nigeria are unreliable. Bankers refuse to finance exporters for exports to Nigeria.

Now it appears that Hong Kong is also becoming a country like Nigeria where criminals are opening bank accounts to commit frauds on the global netizens.

In one of the cases reported in India, an importer was lured into transferring money due to a Chinese company to an account in Hong Kong which happened to be a fraudulent account.

It is also reported that Hong Kong is trying to develop “Secret Banking” on the Swiss Banking model so that tax evaders and criminals in the world can now switch their Swiss Bank accounts to Hong Kong.

In view of the above if any remittance is sent to a bank in Hong Kong, the remitter may find it very difficult to recover the money through normal legal course.

I therefore urge Reserve Bank of India to send an advisory to all Banks that any remittances to a Bank in Hong Kong should be subjected to a check on the authenticity of the recipient. The receiving Bank must give an undertaking that any customer recipient of a remittance from India is not a criminal and the remittance is not part of money laundering.


Making managements realize the Risk situation

Posted by Vijayashankar Na on March 30, 2013
Posted in Uncategorized | No Comments

I refer to my earlier article on “Risk Appetite” where I had highlighted the fact that many managements are unaware of risks and hence keep on consuming the risks until one day it is too late to correct.

CISOs, by virtue of their exposure to threat environments, may try to keep their managements informed from time to time of the need to undertake “Risk Assessments” and initiate “Risk Mitigation” efforts. But often, in organizations which have low Information Security awareness, the CISO (even if such a designation exists) may not have adequate authority to reach out to the top management. In many organizations there will be only an IT Manager and no CISO. Only if the IT Manager has adequate security exposure does he bring the need for a risk assessment to the notice of the management and initiate some action leading to a risk assessment.

In this context, when the need for Information Security is presented as a “Legal Compliance” mandate, the possibility of the top management understanding the implications is higher. Only if the Chairman is made aware that he may personally go to jail if adequate security is not in place will the Board of Directors call for a presentation from the IT head on the need for creating an Information Security department and proceed further.

The path to Information Security implementation is therefore through the fear of legal consequences. This needs to be communicated to the top management through various means to kick off the IS process.

Even after this, before the top management can agree to an Information Security program, they need to be aware of the compliance requirements and consequences of non compliance. Hence building the “Awareness about Legal aspects of Information Security” often becomes the starting point for Information Security in an organization.

It is for this reason that the undersigned often recommends that the IT department organize an “Awareness Workshop” for top management before even discussing the details of what the Risk Assessment program is, how much it may cost, how long it may take and what benefits the organization may expect.

This “Information Security/Assurance Feasibility Workshop” is one of the services that the undersigned has proposed to help the CISOs break the barriers of communication.

I hope more and more companies will opt for such a workshop which is a low cost investment before they take the decision to proceed further.


How Much is our Risk Appetite?

Posted by Vijayashankar Na on March 29, 2013
Posted in Information Assurance, Uncategorized | 4 Comments

In Information Assurance/Security management we often feel that organizations are not as receptive to emerging threats as we consultants feel they should be. For those of us who follow the incidence of Cyber Threats around the world, there appears to be a minefield of risks in everything we do. If we are recruiting a key employee, we worry whether he is a mole from the competitor. If we receive an email, we suspect it contains a virus. If somebody offers freebies, we think it must carry some embedded risk. In fact we live in a state of constant fear.

On the other hand, when as consultants we approach a corporate which we think should jump at our offer of consultancy for risk assessment and mitigation, we are surprised at the cold reception we may receive. Some managements think that a consultant speaks of risk for his own benefit and fail to see any corresponding benefit which the company may have. Sometimes this doubt stops the very consulting proposal itself and sometimes it goes beyond that into an assessment of the pricing of the consultancy service.

While the consultant feels that he is providing a high-value service which should reasonably be priced at, say, Rs x, the corporate intending to buy the risk assessment service is not so sure about the value of the service and therefore rejects the offer or provides a counter offer which the consultant decides to pass on.

In the bargain the Company continues to bask in the feeling “All is Well” until disaster hits one day to consume the organization in full.

I was recently reading literature on research in psychology where a researcher was testing when a house fly will stop eating. He found that the food which the fly consumes passes through the gullet, where there is a nerve which recognizes how much food has passed through. The desire to consume is itself triggered by another nerve in its legs, so that when these sensors sense food it will start eating, and when the gullet nerve indicates enough is enough, it will stop eating. The researcher continued his experiment by surgically removing the gullet nerve and found that the fly went on consuming food even though it bloated the fly to a level where it could burst. This tendency is also found in ants which serve as storehouses of food and keep bloating, unmindful of the consequences.


Are Our Corporates bursting with risks?

This example is very relevant for Indian Companies when we talk of Information Security risks or ITA 2008 compliance requirements. It appears that the corporates have no means of measuring how much risk they are consuming and maintain an infinite risk appetite. In the field of financial investments the market is more mature, and corporates have some measure of their risk appetite and a sense of how far they can go before they say “Enough is enough” and pull out of their risky investments. Unfortunately, in the field of “Information Risk” managements do not have the same understanding of the risk environment, the threats and vulnerabilities, and therefore fail to take appropriate risk mitigation measures. Even those who have crossed this threshold for various reasons and instituted some kind of risk management measures may also fail to understand the efficacy of “Controls” and be satisfied with “Controls for the sake of audits” rather than “Controls for the sake of security”.

CISOs in every organization therefore have the big task of trying to get the attention of the top management for their field of work, and often find it the most challenging aspect of their job. The problem with many CISOs is that they are good in their security-related knowledge but weak in public relations or communication capabilities.

I therefore suggest that CISOs should consider “Communication Skills” as part of their required skill set and keep enhancing their skills through appropriate training on this facet of management from time to time. This could result in better communication of risk to the top management and ensure that the risk appetite of an organization does not cross the limit of danger.

I invite CISOs to share their views on “What is the risk appetite of my organization?” and share what risk appetite measurement strategies they adopt in their organization.


The power to pardon, which the President of India and the Governors are empowered to exercise under our Constitution, has come up for debate in the context of Sanjay Dutt being convicted by the Supreme Court of India.

A good review of the provisions of the law is available here: http://www.lawteacher.net/administrative-law/essays/power-to-pardon-an-analysis-law-essays.php

For the general information of the public, I am reproducing the two articles of the Constitution that provide powers to the President and the Governor.

Article 72 : Powers of the President:

(1) The President shall have the power to grant pardons, reprieves, respites or remissions of punishment or to suspend, remit or commute the sentence of any person convicted of any offence—

(a) in all cases where the punishment or sentence is by a Court Martial;

(b) in all cases where the punishment or sentence is for an offence against any law relating to a matter to which the executive power of the Union extends;

(c) in all cases where the sentence is a sentence of death.

Article 161 : Power of Governor to grant pardons, etc, and to suspend, remit or commute sentences in certain cases:

The Governor of a State shall have the power to grant pardons, reprieves, respites or remissions of punishment or to suspend, remit or commute the sentence of any person convicted of any offence against any law relating to a matter to which the executive power of the State extends.

However, the orders, if any, are subject to Judicial Review as per the following Supreme Court decisions.

In Swaran Singh v State of U.P. [10], the Governor of U.P. had granted remission of a life sentence awarded to a Minister of the State Legislative Assembly convicted for the offence of murder. The Supreme Court interdicted the Governor’s order and said that it is true that it has no power to touch the order passed by the Governor under Article 161, but if such power has been exercised arbitrarily, mala fide or in absolute disregard of the “finer canons of constitutionalism”, such an order cannot get the approval of law and in such cases, “the judicial hand must be stretched to it.” The Court held the order of the Governor arbitrary and, hence, in need of being interdicted.

In the early case of K.M. Nanavati v State of Bombay [11], the Governor granted a reprieve under Article 161 which was held unconstitutional as it was in conflict with the Supreme Court rules under Article 145.

In the landmark judgment Epuru Sudhakar & Anr vs Govt. Of A.P. & Ors [12], it was held by the Supreme Court that it is a well-settled principle that a limited judicial review of the exercise of clemency powers is available to the Supreme Court and High Courts. The granting of clemency by the President or Governor can be challenged on the following grounds:

The order has been passed without application of mind.

The order is mala fide.

The order has been passed on extraneous or wholly irrelevant considerations.

Relevant material has been kept out of consideration.

The order suffers from arbitrariness.

Now that Mr Sanjay Dutt has said he will not apply for pardon, and Mr Katju insists that he will do so, the issue of whether a third party can apply for pardon will also come up for discussion. In either case a review would be possible if any person, either Mr Subramanya Swamy or Mrs Abha Singh, files a review petition.

We are all aware how the Governors of different States are appointed. The position is occupied by hard-core politicians who sometimes return to politics after a stint as Governor. In such cases, granting them powers to overrule Supreme Court judgements is very, very dangerous. So far the only pardons that have been discussed were remissions of death sentences, converting them into life sentences. This had some logic. But what is being discussed now is whether a prison sentence of 3 years and 6 months should be cancelled. If this is allowed then there would be no respect for any Court judgement, and all the politically strong criminals will be able to get the support of politician Governors and escape punishments given to them by Courts after years of prosecution.

Such pardons will not be of any use to common people since it would only be used by politically powerful persons. Persons like Raja Bhayya or even Kanzimoli (under DMK Government in the State) can never be punished.

The provision of pardon is therefore not to be exercised without a very stringent control mechanism. The best option is to develop a public referendum if a suitable mechanism is in place (possible in the Netizen world). In cases of the Sanjay Dutt type, which are closely related to “National Security”, the State Government alone (in this case Maharashtra) should not have a say. Hence a referendum should be conducted by the same collegium that elects the Indian President, which includes the MLAs/MLCs of all the State Governments, before any executive action is contemplated. Mere advice of the State Cabinet should not be considered acceptable.

Subsequently the decision should be subjected to mandatory review at Supreme Court before the terms of pardon are taken cognizance of.

Hopefully some of these points will be discussed in detail in the coming days.


Naavi has developed a charter of demand on behalf of the Netizens of Bangalore in the context of the forthcoming polls.

Details are available at http://www.aifon.org.in/wp/?p=87

The essential parts of the demand are:

1. Recognize the existence of Netizens as part of the voting Citizens by providing a “Digital ID” to every Netizen of India with which he can participate in e-Governance in a manner that the law of the land will recognize. For this purpose every Citizen who opts for Digital ID should be given a free Digital Signature Certificate as per the provisions of ITA 2008 of the class that enables him to digitally sign e-mails. Higher class of digital certificates if opted for should be subsidized by the Government.

This move will build the basic infrastructure for the Netizens to participate in activities through which they can assert their democratic rights.


2. Recognize the fact that Netizens have their own infrastructural needs and develop a “Netizen Welfare Policy” for the State which incorporates projects that move towards providing a “High Bandwidth Internet Connection” at an affordable cost, just like water and electricity.


3. Recognize the fact that Netizens have their own security needs and develop an effective Cyber Security policy for the State and implementation program towards making Karnataka a “Safe Cyber State”.

During the regime of Mr Yeddyurappa as Chief Minister of the State, a statement was made that measures would be taken to make Karnataka the “Cyber Security Capital” of the world. Towards this, cyber security projects of various kinds, including education, research, software and hardware development etc., were envisaged. The measures included making the Cyber Crime Police more effective and reducing the adverse impact of cyber crimes on society through better security, better prosecution and the provision of Cyber Crime insurance.

This promise remains unfulfilled and needs to be revived.


4. Recognize the fact that during the last two years the Cyber Judicial System in Karnataka has been closed, with the IT Secretary, who is also the Adjudicator of Karnataka and an exclusive judicial authority equivalent to a “Civil Judge”, effectively refusing to discharge his duties as “Adjudicator”. This has made Karnataka the “Most Backward Cyber State of India”.

This needs to be corrected on a priority.


5. Recognize the fact that Netizens have a right similar to “Human Rights”. Protection of Netizen’s right to “Freedom of Expression” and “Privacy” are matters that require urgent attention. Measures are required to be taken at the local level to develop such policies that protect the rights of Netizens without adversely affecting the requirements of the security of the state or the possible misuse of the freedom of expression.

Towards this requirement, a “Netizen Rights Commission” has to be set up at the State level and policies of “Regulated Anonymity” and “Responsible Cyber Expression” are to be implemented.

See also: Details of Regulated Anonymity; Details of Privacy Protected Zone.

6. Recognize that Netizens are also “Consumers in Cyber Space”. In order to adequately recognize the “Consumer Rights of Netizens”, there is a need to expand and introduce an effective implementation mechanism for “E Consumer Protection” through State legislation that covers consumers of mobile services, internet services, cyber cafes etc.

A large number of E Consumers are customers of E Banking, E Stock trading, E Commodity trading etc., where the incidence of fraud is very high and the relative protection is low.

A separate institution should be set up for “E-Financial Consumer Protection” to provide assistance to victims of Cyber Frauds in the financial sector. This will be particularly useful to the Cooperative banking sector which functions under the State regulations more than under the RBI.

7. Recognize the power of “Cyber Education” and extend the “Virtual Education” facility to all students up to X standard across the State by setting up a “Centralized Cyber School” with a pool of the State’s best teachers to contribute content which can be distributed through the internet to remote areas where there is an acute shortage of qualified teachers.

In order to ensure implementation of the above suggestions, to monitor and review developments, and to suggest corrections and new activities, the State should set up a “Standing Committee” under the leadership and with the participation of voluntary organizations such as BPAC.

Most of the above issues have been discussed on naavi.org over a period of time. However, such clarifications as may be required will be placed in future posts.


Let there be the rule of law

Posted by Vijayashankar Na on March 24, 2013
Posted in Cyber Crime  | 1 Comment

It is unfortunate that persons like Justice Katju, Digvijay Singh, Jayaprada and others are speaking of some kind of pardon for Mr Sanjay Dutt, who has been convicted by the Supreme Court of India to undergo imprisonment for possession of illegal arms.

It is necessary for common citizens of India to raise their voice against this open revolt of some celebrities against the rule of law for the sake of one person who has been convicted under law.

If an exception is made for Mr Sanjay Dutt then there is no meaning for the rule of law in the country.

I urge the Supreme Court to issue contempt of court notices to all the persons who are coming out in support of Mr Sanjay Dutt, since they are indirectly asking for negation of the Court’s judgment through an illegal, extra-constitutional process. If this action is not taken then the issue will get politicized and corrupt the integrity of our judicial system.

Additionally, it is also necessary to investigate all supporters of Mr Sanjay Dutt for any possible involvement in terrorist activities.