Building a Responsible Cyber Society…Since 1998

Impersonation of “Naavi” sighted

Posted by Vijayashankar Na on May 28, 2015
Posted in Cyber Law

Since the publication of this post and an email sent to the founders of Naavi.co, a response, quoted below, has been received from Mr Bates, promoter of Naavi.co.
Naavi has been the promoter of www.lookalikes.in which promotes the concept of “Let’s learn to Co-exist”. We therefore are not against somebody using a similar name as long as the differentiation is acknowledged and the activity is not likely to cause any damage.
On our part, we are publishing this disclaimer to remove any unintended displeasure caused to the promoters of naavi.co and consider this potential dispute as sorted out amicably.
Readers may observe that we have preferred to publish this disclaimer rather than remove the post altogether, since recording the counter view in this form is better than complete removal for dispelling any misconceptions created by the original post.
We will also add the disclaimer to the lookalikes.in notification for naavi.org.
9th June, 2015

Hi Vijayashankar,
Thanks for your email, and we’re very sorry about the confusion regarding the name Naavi.
Our business primarily operates in Australia and we own the trademark for the name ‘Naavi’ in Australia. Because your trademark is localised to India it does not apply to us.
We ask you to take the post off your website that suggests we are impersonating your name.
Please let us know if you have any other concerns.
Michael & Blake
Naavi Founders

It has come to the notice of Naavi.org that two individuals in Australia have registered a domain name “Naavi.co” and are attempting to promote a blog and other educational products in the name of Naavi.

A preliminary notice has been sent to the promoters for necessary corrective action, failing which necessary action through legal means would be initiated.

In the meantime we would like to inform all the visitors of Naavi.org that we do not have any relation with Naavi.co or any of its declared promoters, Naavi Pty.co or the individuals Mr Blake Seufert and Michael Bates who declare themselves as the Co-Founders of Naavi.co.


It is reported that NASSCOM and DSCI have set up a Cyber Security Task Force with representatives from industry and academia to identify key priorities and build a detailed action plan. The task force is expected to study the Indian Cyber Security ecosystem to identify the issues and challenges. The Chairman of NASSCOM states that the efforts will be to “bring together the stakeholders from across the board”.

(Refer report here)

The initiative is welcome.

However, it has been noticed earlier that the approach of NASSCOM, led by technology specialists, often fails to address Cyber Security from a holistic perspective. The end result of most such initiatives led by business leaders is to identify and pursue the business opportunities that arise out of them, and any benefits that society may achieve become incidental. The interest of the end consumers is not always kept in mind by such initiatives.

One example which we can quote here for those who have great faith in such industry-led committees is the attempt made by some Bankers who were part of the G Gopalakrishna Working Group (GGWG) of RBI, which was meant to address the Information Security requirements in E Banking, to influence the committee into taking decisions which were anti-consumer and in violation of the law of the land. It was only through the efforts of a vigilant Naavi.org and an understanding Chair Person that the attempt was thwarted.

It is therefore anticipated that even this NASSCOM-DSCI Cyber Security Task Force runs the risk of such motivated manipulations, which need to be guarded against.

It is necessary for the task force to recognize that “Cyber Security is not achieved only by a set of technology tools such as an Anti Virus package, Firewall or an IDS system but includes the Cyber Law environment and the management of the behaviour of human resources”. In other words, it is necessary to recognize that Cyber Security is a three-dimensional exercise involving technology, law and behavioural science.

I am confident that the task force will do adequate work as regards the technical aspects of security. However, I am more or less certain that the task force will fail to have a holistic view of the Cyber Security ecosystem that includes laws that affect technology and behavioural aspects of ICT users.

To be a comprehensive approach, the task force report should incorporate the Cyber Law requirements to support issues such as Cyber Warfare, Cyber Terrorism, Organized international Cyber Crime syndicates, Privacy Issues, Anonymity and Pseudonymity, Addiction of Internet users to Social media, Effects of Video Gaming, Pornography, the issues of Social Engineering and the ubiquitous presence of Mobiles.

The attempt of technologists would be to drive technology use without fully covering the risks. When the technology person himself looks at the security, there is an inherent conflict of interest and the final outcome always leans towards what increases revenue and profitability. The risks which make consumers lose money are never the focus of such task forces.

I would like to draw the attention of the Chairpersons of NASSCOM and DSCI to the above apprehension and request them to take appropriate steps.


Naavi.org has been highlighting the fact that banks are conducting “Unsafe Banking” in pursuance of “Profit before Customer Service” and pushing Customers into greater and greater risks.

RBI has, through the 2001 guidelines on Internet Banking and again through the Information security guidelines (GGWG) in 2011, mandated that Banks need to ensure proper cyber security and also cover themselves with Cyber Insurance. However, Banks have not upgraded their security but are going for higher and higher levels of untested technology.

The Adjudicator of Maharashtra had provided several awards in favour of the customers and Bankers were very much dissatisfied. Eventually, the Adjudicating officer was transferred.

Simultaneously the Karnataka Adjudication system has been kept closed since the IT secretary is not interested.

As of now the entire system of Adjudication across the country has been paralyzed.

It is also well known that probably it is the influence of the Banks that the post of the Cyber Appellate Tribunal (CAT) remains unfilled for four years.

Cases which are already before CAT are in a limbo.

Now it is learnt that all the affected Banks in Mumbai are considering challenging the decision of the Adjudicator of Maharashtra in High Courts. From the recent verdict of a High Court in Bangalore we know that any lower court verdict can be turned upside down if necessary even using a faulty calculator to add. Banks have the resources which can work wonders with our system.

It is therefore necessary for Netizens and public spirited lawyers to be vigilant and ensure that Courts do not take decisions which go against cyber crime victims under the influences that banks can mount on them. Consumer protection organisations also need to step in now to see that injustice is not done to bank fraud victims.

In any such litigation, RBI must also be made a party to clarify its stand on “Security in Banking system”.

I wish the media would also turn its attention to this class action by Banks against their own customers to cheat them of their hard earned savings in pursuance of the greed for more profits by Banks.



Banks Brushing Data Security Issues under the carpet

Posted by Vijayashankar Na on May 18, 2015
Posted in Cyber Law

“The general culture in our bank is to brush data security breach and loopholes under the carpet” says one of the senior executives of a leading Bank, according to this article in Midday.

Mumbaikars beware! Your bank details are being stolen and sold!

It is well known that Cyber Security has been subordinated by Bankers today to profits and RBI has been looking the other way. Highlighting one of the vulnerabilities in the security protocols which became public a few months back (the SSL V3 exploit), the article explains how many of the Banks’ own executives admit that the Banks have been deliberately neglecting security and “brushing the problem under the carpet”.

This should be an eye opener for RBI to tighten up its regulatory measures so that Indian Banking system is not a victim of greed of bankers to make profits at the cost of security.


Any Questions on Cyber Law? Download this App from Google App Store and Ask


The undersigned has been undertaking several measures from time to time towards spreading awareness of Cyber Laws in the country. In a bid to further the mission of “Cyber Law Awareness For Everyone”, Naavi has launched a mobile App called “Cyber Law Guru”.

The app, which is presently on the Android platform, enables any person to post a query, and an attempt will be made to provide feedback to the best of our ability.

Initially, Naavi will be providing the answers but in due course it is intended that a panel of experts will be answering the queries.

The purpose of this App is only to “Educate” and “Create a better awareness” and not to provide any consultancy.

The app can be downloaded from the Google App Store and here:



We hope that the app would be found useful.

The app is presently on extended testing and any constructive feedback is welcome. The feedback can be sent to Naavi.



Has RBI really woken up from its slumber?

Posted by Vijayashankar Na on May 16, 2015
Posted in Cyber Law

Mr Raghuram Rajan, Governor of RBI sprang a surprise during the press interaction on 14th May following the Board meeting at Goa, by hinting at setting up of a subsidiary to meet the Cyber Security requirements of the sector.

This in fact is great news for the sector and we hope that the idea is taken forward in the right direction.

Our own perception about the tenure of Mr Raghuram Rajan has been that so far he has been focussing more on the monetary policies and is actually neglecting the “Banking Regulation” aspect. This is the first time that RBI under Rajan has expressed a recognition of the fact that “Cyber Crime Risks” are a concern.

The undersigned has repeatedly pointed out that RBI does not walk the talk when it comes to its policies on Cyber security. There are the Internet Banking guidelines of June 2001, which mandated Cyber Crime insurance which Banks never implemented. There is the April 2011 guideline following the G Gopalakrishna Working Group committee report, implementation of which is also lagging behind. The Damodaran Committee report was sidelined and not notified. Many guidelines on ATM security have remained unimplemented. RBI has never proceeded with suitable penal action which would have instilled a greater sense of responsibility in Banks. The undersigned has personal experience of how RBI ignored taking action against ICICI Bank, PNB, SBI and AXIS Bank, which were in the forefront of bullying the Internet customers who had suffered losses on account of Cyber Security failures.

At the same time, even before securing the more than decade old Internet Banking system, Bankers have been able to push advanced cyber Banking products such as Social Media Banking. Mobile Banking itself has moved into the second generation “App based Banking” which will revolutionize the way people use the Banking system. Recently we had a lot of legal controversies surrounding App Based Taxi services. Similar issues may arise in future if RBI does not handle the App Based Banking regulations properly.

There is no doubt that technology will make a lot of difference to Banking. In the recent press interaction, Rajan repeated the words which have been part of my presentation slides for a long time that “Banking no longer belongs to Bankers. It belongs to Technologists”, the words of wisdom first uttered by Mr A.T. Panner Selvam, previously my senior colleague in Indian Overseas Bank, who later on went on to become the Chairman of other Banks.

But the undersigned has also repeatedly pointed out that any innovation in technology cannot be at the cost of “Security” of banking transactions using Bank customers as Guinea Pigs. The mandate for RBI is to manage the Indian Banking system with the core beneficiary being the “Customer”, who is the “Purpose” of Banking as Mahatma Gandhi put it.

In this connection, the undersigned suggested that RBI should make Cyber Insurance mandatory when the new Banking licenses were considered, since the new generation banks are likely to have a larger stake in technology and therefore greater technology risks. Of course RBI ignored such suggestions and did not even make a mention of Cyber Security as part of Bank licensing criteria.

So far, the perception of the undersigned (which I hope is not correct) is that RBI is subordinating its regulatory responsibilities to the commercial interests pushed through by IBA. It is for this reason that some Banks are pushing technology that is not compliant with law and exposes customers to greater fraud risks. If Mr G Gopalakrishna the former ED had not been vigilant, some of the Banks which were members of the working group headed by him would have pushed through certain suggestions which were bad in law.

During some of my interactions with RBI through RTI applications, I have even been told that RBI does not collect fraud data which can distinguish Phishing type of frauds from loan frauds. A recent RTI has given at least some information on the number of Cyber Crimes, though there is no consistency with the figures of similar nature revealed by the IT Minister in the Parliament. The Cyber Crime metrics in the banking industry are still unreliable and are a big hindrance to the development of the Cyber Crime Insurance industry.

I hope all these apprehensions are things of the past and RBI has now recognized the need for a change of heart and recognized the need to address Cyber Security as a core issue. We therefore warmly welcome the development suggesting that there could be a focus on Cyber Security through a separate IT division.

The exact shape this suggestion will take needs to be watched.

We know that there is already an institution such as IDRBT under direct control of RBI with reasonable expertise in technology and a significant contribution to the Indian Banking system and its technology developments. Will the new idea be an extension of IDRBT? Or will there be a new Subsidiary? Or will there be a new division of RBI? These are some of the issues to be decided.

It is necessary that whatever be the status, the focus has to be on “Information Security” and not limited to “Information Technology”.

Presently the division of RBI which supervises payment settlement system has been providing enough impetus to technology through its own policy formulations often ignoring the security concerns. It will continue to promote IT and no new division is required for this purpose.

There is also a “Risk Monitoring” Department which does some good work on protecting consumer interests, though a little away from the technology aspects.

It would therefore be appropriate for RBI to consider a separate division or subsidiary which is called “Information Security” division/subsidiary. This division can also set information security standards for the financial sector and also work as CERT for the industry. Such a division can work closely with Cyber Insurers and develop actuarial data to help the industry to develop affordable cyber crime insurance products both for the industry and the individuals.

Also, if the entity is an external subsidiary, how will it be managed? What will be the representation of RBI on the board vis-à-vis the commercial Banks? These are issues to be settled.

I have suggested in the past the creation of a fund for Cyber Crime loss reimbursement out of the KYC fines imposed from time to time. Such projects can be integrated with the Cyber Crime insurance and the activities of Information Security of the proposed department. In such a case multiple divisions of RBI may have to be represented in the activities of this new division/subsidiary.

Presently, the IT initiatives of RBI are often dictated by ICICI Bank and SBI. These Banks, in pursuance of their commercial objectives, tend to relegate Information Security to “What is Commercially Feasible”. Some vendors also wield enormous influence in the decisions. We apprehend that there will be an attempt by these vested interests to take over this new “Cyber Security” entity and ensure that it will also dovetail with the commercial interests.

Mr Raghuram Rajan who appears to be dependent on his other colleagues on the subject of Information Security, should ensure that he is not misguided by vested interests in implementing these new Cyber Security initiatives.

I request all Information Security professionals to keep track of the developments in this regard and raise red flags when required.