CERT-In Re-issues its order of 4th January 2017

On 4th January 2017, CERT-In had issued an order regarding the reporting of incidents to CERT-In.

The order has now been re-issued along with detailed instructions on other security measures, which will be applicable to all service providers, intermediaries, data centres, body corporates and Government organisations. These directions take effect 60 days from the date of issue of the notification (28th April 2022).

Some of the requirements are as follows.

  1. Shall connect to the Network Time Protocol (NTP) server of NIC or NPL or with NTP servers traceable to these NTP servers for synchronization of clocks.
  2. Mandatorily report cyber incidents within 6 hours and follow the instructions provided if any.
  3. Shall provide a point of contact.
  4. Enable logs of all their ICT systems and maintain them for a rolling period of 180 days and shall be maintained within the Indian jurisdiction.
  5. Shall maintain information of subscribers and customers hiring services for a period of 5 years, including IPs allotted to members, e-mail address and time stamp at the time of onboarding.
  6. Virtual asset service providers shall maintain KYC of their users as per RBI/SEBI norms.
  7. Accurate transaction records shall be maintained.

The type of incidents that need to be reported has also been expanded to include the following.

i. Targeted scanning/probing of critical networks/systems
ii. Compromise of critical systems/information
iii. Unauthorised access of IT systems/data
iv. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
v. Malicious code attacks such as spreading of virus/worm/Trojan/bots/spyware/ransomware/cryptominers
vi. Attack on servers such as Database, Mail and DNS and network devices such as Routers
vii. Identity Theft, spoofing and phishing attacks
viii. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
ix. Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
x. Attacks on Application such as E-Governance, E-Commerce etc.
xi. Data Breach
xii. Data Leak
xiii. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
xiv. Attacks or incident affecting Digital Payment systems
xv. Attacks through Malicious mobile Apps
xvi. Fake mobile Apps
xvii. Unauthorised access to social media accounts
xviii. Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications
xix. Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
xx. Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning

The incidents can be reported to CERT-In via email (incident@cert-in.org.in), Phone (1800-11-4949) and Fax (1800-11-6969).
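To turn the requirements listed above into something a CISO can actually run, here is an added example (written for this page, not part of the CERT-In direction or any official tool) that audits a constructed inventory of log sources against the three measurable obligations: a 6-hour reporting deadline, a rolling 180-day log retention kept within Indian jurisdiction, and clock synchronisation against NIC/NPL-traceable NTP servers. The `LogSource` records, the system names and the NTP host names are constructed placeholders; the real NIC and NPL server names must be taken from those bodies.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=6)   # direction: report within 6 hours of noticing
RETENTION_DAYS = 180                    # direction: rolling 180-day log retention
# Placeholder names (assumption): replace with the NIC/NPL servers, or servers
# whose time is traceable to them, as the direction requires.
APPROVED_NTP = {"ntp.nic.example", "ntp.npl.example"}

SAMPLE_TODAY = date(2022, 6, 27)                                  # constructed audit date
SAMPLE_DETECTION = datetime(2022, 6, 27, 9, 15, tzinfo=IST)      # constructed detection time


@dataclass
class LogSource:
    system: str
    logging_enabled: bool
    archived_days: set[date]        # days for which a log archive exists
    storage_country: str            # ISO 3166 code of where the archives live
    ntp_servers: tuple[str, ...]    # servers the host's clock is synced to


def report_deadline(detected_at: datetime) -> datetime:
    """Latest permissible reporting time, expressed in IST."""
    return (detected_at + REPORTING_WINDOW).astimezone(IST)


def coverage_gaps(archived_days: set[date], today: date) -> list[date]:
    """Days inside the rolling 180-day window that have no archived logs."""
    window = (today - timedelta(days=i) for i in range(RETENTION_DAYS))
    return sorted(d for d in window if d not in archived_days)


def audit(source: LogSource, today: date) -> list[str]:
    """Return one finding per obligation the source fails; empty means compliant."""
    findings: list[str] = []
    if not source.logging_enabled:
        findings.append("logging disabled")
    else:
        gaps = coverage_gaps(source.archived_days, today)
        if gaps:
            findings.append(
                f"{len(gaps)} day(s) without logs in the last {RETENTION_DAYS} days, "
                f"earliest {gaps[0]}"
            )
    if source.storage_country != "IN":
        findings.append(f"logs stored outside Indian jurisdiction ({source.storage_country})")
    if not set(source.ntp_servers) & APPROVED_NTP:
        findings.append("no approved NTP server configured")
    return [f"{source.system}: {f}" for f in findings]


def sample_sources(today: date) -> list[LogSource]:
    """Constructed inventory: one compliant system and three with different failures."""
    full = {today - timedelta(days=i) for i in range(200)}
    missing = {today - timedelta(days=10), today - timedelta(days=40)}
    return [
        LogSource("web-gateway", True, full, "IN", ("ntp.nic.example",)),
        LogSource("hr-portal", True, full - missing, "IN", ("time.corp.example",)),
        LogSource("crm-saas", True, full, "US", ("ntp.npl.example",)),
        LogSource("legacy-fax", False, set(), "IN", ()),
    ]


if __name__ == "__main__":
    for src in sample_sources(SAMPLE_TODAY):
        for line in audit(src, SAMPLE_TODAY) or [f"{src.system}: compliant"]:
            print(line)
    print("report to incident@cert-in.org.in by", report_deadline(SAMPLE_DETECTION).isoformat())
```

The gap check is deliberately about coverage rather than a configured retention number: a retention policy of 180 days is meaningless if the log pipeline silently stopped for a week, and that is the condition an inspector will actually find.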

Given the reluctance of companies to accept any security measures from the Government of India, we can expect a media campaign to oppose the directions.

However, it is good to know that CERT-In has woken up from its slumber and has considered issuing this order. We have to wait and see how seriously the order will be implemented.

From the compliance point of view, CISOs need to take immediate action, as CERT-In also has quasi-judicial powers and can take action, including initiating prosecution for criminal punishment, if the order is ignored.

It may be noted that data breaches of non-personal data and personal data are to be reported to CERT-In and also to the Data Protection Authority to be set up under DPA 2021. Hopefully CERT-In will focus on post-incident action in respect of security, while the Data Protection Authority will focus on punitive action on Data Fiduciaries related to personal data. The timely waking up of CERT-In is therefore significant. The silence of CERT-In for several years had reduced the office to a mere advisory-issuing back office. This perception has to change, and this notification probably signals such a welcome change.

Naavi

Copy of PIB press release


Content Disarming and Reconstruction (CDR) technology for Security

It is well recognized that behind many successful ransomware attacks on an organization there is a simple security failure: an employee clicking an e-mail attachment containing malicious code. Prevention of e-mail-based attacks is therefore one of the important security measures to be taken by any enterprise. Statistics indicate that more than 70% of malicious email payloads are delivered as attachments in PDF and MS Office documents.

Anti-virus software normally works on the principle of scanning a document to identify a known virus signature. This works for known viruses but cannot protect against zero-day attacks. An anti-virus that is not kept updated could also defeat the security and allow intrusion of malicious code.

The sandbox method, where files are processed in a controlled environment until they are cleared as safe, may delay the delivery of incoming files for further processing.

Considering the unacceptable level of risk that arises in a ransomware attack, there is a need to fortify the security of emails to ensure that malicious code in incoming data is identified at source and stopped at the gateway.

CDR (Content Disarming and Reconstruction) technology, also referred to as Threat Extraction or data sanitization, is a technology where a file is deconstructed into separate components such as images, text etc. using the vendor-specified specifications for the document type. The components are then reconstructed leaving out any malicious (non-conforming) content, so that the file is cleaned of any unwanted components that may be a potential source of malicious code. In the process, any executable content in the document also gets removed. The safe content, after removal of the undesirable content, is forwarded to the user, and the original file is held in safe storage to be accessed only if required and only after it is confirmed to be benign, say after a sandbox inspection.

It is expected that CDR technology could introduce certain delays in releasing a file for use, compared with signature-based identification, since it works on “Zero Trust” and inspects every file by deconstruction and reconstruction. But considering the risks associated with ransomware in large corporations, enterprises should be tolerant of some delay in the interest of security.

While CDR technology is expected to provide 99.9% reliability in the removal of malware, there could be some operational issues to contend with when the usability of the incoming file is curtailed. The “Policy Setting” therefore becomes important to ensure that the system remains useful.
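To make the deconstruct, apply-policy, reconstruct cycle concrete, here is an added example written for this page (not code from any of the vendors named here or from the original post). It treats an Office Open XML document as what it is underneath, a ZIP container of named parts, keeps only parts that match an allowlist and parse as well-formed XML, drops anything that carries executable content (VBA projects, ActiveX, embedded OLE objects) or fails to conform, and writes a fresh container whose `[Content_Types].xml` no longer references the removed parts. The allowlist is the “Policy Setting” from the paragraph above; the constructed sample document, the policy thresholds and the function names are assumptions. A production CDR engine would additionally rebuild the relationship parts and re-encode images rather than copying them through.

```python
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

# Policy (assumption): part names that carry or load executable content are never rebuilt.
EXECUTABLE_MARKERS = ("vbaProject.bin", "activeX/", "embeddings/")
# Policy (assumption): media copied through unchanged, by extension only.
SAFE_MEDIA_EXT = (".png", ".jpg", ".jpeg", ".gif")
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def part_allowed(name: str, data: bytes) -> bool:
    """Policy decision for one deconstructed part."""
    if any(marker in name for marker in EXECUTABLE_MARKERS):
        return False
    if name.startswith("word/media/"):
        return name.lower().endswith(SAFE_MEDIA_EXT)
    if name.endswith((".xml", ".rels")):
        try:
            ET.fromstring(data)      # non-conforming XML is dropped, never repaired
            return True
        except ET.ParseError:
            return False
    return False                     # unknown part types are treated as non-conforming


def rewrite_content_types(data: bytes, removed: set[str]) -> bytes:
    """Drop <Override> entries that point at parts the policy removed."""
    root = ET.fromstring(data)
    for override in list(root.findall(f"{{{CT_NS}}}Override")):
        if override.get("PartName", "").lstrip("/") in removed:
            root.remove(override)
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def disarm(original: bytes) -> tuple[bytes, list[str]]:
    """Deconstruct, apply policy, reconstruct. Returns (clean bytes, removed part names).

    The caller keeps `original` in quarantine storage; only the clean bytes go to the user.
    """
    kept: dict[str, bytes] = {}
    removed: list[str] = []
    with zipfile.ZipFile(io.BytesIO(original)) as src:          # deconstruction
        for info in src.infolist():
            data = src.read(info.filename)
            if part_allowed(info.filename, data):
                kept[info.filename] = data
            else:
                removed.append(info.filename)
    if "[Content_Types].xml" in kept:
        kept["[Content_Types].xml"] = rewrite_content_types(kept["[Content_Types].xml"], set(removed))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:  # reconstruction
        for name, data in kept.items():
            dst.writestr(name, data)
    return out.getvalue(), removed


def list_parts(doc: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return sorted(z.namelist())


def read_part(doc: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return z.read(name)


def build_sample_document() -> bytes:
    """Constructed macro-enabled document: text, an image, a VBA project, an OLE object, a broken part."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="png" ContentType="image/png"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '</Types>'
    )
    parts = {
        "[Content_Types].xml": content_types.encode(),
        "_rels/.rels": b'<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>',
        "word/document.xml": b'<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>',
        "word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # stand-in pixel data
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 32,      # OLE header standing in for a macro project
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0",
        "word/broken.xml": b"<w:unclosed>",                             # non-conforming part
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    clean, dropped = disarm(build_sample_document())
    print("removed:", dropped)
    print("kept:", list_parts(clean))
```

Note the design choice that makes this a CDR pass rather than a scanner: no part is inspected for anything malicious. Parts survive only by being on the allowlist and conforming to the format, so an unknown exploit in a malformed XML part or a never-before-seen macro is removed by the same rule as a known one, which is the zero-day property the post attributes to the technique.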

There appear to be many CDR solutions available in the market. While there are solutions like Check Point Harmony that integrate CDR technology into legacy malware security systems, specialized CDR-based malware security providers such as Odix, Glasswall Solutions, Fortinet OPSWAT, Sasa Software etc. are also trying to capture the market.

Some of the service providers may offer “CDR as a Service” and cost-effective solutions for SMEs. Odix from Israel is reported to be one of the solutions that SMBs may be able to afford, particularly if they are working in the Microsoft environment.

It would be good if in future CDR technology becomes affordable to even individuals.

Naavi

P.S.: Comments, additional information and user experiences are invited.


New Dimensions of Privacy… Mental Privacy or Neuro Privacy Rights

While we in India are still procrastinating on the introduction of a law for protecting information privacy, the world seems to be moving ahead into legislating for “Mental Privacy”.

The “Information Privacy” as defined by the Puttaswamy judgement refers to the right of a person to exercise his choice about how his personal information may be collected, used or disclosed by a third party.

Puttaswamy judgement recognizes that “Privacy” is a state of mind and much more than “Right to Spatial Privacy”. But technology developments are opening up new challenges on defining the boundaries of “Privacy”.

While I am not discussing the boundaries from the perspective of how much privacy intrusion should be allowed to Government or Law Enforcement or even Commercial interests, it is time to look at the more basic level of how technology may be threatening the very basics of “Freedom of Thought”.

Firstly, let us look at medical implants which sit inside our body, and watch how our heart is beating or blood sugar is changing etc. Is this “Privacy Invasion”? …of the exempted category where there is a need to protect life, and there is an explicit consent?

If the company owning the implant device, as in the case of all IoT devices, retains the ability to collect data, store it, analyze it and make money out of such analysis, is there a concern about potential misuse of personal data, and possible crimes which may extend to causing the death of the individual?

When sports medics analysed the bowling action of Muttiah Muralidharan, were they intruding on his privacy and gathering evidence which could be incriminating against Mr Muralidharan himself?

…are issues that we are already aware of.

The wearable devices like the smart watches and the Alexa kind of “Always listening” devices also pose substantial privacy risks in the normal sense though “Explicit Consents” could be used to manage them.

In the next level, we are getting into the era of Meta Verse with Virtual presence where the potential for privacy invasion causing mental disturbance is extremely high.

Over and above these developments, the questions now coming up are the “Neuro Intrusions” where probes collect brain wave emissions and collect the subject’s thoughts. Probably in the coming days, the same probes may be capable of sending in messages to alter the brain perceptions and make people hallucinate more realistically than ever before.

Does our present legal system address “Brain Hacking”? This is a question we need to ask ourselves.

ITA 2000 attributes an action of a computer to its owner. This has effectively extended the Act to the field of Artificial Intelligence. The definition of “unauthorized access” is however limited to “Computer Devices”.

A Computer is defined in ITA 2000 as

“any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;”

While the legislative intent has to be limited to treating the devices that we today recognize as computers, mobiles and other binary processing devices, this definition is difficult to extend to the “System” of the “Human Brain”, even though the neuro system also consists of data storage, data transmission, data sensors, data input and output peripherals etc., similar to the computer system we know of.

In India, our Supreme Court can assume any kind of power whether written in the Constitution or not, and this argument was used in the Puttaswamy judgement by one of the judges (Justice Chelameswar). Hence the Supreme Court has the power to read down Section 2(i) to interpret the definition of a computer system as including the human brain, since it also receives and emits electromagnetic impulses.

Every end point of a nerve is like a pixel in a computing device and has an experience which is communicated by the neurons. The software inside the human brain interprets the experience as “Sight” if it comes from the eye or “Sound” if it comes from the ears and “Touch” if it comes from the skin, “Smell” if it comes from the nose and “Taste” if it comes from the tongue and so on. There are APIs inside our body with specific instructions on how to interpret different sensory perceptions.

We may therefore consider that there is a need to discuss whether the interpretation of “Computer” has to be limited to the “Devices” or should be extended to human brain also. If so, our current law, either the ITA 2000 or the upcoming DPA 2021 can be used also to interpret Mental Privacy as the west is trying to interpret.

We may need more discussions on this subject and we shall continue our discussions in due course.

Naavi

Related Article in vidhilegalpolicy.in


The Era of Compliance By Design

We have moved from Security by Design to Privacy By Design. Now it is time to upgrade to Compliance by Design.

Non Compliance of Data Protection law could lead to a penalty of 4% of Global Turnover.

Mitigation of the 4% penalty risk is the objective of the CBD or Compliance by Design strategy.

CBD means compliance to Data Protection law. In India,…. the JPC approved Data Protection Act 2021.

While complacency born out of resistance to change stops us from taking compliance steps, in the hope that the Government will never muster the courage to pass the law, Courts have already started interpreting parts of the proposed bill as “Due Diligence” under the Information Technology Act 2000.

If Courts can uphold Right to Forget before the DPA 2021 is passed, nothing prevents a Court from imposing penalties for non compliance of DPA 2021 as part of ITA 2000.

Let us not wait for somebody to teach us with a penalty. Let us develop our own Code of Practice… to be compliant before we are forced to.

FDPPI, the dada of data protection in India, has organized a one-day seminar on “Compliance View of DPA 2021” at Chennai on April 23rd, 2021, in association with Madras Management Association and in partnership with ISACA, IACC and CySi.

Contact any of these organizations to participate in the program and enrich yourself with the Law, Technology, opportunities and means of compliance embedded in DPA 2021.

Naavi


Say Yes to Compliance By Design..


National Privacy and Data Protection Compliance Movement

India is planning to pass a law on Privacy and Data Protection, and the Bill titled Data Protection Act 2021 (DPA 2021) is pending in Parliament. The Bill originated in 2018 following the Srikrishna Committee report, was later modified as the Personal Data Protection Bill 2019 (PDPB 2019), and a Joint Parliamentary Committee (JPC) has deliberated on it for more than two years, held consultations with many stakeholders and has now revised PDPB 2019. The revised version, now referred to as DPA 2021, is ready for final debate in Parliament and for being passed into law.

Like all laws that have a significant impact on society, DPA 2021 has also been facing opposition from a section of the industry. As a result, the mainstream industry has been presented with a skewed view of the proposed law, which has created uncertainty in the minds of industry professionals on whether the law will be passed and whether it is desirable or not. This has resulted in many organizations delaying the implementation of their compliance programs.

We need to realize that DPA 2021 is a continuation and expansion of the currently applicable law, namely the Information Technology Act 2000 (ITA 2000), and forms part of the “Due Diligence” under Section 43A of ITA 2000. Several Courts have taken cognizance of the Bill and incorporated its provisions in their decisions. Prudent companies therefore think that the time for compliance has already come, and that the time up to the actual passage of the Bill, plus any further implementation time that may be provided therein, is a cushion against being held liable to the penalties envisaged in the Act for non-compliance.

FDPPI (Foundation of Data Protection Professionals in India) is an organization dedicated to the cause of “Data Protection” in India and to building a Data Protection Compliance ecosystem in India. Since 2018, FDPPI has been engaged in outreach programs to build awareness of Privacy and Data Protection concepts, and also in the development of professionals certified in the relevant skills to provide consultancy to organisations and conduct audits of “Data Protection Compliance Management Systems”. FDPPI is today the apex organization in India dedicated to the establishment of a Data Protection compliant environment in India.

During the pandemic times, FDPPI conducted nearly 100 online events on Data Protection regulations and related issues which has already created wide awareness of the forthcoming laws.

As a part of the activities in the post-pandemic scenario, FDPPI is now conducting a series of physical programs in different parts of the country in association with multiple organizations to spread the awareness of the regulation from the compliance perspective.

In this series, FDPPI conducted one program in Bangalore in association with the Indo American Chamber of Commerce (IACC) on 4th March 2022. On April 23rd 2022, FDPPI is conducting a program in Chennai in association with Madras Management Association, ISACA Chennai Chapter, Cyber Society of India and IACC.

During these programs, we discuss the compliance measures that are required to be followed by the industry steering clear of the controversies. The discussions cover the overview of the law as presented in DPA 2021, the Technology and Business Challenges that the law presents, the Professional opportunities created for Data Protection Officers and Data Auditors and also the Compliance framework exclusively designed for compliance of the law.

FDPPI presently has developed a Compliance framework called “Data Protection Compliance Management Standard of India (DPCMS)” which is focussed on the compliance of DPA 2021 incorporating the best principles of other international frameworks. This is an indigenous approach designed to be a Unified Framework for Indian companies to be compliant with all Personal Data Protection laws and includes some aspects of compliance of Non-Personal Data protection which is part of DPA 2021.

The framework includes innovative and globally unique concepts such as “Data Valuation”, “Distributed Implementation Responsibility”, “Generation of Data Trust Score” etc. It is flexible enough to be customized and adopted by different industry segments.

Recognizing the difficulties that arise when one law applies equally to all industries and entities of all sizes, FDPPI is now in the process of developing different “Sector Specific Compliance Codes of Practice” which meet the requirements of the law under Section 50 of DPA 2021. The Data Protection Authority of India (when operative) can approve such codes of practice after due consideration of whether they meet the requirements of the law. This should substantially ease compliance and encourage increased voluntary compliance in the industry. FDPPI has a vision to create tailor-made compliance frameworks for different industry segments with the participation of industry representatives. This is a “First in the World” approach to the customization of data protection law compliance for different sectors and would help in reducing the pain of compliance.

FDPPI, however, is a not-for-profit organization, and its bandwidth to conduct outreach programs in different locations depends on partner organizations. Presently we are working with organizations like IACC and ISACA which have a presence in multiple locations. However, we are looking for other suitable partners interested in associating with FDPPI for this “National Data Protection Compliance Movement”, where we disseminate knowledge, motivate companies to start compliance initiatives and develop sector-specific codes of practice.

Come, let’s together bring about a Data Protection Revolution in the country.
