NSE Co-location Fraud: Is it a Rs 60,000 crore fraud attributable to UPA II?

The NSE Co-location arrangement has been identified as a massive scam, and SEBI has taken the unprecedented step of penalizing NSE and some of its executives. (Refer to the ET article here.)

We refer to our earlier article “Whistle Blower Reveals Information Security Breach and Fraud at NSE” in which the NSE Co-Location Scam was discussed.

Now SEBI has conducted an enquiry and come to the conclusion that NSE failed in its "Due Diligence", which allowed some of the brokers to gain an unfair advantage in trading and could have enabled them to make unfair gains of enormous proportions.

A Copy of the SEBI order is available here. (Copy also here)

The incident is an eye opener to Information Security professionals as it throws up the deficiencies in managing a critical array of systems where the server to which a user logs in, and the relative time of logging in, had a profound impact on the receipt of trading data. Those who had knowledge of the system were able to develop an algorithmic trading pattern which enabled them to make unfair gains.

The scam also exposed the weaknesses of the Audit system in which reputed information security auditors were involved.

The enquiry has also highlighted that there were no laid-down policies and procedures for allocation/mapping of IPs and no SOPs to deal with requests for change of servers.
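As an added illustration of the kind of control the enquiry found missing (this is example code written for this article, not part of SEBI's order or of NSE's systems): a fair-access monitor that replays login records and flags any client that is first to log in to the same dissemination server far more often than random ordering would allow. It assumes a simplified model in which a server serves data to clients in the order they logged in; the log format, the client and server identifiers and the sample records are all constructed for the example.

```python
"""Fair-access monitor for co-located clients (added example, not NSE code).

Assumed model: each dissemination server sends data to clients in login
order, so a client that is persistently the first to log in to a server
enjoys a persistent head start. The monitor groups logins by trading day and
server, counts how often each client was first, compares that with the share
it would get under random ordering, and flags large, repeated deviations.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): "<ISO timestamp> <client> <server>"
SAMPLE_LOG = """\
2013-01-02T09:00:00.010 BRK_A SRV01
2013-01-02T09:00:00.350 BRK_B SRV01
2013-01-02T09:00:00.900 BRK_C SRV01
2013-01-02T09:00:00.200 BRK_D SRV02
2013-01-02T09:00:00.150 BRK_E SRV02
2013-01-02T09:00:00.700 BRK_F SRV02
2013-01-03T09:00:00.005 BRK_A SRV01
2013-01-03T09:00:00.410 BRK_C SRV01
2013-01-03T09:00:00.600 BRK_B SRV01
2013-01-03T09:00:00.300 BRK_F SRV02
2013-01-03T09:00:00.450 BRK_D SRV02
2013-01-03T09:00:00.800 BRK_E SRV02
2013-01-04T09:00:00.020 BRK_A SRV01
2013-01-04T09:00:00.200 BRK_B SRV01
2013-01-04T09:00:00.210 BRK_C SRV01
2013-01-04T09:00:00.100 BRK_D SRV02
2013-01-04T09:00:00.300 BRK_E SRV02
2013-01-04T09:00:00.500 BRK_F SRV02
2013-01-07T09:00:00.008 BRK_A SRV01
2013-01-07T09:00:00.330 BRK_C SRV01
2013-01-07T09:00:00.340 BRK_B SRV01
2013-01-07T09:00:00.090 BRK_E SRV02
2013-01-07T09:00:00.400 BRK_F SRV02
2013-01-07T09:00:00.600 BRK_D SRV02
2013-01-08T09:00:00.012 BRK_A SRV01
2013-01-08T09:00:00.250 BRK_B SRV01
2013-01-08T09:00:00.260 BRK_C SRV01
2013-01-08T09:00:00.110 BRK_F SRV02
2013-01-08T09:00:00.200 BRK_D SRV02
2013-01-08T09:00:00.700 BRK_E SRV02
"""


def parse_log(text):
    """Parse login lines into (timestamp, client, server) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, server = line.split()
        records.append((datetime.fromisoformat(ts), client, server))
    return records


def daily_login_order(records):
    """Group logins by (trading day, server), each sorted by login time."""
    groups = defaultdict(list)
    for ts, client, server in records:
        groups[(ts.date(), server)].append((ts, client))
    return {key: [c for _, c in sorted(v)] for key, v in groups.items()}


def first_login_stats(order):
    """Per (client, server): (days seen, days first, expected firsts).

    Expected firsts is the sum over days of 1/N, where N is the number of
    clients on that server that day, i.e. the fair share under random order.
    """
    days = defaultdict(int)
    firsts = defaultdict(int)
    expected = defaultdict(float)
    for (_day, server), clients in order.items():
        n = len(clients)
        for c in clients:
            days[(c, server)] += 1
            expected[(c, server)] += 1.0 / n
        firsts[(clients[0], server)] += 1
    return {k: (days[k], firsts[k], expected[k]) for k in days}


def flag_persistent_first(stats, min_days=3, ratio=2.0):
    """Return {(client, server): share_of_days_first} for clients that were
    first at least `ratio` times more often than fair, over >= min_days."""
    flagged = {}
    for key, (d, f, e) in stats.items():
        if d >= min_days and f >= ratio * e:
            flagged[key] = f / d
    return flagged


if __name__ == "__main__":
    stats = first_login_stats(daily_login_order(parse_log(SAMPLE_LOG)))
    for (client, server), share in flag_persistent_first(stats).items():
        print(f"REVIEW: {client} was first on {server} on {share:.0%} of days")
```

The threshold is deliberately a ratio against the fair share rather than a fixed percentage, so it remains meaningful whether a server carries three clients or thirty; a flagged pair is a prompt for review of the IP/server allocation records, not proof of wrongdoing on its own.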

The report of SEBI contains complete details which will make delicious reading for information security specialists.

In conclusion, SEBI has stated that though sufficient evidence was not available to conclude that NSE had itself committed a fraud, lack of due diligence was proved and penal action is based on this.

As a penalty, NSE has been disgorged (asked to repay all the unfair profits made) of Rs 624.89 crores, which was the profit made from co-location services in the period 2010-11 to 2013-14.

SEBI has also barred NSE from securities trade for 6 months from the date of the order.

Also, two of the former MDs of NSE have been disgorged 25% of their salaries in the relevant period.

The amount so recovered would be credited to the Investor Protection Fund.

We congratulate SEBI on successfully concluding this complicated investigation and taking penal action.

This incident should be an eye opener to all information security managers of critical systems.

Political Fall out

In India, every major scam in recent times has inevitably been linked with politics. So is this scam.

I would like to draw the attention of readers to the article here.

This article traces the beneficiaries of the fraud to none other than Mr P Chidambaram and Karti Chidambaram. It suggests that the total earnings made unfairly by all the persons involved could be of the order of Rs 60,000 crores. It is difficult for any of us to evaluate the allegations made in this article against Mr P Chidambaram and Karti Chidambaram. But the allegation cannot be ignored and needs further investigation at a different level.

It is not a coincidence that this fraud occurred during the UPA II regime, and it involved very sophisticated financial and technical knowledge in its execution.

It is possible to believe that the MDs of NSE were perhaps victims in the crossfire and were not directly involved in the fraud. In fact the fraud was highly sophisticated and it is reasonable to expect that it was beyond their comprehension levels.

While SEBI could not go beyond the current investigation, it may be necessary for the Government to now continue the investigation from where NSE has left off with a CBI investigation to find the real beneficiaries. CBI may also take the assistance of experts, perhaps from the FBI, who have experience in investigating complicated techno-frauds such as Bitcoin-related frauds and others.

Coming as it does during election time, there should be no attempt to bury this fraud as a simple cyber crime. It deserves to be classified as one more scam of the UPA II era in which the money of the Indian public was looted.

Once again, considering the political implications, we need to appreciate SEBI for the action taken.

Naavi

Posted in Cyber Law | 3 Comments

Social Media Shut Down in Sri Lanka

The security measures that the Sri Lankan Government has initiated in the aftermath of the terrorist attack on 21st April 2019 include a total shutdown of social media in Sri Lanka.

India has also adopted social media shutdowns from time to time in Kashmir, though India will never be able to replicate the strong will of Sri Lanka in such national security matters. Though we have strong expectations from Mr Modi to take care of national security, we still have Congress which supports Pakistan, Terrorism and the Tukde Tukde Gang as part of its election manifesto.

We also have a Supreme Court which obliges the Congress advocates and is prepared to defer cases against congress interests indefinitely to suit the political convenience of the party. In these circumstances the threat of a total social media shut down in India may not be high.

However, in the aftermath of the Sri Lankan incident and the possibility that the strong measures they are initiating in curbing terrorism could push the sleeper cells from there to Kerala, which is a fertile ground for terrorism to grow in India, the next Government is likely to push the stalled amendments to the Intermediary Guidelines.

This will require more self regulation by the social media companies, and if they do not oblige, we may have stringent action against individual social media companies such as WhatsApp or Facebook.

To prevent Government action, I wish that these social media companies start tweaking their services to ensure that their platforms cannot be misused.

I strongly advocate that all these social media companies introduce an option for flagging users with "Identity Verification". As we gradually create an "Identified Social Media Network", the "Anonymous Social Media Network" will shrink in size and can be subjected to stronger controls.

Facebook started this trend during the elections to ensure that "Political Advertising" is restricted to only identified/verified accounts. This should be extended even after the elections so that we reduce the size of the "Anonymous Social Media Network".

Naavi

Posted in Cyber Law | Leave a comment

Book on Personal Data Protection Act of India to be released

Naavi was the author of the first book on Cyber Laws in India when he released “Cyber Laws For Netizens” on December 9, 2000, the day when Information Technology Bill 1999 was introduced in the Parliament.

Now the proposed draft Bill titled "Personal Data Protection Act 2018" was introduced in the last Parliament on the recommendations of the Justice Sri Krishna Committee. This would have been the first dedicated Data Protection legislation in India, and will be so when it is ultimately passed into law.

At present the Bill has lapsed due to the dissolution of the Parliament and will have to be re-introduced in the next Parliament.

There is no reason to think that the Bill will not be re-introduced immediately after the new Parliament comes into existence and becomes a law which may be renamed as “Personal Data Protection Act-2019”.

After the developments in the election scenario in the last two days, it appears that the BJP Government led by Mr Modi is likely to come back. We can therefore expect that the Bill PDPA 2018 will be reintroduced shortly without many changes and will be passed during the current year.

Naavi has already taken the initiative to create an online training program on PDPA 2018.in as it exists now.

As a part of the curriculum support, Naavi is now preparing a Book titled “Personal Data Protection Act” which will be released shortly.

Initially the book will be used as course material for the PDPA training program and will be placed on the E book section thereafter.

Naavi

Posted in Cyber Law | Leave a comment

Pentagon Model of Personal Data Protection

We have been discussing the different aspects of the Personal Data Protection Standard of India (PDPSI). During these several articles, we have discussed the philosophy behind the PDPSI and some of the controls which require a special mention.

In continuation of our exploration of PDPSI, I would like to present the “Pentagon Model of Personal Data Protection” which provides a quick overview of the PDPSI approach.

The model is presented in the picture above. Naavi has earlier adopted the Pyramid Model for Information Security Implementation and a Pentagon Model for Information Security Motivation.

The pyramid model was appropriate for prioritization but the closed polygon model was found more suitable to represent the Information Security Motivation. A similar model appears appropriate for representing the requirements of the Personal Data Protection also.

The difference between the hierarchical model of the pyramid and the closed model of the polygon is that the hierarchical model is meant to be built level by level, while the polygon model would require all wings to be in place simultaneously to close the polygon.

Since “Pentagon” represents security in general, we have adopted the pentagon model and put all requirements identified under PDPSI into the five categories which form the five boundaries of the Personal Data Protection pentagon.

To understand the five elements of the pentagon, let us analyze each of them with reference to our earlier detailed articles.

Element 1: Classification

As we have discussed in detail (Article 1, Article 2), "Data Classification" is the starting point for the exercise and the foundation of a proper construction of Privacy by Design. Data Classification also defines the scope of the compliance exercise, since it maps the Data Protection law to which the compliance needs to be benchmarked.

Element 2: Responsibilities

The responsibilities under PDPSI do not start and end with the DPO. The DPO will remain the pivot around whom the responsibility is shared across the organization, starting from the Board and the Data Protection Committee at the top to "Internal Data Controllers" spread across the organization handling different functional responsibilities. This system of diversified responsibility recognizes the practical problems that a DPO would face in an organization, particularly if it is spread across different functions and different geographical locations. Once the functional management of data and its security are in proximity, the implementation of any policy becomes easier.

Element 3: Tech Controls

Technical controls of Information Security are well researched and there is a lot of knowledge and skill in organizations around the world. These controls, in the form of different hardware and software devices/applications, provide solutions for meeting the CIA aspects of Information Security and the extended concept of accountability, which includes Authentication and Non-Repudiation. Firewalls, IDS, Anti-Virus, Access Control, Encryption, Digital Signatures, version control, Data Leak Prevention systems, Multi-factor authentication systems, DRP/BCP systems, Forensic devices, etc. all form the control tools under this head.

Element 4: Policies

The Policies part of the pentagon represents all the different policy and procedure documents that are required under the data protection laws. The Information Security Policy, Privacy Policy, the Notification, Business Associate Policy, Whistle Blower Policy, Legitimate Interest Policy, Incident Management Policy, Data Disclosure cum Breach Notification Policy, Business Agreement Control Policy, HR recruitment, termination and sanction policies, the BYOD and Hardware/Software purchase policies, the web and email usage policies, documentation policies, etc. are all part of this segment of compliance.

Element 5: Culture

Apart from the Technical and Legal aspects of compliance addressed by the two earlier elements, the "people" aspect, and in particular the "Behavioural Aspects of People" that affect compliance, is an important issue in itself. This may include awareness building and motivation of people to be compliant, along with the incentives and disincentives to ensure that a proper "Data Protection Culture" is built in the organization.

While Classification and Responsibility assignment are essentially a one time exercise (except for changes that need to be accommodated from time to time), the three other segments require continuous monitoring and may also require different skills and knowledge. In large organizations three different experts may be required to address these three issues differently or the DPO should have the multi dimensional expertise.

This model breaks down the PDPSI into 5 elements for easy management. I suppose that this Pentagon Model of Personal Data Protection would provide some clarity to organizing the Data Protection Compliance exercise in an organization.

Naavi


Posted in Cyber Law | Leave a comment

Drawing Borders for the Borderless Cyber Space

"Internet was born free but is found everywhere in Chains" was a statement made by Naavi in 2002. Several articles were showcased discussing the developments at that time, which may make interesting reading even today. I hope for students of the philosophy of Cyber Space, these articles may be interesting.

However, during the last nearly two decades, things have changed in our society. Many of the apprehensions expressed at that time have become true today. The borderless state of the Internet and the anonymity inherent in its design have now given way to cyber crimes of unlimited proportions across the globe, forcing a rethinking of the "Security issues in Internet".

While there is one segment of the law makers who still swear by Privacy and Freedom of Speech over Internet, there is an equally strong lobby who swear by the need for Security. At present laws are trying to balance these requirements though not with complete success.

China started a trend of creating a firewall to segregate Chinese Internet space from the rest through the creation of its own search engine, its own social media etc., making Google and Facebook redundant.

Now Russia seems to have taken a further step by creating a specific law to build a “Cyber Border” for Russia.

The concept of each sovereign country defining its own Cyber Space and legal jurisdiction over it started long back when Cyber Crimes investigations cut across borders. So far attempts have been made to bridge this jurisdictional gap by creating MLATs for Cyber Crimes to address the issue of cross border jurisdiction.

However, it is now reported that Russia is adopting a law to isolate "Runet" from the Internet. Naavi has in recent times veered to the view that there is a need for setting up a "Digitally Identified Network" within the "Internet" which we can call "Internet-S", where S stands for Secure. The idea is that every Netizen of Internet-S is identified by a system as good as a legally recognized digital signature system with the backing of a sovereign Government. In this world, every Netizen's activity is mapped to an identified individual.

The Concept of “Regulated Anonymity” which we have discussed repeatedly in Naavi.org advocates that anonymity and privacy in transactions with others can be protected without sacrificing national security if we can create “Trusted Identity Intermediaries” who issue proxy identities but protect national interest under a proper regulated process.

This concept has now become a legal possibility in India with the proposed PDPA 2018 in the form of Data Fiduciaries, though I am personally not sure if this possibility would be recognized by other Privacy professionals in India and the law makers.

Data Localization requirements under the Indian laws also assert the concept of “Data Sovereignty” through PDPA 2018. (Proposed Personal Data Protection Act)

In the meantime, what has happened in Russia is to be recognized as a significant step of redefining the way Internet functions as a “Federation of Net Societies allied with sovereign Governments in the physical space”.

According to the new law reported to have been adopted by the State Duma, in order to protect the Country from external threats, Russia wants to create a “Sovereign Cyber Space” over which it has complete control. (See Report here)

Some of the key provisions in this law include the introduction of a system that will channel Russian internet traffic through government-controlled routing points as well as granting unlimited powers to Roskomnadzor, which will be able to cut off non-complying internet providers. The country’s telecom watchdog will set up a monitoring center that will detect threats and issue instructions. Roskomnadzor will also create and maintain a national domain name system (DNS).

The new legislation is designed to ensure that online data transfers between Russian citizens, businesses and organizations are executed within the country instead of being routed internationally.

The Runet law is scheduled to enter into force in November this year, with the rules governing Russian domains and cryptographic protection of information expected to be introduced on January 1, 2021.

As could be expected, there is opposition to the proposal, which is accused of being a measure of censorship. The counter argument is very forceful but it is not clear if the opposition would be able to scuttle the law. Most probably Mr Putin would push through this legislation, which will become a forerunner to other countries passing similar laws.

If such a law is brought in India, particularly in the present regime of Mr Modi, there would be an immediate outcry from the opposition. Many of the IS professionals would also feel that this is an extreme step that would curtail the freedom of expression on the Internet and Democracy. Probably they may be right and India would not go to the extent of passing such laws.

But it is necessary for us to recognize that most of the Democratic countries are hypocritical when it comes to their stand on preservation of "Data Sovereignty". Today "Data Localization" has become a norm and most countries try to keep data generated within the country confined to its borders. Where countries agree on cross border data transfers, they impose severe restrictions. Whether they are called Safe Harbour agreements or by any other name, they are like the signing of "Data Transfer Treaties" at corporate level. Every country wants to have its own laws of data protection applied to personal data generated from within its borders, which makes it necessary for data processors to classify personal data in accordance with the privacy protection laws to which it is subject. (Refer PDPSI Classification and Scope Definition articles).

In a way we have already drawn borders in cyberspace by the data protection laws of each country defining norms for protection of data of their citizens and with data localization within their physical borders. What Russia is set to do is a bolder and more transparent way of expressing that the Cyber Space of a country belongs to its sovereign jurisdiction and anybody entering in and out needs to identify themselves and allow being monitored, like a Cyber Passport and Cyber Visa system.

PDPA 2018 (Draft) provides a perfect legal ground to implement some of the provisions of this Russian Law without the need for modifications to ITA 2000/8.

We need to watch how things develop in India in the next decade and whether the Russian approach would be replicated in India also either with a separate law (which is difficult) or with a suitable interpretation of the Data Localization requirements under the current laws.

Naavi

Posted in Cyber Law | 1 Comment

Business Agreement Control-An essential ingredient of PDPSI

This article posted on April 16, 2019 had been deleted in a server crash.

It has now been substituted with a new article here

Naavi

Posted in Cyber Law | Leave a comment