It is “Alias Amar” Vs Anvar and the winner is …..Section 65B

It was way back on 17th October 2000 that ITA 2000 was notified and along with it the Indian Evidence Act 1872 got amended with several new sections being added to address the issue of Electronic Evidence. One such issue was the “Admissibility of Electronic Evidence”, for which a certain procedure was introduced under Section 65B, a new section that was introduced into the Act along with Section 65A.

Since then there has been a lot of confusion in the traditional legal circles as well as the Judiciary on how the section should be applied in actual practice.

The First Case where Section 65B certificate was used

The undersigned was the first person in India to have submitted a Section 65B evidence in a Court which was admitted and used to convict the accused to a sentence of 5 years. It was the case of The Government of Tamil Nadu Vs Suhas Katti in the AMM Court, Egmore, Chennai which was decided in 2004. (Refer www.ceac.in for more information and a copy of the judgement).

The essence of the case was that an offence had been committed by the accused in the form of publishing of an electronic document on groups.yahoo.com. A message appeared there which was posted by the accused and involved some content which could be considered as “obscene” under Section 67 of ITA 2000. However there was no way we could have sent a police party to the USA and seized the electronic evidence in the form of the hard disk in the possession of Yahoo. But it was not necessary since Section 65B was available for us and a print out of what was seen by me sitting in Chennai could be considered “also as a document” without the need for production of the “Original”. The Judge therefore continued the trial with a print out certified by me and pronounced the judgement. The defense raised the issue that I was not a Government appointed expert but the Court felt that that was not necessary. These were all very important judicial principles that the Judge of this Court actually enunciated though he was an unsung hero and nobody praised him for his vision. (I hope somebody traces this Judge and honours him even now).

Many judges even today call that hard disk in the Yahoo server the “Original Evidence” and anything else including a print out “Secondary” evidence. This is the first myth that we need to break. In electronic documents there is no “original” electronic document that can be brought into the Court and handed over to the Judge. Only a “Container” can be handed over.

Secondly, many legal experts including some judges consider that if a Section 65B certificate is required to be submitted for an electronic document that is lying in the Yahoo server, it has to be signed by the administrator of Yahoo. This is the second myth we need to break. A Section 65B certificate is a certificate provided by an observer of an electronic document that he “experienced” the effect of the electronic document and affirms it through the certificate and the attached set of documents in print or electronic copies.

I have explained this a number of times but it is still necessary to repeat it when required.

Now even after the law came into being in 2000 and the Suhas Katti judgement came in 2004, being a judgement of a small Court, lawyers failed to recognize the meaning of the judgement and the explanations that we have been giving ever since, including in the books that I have authored.

Section 65B under Supreme Court Radar

When the Supreme Court first addressed the issue in the Afzan Guru case, (Navjot Sandhu @Afzan Guru judgement dated 4/8/2005) some people took note since it was the decision of the Supreme Court. In this case the debate was that when the person who could have provided the Section 65B certificate himself is present in the Court and deposes on the electronic document, then there is no need for Section 65B certificate. Hence some of the CDs produced in that case which were also affirmed by the witnesses were accepted as evidence and the decision was taken.

Then came the celebrated three member judgement in the case of Anvar P.V. Vs P.K. Basheer (discussed in detail at Naavi.org) which declared that the Afzan Guru judgement was wrong and that it is mandatory that a Section 65B certificate be produced for admissibility of all electronic evidence.

Subsequently a notification was issued by the Government under Section 79A regarding possible notification of agencies as “Digital Evidence Examiners” which created further confusion in the legal circles. Again Naavi.org explained its views in several articles on the role of Digital Evidence Examiners and how this is different from the Section 65B certificates provided at the time of admissibility. (See the articles: The Role of “Notified Digital Evidence Examiners”; Clarification on Section 65B… Who should sign the Certificate?; More Clarification on Section 65B Certification… For Forensic Labs)

In all these discussions, including after the Basheer case judgement, the classification of evidence as “Primary” and “Secondary” continued to prevail and cloud the decisions of the legal fraternity.

We have repeatedly held that in the case of Electronic Documents, the discussion of Primary and Secondary is superfluous and will lead to contradictions. Contrary to the views of many in the legal and Judicial circles, a “Hard Disk” seized from a computer is not a “Primary” document; it is only a “Container” of electronic documents. Similarly, even a CD is not a “Primary Electronic Document” but only a “Container of Electronic Documents”.

A Container of electronic documents contains many electronic documents, and just as Police may seize a box from an accused’s house that contains, say, some tools of crime along with other things, a CD or a hard disk is a “Box of electronic documents” and one or more of them is what we recognize as the “Evidence” that is required for judicial examination.

Now in the case of Suhas Katti such an electronic document was one of the messages appearing on groups.yahoo.com amidst lakhs of other messages. This message appeared to a viewer as “Text” and the meaning assigned to the “Text” leads us to the conclusion that it is “Obscene” or “Defamatory” etc. That is, the viewer “Experiences” a text document which is rendered before him in a browser application running on the Windows operating system.

If the document was an image we would have seen an image. If it was audio, we would have heard it.

The computer monitor is the device which makes the human being read a text document, a speaker gives out the sound that a human being hears and the combination of the monitor and speaker gives an experience of the video.

Though the experiences are different, behind the experience, the electronic document is a “String of binary characters” and nothing else. Hence all electronic documents are “Binary Documents”.

On the hard disk they may appear as magnetic orientations of individual cells. In the CD they may appear as depressions and flat surfaces (Pits and lands).

The electronic document is always an “Experience” of an observer when he renders the binary expression using one or more devices which we call computers, operating systems, applications, monitors, speakers etc.

It is this experience which the Judge wants the Section 65B certifier to bring to the attention of the Court with his confirmation that the experience is “reliable” and a judicial verdict can be based on it. Without such a certificate the judge cannot see the electronic document, and if he views it on a computer then it will be his experience that becomes evidence and the Judge himself becomes a witness.

It is for this reason that Section 65B expects that some human being who can be relied upon should say that “When I opened this document using a certain process, this is what I saw or heard”. Such a certifier is the person who experiences the electronic document, and it is not always necessary for the admin of the hosting company to provide the certificate.

Such a certification is mandatory and has been mandatory since 17th October 2000 and not just because the Supreme Court pronounced its judgement in the Basheer case.

Sonu@Amar Case

If we look at the Sonu@Amar appeal in the Supreme Court, the argument was that the electronic documents relied upon were not certified under Section 65B and hence were technically invalid. The appellant therefore sought that his conviction for abduction and murder should be set aside.

There is no doubt that the Supreme Court went into a detailed debate on what happens when evidence is technically imperfect and a decision has already been arrived at, etc.

But what we need to take note of is that this judgement has graciously acknowledged that sometimes the superior Court cannot go back in time and correct things and has to take a view on the issue within the limitations that are presented. For example, if an innocent person has been sentenced and is later to be released, we can regret the effect of wrongful confinement but the Court cannot return the lost time.

The Court therefore finally decided that the appeal has to be rejected and in turn implied that at the appeal stage it is not necessary to re-open past cases where there has been no Section 65B certificate.

This does not mean that in future the Courts would show a similar concession if the Certificate is not obtained.

Hence the legal community should not now jump to either conclude that they can file uncertified documents and seek pardon later or start filing appeals for reversing earlier convictions where electronic evidence has not been properly certified under Section 65B.

The Court may however be at liberty to question the genuineness of any document in the interest of proper justice being done if evidence has been manipulated and such manipulated evidence has been used to arrive at wrong judgements in the lower Court.

The Basheer judgement therefore was not recommended to be applied retrospectively, though the first press reports, as normally happens, were focussed more on the lines of thought discussed by the Judges in the judgement and gave an impression as if all the previous cases involving uncertified electronic documents would be annulled.

Fortunately, no such thing is happening though in future Courts will not take it kindly if the Certificate is omitted.

This is the lesson we need to draw from this Sonu@Amar judgement. It does not condone non-submission of the certificate, nor does it reverse the earlier Anvar Vs Basheer judgement, nor does it call for a review of all earlier cases. It upholds the earlier judgement unequivocally and for practical reasons applies it only in a prospective sense.

It is also to be noted that in the case of Section 65B, the law was not created by the judgement of either the Afsan Guru case or the Basheer case or this new Sonu@Amar case. The law was created with the notification of ITA 2000 and all the Courts are only trying to understand it and give their views when there is a need to apply it in any specific judgement.

If people think that the law exists only when it is expressed by the Supreme Court, they can wait for every aspect of the opinion expressed above to be brought out in some judgement in future. I am sure it will happen, but it will happen in bits and pieces and will take a long time. In the meantime we may come to wrong inferences, which we should avoid if possible.

I am sure that the debate may still continue… I invite comments on the above and would be glad to clarify.

Naavi

Posted in Cyber Law

Deletion of CCTV footage could be an offence under Section 65/66 of ITA 2008 and Section 204 of IPC

In recent days, we have heard of many instances where CCTV footage has gone missing in important criminal investigations. This frustrates the investigations and can completely destroy the case.

Deletion of CCTV footage has been alleged in the case of the complaint filed by a Police officer in Karnataka against the privileged treatment meted out to some inmates of the Parappana Agrahara jail in Bangalore.

Though many of the CCTV clips are circulating in the media, the persons who were supposed to have collected and preserved the footage appear to have lost it.

Similarly, in the Sunanda Pushkar case, the management of Leela Palace hotel apparently switched off the CCTVs just prior to the alleged murder (this could also be an excuse) and the footage which should have shown who visited her earlier has been deleted. Additionally, the mobile and the laptop also seem to have been cleaned out of any incriminating information.

Similarly, in the case of the unnatural death of an IAS officer, Mr D.K. Ravi, again in Karnataka, Police took custody of a storage device from a CCTV camera at the residence of the officer and returned it after two days saying that the tapes had no recording.

In all these cases, it is doubtful if the Courts would be naive enough to believe that the CCTVs were smart enough to stop working or go silent at the precise time when they could have provided evidence of what could be a murder or a high profile offence.

The persons responsible in all the three cases mentioned above are none other than the Police officers or Jail authorities, who are supposed to know the law and uphold it, rather than ignorant computer operators who did not know what they were deleting.

It is important to note that the Information Technology Act 2000 (ITA 2000) had actually anticipated such possibilities and included Section 65 precisely for this purpose.

Section 65 of ITA 2000/8 states:

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network,

when the computer source code is required to be kept or maintained by law for the time being in force,

shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Explanation –

For the purposes of this section, “Computer Source Code” means the listing of programmes, Computer Commands, Design and layout and programme analysis of computer resource in any form.

I am aware that some observers of Cyber Law might not have noticed this possibility that Section 65 can be used for deletion of evidence.

They may hold a view that Section 65 is not applicable in the case of CCTV footage either because CCTV footage is not “Computer Source Code” or that the footage was not “required to be maintained under law for the time being”.

But a “Techno Legal Interpretation” of Section 65 indicates that Section 65 can be applied to such cases for the following reasons.

1. It is not difficult to accept that the CCTV recording (assuming that it was present at one point of time and vanished later) was an electronic document that was deleted.

This electronic document was recognized as evidence in a potential criminal offence and hence should have been treated as “Evidence” that should have been retained and submitted to the Court or the investigating officer.

Its deletion was therefore a contravention of both Section 65 of ITA 2000/8 and Section 204 of IPC.

For applying Section 204, it is enough if the deleted electronic document was “Evidence”.

For the deletion to be covered under Section 65, we may also have to examine if the electronic document can be considered as a “Computer Source Code” as defined under this section.

2. Generally, the word “Computer Source Code” is understood as

“any binary string which triggers a computing device to alter its state of activity”

In this incident, the binary code which human beings may call as “Video Recording” is read by a computer, which human beings may call as a “Video Player” and the computer later instructs the screen to show some pixel transformations that human beings may call as a “Display of video”.

The video recording therefore is nothing but the “Computer Source Code” which Section 65 has referred to.

It is therefore clear that deletion of CCTV footage is a punishable offence under Section 204 of IPC (punishable with 2 years imprisonment) and under Section 65 of ITA 2000/8 (punishable with 3 years of imprisonment).

Additionally, the action may also invoke Section 43(i) and 43(j) of ITA 2008, which provide for civil damages to be claimed by any person who suffers damage as a result of such action. Since Section 43 is linked to Section 66, the action would also become a criminal offence for which the punishment is imprisonment of up to 3 years.

Offences under both Section 65 and Section 66 are cognizable, though bailable.

If the deletion has been done by the computer operator under the instructions of his bosses or political directions, the persons who gave such instructions would become “accomplices”.

In the event the affected Police Officer in the case of the Parappana Agrahara incident is eventually suspended or dismissed from service etc. and thereby suffers a financial loss resulting from the deletion of the CCTV footage, the affected person can invoke Adjudication (followed by appeal in a Court if required). It is not clear if there is any civil damage in the case of the other two incidents, namely the Sunanda Pushkar or D K Ravi case.

The discussion here is for academic purposes and to show how strong ITA 2000/8 is if it is properly interpreted. We are fully aware that since in all the above cases the deletion can only be traced to law enforcement persons, the possibility of any action being initiated thereon is improbable and hence the above theory may never be tested, at least in these three cases.

If however the CBI takes up the case or somebody like Mr Subramanya Swamy takes note, they may bring up the issue before the Courts and we may have an interesting debate.

Naavi

Posted in Cyber Law

Can Criminal cases be revisited if Sec 65B certificate is absent?

In what can be considered a serious concern for criminal cases where decisions have already been taken based on electronic evidence without a Sec 65B certificate, the Supreme Court has debated the issue of challenge to Electronic Evidence at the appeal stage if a Section 65B certificate was not adduced.

The following judgement of 18th July 2017 may be referred.

Sonu@Amar Vs State of Haryana (Supreme Court of India, 18/7/2017)

We will discuss this in detail shortly in a separate article.

However this could affect a very large number of decisions already taken and appeals may be made on the ground that the electronic evidence was not certified earlier.

In our opinion such appeals will not be sustainable.

We will elaborate the effect of this Judgement in our humble opinion in subsequent articles.

Naavi

Download Copy of Judgement

P.S: On detailed reading of the judgement, the title of this article has been modified and incidental corrections have been made.


Posted in Cyber Law

CERT-FIN… the proposed Security Czar for BFSI sector

We have discussed some aspects of the organizational structure for the proposed CERT-Fin in our previous article (See here)

Let’s now see some of the other aspects of the report on which public comments can be submitted up to July 31, 2017.

The scope of activities of the CERT-FIN will be defined by MOUs that will be signed between CERT-In and the CERT-FIN as well as between CERT-FIN and its sub-sectoral CERTs such as CERT-RBI, CERT-SEBI, CERT-IRDAI, CERT-PFRDA etc.

Presently the functions of CERT-In are defined under ITA 2008, and similar obligations and powers need to be bestowed on the sectoral CERTs with some oversight responsibility being retained with CERT-In.

The Core Mission of the CERT-Fin would be to provide support to the stakeholder organizations in identifying Cyber threats and Vulnerabilities so that the Cyber Risks can be mitigated. This can be achieved by dissemination of threat information, collected from global sources and out of its own research, to the stakeholders on a real time basis.

Simultaneously, there could be regulatory responsibilities which may include providing directions to the stakeholders on security matters and pulling them up if required.

The statutory powers vested with CERT-In cannot be transferred to the sectoral CERTs including CERT-Fin, and at best these CERTs may be allowed to make recommendations to CERT-In for regulatory sanctions on an erring stakeholder.

According to the report, the following are listed as the activities of the CERT-FIN:

1) Analysis of financial sector cyber incidents and reporting the incidents to CERT-In, including

i) Collection, analysis & dissemination of information on cyber incidents.
ii) Forecast and alerts on cyber security incidents.
iii) Emergency measures on cyber security incidents.
iv) Coordination for cyber incident response activities.
v) Issue guidelines, advisories, vulnerability and white papers relating to information security.
vi) Monitor sectoral efforts in the financial sector towards maintaining a dynamic and modern cyber security architecture, developing awareness amongst regulated entities and the public in general.
vii) Such other functions relating to cyber security in the financial sector as may be prescribed.

2) Create Awareness on security issues through its website and 24X7 incident response helpdesk

3) Provide Incident Prevention and Response Services and Security Quality Management Services

4) Offer policy suggestions for strengthening financial sector cyber security to all stakeholders including regulators/Government

5) Conduct workshops for employees of the sector and public if necessary through public-private partnership

6) Provide seamless integration for information dissemination to other nodal agencies using standard protocols.

7) Develop its own research capability to identify threat information which essentially means that it should maintain its own Honey-Pot, SOC and ability to collect, process and value add on threat intelligence.

8) Facilitate quality training and certification programs including online programs in the cyber security area, develop manpower and expertise in Cyber Security product development and Cyber operations etc.

9) Collaborate with academic institutions such as IITs and IISc to chart out the long term plan for Cyber Security infrastructure  in the Indian context.

10) Develop Critical manpower infrastructure to improve employability of youth at the bottom of the pyramid by designing proper courses.

11) Identify “Protected Systems” in the sector (under Section 70 of ITA 2008)

12) Develop an international Interface with tie ups with various financial CERTs operating internationally to adopt international best practices in its functioning.

13) Standing Technical sub committee to be established to ensure collaboration with TEL-CERT (New CERT for the telecom sector) for continuous flow of information

14) Coordinate efforts at rendering the Financial Infrastructure secure through efforts including Cyber Risk Insurance.

The report suggests that apart from placing the report in public domain for comments, workshops can be held with all stakeholders and scholars specialized in the area of Cyber Security, leading academic and technology institutions for feedback.

The proposed scope of activities for the CERT-Fin is fairly comprehensive and completely welcome.

However, keeping in mind our previous observations on the merit of a “Unified Command” for better Cyber Security management, and the need to prevent the Cyber Security functions from being subsumed within the functional responsibilities of the individual regulators (thereby subordinating the security objectives to other functional objectives), it is essential that most of the above responsibilities be kept with CERT-In itself.

If CERT-Fin tries to become a complete CERT in itself, including international interface, management of an SOC for the industry, research through Honey-Pots etc., its core competence, which is liaising with the industry stakeholders, may go underutilized. There will be needless duplication of effort and degradation of the objectives.

It is therefore suggested that CERT-FIN should act as an accessory to CERT-In, focusing on those objectives of CERT-In which the report itself lists among the CERT-FIN responsibilities, rather than doing all of it on its own.

What this could mean is to re-invent CERT-In itself as a Section 8 company and enrol representatives of each of the Financial Sector regulators into its Governing body, create CEOs for each sector with appropriate domain expertise and run the entire operations of CERT-FIN as an integral part of CERT-In outside the direct control of the individual regulators. This new CERT-In should report directly to the PMO and share intelligence space with the Police and Military since Cyber issues are part of any Cyber Terrorism or Cyber war strategies in the current days.

The working group has failed to underscore the risk of “Imported Hardware and Software” used in the IT infrastructure and the need for quick indigenisation.

The “Research” is therefore also required on “Unraveling the hidden code” in hardware and software that is embedded in our devices and analyzing them from the security perspective.

It must be recalled here as a matter of caution that the last time an attempt was made to have “Security Certification for Telecom Equipment”, a committee headed by the IISc director and having representation of the CERT-In director was formed. However, the operations were sponsored by none other than a leading Chinese Telecom equipment supplier, indicating a complete absence of security precaution to avoid conflict situations.

We should not make a similar mistake now, and the core operations of CERT-In should be funded directly from the budget by Parliament, carved out as part of the National defense expenditure.

CERT-FIN may raise funding from its stakeholders and use it for its outreach activities such as education etc. and reduce the burden on the exchequer. However, any funding or sponsorship of the core activities of CERT-In or any other CERT organization by the stakeholders themselves is not a good idea and should be revisited.

P.S: The above comments are meant to stimulate further thought among the public so that they can provide their own feedback on the working group report. I hope it would be useful for this purpose.

It is made clear that the observations are not meant in any way to undermine the great effort that has gone into the preparation of this report, and the effort deserves a high degree of praise.

I will be forwarding these thoughts also as my observations on the report. I urge readers to also send their observations without fail.

We appreciate the public consultation effort and ensure that it becomes useful to the decision makers so that this practice continues.

Instead of remaining silent and later coming up with criticisms, it is necessary for the Civil Society to respond now, even if some of the early reactions can be wrong for lack of adequate research.

Naavi

Posted in Cyber Law

Proposed CERT for Financial Sector (CERT-FIN)… Will it create an efficient organization?

The Working Group under the Chairmanship of the Director General of CERT-IN, constituted to study and submit recommendations on the setting up of a Computer Emergency Response Team (CERT) exclusively for the Financial Sector in India covering Banks, the Fintech Industry, the BFSI sector, the Stock Market Sector, the Pension Fund sector etc., has submitted its report and sought comments from the stakeholders including the Public before 31st of July 2017. The comments can be sent by email to surjith.k@nic.in or sent by hard copy to Shri Surjith Karthikeyan, Deputy Director (FSDC), Department of Economic Affairs, Ministry of Finance, Room No 269, North Block, New Delhi 110001.

A Copy of the report along with the press note is available here.

A brief discussion of the report with immediate comments is available below.

Organization:

1. CERT-FIN will be set up as a Section 8 Company with financial contributions from the industry. It will be guided by an “Advisory Board” for providing strategic direction as well as for reviewing its performance and for allocation of budget/resources.
2. There will also be a Governing body with nominees of shareholding institutions.
3. RBI will act as a “Lead Regulator” for setting up CERT-Fin.
4. CERT-Fin will be acting as a “Sectoral CERT” for the Financial Services industry and will be an umbrella organization for the industry.
5. Additionally, “Sub Sectoral CERTs” may be set up for sub sectors within each of the regulators such as RBI, SEBI, IRDAI and PFRDA.
6. CERT-FIN itself will be working under a contractual arrangement with CERT-In and in turn have contractual arrangements with other sub sectoral CERTs.
7. CERT-Fin will be jointly funded by all financial sector regulators.

Comments 1 (Organization of CERT-FIN):

The suggested set up indicates that where today there is one CERT in the form of CERT-In, there will now be a total of five or six organizations called “CERTs” just for covering one sector, namely the Financial sector.

Further, a precedent is being set that each regulator will have its own CERT which will function as if it is a department of the regulator.

The suggested set up, apart from proliferating the number of entities, will create issues in inter-CERT information sharing, of the kind the intelligence agencies at the Central and State level sometimes face.

It appears that each regulator wants to keep control of the players in its domain. In other words, IRDAI does not want to share security incident information in, say, an Insurance Company with RBI, and SEBI does not want to share security incident information with PFRDA, and so on. Each regulator is protecting its turf.

Further, the CERT-Fin will be a figure-head which will be governed by a Board of Directors and directed by two super management bodies, firstly a “Governing Body” and secondly an “Advisory Body”.

Under the Companies Act, any body that can set guidelines for the Board and control its budget is considered ultra vires the Companies Act, since the Board has to be supreme. Legal debate may therefore be necessary for the Advisory Body to be what it is suggested to be.

The entire set up is a recipe for inefficiency, infighting and increased cost.

At present, CERT-In has the legal powers to be the nodal agency for all information security issues. This itself has been diluted with NCIIPC (National Critical Information Infrastructure Protection Center) which is the second nodal agency under Section 70A of ITA 2000.

There is no doubt that there is a lot of Cyber Security work to do in the country and it requires huge manpower. But the best way to start the work is with a proper structuring of the control organization. What is now shaping up certainly does not appear to be an ideal set up.

Given that the “Advisory Body” will control the budget and also give operational directions, the CERT-FIN will be a puppet. I pity the CEO who is likely to head this organization, which on the face of it appears to be a very prestigious entity. Any CISO worth his name will think twice before accepting the responsibility.

The suggested structure is also creating a precedent whereby tomorrow there will be demand for one CERT for Airlines, one CERT for Surface Transport, certainly one CERT for GST, one CERT for the Army, one for the Airforce and one for the Navy and so on, and ultimately at least one CERT for each of the ministries. Then a question will be raised why not one CERT for each State, and it will be a big mess difficult to untangle.

I strongly suggest that this needs to be thought over once again.

Presently RBI already has an IT division and IDRBT exists as an organization with some experience in managing critical networks. Somehow these departments are being bypassed and 5 additional organizations are being created.

We are aware that among these regulators, except RBI and perhaps SEBI, the others do not have much exposure to IT itself, let alone Information Security. IRDAI is only now learning how to use IT for the insurance business. PFRDA is a much more recent organization and not much is known about its IT capability.

Also, when CERT-Fin is funded by the stakeholders and the same stakeholders become part of the Advisory group and the shareholders’ meeting, it is effectively a set-up where the “controlled end up as the controller”. No hard decisions will be taken in such a body, and all security decisions will be subordinated to the commercial interests of the funding agencies. We find that even now RBI is often not able to assert itself against the big banks, though the legal structure is in favour of the RBI. In the proposed set-up, the CERT-Fin management will have no control over its own existence and will therefore have to follow the diktats of the very organizations whose security postures CERT-Fin is meant to challenge.

CERT-In itself, for whatever it has done or not done in the 16 years since ITA 2000 and the 8 years since ITA 2008, has gathered valuable experience with which it can manage things better than the five new CERTs that are being created.

There is no doubt that CERT-In today may lack domain expertise for different sectors. But, keeping the current structure, one can create four different Directors reporting to the Director General, with each Director supported by domain expertise from sub-sectoral advisory groups or committees. Such an organization, under a unified command, should be far more effective.

For effective management of the security of the Cyber world, a “Unified Command” is most essential. The only division that can be considered is one such command for the military and one for civil society; further sector-wise division into parallel organizations should not be made.

Additionally, CERT-In has to be liberated from MeitY and made into an independent entity in the true spirit, with a separate building and budget. It should be separated in body and mind from the current set-up.

We observe that currently even the Controller of Certifying Authorities, which is a statutorily independent body, functions just like a department of MeitY.

Because CERT-In contains the word “Team” in its name, it is being treated as if it were an informal group within the mighty MeitY. This has to change if Cyber Security is to be managed properly.

Security and Functionality are two different aspects of IT management. While MeitY needs to handle Digital India promotion, CERT-In needs to put in place the checks and balances so that technology does not become a runaway horse.

Even in a corporate environment, we know that unless the CISO is liberated from the CTO and made to report directly to the Board, he cannot discharge his duties properly.

Similarly, CERT-In, which is the apex quasi-judicial authority mandated to manage the Cyber Security of the country, needs to be treated as an independent organization and report directly to the PMO.

Any other structure is not only inefficient but also dysfunctional.

A Suggestion

The Government of India should call an informal meeting of management experts from the private sector, discuss some of the specific managerial challenges that the proposed structure may create, as raised here, and listen to the management gurus before proceeding further. I also request relevant academic institutions such as IIMs, IIITs, NLSIU, NALSAR etc. to conduct symposia on CERT-Fin and submit free and voluntary suggestions to the Government on how the organization could be structured for better coordination and effect.

(The discussion will continue in the next article)

Naavi

Posted in Cyber Law

Can a Programmer be a good Compliance Official?

Who would make an effective Compliance Official in an organization? This is a question that troubles many in management.

In large organizations, there is no dearth of people or capacity to appoint professionals, and hence there could be several persons with different designations working on Compliance. There could be a Chief Privacy Officer and a CISO working along with a Chief Compliance Official, each commanding a team under them. But most companies do not have that luxury and nevertheless have to meet the legal obligation with somebody doubling up with “Additional Charge”.

The HIPAA-HITECH Act mandates that a person should be designated as “Privacy Compliance Official” and as “Security Compliance Official”, and that his contact details should be available on the website 24x7.

ITA 2008 mandates a “Grievance Officer” under Section 79 who faces the customers, and a “Compliance Contact Person” facing CERT-In or the Ministries of Finance and Home, who must be available to respond within 2 hours if need be.

CERT-In is a quasi-judicial body which can order legal action in case of non-compliance, while other agencies may initiate action under other legal provisions.

The Compliance Official is expected to be the nodal person who interacts within the organization and is answerable to the regulators. He needs PR skills to deal with the regulators and with people within, though on the face of it the function seems to be a legal role.

In such a scenario, the question that troubles most managements of small organizations is: how do I assign the responsibilities of compliance among my existing team members, whose core activity may be IT or software programming, with no exposure to law? There is no doubt that they can take the assistance of external consultants to understand ITA 2008 compliance requirements, but ultimately somebody on the rolls of the organization needs to be designated as the “Compliance Official”.

Compliance is an activity which starts from the zero day of a company’s existence. Hence even when a start-up entrepreneur begins his initial work and launches his project in a low-key, controlled public release, he needs to have a Compliance Official. If the entrepreneur fails to designate a person, the CEO himself becomes the Compliance Official. Since the CEO needs to focus on other business needs, it would be wise for him to designate somebody who works closely with his team and is present in the office all the time to act as Compliance Official, rather than taking over the responsibility himself, even though the buck ultimately stops with him.

Where the CEO works only with a team of software programmers and has nobody else to assist him, it therefore becomes necessary for one of the software developers, ideally the Team Lead, to also be designated as the Compliance Official.

If a CEO proposes that the person whom he has recruited for his software development expertise should also be designated as an “ITA 2008 Compliance Official” or a “Grievance Redressal Official”, the software professional would in many cases not be comfortable, since he thinks he is not a “legal person” and hence “Compliance” does not sit properly with his designation.

However, it is time that software developers realize that basic knowledge of Cyber Law is today essential knowledge for all IT workers, and without it they are likely to be held back in their career progress. We often talk of “Privacy by Design”, and that simply means that the person who designs the software architecture and writes the code should have some basic awareness of what his software is expected to do when it faces a client.

Today, if we have many “Zero Day vulnerabilities” that pose a threat to Cyber Security, the main reason is that software developers, out of ignorance, have not taken care of security at the time the software was designed and constructed. Security has been an afterthought, which leads to compromises and creates security holes.

It is therefore felt that in smaller organizations there is nothing unnatural in a software Team Lead being additionally designated as “ITA 2008 Compliance Official”, and persons with such responsibility should consider themselves premium professionals. It goes without saying that they need to understand their responsibility and discharge it faithfully.

I would advise software professionals to go through a quick online course if necessary (check apnacourse.com for the Cyber Law College course) or take up more formal courses if time permits, to equip themselves with the basic cyber law knowledge that enables them to work with an external consultant when required and discharge their responsibilities as a Compliance Official. The knowledge may also enable them to improve the quality of their software, since the software would by design be “compliance ready”.

So, the new slogan that we need to pursue in software circles is “Compliance By Design”, and I hope the software community rises to this requirement, which actually helps the cause of Cyber Security.

This should reduce the incidence of “Zero Day Vulnerabilities” and the cost of maintaining “Bug Bounty Programs”, along with the cost of Cyber Insurance coverage for user organizations.

Naavi

Posted in Cyber Law