Naavi.org

(P.S: This is in continuation of the previous article in the series of discussions held at the 2 day conclave in Delhi on 14th and 15th July 2017 titled “Securing Cyber Space” )

The discussion on Civil Society Consultations on Net issues had focused on two specific aspects namely “Internet Shutdowns” and “Net Neutrality” and Naavi placed his views for discussion which is also reflected in greater detail here.

The “Internet Shutdowns” have recently come under criticisms by Human Rights Activists since they have been used when the Police have observed that WhatApp messaging has been used to mobilize violent protesters and Police sought to break this communication channel as a part of their law enforcement requirement.

Internet is respected as “Free Speech” and we often demand that it should be considered as a “Fundamental Right” and should be protected as such in a democratic society. We are also aware that Internet has been used in the past for positive democratic movements including the Anna Hazare movement itself and shutdowns if it occurs are of concern to citizen activists.

However, we cannot deny that , in the recent days Internet has been misused by protestors in J&K to mobilize Stone Pelters to disturb the activity of the army against terrorists. It has also been used in other places in India including perhaps in Gujarat to mobilize crowd for anti Government protests and for spreading rumours aimed at disturbing peace in the society.

If the law enforcement has credible information that such protests or rumours can cause law and order problems, it is difficult to object to law enforcement seeking temporary shutdown of the channel of communication that can fuel trouble.

The debate of what is a reasonable case in which there could be an intervention and when it becomes trampling of democratic rights will never end and there has to be checks and balances including a judicial review if need be in case the Internet shutdown is used indiscriminately. Present law in ITA 2008 already has some provisions in this regard and if it is not being followed properly, we can examine the remedies related to proper implementation of the Section 69/69A rules.

Genuine, law respecting civil society would not mind accepting inconvenience as a part of the security of the society since we all realize that only if we survive in the society we can demand democratic rights such as free speech and privacy. These rights are therefore always subordinate to the requirements of Security.

The Civil society concern is not therefore on whether Internet shutdowns should be allowed or not but that it should not be misused. This requires a trust building between the regulatory authorities and the public and following up a “Due Process of Law” in administering the shutdowns.

Presently the checks and balances all revolve around officials in the Government and the Civil Society representatives (of the right type) are not involved either in the decision making or post decision review. This breeds distrust and a feeling that the provisions of Internet Shutdowns may be used like imposition of emergency to curb civil rights.

We need to therefore strengthen the process of post internet shutdown review and involve civil society members  in the consultation process. The concept of “Netizen’s Rights Commission” which I will elaborate more in my next article is one of the tools that we can use for this purpose.

Focusing now  more on the technical solution side, it is to be recognized that with India becoming more and more dependent on Digital transactions, Internet shutdowns could adversely affect innocent citizens who want to simply carry on their normal digital activities. In particular we would like our digital financial transactions, the health services etc not to be disturbed by the Internet shutdowns.

The challenge is to ensure that the “Critical Digital Services” continue to operate even when an Internet shutdown is warranted.

Technically this means that the communication channels like the WhatsApp like messaging services, E Mail and Web which can be used for spreading rumours and causing law and order problem should be separated from the part of the internet that deals with critical services.

Just as there is a “DarkWeb” which criminals have created as their territory, we should consider the possibility of creating a “White Web” where we can run the critical services.

If we have the segregation of “Non Essential Communication Data” from the “Essential Communication Data”, we can try to apply Internet Shutdowns selectively so that law enforcement needs are met without adverse impact on critical services.

This situation is like in the case of a Curfew being in town, critical movements of citizens can still be accomplished in Government vehicles.

We need to therefore find means of diverting the “Critical Services” to an “Emergency Network” during the time “Internet Shutdowns” are required.

This can be achieved either by creating a separate communication channel that can take the “Sensitive Critical data Traffic” like a VPN which can either be a permanent solution to many of our security issues or could be operated only during emergencies.

The access to such a network would obviously be based on “Identity clearance” through an “Identity Gateway” using digital signature or e-sign  as a base for identity. OTP is not considered a recommended identity clearance mechanism. If there are any other alternatives, it can be considered.

These services can also be licensed to the service operators themselves under a strict guideline and work like a “Digital Ambulance Service” that carries the critical data at times of Internet shutdowns.

One such “Digital Ambulance” can also be licensed to a “Media Self Regulatory Body” or even the “Supreme Court” or the “Netizen Rights Commission”  so that “Free Speech” can still reach an ombudsman who can filter them and take steps where by citizen’s democratic rights are not trampled with.

Some of these measures may come in conflict with the “Net Neutrality” debate which is discussed in the next article. But with the creation of the Netizen’s Rights Commission and that such instances of internet shutdowns are temporary and not permanent, we must be able to consider this “Digital Ambulance” concept to address the Internet Shutdown requirements.

Naavi

Yesterday, in the conclave on “Securing Cyber Space” at IIC, Delhi, experts from different NGOs spoke on the topic of Civil Society Consultations on Net issues such as net Neutrality and Internet Shutdowns before an august audience of Cyber Security professionals.

Naavi speaking on the occasion discussed the concerns of the civil society and how it needs to be addressed.

He recalled the instance when around the year 2000, Mumbai High Court listening to a public interest case on whether people should be asked to produce IDs for visiting Cyber Cafes mandated that an Internet article of Naavi was to be placed on the Government website of VSNL (at that time VSNL was the sole Internet service provider) along with the proposal of the Government and ensure that the larger public could react. This trend is what the Internet has brought to the domain of Civil Society consultations. In fact Draft E-commerce Act 1998 which was the pre-cursor to the current Information Technology Act was also perhaps the first legislatory “Bill” to be placed for public comments. Even recently we have seen that in the Bitcoin issue was discussed on the forum of MyGov.in to solicit public opinion.

RBI is also frequently placing draft regulations for public comments before they are finalized.

There is no doubt that this is the norm and in future all legislations when in draft form would be placed for public comments. It is a good practice and needs to be strengthened.

However, the consultations will have meaning only when proper representation of the “Civil Society” is allowed to contribute their views and the decision makers actually take those views into consideration.

We have some times seen that the web based collection of views is only a formality and public really donot know if the views really go into the decision making process as an input. There are also instances (eg Bitcoin consultation) that vested interests take over such consultation process and flood the forum like a Twitter troll with their views corrupting the process. In the Bitcoin issue, MCX which as an insider to the process of Bitcoin regulation was caught using the forum to express vested interests and it was left to vigilantes like the undersigned to call their unethical act.

Similarly, when RBI floated a “Limited Liability Draft Circular” on August 11, 2016 and closed the consultations on 30th August 2016, the final rule was expected soon after. But it took time upto July 6, 2017 for the draft circular to be confirmed and that too after the undersigned brought it to the attention of all concerned including our busy PM, FM and others. In this time there were many more banking frauds where the victims could not get timely reaction from the Banks. Though the final notification is well appreciated, the delay could have been avoided and indicated that there was perhaps some differences of opinion that had to be contended with.

Presently there  are many other issues such as AEPS, P2P lending, HDPSA, amendments to ITA 2008, new Data Protection Act, Cyber Insurance etc which are under different stages of development in which public consultation is called for.

If we observe how US has handled the HIPAA consultation process (Refer to the Final Omnibus Rule”) the document that was finally published discusses the various comments made and the reasons why it was considered or not considered. The process is trust building since public know why a certain rule was made.

We need to adopt such a process of “Revealing the public response” along with what were the views of the decision making committee on specific points made in the response (after filtering  troll like opinions) and why a decision was finally taken was in a particular manner should be used in all future consultations.

It is needless to say that when a more detailed consultation with physical meetings are held it is the duty of the consultative committee to ensure that the Civil society representatives they chose to consult are limited to the few vocal media facing persons located near the seat of power. There has to be consultations in other places down south also so that a wide set of view points are used before coming to the final decision.

(These are part of the discussions…will be continued)

Naavi

In a welcome development on the Bitcoin front, Supreme Court of India has taken note of the possible illegal use of Bitcoin and is reported to have questioned RBI on its inaction in taking a decision on Bitcoins. It has given a four week deadline to examine all security related issues pertaining o virtual currencies including bitcoin.

The Supreme Court has also sought information on the steps taken by the government and the RBI to ensure digital currencies aren’t used for terror funding and money laundering.

(See Report here)

It may be recalled that the Government of India has been examining the issue of whether Bitcoins have to be legalized in India and there has been a gathering of public opinion in this regard through the Mygov.in website last month. During that time there was a concerted effort from the industry to push the Government into taking a stand inclined to either recognize Bitcoin as a “Legal Tender” or atleast say that the Crypto Currency is being “Observed”.

Naavi.org has been repeatedly stating that Bitcoin and all other privately controlled crypto coins has no place in the economy and there is no option other than declaring them as “Illegal”.

However there is undoubtedly an effort to influence the Government into taking a decision in favour of Bitcoin legalisation mounted by the industry. Even the above  report in Cryptocoinnews.com ends up with a hope that “A Ban is highy unlikely”.

Any attempt to promote Bitcoin as a “Currency” that can be used for payment for goods and services is per-se violation of the RBI Act and those who indulge in such promotion may be punishable with imprisonment of 3 years.

It is no secret that Bitcoin is being used by criminals and terrorists and hence any thought of continuing its usage in India is completely unacceptable.

If Bitcoin is not immediately declared illegal, there is likely hood of more Indian Black money being converted into Bitcoins.

It is good that the Supreme Court has taken cognizance of these possibilities and put pressure on RBI to spell out its policy and not remain silent in this regard.

A report in Livemint.com quotes M/s Nisthit Desai, the legal firm that is representing some of the Bitcoin industry players suggests that the industry should “Self-regulate”.

It is not clear how can an illegal activity can “Self-regulate”. The law firm is trying to mislead the public that by what they call “Self regulation”, the ill effects of Bitcoin could be curtailed. The self-regulation that the industry is talking of is for the Bitcoin exchanges to follow KYC principles and identifying the buyers and sellers in the exchange. This will not make “Bitcoin” legal or “Bitcoin Exchange activity” legal. It is surprising that SEBI has not so far taken penal action on Bitcoin Exchanges for running the exchange business like a “Commodity Exchange” without any authority.

Supreme Court should have also pulled up SEBI for its inaction in this regard.

During the recent effort to gather public view on Bitcoin regulation through MyGov.in, there was an effort from MCX itself to support legalization of Bitcoins. When this was vehemently opposed by Naavi.org, the comment posted by MCX on the MyGov.in site was removed without any explanation. This indicated that there were perhaps corrupt elements within the Government who want Bitcoins to be legalized.

The Supreme Court observation and direction therefore may perhaps be making some people in the power corridors a bit uncomfortable.

We however welcome the direction of Supreme Court and urge RBI to immediately come out with

a) Declaration that Bitcoin being represented as “Currency” is punishable under RBI Act

b) Declaration that Bitcoin being traded like either a commodity or a foreign exchange currency is illegal and punishable under RBI Act

Since Bitcoin is per-se not legal, there is no further regulation that needs to be considered except to declare that any person in possession of Bitcoin is presumed to have acquired it illegally through the illegal exchange activity and hence is punishable.

The question of collecting tax also does not arise since the trading itself is illegal and any profits made there on is not legal ab-initio.

Criminal punishment may perhaps be spared if the holders voluntarily declare and hand over possession of their Bitcoin possession to the RBI for destruction like it is done when fake currency or drugs are confiscated.

It is observed that the Bitcoin exchange rate has fallen drastically in the last few weeks and it could be a result of the realization that India may not fall into the Bitcoin trap by allowing current status.

Another trap which RBI should avoid is to restrict its ban only on Bitcoin and leaving other AltCoins. It must be recognized that Bitcoin is easily convertible into other Altcoins and hence all privately controlled Crypto currencies must be considered as fungible and equally illegal. Hence the ban should extend to all such Crytpo Currencies.

Unless RBI introduces its own Crypto Currency, there is no scope for any other Crypto currency to be legally recognized in India. What is left is for the RBI to clear the air and remove the uncertainty that may encourage some innocent persons to invest their hard earned white money into Crypto Coins and lose.

Naavi

Also Read:

RBI and Government should not drift in deciding about Bitcoin …

Bitcoin Regulation… What the Government needs to do.

Bitcoin is a National Security Issue… SEBI and RBI must step in and …

Can we replace Bitcoin argument with a “Law Compliant Crypto …

If Bitcoin is legalized in India, the money supply will jump up by 50 …

Is it time for a worldwide ban on Bitcoin to stop Cyber Financial …

How Does Bitcoin break India into bits and pieces and realize the …

The Bitcoin Battle…Will it be Modi Vs ZebPay?…like Kumble Vs …

Fight Against Corruption now has a new Slogan: Say No to Bitcoins …

Is MCX of India involved in insider tampering of the Committee on …

say_no_bitcoins – Naavi.org 

Regulate Bitcoins through ITA 2000 notifications under Section 1(4 …

Will the Government succumb to Zebpay PR pressure? – Naavi.org

Close on the heels of China Cyber Security Law, we now have a draft of a comprehensive Cyber Security law from Singapore. Both are interesting pieces of legislation that requires a detailed analysis which we may keep for a later day.

These developments will obviously trigger a thought on whether India should also consider a similar law.

In India, we have the ITA 2008 which provides the office of the Director General, CERT-IN all the powers that is required to implement an effective Cyber Security plan across the Cyber Space. These powers are supplemented with Sections 69,69A and 69B which provides powers to the secretaries of Home and IT additional powers that can lead to Cyber Security related decisions. Once the Data Protection law comes in, there will be a “Data Protection Commissioner” in place.

Presently, RBI already regulates the Financial Sector which is the key sector for Cyber Security. CERT-IN is restricting its control mostly to the Critical Information Infrastructure and is not imposing itself on the private sector as regards Cyber Security issues.

Most of the objectives that the Singapore legislation tries to achieve can be achieved in India through notifications by the CERT-IN. Legal empowerment is already present and we may not need a separate law to reach our objectives though the temptation for a new law is always great.

Probably CERT-IN needs to expand its work force base to meet all the responsibilities that an Apex Cyber Security Organization needs to fulfill. It also needs to step out of Delhi and start a sub-office in places like Bengaluru to be in close touch with South India and the IT hub.

Such regrouping and enhancement of CERT-IN resources is perhaps a more effective option than to think of another separate law with overlapping powers for executives and additional expenditure for the Government.

Perhaps more discussion is needed on this aspect and the two day conference in Delhi on “Securing Cyber Space-2017” on July 14th and 15th should be one forum in which these discussions may start.

Naavi

Reference:

Singapore releases draft of a Cyber Security Law

China Cyber Security Law-analysis by KPMG

China Cyber Security Law

US Cyber Security Laws

Yesterday, after the NSE technical glitch, Naavi.org raised the suspicion that it could be a Cyber Attack probably emanating from China. Today, it appears that this angle is being pursued with further investigation by the Home Ministry taking into account other recent incidents that occurred recently.

According to this report in Hindu, “The government’s senior cyber security officials are looking into both the Airtel and Jio incidents to see if they were possible attacks,” ….” they expected to know more about the cases in the next few days”….”the attacks could have emanated from a neighbouring country.”

The incidents flagged include the 32 lakh debit card data that was breached, Network outage experienced by Airtel on July 7, and Jio data breach reported on July 9.

This “China Risk” has long been ignored by the Telecom industry in pursuance of “Profits at any cost”. A few years back, the Government had set up a “Security Certification Lab” at IISc in Bangalore to certify telecom equipments from security perspective after coming to know that some of these equipments had a backdoor apparently to enable remote servicing of the software. We have not heard much about the activities of this lab except that the operations of the lab were sponsored by none other than “Huawei” !. The logic of getting the activity sponsored by the Chinese equipment supplier with connections to the Chinese Government must be known only to the then Government and the officials who represented in the committee that supervised in this project.

It is not clear if our Government under Modi has come out of the clutches of Chinese influence and the perception is that it has not. In this context the caution sounded by the Home Ministry as per this report is welcome.

The report also says that  the Home Ministry official also said “We have been warning the telecom companies for long regarding the use of Chinese products. Earlier personalisation of SIM cards was being done by Bharat Sanchar Nigam Limited (BSNL) for a fee, but later on the contract was given to Chinese companies. Essentially all telephone data is with the Chinese and we had warned against this dependence,”

Now that the Home Ministry has flagged this issue, we need to see some action to remedy the situation.

I had recently pointed out the danger of using Chinese made Finger Print scanners to be used for Aadhar Enabled Payment System suggesting that the data would be diverted to China. I therefore suggested that unless we are able to develop “Tamper Proof” biometric scanners in the facilities of BEL or ECIL, we should defer the implementation of AEPS.

I wish that at least now the relevant ministry officials realize the risk of using imported Biometric devices in AEPS and ensure that we donot make the mistake of going ahead with AEPS without proper preparation.

We know that Jio uses a biometric device for registration of customers and we donot know if it is a Chinese made equipment. May be some of the security professionals check out with the Jio dealers and let us know if this could be one of the reasons how the Jio customer data was leaked. According to one report even the CDR data of 120 million Jio users is available in the dark web for a price. If this is so, then Jio has a lot to explain about its security preparedness. Probably the giant IT companies who are working with Jio in designing the systems some of them are Indian companies, need to explain their perspective of security in Jio.

I have a doubt that apart from the data that was leaked out, there is a possibility of Aadhar registered biometric data also being available in a stored form because all Jio customers were registered with Aadhar KYC.

Now the Government has asked other mobile service providers also to link Aadhar and some of them are stating that it would require biometric based KYC and not merely providing the Aadhar number. The risk of biometric data being leaked is therefore very much there in this process.

I therefore request the Government to ensure that no Chinese made biometric devices are being used by the mobile service providers to register Aadhar.

In the meantime we await the result of the investigations about NSE technical glitch to find out whether it was in deed a Cyber Attack from China as we surmise or it was really a normal technical glitch.

Naavi.org is fully in support of the movement to reduce the national dependence on Chinese products as a means of opposing the Chinese support to Pakistani terrorists through border skirmishes. Many feel that the Chinese dependency is so deep rooted that it would be difficult to impose “People’s Sanctions” that can really hurt China, but it is still a mark of protest that requires pursuing.

Naavi

At around 9.15 am today as soon as the markets opened, after the first few ticks, the NSE system developed a glitch and its cash market rates stopped getting updated.

Probably the contracts also did not get executed. However the F&O continued to operate and BSE continued to operate smoothly.

The system is expected to come online back at 10.45 am.

The exact reasons are being analyzed. Let’s wait and watch.

If the dislocation of NSE is a result of any malicious attack, this needs to be considered as a case of Cyber Terrorism and handled as such irrespective of the reputation of NSE.

Naavi

Update 1:

The obvious question is whether the systems had a crash because of some technical glitch such as balance loading failed or such other network related issues.

There is a possibility that there was a cyber attack also which may not be immediately be revealed.

The BCP however has taken around 75 minutes to pull back the system into operation.

SEBI needs to check the cause and then determine if it has to take any further action to prevent such happenings in future.

Over the last few days, there is an online movement to boycott Chinese products in India and according to one report the sales of Chinese products in India has come down by 60% during this period.

I see a distinct possibility that  China may be flexing its muscle in the Indian Cyber Space which could be a reason for the NSE glitch. CERT IN should conduct a special investigation keeping this angle in mind.

We may have to be careful on the NPCI infrastructure being targeted next and then the Aadhar.

I urge CERT In to create a special gateway to prevent Chinese intrusion into any of our critical information infrastructure.

Update 2:

The re-opening has now been further deferred and it is not able to re-open at 10.45 am.

Update 3:

The markets re-opened at 11.15 am. But the F&O is still frozen. It is probably because they have moved some of the servers from Futures to Cash handling.  After a while both servers have been stopped at around 11.18.

I suppose both will re-open simultaneously after a few more minutes.

Update 4:

NSE to re start operations at 12.30 pm.

Update 5:

NSE seems to have come back to normal operations after 12.30 pm. Analysis of the cause etc are awaited.

Update 6:

Finance Ministry is expecting SEBI to submit a report on the incident by the end of the day. I think CERT IN should also seek a report from NSE and SEBI and prepare its own report.

Final Take

This incident is a “Denial of Access” incident in a nationally important system and it requires reporting to CERT-IN under Section 70B. If NSE does not report and CERT-In does not assert its rights, it will encourage other private sector entities also to avoid reporting security incidents to CERT-IN.

Naavi