Naavi.org

One of my friends and a prominent Cyber Security specialist Dr Rakesh Goyal of Mumbai has released a valuable article on “Challenges for digital India“ a copy of which is available here.

Dr Rakesh has brought out the many challenges that are before us and also provides some of the solutions he thinks should be considered.

The paper is an excellent read and needs further discussion at the Government level.

Today, I also went through a video received through WhatsApp about a “Chaiwala educating the public on the need for a surgical operation to remove black money”. This video in Kannada with English subtitles captures the mood of the ordinary men on the street and underscores several truths which some of us may fail to notice. I wish viewers need to go through the video and capture at least the essence of the narration.

Coming back to Dr Rakesh’s paper, it is interesting to note that he compares the cost of digital transactions vs savings of the Government if we move towards cashless society and makes a case for Government bearing part of the transaction cost. This will be one “Subsidy” which will be progressive.

Obviously Dr Rakesh raises the need to focus on interoperability and cyber security. These are not only concerns but also tremendous opportunities which I am sure IT savvy people will harness. Though in India we have so far seen little effort to invest in security, this time we hope things will be different. May be Government subsidy scheme can also consider how to drive the incentives towards a secure platform vs an insecure platform.

User awareness is ofcourse a challenge which is being addressed now through advertisements in the TV and Radio and should continue with the schools and colleges. Perhaps the public have a role in this education also.

Dr Rakesh also speaks of the legal issues and the need to protect the consumers. He points out the absence of a proper Cyber Insurance scheme for protecting the consumers. Government has a ready solution for this which is only being held up by the IBA and influential bankers. RBI is presently under pressure not to operationalize the August 11 2016 circular on Limited Liability which is a good starting point for protecting the interest of the consumers. The undersigned is trying to push RBI into taking a decision but so far not been able to persuade Dr Urjit Patel in taking action. Hopefully some thing is brewing and may happen soon.

Discussing the solutions, Dr Rakesh has suggested many measures which require a serious thought.

Hopefully the Government will take note of some of these suggestions and try to act on the same without any further delay.

Naavi

CERT-IN has today released some advertisements in news papers reiterating the rules that require mandatory reporting of cyber incidents. The circular makes a reference to the notification dated 16th January, 2014 titled  “Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules ,2013” (Copy available here) in which under Section 12(1)(a), it is stated that “Any individual, organization or corporate entity affected by cyber security incident may report the incident to CERT-IN” .

Types of cyber security incidents that need to be reported to CERT-In are

1. Targeted scanning/robing of critical networks/systems
2. Compromise of critical systems/information
3. Unauthorized access of IT systems/data
4. Defacement of website or intrusion into a wbsite and unauthorized changes such as insertion of malicious code,links to external websites etc.
5. Malicious code attacks such as spreading of cirus/Trojan/Botnets/Spyware
6. Attacks on servers such as Database, Mail and DNS and network devices such as Routers
7. Identiy Theft, Spoofing and Phishing Attacks
8. Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks
9. Attacks on Critical infrastructure, SCADA Systems and Wireless networks
10. Attacks on Applications such as E Governance, E Commerce etc.

To facilitate such reporting CERT-In was to maintain an Incident Response Help Desk on 24 hour basis on all days including holidays .

The system incident reporting form can be downloaded from here. 

Incidents may be reported by the victims.  But for Service providers, Data Centers and Body Corporates, reporting of Cyber Incidents as per list provided under this rule is Mandatory”. Reporting should be done within a “reasonable period”.

If one peruses the reporting format, it is clear that it is drafted with a trained CISO in mind Small Companies Ordinary individuals  may not be either capable of identifying “Cyber Incidents” nor reporting properly in the form in which it is indicated.

The report may be sent to the helpdesk whose contact details are given below.

E-Mail: incident@cert-in.org.in

Ph: +91 1800 11 4949

Fax: +91 1800 11 6969

Now that CERT-In has issued a public advertisement, it is essential for them to exempt “Individuals” and “Non Corporate entities” as well as “Corporate entities with a turnover less than a reasonable amount” from this mandatory reporting system.

Though this rule was in existence since 2014 and CERT-In has the quasi judicial powers to start prosecution proceedings leading to imprisonment of upto 1 year for non submission of information, neither CERT-In nor the public had taken this rule seriously. They therefore were mostly non-compliant.

However, now there may be an increased attention of the industry on correcting the situation….thanks to de-monetization and consequent promotion of digital payments followed by a realization of the increased risks…

Naavi

The Indian Election Commission has been suggesting that the Government should initiate measures to ensure that funding of election parties is properly accounted so that black money transactions are reduced. The present Government of Mr Modi has also shown a greater resolve than earlier Governments to tackle the issue of election funding. It is therefore time to find a proper solution to ensure that black money does not get generated in the election process.

For this issue there are two requirements that the EC and Government should address. First the artificial restriction on election expenses can be removed. Let political parties spend money as long as they account for it. Unaccounted cash expenses can be reduced to some negligible amount less than the current expenditure limits as a drive towards cash less election spending. At the same time the spending limits through digital payments which can be traced and accounted can be completely removed.

Having provided the freedom to spend the resistance of political parties to account the donations received can be reduced. Then the Government can reduce the unaccounted cash donations to some ridiculously low level of say Rs 100/-. Anything above Rs 100 has to be through digital payment system so that it is accounted. No more should an option be created for donations in cash upto Rs 20000/-.

However, the excuse for anonymous donations based on possible retribution by political opponents still remains to be tackled. Here we can adopt the time tested principles of “Privacy Protection” through de-identification of information for which ready tools are already available.

The essence of this election funding system is a “De-identification Portal for Election Funding” which runs like the “Anonymizer” as both a mobile App as well as a desktop tool. Any person who wants to contribute will open the app and will be allocated a transaction ID. The server issuing transaction ID does not know what is the amount of contribution but only maintains a mapping of the transaction ID to the Aadhar ID of the contributor or his finger print for aadhaar invocation.  The app will then connect to the payment gateway and complete the payment against the transaction ID. The Transaction ID server and the Payment gateway will both report the transaction to the tax authorities which alone will have the real identity of the contributor and the contribution. This is of course inevitable if we want to eliminate black money.

The de-identifcation transaction server can be maintained by the Election Commission or the IT auhorities. Private agencies may also be allowed to maintain such servers on a distributed service model so that the transaction IDs are handled randomly by different servers defusing the identification possibilities. There are more robust anonymization strategies through “Multi-split ID Management for anonymization” which Naavi has discussed earlier, to completely eliminate any private agency coming to know the real identity of the contributor so that there is no reason to fear any retribution.

If therefore there is a political will to eliminate black money in election process without the obnoxious suggestions such as “Public Funding” etc, here is a solution. Let the Election Commission and Mr Modi both consider this and adopt if they have the resolve.

Naavi

Five years after the Cyber Appellate Tribunal (CyAT) became dysfunctional because the earlier Chair Person retired, it is now reported that the Government may merge CyAT with TDSAT (Telecom Disputes Settlement and Appellate Tribunal).(View Report here)

According to the Government they are looking at rationalizing the tribunals and this move is keeping with that principle.

The move is at first glance to be welcomed from the point of view of reviving the dead CyAT. However, the TDSAT has so far been involved in high profile multi crore cases where as the CyAT normally handles small ticket cases in comparison. The difference in the culture of the two organizations needs to be taken note of before such a move is attempted.

Also, since CyAT is part of the ITA 2000, there will be a major amendment that would be required at ITA 2000 level and the merger cannot be a simple administrative note.

It appears that unable to find a Chair person and irked by the CAG report questioning the idle expenditure, Government has give an off the cuff answer without considring the pros and cons and more particularly how it may affect the interest of the cyber crime victims.

The TDSAT does not appear to be the forum which cyber crime victims will be comfortable with. From the Adjudicator to the TDSAT it would be a jump similar to going from a district court to supreme court. Victims would find the expense and procedures of TDSAT overwhelming.

I would urge the Government to drop the idea.

We may wait and see how the things develop.

Naavi

For some time it has been a hot discussion whether a WhatsApp admin should be held liable for the contents posted by a member.  In several places, police have launched action against WhatsApp admins in such cases. It is however heartening to note that the Delhi High Court has in a recent decision has held that the Admin should not be held liable.

(See the report here)

In Ashish Bhalla Vs Suresh Chawdhary & Others [CS(OS) no 188/2016, IA No 4901/2016,IA 8988/2016, IA 9554/2016) the High Court of New Delhi has observed “…to make the administrator of an online platform liable for defamation would be like making the manufacturer of the newsprint on which defamatory statements are published liable for defamation”.

The case has been dismissed also for other reasons. But Netizens and WhatsApp admins should be happy with the remarks recorded in the judgement.

Naavi

In what can be considered as a commendable move, the CERT IN has indicated that it will shortly set up a “Malware Cleaning Service” to the public. It is expected to maintain a botnet hosting malware cleaning tool kits which can be accessed by public on demand to clean their devices.

The botnet service would be supported by a  malware detection facility and a coordination with anti phishing facilities of Banks at least in India.

Refer Article here

Presently the information has been released as an answer to a Parliamentary question and more details are awaited.

However, according to Economic Times,  the center is being rolled out tomorrow the 20th December 2016 and a full fledged launch would be on next Monday, December 26th.

This is certainly a good move which will make CERT In relevant for the general public for the first time since its formation along with the notification of ITA 2000 on 17th October 2000. If properly implemented as envisaged, it will be a game changer in the Cyber Security domain in India with many down stream benefits.

Naavi