Behind the WannaCry adversity there is the silver lining of Cyber Insurance Awareness

The recent ransomware attacks with WannaCry have woken up the Indian corporate sector to the need for Cyber Insurance as a means of recovering the losses arising out of such attacks.

I refer to the article in the Economic Times today where several industry executives have been quoted with their views on Cyber Insurance.

As readers here are aware, we conducted an all-India survey two years back to document the awareness of Cyber Insurance amongst the CISOs and CIOs in India and found that most of them had very little understanding of the nuances of what constitutes Cyber Insurance.

Most CISOs do accept that “Transfer of Risks” is one of the four methods by which risks are managed (mitigation, avoidance and absorption being the other three). But in most practical situations it is the CFOs who take decisions on buying Cyber Insurance policies, the risks to be covered, the financial limits to be accepted etc., and CISOs are hardly allowed to link the Cyber Insurance needs of a company to the “Risk Mitigation efforts”.

Though RBI had mandated that banks should take Cyber Insurance against hacking, denial of service etc., way back in June 2001, hardly any Bank obtained such insurance until the last few years.

Companies started looking at insurance after their data vendor business partners in the USA and EU became concerned about the liabilities that could arise from breaches in outsourced operations and made such cover part of their business contracts.

Now the ransomware attacks have brought an urgent need for cover as a part of the Corporate Governance policy.

The ransomware attacks create two kinds of liabilities, namely

a) Cost of recovery of data and of managing reputation

b) Actual payment of ransom

In most cases of WannaCry demands, the actual ransom was up to 3 Bitcoins, which was about Rs 4-5 lakhs, and in most cases this was less than the minimum self-liability (deductible) under the policy. Hence it was not considered as a coverage.

But in principle, ransom payment could be a claim under the policy and we need to understand if this is covered under insurance. We are aware that in another incident of ransom demand on Wipro, there is a demand of ransom up to Rs 500 crores and hence the possibility of ransom demand becoming a real liability is high.

It is understood that some Insurance companies provide specific coverage of ransom payments under an extension of the basic policy.

It is of course debatable if ransom payments should be covered under an “Insurance” since it is an “Illegal payment”. By covering the ransom payment as a genuine business expense, Insurers would be actually providing an incentive for companies to be less vigilant to take security measures and also encourage criminals by making it easier for the victims to pay ransom.

We have also pointed out that there are many challenges in Cyber Insurance including the “Zero day Vulnerabilities”, the “Delay between identification of a vulnerability and its patching up” and the general apathy of companies to subordinate security measures to profitability etc.

The “Uberrimae Fidei” (utmost good faith) nature of Cyber Insurance contracts makes it very difficult for the insured to really consider an insurance policy as an adequate risk cover, since they will always be at the mercy of the insurance companies at the time of a claim settlement.

We have therefore recommended that we need to take a cue from China which has converted the Insurance from a “Contract of Utmost faith” to a “Contract of honest disclosure”.

This is in the hands of IRDA which needs to consider Cyber insurance as a separate category of insurance and not club it with other forms of general insurance and then apply the principle of “Contract of honest disclosure” to these policies.

Today the insurance terms are dictated only by the reinsurance writers and hence IRDA needs to work with re-insurers to structure the Cyber Insurance policies in a manner that it will actually be considered useful to the insurer when the Cyber attack materializes.

The user industry needs to come together and form its own consortium to guide and, if necessary, lobby with the IRDA for a better structuring of Cyber Insurance plans that is acceptable both to the insurers and the insured.

Thanks to WannaCry, companies are now better aware of Cyber Insurance!

Naavi


More on Wipro Terror threat… We need to shed our complacency

P.S. This is in continuation of the previous article

The second e-mail threat received by Wipro has been reported with some more detail today in this article in the Times of India.

According to this report, the investigation has now been taken back by the CID from the Bellandur Police. However, unless this is pursued like a Terror threat in full, invoking the assistance of the NIA, it is unlikely that any quick progress can be made.

Law enforcement naturally has a nose for smelling intelligence, but companies are more prone to displaying an “All is Well” syndrome and try to downplay such risks under the false impression that they are protecting their reputation, which would otherwise be lost.

In this case, the natural complacency of the corporate sector seems to have rubbed off on the Police also, and hence over the last one month no progress seems to have been made in tracing the e-mail.

For those who think Naavi.org is being needlessly hyper about the incident, it is necessary to point out that “Risk Management” requires identification of risk and assigning the probability of its manifestation. As long as the risk is not brought down to zero, it is the duty of the Risk manager to flag the risk and seek action. In the subject incident I feel the risk goes beyond the corporate boundaries of WIPRO and hence we the citizens have the right and also the duty to seek proper corrective action by all those concerned.

If this person, believed to be a delinquent employee, turns out to have been recruited by a terror organization, his threat may be used as a potent weapon against people outside WIPRO. Hence the incident cannot be buried as a corporate event in which only WIPRO is interested.

In Cyber Crime investigation, one month is an unpardonable delay, and parking the investigation at the local police station, which everyone knows is ill-equipped to handle such cases, was as good as abandoning the investigation.

I hope at least now the investigation is taken up with a new vigour to make up for the time that has been lost.

I would like to also make a comment here about companies thinking that if they give weight to such incidents, they would be harming the reputation of the company.

Actually, in my opinion, the reputation of the companies would be enhanced when they respond promptly to adverse situations.

As the proverb goes,

It is not the way you fall down that determines your character, but it is the way you get up after a fall

When a company hides problems under the carpet fearing a reputation-loss fallout (in a case like this where no fault can be ascribed to the Company in the first place), it is only enhancing the risk of the incident escalating in future with greater force.

I hope the wise men investigating the incident would correct for the deliberate neglect over the last month and go hyper now.

Naavi


Wipro Terror Threat renewed… It is Bitcoin demand again

We had extensively discussed the e-mail threat received by Wipro some time back, in which an e-mail had been received by Wipro threatening that if Rs 500 crores is not paid in Bitcoins, they would spread “Ricin” in Wipro premises through drones or mix it with food in Wipro canteens. Ricin is a poison extracted from castor seeds and can cause death. Extracting Ricin from castor sludge from a castor oil extraction plant is considered to be easy.

There were two ways of dealing with the threat. One was to consider this as a prank or an empty threat from a disgruntled employee and ignore it. This was easy and instinctive. The second was to take it seriously and take steps as if the attack was imminent.

Naavi.org had indicated that there was a need to take the threat seriously and suggested a series of measures, mostly to be taken by the Police, to meet the contingency of the attack actually being played out. This included registering the case as a “Terror Threat” and going about tracing the e-mail with international assistance.

However, Karnataka Police took things lightly and registered the case as an ordinary e-mail threat and transferred it to the local police station in Bellandur. The Cyber Crime division traced the e-mail to a Switzerland IP address and left it to the Bellandur police station to follow up with CBI and Interpol to try to find out the sender. It was clear that everybody assumed that we will not hear about it once again and the prank can be forgotten.

But unfortunately, it is now reported that the e-mail threat has returned to haunt WIPRO once again with a renewed threat. The sender is aware that the earlier e-mail was not traced and was bold enough to use the same e-mail address ramesh2@protonmail.com.

Now the problem is back on the desk of the Police. Will they continue to ignore the threat (as reported in this article in the Indian Express) and expect the Bellandur Constable to trace the Switzerland IP address and crack the case? Or will they invite the Anti Terror department of the Police to come in and take up the investigation?

WIPRO says that they have taken some safety measures. Hope they are safety measures to prevent any form of dispersion of RICIN on any of the premises of WIPRO. They appear to have reported the incident to CERT-In and consider it as a sufficient fulfillment of the data breach notification requirements. It is not known if CERT-In has made any investigations and tried to trace the e-mail, which should have been sent from India through some proxy servers.

At this time we cannot say anything other than regretting that neither the Police nor the Company appear to be keen on escalating the issue to a “High Level Threat” and wish that it would simply go away.

If by any remote probability the threat gets executed and we are caught unprepared, then it would be in the fitness of things that the persons responsible for the negligent handling of the incident may have to stand trial for gross negligence leading to loss of life.

Let’s pray that nothing of that sort happens, because I am talking of my personal friends both in the Police and Wipro, whom I include in not being serious enough in this incident.

Naavi


A Lesson in Section 65(ITA) Compliance and use of Section 65B (IEA) certification emerges out of MCX issue

Recently, I had raised an objection about a comment posted by MCX of India Limited on the discussion forum of MyGov.in regarding Bitcoin regulation. The Government had asked for public opinion on the forum, which was expected to be used by the Committee formed for the purpose to arrive at a decision.

Obviously there were different stakeholders with different vested interests. Some wanted Bitcoins to be legalized and some did not. The undersigned was one who held that Bitcoin is detrimental to the interests of the country and needs to be banned.

(Details are available in a series of articles at present ending with this article on naavi.org: Fight Against Corruption now has a new Slogan: Say No to Bitcoins).

Multi Commodity Exchange of India (MCX) is a licensed Commodity Exchange that allows trading of derivatives related to different commodities including Gold and Silver as well as Foreign Exchange under the regulations formed by SEBI and RBI. It is like BSE and NSE and is a quasi regulator of commodity derivatives.

In the event Bitcoin or any other Crypto Currency is recognized by India as a commodity, it would naturally be a “Commodity or a Derivative” which would come under the trading list of MCX. Hence MCX is a direct stakeholder in the Government decision to legalize Bitcoins or otherwise.

Just as RBI or SEBI itself was not expected to participate in the forum discussions and give its views since they were the decision makers themselves, MCX was also considered as part of the regulator and not part of the public.

However, some executive who did not understand the nuances of propriety posted an opinion using the official logo of MCX stating that MCX recommends legalization of Bitcoins. This was posted on the forum a few hours before the end of May 31, when the collection of opinion was to end.

The undersigned raised an objection and called it as an attempt of an “Insider” in “Fixing” the decision of the committee and demanded action. Since MCX is a Board managed company and the opinion expressed was a policy decision, it should have been taken only under the directions of the Board. Also since MCX is a listed company itself, major Policy decisions that are considered “Price Sensitive” need to be notified to the BSE/NSE before being released to the public.

What MCX did was therefore a failure of Corporate Governance and fit for penal action from SEBI.

When the objection was raised by the undersigned, the Board naturally moved in and perhaps wanted to take its own corrective action. The first thought that came to their mind was “Removing the Comment”, which was perhaps not authorized. Perhaps most managers would come to the same conclusion. They would have therefore contacted the MyGov forum administrator and requested removal of the content. The MyGov.in admin obliged by removing the content.

However this raises one issue of “Electronic Evidence” being tampered with. MyGov.in in this context is an “Intermediary” and when a notice of objectionable content is given to them by a suitable authority, under Section 79 of ITA 2000/8 they could remove the content. But this was a forum where the persons posting the comments were not authorized to remove the content once posted and hence it was expected that content once posted was an “Evidence” that could be acted upon by others who could view the content and be influenced by it.

According to the Section 79 rules, content removed needs to be preserved for evidentiary purposes for at least 90 days as “Provisional Evidence”. If, however, the intermediary becomes aware that there is actually a dispute related to the content and it is “Actual Evidence”, then he needs to preserve it for a reasonably longer time.

In the current incident, anticipating the removal of content, CEAC had already captured the evidence as it existed on May 31, 2017 and also captured the forum content on June 1, 2017, showing clearly the absence of the original content or, more appropriately, the “Tampered Page”.

Now the MyGov.in administrator can be accused of allowing tampering of electronic evidence when it was required to be maintained under law (Section 65 of ITA 2000/8).

The correct procedure for removal of content would have been one of the following two methods.

  1. A rejoinder could have been posted along with the original content, indicating prominently that the content has reportedly been posted without the authority of MCX (which is an offence under, say, the Trade Mark Act, and impersonation under Section 66C/66D of ITA 2000/8 etc.) and that the management has disclaimed the opinion made therein, which should be ignored. Then the viewers would see both the original content and the correction. (This method was suggested by Naavi way back in December 2000 in the context of the dalistan.org website in our article How To Control Rogue Sites.)
  2. The administrator of MyGov.in could have masked the earlier message with his note that the content has been masked because it had reportedly been posted without the authority of the organization in whose name it was posted.

If therefore BSE or NSE now wants to take action as mandated by the SEBI regulations on MCX for violating the listing guidelines, they will have to contend with a situation that the offending evidence is no longer available on the web and has been tampered with by none other than MyGov.in administrator. He can plead ignorance and escape criminal prosecution but the evidence is lost at his end.

However, CEAC is maintaining the evidence and has also posted it on www.naavi.org. The article posted on naavi.org itself can be used as evidence with a Section 65B certification of the naavi.org webpage.

This article is being published to explain the Compliance requirements under Section 65 of ITA 2000/8 by public discussion forum owners.

It also explains the context in which Section 65 B certificates can be of use in public interest litigations as well as specific litigation involving tamperable electronic documents. (Provided one is alert to capture the before and after instances of the electronic documents through a trusted third party like CEAC).

Other aspects of Section 65B certification on who has to give such certification and how are discussed elsewhere.

Naavi


MCX removes its comments… Will BSE/NSE take action for this Corporate Governance failure?

Yesterday, we pointed out that MCX of India Limited, which manages the Commodity exchange operations and is therefore a stakeholder in Bitcoin being banned or legalized, had placed a comment on the MyGov.in discussion board that Bitcoin was proposed to be legalized.

MCX is an insider to the stock market operations and is carrying the permissions from SEBI and RBI to carry on its activity and is considered as a quasi regulator for commodity transactions. It is also listed in BSE and NSE.

Being an insider, it was inappropriate for MCX to release its views on Bitcoin regulation to the public on the forum, unlike other private companies and individuals. Also, since MCX is a company, any policy decision of this nature should have carried the permission of the Board of Directors in the form of a resolution. Also, being a listed company and probably the exchange which would be entrusted with the management of Bitcoin exchanges in India if Bitcoin is legalized, the information put out on the public platform was an attempt to influence the policy of the Government which could affect its own business prospects. Hence it was price-sensitive information both for the price of MCX on BSE/NSE as well as the price of Bitcoins in the unofficial exchanges.

We therefore were constrained to raise an objection and bring it to the notice of the Directors of MCX and also the committee on Bitcoin regulation besides other relevant persons.

Also the Stock exchange had not been informed earlier and hence it was a violation of the listing guidelines of SEBI.

We expected that if the posting was from a person in MCX not authorized by the Board of MCX, suitable corrective action including disciplinary proceedings would be initiated for this breach of a Corporate Governance aspect.

We are happy to now report that some action seems to have been initiated by MCX, as indicated by the removal of the comment from the discussion board, shown in the following two screenshots captured by the Cyber Evidence Archival Center yesterday and today.
As we can observe, the comment of MCX which was between the comments of Amit Kumar Maurya and Shashank Rao is no longer there.

We appreciate the action initiated by MCX and hope it would take further action as may be necessary including issuing a press release expressing regret. BSE/NSE also needs to clarify if it has taken any action in this regard. Further the Bitcoin regulation committee also may clarify and assure that they will not be influenced by the views of MCX and it will take an independent decision in this regard.

It would be a good Corporate Governance aspect if the Directors of MCX confirm that they do not have a stock of Bitcoins in their possession as of now and that they have no conflicting interest in the decision of the committee.

Naavi

Copy of the PDF document removed is available here


Is MCX of India involved in insider tampering of the Committee on Bitcoins? Directors, please answer

Naavi.org has been maintaining that Bitcoin is a menace to civilized society and India should ban it. We have given our logic through a series of articles on this site.

We have also made a note that many of the opinions expressed on the MyGov.in discussion page are from persons who have no idea of what Bitcoin is and how it can damage the Indian economy, but were expressing support on the site because they were plants from vested interests.

Today there was a huge surprise in store, and it has to be brought to the notice of the public so that the public can take their own view about what kind of regulation the Government of India should consider on Bitcoins.

I would like to re-iterate that Bitcoin is the “Currency of the Criminals” and under the current legislative scenario in India it cannot be regularized either as a currency or as a Commodity fit to be traded in a legal exchange regulated by SEBI. Bitcoin recognition in any form, or even continuing the current status of “Observation”, will promote Black Money and Money Laundering, and the act of supporting it is itself a betrayal of the country’s interests.

Not initiating action to stop the current use of Bitcoins as a perceived “Currency” and ignoring the fact that there are exchanges which are buying and selling Bitcoins in India against Cash is a dereliction of duty on the part of regulators and the situation has to be corrected before the matter becomes a scandal in the media and attracts rebuke from the honourable Supreme Court of India.

On perusing the comments posted on the MyGov site, it was found that a comment had been posted by Multi Commodities Exchange of India Limited operating under the regulations of SEBI.

The objects clause of the Memorandum of Association of MCX India Limited states as follows

“To establish, operate, regulate, maintain and manage facilities in Mumbai and elsewhere in India and abroad enabling the members of the Exchange, their authorized agents and constituents and other participants to transact, clear and settle trades done on the Exchange in different types of contracts in commodities and other instruments and derivatives thereof, in futures markets and to provide accessibility to the markets to various members of the Exchange and their authorized agents and constituents and other participants within and/ or outside India, and to provide, initiate, facilitate and undertake all support services relating thereto as per the Articles of Association, ByeLaws, Rules and Regulations of the Exchange.”

The exchange carries the permissions from RBI and SEBI making it part of the regulatory system at present and its expression of support for legalization of Bitcoins means that the Committee of the Finance Ministry has insider interests in legalizing Bitcoins.

From a prima facie indication, the Committee and the collection of opinion from the public etc. could be a farce and part of a conspiracy in which a decision has already been taken to legalize Bitcoin.

The copy of the PDF document enclosed in the opinion is neither typed on the letterhead of the exchange nor signed.

It says as follows:

QUOTE:

Multi Commodity Exchange of India Ltd

Comments/Suggestions for the Existing Virtual Currencies Framework

We propose that Bitcoin be accepted as legal financial instrument in India and the regulations be governed under a separate ‘Virtual Currency Act’. The adoption of virtual currency should be encouraged in India since Blockchain technologies are now considered to be the future of electronic financial transactions. A very strong impetus to legalize virtual currency is its potential to drastically reduce corruption, shrink transaction costs and eliminate third party involvement.

To ensure consumer protection, companies who wish to deal with Bitcoin must be subjected to stringent regulation to ensure that the virtual currencies are not being used for criminal purposes. Currently in Japan, a company wishing to use Bitcoins is required to have at least $100,000 in reserve currency, report their activities to the government regularly and undergo routine audits by the National Tax Agency. Meanwhile in Philippines, Bitcoin is largely used for remittances and payments with transaction volumes reaching up to US$6 million per month for certain major players and therefore Bitcoin companies are treated as remittance companies. That means that all requirements for remittance companies such as registration, minimum capital, internal controls, regulatory reports, and compliance with know-your-customer (KYC) and anti-money laundering (AML) policies applies to Bitcoin startups in Philippines.

Although counterfeiting of Bitcoin is not supposedly possible, extra caution should be improvised and special cyber law be drafted under Ministry of Information and Technology to protect against security breaches on the Bitcoin network. The following are some notable breaches in the past:

1. In 2013, about 850,000 Bitcoin valued at over $400 million were stolen by hackers in a service attack against the most popular Bitcoin exchange Mt. Gox, following which they declared bankruptcy.

2. In April 3, 2013, Instawallet, a web-based wallet provider, was hacked, resulting in the theft of over 35,000 Bitcoins.

To promote orderly development of VCs we propose the following measures:

1. Allowing Bitcoin exchanges to operate in India. These companies perform KYC checks and can follow anti-money laundering provisions and suspicious transaction reporting.

2. Encourage Financial Institutions, government bodies and Tech companies to use blockchain technologies.

3. Allow e-commerce companies to accept Bitcoin as a mode of payment

Finally institution(s) like the Indian Revenue Service, Ministry of Information and Technology and Reserve Bank of India should be allowed to monitor/regulate the VCs.

May 31, 2017

UNQUOTE:

The recommendation is clear and advocates that “Bitcoin be accepted as legal financial instrument in India” leaving no doubt to the intentions of making the instrument called Bitcoins be available for all those who want to park their wealth anonymously so that Black Money can proliferate and Criminals can continue to demand ransom in the form of Bitcoins.

At this point of time, I am not aware if this is an official communication from MCX or the logo of MCX has been used by some mole in the organization.

This needs to be clarified by the organization and its Directors in particular.

The following are the directors of MCX:

I request these august members of the Board to

a) Confirm if they are aware of the official position that MCX has taken and published even before the Committee has met to consider the public opinion

b) Give a disclaimer that as of this date they have never held, traded or benefitted from Bitcoin trading in the past

c) Confirm whether they individually endorse the opinion that Bitcoin should be legalized in India ignoring the fact that it is the preferred currency of Cyber Criminals and Cyber Financial Terrorists and could be the currency of the future for funding terrorist operations in India?

I request the Finance Minister Mr Arun Jaitley to order an enquiry on how the subordinate regulator working under RBI and SEBI has already taken a stand on legalization of Bitcoins, so that the entire exercise of collecting public opinion is rendered a farce.

I request the Prime Minister to take note that the attempt to legalize the Bitcoins is a betrayal of the Fight on Corruption and Black money initiated by him and there is a conspiracy that may be under hatching behind his back.

I will treat this as a public notice to all these directors and wish that they provide their views on this development immediately.

Probably Mr Subramanian Swamy and Arnab Goswami should follow up and ensure that if there is any conspiracy by MCX of India to influence the decision of the Committee, the illegality of it is brought out into the open.

I will also try to find out the e-mail contacts of these Directors and send them individual notices though it may not be strictly necessary.

P.S: If the posting of the opinion on the MyGov forum was not authorized by the Board, I expect the Board to initiate an enquiry and punish the person responsible. If an honest disclosure is made by these distinguished persons, I express my regrets that I had to bring this incident to the open.

Naavi
