Cyber Insurance Website launched

In pursuance of Naavi’s efforts to promote the concept of Cyber Insurance in India, Naavi has launched a dedicated website, cyberinsurance.org.in, to discuss all issues of Cyber Insurance in India.

Naavi considers Cyber Insurance an important developing field because in the era of increasing Cyber threats accompanied by an increasing usage of Internet in a Digital India, the Netizen community needs to be protected against the risks.

Naavi also considers that Cyber Insurance is an extension of the Techno Legal Information Security activities since “Risk Transfer” is one of the four ways Risks can be managed in business, the others being Risk avoidance, Risk absorption and Risk Mitigation.

For the last several years, Naavi has been discussing the issue of Cyber Insurance with several industry players but found very little interest in the subject in the marketplace.

The reasons are many. Some may consider that like many of Naavi’s obsessions, this is ahead of its time and the business is yet to mature. Some may have no confidence that this is a viable business. Some may think it is somebody else’s responsibility.

The recent India Cyber Insurance Survey 2015 and the interactions Naavi has had with professionals in the Insurance industry do suggest that there is still a lot of ground to be covered in this field by both the Insurance industry as well as the Information Security industry.

But Naavi considers that this ground has to be covered if our dream of Digital India is not to end up as a disaster.

Naavi has urged PM Mr Narendra Modi that just as he launched the life and accident insurance schemes for the masses as a part of his national agenda, he needs to push Cyber Insurance as part of Digital India agenda.

We hope that in due course this would be accepted as a policy in the Government.

In the meantime, we shall continue our efforts to popularize the concept of Cyber Insurance and also provide whatever assistance that is required by the industry to enhance the use of Cyber Insurance.

For some time there may be dual posting of articles between naavi.org and cyberinsurance.org.in.

However, I expect that Cyberinsurance.org.in should attract contributions from other professionals and develop into a community website.

I welcome contributions.

Naavi

Posted in Cyber Law | Leave a comment

Techno Legal Business brings a turf war in Cyber Forensics area.. Where are IS professionals?

Technology has disrupted many traditional business practices. For example, Banking before and after technology has never been the same. In the same way, ever since Cyber Laws became a prominent practice area, lawyers have found that their traditional practice domain has been disrupted.

Today, it is almost impossible to run an efficient litigation without using Cyber evidence and Cyber law. If any firm is unable to make proper use of evidence most of which is in electronic form and also be able to run a good cross examination of witnesses trying to prove or disprove electronic evidences presented, they would find it difficult to be effective as a litigation lawyer. Hence good legal firms have found it necessary to use the services of experts where required and also develop in house expertise in Cyber Forensics.

When it comes to using the services of high end experts, the firms have a difficulty in forging a long term association because those professionals may not be qualified advocates and hence cannot be partners in business.

At the same time, the Chartered Accountants who are already in the domain of whatever is called “Auditing” have also been fighting to get into the space of “Forensics” since their internal audit work in any Corporate environment lands them in fraud investigation in electronic environment and associated Cyber Forensics.

They also have difficulty in forging long term association with Techno Legal experts who can assist them in the auditing work when it comes to “Compliance Audit” or “Fraud Audit”.

Actually, “Cyber Forensics” is an area which is highly technical and should have been a natural domain of a software or hardware specialist. Professionals in this tech field should normally be found in organizations such as Computer Society of India but they seem to be absent in the race for business in Cyber Forensics. There is also a professional group belonging to the “Information Security Domain”, which includes those who are certified with diplomas such as “Certified Ethical Hacker”, “CISSP”, “Network Forensics” etc., who also claim to be experts in Cyber Forensics and have a say in this domain. But this set of professionals do not have a strong organization and hence most of the Information Security audit work is done by Chartered Accountants with CISA qualification rather than core information security expertise.

This Economic Times Report highlights the emerging turf war between law firms and the Big Four accounting firms. It is stated that law firms are poaching forensic experts from Big Four firms and even launching legal action charging the Big Four firms with running unauthorized legal practice. (See this report)

Essentially, Law Firms are trying to take protection from the “Advocates Act” which tries to reserve legal practice to registered members of the Bar Council. This tendency for “Reservation” is also present in the Chartered Accountants, who also prevent non-CAs from joining firms run by CAs in providing corporate advice. The Company Secretaries and Computer Society professionals are not so well organized to fight for their own turf in the corporate scenario.

Now that the Delhi Bar Council has taken the issue to the Court, there is going to be a big fight for “Reservation” of business between the Advocates and Chartered Accountants.

Given that the Judicial Community has emerged only from the advocate community, the judicial fight may be skewed towards the advocate community and there is a huge conflict of interest between the Judiciary and this dispute.

The undersigned has always opposed every kind of reservation in life and is not comfortable with the professional agencies using their clout to reserve parts of the business to themselves. (Naavi himself has faced issues in forging partnership with law firms and CA firms though both use his services for improving the quality of their services.)

However, the Cyber Forensic business is a new business area which involves Technology, Law and Auditing expertise. We can even say that Forensic involves analysis of “Behaviour” of the technology user which is a “Behavioural Science” skill. Naavi has been a pioneer in projecting Information Security as a three dimensional expertise of Technology, Law and Behavioural Science. However, these domains of expertise developed in recent years and there were no formal degrees and diplomas in these fields until recently. As a result, the law graduates who claim their right to litigate Cyber Crime cases have no relevant qualification in Cyber Laws, nor are the Chartered Accountants who qualified in the past and claim their right to auditing today exposed to technology issues as they should be. Hence the claims of reservation of business based on qualifications appear to be unreasonable.

It appears that a day has come where the “Disruptive” aspect of technology has come into the area of “Reserved Professional Practice” and it is time that the restrictions placed on legal firms partnering non legal practitioners as well as Chartered Accountant firms partnering non-CAs should be summarily removed. We must recognize that the technology areas require collaboration of people with different skills and, in the interest of clients who require efficient services, a legal firm needs technology, accounting and behavioural science experts in its fold, and the Big Four or other CA firms also need Cyber Law experts and experts in international law, taxation law etc. in their fold.

Instead of the top legal firms fighting with top accounting firms in Courts, they need to forge an alliance and ensure that the mutual exclusions which they have used in the past, which I call “Reservation Mentality”, are dropped and “Merit” prevails in the profession.

We however would advise that both the legal firms and Big Four should not compromise to keep the Information Security professionals outside the area of Information Security Audit and Forensics. In fact these professions should study the case which Delhi Bar Council has brought and implead themselves to put up their arguments if required so that they are not pushed out by the law firms and Big Four from the field of Cyber Forensics.

Probably the case brought up by the Delhi Bar Council has more to do with corporate advisory services in the area of Mergers and Acquisitions and less with Cyber Forensics. However, the principle of “Exclusivity in Professional Practice” is a potential “Frankenstein” and should be curbed before it gains any judicial validity through this case. If IS professionals are negligent, then lawyers and chartered accountants may declare that Cyber forensics is their exclusive business domain and make IS professionals subordinate to either of the professions!

Naavi


Data Theft by a Senior Bank Employee in Mumbai… Is it vendetta?

It is reported that Mumbai police are pursuing a data theft complaint against a senior Bank employee in Mumbai. According to this TOI report, the senior employee (a lady), with 20 years of working in the Bank in the past, resigned and is due to join another Bank.

The allegation is that some time after resignation, she has taken away some confidential information belonging to the Bank on her pen drive. The complaint has been made by the Bank manager.

The report

There are many inconsistencies in the report and there is every indication that it could be a motivated report. More clarification is required before it is given credence.

According to the Bank manager, “She got access, after quitting the job, on the pretext of taking down data stored in her computer system in her office”. Bank officials complained that she took the data without the knowledge of anyone present on the premises.

The complaint was lodged on September 9, 2015, whereas the person left the Bank on April 21. It is not clear when she got the access and how the manager came to know the “pretext” when nobody was present on the premises.

According to the TOI report, a spokesperson of the Bank is supposed to have stated “The data was related to Reserve Bank of India rules and banking policies, which the suspect can misuse”.

If the data related to RBI guidelines, it is not clear what confidentiality is involved.

If the Bank is concerned, it could as well be a case of some information which the Bank is afraid would harm its reputation. If it was simply rules and policies, there is no reason for the Bank to file a complaint except as a vendetta against a parting executive.

It would be interesting to observe how the case develops.

If the Police conduct a proper investigation, there is every possibility that the complainant himself may turn out to have indulged in some offence.

There is however a need for the defense to handle this technical case with some intelligence as otherwise the weight of the complainant’s organization may have a bearing on the way the case proceeds from now on.

Naavi

Maharashtra Government finds a unique PPP model!

During our childhood, we have heard of stories of a Fox and Bear who agree for collaborative cultivation. For the first crop they agree that whatever grows above the soil belongs to Fox and whatever grows underneath the soil belongs to the Bear. Fox suggests that they grow tomatoes. Bear works hard and when the cultivation is ready, Fox walks off with all tomatoes and the Bear is unhappy. Fox convinces the bear for the next crop and agrees that what grows above the soil will now belong to the Bear and what grows underneath the soil belongs to the Fox. Bear agrees. Fox suggests that they grow ..potatoes…. so the story goes…

It appears that Maharashtra Government has now implemented a PPP model of a similar nature where the Government and Mumbai Police in particular will promote a PPP project in which all the revenue goes to a private party while the Government and the Police are only used to promote the project for the benefit of the private partner.

I refer to a project called coin.org.in which is projected as a platform for global law enforcement people with information, training and support for investigation of cyber crimes. However, it also invites the public to become members of the project at a membership cost up to Rs 24000/- per year.

The website however does not provide any information on the revenue sharing between the Government and the Private partner.

Some time back, we had exposed the case of e2labs which had used the Union Home Ministry, CERT IN etc. to promote its business and tried to convince investors to invest in its company. On verification with CERT IN it was found that the claims made by e2labs in the investment promotion presentation prepared by a well known investment banker were false. The information was later withdrawn.

Presently the coin.org.in project appears to be heading in the same direction.

For the record, we appreciate the nature of the venture. We have no issue with the project being a commercial project. However, using the Government and Mumbai Police to project as if this is a Government project but retaining the entire commercial revenue with itself is not considered ethical. The disclosures on the website as of now do not provide a truthful representation of the status of the project and there is every attempt to mislead and misrepresent the public to give an impression that this is a joint venture with Mumbai Police. The previous Mumbai Commissioner Mr Rakesh Maria’s speech made at the time of launching of the website has been used for promotion along with the name of the Chief Minister Mr Fadnavis who inaugurated the event in which the website was launched.

We hereby call upon the Maharashtra Government and the Mumbai Police to clarify:

a) If they have an equity stake in the project and a claim on the revenue, and if so, what is the share distribution?

b) If not, will they clarify if they are happy with the use of the Government for promotion with the revenue being entirely kept by the private partner? Or

c) Was the project envisaged as a non-profit venture and the private promoter has introduced a commercial element without the knowledge of the Government?

We also call upon the Private partner to clarify the nature of arrangement between them and the Government and whether they have the permission to put Rakesh Maria’s speech on the website copyright of which is claimed by them.

We request both the Government and the Private partner to review their arrangement and make the service as a free service (which may be restricted to the law enforcement personnel if required) and remove the commercial aspects of the project.

If there has to be a commercial project in which the Government wants to pass on benefits to a private party, there will be needless questions on what was the procedure adopted in selection of the private partner, whether any public notice was given of such a project, whether any other entities competed for the project etc. All these will raise the issue of “Transparency” in Government administration and I request the BJP Government in Maharashtra not to make yet another mistake that may show Mr Narendra Modi in bad light.

Naavi


India Cyber Insurance Survey 2015 is set to close shortly. Add your views


The India Cyber Insurance Survey 2015, which tries to capture the views of the stakeholders on the current status of the Cyber Insurance industry in India, is set to close shortly.

If you have not yet participated in the survey, kindly do so now. Your views would be valuable. To participate in the survey you need not be knowledgeable in Cyber Insurance nor an expert in Information Technology. If you do not find a question relevant to you, mark it as “neutral” and proceed.

Click on the above image or here for the form

Naavi

A Techie Commits Harakiri… Why was he so naive?

M G Gokul, a techie in Bangalore, has been arrested for sending hoax messages through WhatsApp to Bangalore and New Delhi airports suggesting that bombs had been placed on 6 flights, causing an estimated loss of $1 million (Rs 650 lakhs).

Bangalore police should be congratulated for having solved the hoax message case within 48 hours and arresting Gokul. What was commendable was that the SIM card which was used for committing the offence was in the name of another person Mr Jose who was innocent and was a neighbor of Mr Gokul. Police did not get diverted by this prima facie evidence which pointed out the innocent person as the offender and went deeper into the use of the SIM card with which they zeroed in on Gokul. The investigating Officer should be commended for the presence of mind and also for having persevered with the investigation until the real culprit was caught.

This was the second time that a Bangalore techie had sent messages to the Delhi airport about a bomb threat. Last incident was that of an Infosys employee who wanted to catch the flight for which he could not reach in time and thought of delaying it by sending such a message. He was also caught immediately.

As somebody involved in Counter Cyber Crime activities for a long time, I wonder why the so called “Techies” should not realize that such messages would be traced easily and they would be caught and punished.

There could be two reasons. One is “Ignorance” that there are laws in India that make sending of such messages punishable under ITA 2000 as well as under IPC or under Air Safety related laws. Secondly, it is “Technology Intoxication” which makes them blind to the fact that Police may also be sufficiently intelligent to solve such cases.

These incidents also point out negligence of the HR functionaries in these companies who have not taken steps to educate their employees on the ethical aspects of usage of technology. Hopefully these incidents would make at least some of the HR managers sit up and take action to build a basic ethical behavioural culture in their employees.

Refer article in Bangalore Mirror

If one goes through the article in Bangalore Mirror, one wonders if Gokul is another incarnation of Indrani Mukerjea who had reportedly schemed murder of her daughter and son and executed the murder of the daughter Sheena Bora in Mumbai.

Gokul not only schemed (as per the report) and murdered his wife but also laid an elaborate plan to win over his neighbor’s wife, first by forging letters in the name of an Archbishop and then trying to frame the husband of the lady whom he loved. He is also reported to have tried to get Mr Jose framed by creating a Facebook page and putting ISIS promotion information therein.

It is interesting to note that both Indrani and Gokul had committed the offence of sending forged electronic messages and committing Cyber Crimes under ITA 2008. Though their other offences are graver and can lead to hanging or life imprisonment, the use of Cyber Crimes by ordinary IPC criminals as a common modus operandi seems to be clear. This highlights the need for Police to improve their skills and investigative resources for solving Cyber Crimes because it can lead to solving of many other non ITA 2008 crimes also.

The case of Gokul makes an excellent case study for criminologists on how an educated and well informed techie can misuse his knowledge and skill if he has no ethics but is unable to see the possibility of being caught by the Cyber Crime investigators.

Naavi
