Bug Bounty Program from Government is required

It was heartening to note that during the recent Cyber Security Summit in Delhi (Ground Zero), Mr Rajnath Singh, the Home Minister, stressed the need for “Cyber Security” for the success of other Government initiatives such as Digital India.

Naavi.org has not only been highlighting this issue for a long time but has also been urging specific action plans from the Government in this regard, including “Cyber Insurance For All” as a Government initiative. Naavi also initiated a private sector Special Interest Group on “Secure Digital India” in the hope that other security professionals would join hands in providing voluntary inputs on information security to the Government. As a further follow up, Naavi also initiated the “Cyber Law Compliance Center”. Naavi had also stressed the need for a revision of ITA 2008 with a vision on futuristic issues such as the Internet of Things (IoT) and Big Data, in a document titled “Cyber Law Vision-2018”. After noting that the Government of India has set up an expert committee to review ITA 2000/8, Naavi has now also invited experts from the private sector to contribute ideas on what needs to be done, through the “Special Interest Group on Amendment to ITA 2000/8”.

In all these efforts, it is possible that Naavi’s efforts will not gather as much support as they deserve from the community. The reason is not that others are less concerned about the welfare of the Digital India project than Naavi is, but that they all feel it is futile to do anything voluntarily for the Government or the country, since it would not be appreciated.

Probably they are right, but like an eternal optimist Naavi will continue to voice his views through Naavi.org and expect that, just as many of his ideas have taken years to find support, these too will gain acceptance over a period of time, if not in this tenure of Modi then in his next.

However, looking at the reasons for the lack of trust between information security professionals and the Government, the article “It’s No Secret That the Government Uses Zero Days for Offence” published on eff.org gives a hint.

Though this article reflects developments in the USA, it has universal application. It highlights the fact that the Government of the USA has been using many “Zero Day Vulnerabilities” for its own surveillance, rather than securing the digital space by getting such vulnerabilities fixed for the benefit of society.

A citizen would think that if he finds a vulnerability, he has a duty to inform the Government so that society is kept safe. Many information security specialists feel the same. Some of them do their best to contact the source of the vulnerable software so that the vulnerabilities are corrected. But companies driven by their business interests and immediate profit goals often do not make the necessary corrections and let the vulnerabilities remain. Some companies may reward the reporter under a Bug Bounty program, but most do not have such programs in operation.

When a company fails to remove a vulnerability, the security professional who pointed it out has two options. One is to inform the regulatory authorities in the hope that they will initiate action against the company which released the vulnerable software and endangered its users. The other is to teach the laggard company a lesson by actually exploiting the vulnerability and making it more visible to the public.

If he chooses the second option, he will be called a “hacker” and probably be punished by law. If he chooses the first option and the Government itself tries to exploit the vulnerability instead of getting it corrected, he will soon develop a distrust of the Government and may eventually become a rebel and a hacktivist.

I invite sociologists to study the mindset of “Information Security Professionals who turn into Hackers” and identify the reasons for such a transformation, which is detrimental to society.

At the same time, the minority of Information Security Professionals who resist the temptation of hacking and remain “Compliance Consultants” need to be identified, encouraged and recognized.

In the light of these thoughts, I would like to draw the attention of the Government to the following action elements.

If the Modi Government wants to continue its economic policy thrust based on digital development, despite the setback in Bihar, and avoid the fate of Mr Chandra Babu Naidu in Andhra, it needs to align its digital policies with social goals.

In working towards this goal, it is essential to ensure that the community understands and supports whatever we are doing sincerely for the good of the country. Just as political opponents can make capital out of anything, including a well designed suit, and the fact that there are a majority of people who are happy to continue living in a half torn Dhoti and say “Jai Lalu”, there are information security professionals who may turn into “Hackers” (or Hacktivists) if they are not with you.

If the Government is to succeed in its “Digital India” mission, it is therefore essential for it to cultivate these IS professionals and bring them on to its side.

As somebody watching developments in the Government and also closely watching the information security industry, I can categorically say that India possesses a huge talent pool of information security skills which is today not being tapped by the Government.

Many of these professionals are productively engaged in the private sector and some are successful entrepreneurs in the field of security. But the best in the field may be staying aloof from Government projects since they are not in the privileged “List of Accredited Experts” who get appointed as “Brand Ambassadors” and “Members of Expert Committees”.

The Government therefore needs a policy to bring such experts into the mainstream and give them the psychological satisfaction of having contributed to the growth of the country.

So far the policy of the Government has only been to introduce some courses in colleges and sponsor some workshops conducted by NASSCOM or DSCI. But most specialist information security professionals are outside the gamut of Government-sponsored organizations and are not easily reached. They did not qualify from engineering colleges and do not hold the degrees and certificates by which the Government tends to measure their utility.

The participation of Mr Rajnath Singh in events such as Ground Zero was therefore a welcome development, and such interactions need to increase in future. One of the positive outcomes of this meeting is a policy initiative to start the Indian Cyber Crime Coordination Center (I-4C) and to form a National Cyber Registry.

Bug Bounty By Government

Perhaps, in the light of the US Government’s use of zero day vulnerabilities for its own purposes, a comprehensive “Vulnerability Disclosure” policy that provides for a bug bounty from the Government side would be desirable, so that zero day vulnerabilities can be reported without the reporter having to distrust the Government.

Some would scoff at this idea of a “Bug Bounty by Government” and feel that the Government should not take over private sector responsibilities. But I would like to state that the Government is a stakeholder in any vulnerable IT program in the public space, since such a program leads to a “Law and Order Issue in Cyber Space”.

If an Ola program or a Flipkart program or a Paytm program is vulnerable, and a million customers find their credit card data compromised and a few thousand of them are actually defrauded, then there will be a huge issue of credibility for our online banking system. Hackers and enemy states may attack our banking system through these vulnerable private sector apps. Hence the Government has a duty to watch this space and take curative action while the vulnerabilities are still at the zero day stage. This is like the public safety body objecting when a private multi-storeyed building is being constructed without safety features.

If there is a good Bug Bounty program by the Government, then the citizen who finds a vulnerability will have a reason to report it and will also create a record of the report. He can be rewarded immediately and later with a suitable recognition (Padma Bhushan?.. non returnable!) that goes beyond educational qualifications.

Having taken the vulnerability on record under the Bug Bounty program, the Government would not be able to misuse it. On receipt of such a notice of vulnerability, the Government can send a suitable notice to the developer, get the feedback and impose a fine to recover the cost of the Bug Bounty program. The program would therefore be self financing.

Hopefully, developers will insure themselves against such unexpected losses through a Cyber Insurance plan that covers the risk of being fined for vulnerabilities. (A new policy opportunity for cyber insurers!)

The actual reward to be paid and the fine to be imposed may vary based on a threat impact assessment of the vulnerability. It can be a token of Rs 1000/- or a maximum of, say, Rs 5 lakhs depending on the assessment, for which transparent guidelines can be developed.

Remember that if the vulnerability gets exploited, the liability of the organization releasing or using the software can be higher under ITA 2008. Hence the combination of a Government Bug Bounty program and a fine to cover its cost could be an acceptable suggestion which even the software/App development and user companies may welcome.

If the program requires an amendment to ITA 2008, it can be addressed by the new “Expert” committee being set up for the purpose of amendment. (If such “Experts” have a vision beyond the limited objective of restoring Sec 66A in a form acceptable to the Supreme Court.)

In fact the software/App buyer can ask the developer to indemnify against any such vulnerabilities reported in the first month after release, and take over the liability himself thereafter. This will improve the quality and testing of software before it is delivered for public use.

The program if introduced will therefore help the goal of Secure Digital India in multiple dimensions and I request the Government to consider it in right earnest.

Nice words were spoken by the Minister in his inaugural speech at Ground Zero, and if they find support in implementation, that is an encouraging sign. There is still a long way to go in making this “encouraging sign” a real “game changer”.

Let’s keep watching the developments and hope for action from the Government.

Naavi invites the views of readers on this need for a “Bug Bounty Program by Indian Government” and on how to motivate all information security professionals to contribute towards a Secure Digital India.

Naavi

More on the Summit

Posted in Cyber Law | 1 Comment

“Do Not Disturb” not for websites?

In a significant ruling, the US Federal Communications Commission (FCC) has dismissed a petition by Consumer Watchdog that sought to force websites to honor “Do Not Track” requests from individuals.

The petition had requested that the Commission “initiate a rule making proceeding requiring ‘edge providers’ (like Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn) to honor ‘Do Not Track’ Requests from consumers.”

The FCC, however, held that the privacy rules it applies to telecommunications carriers do not extend to edge providers such as these, and dismissed the petition.

Copy of Order

Some observers in the Privacy and Consumer Interest groups express concern that this leaves online services free to require consumers to consent to tracking in exchange for access to web services, and to share users’ personal information with third parties even when consumers send “Do Not Track” requests. It may also mean that websites will ignore the web browser settings that send “Opt out” requests.

A counter view is that the FCC order only applies to “Transmission Services” and not to “Content Services”. If this view is valid, then content owners need to continue obtaining consent from website visitors as they do at present.

We concur with the counter view, since use of a web service is a contract and the visitor should be given the option either to share or not to share data which he considers not essential for the service.

If, however, the website wants to make it a “dotted line contract” (a take-it-or-leave-it standard form), it needs to highlight and draw the user’s specific attention to the information sharing clauses before he proceeds to use the services.

This may not, however, be practical to implement for all users, and hence any prudent website owner would continue the existing practice of honouring automatic opt-out requests for any such information collection that the website wants to do, and wait for an opt-in before collecting analytics that involve identifiable personal information.
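As an added example of what “honouring automatic opt-out requests” looks like on the server (this is illustration written for this post, not code from the original article or from any website): the browser’s Do Not Track preference arrives as the `DNT` request header, and the code below records identifiable analytics only when that header permits it or the site already holds an explicit opt-in. The `opted_in` flag, the `vid` cookie name and the sample request headers are assumptions constructed for the demonstration.

```python
"""Added example, not part of the original post or any site's code:
server-side handling of the browser's Do Not Track (DNT) header.
DNT:1 is honoured as an automatic opt-out; identifiable analytics are
kept only with consent. `opted_in` and the `vid` cookie are assumed."""
import ipaddress
from http.cookies import SimpleCookie


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def dnt_preference(headers):
    """Map the DNT header to 'optout', 'consent' or None.
    W3C Tracking Preference Expression: 'DNT: 1' = do not track,
    'DNT: 0' = the user grants permission, absent = no preference."""
    value = _header(headers, "DNT")
    if value == "1":
        return "optout"
    if value == "0":
        return "consent"
    return None


def may_collect_identifiable(headers, opted_in):
    """DNT:1 always wins; DNT:0 is consent; otherwise an explicit opt-in
    recorded by the site (assumed, looked up by the caller) is required."""
    pref = dnt_preference(headers)
    if pref == "optout":
        return False
    if pref == "consent":
        return True
    return bool(opted_in)


def coarse_network(client_ip):
    """Truncate an address to a /24 (IPv4) or /48 (IPv6) so aggregate
    counts remain possible without keeping an identifiable address."""
    ip = ipaddress.ip_address(client_ip)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def build_analytics_event(headers, client_ip, path, opted_in=False):
    """Return the event the site may record for this request: the full
    identifiable record only when allowed, otherwise an aggregate-only
    record with the IP truncated and no user agent or visitor cookie."""
    allowed = may_collect_identifiable(headers, opted_in)
    event = {"path": path, "identifiable": allowed}
    if allowed:
        cookies = SimpleCookie(_header(headers, "Cookie") or "")
        event["ip"] = client_ip
        event["user_agent"] = _header(headers, "User-Agent")
        event["visitor_id"] = cookies["vid"].value if "vid" in cookies else None
    else:
        event["network"] = coarse_network(client_ip)
    return event


# Constructed sample requests for the demo (not captured traffic).
OPT_OUT_REQUEST = {"DNT": "1", "User-Agent": "Mozilla/5.0", "Cookie": "vid=abc123"}
NO_PREF_REQUEST = {"User-Agent": "Mozilla/5.0", "Cookie": "vid=abc123"}

if __name__ == "__main__":
    print(build_analytics_event(OPT_OUT_REQUEST, "203.0.113.77", "/pricing", opted_in=True))
    print(build_analytics_event(NO_PREF_REQUEST, "203.0.113.77", "/pricing"))
    print(build_analytics_event(NO_PREF_REQUEST, "203.0.113.77", "/pricing", opted_in=True))
```

Note that a DNT:1 header overrides a stored opt-in: the visitor’s current browser setting is the later expression of preference, which is the behaviour the paragraph above recommends.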

Naavi

Posted in Cyber Law | Leave a comment

Special Interest Group on ITA 2000/8 Amendment

Naavi has been pointing out that, with the increasing use of IT in E Governance and E Commerce and the embracing of the Digital India policy, which includes the Internet of Things and Big Data, there is a need for a revision of the Information Technology Act 2000.

A “Cyber Law Vision-2018” was suggested by Naavi which included some thoughts on the direction that the Indian Cyber Law of the future should pursue. The vision document was released before the Supreme Court verdict on Section 66A but anticipated the possibility of the Supreme Court holding the section unconstitutional.

Naavi has also repeatedly drawn the attention of the Modi Government to the unsavoury experience of Mr Chandrababu Naidu, who lost an election despite his glorious achievements in the IT sector, and warned the Government of the possibility of something similar happening to Modi (Refer: An Open Letter to Mr Modi). Now, unfortunately, this prediction has come true in the form of the debacle in the Bihar election.

The scrapping of Section 66A by the Supreme Court had already forced the hands of the Government to start revisiting ITA 2008, and the Bihar debacle has added urgency.

In order to ensure that the Government gets the right inputs for amending ITA 2008 in a way which not only satisfies the Supreme Court but also provides a base for a Secure Digital India without a political backlash, Naavi invites interested specialists in Cyber Law to come together in a Virtual Special Interest Group that can recommend a comprehensive revision of ITA 2008.

It may be remembered that when an “Expert Committee” was formed by the then Government in 2005 to amend ITA 2000, it had no representation of Netizens and it came up with highly controversial amendments. Though some of the mistakes were corrected by the Parliamentary Committee before the amendments were passed in 2008 (what we now recognize as ITA 2008), many of the weaknesses remain.

Over the years we have pointed out how Government officials themselves flout ITA 2000/8 out of sheer ignorance. In particular, we have pointed out the Karnataka IT Secretary who ruled that “Person” in Section 43 means only an individual and not a company. The Karnataka Legislature passed an amendment to the Indian Registration Act 1908 which is ultra vires ITA 2000/8. Even the Central Government, in its notifications for the Digital Locker project, violated ITA 2000/8.

In view of the above, we the citizens of India, who are being forced to become Netizens as well because of the rapid digitization of the country, but who firmly believe that ICT has the potential to transform India for the better if the policies are implemented properly, need to participate in this transformation of the Cyber Laws.

We presume that the Government may not invite the public to contribute their ideas until it is too late to make any positive contribution, and hence we need to move now, before the Government pushes ahead with its own efforts in this matter.

The objective is to ensure that the amendments, when made, are “Citizen Centric”, so that even the voters of Bihar and Uttar Pradesh can appreciate the benefits and do not derail the Digital India vision.

We shall call this the “VSIG on Cyber Laws for Digital India” and collate recommendations from the private sector for amending ITA 2008 in such a manner that it becomes an instrument of development which faces opposition neither from politicians nor from the general public, who only feel the effect of IT but do not understand its intricacies or limitations.

Looking forward to participation from the Cyber Law stalwarts of India.

Naavi

Posted in Cyber Law | Leave a comment

Dear Start ups, Please take care of security… to avoid premature death.

An interesting account by a security professional published on techinasia.com (Read the Article here) highlights how Indian start ups are neglecting information security and exposing themselves to “Data Breach” and “Cyber Law Non Compliance” risks.

The article indicates that in a recent study, 17 start ups in India, including Ola, Zomato, HomeShop18, BookMyShow and others, were found to have security vulnerabilities that could leak the Personal and Sensitive Personal Data of their customers. According to the author, more than 70% of the start ups have severe bugs compromising security and creating a potential financial risk to the company.

We refer to our earlier article “The Start-ups and Techno Legal Risks” in which we highlighted the need for a “Techno Legal Feasibility Analysis” to be undertaken by start ups to identify and mitigate certain risks that arise out of non compliance with ITA 2008.

The article in TechInAsia also highlights Section 43A of ITA 2008 and warns entrepreneurs of the possibility of financial losses arising out of a data breach. It also suggests that there is a need for good “Bug Bounty” programs to ensure that these start ups get voluntary help from security professionals.

We also highlight that it is not only the breach of Sensitive Personal Information that creates liabilities but also the breach of personal information. Additionally, ITA 2008 can create liabilities on account of many other non compliance issues, and any company which does not conduct an “ITA 2008 Compliance” audit of its processes (including mobile Apps) runs the risk not only of a hacker’s attack but also of liabilities that can cripple or kill the company.

There are many provisions of ITA 2008 under which an innocent CEO or CTO of a start up can land in jail for non compliance.

The undersigned invites such companies to use the services of Naavi’s Cyber Law Center so that they reduce the risk of a premature death.

Naavi

Posted in Cyber Law | Leave a comment

Moody’s confirms that Modi Opponents are “Anti national”

[Once again, I apologize for a non Cyber Law Post prompted by the unprofessional views expressed by Moody’s which needs countering. Ignore if you want….Naavi]

Press reports suggest that the international credit rating agency Moody’s has warned that Narendra Modi needs to rein in members of the Hindu fringe elements or risk losing credibility.

Read Economic Times Article here

Moody’s is a credit rating agency and has the expertise to comment on the financial aspects of a country. It is customary to consider that the economy of a country is affected by several factors, one of which is the political environment. Hence “Country Risk” and “Political Risk” are often used as elements of analysis in a credit rating exercise.

However, a prudent credit rating agency assigns appropriate weightages to the different aspects that affect the economy, and obviously facts such as that it is natural in a democratic country for the opposition to keep rattling have to be taken into consideration before the impact of such opposition antics is factored into its rating.

According to the ET report, Moody’s is reported to have “advised” PM Narendra Modi that

“Modi must keep his members in check or risk losing domestic and global credibility.”

The report goes on to comment on the ongoing Bihar elections and says

“The BJP is not the incumbent (in Bihar), so a win here would help secure an upper house majority… Overall, it is unclear whether India can deliver the promised reforms and hit its growth potential. Undoubtedly, numerous political outcomes will dictate the extent of success,” 

There is no doubt that the report is a scathing attack on the Modi Government, and it predicts that the GDP growth rate would be around 7.4% to 7.6% for the full fiscal year 2015-2016 as against a potential of around 9.3%.

In a way the report has put a value on the disruptive impact of the opposition at around 2% of GDP.

However, instead of restricting itself to providing its views, the report becomes a political commentary set to help the opposition in the Bihar elections. Now, politicians like Lalu Prasad Yadav, who may not know the difference between Modi and Moody, will start quoting the agency in their election speeches.

It must however be emphasized that, in our view,

“While a credit rating agency has the right to make its observations, it is unacceptable to word its observations in the form of an “Advice” to the country’s Chief Executive.”

Lifting the Corporate Veil

The report has to be read along with the credibility of the agency which has lent its name. Since it comes from Moody’s, it is being read and commented upon. But at the same time, we all know that any such report is the product of some individual’s efforts, and ultimately its credibility has to be tested against the credibility of the person who puts it out. We therefore need to look beyond the name of Moody’s and lift the corporate veil.

This report is attributed to Faraz Syed, associate economist at Moody’s Analytics, and it raises a question about the credibility of the analyst as well as of Moody’s as a credit rating agency.

At the outset, I would like to categorically state that my comments should be disassociated from the fact that the name of the analyst may lead to certain inferences. I am only analyzing the issue from other factors.

Mr Faraz Syed is based in Sydney and is in the process of completing his Master’s degree in Economics. He completed his Bachelor’s degree in 2013 from Macquarie University in Australia. His initial interest was in cricket, and he started his career as an economist in January 2013. After working for one year with the Australian Bureau of Agricultural and Resource Economics and Sciences, he joined Moody’s in December 2014 as Associate Economist.

His experience as an analyst at Moody’s is therefore less than a year. I suspect that he has never visited India and that his knowledge of India may be through cricketers and the IPL.

His attempt to convert a financial analytical report into political advice to a Head of Government shows his immaturity as an analyst and nothing else.

However, one cannot understand how Moody’s let the report be published under its name; that indicates that there is no control or supervision over the work of an “Associate Economist”.

What this Says of the Opposition

While the opposition parties and the so called intellectuals who are spearheading the Award Wapsi movement would rejoice at the endorsement they have received from Mr Faraz Syed, I must point out the other dimension of the report.

What Mr Faraz Syed says is that the potential 9.3% growth in GDP has been reduced to around 7.4% because Mr Modi faces an opposition in the Rajya Sabha and cannot pass progressive legislation. This confirms that the disruptive activities of the opposition are harming the progress of the nation.

In other words, Mr Faraz Syed and Moody’s are confirming that the actions of the opposition are “Anti National”.

Having been involved in the financial services industry for a long time at the beginning of my career, and having observed the birth and growth of credit rating agencies in India such as CRISIL and ICRA, I consider that India is on a path to progress with economic reforms which need time to yield results. Professionals in credit rating agencies need to understand that we cannot set up power plants in one year; without adequate power, industries cannot take off, and without industries taking off, there cannot be employment, and so on. All this takes time, and a professional in a credit rating agency should be aware of it.

The Dadri incident or the Kalburgi incident has no relevance to the long term economic building of the country. It is only anti national forces who would like to fish in troubled waters when such incidents happen, and if a professional lets himself be drawn into using those incidents to blame the PM, he stops being a professional. I consider that Faraz Syed has revealed his inability to fill the boots of an “Economist”. If he gets to be a “Master in Economics” because of his erudite discourse on India, it would reflect the standards of the university that grants him the degree.

Though political commentators in their Bihar election mood may say whatever they feel like, a professional organization such as Moody’s should have shown more maturity than the comments in the report display, and this actually undermines the credibility of Moody’s as a credit rating agency.

I would like to call upon Moody’s as an organization to disown the advisory, withdraw the report and publish a corrected version without the politicized comments of Faraz Syed.

I will be forwarding a copy of this article to appropriate persons in Moody’s and also request readers to send it to appropriate contacts in Moody’s if they are able to reach out.

Naavi

Posted in Cyber Law | Leave a comment

ICICI Bank’s Carbon Card..Innovative but more risky for the Consumer


ICICI Bank has introduced a new type of card which it calls “Innovative” and “Asia’s First”.

The uniqueness of the card is that it carries an LCD screen and a 12 button keypad. The user first registers the card with Visa CodeSure, after which dynamic passcodes are generated on the card itself for every transaction. There is an inbuilt battery and a microprocessor. The lifespan of the card is about 3 years.

Presently the card is being offered by “Invitation”.

Though the Bank claims that this is more secure, what we can see is that the scheme is only as secure as the single PIN assigned to the registered card: the dynamic passcodes are generated by the card itself, so whoever holds the card and knows that PIN can generate a valid code for any transaction. (A per-transaction code does stop a skimmed card number or an old code from being replayed, but it adds no second factor independent of the card.) With a mobile based OTP, a thief who got hold of the card and the core PIN (say because it was written down, or found by brute force or otherwise) would also have to steal the mobile; in this system no second device is needed at all.

The Bank therefore needs to explain how this system is more secure than mobile based OTP. RBI also needs to assure the public that the card meets its guidelines.
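To make the point concrete, here is an added illustration written for this post; it is not ICICI’s or Visa’s code. The page does not describe the CodeSure algorithm, so an RFC 4226 HOTP-style counter-based passcode is assumed as a stand-in, with the RFC’s published test key used as a constructed secret and a made-up PIN. The card model and the bank-side verifier show what the dynamic code does protect against (replay of an old code) and what it does not (a thief holding the card and the PIN).

```python
"""Added illustration for this post, not ICICI's or Visa's code. The
page does not describe the CodeSure algorithm, so an RFC 4226 HOTP
counter-based passcode is assumed as a stand-in. The secret is the
RFC 4226 test-vector key (a constructed value); the PIN is made up."""
import hashlib
import hmac

# RFC 4226 Appendix D test key, constructed for the demo, not a real card key.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "4321"  # assumed PIN for the demo


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class DisplayCard:
    """The card: its keypad PIN gates the generator, while the secret and
    the transaction counter live inside the card. Anyone holding the
    card who knows the PIN can therefore produce valid codes; no second
    device is involved."""

    def __init__(self, secret, pin):
        self._secret = secret
        self._pin = pin
        self._counter = 0

    def generate(self, pin_entered):
        if not hmac.compare_digest(pin_entered, self._pin):
            return None  # wrong PIN: the display shows nothing
        self._counter += 1
        return hotp(self._secret, self._counter)


class IssuerVerifier:
    """Bank side: holds the same secret and the last accepted counter.
    A code is accepted only for a counter beyond the last one (within a
    small look-ahead window), so a skimmed or replayed old code fails."""

    def __init__(self, secret, window=5):
        self._secret = secret
        self._last = 0
        self._window = window

    def verify(self, code):
        if code is None:
            return False
        for c in range(self._last + 1, self._last + 1 + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._last = c
                return True
        return False


def scenarios():
    """Run the cases discussed in the post and return their outcomes:
    (genuine transaction, replay of the same code, thief with card and
    PIN, wrong PIN typed on the keypad)."""
    card = DisplayCard(DEMO_SECRET, DEMO_PIN)
    bank = IssuerVerifier(DEMO_SECRET)

    code = card.generate(DEMO_PIN)
    genuine_ok = bank.verify(code)   # True: a fresh code is accepted
    replay_ok = bank.verify(code)    # False: the same code cannot be reused

    # A thief who has the card and has learned the PIN needs nothing else:
    thief_ok = bank.verify(card.generate(DEMO_PIN))  # True
    wrong_pin = card.generate("0000")  # None: the PIN still gates the keypad
    return genuine_ok, replay_ok, thief_ok, wrong_pin


if __name__ == "__main__":
    print(scenarios())  # (True, False, True, None)
```

The verifier’s counter window is what defeats replay; the card’s PIN check is what the whole scheme reduces to once the card is in the wrong hands, which is the comparison with mobile OTP that the post asks the Bank to explain.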

Naavi

Posted in Cyber Law | 1 Comment