Naavi.org

We have been discussing the concept of “ITA 2008 Compliance” in these columns. Naavi has suggested some directions for measuring the level of compliance in the form of maturity model. (Refer this article).

In the recent times, we have also introduced the extended thought of Cyber Insurance for which ITA 2008 compliance is an essential ingredient.

While the measurement of ITA 2008 maturity is itself a measure of “Cyber Insurability” of an organization, it is time to think about a separate measurement for quantitative measurement of” Cyber Insurability” of an organization. A preliminary attempt to introduce the concept is made here. It is envisaged that  with the contribution from other readers this concept may be extended further.

Naavi

Cyber Insurability for this context is defined as ” A measure of maturity of an organization for a Cyber Insurance Company to provide a Cyber Insurance Cover”.

The perspective is from the Cyber Insurance Company which has to assess the proposed Insurer, accept an underwriting proposal and quote a premium.

Cyber Insurance proposal normally consists of two key elements. First is a cover for “Own damage” and the second is the cover against “Third Party Liability”.

The own damage liability is more controllable than the third party liability which depends on whether the affected third party can successfully make a claim for damages.

If a company does not use or store the personal data of third parties, their exposure to third party liability risk is low. The risk that an Insurance company takes may therefore be dependent on the “Type of Information Asset insured”.

We can roughly say for the purpose of understanding that the “Cyber Insurability of an organization which does not use, transmit or store third party liability” is high. The exact amount for which an organization is insurable may however depend on the value of assets possessed by the Company.

In an organization where Cyber Insurance is sought only for its own information assets namely the hardware, software and corporate data residing there in, the insurer’s concern is limited to the efficiency of the DRP/BCP and the reputation loss that the organization may undergo on account of an attack.  For example, if there is an E Commerce website which is under DOS attack and closed for say 3 hours, then there is a loss of business for 3 hours besides a marginal reputation loss. If the DRP/BCP System of the organization is efficient, the loss can be reduced further. However, there is some ability to control the loss and contain it within a  set of its existing customers.

On the other hand, if the attack involves “Loss of Data” then the question of valuing the loss becomes important. Here the presence or absence of third party data becomes very important to determine the value of the  loss. If there is no third party data, the possibility of any claim from third parties is zero.

The loss of corporate data could be the business data or data which constitute “Intellectual Property”.  Loss of Intellectual Property can be valued and also defended subsequently by litigation. Hence it is also controllable. Loss of corporate business data may lead to reputation loss or weakening of its business competitiveness. There is an element of uncertainty of such damage but an Insurance company may consider such damage as “Discretionary” and “Vague” and reject recognizing an insurable component for “Likely reduction in market share on account of compromise of the Corporate business data”.

As compared to the above, if the Insuree possesses third party personal information, any loss arising there of would create a potential litigation from a large section of the customers. The exact loss estimate becomes difficult since each person may make claim for a different amount and the claims may arise at different points of time in the post data breach scenario.

In situations where there is a regulatory authority which can step in on behalf of the data subjects and impose a fine or collect damages on behalf of the community, it may be possible for the regulatory agency to fix some norms to determine the total liability which becomes a subject matter of Insurance. The individual liabilities also may be limited by the insuree obtaining legally binding contracts from the data subjects limiting the potential damage either to a fixed amount or to a maximum amount. In such cases the losses may be determinable. If no such contractual bindings are there, the potential loss may be open in terms of value as well as time.

The business practices that an Insuree organization follows therefore may have impact on the liabilities that the Insurer has to undertake in the event of a data breach.

This difference is what we may call as the “Cyber Insurability” of an organization.

An organization may be considered Cyber Insurable if its liabilities can be determined with some degree of certainty when a mishap occurs and not so if it is indeterminate.

Obviously, every organization will have a certain “Degree of Certainty and a degree of uncertainty” and hence we cannot measure the Cyber Insurability as a binary property.

We need to therefore develop a “Cyber Insurability Index” that measures the ease with which different organizations may be assessed for its ability to determine the insurance risk.

The Cyber Insurability Index may have two dimensions. One is the index across the other insurance subjects which measures how Company A is more easily insurable than Company B or vice versa. The other dimension is how a given company over the years moving up over a period of time on its own measure of Cyber Insurability.

May be we can call this Inter Company indexing  and Intra Company indexing.

Inter company indexing will depend on the nature of the industry, its potential to be a target for cyber attacks, its location, size, information security culture etc. This can be based on the study of the environment of threats and vulnerabilities affecting a given type of activity. This may be done as an industry level analysis even without a specific study of a company.

For example, from the Cyber Crime studies released by most companies, it emerges that BFSI industry has higher risk in terms of insurance claims and also a high possibility of indeterminable losses that may be claimed by the clients of the company in the even of a data breach.

Intra Company indexing may indicate how the company is improving or declining in its standard of bringing in some kind of control on the potential loss that may occur on account of a breach. This will include information security measures undertaken by the company from year to year, the changes in the industry environment, emergence of new technology in the industry etc. This will be a subject matter to be determined by a “Cyber Insurability Audit” of a company.

When a company is first audited for the Intra Company Cyber Insurance Index, the audit can try to measure the changes that has occurred in the last one year that contributes to making the Insurance liability more determinable and show the current status as an indication of progress or deterioration over a period of one year. This would be a good indicator to be incorporated in the annual report of a company.

For example, if I say the CII-Intra of Company X is 120, it means that there was a 20% improvement in the status (an indication of how much more the company is palatable to an insurance company) in the last one year. If I say the CC-Intra for Company Y is 70, it may mean that the uncertainties in the company from the point of view of a Cyber Insurance Company has increased.

Each subsequent year the index can be re worked with a reference to the base year.

These are some of my preliminary thoughts that I place before the audience for a feedback and further refinement.

Naavi

The first ever study of the Indian Cyber Insurance Industry-2015 throwing up the perception of the industry on what they want from the Cyber Insurers is ready for being released some time in January 2016.

The study undertaken by the undersigned along with a group of IS professionals collected responses from different professionals from the industry and academia has given a good insight into what the industry perceives about the Cyber Insurance policies.

Since the industry is in a nascent stage and the experience of how the industry functions is yet to mature, the results are more representative as a “Perception” or “Expectation” study and would be available for being expanded in the coming days into a “Status of the industry study.

The survey provides interesting insights into the prospects of the industry and what the Insurance companies need to consider to strengthen their products.

Though only 6% of the  respondents indicated that they have actual experience of the products, 72% said that they are willing to consider such products if a suitable product at a proper price is available. There is also an indication that if suitable product under proper price is not available, more than 54% of the respondents were not ready to jump in in the near future.

The study also provides valuable qualitative insights into what would be acceptable to the market in terms of conditionalities, exclusions, liability limitations etc.

The report is being issued in two versions. One will be a free version for public information containing the summary of the findings. The other would be a professional version with business insights meant for the industry users which may be nominally priced.

Await for more information  in due course.

Naavi

(First posted  on Cyberinsurance.org.in)

The fact that Cyber Appellate Tribunal (CAT) the appellate authority for all Adjudications in the country under Section 46 of ITA 2000/8 has not been functional since June 2011 has been discussed adnauseam on this site. (Refer here). It was therefore heartening to note that a Parliamentary Panel made reference to CAT in one of its recent briefings. (Refer DNA article).

The committee is reported to have made the following observations.

Quote:

The committee also expressed concern on only one Cyber Appellate Tribunal (CAT) being set up in the country till date though the Act provides for setting up Benches in other parts of the country.

“The Committee are surprised to learn that since inception of CAT, only 17 appeals have been disposed off by the former Chairperson and 21 appeals are still pending for hearing in the Tribunal which are scheduled for disposal on appointment of the new Chairperson,” it said.

While expressing their displeasure over the undue delay taking place in disposal of appeal by the CAT, the committee strongly recommended the department to deploy adequate manpower at the earliest.
“Efforts may also be made to set up CAT branches in other parts of the country, if need arises,” it said.

Unquote:

We may recall that it is not only the CAT that has been rendered dysfunctional over the last 4 years, even the State level Adjudication systems have also been rendered dysfunctional.

The first adjudicator who recognized his powers and duties under ITA 2000 was Mr PWC Davidar of Tamil Nadu. He went on to provide the first adjudication decision against a Bank namely ICICI Bank in the complaint filed by Mr S. Umashankar who had lost money out of phishing. ICICI Bank promptly appealed to CAT. CAT admitted the appeal with the condition that the Bank deposits Rs 5,50000/- with the adjudicator against the loss they were decreed to pay.  The appeal was heard and when the judgement was about to be delivered, the then Chair Person attained Super annuation. Since then, the case is awaiting appointment of the new Chair Person.

Additionally TN adjudicator had provided other judgements and was also hearing certain cases against PNB which were also appealed against and got stuck in the CAT. In the meantime J Jayalalitha took over as CM and promptly transferred Mr Davidar out of his position as IT Secretary ( Adjudicator by designation) and the TN adjudication system went dead.

Subsequently Maharashtra IT Secretary Mr Rajesh Aggarwal became active and held out several judgements in which Banks were indicted. He also innovated with E-Adjudication and was threatening to disrupt the system. He was promptly transferred to Delhi and since then the Maharashtra Adjudication has gone dead.

In Bangalore some applications were made to the Adjudicator and one of which was against Axis Bank which was also the Bank which does E Governance work for Karnataka Government. With this conflict, the Adjudicator gave out a bizarre ruling that Section 43 of ITA 2000/8 cannot be invoked by a Company (In the subject case the complainant was a company) and also that no complaint could be entertained on a Company (Respondent Bank was the company) and dismissed the complaints. The argument was that the word “Person” used in Section 43 does not apply to a Body corporate. The appeal to this blatantly erroneous decision has also got stuck in the non functioning CAT.

These developments indicate that Banks who were hurt in some of these judgements brought undue influence on the MCIT and stalled the activation of CAT. The CJI is also a party to this delay in appointment of the Chair Person to CAT since the appointment suggested by the Ministry has not been approved by CJI.  The Karnataka High Court which was moved to correct the impasse got stalled because the decision to appoint a CAT Chair person was pending at the CJI’s office.

As a result of these developments, the Cyber Judiciary System in India is presenting a void.  At a time we are talking of “Digital India” and increasing cyber crimes, the situation is appalling.

The entire system therefore seems to have conspired against the Cyber Crime victims in India seeking a judicial remedy.

During 2010, CAT did sit in Chennai in the case of Umashankar Vs ICICI Bank and created a precedent. There were also advanced discussions for the setting up of a Southern Bench in Bangalore. But unfortunately with the transfer of the then IT Secretary/Adjudicator Mr Ashok Manoli, all these projects were shelved and subsequently the Government of Karnataka and the subsequent Adjudicators have not shown any interest.

The Parliamentary committee deserves commendation for flagging the issue of non functional CAT but needs to push through more strongly measures to re activate the CAT. This gives a glimmer of hope to all Cyber Crime victims that Cyber Judiciary is likely to be active once again in India.

Let’s keep our fingers crossed.

Naavi

I recall my earlier article titled “Is it a WhatsApp Moment or Napster Moment for Indian Financial System?”  in which I had pointed out certain doubts about the legality of the new Electronic Signature system that was notified by the Government of India and Controller of Certifying Authorities vide the notification dated 28th January 2015  read with guidelines issued by CCA in June 2015 on the e-Sign process.

(Detailed presentation by CCA on e-sign process)

I have not so far received any response from CCA and hence I am re-iterating some of the points mentioned in that article briefly and request CCA to clarify.

I refer to the “E-authentication guidelines for e-Sign-online Electronic Signature Service”  Version 1.0 issued by CCA on 24th June 2015.

This guideline has been issued in support of the Gazette Notification GSR 61(E) dated 27th January 2015 which the Government made in support of its Digi Locker program which introduced a new “Electronic Signature” system by an addition in the Second Schedule  of ITA 2000/8.

The second schedule introduced the system which it called  “E-authentication Technique using Aadhar e-KYC services”.

Details of Aadhar e-KYC services is at the UIDAI website . Under this scheme,  UIDAI acts as an “enabler” by issuing a “digitally signed Govt issued photo ID” in electronic form for KSAs/KUAs supporting paper-less KYC schemes for Aadhaar holders (KSA or KYC Service Agency means  a valid Authentication Service agency with a secure leased line connectivity to UIDAI’s data center who has been approved and has signed the agreement to access KYC API through their network. KUA or KYC User Agency means  a valid Authentication User Agency, which is an organization or an entity using Aadhaar authentication as part of its applications to provide services to residents such as a Bank who has been approved and has signed the agreement to access KYC API.

e-Authentication Service introduced in the second schedule as a valid electronic signature is dependent on the e-KYC service of UIDAI which itself uses the digital signature.

According to the proposed system as described in the GSR 61(E) of 28th January 2015, the application form of a subscriber would be sent by a trusted third party to the Certifying authority for issue of digital certificate. In the case of Digilocker kind of on-line system, the application submission would be an “On-line” process using an API. The details submitted by the subscriber would be verified by the Aadhar e-KYC service.

In this process, an “Undigitally signed” application of the subscriber would be forwarded by the trusted third party to the certifying authority with the aadhar number. The certifying authority would get the digitally signed confirmation of the aadhar information from the aadhar e-KYC service based on which it would proceed to issue the digital certificate. (This will be subsequently consented to online by the subscriber)

The unanswered question is

If the subscriber’s application and consent is done online without a digital signature, what is the validity of the digital signature certificate issued on the basis of such unauthenticated digital submissions?

The detailed procedure for issue of digital certificate is indicated in the CCA guideline of 24th June 2015.

The CCA guideline suggests that the private-public key pair would be generated on a HSM owned by the intermediary (the trusted third party mentioned in the Gazette notification), the private key is stored in the HSM for the validity period of 30 minutes and later destroyed. All these activities are done under systems which are not under the control of the subscriber. Hence it should be considered that the private key has been compromised ab-initio.

Secondly, the authentication process of approval of the application would be based either on “Biometric” or “OTP”. (OTP is presumed to be mobile based or e-mail based). If the approval is based on OTP, it means that the approval of the application form is dependent on the KYC already done by the mobile operator or the e-mail operator. If the e-mail approval is obtained, then there is no authentication for the application form. If the mobile OTP is used, it is as good or bad as the mobile operator’s KYC system.

The CCA circular says that the DSC application form should be electronically generated and programmatically filled up with the data obtained from the e-KYC process. This means that just by submitting the Aadhar number and confirming the OTP, the DSC application gets submitted without an “Digital Signature”. Hence it is an unsigned DSC application that gets the approval of the Certifying authority.

The entire process is a circular mutually authenticating procedure dependent on the KYC of the mobile operator only.

CCA should review this process and confirm if it is in accordance with the provisions of ITA 2000/8.

Naavi

P.S: This note has to be corrected for the notification made on 30th June 2015 [GSR 539(E)] where in the use of hardware module has been deleted from the earlier notification.

Some time back, Bangalore Traffic Police introduced a mobile app “Public Eye” inviting members of public to send pictures of traffic violation based on which the department will issue notices. Now a similar APP has been released in Delhi. Probably this will be taken up by traffic police in other cities also since it makes their work easy. Police can sit back and keep issuing notices without themselves doing any due diligence.

Recently, I pointed out to the Police an erroneous Challan issued by them based on evidence which was questionable. The challan was issued based on a photograph which showed a vehicle in front of the zebra crossing. What the notice ignored was that the traffic light at the time was in green and there were several vehicles in front of the charge vehicle. Evidence pointed to the fact that the bunch of vehicles was moving after the light had turned green and since it was a bumber to bumber traffic, the owner of the two wheeler which was charged, had one leg touching the ground. Interpreting this as “Parking in front of the Zebra Crossing” was an error and hence the challan was disputable.

However, when a complaint was sought to be sent, it was clear that t.here was no clear grievance redressal mechanism associated with this Public Eye Complaint system. Once a complaint is filed by a member of the public, his identity is not made known but the photo is taken as an “Evidence” and a charge is made on another member of the public. The “Evidence” itself is not authenticated by any digital signature and in the absence of the identity of the person filing the complaint, the accused is completely in the dark of why and how he is being pronounced guilty.

I have also come across occasions when challans are issued with the note “Photographic evidence not available”.

This is grossly unfair and legally questionable.

In such cases the citizen who is charged does not have any option to raise his objection and the issue of the challan becomes arbitrary. If the challan remains is unpaid, one does not know what consequences can follow when another offence is registered. Hence there is a perceived threat and coercion inherent in  the process. There is also a public perception that in order to increase traffic fine collection, Police may book false cases and send Challans since most people tend to pay up without demur. If some body starts clicking photographs near a traffic junction each time the traffic light turns red or green, one can find border cases of violation which in actual practice was not actually a violation. Hence Police can easily use this as a tool to increase the fine collection without any obligation to be either truthful nor instilling a sense of discipline.

Further this will encourage people to keep clicking photographs in public ostensibly for Public Eye but use it for private extortion or misuse. In such cases, there should be legal remedy to the victim to take action against the misuse. At present the system does not have these safeguards.

While the intention of the system to check on major traffic violations is acceptable, using it for minor offences without proper evidence is irritating and constitutes a harassment of the honest public.

Also, issuing of a Challan entirely based on a photo submitted by a Non Law Enforcement Member of the public does not seem to carry legal sanction. Though the system suggests that the photo would be reviewed by the Police, there is no evidence of the same.

Soon we will have photo- shopped evidences presented to either genuinely harass a person or rag a person for fun.

In order to render the scheme more acceptable, it is necessary to have a robust grievance redressal mechanism to support such complaints. I therefore suggest the following mechanism.

1. On receipt of the complaint, the complaint  should be serially numbered against the identity of the complainant and forwarded to an “Inspector” who has the authority for issuing challans if need be. 
2. The Inspector should examine the evidence and record his recommendation for issuing of a challan under a digitally signed note which should include a certificate that “He has examined the evidence and found it sufficient to issue the challan for the offence as noted”.
3. The recipient of the notice should be given only a “Show Cause” notice and not an automatic challan. 
4. On receipt of the reply if found unacceptable or failure to reply within a reasonable time, the notice can be converted into a Challan again with the due recommendation of the “Inspector”.
5. The process has to be recorded in the form of a log record.
6. An option should be provided in the Challan indicating what judicial option is available to the recipient of the Challan to dispute the charge along with an option to pay the fine without raising a dispute.
7. The ticket can be closed and archived with the log record after the payment is received or the process is brought to a culmination either by the Challan being reviewed and cancelled or by the Traffic Court disposing off the objection.

I suppose the Bangalore Traffic Police as well as the Delhi Traffic Police and others who may introduce similar system also adopt such procedures.

Naavi

It is unfortunate that some of the unpleasant prophesies of Naavi.org on increasing Card related frauds are becoming a reality. It is reported that Mumbai Police statistics show that in the first 9 months of 2015, Credit card frauds rose by 90% over the corresponding period last year. Overall Cyber Crimes rose by 52% and obscene e-mails by 34%.

Article in Indian Express

It has been pointed out in the article that the reasons for this massive raise in frauds include

a) Pushing of technology to persons who does not understand the security implications

b) Card cloning and Vishing

c) Lack of safeguards built around technology

Naavi.org agrees that the all the above reasons do contribute to the increasing card frauds and reflect that there is a fundamental flaw in the system of regulation.

Firstly, Banks are going too fast in introducing insecure technology to serve their commercial needs and RBI has failed in its duty as a regulator to prevent insecure services hitting the market.

In June 2001, RBI did mention that Banks need to obtain Cyber Insurance against technology related frauds and consider them as the Bank’s legal risk. However, Banks have neither obtained Cyber Insurance nor taken the onus on securing the system. On the other hand, they are going ahead with increasing risk in new services.

Though initially the “Adjudicators” in Chennai and Mumbai gave relief to victims of bank frauds by holding the Banks liable on Section 43 of ITA 2000/8 read with Section 85, Banks held up delivery of justice through appeals which were held up due to reasons such as “Non Appointment of Chair Person for Cyber Appellate Tribunal” since 2011, and mis-judgement of at least one Adjudicator in Bangalore which has not been corrected by Karnataka High Court and pending because of the Cyber Appellate Tribunal being non functional.

The mis-judgement was perhaps a consequence of ignorance of the Adjudicator or it could have been a decision influenced by the affected bank and the conflicting relations it had with the decision maker. The inability of Karnataka High Court was again a matter of the inability of the concerned judge to appreciate the facts of the case which was mis represented by the Bank as well as its reluctance to take responsibility for delivery of justice to the victims. The non availability of Chair person in Cyber Appellate Tribunal is perhaps a conspiracy between the affected Banks and the officials since 2011 as well as the controversies surrounding the NJAC.

The Modi Government is encouraging greater use of the card system in meeting its its digital economy goals but the IT ministry under Mr Ravi Shankar Prasad and RBI under Raghuram Rajan are both incompetent and uninterested in ensuring security of the financial model of Digital India.

As we go into the next decade, there will be more and more of these card frauds involving amounts less than 10000/-, with the use of mobile wallets where security is the secondary objective for the Banks. The amounts individually will be too small for victims to pursue legal remedies and hence most of the accused will go unpunished.

Police are doing a great disservice by not recognizing that Banks who introduce insecure banking services are to be considered as mainly liable for such frauds and have failed to charge the respective Banks in cases of frauds. These banks not only fail in introducing untested technology but also repeatedly fail in the KYC obligations.  Many of the mobile service providers are also guilty of KYC failures and since the mobile KYC is the foundation for many mobile based services, these failures of KYC reflect in increased frauds.

In many cases of frauds including the “Call from Information division of Delhi Consumer Courts” reported in these columns, Police have not taken any pro active remedial action. Call centers are operating in Delhi NCR region right under the nose of the countries top police authorities in which people are recruited for doing frauds by calling prospective victims and BPO operations are being run. Naavi.org itself has provided a couple of phone numbers during the last week and there is no news that Police has actually acted on it.

If Police want every such crime to be confirmed only with a complaint from the affected person and refuse to investigate without a complaint, then these frauds will not come down.

Just as Banks are an indirect cause of such frauds due to their negligence, Police by their inaction are also contributing to the proliferation of these crimes.

Despite the clear instructions of RBI for Banks to secure the victims by a system of Cyber Insurance, and their flouting of such regulatory guidelines, it is unfortunate that Police have not made Banks a co-accused in any of these card cases. In cases where there is a possibility of the involvement of Bank employees, Police may initiate action. But what we are trying to say is that even when there is no direct evidence of the involvement of Bank employees, using the “Negligence” aspect under Section 85 of ITA 2000/8, Police are bound to make Banks pay for the losses of the fraud victims. Banks themselves need to cover this risk through Cyber Insurance.

In the case of S.Umashankar Vs ICICI Bank, after the adjudicator held the Bank negligent and granted compensation, the undersigned wrote specific letters to the DGP of Tamil Nadu to pursue criminal charges against ICICI Bank. But they failed to do so. Now in Mumbai, there have been many decisions of the adjudicator Rajesh Aggarwal against Banks. He was transferred out of the position so that he does not create fresh problems for Banks. But the Police in Mumbai could have initiated their own criminal action against each of the Banks held guilty in the civil proceedings of the adjudicator. This would have created a deterrence against continuance of the crime and would have also woken up organizations such as RBI and Indian Bank’s Association. Their reluctance to charge Banks under Section 85 of ITA 2000/8 is therefore  a contributory factor for the increase of cyber frauds.

I hope that Mumbai Police will now show the way for the rest by filing cases under Section 43-66 of ITA 2000/8 read along with Section 85 of ITA 2000/8 in all the cases in which Mr Rajesh Agarwal has found the Banks guilty of negligence and granted compensation to the fraud victims.

Simultaneously, the Chief Justice of India should immediately clear the papers which is reportedly being held up at his office for appointment of the Chair person for Cyber Appellate Tribunal. Also the Karnataka High Court which is sitting on a PIL in this respect without listing it for final hearing to also expedite the hearing so that all these institutions work in unison with the Police to improve the counter cyber crime ec0 system.

It is not necessary to remind the authorities that a substantial part of this crime income may be also reaching the terrorists and funding their operations against India. Hence neglecting them is a grave error on the part of the Law enforcement, Judiciary and the Government.

As I have highlighted several times, the Anti Modi brigade will use the increasing Cyber Crime as a charge of inefficiency against Mr Modi’s Governance particularly when the heat is felt by the beneficiaries of Jandhan yojana in villages.

Law and Order in Cyber Space will be a relevant election issue in 2019 elections which will determine whether Mr Modi’s policies will survive to serve the country in future or not.  If Mr Modi does not realize it now and act appropriately,  it will be too late to save the country.

Naavi

Related Article: Hotel Industry will be the next big victim