Airtel does a Maggi!

Just as Maggi has got into a controversy over the taste-enhancing additives in its noodles, Airtel appears to be running into a controversy of its own by introducing a “Computer contaminant” into its customers’ browsers, which is an offence under Section 66 of ITA 2008.

According to this report in ehackingnews.com, a programmer has published his findings that when customers use an Airtel broadband internet account and browse the internet, Airtel introduces a JavaScript and an iframe into the browser. This script and iframe point to a specific URL.

On its part, Airtel has released a statement trying to explain its position. The explanation does not appear convincing but appears to suggest that it is trying to develop a tool to provide users information about the data usage during their browsing sessions.

In a way, therefore, there is an admission that Airtel has introduced what is considered a “Computer Contaminant” under Section 43 of ITA 2008, which is defined as follows:

“Computer Contaminant” means any set of computer instructions that are designed –
(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
(b) by any means to usurp the normal operation of the computer, computer system, or computer network

Introduction of a Computer contaminant without the permission of the owner of a computer is a contravention under Section 43 of ITA 2008 and an offence under Section 66. The company would be liable for financial compensation and probably at least liable to be tried for a cognizable offence.

While the Company may have a reason to experiment with a tool not meant to harm the users, it has ignored the ITA 2008 compliance requirement which could have been met by providing a proper notice to the users.

Hope it would take the necessary corrective action by sending a proper notice to its customers clarifying its position.

(P.S: Thanks to a published erroneous judgement of the Adjudicator of Karnataka in December 2011, the continued neglect of the Karnataka High Court and the apathy of the Central Government in not appointing a Chairperson for the Cyber Appellate Tribunal, neither Section 43 nor Section 66 is applicable to Bharti Airtel in the state of Karnataka.)

Naavi


Using the Smart Grid in the Smart City and the Security issues

One of the first innovations that the proposed Smart Cities in India need to build up is an efficient way of distributing electricity so that the net cost of consumption of electricity is reduced. The solution for this, without doubt, is to build a Smart Grid. A Smart Grid is a mechanism in which information from the consumer's end is shared intelligently and used to modify the electricity supply and usage pattern so that a balance is achieved between production and consumption.

This requirement of matching demand with supply on a real time basis arises because electricity production and consumption vary throughout the day, with peak requirements and slack period requirements. Since power cannot be easily and economically stored and used at different times, if we need to satisfy consumer demand, we always need to keep production matching the peak requirement and let it go to waste at other times. Otherwise outages would occur when peak load is demanded and the grid cannot supply it.

If smart management of demand and supply is possible, consumers can stagger their use of electricity to match production and supply. Different production sources such as solar and wind can also be connected to the common grid into which the conventional production sources feed their production. Since production from natural sources depends on, say, the availability of wind or sun, there will be variation in the production of such energy. This needs to be balanced by giving consumers an incentive to stagger their consumption: discounts when surplus power is available in the grid, as against a premium charged when there is a shortage.

Also, if consumers are able to produce electricity on their own by, say, owning solar panels on their rooftops or a single wind turbine on the farm, they can supply electricity to the grid during peak hours and earn premium income, while consuming electricity for their own use in the off-peak hours when prices can be at a discount. In a way, consumers will consume electricity when it is cheap on the grid and produce electricity and push it to the grid when it is expensive on the grid. This makes the consumer a new category of user who may be called a “Prosumer”, one who both produces and consumes.

These fancy ideas of a smart grid are very much within the realms of possibility even now if the electric grid architecture can be planned properly ab initio. The architecture will require supply of electricity and exchange of data over the same power line. In other words, every electric line will carry both electricity and data, which will be resolved at each end through appropriate modems. Broadband over power lines will also be possible under the same system.

The above smart grid applications can be built and are expected to be built in the smart cities. In cities like Amaravati where the electricity lines are to be drawn from scratch, perhaps it would be easier to use the appropriate hardware to build the dual purpose electricity distribution system which can carry power and data over the same lines.

While Electrical Engineers will work on the technology required for carrying data over power lines, and software professionals build applications to process the data and use it to modify distribution, cyber security professionals will be concerned about the risk of data being accessed and modified without authorization. In fact, the experience of Stuxnet is too recent to be forgotten. All smart grids will fall into the category of critical infrastructure and will be juicy targets for Cyber terrorists and targets during a Cyber War.

Security will therefore be a major concern for Smart Grid developers and hence this is one of the first challenges to be tackled by the Smart City Cyber Security managers.

Note that use of smart grids will immediately require a modification of electricity laws as well as a redefinition of many cyber crime related laws, and there could be obstruction from short-sighted politicians who do not understand security issues. Modification of Cyber Laws is therefore a part of the cyber security plan for smart grids or smart cities.

In designing a Cyber Security system for a smart grid, all five aspects of data security, namely Availability, Integrity, Confidentiality, Authentication and Non Repudiation, will be applicable. There will be threats and vulnerabilities to be recognized and risks to be estimated. Controls need to be built to mitigate the risks with a very low tolerance level, and with redundancy built in, in some form, to tackle the inevitable security breaches.

Building security into a smart grid system after it is established would be complicated, inefficient and sometimes impossible. Hence planners of the Smart Cities need to integrate cyber security plans when building the smart grid network itself.

It is difficult to conceive of the cyber security system for a smart grid without knowing the architecture exactly. But NIST has worked on the requirements and come up with a suggested architecture for interoperability as well as guidelines for information security applicable to smart grids, and perhaps these need to be adapted to our requirements with whatever minor changes need to be made.

If these requirements are not studied and addressed now, the specifications for the hardware would be imperfect, leading to delay in projects, escalation of project costs and also compromise of security, for which we may have to pay a huge price some time in the future.

I therefore request the CM of AP in charge of the Amaravati project, Mr Chandrababu Naidu, and also the Union Power minister, Mr Piyush Goyal, not to neglect the cyber security requirements of smart grids when they plan for the smart cities, and more particularly for Amaravati, where work has to commence from a zero base.

Naavi


Let’s develop a model Cyber Security Framework for a Smart City

AP Chief Minister Mr Chandrababu Naidu laid the foundation stone for the new Capital City of Andhra Pradesh, to be known as Amaravati. The City is to be developed as a “Smart City”. Given the cyber savvy nature of Mr Chandrababu Naidu and the opportunity to build the capital city with zero-based planning, it is possible that Amaravati can come up as an ideal smart city, which is the dream of Mr Narendra Modi.

While we watch the developments as they unfold, we once again reiterate that the success of the concept of “Smart City” is closely associated with the Cyber Security plans that are implemented when the smart city is built brick by brick. As if to remind everyone about the vulnerabilities associated with the dependence on “Information” in Governance, the US Government has announced its apprehensions of a major hacking of its federal information systems by China. (Read the article in Independent here).

A Smart City is by its very concept highly susceptible to information security vulnerabilities, since its critical resources such as Electricity Supply, Water Supply, Road Transport and Health system will be vulnerable to terrorist attacks and cyber warfare. We are not sure if managers of other smart cities are capable of understanding these risks and taking appropriate security measures, but feel that Mr Chandrababu Naidu is one who can understand the risks and take steps which would form a guideline for other smart cities in India.

We therefore congratulate Mr Naidu on laying the foundation stone for Amaravati, and at the same time urge him to lay the foundation stone for an appropriate “Smart City Cyber Security Framework” which is technologically sound.

We reiterate that the technologically sound cyber security framework should also be supported by a “Smart City Cyber Law Framework” which takes into account the issues surrounding Big Data and Internet of Things. Additionally, the people involved must be adequately trained and motivated to implement information security as a backbone of the city’s law and order eco system.

Naavi.org will try to present the major information security issues to be tackled by a Smart City one by one. I request all security professionals to consider contributing to this knowledge base in the form of articles on various issues involved in securing the Smart City cyber systems. The articles and comments can be sent to naavi@vsnl.com with a brief profile of the author, for publication in Naavi.org. Students of Technical and Legal institutions are also welcome to contribute.

Naavi


Impersonation of “Naavi” sighted

P.S:
Since the publication of this post and an email sent to the founders of Naavi.co, a response as quoted below has been received from Mr Bates, promoter of Naavi.co.
Naavi has been the promoter of www.lookalikes.in which promotes the concept of “Let’s learn to Co-exist”. We therefore are not against somebody using a similar name as long as the differentiation is acknowledged and the activity is not likely to cause any damage.
On our part, we are publishing this disclaimer to remove any unintended displeasure caused to the promoters of naavi.co and consider this potential dispute as sorted out amicably.
Readers may observe that we have preferred to publish this disclaimer rather than remove the post altogether, since this form of recording the counter view is better than complete removal for removing misconceptions, if any, created by the original post.
 
We will add the disclaimer also in the lookalikes.in notification for naavi.org.
 
Naavi
9th June, 2015

Quote:
Hi Vijayashankar,
Thanks for your email, and we’re very sorry about the confusion regarding the name Naavi.
 
Our business primarily operates in Australia and we own the trademark for the name ‘Naavi’ in Australia. Because your trademark is localised to India it does not apply to us.
 
We ask you to take the post off your website that suggests we are impersonating your name.
 
Please let us know if you have any other concerns.
 
Thanks,
Michael & Blake
Naavi Founders
Unquote:

It has come to the notice of Naavi.org that two individuals in Australia have registered a domain name “Naavi.co” and are attempting to promote a blog and other educational products in the name of Naavi.

A preliminary notice has been sent to the promoters for necessary corrective action, failing which necessary action through legal means would be initiated.

In the meantime we would like to inform all the visitors of Naavi.org that we do not have any relation with Naavi.co or any of its declared promoters, Naavi Pty.co or the individuals Mr Blake Seufert and Michael Bates who declare themselves as the Co-Founders of Naavi.co.

Naavi


Cyber Security Task Force-NASSCOM-DSCI initiative, Will it have a holistic view?

It is reported that NASSCOM and DSCI have set up a Cyber Security Task Force with representatives from industry and academia to identify key priorities and build a detailed action plan. The task force is expected to study the Indian Cyber Security eco system to identify the issues and challenges. The Chairman of NASSCOM states that the efforts will be to “bring together the stakeholders from across the board”.

(Refer report here)

The initiative is welcome.

However, it has been noticed earlier that the approach of NASSCOM, led by technology specialists, often fails to address Cyber Security from the holistic perspective. The end result of most such initiatives led by business leaders is to identify and pursue business opportunities that arise out of such initiatives, and any benefits that the society may achieve become incidental. The interest of the end consumers is not always kept in mind by such initiatives.

One example which we can quote here for those who have great faith in such industry-led committees is the attempt made by some Bankers who were part of the G Gopalakrishna Working Group (GGWG) of RBI, which was meant to address the Information Security requirements in E Banking, to influence the committee into taking decisions which were anti consumer and in violation of the law of the land. It was only through the efforts of a vigilante Naavi.org and an understanding Chairperson that the effort was thwarted.

It is therefore anticipated that even this NASSCOM-DSCI Cyber Security Task force runs the risk of such motivated manipulations, which need to be guarded against.

It is necessary for the task force to recognize that “Cyber Security is not achieved only by a set of technology tools such as an Anti Virus package, Firewall or an IDS system but includes the Cyber Law environment and the management of the behaviour of human resources”. In other words, it is necessary to recognize that Cyber Security is a three dimensional exercise involving technology, law and behavioural science.

I am confident that the task force will do adequate work as regards the technical aspects of security. However, I am more or less certain that the task force will fail to have a holistic view of the Cyber Security eco system that includes laws that affect technology and behavioural aspects of ICT users.

To be a comprehensive approach, the task force report should incorporate the Cyber Law requirements to support issues such as Cyber Warfare, Cyber Terrorism, Organized international Cyber Crime syndicates, Privacy Issues, Anonymity and Pseudonymity, Addiction of Internet users to Social media, Effects of Video Gaming, Pornography, the issues of Social Engineering and the ubiquitous presence of Mobiles.

The attempt of technologists would be to drive technology use without fully covering up the risks. When the technology person himself looks at the security, there is an inherent conflict of interest and the final outcome always leans towards what increases the revenue and profitability. The risks which make consumers lose money are never the focus of such task forces.

I would like to draw the attention of the Chairpersons of NASSCOM and DSCI to the above apprehension and request them to take appropriate steps.

Naavi


Banks Prepare an assault on customers through Court actions

Naavi.org has been highlighting the fact that banks are conducting “Unsafe Banking” in pursuance of “Profit before Customer Service” and pushing Customers into greater and greater risks.

RBI has, through the 2001 guidelines on Internet Banking and again through the Information security guidelines (GGWG) in 2011, mandated that Banks need to ensure proper cyber security and also cover themselves with Cyber Insurance. However, Banks have not upgraded their security but are going for higher and higher levels of untested technology.

The Adjudicator of Maharashtra had provided several awards in favour of the customers and Bankers were very much dissatisfied. Eventually, the Adjudicating officer was transferred.

Simultaneously the Karnataka Adjudication system has been kept closed since the IT secretary is not interested.

As of now the entire system of Adjudication across the country has been paralyzed.

It is also well known that probably it is the influence of the Banks that the post of the Cyber Appellate Tribunal (CAT) remains unfilled for four years.

Cases which are already before CAT are in a limbo.

Now it is learnt that all the affected Banks in Mumbai are considering challenging the decision of the Adjudicator of Maharashtra in High Courts. From the recent verdict of a High Court in Bangalore we know that any lower court verdict can be turned upside down if necessary even using a faulty calculator to add. Banks have the resources which can work wonders with our system.

It is therefore necessary for Netizens and public spirited lawyers to be vigilant and ensure that Courts do not take decisions which are against cyber crime victims under the influences that banks can mount on them. Consumer protection organisations also need to step in now to see that injustice is not done to bank fraud victims.

In any such litigation, RBI must also be made a party to clarify its stand on “Security in Banking system”.

I wish the media would also turn its attention to this class action by Banks against their own customers to cheat them of their hard earned savings in pursuance of the greed for more profits by Banks.

Naavi
