Data Theft by a Senior Bank Employee in Mumbai… Is it vendetta?

It is reported that Mumbai police are pursuing a data theft complaint against a senior Bank employee in Mumbai. According to this TOI report, the senior employee (a lady), who had worked in the Bank for 20 years, resigned and is due to join another Bank.

The allegation is that some time after resigning, she took away some confidential information belonging to the Bank on her pen drive. The complaint has been made by the Bank manager.

The report

There are many inconsistencies in the report and there is every indication that it could be a motivated report. More clarification is required before it is given credence.

According to the Bank manager, “She got access, after quitting the job, on the pretext of taking down data stored in her computer system in her office”. Bank officials complained that she took the data without the knowledge of anyone present on the premises.

The complaint was lodged on September 9, 2015, whereas the person left the Bank on April 21. It is not clear when she got the access and how the manager came to know the “pretext” when nobody was present on the premises.

According to the TOI report, a spokesperson of the Bank is supposed to have stated “The data was related to Reserve Bank of India rules and banking policies, which the suspect can misuse”.

If the data related to RBI guidelines, it is not clear what confidentiality is involved.

If the Bank is concerned, it could as well be a case of some information which the Bank is afraid would harm its reputation. If it was simply rules and policies, there is no reason for the Bank to file a complaint except as a vendetta against a parting executive.

It would be interesting to observe how the case develops.

If the Police conduct a proper investigation, there is every possibility that the complainant himself may turn out to have indulged in some offence.

There is however a need for the defense to handle this technical case with some intelligence as otherwise the weight of the complainant’s organization may have a bearing on the way the case proceeds from now on.

Naavi


Posted in Cyber Law

Maharashtra Government finds a unique PPP model!

During our childhood, we have heard the story of a Fox and a Bear who agree on collaborative cultivation. For the first crop they agree that whatever grows above the soil belongs to the Fox and whatever grows underneath the soil belongs to the Bear. The Fox suggests that they grow tomatoes. The Bear works hard and when the crop is ready, the Fox walks off with all the tomatoes and the Bear is unhappy. The Fox convinces the Bear to try a second crop and agrees that what grows above the soil will now belong to the Bear and what grows underneath the soil belongs to the Fox. The Bear agrees. The Fox suggests that they grow... potatoes... and so the story goes.

It appears that the Maharashtra Government has now implemented a PPP model of a similar nature, in which the Government, and Mumbai Police in particular, promote a PPP project where all the revenue goes to a private party while the Government and the Police are only used to promote the project for the benefit of the private partner.

I refer to a project called coin.org.in which is projected as a platform for global law enforcement people with information, training and support for investigation of cyber crimes. However, it also invites the public to become members of the project at a membership cost of up to Rs 24000/- per year.

The website however does not provide any information on the revenue sharing between the Government and the Private partner.

Some time back, we had exposed the case of e2labs, which had used the Union Home Ministry, CERT IN etc. to promote its business and tried to convince investors to invest in its company. On verification with CERT IN it was found that the claims made by e2labs in the investment promotion presentation, prepared by a well known investment banker, were false. The information was later withdrawn.

Presently the coin.org.in project appears to be heading in the same direction.

For the record, we appreciate the nature of the venture. We have no issue with the project being a commercial project. However, using the Government and Mumbai Police to project this as if it were a Government project while retaining the entire commercial revenue for itself is not considered ethical. The disclosures on the website as of now do not provide a truthful representation of the status of the project, and there is every attempt to mislead and misrepresent the public to give the impression that this is a joint venture with Mumbai Police. The previous Mumbai Commissioner Mr Rakesh Maria’s speech, made at the time of launching the website, has been used for promotion along with the name of the Chief Minister Mr Fadnavis, who inaugurated the event at which the website was launched.

We hereby call upon the Maharashtra Government and the Mumbai Police to clarify:

a) if they have an equity stake in the project and a claim on the revenue and, if so, what is the share distribution?

b) If not, will they clarify if they are happy with the use of the Government for promotion with the revenue being entirely kept by the private partner? Or

c) Was the project envisaged as a non-profit venture and the private promoter has introduced a commercial element without the knowledge of the Government?

We also call upon the Private partner to clarify the nature of the arrangement between them and the Government, and whether they have permission to put Rakesh Maria’s speech on the website, the copyright of which is claimed by them.

We request both the Government and the Private partner to review their arrangement, make the service a free service (which may be restricted to law enforcement personnel if required) and remove the commercial aspects of the project.

If there has to be a commercial project in which the Government wants to pass on benefits to a private party, there will be needless questions on what procedure was adopted in selecting the private partner, whether any public notice was given of such a project, whether any other entities competed for the project, etc. All these will raise the issue of “Transparency” in Government administration, and I request the BJP Government in Maharashtra not to make yet another mistake that may show Mr Narendra Modi in a bad light.

Naavi

Posted in Cyber Law | 1 Comment

India Cyber Insurance Survey 2015 is set to close shortly. Add your views


The India Cyber Insurance Survey 2015, which tries to capture the views of stakeholders on the current status of the Cyber Insurance industry in India, is shortly set to close.

If you have not yet participated in the survey, kindly do so now. Your views would be valuable. To participate in the survey you need not be knowledgeable in Cyber Insurance nor an expert in Information Technology. If you find any question not relevant to you, mark it as “neutral” and proceed.

Click here for the form

Naavi


Posted in Cyber Law

A Techie Commits Harakiri… Why was he so naive?

M G Gokul, a techie in Bangalore, has been arrested for sending hoax messages through WhatsApp to Bangalore and New Delhi airports suggesting that bombs had been placed on 6 flights, causing an estimated loss of $ 1 million (Rs 650 lakhs).

Bangalore police should be congratulated for having solved the hoax message case within 48 hours and arresting Gokul. What was commendable was that the SIM card used for committing the offence was in the name of another person, Mr Jose, who was innocent and was a neighbour of Mr Gokul. Police did not get diverted by this prima facie evidence, which pointed to the innocent person as the offender, and went deeper into the use of the SIM card, with which they zeroed in on Gokul. The investigating Officer should be commended for his presence of mind and also for having persevered with the investigation until the real culprit was caught.

This was the second time that a Bangalore techie had sent messages to the Delhi airport about a bomb threat. The last incident was that of an Infosys employee who wanted to catch a flight which he could not reach in time and thought of delaying it by sending such a message. He was also caught immediately.

As somebody involved in Counter Cyber Crime activities for a long time, I wonder why the so called “Techies” do not realize that such messages would be traced easily and they would be caught and punished.

There could be two reasons. One is “Ignorance” that there are laws in India that make sending such messages punishable under ITA 2000 as well as under IPC or under Air Safety related laws. The second is “Technology Intoxication”, which makes them blind to the fact that Police may also be sufficiently intelligent to solve such cases.

These incidents also point to the negligence of the HR functionaries in these companies, who have not taken steps to educate their employees on the ethical aspects of the usage of technology. Hopefully these incidents will make at least some of the HR managers sit up and take action to build a basic ethical behavioural culture among their employees.

Refer article in Bangalore Mirror

If one goes through the article in Bangalore Mirror, one wonders if Gokul is another incarnation of Indrani Mukherjea, who had reportedly schemed the murder of her daughter and son and executed the murder of the daughter Sheena Bora in Mumbai.

Gokul not only schemed (as per the report) and murdered his wife but also laid an elaborate plan to win over his neighbour’s wife, first by forging letters in the name of an Archbishop and then by trying to frame the husband of the lady whom he loved. He is also reported to have tried to get Mr Jose framed by creating a Facebook page and putting ISIS promotion information therein.

It is interesting to note that both Indrani and Gokul had committed the offence of sending forged electronic messages and committing Cyber Crimes under ITA 2008. Though their other offences are graver and can lead to hanging or life imprisonment, the use of Cyber Crimes by ordinary IPC criminals as a common modus operandi seems to be clear. This highlights the need for Police to improve their skills and investigative resources for solving Cyber Crimes, because it can lead to the solving of many other non ITA 2008 crimes also.

The case of Gokul makes an excellent case study for criminologists on how an educated and well informed techie can misuse his knowledge and skill if he has no ethics but is unable to see the possibility of being caught by the Cyber Crime investigators.

Naavi

Posted in Cyber Law

Will the Supreme Court now strike down Section 124A of IPC?

The recent circular from the Maharashtra Government explaining the law of “Sedition” as mentioned in Section 124A of IPC has rightly opened up a debate on how the law can be misused.

Refer here for more information

For the record, the section states as follows:

Section 124A in The Indian Penal Code

124A. Sedition.—Whoever, by words, either spoken or written, or by signs, or by visible representation, or otherwise, brings or attempts to bring into hatred or contempt, or excites or attempts to excite disaffection towards, [***] the Government established by law in [India], [***] shall be punished with imprisonment for life, to which fine may be added, or with imprisonment which may extend to three years, to which fine may be added, or with fine.

Explanation 1.—The expression “disaffection” includes disloyalty and all feelings of enmity.

Explanation 2.—Comments expressing disapprobation of the measures of the Government with a view to obtain their alteration by lawful means, without exciting or attempting to excite hatred, contempt or disaffection, do not constitute an offence under this section.

Explanation 3.—Comments expressing disapprobation of the administrative or other action of the Government without exciting or attempting to excite hatred, contempt or disaffection, do not constitute an offence under this section.

Following a direction from the Mumbai High Court to the Government of Maharashtra that proper instructions be given to field level Police so that Section 124A is not misapplied, some official of the Government has issued a circular in Marathi. The press has indicated that the circular has tried to explain the views of the High Court, but in the process has stated that any criticism of a Government official (which term includes representatives of the Government such as MLAs, Zilla Parishad members etc.) will also come under this section.

It is obvious that for the Police in Maharashtra, who interpreted a “Like” of a Facebook posting as “Any message sent from a communication device” and arrested a lady, this circular gives a free licence to arrest persons under Sec 124A, which may result in “Life imprisonment” and is therefore cognizable and non bailable.

There are therefore no two opinions that the Maharashtra Government should not only withdraw the circular but also get an undertaking from every policeman in the State that he will not use Sec 124A IPC against any criticism of a Government representative unless it is accompanied by a threat of breaking the country, like what LTTE elements in Tamil Nadu or the Terrorist and some political elements in Kashmir indulge in.

Why I insist on such an undertaking is that Police are either too naive or sometimes crooked and apply non existent laws to harass people. We have seen that in two recent cases, one in Tamil Nadu and another in Maharashtra, cases have been booked under Section 66A, which has been scrapped by the Supreme Court (albeit for wrong reasons).

We have extensively discussed in these columns why the Supreme Court was wrong to simply believe that whatever Police constables interpret is the law, and therefore that if they make a mistake it is attributed to the law itself being bad rather than to the policemen being bad interpreters of the law.

I expect that the circular on Sedition, once issued, will therefore be used by the Police to harass people even after it is withdrawn. Hence a mere administrative withdrawal or clarification by another circular will not suffice. We need more visible action by none other than the Chief Minister of Maharashtra to reduce the possibilities of misuse of the circular. It would be better if the clarificatory circular states that erring Policemen will be booked for malicious misuse of the law.

In the meantime, if some capable person such as Shreya Singhal can move the Supreme Court and ensure that a bench consisting of Honourable Justices Nariman and Chelameswar hears the case, then it may be possible to get Section 124A struck down. Never mind the genuine cases where it would be required. It is not the responsibility of the Supreme Court to ensure that there are stringent legal provisions in our law as long as they can draw a link between Freedom of Expression and an errant police action!

Naavi

Posted in Cyber Law

“Let the Company die.. I will survive elsewhere”- attitude and Risk Absorption Capacity

There are no two opinions on the fact that the stake of society in general, and corporate entities in particular, in data is on the increase. Companies are investing a lot of their money to create data assets, and part of this data is “Sensitive” in the sense that its loss or compromise can cause huge damage to the Company and its customers.

In a recent limited study done in India, it was estimated that the average cost of a data breach in a Company is around Rs 8.3 crores. This would be much higher if the Customers whose data was lost had invoked legal compensation for the breach of data.

Companies need to think if they are willing to absorb such risks or take suitable steps to counter these risks.

Unfortunately, the financial risks are easily understood by the CFOs and CEOs but not by the CTOs or CISOs. At the same time, it is the CTOs and CISOs who report to the CFO/CEO the level of technical risk as they perceive it.

Unless the CFO/CEO understands the technical aspects of risk or the CTO/CISOs are able to make a financial assessment of the technical risks, neither of them can match the risks to the risk appetite of the Company.

There is also another psychological problem in CTO/CISOs sharing their real risk perceptions with the CFO/CEOs, because any report of unmitigated risk reflects on the efficiency of the CTO/CISO himself and will be self incriminating.

There is therefore a tendency for the CTO/CISO to underestimate the risks reported to the CFO/CEO. Since the CFO/CEO, who is not adequately informed about the technical aspects of risk, cannot challenge the views of the CTO/CISO on the extent of risks faced by the Company, or tell whether it is being underplayed by the CTO/CISO, the Company ends up under-securing its data assets.

In certain cases, the CFO/CEO may also be guilty of putting off required security activities for reasons of financial constraints in the hope that their company will be lucky enough to avoid any major losses.

Both groups, namely the CFO/CEO on the one hand and the CTO/CISO on the other, will therefore be trading on the probability that threats may not materialize in their environment.

This tendency has been observed in interactions with IS professionals in general and has been corroborated in the Cyber Insurance Survey 2015 that we are presently undertaking. It is amusing to see that many in the technical community are shying away from even providing their response to the survey, since the questions raise unpleasant memories of possible ways by which the company may lose money.

This is the classic problem of all insurance agents when they meet a prospective customer and try to convince him that his life is fragile and he needs insurance. At least Life insurance is avoidable, since once a person dies, the problems are for the survivors. However, in the case of Health Insurance, people are slowly realizing that living without Health Insurance Cover is dangerous, since they may incur expenses on health and survive to meet the debt liabilities.

The dilemma which Companies need to resolve is precisely that. Should I under-secure my assets and face the challenge when it comes? Or should I spend today’s profits to cover the fear of a data breach which may never materialize?

Some executives may however feel that Cyber Insurance is like life insurance: if my company dies, so be it; I will go over to some other Company and survive. Unfortunately this logic does not apply to the Promoters and to some CEOs. For them the death of the Company is the end of a life’s ambition.

Both the CEO/Promoter as well as the CXOs should realize that sometimes the escape will not be smooth enough to say “let the company die, I will survive elsewhere”, because the law may catch up with them and they may have to pick up criminal liability for negligence.

In this context, it is time for the Promoters of Companies or the Board of Directors of a Company to take the bull by the horns and question the CFO/CEO/CTO/CISO as a group, asking them tough questions on how they have evaluated the risks, how they have valued the risks and what the unabsorbed value of risk is for which the Company should be prepared to write a cheque in case of a data breach.

It is only then that the Company will realize that if the risks absorbed are greater than its risk appetite, it needs to call in a Cyber Insurer and negotiate a “Risk Transfer” contract.

I urge the Directors of all Companies to start thinking in this direction now rather than thinking of wriggling out of a data breach situation after it occurs.

I welcome the comments of CXOs and Directors of Companies on these views.

Naavi

Posted in Cyber Law