Do You Have a Question on Cyber Law?


Spreading the knowledge of Cyber Law has been a mission for Naavi. In continuation of this effort, Naavi has launched an Android App which can be used for sending questions on Cyber Law to Naavi.

The App titled “Cyber Law Guru” is available on Google App Store.

This app is meant to answer general questions on Cyber Law as an educative exercise and not meant for legal consultancy. If you have any questions which you want to ask Naavi outside the App, please send an e-mail.

Naavi


Posted in Cyber Law | Leave a comment

Should IS community be bearish on Cyber Insurance?


Information Security Professionals think that all the talk of Cyber Insurance is nonsense, since the risks are so huge that any company that insures Cyber risks is doomed to fail. Is this negative thinking justified? Let’s explore.

Cyber Insurance is a concept where an insured person or organization looks to claim recovery of a loss suffered on account of an adverse cyber event. The adverse cyber event could be a financial fraud, in the case of an individual who loses money from his bank account. In an organization, it could be a denial of service attack that causes business loss, or a hacking/data theft that leads to a reduction in business competitiveness. In the case of “Intermediaries” who process third party data, the adverse event could also be a theft or compromise of customer data leading to liabilities payable to customers.

While an individual will be happy if somebody can provide insurance cover against losses on account of Banking frauds, he does not know whether such policies are available and, if available, what they cost. Some Banks are persuading their credit card customers to take such fraud insurance, but the costs are unreasonably high and the cover is meant for liabilities that the Banks are expected to bear legally. Why should a customer bear the cost if the Bank makes a payment against a forgery? So the individual does not know how he should approach Cyber insurance. But he does expect the Government and the regulators, who are keen on Digital India, to do something to ensure that the financial risks of common day to day activities do not increase. Hence there is a need to push the Government for a Cyber Fraud Prevention Policy. Insurance companies are also not very keen on the retail market, since it may be uneconomical for them to manage the business from the point of view of administrative cost.

At the same time, providing Cyber Insurance to corporates is considered a lucrative business for the Cyber Insurance companies, and this market is in a take-off stage. There is, however, a lack of statistical data on risks, and hence the Cyber Insurance companies try to cap their liabilities by imposing several restrictions on claims.

In fact, Information Security professionals generally dismiss the talk of Cyber Insurance since they think that the threats are so great that anybody thinking of providing insurance to this sector is foolish. The more they know about the threats, vulnerabilities and risks, the less confidence they have in the feasibility of the Cyber Insurance proposition.

But what the IS professionals are not aware of is that the Insurance industry has seen risks of many types and has devised its own ingenious ways of providing insurance cover in an environment of uncertainty while still managing the risks.

For example, one way by which Cyber Insurance companies manage their risks is to put a cap on their liability per claim or per incident, with sub-limits of various types. Accordingly, for DDOS liability, the Cyber Insurance policy may place a limit on the loss per hour of disruption and cap the total loss at, say, not more than 1 day of disruption (this may vary from industry to industry). Similarly, in a data loss situation there can be a loss-per-data limit, a limit on total data loss in a single event, and a limit across multiple events during the policy period.

As a result, even if the estimated loss in a data loss situation is Rs 5 crores, and the Company has a policy of, say, Rs 25 lakhs, the actual loss reimbursed for a given data loss or a given DDOS disruption incident may be only, say, Rs 5 lakhs. Thus the risk of Rs 25 lakhs that the insurer has underwritten is spread over 5 incidents in a year, and if not the first, then the subsequent losses can be attributed to the insured not taking adequate security measures despite an earlier warning, which may be a reason for rejecting a claim. As a result, despite underwriting a policy of Rs 25 lakhs, and despite the insured suffering a loss of more than Rs 25 lakhs, the Insurance company may not really lose Rs 25 lakhs.

Some may jump to the conclusion that this is not fair. But what the insured needs to understand is that, just as an IS professional manages his technology risks, the Cyber Insurance professional manages the financial risks and has to have his own shields. In the process, it becomes necessary for the IS professional to ensure that “similar” security breach incidents do not occur repeatedly in his company, that “each security breach” does not result in a runaway loss, and that the company returns to its normal business within a short time. Essentially, having insurance does not allow the IS professional to be complacent. He has to be more responsible.

Information Security Professionals therefore have to appreciate that Cyber Insurers are ingenious enough to take on only such risks as they can bear. In fact, it is the best of the Information Security professionals who will be assisting the Cyber Insurance companies in formulating policy conditions, conducting pre-insurance evaluations and assessing claims. The best forensic professionals are engaged by the industry to find the root cause of an incident and whether there is any ground to attribute the loss to the negligence of the Company. So the Cyber Insurers are fully aware of the risks they are underwriting and have taken the necessary steps to meet their liabilities even when a zero day attack creates havoc in the insured company.

It is clear, therefore, that Information Security Professionals need to shed their bearish outlook on the Cyber Insurance industry and appreciate that this is an industry set to grow rapidly in the coming years. In fact, Information Security professionals should be excited about the new career opportunities that the Cyber Insurance industry is opening up, both among the prospective users of Cyber Insurance products and within the Cyber Insurance industry itself.

Naavi


Cyber Security Subsidy for SMEs in UK

After the attack on Sony in the US, Naavi.org had pointed out that there is a need for Government subsidy for SMEs towards the maintenance of Cyber Security. Now, in a move which supports this view, the UK Government has come up with an innovative scheme to improve Cyber Security investment in SMEs through a system of Cyber Security vouchers to cover expenses such as hiring experts.

Read the article here

The launch of the voucher scheme is part of a package of initiatives designed to increase the resilience of UK businesses to cyber-attacks. The new UK £1 million cyber security innovation vouchers scheme will offer micro, small and medium sized businesses up to £5,000 for specialist advice to boost their cyber security and protect new business ideas and intellectual property.

There is a lesson in this for Indian Digital India managers. We also need a similar scheme to augment the cyber security in the system.

The scheme needs to be innovatively designed and effectively supervised so as to ensure that the funds are used productively.

This could be part of the overall Cyber Security policy of the Government, and needs to be explored further.

Naavi


Why Do we need a Cyber Fraud Prevention Policy?

The Ministry of Information Technology already has a National Cyber Security Policy, adopted in 2013 under the Kapil Sibal ministry and continued by the new Government. The Cyber Security Task Force of NASSCOM-DSCI has tried to take a deeper look at the policy issues involved in the Digital India initiative, which may require some changes to the strategic elements of the policy.

The National Cyber Security Policy 2013 identifies the following as its vision statement:

“To build a secure and resilient cyberspace for citizens, businesses and Government”

The Mission statement proceeds to state as under:

“To Protect Information and Information Infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation”

It may be observed that while the vision statement includes the “security of citizens” as one of the objectives, the mission statement focuses only on “Protection of Information and Information Infrastructure”. Protection of “Citizens” is not found in the mission statement. This is the typical approach to information security, which we often call the “Technical Approach”, and it fails to recognize that behind every piece of information there are “people”. This approach also fails to recognize that when there is a breach of information security, these information owners get hurt, and hence an information security policy should treat the protection of the people behind the information as the main objective of any security initiative.

To draw a parallel: if there is a terrorist attack on a building containing people, the security objective of “secure the building from collapsing” will be good enough to prevent the people from direct exposure to gunfire, but will not be sufficient to prevent a biological attack in which a lethal gas is aimed at the air vents. The security focus cannot therefore be the building, but the people behind the walls of the building.

Similarly the vision and mission statement of a National Cyber Security Policy should consider protection of Citizens as the core focus and cannot stop at protecting the infrastructure which is only a step in the direction.

This is the prime reason why the National Cyber Security Policy as it exists is inadequate to protect Citizens (who will also be Netizens in this context), and why we need a separate policy for the protection of Citizens and Netizens. (Naavi.org has once called them Cinezens.)

Since we already have a National Cyber Security Policy in place, in order to ensure the protection of Citizens and Netizens without needing to scrap this policy, we suggest building additional sub-policies within the cyber security policy to protect people from the vagaries of Cyber Space.

The role of this policy within the overall context is indicated below.

(Figure: cyber_fraud_policy2, diagram of the Cyber Fraud Prevention Policy within the overall policy context)

The protection of people from the adverse impact of developments in Cyber Space consists of two distinct facets. One is the “Financial Impact” and the other is the “Non Financial Impact”. The non financial impact consists of reputational harm that is difficult to convert into monetary terms. All other adverse aspects of Cyber Crime/Terrorism/Warfare that have a financial impact can be brought under one category.

We need a policy exclusively addressing the protection of Citizens from such financial losses. We can have a single policy to address all incidents of financial loss suffered by Citizens, irrespective of whether the cause is an act of Cyber Crime, Cyber Terrorism or Cyber Warfare. This aggregation is required since the end victim cannot distinguish a crime committed by an individual for himself from one committed on behalf of a terror outfit or a state actor.

It is this sub-policy which we shall call the “Cyber Fraud Prevention Policy” and urge the Government to formulate as a part of the Digital India project.

The undersigned has created a local circle to take this discussion further on www.localcircles.com with the title “Save Digital India from Cyber Frauds”. If you have a view on this subject and wish to contribute to the formulation of a draft policy which can be forwarded to the Government, I request you to join the local circle.

Naavi


Save Digital India From Cyber Frauds

We are all Netizens who depend on Internet for our day to day communications as well as transactions. It has been several days since we have visited Banks physically and are happy to transact through Internet and Mobiles. Come to think of it, all our financial assets whether it is our Bank savings or shares, are in the form of digital assets and are controlled through mobile apps.

Ask any Cyber Security expert, and he will vouch that Apps are inherently unsafe, and so are computers. Targeted phishing, sophisticated trojans created by state actors, spyware created by hacker networks which even the FBI is willing to buy, and a well developed underworld where our credit card and ATM card details are available for a price, all threaten every rupee that we hold in the Banks.

Recently, the Economic Times carried an article titled “Cyber frauds increased after growth in mobile banking, NEFT and RTGS: Study”. The article referred to a study conducted by ASSOCHAM and stated that Mobile Banking is being used by 2.2 crore account holders out of the 58 crore total bank account holders in India. Mobile banking transactions themselves jumped from Rs 1819 crores in 2011/12 to over Rs 10000 crores in 2014/15. The study also stated that mobile frauds jumped from Rs 10 crores in 2011/12 to around Rs 70 crores in 2014/15. This indicates that while usage grew by 5 times, frauds grew faster, by 7 times. In other words, frauds are growing at a rate 40% faster than usage.

If we consider that the fraud data is under-reported, it is clear that frauds grow at rates faster than usage. An extrapolation of the ASSOCHAM study indicates that if, in the next decade, the entire Banking sector starts using mobile banking, the frauds would grow to around Rs 2100 crores. Our own estimate is that even this is an underestimation.

These frauds only take into account individual cyber crimes. If we consider the possibility of cyber terrorism and cyber warfare, Cyber Risks can create an economic wipe-out of our country if we do not realize the risks and take effective counter action.

Does the Government of India, which is set to usher in a “Digital India” for our benefit, know about the risks? We should say that they do know the risks. After all, Mr Modi has made a statement that India should focus on Cyber Security to the extent that we should lead the world in this domain. This was a statement I made more than 10 years back, and we can rejoice that at least now a Prime Minister of India has realized the importance of Cyber Security.

But is it sufficient if we are only thinking of how to build a business in Cyber Security, like Israel has done?

The Digital India initiative is set to increase the dependence of Netizens on the Internet for every aspect of our lives. Along with this dependency, what is increasing is the Cyber Fraud Risk. Today there are hundreds of frauds happening in mobile Banking and Internet banking. Most of them are, however, not reported, and the RBI is content in claiming that the losses are not too disconcerting. As the Digital India initiative progresses further, we will have more frauds that will start eroding the wealth of the Indian public. Then one day an attack by a Pakistani terrorist group or the Chinese Cyber army will close down all Banks through a cyber attack, and Indians will face a situation like the people of Greece, when all ATMs will be empty and no money can be withdrawn. Probably our money will also be siphoned off to fund the terrorists to create more physical damage to our property and people.

In such a scenario, we need to initiate suitable policies at the Government level to tackle the problem of financial frauds through Cyber crime, cyber terrorism and cyber warfare.

The DOT has a policy on Cyber Security but it does not focus on the “Security of Financial Assets of Netizens”. Recently the DOT came up with a policy on Net Neutrality but not on Netizen safety.

The RBI has so far failed in its statutory responsibility to secure the Indian Banking scenario. Mr Raghuram Rajan appears to be completely oblivious to the needs of Secured Banking and cannot look beyond monetary policy and Inflation control.

We the Netizens therefore need to organize ourselves to bring enough pressure on the Government to focus on Cyber Fraud Control. Naavi.org has been working in this direction for a long time and will continue to do so. As another step in this direction, we have created a local circle titled “Save Digital India From Cyber Frauds” and invite all like-minded persons to join the forum and express their views, so that our combined voice reaches the otherwise hard of hearing administrators.

The link to the local circle is available here.

A request for joining can also be sent to the undersigned so that an invitation can be sent.

Join the forum and help in the development of a draft Cyber Fraud Protection Policy for Netizens in India, which shall be the key deliverable that this special interest group will aim at.

Naavi


Dendroid malware writer arrested

In yet another instance of a “Deviant mind” inside an otherwise brilliant security professional, a 20 year old security researcher, who has worked as an intern in a security company doing research on mobile malware, has been arrested for creating malware himself.

The malware created by Morgan Culbertson of Pittsburgh infects Android phones, steals data and takes control of the device. It can stealthily take screenshots, photos, videos and audio recordings from the target phone. The software was sold for $300 in the underground market. The incident came to light with the busting of the online black market identified as “Darkode”.

While one can regret the nature of human tendencies to misapply our capabilities to wrong ends in greed for money, the incident also highlights the need for better psychometric analysis of people who work in security research companies.

More information is available here

Naavi
