It was heartening to note that Tech Mahindra has reportedly started using digital signatures for sending out its job offers to counter the phishing mails sent in their name. (See Report Here).
This has been a continuing demand of the undersigned for the last decade and I am happy to note that at least now one company has realised the importance of being Cyber Law Compliant. We presume that this would be because of some enterprising and committed individual in the IS department who is different from others. We congratulate this anonymous IS professional for his initiative.
We may note that, in the phishing case in which ICICI Bank was ordered to pay compensation to its client Mr S. Umashankar, who had suffered a wrongful loss on account of a phishing mail, the Adjudicator of Tamil Nadu pulled up the bank for not using digital signatures on its mail communication to clients. Banks have still not learnt their lessons since the lethargic judicial system of India supported by the lethargic bureaucracy is available to them to prolong litigations and harass their customers into submission in such cases. But we have faith in the adage “God Sees the Truth But Waits” and one day Banks will realize that they would be held liable for Phishing because they failed to use digital signatures on their mails as a continuing practice.
It was also reported (See report here) that the opening of emails with subjects such as “Salary Hikes for Government Employees” was a reason for a Pakistani firm stealing data from Government functionaries. If the Government had adopted the use of digital signatures for their internal communications, the possibility of such data thefts could have been reduced.
Having reiterated the need for the use of digital signatures by corporates as a part of the ITA 2008 compliance requirements in India and as a risk mitigation measure in general, it is also necessary to point out two other aspects that have a bearing on the use of digital signatures.
Firstly, the “Ponemon Institute’s 2015 Cost of Failed Trust Report” revealed that most organizations believe the trust established by cryptographic keys and digital certificates, which they require for their businesses to operate, is in jeopardy. This study, done across 2300 IT security professionals in Australia, France, Germany, UK and US, concludes that in the next two years attacks on keys and certificates are likely to increase and threaten the crypto systems. Security professionals look at the possibility of a “Crypto-apocalypse”, a scenario where standard algorithms of trust like RSA and SHA are compromised and exploited overnight. (Apocalypse=pralayaMtaka darshana/shruti/saakshaatkaara, in Sanskrit or Kannada)
In the light of this survey, we are in a situation where we need to ask “Are we in India ready to face the consequences of a Crypto-apocalypse?”
My recent encounters with some of the certifying authorities indicate that even those who are using digital signatures in India are doing so in an extremely insecure manner and the CCA is itself grossly negligent in turning a blind eye to the situation of organized non-compliance of ITA 2008 by certifying authorities.
Wish CCA responds to this post.