Monthly Archives: March 2014

DOT India Asks ISPs To Adopt New Cyber Security Measures Including Securing Home ADSL And Broadband

DOT India Asks ISPs To Adopt New Cyber Security Measures Including Securing Home ADSL And BroadbandRouter and modems insecurity is a major cause of concern for governments around the world. Cyber criminals are targeting routers and modems used by home users’ for a broadband connection. In most of the case the routers and modems come with standard login and password credential for practical reasons and convenience. The manufacturers of routers and modems expect the end user to change their login credentials and password. However, a majority of home users do not change such crucial information and this make the routers and modems vulnerable to various cyber attacks.

Amid growing threats of cyber attacks and hacking of websites, the Department of Telecommunications (DoT) has prescribed the security measures to be adopted in ADSL Modems to safeguard against misuse (PDF). These security measures must be adhered to by internet service providers (ISPs) of India within 60 days of the formulation of these measures. This is asking too little from the ISPs as there are other major telecom security issues in India that are still not redressed properly. The truth is that Indian telecom networks are highly vulnerable to cyber security threats.

DoT has noted that crackers have been exploiting vulnerabilities in the asymmetric digital subscriber line (ADSL) modems. The ADSL modems are usually installed by broadband service providers at homes and offices. DoT has written to all ISPs to “assist customers to change the password, including by physical visits”. It has also come out with a new set of guidelines for ISPs that must be implemented by May 2014 to ensure security of almost 1.5 crore fixed-line broadband users.

The ADSL modems are presently supplied by vendors with default set up of user ID and password as “admin’. The default password needs to be changed to a strong password by customer at the time of installation of modem to avoid unauthorised access to modem. The ISP executive visiting customer for installation of modem should ensure this.

The protocol ports in ADSL modem on WAN side [for example, FTP, TELNET, SSH, HTTP, SNMP, CWMP, UPnP] be disabled. These ports may be used by the hackers to enter into the ADSL modem to misuse/compromise the ADSL modems by way of implanting the malware, changing the DNS entries in the modem.

In other instructions, the ISPs have been asked to devise a “mechanism to upgrade the firmware of the ADSL modems remotely by ISPs”. For this, the ISPs need to have separate login password, which is not possible in the present system of ADSL modem design. The DoT has asked the ISPs to tell their customers to check their online daily usage, and if any unexpected high usage of data is noticed, they may bring it to the notice of the ISP concerned. Customers should also be advised to switch off their modem when not in use. Readers of this blog may see the document (PDF) for a detailed analysis.

National Security Council Secretariat (NSCS) Wants Reliance Jio Infocomm To Share Potential Cyber Security Threats On India’s Telecom Networks

National Security Council Secretariat (NSCS) Wants Reliance Jio Infocomm To Share Potential Cyber Security Threats On India’s Telecom NetworksGovernments around the world are stressing upon stringent cyber security breach disclosures norms but telecom companies are opposing the same on cost and other burdensome regulatory reasons. Nevertheless the governments across the globe are working in the direction of forcing the telecom companies to disclose the cyber security breaches.

There is no universally acceptable international cyber security treaty (PDF) and countries across the globe have adopted a national approach toward cyber security. However, the way sophisticated malware are developed by nations as a cyber warfare and cyber espionage weapon, this national approach is of little help and significance.

India has also decided to formulate a cyber security breach disclosure norm in the past. However, keeping in mind the slow pace at which Indian government works in the field of cyber security, this may take few more years before this much required security practice is actually implemented in India.  The cyber security trends in India 2013 (PDF) have underlined many crucial cyber security lapses of India.

Indian government has already formulated the cyber security policy of India that intends to cover some of the crucial cyber security aspects of the nation. However, the cyber security policy has not been implemented till now and it may take few more years before some action can be expected in this regard from Indian government.

Indian government has also tried to spread cyber security awareness in India. It has mandated that a cyber security brochure must be essentially supplied along with hardware to spread cyber security awareness among Indian consumers. However, telecom and hardware vendors are not happy with this direction and they are postponing this requirement for one reason or other.

Meanwhile, the National Security Council Secretariat (NSCS) has urged the Reliance Jio Infocomm to become part of an industry platform which shares information with the government on potential cyber security threats to the country’s telecom networks. The NSCS says “it is important to involve Reliance Jio in sharing information on potential cyber threats, trends and incidents to enable the government to take suitable counter measures”.

The matter was recently discussed at an internal meeting of the Joint Working Group on cyber security chaired by NSCS secretary and Deputy National Security Advisor Nehchal Sandhu. The NSCS is the apex agency looking into India’s political, economic, energy and strategic security concerns and works closely with the Prime Minister’s Office (PMO).

India’s security establishment wants regular leads on potential cyber security threats from Reliance Jio as it is the sole holder of a pan-India 4G permit and is slated to roll out high-speed broadband services later this year on the long term evolution (LTE) technology standard. Last month, Jio also entered the voice segment by buying 1800 MHz band spectrum in 14 regions for nearly Rs 11,000 crore as a precursor to launching 4G services on the frequency band.

In the meeting, the telecom department’s security chief Ram Narain said that Jio is mandated by license conditions (PDF) to share information on potential cyber threats. Besides, the national telecom security policy of India 2014 may impose more stringent obligations than the licence conditions. As the foreign telecom companies are facing the heat of cyber security and telecom security in India, this is a good opportunity for Indian telecom companies to extend their commercial base in India. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission Cellular Loop’s Proposal would also strengthen mobile based surveillance on national security grounds in India.

Clearly, the intentions to ensure critical infrastructure protection in India (PDF) are taking a concrete shape. The National Technical Research Organisation (NTRO) has been assigned the task of protecting the critical infrastructure of India.

As Reliance Jio is still not part of any of the telecom industry bodies like the GSM’s Cellular Operators Association of India or the CDMA’s Association of Unified Telecom Service Providers of India (Auspi) who have both supported creation of the Information Sharing and Analysis Centre (ISAC), the agency that will collate all classified industry feedback on potential cyber threats and vulnerabilities in telecom networks across technology platforms.

The latest developments come at a time when the telecom department is framing testing standards for telecom gear to shield networks from potential cyber attacks. India is also readying a cyber security framework, a cyber security policy and a National Cyber Coordination Centre (NCCC) that will monitor metadata on cyber traffic flows.

Telecom Security Policy Of India 2014 And Unconstitutional E-Surveillance Issues

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIndia literally borrows a majority of Security and Intelligence related ideas from United States (U.S.). This creates many unique problems for India. Firstly, these projects and ideas are meant for western countries and they are not at all suitable for a country like India. Secondly, if something goes wrong with the U.S. model, the “Infirmity and Irregularity” automatically creeps into Indian Projects and Initiatives as well.

In U.S., Civil Liberty Activists have started challenging U.S. Government’s E-Surveillance Projects and Policies. Even U.S. Courts have started taking a strict note of these E-Surveillance Activities of U.S. Agencies. Recently, the Massachusetts Supreme Judicial Court declared that phone users have Legitimate Expectation of Privacy while using their phones. Similarly, the Texas Appeals Court ruled that law enforcement officials do need a warrant to search an arrested person’s cell phone he/she has been jailed.  The U.S. Government is also facing many lawsuits regarding illegal and excessive gathering and retention of phone details and metadata. The White House is also facing limited and difficult options to restructure National Security Agency’s phone surveillance program.

Now let us come to India that “Dedicatedly and Blindly Follows” these U.S. Models. The Cell Site Data Location Laws in India and Privacy Issues are still ignored by Indian Law Makers. The Cell Site Location Based E-Surveillance in India is rampant “without any Regulatory Checks and Judicial Scrutiny”. We have no dedicated Data Protection and Privacy Rights Laws in India.  Even the Fifty-Second Report of Standing Committee on Information Technology (2013-14) titled Cyber Crime, Cyber Security and Right to Privacy (PDF) has slammed Indian Government for poor Privacy Laws in India. The Cyber Law of India and the Indian Telegraph Act, 1885 also deserve an “Urgent Repeal”.

India has also launched E-Surveillance and Privacy Violating Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. Even the essential E-Surveillance Policy of India is missing till now.

Now it has been reported that Indian Government plans to put in place systems and regulations that will allow Law Enforcement Agencies to trace cellular phone users and provide access to targeted communication, text messages, information data and even value added services on a real-time basis, according to the draft guidelines of the country’s Telecom Security Policy.

The Department of Telecommunication (DOT) has proposed comprehensive norms in the draft policy after the Ministry of Home Affairs expressed strong reservations since the department had not created provisions for law enforcement agencies to intercept communication.

In a version of the draft policy that addresses National Security concerns, the DOT has said that the policy would “put in place effective systems, processes and regulations to ensure the traceability of telecom users or devices in terms of identity, permanent address and current location with specified accuracy and resolution in the case of need”. India intends to deal with Telecom Security issues in an in-depth manner as the open telecom environment has made it easier to intrude on networks and cause damage to information they contain. The recent allegation of hacking by Huawei of Indian Telecom Infrastructure proves this point. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission’s cellular loop’s proposal would strengthen Mobile Based Surveillance in India on National Security Grounds.

Techno Legal Compliances like Privacy Law Compliances, Data Protection Requirements (PDF), Cloud Computing Compliances, Encryption Related Compliances, Cyber Law Due Diligence (PDF), etc are not followed by the Law Enforcement Agencies of India. The Telecom Security Policy of India must address all these issues while keeping in mind the Telecom and National Security of India. Further, India must Reconcile Civil Liberties and National Security Requirements as well.

The proposed policy also envisages providing analysis of information and data including decrypted messages, flowing through the telecom network, stored in systems and devices. Abilities of security agencies to analyse information quicker will be enhanced by making latest technology and systems available which will cut down delays and minimise information leakage.

However, security agencies will uphold privacy rights of Indian citizens, the draft norms said. This is difficult to believe as the proposed Privacy Law of India is already facing Intelligence Agencies Obstacles. Even the National Cyber Security Policy of India has failed to protect Privacy Rights in India.

A Telecom Security Directorate (TSD) has been proposed for implementing and updating the proposed Telecom Policy. Meanwhile, security certification centre for testing telecom equipment, centralised monitoring system for interception and monitoring and emergency response team for detecting and analysing cyber attacks, internet traffic hijacks and telecom sectoral frauds would be created.

DOT is of the opinion that the sector requires a separate security policy since the cybersecurity policy is not sufficient to deal with security issues specific to the telecom industry that has created critical information infrastructure.

The Government will largely depend on mobile phone companies that will implement the security instructions as a key stakeholder and also share the cost with the government. Telecom operators would have to build systems, procedures and methods to make their network resilient so that any damage has a minimum impact on the network and it can be revived quickly.

Telcos would have to share information on attacks on their networks, intrusion and frauds with Government agencies, including telecom sectoral CERT, the national CERT and the National Cyber Coordination Centre, that may monitor all web traffic passing through internet service providers in the country and issue ‘actionable alerts’ to government departments in cases of perceived security threats. Indian Government is also planning a legislation mandating strict Cyber Security Disclosure Norms in India.

These Proposals, Policies and Initiative are not only “Controversial and Unconstitutional” in nature but they are also far from being actually implemented. At the time of their implementation, they must be supported with “Constitutionally Sound Laws” to avoid “Constitutional Attacks”. Otherwise this would only increase unnecessary and unproductive litigations in India.

Telecom Commission Cellular Loop’s Proposal Would Strengthen Mobile Based Surveillance On National Security Grounds

Telecom Commission Cellular Loop’s Proposal Would Strengthen Mobile Based Surveillance On National Security GroundsRecently the National Cyber Security Policy of India 2013 (NCSP 2013) (PDF) was released by Department of Electronics and Information Technology (DeitY). However the same was not made part and parcel of the National Security Policy of India. Further, the cyber security policy of India itself was insufficient and weak on many counts including lack of privacy safeguards. The cyber security policy is also not at all framed to cover the telecom security aspects as well.

India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. It would also be interesting to see what types of telecom security policies would be implemented for border regions of India. Telecom security in India is not in a good shape and Indian telecom infrastructures are vulnerable to numerous cyber attacks. Recently it was reported that Huawei was accused of breaching national security of India by hacking base station controller in AP.

We have no implementable cyber attacks crisis management plan of India. The critical ICT infrastructure of India (PDF) is in a poor shape.  The cyber security trends of India 2013 (PDF) proved that India has still to cover a long field before cyber security can be effectively implemented in India. Thus, telecom infrastructures and equipments located at borders of India would be more vulnerable to cyber attacks than general telecom infrastructures of India.

The Telecom Commission may clear an Rs 7,103-crore rollout of Greenfield 2G networks in regions close to the Chinese and Bangladesh borders. These regions are presently outside the mobile loop. There are 8621 villages in locations of strategic importance across the northeast that are proposed to be brought under the cellular loop for the first time to bolster mobile-based surveillance on national security grounds.

Universal Services Obligation Fund (USOF), which will fund the project, will shortly invite bids from telcos for rolling out nearly 6,700 base stations in these regions. The USOF is the Department of Telecommunication’s (DOT) rural network infrastructure financing arm.

But it remains to be seen whether USOF will tweak tender norms to ensure any future cost escalations triggered by India’s spectrum reframing policy are shouldered by telecom operators. It would also be relevant to observe how the telecom security and cyber security aspects would be managed by Indian government in the near future.