Cyber Crimes And Cyber Attacks Insurance In India: A Techno Legal Perspective

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBInsurance business is well structured and well established in India. Even the regulatory framework in the traditional insurance sector is well managed by Indian government. With the passage of time, new avenues are now available for the insurance business. One such avenue comes from the adoption of information and communication technology (ICT) in our daily lives and the misuse of the same by criminal elements.

Perry4Law has been advocating use of cyber insurance since 2004 and from that year onwards we have been keeping a close watch upon the developments in this field at both national and international levels. Cyber insurance was adopted by developed nations earlier than India as it is only now that Indian insurance companies and Indian companies and other individuals have realised the importance of cyber insurance.

Information Technology Act, 2000 (IT Act 2000) prescribes adoption of adequate cyber security practices and cyber law due diligence (PDF) by Indian companies and individuals. Even technology companies, financial institutions and e-commerce websites are required to observe cyber due diligence in India and this requirement cannot be ignored anymore. A special attention must be given to the Information Technology (Intermediaries Guidelines) Rules 2011 (PDF) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (PDF) by those engaged in technology related business in India.

Regulatory compliance requirements under the Indian Companies Act 2013 (PDF) have added many legal obligations on the part of Indian companies and their directors. These include the liability of directors for cyber law and cyber security breaches and a liability for not following cyber law and cyber security legal obligations while conducting the functions of their respective companies.

Foreign companies and e-commerce websites having a business presence in India would now be required to register in India. This would also make them amendable to Indian laws and to face legal obligations for their non compliances. For instance, the recent cyber breach at Target Corporation has exposed it to litigation in multiple jurisdictions around the world.

Cyber breaches in India would raise complicated cyber law issues in the near future. For instance, cyber security issues of e-commerce business in India need to be discussed and implemented by Indian government and insurance companies. Similarly, cyber due diligence must also be outlined and implemented for online payment makers. Maintenance and inspection of document in digital form under corporate laws of India would also raise privacy, data protection (PDF) and cyber security issues.

All these aspects need a dedicated techno legal framework that is presently missing in India. Similarly, corporate frauds investigations in India would need scientific technologies and methods like e-discovery, cyber forensics, etc. If cyber security (PDF) and cyber forensics (PDF) trends in India are considered, this is a big challenge for Indian government, insurance companies and other corporate stakeholders. If cyber insurance has to be considered to be a potential source of revenue by insurance companies and adequate protection by Indian company ies, they have to work hard in their respective fields.

Merely entering into an insurance agreement for cyber insurance purposes would create more trouble than solutions as complicated techno legal issues are involved in international cyber crime and cyber attack cases. For instance, insurance companies and affected companies may also face and have to tackle conflict of laws in cyberspace, authorship attribution for cyber crime and cyber attacks, refusal and non cooperation by foreign governments and companies in cyber crimes investigations, etc.

In these circumstances, not only the cyber insurance agreements must be properly drafted by insurance companies but techno legal investigation skills must also be used for investigating cyber crimes and cyber attacks cases by both the affected companies and insurance companies.

India Opposes Proposal To Include Cyber Security Technologies Under The Wassenaar Arrangement

India Opposes Proposal To Include Cyber Security Technologies Under The Wassenaar ArrangementOne of the ways to prevent technologies and weapons from falling into wrong hands is to restrict and regulate their export out of the jurisdictions possessing the same. By putting export restrictions, weapons and technologies can be exported according to set norms and under scrutiny.  The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) is one such arrangement between many western countries.

The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability. Participating States seek, through their national policies, to ensure that transfers of restricted items do not contribute to the development or enhancement of military capabilities. The decision to transfer or deny transfer of any item is the sole responsibility of each Participating State. All measures with respect to the Arrangement are taken in accordance with national legislation and policies and are implemented on the basis of national discretion.

The Wassenaar Arrangement is focusing primarily on the transparency of national export control regimes and not granting veto power to individual members over organisational decisions. It is not a treaty, and therefore is not legally binding. However, through its collective decision making process, it can prohibit the transfer of a particular technology to non member nation(s). India is one such non member Nation and she has keen interests in import of technologies like cyber security software and hardware.

UK, France have now proposed amendments to Wassenaar Arrangement to include cyber security technologies. Naturally, India has expressed her concerns regarding this attempt as India is primarily dependent upon foreign nations for her cyber security related requirements. Changes were made to the Wassenaar Arrangement in December 2013 at a plenary meeting held at Vienna following the Snowden revelations.

”These changes could have severe impact on India’s cyber security programme — both software and hardware — as these would come under export control regime, the entire inventory of high-end cyber technology is with the Western countries like the US and they may deny products to Indian organisation,” said a senior Government official.

A high level meeting of the National Security Council was recently held to discuss the next course of action. The problem is that the products included in the control list have not yet been made public and the next round of plenary meeting to be held at the end of this month is expected to see the formal adoption of this agreement.  Since India is not part of the agreement, it does not have access to the decisions or means to influence the proceedings. Therefore, Indian may seek membership to the exclusive club.

“The best way to deal with this would be to have our own technologies and invest in R&D but that would take time. We would like to engage with countries like US and UK to take our view on board before listing out products under export control,” said a Government official directly dealing with the issue.

The official also said that as a pre-emptive move India was looking to purchase critical technology before the new arrangement is finalised. An expert committee has been set up to figure out the future course of action, including negotiating with six countries — the US, the UK, Israel, Germany, France and Canada.

CERT-In has claimed that some softwares supplied to India are tweaked which become prone to hacking. India was given a solution of the “Heart Bleed” malware, which impacted security of softwares, by vendors after a year of its discovery. Software companies under the product sale agreement are bound to provide solution of any vulnerability found in their product(s) immediately after detection.

Sources said Ministry of External Affairs was of the view that high technology items are always an issue for the US but India could influence the decision by seeking membership of the Wassenaar Arrangement.

Intelligence Agencies Reforms In India Are Urgently Needed

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIntelligence Agencies play an important role in protecting National Security of a country. They help in maintaining Internal and External Security of a Nation. The very nature of their functioning and work requires some degree of Anonymity, Secrecy and Confidentiality. However, this must not be confused with “Non Accountability” and “Lack of Transparency”. Unfortunately, Indian Intelligence Agencies have become synonymous to Non Accountability and Lack of Transparency.

World over it has been accepted that there must be a balance between National Security and Civil Liberties Protection. The United Nations (UN) Third Committee has also approved a text titled Right to Privacy in the Digital Age. This is in recognition of the Privacy Right in the Information Era that has gained prominence off late. It also means that the Big Brother must not “Exceed its Limits” as prescribed by the Human Rights and Civil Liberties Protection in Cyberspace.

India is clearly inclined to become an “Endemic E-Surveillance State” with no respect for Constitutional Rights and Civil Liberties. The journey of India “From Welfare State to E-Police State” began in 2009 with the notification of Information Technology Amendment Act, 2008 and it became complete in the year 2014 with the introduction of E-Surveillance Projects like Central Monitoring System (CMS) and Internet Spy System Network And Traffic Analysis System (NETRA) of India. I even suggested in May 2013 that Indian CMS must be subject to Prime Minister Office (PMO) “Scrutiny and Intervention”.

Nevertheless, the Big Brother Initiatives in India remained unaffected. In fact, the Congress Government made it “Absolutely Sure” that various E-Surveillance Projects are not only “Kept Alive” but they should also be “Made Immune from Judicial Scrutiny”. Our Constitutional Courts also did not consider it necessary to interfere and take appropriate actions.

To make the matter worst, we have no E-Surveillance Policy of India. It is now well known that Indian Government forced Telecom Companies like Vodafone to install “Secret Wires” to indulge in Unconstitutional E-Surveillance and Phone Tapping. Similarly, Indian Telecom Infrastructures have been constantly used for indulging in Unconstitutional E-Surveillance Practices as we have no implementable Telecom Security Policy in India.

In other jurisdictions, new methods of E-Surveillance are devised on regular basis. For instance, use of Radio Waves and Malware United State’s NSA for World Wide E-Surveillance is well known. The Department of Justice (DOJ) has recently announced a New Reporting Methods for National Security Orders. India on the other hand, is not at all interested in making its Intelligence Agencies and E-Surveillance Projects “Accountable to the Parliament”. This is a situation that needs to be urgently changed as it “Undermining the Constitution” and “Rule of Law” has no meaning and significance in these circumstances.

Indian Government does not understand and accept that Law Enforcement and Intelligence Work is “Not an Excuse for Non Accountability”. For some strange reasons Intelligence Infrastructure of India has become synonymous to Unaccountability and Mess. There is neither any Parliamentary Oversight nor and Transparency and Accountability of the working of Intelligence Agencies of India.

Perry4Law has already provided a “10 Point Legal Framework for Law Enforcement and Intelligence Agencies in India” (PDF) to the Government of India in September 2009. However, the Indian Government failed to act upon the same and to formulate a Techno Legal Framework accordingly.

In a Recent Landmark Judgment (PDF), the constitution of CBI was held Unconstitutional by Gauhati High Court. In my personal opinion, the decision of Gauhati High Court declaring CBI unconstitutional is “Legally Sustainable”. Although almost all have criticised this decision of Gauhati High Court yet it is “Neither Absurd nor an Uncalled One”. Parliamentary Oversight of any Law Enforcement Agency is the “Core Requirement” under Indian Constitution. However, our Intelligence Agencies and many Law Enforcement Agencies, including CBI, are not governed by any sort of Parliamentary Oversight.

Unfortunately, the Supreme Court of India stayed this decision. This may be for a good cause if the Modi Government utilises this opportunity to formulate suitable Law for CBI and other Intelligence Agencies of India. However, this exercise of Supreme Court would be the “Most Unfortunate One” if there is no action in this regard by the Modi Government. So what should be the Modi Government’s next step?

Firstly, there is an urgent need to repeal draconian laws like Telegraph Law and Indian Cyber Law. Secondly, there is a dire need to formulate dedicated Telephone Tapping Law of India as soon as possible. Thirdly, India “Must Reconcile” the Civil Liberties and National Security Requirements but the same is presently missing. Indian Government is also “Not Serious” about formulating a dedicated Privacy Law for India. Data Protection and Privacy Rights in India are in real bad shape.

Fourthly, India’s own Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), NETRA, etc are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. In short, Intelligence Infrastructure of India needs Transparency and Strengthening to make it “Effective and Accountable”.

With the new Government some action in this regard is expected but only time would tell whether Modi Government would “simply step into the shoes of Congress” or actually protect the Constitutional Rights of Indian Citizens.

Cyber Security Of Banks In India Needs Strengthening

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIndian Cyber Security has been ignored for many years by the previous Governments making Indian computer systems and critical infrastructures vulnerable to sophisticated cyber attacks. One of the critical infrastructures is banking sector of India that has miserable cyber security infrastructure. The Cyber Security Trends and Developments in India (PDF) have proved this point very well.

We have no dedicated cyber security laws in India and this is creating numerous troubles for various stakeholders. The banking sector of India is also neglecting cyber security in the absence of stern and effective cyber security regulatory norms in India. Some basic level guidelines and recommendations have been issued by Reserve Bank of India (RBI) but they are far from satisfactory and being effective. These include Internet banking guidelines, formation of a RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, RBI Recommendation on Information Security and its implementation in India, etc.

RBI has also mandated establishment of Steering Committees on Information Security by Banks in India and appointment of Chief Information Officers (CIOs) for all banks in India.  However, banks in India have failed to comply with the directions of RBI so far and even RBI has allowed them to take this liberty. In effect, this means that there is neither a legal framework nor any compulsion to ensure cyber security of banks in India. Naturally, the online banking system of India is not at all cyber secure and banks in India are not following cyber security due diligence and cyber law due diligence (PDF) at all.

Sophisticated malware are targeting banking industry around the world. For instance, Malware Dump Memory Grabber has been targeting Indian banks and POS Terminals. Similarly, the Gameover Zeus or GOZ botnet is also capable of stealing sensitive banking and financial information and details. Recently, the US Justice Department even charged a Russian national for creation of Gameover Zeus (GOZ) Botnet.

India is considering wide scale adoption of mobile banking, Internet banking and other online banking and financial transactions methods. However, India has not considered the issues of mobile banking cyber security, internet banking cyber security, legal aspects of Internet banking, cyber security of e-governance services, etc.

There is no doubt that Indian online banking transactions are vulnerable to cyber attacks. The cyber security for banking and financial sectors of India must be ensured as soon as possible. Online payment market of India and e-commerce and online business legal compliances have further increased the requirements of banking cyber security in India. Similarly, cyber due diligence for Paypal and online payment transferors of India must also be ensured by these stakeholders. The sooner this is done the better it would be for the larger interest of banking sector of India.

Techno Legal Analysis Of Gameover Zeus Or GOZ Botnet And P2P Malware

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBThe present era belongs to highly sophisticated and accurately targeting malware that are compromising computer systems at will. Not only they have the capabilities to infect even the most secured and sophisticated systems, they are also designed to remain under the radar and work in a stealth mode. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc just few examples that we are aware of and there are many more still operating that we are not aware of at all. Some of them are operating in the hidden Internet or deep web using encryption and anonymous systems.

Financial institutions and financial credentials are widely targeted by Malware for obvious reasons. Besides targeting financial organisation, botnet are used for all sorts of illegal activities over the Internet. For instance, for online advertisement industry alone, botnet are causing losses upto the extent of $6 million a month.

One such Malware is known as Zeus that is well known for stealing banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads, spam and phishing techniques. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The latest variant of Zeus is known as Gameover Zeus, or GOZ botnet.

According to a good research analysis (PDF) of GOZ botnet, Zeus is a family of credential-stealing trojans which originally appeared in 2007. The first two variants of Zeus are based on centralized command servers. These command servers are now routinely tracked and blocked by the security community. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. Compared to earlier versions of Zeus, this peer-to-peer variant is fundamentally more difficult to disable.

Due to its lack of centralized C2 servers, P2P Zeus is not susceptible to traditional anti-Zeus countermeasures, and is much more resilient against takedown efforts than centralized Zeus variants. The main P2P network is divided into several virtual sub-botnets by a hardcoded sub-botnet identifier in each bot binary. While the Zeus P2P network is maintained and periodically updated as a whole, the sub-botnets are independently controlled by several botmasters.

The Zeus P2P network serves two main purposes. These are: (1) Bots exchange binary and configuration updates with each other and (2) Bots exchange lists of proxy bots, which are designated bots where stolen data can be dropped and commands can be retrieved. Additionally, bots exchange neighbor lists (peer lists) with each other to maintain a coherent network. As a backup channel, P2P Zeus also uses a Domain Name Generation Algorithm (DGA), in case contact with the regular P2P network is lost.

According to researchers, P2P Zeus has evolved into a complex bot with attack capabilities that go beyond typical banking trojans. They believe that P2P Zeus is used for activities as diverse as DDoS attacks, malware dropping, Bitcoin theft, and theft of Skype and banking credentials. Researchers have also found that till recently bot traffic was encrypted using a rolling XOR algorithm, known as “visual encryption” from centralized Zeus, which encrypts each byte by XORing it with the preceding byte. Since June 2013, Zeus uses RC4 instead of the XOR algorithm, using the recipient’s bot identifier as the key. Rogue bots used by analysts to infiltrate the network typically use continuously changing bot identifiers to avoid detection. The new RC4 encryption is a problem, because a rogue bot may not always know under which identifier it is known to other bots, thus preventing it from decrypting messages it receives. In addition, RC4 increases the load on botnet detection systems which rely on decrypting C2 traffic.

Zeus uses RSA-2048 to sign sensitive messages originating from the botmasters, such as updates and proxy announcements. In all P2P Zeus variants researchers studied, update exchanges and C2 messages feature RC4 encryption over an XOR encryption layer. For these messages, either the identifier of the receiving bot or a hardcoded value is used as the RC4 key, depending on the message type. Each Zeus bot runs a passive thread, which listens for incoming requests, as well as an active thread, which periodically generates requests to keep the bot up-to-date and well-connected.

The researchers have concluded (PDF) that P2P Zeus is a significant evolution of earlier Zeus variants. Compared to traditional centralized versions of Zeus, P2P Zeus is much more resilient against takedown attempts. Potential countermeasures against P2P Zeus are complicated by its application of RSA-2048 signatures to mission critical messages, and rogue bot insertion is complicated by the Zeus message encryption mechanism which makes the use of random bot identifiers impossible. Poisoning attempts are forced to use widely distributed IPs due to a per-bot IP filter which only allows a single IP per /20 subnet. The network’s resilience against takedown efforts is further increased by its use of a Domain Generation Algorithm backup channel, and by an automatic blacklisting mechanism. P2P Zeus demonstrates that modern P2P botnets represent a new level of botnet resilience, previously unseen in centralized botnets.

On the legal side, the creator and users of Gameover Zeus are difficult to prosecute. This is because the cyber attack scenario has shifted its nature and territorial scope from being fun and regional to become a potential tool of cyber warfare and cyber espionage. We have no globally acceptable international legal regimes for cyber attacks as on date. Thus, international legal issues of cyber attacks are yet to be resolved.

Cyberspace also put forward complex problems of authorship attribution for cyber attacks and anonymity. Cyberspace also gives rise to conflict of laws in cyberspace where multiple laws of different jurisdictions may be applicable at the same time. Thus, cyber security and international cooperation cannot be separated in these circumstances. Nevertheless international cooperation among law enforcement agencies of different Nations and entering of extradition treaty among themselves can be a good beginning. Some success has already been achieved in this regard and more international cooperation is expected very soon in the cyber law and cyber security fields.

Intelligence Community, Social Media And Open Source Intelligence

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIntelligence Community has been engaged in “Intelligence Gathering Activities” for long. This may be covert or overt, technological or non technological, legal or illegal and so on. But this gathering exercise was there and it is going to be there in future as well.

However, modern practice of Intelligence Gathering is crucially different from traditional practices. Traditional Intelligence Gathering was more on the side of Human Intelligence (HUMINT) whereas the contemporary one is based more upon Information and Communication Technology (ICT).

As far as Technological Intelligence Gathering is concerned, Social Media is a “Favourite Destination” for Intelligence and Security Agencies. Social Media is a favourite destination because it is a “Gold Mine” of valuable and voluntary information available for ready reference. Social Media also provides the best platform for Open Source Intelligence (OSINT).

Social Media also, in majority of cases, provides a “Legally Obtainable” and “Legally Relevant” Evidence. Since the “Information” or “Evidence” is available “Openly” and to “Public at Large” and in a “Non Confidential” manner, generally any such acquired Information or Evidence can be “Relied Upon” in a Court of Law. However, “Admissibility” of such Evidence is subject to the “Discretion” of the Court and well established “Legal Principles”.

Besides Intelligence Agencies, Military Forces are also using Social Media to gain Information relevant to their uses. Military and Intelligence Agencies have been using “Fake Profiles” to get such Information. The aim may be to get a “Predictive Behaviour or Trend” or to obtain any other Information that is of “Strategic Importance”.

Getting Information from Social Media requires good Communication and Data Mining Skills. However, while doing so, one must not violate any Civil Liberties or Laws Protecting such Information. Although many countries have Social Media Laws, we have no dedicated Social Media Laws in India. Even we do not have any Social Media Policy of India.

Social Networking Laws in India are urgently required. To start with, we must have a Social Networking Policy of India. Open Source Intelligence through Social Media Platforms would raise a number of Techno Legal Issues, especially Civil Liberty Issues. For instance, questions like what constitutes “Public Data”, how can a Person Legally obtains Data, what is the “Relevancy” of such Information/Data, how the “Admissibility” of such Information/Data would be decided, etc would be asked.

Similarly, Privacy Issues, Speech and Expression Issues, scope and nature of E-Surveillance, etc would also be required to be resolved in future. This is a new field for both Law makers and Law Enforcers and needs an “Urgent Attention” of Parliament of India.

Indian Cyberspace Must Be Protected On A Priority Basis

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBA robust cyber security is essential to protect critical infrastructures (PDF) and public services rendered through information technology. If world wide events are some hints then India must seriously think in the direction of ensuring effective cyber security for Indian IT infrastructures and cyberspace. However the new Government would face many cyber security challenges as India has ignored cyber security for decades.

Meanwhile, Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc have been written to subvert the cyber security of Nations around the world. They are clearly made with the objective to indulge in cyber espionage, cyber warfare and cyber terrorism. If India establishes a counter terrorism centre, cyber security would be integral part of the same. In fact, the intelligence agencies of India have been working in the direction of acquiring a legal immunity for themselves while indulging in cyber deterrent acts.

India would revise her national security priorities now as the new Government is more committed towards that. The same would be techno legal in nature as considering traditional security alone would be counter productive in the long run. Cyberspace has emerged as a new security frontier and the new Government is well equipped to deal with the same.

However, companies, business houses, Government departments, public utility service providers and defence forces must also change the way they are presently managing their cyber security affairs. The cyber security obligations of stakeholders like law firms, e-commerce websites, directors of companies, Government departments, thermal power sector, power and energy utilities, etc must be properly understood and effectively implemented in India.

In order to achieve this, the Government must take pro active steps. For instance, there is an urgent need to formulate and actually implement cyber security breach disclosure norms and cyber crisis management plan. Similarly, National Critical Information Infrastructure Protection Centre (NCIPC) of India, National Cyber Coordination Centre (NCCC) of India, Tri Service Cyber Command for Armed Forces of India, etc. must also be constituted and made active immediately.

The cyber security trends of India (PDF) have shown that Indian cyber security initiative and efforts are grossly inadequate and poorly coordinated. There is no centralised coordination between various cyber security projects of India and all are operating in an independent manner. At times this creates a conflict situation between them and the end result is very disappointing.

There are little efforts towards modernisation of law enforcement and intelligence agencies of India. Cyber forensics methods and techniques are also not widely used (PDF) by our law enforcement and intelligence agencies like Enforcement Directorate (ED), Central Bureau of Investigation (CBI), etc in the absence of techno legal expertise. Even investigations into the cases of IPL match fixing, Nokia’s software download, etc was not upto the mark. The regulations and guidelines for effective investigation of cyber crimes in India are still awaited and many cyber criminals are not prosecuted effectively.

All these lacuna and shortcomings have created a vicious circle of problems that is detrimental to Indian cyberspace. We have to systematically cure these defects and shortcomings one by one as they are interrelated in nature. While doing so we must keep in mind the fragile and precarious nature of Internet and cyberspace that would create troubles for India in the near future.

National Counter Terrorism Centre (NCTC) Of India Must Be Constituted Urgently

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBEstablishment of the National Counter Terrorism Centre of India (NCTC) has been facing many problems and difficulties. These include administrative, political and technological problems that need to be addressed on a priority basis by the new Government. The obvious but unsolvable terrorism dilemma of India cannot be allowed to be continued any longer in the larger interest of India.

By its very nature and design any proposed NCTC shall be managed by intelligence and security agencies of India. India has plethora of intelligence agencies and security agencies. These include Research and Analysis Wing (RAW), Aviation Research Centre (ARC), Intelligence Bureau (IB), National Technical Research Organisation (NTRO) and Defence Intelligence Agency (DIA), etc.

However, the administrative and political structure governing these agencies is highly defective as they are operating in a decentralised manner. There is no centralised authority or Ministry that can coordinate or collaborate between different intelligence and security agencies. Further, there is no Parliamentary oversight of these intelligence agencies as well.

On top of it Civil Liberties and National Security requirements of India are not balanced at all. This would give rise to constitutional issues and create problems for such agencies in future. For instance, the immunity request of these agencies for engaging in cyber deterrent act cannot be accepted in these circumstances that would be an essential function of NCTC in future.

As Mr. Narendra Modi is committed to keep the internal security part of Home Ministry with himself, these issues can be easily managed. The proposed Prime Minister’s Office (PMO) would emerge as a “centralised national reforms point” of India. The approach regarding the proposed PMO is much required as that may be a game changer for India. It would also not be difficult to constitute the proposed NCTC in these circumstances as the centralised approach towards NCTC would eliminate interference of different Departments/Ministries. Mr. Modi can comfortably guide and supervise NCTC from the PMO.

However, NCTC must not be established in the manner proposed by the previous Government. The “safest and easiest method” to establish NCTC is to give a Parliamentary Scrutiny to intelligence agencies and their functioning. In the same legal framework, establishment and role of NCTC can be formulated.

The NCTC is very significant and essential for the National Security of India. Terrorist attacks against India are on increase and we need a “Specilaised Institution” like NCTC to provide and analyse valuable intelligence inputs and leads. The real problem seems to be “lack of coordination and harmonisation” between the Centre and States and the PMO must resolve this problem while establishing NCTC.

There are other related problems as well. For instance, the intelligence infrastructure of India is in big mess.  We need to develop intelligence gathering skills development in India so that effective intelligence can be generated, processed and used in real time. On the legislation front, a legal framework on the lines of Intelligence Services (Powers and Regulation) Bill, 2011 must be formulated and enacted by our Parliament. The National Intelligence Grid (Natgrid) Project of India has already been launched. However, a legal framework for Natgrid project of India is also needed as an unaccountable Natgrid is not a panacea for intelligence failures of India.

Surprisingly, the bureaucrats at Home Ministry have dropped the reference of NCTC altogether from their proposed report to Mr. Modi. They believe that NCTC is not a viable project and it need not to be part of the projects that have to be undertaken on a priority basis. It seems the bureaucrats are well aware of the previous dislike of Mr. Modi towards NCTC and they do not wish to offend him.

This is a highly unfortunate situation. No project should be dropped simply because Mr. Modi has disliked the same in the past. It is the constitutional duty of bureaucrats to suggest inclusion of projects of National Importance keeping aside their own biases, prejudices or fears. If they simply drop a worth project like NCTC on the basis that Mr. Modi disliked it in the past nothing is more embarrassing and unfortunate than such an approach. Even if Mr. Modi is averse to NCTC as on date, the bureaucrats must suggest the same. Of course, if there are some other issues, besides personal preferences or dislikes of Mr. Modi, they must be openly and frankly communicated to Mr. Modi and let him decide ultimately.

The things and circumstance have changed drastically and it is high time to analyse projects like NCTC as per contemporary standards and requirements. The present circumstances are in favour of constitution of NCTC and the same must be done as soon as possible.

Cyber Security Challenges Before The Narendra Modi Government

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBAs Mr. Narendra Modi is all set to swear to the post of Prime Minister of India he has to face unlimited challenges that have accumulated over a period of time. Thanks to our bureaucratic set up and all pervasive corruption, public reforms have always been kept at bay. There was no dearth of money and skilled people to accomplish the projected targets but still a dominant majority of projects in the last decade have failed to materialise.

Now that Mr. Modi has asked for a brief but accurate report and analysis of the situation, our bureaucrats are sweating and are in high stress. Even if they may somehow justify their non action and national reforms massacre still they would not be in a position to accomplish the mammoth tasks that have yet to be achieved. Decades of corrupt practices, incompetencies and indifference cannot be defeated in few years especially by retaining the same bureaucratic and ministerial structure.

Although there are hundreds of issues of national importance yet I would like to confine myself to a single issue that is closely and intrinsically related to our national security. The issue that I am talking about is the cyber security of India that is in a really bad shape (PDF). For decades our bureaucrats and Indian government did not consider cyber security as an essential part of national security policy of India. As a result cyber security has been grossly neglected and this has created a situation of high alert.

Even on the legislation front, India has failed to do the needful. For instance, we need to repeal the laws like Information Technology Act, 2000 (IT Act 2000), Indian Telegraph Act, 1885, etc but for some strange reasons our bureaucrats and Indian government kept them intact. I have been suggesting this recourse for the past five years but till now nothing concrete has happened in this regard. Similarly, crucial laws are absent from Indian statute books. These include law regarding privacy, data protection (PDF), telecom security, encryption, cloud computing, etc.

Mr. Modi would be required to not only overhaul his cabinet structure but also cleanse the bureaucratic circles that have been plaguing Indian reforms. Bureaucrats and politicians with clean image, hard working reputation and reforms oriented approach must alone be part and parcel of the Prime Minister’s Office (PMO) that may emerge as a “centralised national reforms point” of India. The approach regarding the proposed PMO is much required as that may be a game changer for India.

The previous PMO of India has already sanctioned a plan to spend 1,000 crore over the next four years to strengthen the cyber security capabilities of India. All Mr. Modi has to do is to make it sure that this may not be another proposal with no actual implementation. It must also be ensured that the allocated money is not only utilised but corrupt practices must also not take place while executing the cyber security project.

Obviously India needs to establish both offensive and defensive cyber security capabilities. This is important to protect the critical infrastructures (PDF) of India that are dependent upon information technology. A cyber warfare policy of India (PDF) must also be formulated as Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc are far beyond the reach of present cyber security mechanisms. These Malware are stealth in nature and till the time they are discovered the damage is already done.

Skilled workforce is also need of the hour and for this purpose cyber security courses must be introduced at the university level. Online education must be encouraged so that online cyber security courses can be imparted in India.

In short, the cyber security challenges before the Modi Government are institutional, skills driven, time sensitive and urgent in nature. We have already delayed strengthening of our cyber security capabilities and any further delay should not be tolerated by him.

Cyber Security Breaches Are Increasing World Over And India Must Be Cyber Prepared

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBCyber attacks have not only become sophisticated but they have also increased significantly in terms of numbers. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc are example of the contemporary Malware that are far beyond the reach of present cyber security mechanisms. These Malware are stealth in nature and till the time they are discovered the damage is already done.

It has been reported by the ICS-CERT of United States that a U.S. public utility was cyber attacked and its control system network were compromised. Similarly, E-Bay has asked for change of passwords after breach of its database containing account information. Before that Target Corporation was targeted by cyber criminals and as a result of that Target Corporation faced litigation threats around the world.

The cyber attack scenario has shifted its nature and territorial scope from being fun and regional to become a potential tool of cyber warfare and cyber espionage. We have no globally acceptable international legal regimes for cyber attacks as on date. Thus, international legal issues of cyber attacks are yet to be resolved.

Cyberspace also put forward complex problems of authorship attribution for cyber attacks and anonymity. Cyberspace also gives rise to conflict of laws in cyberspace where multiple laws of different jurisdictions may be applicable at the same time. Thus, cyber security and international cooperation cannot be separated in these circumstances.

Meanwhile, nations around the world are streamlining their respective cyber security capabilities. We must also develop offensive and defensive cyber security capabilities of India. As per the cyber security trends and developments of India 2013 (PDF) India is lagging far behind than required cyber security initiatives.  Cyber security in India is still not upto the mark in the absence of a dedicated cyber security law of India.

Even compulsory cyber security breaches notification norms are missing in India. Recently the National Security Council Secretariat (NSCS) requested Reliance Jio Infocomm to share potential cyber security threats on India’s telecom networks. India has announced that cyber security breach disclosure norm would be formulated very soon. However, till now no such disclosure norms are applicable in India against companies/telecom companies/ISPs of India and this could raise serious cyber security issues for India in the near future.

These cyber security breach disclosures are important as critical infrastructures of India like automated power grids, thermal plants, satellites, etc are vulnerable to diverse forms of cyber attacks. This is the reason why NTRO has been assigned the task of protecting the critical infrastructure of India. Till the national cyber coordination centre (NCCC) is put into place, national level cyber security coordination would be missing. The cyber crisis management plan of India and the cyber security policy of India must also be made operational as soon as possible.

Strict enforcement of the license conditions (PDF) against telecom companies operating in India and the proposed national telecom security policy of India 2014 may strengthen the cyber security infrastructure of India. However, nothing is better than formulating a good cyber security law of India that can establish a regulatory regime for compulsory cyber security breach notifications on the part of companies/telecom companies/ISPs.  Let us hope that the new Indian government would do the needful as soon as possible.