
Hacking Issues Of Automated Cars Must Be Addressed By International Security Community

The cyber security battle between cyber criminals and the business community is not new. Businesses are a natural choice for crackers because that is where money can be made. However, the business community is not very keen on adopting best cyber security practices for its products.

Take the example of automated cars or vehicles made by automobile manufacturers and companies. The majority of automobile manufacturers have for long either ignored or dismissed cyber security research exposing cyber security gaps in the automated and networked features of their vehicles.

But Takuya Yoshida, a member of Toyota’s InfoTechnology Center, along with his Toyota colleague Tsuyoshi Toyama, have developed a new tool, called PASTA (Portable Automotive Security Testbed). PASTA is an open-source testing platform for researchers and budding car hacking experts. Now automakers including Toyota are preparing for next-generation attacks, but there remains a lack of security engineers that understand auto technology.

There is also a lack of regulatory norms and techno legal standards that can govern automated cars/vehicles issues. Recently the UK released new cyber security standards for self driving vehicles. This follows the government’s publication last year which set out key principles of cyber security for automated vehicles, such as the expectation that systems should be designed to be resilient to attacks and respond appropriately when their defences fail.

These are good developments and more techno legal research and development is needed in this regard by national and international stakeholders.

Cyber Espionage Policy Of India Is Urgently Needed: Perry4Law Organisation (P4LO)

Praveen Dalal

The traditional methods of espionage are things of the past. Now most of the crucial and sensitive information and data are stored on computers and electronic devices. Naturally, computers and information and communication technology (ICT) associated with government and companies are the primary target of those seeking espionage in the modern era. This process of infiltration and breach of sensitive and top secret government and corporate computers is known as cyber espionage.

Cyber espionage in India is not a new concept but has been in existence since last decade. Further, cyber espionage may be done by an insider or an outsider by exploiting the vulnerabilities in the cyber security of an organisation. The real problem is that cyber espionage is inexpensive and relatively easy to commit and it is also very difficult to prove with absolute certainty. In short, without a conclusive “authorship attribution” cyber espionage is largely a lost battle. This is the reason why the Defense Advanced Research Projects Agency (DARPA) of United States is soliciting innovative research proposals in the area of cyber attribution.

If we analyse the cyber attacks trends against India for the past few years it would be apparent that the frequency and sophistication of various cyber attacks has significantly increased. This has been well analysed and documented by the cyber security developments of India 2015 and cyber security trends in India 2016 by Perry4Law Organisation (P4LO). Sophisticated cyber espionage malware like Uroburos/Snake, FinFisher, etc are easily defeating the cyber security safeguards. The global cyber espionage operation named SafeNet was discovered in the year 2013 that infected computers across the globe.

Recently it was reported in the media that a cyber espionage group named Danti could have breached the computers of top ranking bureaucrats in the government. Cyber espionage groups like Danti usually send an e-mail carrying a malware or a malicious link, which seems to originate from a government official's mail account or from some government department. Once such malware is activated, either by opening the malicious downloaded file or by clicking on the malicious link, it is silently installed upon the victim’s system. It works in a stealthy manner and keeps on stealing sensitive information and sending it to the designated server in an encrypted and coded manner.

India has neither a dedicated cyber security law nor mandatory cyber breach disclosure norms as on date. Even the cyber security infrastructure of India is grossly deficient as it cannot tackle sophisticated cyber attacks and malware. We do not have any cyber warfare policy of India (pdf), cyber terrorism policy of India, critical infrastructure protection policy of India (pdf) and cyber espionage policy of India. Even the important encryption policy of India (pdf) is missing till now. Constitution of the Tri Service Cyber Command for Armed Forces of India has skipped many deadlines and it is yet to be established. All we have is a defective and outdated cyber security policy formulated in the year 2013 that needs urgent reformulation.

As far as Indian cyber law is concerned, it has become almost redundant and it needs an urgent amendment, preferably a re-enactment. Even Indian Telegraph Act needs to be repealed as it carries many draconian e-surveillance and phone tapping related provisions that have no place in a modern democratic society like India. However, the worst blow came from Indian Supreme Court that has virtually killed the cyber law due diligence (pdf) instead of strengthening the same. Clearly, India lacks the required techno legal framework that alone can help it in fighting against cyber crimes and sophisticated national and international cyber attacks.

Another area of concern is the absence of adequate cyber security of e-governance services in India. Indian government is pushing its Digital India project without any civil liberties and cyber security safeguards. For instance, we have inadequate cyber security for smart grids, smart cities, critical infrastructures, nuclear facilities, satellites, governmental informatics infrastructures, defense networks, etc and Digital India cannot succeed in the absence of a robust and resilient cyber security for these critical infrastructures. We do not have an implementable cyber attacks crisis management plan of India that can be relied upon in case of a sophisticated cyber attack.

At a time when US law enforcement and intelligence agencies have acquired trans border hacking powers, it would be naive to assume that the same would not be used against Indian computers. The truth is that US is pushing other nations towards cyber warfare and cyber espionage race. In this background it is imperative that Indian government must not only enact dedicated and techno legal cyber security laws for India but also insulate Indian cyberspace and computers from foreign cyber attacks and cyber espionage attempts. We at Perry4Law Organisation (P4LO) strongly recommend that a dedicated cyber espionage policy of India must be urgently formulated by Indian government in these circumstances. P4LO would be happy to assist Indian government and other national and international stakeholders in formulation of cyber espionage policy in general and amended cyber law and cyber security laws in particular.

As per media reports, Indian government is contemplating to frame a comprehensive policy to deal with cyber espionage and other threats related to it. The policy that may enable setting up of a panel of experts who can work closely with the security establishment is being closely monitored by the Prime Minister’s Office. Indian government is also working in the direction of bringing suitable changes in the existing laws to make them more compatible and contemporary to the present time requirements. The cyber security manpower would also be strengthened along with upgrading the cyber security infrastructure to tackle cyber attacks. P4LO welcomes these positive developments and wishes all the best to Indian government in this regard.

Trans Border Hacking And Search Activities Of FBI Would Violate Civil Liberties And Cyber Laws Of Different Nations

Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB

The Internet is full of news and discussions about the recent expansion of Rule 41 of the Federal Rules of Criminal Procedure by the US Supreme Court. While the Department of Justice of US is trying to pass the amendment off as a simple modification, its ramifications are global in nature. To put it straight, the proposed Rule would allow the FBI to access, search and hack any computer, device or equipment remotely while sitting at home.

Even worse, FBI can hire the services of hackers who can get the job done on behalf of FBI or any other law enforcement agency. State sponsored hacking is not a new concept and almost all the countries are engaging in such activities. Not only this, the hackers who work on behalf of a country are also granted legal immunity against cyber deterrent acts by these countries. Even the intelligence agencies of India have demanded such legal immunity in the past and the result of such demand is still not clear.

In these circumstances, it would be naive to suggest that the proposed amended Rule would not violate privacy and cyber laws of different jurisdictions where FBI would use its newly acquired hacking power under the proposed Rule.

All individuals have a right to privacy and this right includes their digital properties, computers and information stored in these computers. Just like you cannot enter into my home without a justified reason and court warrant, similarly there is no reason why FBI should intrude into my privacy by some self assumed powers under a US Rule. Further, it is very difficult to understand how a search warrant issued by a US court can empower the FBI or US law enforcement agencies to access my computer in an unauthorised, illegal and unconstitutional manner. When even Indian government cannot do so how can a foreign government commit such an act?

Clearly, privacy is in grave danger with such attitude and Rules and this would affect the cloud computing industry as well. Who would like to store their sensitive documents on clouds managed by US companies in such disturbing circumstances? Similarly, the proposed Rule would also flare up the cyber espionage and cyber warfare race among the nations. All this because a vague and unconstitutional US rule empowers FBI and other law enforcement agencies of US to violate civil liberties and digital rights of netizens around the world.

This is a situation where even self defence would not be sufficient and nations and individuals would try their hands at aggressive defence. There would be a sudden change from the defensive cyber security strategy to an offensive cyber security strategy around the world. The limits to legitimate exercise of self defence would cease to exist. In the absence of international cyber law treaty and international cyber security treaty (PDF), this limit has to be judged and guided by the principle of private international law.

The proposed Rule would further increase the conflict of laws in cyberspace and negate civil liberties protection in cyberspace. Use of malware would further increase that would make the Internet and cyberspace a more insecure place. Malware are already defeating the cyber security safeguards and this global cyber espionage, cyber warfare and hacking power of FBI is only going to make the scenario more complicated.

Civil liberty activists need to come up with innovative ideas and products to safeguard privacy of netizens. When the Tor system has already been compromised, even the Tor community needs to have a relook at their product. Similarly, smart phones encryption is widely targeted these days and the same can be cracked by the law enforcement agencies. Smart phone companies are also required to make their encryption protection stronger otherwise consumers would lose faith in their products and services. Telecom companies are also required to fight against illegal e-surveillance activities of governments around the world.

It is imperative on the part of Indian government to clarify its stand on the proposed Rule and ask its US counterpart for an explanation in this regard. Similarly, other countries should also ask US by what authority they can access the computers and devices located in foreign jurisdictions? As on date, the trans border hacking and search activities of FBI would violate civil liberties and cyber laws of different nations.

Contemporary Malware Are Defeating Cyber Security Products And Services

Infection and compromise of systems and devices is not a recent phenomenon. However, malware in the contemporary times are highly sophisticated in nature. In fact, as per a report, malware nuisance would significantly increase in the year 2016.

Malware writers are no more script kiddies who hack for the sake of fun. Now the motive of these hackers ranges from cyber espionage, financial gains to cyber warfare. Naturally, malware play a key role in achieving these objectives.

Malware are a big cyber security nuisance for long. Cyber security vendors have been trying to contain various sophisticated malware that come up from time to time. As the nations and state actors have become interested in these malware and some of them are even funding their development and exploitation, cyber security products and services are finding it difficult to match their capabilities.

Till the time a cyber security product or service is launched to contain a sophisticated malware, the havoc and damage is already done. In this article titled “Malware Are Defeating Cyber Security Safeguards With Ease”, this fight between malware and cyber security products has been aptly described.

Presently malware are clearly winning the fight between security and system infections as security products are inherently incapable of tackling zero day vulnerabilities and state sponsored cyber attacks.

In the research article titled “Prospective Cyber Security Trends In India 2015”, Perry4Law Organisation (P4LO) predicted that state sponsored cyber attacks would increase. This actually happened and even Twitter and Google issued warnings that state sponsored cyber attacks may be there for their products and services. The “Cyber Security Trends In India 2016” have also predicted the rise of botnet, malware and cyber attacks against critical infrastructures around the world.

It is a wake up call for the cyber security vendors to either improve their security products and services or become redundant and ready to be exiled. What is the purpose of an anti virus that cannot detect and remove a malware?

At the same time there is a need to change the attitude towards cyber security by individuals, companies and governments. At the organisation level, there must be a techno legal policy for cyber security that should be religiously followed. Any lapse in the policy may be lethal for the financial and brand value of the organisation.

As far as India is concerned, India is still struggling to establish the Chief Information Security Officer (CISO) culture. Even at the government level, CISO culture is still missing. For instance, recently the Prime Minister Office (PMO) of India appointed Dr. Gulshan Rai as the first CISO of India. Although this is a very good and pro active move yet we have seen little development in this regard so far. Similarly, appointing the Chief Information Officers (CIOs) was made mandatory for all banks in India in 2012 yet till 2016 banks have not done so. In fact, cyber security of banks in India is in a very poor condition.

Even the government projects like National Critical Information Infrastructure Protection Centre (NCIIPC), National Cyber Coordination Centre (NCCC), etc have failed to achieve what they were contemplated for. There are no cyber breach disclosure norms in India as well. As a result we have almost missing cyber security infrastructure in India that needs to be revamped and strengthened immediately. This is more so when India has introduced the “Digital India” project that would make Indian infrastructure vulnerable to sophisticated cyber attacks from around the world. When everybody is passing the buck, who is going to bell the cat named malware?

Smart Cities Cyber Security In India: The Problems And Solutions

Smart cities are the future of urbanisation and population sustainability. The aim of smart cities is to provide a conducive environment for living, commercial activities, healthcare and overall development. Smart cities also predominantly rely upon use of information and communication technologies (ICT) to render public services. Wherever applicable, Internet of Things (IoT) (PDF), cloud computing and virtualisation and machine to machine (M2M) system usage is also there. However, this omnipresent usage of ICT, IoT, M2M, cloud computing, etc has a potential drawback as well in the form of indifference towards smart cities cyber security.

It is not difficult to visualise a scenario of cyber attacks against the critical infrastructures of the smart cities that are run by ICT and technology. Such a cyber attack can cripple the entire smart city if properly executed. Critical infrastructure protection in India (PDF) is still at nascent stage. The national cyber security policy of India 2013 is also very weak and even that has not been implemented by Indian government so far. The much awaited cyber security policy of India 2015 is also missing so far.

A strong cyber security infrastructure of India is the need of the hour, especially when there are no well settled international legal issues of cyber attacks that can be invoked in the case of a cyber incident. It is very important that international legal issues of cyber attacks must be resolved by various government and non government stakeholders. There is no globally acceptable cyber law treaty and cyber security treaty (PDF) that can govern the relationships between various countries. Even the Tallinn Manual on the International Law Applicable to Cyber Warfare (PDF) is just an academic document with no legal binding obligations. The truth is that Tallinn Manual is not applicable to international cyber warfare attacks and defence and countries are free to take measures as per their own choices.

This has necessitated that cyber security related projects in India must be not only expedited but they must also be successfully implemented as soon as possible. Unfortunately, cyber projects like National Cyber Coordination Centre (NCCC) of India, National Critical Information Infrastructure Protection Centre (NCIIPC) of India, Grid Security Expert System (GSES) of India, National Counter Terrorism Centre (NCTC) of India, Cyber Attacks Crisis Management Plan of India, Crisis Management Plan Of India For Cyber Attacks And Cyber Terrorism, Cyber Command For Armed Forces Of India, Tri Service Cyber Command for Armed Forces of India, Central Monitoring System (CMS) Project of India, National Intelligence Grid (Natgrid) Project of India, Internet Spy System Network And Traffic Analysis System (NETRA) of India, Crime and Criminal Tracking Network and Systems (CCTNS) Project of India, etc have still not been implemented successfully by Indian government.

This raises the pertinent question as to how Indian government would ensure cyber security of smart cities in India. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance. We also believe that a dedicated cyber security law of India is need of the hour. The same must be a techno legal framework keeping in mind contemporary cyber security threats. Further cyber security disclosure norms in India must be formulated by Modi government. The cyber security awareness in India must be further improved so that various stakeholders can contribute significantly to the growth and implementation of cyber security initiatives of Indian government.

International Legal Issues Of Cyber Attacks Must Be Resolved

Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB

Internet has become a necessity for all Countries of the World. Internet has also connected the virtual territories of different Countries to a collective area known as Cyberspace. This connectivity element has provided many opportunities and benefits to Cyberspace Netizens and stakeholders at large. However, this connectivity has also given rise to the possibilities and opportunities for committing wrongs and crimes by various criminal elements.

Newer concepts like Cyber Terrorism, Cyber Warfare, Cyber Espionage, etc have also emerged that have disastrous effects if not properly safeguarded and tackled. As on date there is no globally acceptable Cyber Law or Cyber Security Treaty. Similarly, there is also no foolproof and absolutely certain way to ascertain Authorship Attribution for Cyber Crimes and Cyber Attacks. Presence of Conflict of Laws in Cyberspace and absence of Civil Liberties Protection in Cyberspace has further complicated the international Cyber Law and Cyber Security related issues. Privacy Protection in the Information Era has also become an invincible task for Governments around the world.

In these circumstances, International Legal Issues of Cyber Attacks are not easy to manage. This is more so for India that is still not Cyber Prepared for International Cyber Attacks. Take the example of recent episode of hacking of Sony’s systems. Despite the strong statements of United States and its Agencies, it is very difficult to accept that North Korea was behind the hack. This is because United States has failed to prove authorship Attribution in a “Convincing and Proper Manner”. Thus, despite all allegations, counter allegations and other materials, it may not be possible to trace back the true attacker.

There is no “Neutral Authority” that can analyse the claims of both United States and North Korea in this regard. Both Countries may stick to their respective stands but in the end not much could be achieved through the same. Of course, this episode may give impetus to revive the lapsed or suspended Laws in United States that would have serious Civil Liberties Issues.

At a time when “Net Neutrality” is in grave danger, imposing own Standards and Measures against Potential, Actual and Invented Cyber Attacks by any Country should be sternly discouraged. It is also high time to resolve International Legal Issues of Cyber Attacks at a global scale.

Cyber Crimes And Cyber Attacks Insurance In India: A Techno Legal Perspective

Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB

Insurance business is well structured and well established in India. Even the regulatory framework in the traditional insurance sector is well managed by Indian government. With the passage of time, new avenues are now available for the insurance business. One such avenue comes from the adoption of information and communication technology (ICT) in our daily lives and the misuse of the same by criminal elements.

Perry4Law has been advocating use of cyber insurance since 2004 and from that year onwards we have been keeping a close watch upon the developments in this field at both national and international levels. Cyber insurance was adopted by developed nations earlier than India as it is only now that Indian insurance companies and Indian companies and other individuals have realised the importance of cyber insurance.

Information Technology Act, 2000 (IT Act 2000) prescribes adoption of adequate cyber security practices and cyber law due diligence (PDF) by Indian companies and individuals. Even technology companies, financial institutions and e-commerce websites are required to observe cyber due diligence in India and this requirement cannot be ignored anymore. A special attention must be given to the Information Technology (Intermediaries Guidelines) Rules 2011 (PDF) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (PDF) by those engaged in technology related business in India.

Regulatory compliance requirements under the Indian Companies Act 2013 (PDF) have added many legal obligations on the part of Indian companies and their directors. These include the liability of directors for cyber law and cyber security breaches and a liability for not following cyber law and cyber security legal obligations while conducting the functions of their respective companies.

Foreign companies and e-commerce websites having a business presence in India would now be required to register in India. This would also make them amenable to Indian laws and to face legal obligations for their non compliances. For instance, the recent cyber breach at Target Corporation has exposed it to litigation in multiple jurisdictions around the world.

Cyber breaches in India would raise complicated cyber law issues in the near future. For instance, cyber security issues of e-commerce business in India need to be discussed and implemented by Indian government and insurance companies. Similarly, cyber due diligence must also be outlined and implemented for online payment makers. Maintenance and inspection of document in digital form under corporate laws of India would also raise privacy, data protection (PDF) and cyber security issues.

All these aspects need a dedicated techno legal framework that is presently missing in India. Similarly, corporate frauds investigations in India would need scientific technologies and methods like e-discovery, cyber forensics, etc. If cyber security (PDF) and cyber forensics (PDF) trends in India are considered, this is a big challenge for Indian government, insurance companies and other corporate stakeholders. If cyber insurance has to be considered to be a potential source of revenue by insurance companies and adequate protection by Indian companies, they have to work hard in their respective fields.

Merely entering into an insurance agreement for cyber insurance purposes would create more trouble than solutions as complicated techno legal issues are involved in international cyber crime and cyber attack cases. For instance, insurance companies and affected companies may also face and have to tackle conflict of laws in cyberspace, authorship attribution for cyber crime and cyber attacks, refusal and non cooperation by foreign governments and companies in cyber crimes investigations, etc.

In these circumstances, not only the cyber insurance agreements must be properly drafted by insurance companies but techno legal investigation skills must also be used for investigating cyber crimes and cyber attacks cases by both the affected companies and insurance companies.

India Opposes Proposal To Include Cyber Security Technologies Under The Wassenaar Arrangement

One of the ways to prevent technologies and weapons from falling into wrong hands is to restrict and regulate their export out of the jurisdictions possessing the same. By putting export restrictions, weapons and technologies can be exported according to set norms and under scrutiny. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) is one such arrangement between many western countries.

The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability. Participating States seek, through their national policies, to ensure that transfers of restricted items do not contribute to the development or enhancement of military capabilities. The decision to transfer or deny transfer of any item is the sole responsibility of each Participating State. All measures with respect to the Arrangement are taken in accordance with national legislation and policies and are implemented on the basis of national discretion.

The Wassenaar Arrangement is focusing primarily on the transparency of national export control regimes and not granting veto power to individual members over organisational decisions. It is not a treaty, and therefore is not legally binding. However, through its collective decision making process, it can prohibit the transfer of a particular technology to non member nation(s). India is one such non member Nation and she has keen interests in import of technologies like cyber security software and hardware.

UK, France have now proposed amendments to Wassenaar Arrangement to include cyber security technologies. Naturally, India has expressed her concerns regarding this attempt as India is primarily dependent upon foreign nations for her cyber security related requirements. Changes were made to the Wassenaar Arrangement in December 2013 at a plenary meeting held at Vienna following the Snowden revelations.

“These changes could have severe impact on India’s cyber security programme — both software and hardware — as these would come under export control regime, the entire inventory of high-end cyber technology is with the Western countries like the US and they may deny products to Indian organisation,” said a senior Government official.

A high level meeting of the National Security Council was recently held to discuss the next course of action. The problem is that the products included in the control list have not yet been made public and the next round of plenary meeting to be held at the end of this month is expected to see the formal adoption of this agreement. Since India is not part of the agreement, it does not have access to the decisions or means to influence the proceedings. Therefore, India may seek membership to the exclusive club.

“The best way to deal with this would be to have our own technologies and invest in R&D but that would take time. We would like to engage with countries like US and UK to take our view on board before listing out products under export control,” said a Government official directly dealing with the issue.

The official also said that as a pre-emptive move India was looking to purchase critical technology before the new arrangement is finalised. An expert committee has been set up to figure out the future course of action, including negotiating with six countries — the US, the UK, Israel, Germany, France and Canada.

CERT-In has claimed that some software supplied to India is tweaked, which makes it prone to hacking. India was given a solution of the “Heart Bleed” malware, which impacted security of software, by vendors after a year of its discovery. Software companies under the product sale agreement are bound to provide a solution for any vulnerability found in their product(s) immediately after detection.

Sources said Ministry of External Affairs was of the view that high technology items are always an issue for the US but India could influence the decision by seeking membership of the Wassenaar Arrangement.

Intelligence Agencies Reforms In India Are Urgently Needed

Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB

Intelligence Agencies play an important role in protecting National Security of a country. They help in maintaining Internal and External Security of a Nation. The very nature of their functioning and work requires some degree of Anonymity, Secrecy and Confidentiality. However, this must not be confused with “Non Accountability” and “Lack of Transparency”. Unfortunately, Indian Intelligence Agencies have become synonymous to Non Accountability and Lack of Transparency.

The world over, it has been accepted that there must be a balance between National Security and Civil Liberties Protection. The United Nations (UN) Third Committee has also approved a text titled Right to Privacy in the Digital Age. This is in recognition of the Privacy Right in the Information Era that has gained prominence of late. It also means that the Big Brother must not “Exceed its Limits” as prescribed by the Human Rights and Civil Liberties Protection in Cyberspace.

India is clearly inclined to become an “Endemic E-Surveillance State” with no respect for Constitutional Rights and Civil Liberties. The journey of India “From Welfare State to E-Police State” began in 2009 with the notification of Information Technology Amendment Act, 2008 and it became complete in the year 2014 with the introduction of E-Surveillance Projects like Central Monitoring System (CMS) and Internet Spy System Network And Traffic Analysis System (NETRA) of India. I even suggested in May 2013 that Indian CMS must be subject to Prime Minister Office (PMO) “Scrutiny and Intervention”.

Nevertheless, the Big Brother Initiatives in India remained unaffected. In fact, the Congress Government made it “Absolutely Sure” that various E-Surveillance Projects are not only “Kept Alive” but they should also be “Made Immune from Judicial Scrutiny”. Our Constitutional Courts also did not consider it necessary to interfere and take appropriate actions.

To make matters worse, we have no E-Surveillance Policy of India. It is now well known that the Indian Government forced Telecom Companies like Vodafone to install “Secret Wires” to indulge in Unconstitutional E-Surveillance and Phone Tapping. Similarly, Indian Telecom Infrastructures have been constantly used for indulging in Unconstitutional E-Surveillance Practices as we have no implementable Telecom Security Policy in India.

In other jurisdictions, new methods of E-Surveillance are devised on a regular basis. For instance, the use of Radio Waves and Malware by the United States’ NSA for World Wide E-Surveillance is well known. The Department of Justice (DOJ) has recently announced New Reporting Methods for National Security Orders. India, on the other hand, is not at all interested in making its Intelligence Agencies and E-Surveillance Projects “Accountable to the Parliament”. This is a situation that needs to be urgently changed as it is “Undermining the Constitution”, and “Rule of Law” has no meaning and significance in these circumstances.

The Indian Government does not understand and accept that Law Enforcement and Intelligence Work is “Not an Excuse for Non Accountability”. For some strange reasons, the Intelligence Infrastructure of India has become synonymous with Unaccountability and Mess. There is neither any Parliamentary Oversight nor any Transparency and Accountability of the working of Intelligence Agencies of India.

Perry4Law has already provided a “10 Point Legal Framework for Law Enforcement and Intelligence Agencies in India” (PDF) to the Government of India in September 2009. However, the Indian Government failed to act upon the same and to formulate a Techno Legal Framework accordingly.

In a Recent Landmark Judgment (PDF), the constitution of CBI was held Unconstitutional by Gauhati High Court. In my personal opinion, the decision of Gauhati High Court declaring CBI unconstitutional is “Legally Sustainable”. Although almost all have criticised this decision of Gauhati High Court yet it is “Neither Absurd nor an Uncalled One”. Parliamentary Oversight of any Law Enforcement Agency is the “Core Requirement” under Indian Constitution. However, our Intelligence Agencies and many Law Enforcement Agencies, including CBI, are not governed by any sort of Parliamentary Oversight.

Unfortunately, the Supreme Court of India stayed this decision. This may be for a good cause if the Modi Government utilises this opportunity to formulate suitable Law for CBI and other Intelligence Agencies of India. However, this exercise of Supreme Court would be the “Most Unfortunate One” if there is no action in this regard by the Modi Government. So what should be the Modi Government’s next step?

Firstly, there is an urgent need to repeal draconian laws like Telegraph Law and Indian Cyber Law. Secondly, there is a dire need to formulate dedicated Telephone Tapping Law of India as soon as possible. Thirdly, India “Must Reconcile” the Civil Liberties and National Security Requirements but the same is presently missing. Indian Government is also “Not Serious” about formulating a dedicated Privacy Law for India. Data Protection and Privacy Rights in India are in real bad shape.

Fourthly, India’s own Projects like Aadhaar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), NETRA, etc. are violative of Civil Liberties Protection in Cyberspace. None of them is governed by any Legal Framework and none of them is under Parliamentary Scrutiny. In short, the Intelligence Infrastructure of India needs Transparency and Strengthening to make it “Effective and Accountable”.

With the new Government some action in this regard is expected but only time would tell whether Modi Government would “simply step into the shoes of Congress” or actually protect the Constitutional Rights of Indian Citizens.

Cyber Security Of Banks In India Needs Strengthening

Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB

Indian Cyber Security has been ignored for many years by the previous Governments, making Indian computer systems and critical infrastructures vulnerable to sophisticated cyber attacks. One of the critical infrastructures is the banking sector of India, which has miserable cyber security infrastructure. The Cyber Security Trends and Developments in India (PDF) have proved this point very well.

We have no dedicated cyber security laws in India and this is creating numerous troubles for various stakeholders. The banking sector of India is also neglecting cyber security in the absence of stern and effective cyber security regulatory norms in India. Some basic level guidelines and recommendations have been issued by the Reserve Bank of India (RBI) but they are far from satisfactory or effective. These include Internet banking guidelines, formation of an RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, RBI Recommendation on Information Security and its implementation in India, etc.

RBI has also mandated establishment of Steering Committees on Information Security by Banks in India and appointment of Chief Information Officers (CIOs) for all banks in India. However, banks in India have failed to comply with the directions of RBI so far and even RBI has allowed them to take this liberty. In effect, this means that there is neither a legal framework nor any compulsion to ensure cyber security of banks in India. Naturally, the online banking system of India is not at all cyber secure and banks in India are not following cyber security due diligence and cyber law due diligence (PDF) at all.

Sophisticated malware is targeting the banking industry around the world. For instance, Malware Dump Memory Grabber has been targeting Indian banks and POS Terminals. Similarly, the Gameover Zeus or GOZ botnet is also capable of stealing sensitive banking and financial information and details. Recently, the US Justice Department even charged a Russian national for creation of the Gameover Zeus (GOZ) Botnet.

India is considering wide scale adoption of mobile banking, Internet banking and other online banking and financial transactions methods. However, India has not considered the issues of mobile banking cyber security, internet banking cyber security, legal aspects of Internet banking, cyber security of e-governance services, etc.

There is no doubt that Indian online banking transactions are vulnerable to cyber attacks. The cyber security for banking and financial sectors of India must be ensured as soon as possible. The online payment market of India and e-commerce and online business legal compliances have further increased the requirements of banking cyber security in India. Similarly, cyber due diligence for PayPal and online payment transferors of India must also be ensured by these stakeholders. The sooner this is done, the better it would be for the larger interest of the banking sector of India.