Recent Posts

1


Aadhaar has created serious constitutional, civil liberties and cyber security problems in India. Indian government and Supreme Court are not interested in rescuing Indians from this precarious situation. Clearly India is heading towards dystopian and totalitarian state and something has to be done right now to counter this position.
 
We have suggested few strategies to Indians so that they can escape from being digital slaves forever. These include:
 
(a) Blocking of your biometric at UIDAI website and never using Aadhaar again for KYC or EKYC purposes in future,
 
(b) Deseeding of Aadhaar from all services, whether government or private, where you have seeded the Aadhaar, and
 
(c) Asking the UIDAI and Supreme Court to delete your biometric database from UIDAI registry and any and all other places where your biometric have been stored.
 
According to Praveen Dalal, it is pertinent that you must go for biometric blocking and Aadhaar deseeding together and not in isolation. Neither blocking of biometric nor deseeding of Aadhaar from all services without blocking of the biometric is sufficient in itself.
 
Once the biometric have been blocked and Aadhaar is deseeded from all government and private services, ask UIDAI, Indian government and Supreme Court to destroy your biometric to prevent any future misuse of the same.
 
Cyber security of Aadhaar and its biometric database is very poor by design and implementation. It is better to safeguard your interests, including your civil liberties, than being sorry in future. So start blocking your biometric at UIDAI, deseed Aadhaar from all services and demand for destruction of biometric from all places.
 
The Constitution of India and your Fundamental Rights empower you to take all these actions. Neither Indian government nor Supreme Court of India can restrict you from doing above mentioned three activities of blocking, deseeding and destruction of biometric database of Aadhaar.
 
Source: P4LO Blog.
2


Recently the Meity released guidelines pertaining to data security for various government departments. The guidelines intend to assist government departments that collect, receive, possess, store, deal or handle personal information including sensitive personal information or identity information to implement the reasonable security practices and procedures and other security and privacy obligations under the IT Act, 2000 and Aadhaar Act, 2016.

While the IT Act 2000 has become grossly outdated yet the constitutionality of Aadhaar Act, 2016 is already questioned before the Supreme Court of India. Further, the guidelines are general guidelines meant for guiding the government departments and lack enforceability capability. In any case, enforcement of laws in India is very poor especially when it comes to enforcement of cyber law and cyber security related norms.

Some people have already started celebrating as if these guidelines have brought something magical. Truth is these guidelines are neither effective nor enough to cover even the basic concepts of data protection and cyber security as per international standards. So the fact remains that India has no dedicated privacy, cyber security and data protection laws and cyber security of sensitive information, including Aadhaar and its CIDR, is at great risk.

The guidelines are just suggestions with no binding legal obligations for data breaches. They are simply telling the government departments to use common sense while dealing with sensitive data of Indians. They have not put any onerous obligations upon government departments the violation of which would be subject to prosecution. Indians have no right even if their data and information is leaked by such government departments.

Government departments are even free to ignore these guidelines as non-existent by simply not acting upon them. There is no time line within which the government departments are required to ensure even basic cyber security practices. Saying that government departments must do this and that does not make any sense if there is no time bound obligations coupled with imposing sanctions against non compliance.

In short, these guidelines are just eyewash to fool Indians and Supreme Court by claiming that some magical data security and cyber security remedy has been put at place. In reality, the guidelines are nothing more than a façade to keep Indians in dark.

Source: Perry4Law Organisation (P4LO) Blog.
3

Cyber security is a complicated field to manage and even the most ardent players of cyber security are aware that absolute cyber security is a myth. So if anybody is claiming that his/her system, software or project is 100% cyber secure, he/she is simply ignorant of the ground realities as exist in the cyberspace.
 
Till sometime back, cyber warfare was considered as a fiction and not reality. But with growing incidences of cyber espionage, cyber terrorism and even cyber warfare, countries have started taking their critical infrastructures seriously. Nevertheless, the task to secure these critical infrastructures is next to impossible as the bad guys are always many steps ahead of the government and its agencies.
 
Aadhaar is one such highly sensitive and highly insecure project of India government that is neither prudent nor secure. It only has a false sense of security that government is projecting to divert the attention of critics of Aadhaar. But real cyber security professionals are well aware of the dangers of Aadhaar project that has put the lives and properties of Indians in great peril.
 
In reality, Aadhaar has created serious constitutional anomaly and irresolvable cyber security issues that would always jeopardise rule of law and personal safety and security of Indians. No matter whatever Indian government tells you, stay away from Aadhaar. And if you have already made an Aadhaar, deseed it from all services and block your biometric as soon as possible so that it cannot be abused by government and private individuals.
 
Source: Cyber Security Issues.
4
As India is marching towards the goal of being Digital India, it is imperative to consider related issues as well. These issues can be legal or technical or both. In other words, techno legal challenges are bound to occur when we would try to implement the noble goal of Digital India. The Companies Act, 2013 of India has also introduced cyber law, cyber security and other techno legal liability and obligations on the part of directors of Indian companies. Some of the techno legal challenges would originate due to cyber crimes, cyber attacks, cyber espionage, cyber terrorism, etc. It is obvious that losses in the form of money and materials would be there. It is also clear that companies and individuals who would be victims of such cyber nuisance would be required to get themselves proper insurance covers.

Cyber crimes and cyber attacks insurance in India is still maturing. We have very few insurance companies in India that are providing cyber insurance policies in India. Further, we have few takers of cyber liability insurance in India. Even the legal issues of cyber liability insurance in India are not clear.

For instance it is still not clear for which categories cyber liability insurance is available and what the exempted categories are in this regard. Further, fine details of these cyber liability insurances are also not clear to both insurance companies and those seeking the insurance. This would raise disputes while redeeming these cyber liability insurances in future.

Many times cyber crimes and cyber attacks originate from outside the India. How would these cyber intrusions be investigated, traced back and prosecuted in India is a big challenge before the law enforcement agencies of India. It would require significant skills on the part of insurance companies as well to ascertain the origin of such cyber attacks and cyber crimes and meet the requirements of cyber liability insurance accordingly. In short, conflict of laws in cyberspace is a major challenge and hurdle before insurance companies providing cyber liability insurance in India.

We at Perry4Law believe that cyber liability insurance agreements must be thoroughly drafted keeping in mind the genuine interests of both insurance company and the insured subject. Cyber liability insurance involves high stakes and so the premium is also high. It would be a futile and frustrating exercise if after facing a cyber attack, the insured sum is also not released citing some clause or provision in the cyber liability insurance agreement.

In their own interest, those seeking cyber liability insurance must get the insurance agreement vetted by suitable techno legal professionals or law firms of their choices. While choosing the concerned legal expert or law firm, the companies and individuals must ensure that such legal experts or law firms are maintaining a proper cyber security mechanism to protect sensitive and crucial information pertaining to their clients.

The cyber security obligations of law firms in India are increasing and they cannot afford to take the data of their client casually. Law firms in India must also keep in mind the legal obligations arising out of privacy and data protection (PDF) norms as applicable in India from time to time. We wish all the best to both insurance companies and the insurance seekers regarding cyber liability insurance issues.

Source: Global ICT Policies And Strategies.
5
Insurance business is well structured and well established in India. Even the regulatory framework in the traditional insurance sector is well managed by Indian government. With the passage of time, new avenues are now available for the insurance business. One such avenue comes from the adoption of information and communication technology (ICT) in our daily lives and the misuse of the same by criminal elements. Perry4Law has been advocating use of cyber insurance since 2004 and from that year onwards we have been keeping a close watch upon the developments in this field at both national and international levels. Cyber insurance was adopted by developed nations earlier than India as it is only now that Indian insurance companies and Indian companies and other individuals have realised the importance of cyber insurance.

Information Technology Act, 2000 (IT Act 2000) prescribes adoption of adequate cyber security practices and cyber law due diligence (PDF) by Indian companies and individuals. Even technology companies, financial institutions and e-commerce websites are required to observe cyber due diligence in India and this requirement cannot be ignored anymore. A special attention must be given to the Information Technology (Intermediaries Guidelines) Rules 2011 (PDF) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (PDF) by those engaged in technology related business in India.

Regulatory compliance requirements under the Indian Companies Act 2013 (PDF) have added many legal obligations on the part of Indian companies and their directors. These include the liability of directors for cyber law and cyber security breaches and a liability for not following cyber law and cyber security legal obligations while conducting the functions of their respective companies.

Foreign companies and e-commerce websites having a business presence in India would now be required to register in India. This would also make them amenable to Indian laws and to face legal obligations for their non compliances. For instance, the recent cyber breach at Target Corporation has exposed it to litigation in multiple jurisdictions around the world.

Cyber breaches in India would raise complicated cyber law issues in the near future. For instance, cyber security issues of e-commerce business in India need to be discussed and implemented by Indian government and insurance companies. Similarly, cyber due diligence must also be outlined and implemented for online payment makers. Maintenance and inspection of document in digital form under corporate laws of India would also raise privacy, data protection (PDF) and cyber security issues.

All these aspects need a dedicated techno legal framework that is presently missing in India. Similarly, corporate frauds investigations in India would need scientific technologies and methods like e-discovery, cyber forensics, etc. If cyber security (PDF) and cyber forensics (PDF) trends in India are considered, this is a big challenge for Indian government, insurance companies and other corporate stakeholders. If cyber insurance has to be considered to be a potential source of revenue by insurance companies and adequate protection by Indian companies, they have to work hard in their respective fields.

Merely entering into an insurance agreement for cyber insurance purposes would create more trouble than solutions as complicated techno legal issues are involved in international cyber crime and cyber attack cases. For instance, insurance companies and affected companies may also face and have to tackle conflict of laws in cyberspace, authorship attribution for cyber crime and cyber attacks, refusal and non cooperation by foreign governments and companies in cyber crimes investigations, etc.
In these circumstances, not only the cyber insurance agreements must be properly drafted by insurance companies but techno legal investigation skills must also be used for investigating cyber crimes and cyber attacks cases by both the affected companies and insurance companies.

Source: International Legal Issues Of Cyber Security.
6
Cyber insurance in India has become an acceptable reality in India these days. Many companies have shown their interests in obtaining cyber insurance and some of them have actually obtained the same. Before taking up a cyber insurance policy in India, the concerned company or individual must be well aware of the techno legal compliance requirements of India and the potential cyber risks. This alone would help it/him/her to take the most appropriate cyber insurance policy.

Similarly, an improper cyber insurance policy that is not covering the cyber risks in entirety and leaves scope for ambiguity and legal complications while claiming the insured amount should be avoided. A techno legal vetting of cyber insurance policies obtained in India is an absolute must before obtaining the same.

Just like legal due diligence, a techno legal cyber insurance policy due diligence must be conducted before signing any such cyber insurance policy. The terms and conditions of such cyber insurance policy must be thoroughly analysed line by line to avoid any unfavorable and surprise outcome. Merely signing of a cyber insurance policy does not mean that in case of a cyber breach the concerned insurance company would release the insured amount.

Insured companies and individuals who have obtained a cyber insurance policy must also be aware of the issues like privacy, data protection (PDF), data security, e-discovery, cyber forensics, cyber crimes investigation, etc. This does not mean that those insured themselves must be capable of managing the techno legal aspects of these issues and fields.

Similarly, insurance companies must also make it sure that Indian companies and other stakeholders have already introduced and implemented cyber security best practices, cyber forensics best practices, e-discovery best practices, cyber law due diligence (PDF), e-commerce due diligence, etc. This would prevent future disputes between the insurance companies and the insured stakeholders when a cyber breach occurs. Insurance companies can also provide a more comprehensive cyber insurance policy to those companies and individuals who can demonstrate using of a robust cyber security infrastructure and techno legal best practices for their business activities.

We at Perry4Law believe that there is an urgent need to formulate suitable techno legal regulations for various sectors, including cyber insurance in India. In particular, Indian government needs to enact cyber security laws, data security laws, privacy laws, data protection laws, cyber security breach disclosure laws, etc. As on date, all of these laws are missing and this has created a state of uncertainty and chaos in Indian cyberspace. This environment is also not conducive for the growth and adoption of cyber insurance in India.

Source: Cyber Laws In India.
7
Mobiles are believed to play a major role in the successful implementation of the Digital India project of Indian government. From mobile commerce to mobile banking, the Indian government is betting big upon mobiles and their use for public delivery of services through electronic means. Of course, this big scale use of mobiles will also give rise to cyber law and cyber security issues that Indian government must be well prepared to deal with in future.
 
Mobile phones have become ubiquitous these days. They are used for multiple purposes ranging from personal use to mobile banking. Cyber criminals have also realised the importance of mobile phones for committing cyber crimes and financial frauds. This is also the reason why malware writers are also writing mobile phone specific malware to steal confidential and sensitive information.
 
Mobile cyber security in India has become a cause of concern these days. Mobile phones are now proposed to be used for mobile banking and mobile governance in India. Naturally, we must ensure robust mobile cyber security in India. An electronic authentication policy of India can help in more active and secure mobile usages in India. Mobile governance and e-authentication in India are also closely related and with the proposed electronic delivery of services in India this is also a must have requirement.
 
For the time being we have no implementable electronic delivery of services policy of India though it may be in pipeline. Indian government is working in the direction of ensuring electronic delivery of services in India. In fact a legal framework titled electronic delivery of services bill 2011 (EDS Bill 2011) was also proposed by Indian government in the past. The same has still to become an applicable law in India. Once the EDS Bill 2011 becomes an applicable law, governments across the India would provide electronic services through various modes, including mobile phones. This requires putting a robust and reliable mobile security infrastructure in India.

However, using of mobile phones for commercial and personal transactions in India is also risky. For instance, the mobile banking in India is risky as the present banking and other technology related legal frameworks are not conducive for mobile banking in India. Similarly, we do not have a well developed e-governance infrastructure in India. As a result India is still not ready for m-governance.
 
We at Perry4Law Organisation (P4LO) believe that the biggest hurdles before the mobile related uses in India pertain to use of weak encryption standards and non use of mobile cyber security mechanisms in India. Absence of encryption laws in India has further made the mobile security very weak in India. The ever evolving mobile malware are further increasing the woes of mobile users worldwide. As on date the malware are defeating cyber security products and services with ease.
 
It is high time for India to seriously work upon mobile cyber security aspects as soon as possible. The policy decisions in this regard must be taken urgently and must be implemented as soon as possible.

Source: Cyber Security Issues In India.
8
Internet of things (IoT) is the new buzz word these days. Everybody is talking about IoT because it has great business, commercial and personal use potential. IoT combines software, hardware and a communication infrastructure so that systems/devices can contact and communicate with each other in a non intrusive and automatic manner. Like any other technology, IoT has its own uses and challenges.

For instance, IoT can be used for smart grids, smart cities, e-health, etc. and thereby reduce their cost of operation and improve their productivity. However, IoT also has civil liberties and cyber security challenges to manage. Cyber criminals have already started abusing IoT controlled devices for launching malicious cyber attacks. As the technology protocols for IoT are still evolving, it is very difficult to avoid such cyber attacks.

Similarly, on the legal framework front, IoT has yet to be suitably regulated around the world. India has no dedicated law for IoT and some guidance can be found from the Information Technology Act, 2000 (IT Act, 2000). Indian government has issued the draft IOT Policy of India (pdf) and Revised Draft IOT Policy of India (pdf) but they are not sufficient to manage the complicated techno legal issues of IoT.

IoT is essential part of Digital India project of Indian government that is already heading towards rough waters in the absence of adequate cyber security and civil liberties protections. For instance, ensuring of cyber security for smart grids and smart cities is still a distant dream for Indian government. Similarly, IoT and Smart cities have to manage civil liberties issues as well that are presently ignored by Indian government.

Perry4Law Organisation (P4LO) has launched a dedicated and exclusive techno legal centre of excellence (CoE) for Internet of things (IoT) in India. We have covered many techno legal issues there that Indian government is required to manage in near future. We have been managing these issues for long and we would discuss the same at our CoE-IoT website in more details in our subsequent posts.

P4LO would help national and international IoT stakeholders in formulation and implementation of techno legal frameworks so that adoption and use of IoT can be as smooth and hassle free as possible.

Source: Perry4Law Blog.
9
Present days critical infrastructures are connected to information and communication technology (ICT) for portability, convenience and remote control purposes. Although this process brings many advantages yet this usage of ICT for critical infrastructures also exposes them for potential cyber attacks.
 
According to the Cyber Security Trends of India 2015 by Perry4Law Organisation (P4LO), Critical Infrastructure Protection in India (PDF) would be required in the year 2015 as India has launched projects like Digital India and Internet of Things (IoT) (PDF). Indian Government needs to work hard in this regard as cyber security challenges in India are very daunting in nature. 

The cyber security challenges before the Narendra Modi government are more demanding than its predecessor government due to heavy reliance upon ICT and technology. However, India is not yet prepared to deal with the same. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must urgently formulate the Cyber Security Policy of India 2015 as the previous policy is just a paper work with no actual benefits. 

Now here lies the real problem. Formulation of a techno legal framework and robust cyber security policy of India 2015 require tremendous techno legal acumen. Further, the actual implementation of the proposed 2015 policy would be even more difficult. This may be the reason that Modi government is shy in bringing any change in the otherwise outdated and redundant 2013 cyber security policy of India. Nevertheless, a call has to be made in this regard and immediate action is need of the hour.
 
It is not the case that the Modi government has not taken pro cyber security initiatives in India. Firstly, Modi government has appointed Dr. Gulshan Rai as the first chief information security officer (CISO) of India. Secondly, Narendra Modi has suggested to Nasscom that a task force be set up to solve the growing cyber security menace in India. According to Nasscom the taskforce would be constituted within a period of one month. Now it has been reported that the Grid Security Expert System (GSES) of India has been proposed to be developed by Powergrid.

GSES would involve installation of knowledge based Supervisory Control and Data Acquisition (SCADA) system, numerical relays and Remote Terminal units up to 132 kV stations and the reliable Optical fibre Ground wire (OPGW) communication system at an estimated cost of around Rupees 1200 crores. The objective of the GSES is implementation of the Automatic Defense mechanism to facilitate reliable and secure grid operation.
 
CECSRDI welcomes this move of Indian government. We have been advocating that a robust cyber crisis management plan of India is need of the hour. A crisis management plan for preventing cyber attacks on the power utilities in India has also been suggested by CECSRDI. We have also suggested that crisis management plan of India for cyber attacks and cyber terrorism is required. Power grids cyber security in India and its challenges are not much known as on date but awareness about the same is fast increasing. The present decision of Indian government to establish GSES is an example of the same.
 
It has also been stated that the Computer Emergency Response Team-India (CERT-IN), Department of Information Technology, Ministry of Communication and Information Technology, Government of India has prepared a Crisis Management Plan (CMP) for countering cyber attacks and cyber terrorism. The CMP intends to prevent large scale disruption in the functioning of critical information systems of Government, public and private sector resources and services. A framework has also been outlined for dealing with cyber related incidents for rapid identification, swift response and remedial actions to mitigate and recover from cyber related incidents impacting critical national processes. 

In December 2010, Ministry of Power had constituted CERTs (Computer Emergency Response Teams) for power sector. At CECSRDI we welcome establishment of these dedicated CERTs as they can manage cyber security issues in a better manner. For instance, CERT-Thermal (nodal agency- National Thermal Power Corporation (NTPC)), CERT-Hydro (nodal agency- National Hydroelectric Power Corporation (NHPC)) and CERT-Transmission (nodal agency- Power Grid Corporation of India Limited (PGCIL)) can take necessary action to prevent cyber attacks in their domains. The State Power Utilities have also been advised to prepare their own sectorial Crisis Management Plan (CMP) and align themselves with the Nodal Agencies i.e. NTPC, NHPC & PGCIL and CERT-In for the necessary actions.
 
Cyber security of automated power grids of India is need of the hour. It is only after a massive power blackout in 2012 that Indian government has woken up to the dangers of cyber attacks against Indian power sector. Based on the recommendations of the Enquiry Committee, constituted by Ministry of Power to enquire into the causes of the grid collapse of 2012, several measures like third party protection audit, review of Unscheduled Interchange mechanism, review of Central Electricity Authority transmission planning criterion, tightening of frequency band, coordinated planning of outages, development of islanding schemes, proper maintenance of under frequency relays etc. have been taken by the Government to prevent grid failures. We welcome these pro active efforts on the part of Indian government.
 
However, it would be really interesting to observe what actual steps would be taken by Modi government to strengthen Indian cyber security. Till now Modi government has not come out with even a single cyber security related policy decision or initiative. These policy decisions and projects, with their own merits and demerits, are the legacy of Congress government. What Modi government would do in this regard is yet to be seen. We wish all the best to Modi government in the field of cyber security and other related projects.
 
Source: Global Techno Legal News And Views.
10
Indian Cyber Security News And Articles / Cyber Security Of Smart Grids In India
« Last post by PTLB on February 12, 2017, 08:23:35 PM »
Utility industry around the world is undergoing radical changes in its structure and business models. It is being reshaped by disruptive technologies, environmental pressures and social expectations. Traditional electric grids are now replaced with smart grids that are controlled by information and communication technology (ICT). In many cases, these utilities are managed through remote administration as well. Power grids are also centrally connected and integrated in nature from the stage of power generation to its transmission and distribution. A compromise of such power grids can lead to power outages/blackout or even damage to power system devices and thereby huge loss to the utilities. This is also the stage and process that makes these utilities vulnerable to cyber attacks.

Naturally smart grids cyber security has become a top priority for governments around the world in these circumstances. The contemporary malware are very sophisticated in nature and they are easily defeating the cyber security products and services. As a result cyber attacks and malware have become a big nuisance for businesses and individuals alike. Smart grids are also facing sophisticated cyber attacks from around the world.

Cyber security issues in India are emerging day by day. Similarly, the cyber security awareness in India is also increasing. However, cyber security capabilities of India are still not up to the mark. Cyber security skills developments in India are urgently required so that both offensive and defensive cyber security capabilities of India can be developed. Keeping this fact in mind, critical infrastructure protection in India in general and cyber security of automated power grids of India in particular must be ensured with latest technology and international best practices. In the past Indian government declared that a Grid Security Expert System (GSES) of India would be developed in India. The same may be a reality very soon keeping in mind the focus upon Digital India project of Indian government.

There would be many cyber security challenges for future smart grids of India. The evolution of SCADA system, deficiencies and shortcomings of existing power devices and vulnerabilities of software managing SCADA systems are areas of special concern for India. Internet is full of unprotected and unsafe devices, SCADA systems and computers. Critical infrastructures protection has also become a major challenge with the SCADA systems still remaining exposed and unprotected. For instance, healthcare industry is facing increased cyber attacks against its critical infrastructures. Cloud computing is also facing low adoption and regulatory issues in India.

Further, renewable energy/distributed generation demands are the added feature of smart grid and due to networked control future power system will be much more vulnerable to cyber terrorism attacks, cyber warfare activities and cyber espionage attempts. Therefore, before switching to smart grids, India must consider cyber security challenges for them as well.

Although India has recognised the significance of cyber security yet its efforts in this direction are still scattered, unstructured and inadequate. Perry4Law Organisation (P4LO) has been advocating for establishing a strong, robust and resilient cyber security infrastructure in India for almost a decade. P4LO also believes that international legal issues of cyber security must be resolved on mutual cooperation basis among various countries. Countries may work in the direction of formulating international cyber law treaty and international cyber security treaty (PDF). Similarly, international legal issues of cyber security and conflict of laws in cyberspace must also be resolved by Indian government. We hope Indian government would resolve the cyber security issues related to smart grids very soon.