Author Topic: Techno Legal Cyber Security Issues Of Internet Of Things (IoT) In India  (Read 7958 times)


  • Administrator
  • Newbie
  • *****
  • Posts: 6
  • Centre Of Excellence For Cyber Security In India
    • View Profile
    • Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI)

This is an organic article and we would update it from time to time. :)

Cyber security is a techno legal filed where both law and technology interacts. Whenever a cyber breach is involved, we have to analyse the incidence from the point of view of applicable laws and technical specifications. For instance, a simple cyber attack originating from location A and affecting a computer situated at location B would give rise to not only conflict of laws in cyberspace but also tracking and extraditing the accused to the nation where the damage has occurred. This also involves invoking the time consuming and complicated Mutual Legal Assistance Treaty (MLAT) in many cases.

If we combine the techno legal cyber security issues with Internet of things (IoT), we have a new set of problems at hand. IoT at the present stage are by their very design insecure and unreliable. Most of them are based on old architectures and technologies and are very poor at cyber security, data protection and privacy protection safeguards. The standards and best practices of IoT are still evolving and there is no uniformity for managing these techno legal issues among the national and international stakeholders.

Despite these limitations, there are many businesses and startups that are launching IoT products and services with little regard to the techno legal safeguards. This is creating problems for not only the actual IoT consumers but also other stakeholders. For instance, insecure IoT devices can be misused for spying, distributed denial of service (DDoS) attacks, cyber attacks, spreading of malware, etc. Internet is full of unprotected and unsafe devices, SCADA systems and computers. IoT devices have only added further insecure devices to the crackers by exposing and connecting insecure devices to the Internet.

Indian government is also pushing hard digital payments and cashless modes to reduce dependency upon cash. However, the approach of Indian government is faulty in this regard as enumerated in the digital payments and cashless economy trends of India 2017. Use of Aadhaar for digital payments itself is a big mistake and blatant violation of civil liberties that would create more troubles than solutions in near future. Aadhaar has further weakened the already insecure banking sector of India. Cyber security in the Indian banking sector needs rejuvenation and not a shock in the form of Aadhaar or Aadhaar enabled payment system (AEPS), including the BHIM application.

Now if digital India project of Indian government relies upon such insecure IoT infrastructure of India, we can visualise about the cyber security nightmare that we are about to face in near future. Malware are clearly defeating cyber security safeguards and if we add an army of insecure IoT to this scenario, we are heading towards a big trouble. It is only logical that digital India and IoT must address civil liberties and cyber security issues urgently in India.

A related problem with insecure IoT infrastructure is that technologies, services and projects depending upon it would also be vulnerable to similar attacks and defects. For instance, smart cities cyber security would be compromised to a great extent if they are dependent upon insecure IoT infrastructure.

As on date, the cyber security infrastructure of India is not in a good shape. We are stressing too much upon anti virus software and firewalls rather than engaging in deep techno legal cyber security research. Perry4Law Organisation (P4LO) has been managing the exclusive Techno Legal Centre of Excellence for Cyber Security Research and Development in India (CECSRDI). Our aim is to develop techno legal cyber security capabilities of India so that Indian can possess both offensive and defensive cyber security capabilities.

Take the example of cyber security of banks in India that is not in good shape. Reserve Bank of India (RBI) prescribed a September 30, 2016 deadline for the banks to make the cyber security of their banking infrastructure robust and strong. However, till January 2017, no bank has complied with this direction. This is happening because Indian banks neither have the requisite cyber security expertise nor they are interested in spending to acquire the same. They are still dragging the traditional and old methods that have been successively exploited by criminals and cyber criminals. 
« Last Edit: January 24, 2017, 10:49:33 AM by CECSRDI »