Monday, December 7, 2015

Cyber Security Problems And Challenges in India: Report By Perry4Law Organisation (P4LO)

Cyber security is a techno legal field that requires patience and techno legal expertise to practice. India has been a late entrant in the cyber security field and a robust and resilient cyber security infrastructure in India is still missing. We have a national cyber security policy of India (NCSP) 2013 but the same has remained on paper only so far. An analysis of the existing cyber security policy of India would reveal that India has still to do its homework in the cyber security field. We at Perry4Law Organisation (P4LO) believe that a new and proper cyber security policy of India 2015 must be urgently formulated by the Narendra Modi government.

With fast urbanisation and stress upon establishment of smart cities, which mainly depends on information and communication technologies (ICT) to provide public services, we can expect increased number of cyber attacks upon critical infrastructure of India. The critical infrastructure protection in India (PDF) has its own challenges and issues. Similarly, smart cities cyber security in India would have their own problems and solutions. There is no second opinion that cyber attacks are going to increase further and this would raise complicated international legal issues of cyber attacks and cyber security.

For instance it was reported in 2014 that there was a 136% increase in cyber threats and attacks against Indian government organisations as compared to the previous year. Similarly, there was 126% increase in attacks targeting financial services organisations. There is no doubt that a strong cyber security infrastructure is need of the hour in India. Even the national cyber security policy of 2013 must be substituted with the new cyber security policy of India 2015.

Perry4Law Organisation (P4LO) has been suggesting formulation of the encryption policy of India (PDF) for long. As a result Indian government tried to bring an encryption policy recently under Section 84A of the Information Technology Act, 2000 (IT Act 2000) but it was highly defective. The government ultimately scrapped the encryption policy but it needs to be formulated in a proper manner again.

As on date we are facing the following cyber security challenges in India:

(1) Cyber security is not a very easy process to manage. It requires both technological expertise and legal compliances which are lacking in the country.

(2) There are no dedicated cyber security laws in India, except one or two sections in the IT Act 2000 which also has its shortcomings such as lack of privacy, lack of civil liberties protection, absence of cyber security breaches disclosure norms etc.

(3) The IT Act 2000 was passed to govern legal issues of e-commerce, e-governance, cyber crimes, etc. But, according to experts, new and better techno-legal laws must be enacted in place of the old law. Techno legal experts believe that Indian laws like IT Act 2000 and telegraph act require urgent repeal and new and better techno legal laws must be enacted to replace these laws.

(4) On 13 April 2015, the government announced that the Ministry of Home Affairs would form a committee of officials from the Central Bureau of Investigation, Intelligence Bureau, Delhi Police, National Investigation Agency and ministry itself to produce a new legal framework similar to the erstwhile Section 66A of IT Act 2000. However, it is still to be enacted as per the information available with Perry4Law Organisation (P4LO).

(5) Many critical cyber security related issues need to be taken care of such as critical infrastructure protection, cyber warfare policy (PDF), cyber terrorism, cyber espionage, e-governance cyber security, e-commerce cyber security, cyber security of banks, etc.

(6) The cyber security obligations of stakeholders like law firms, e-commerce websites, directors of companies, Government departments, thermal power sector, power and energy utilities, etc must be properly understood and effectively implemented in India.

India is presently facing many types of cyber security threats. These include sophisticated cyber attacks, cracking, child pornography, cyber stalking, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, malware infections, zero day vulnerabilities, phishing attacks, data theft, etc. In June 2012, cyber attacks were reported on the Indian Navy’s Eastern Command systems. On July 12, 2013, just a few days after the release of the National Cyber Security Policy, several high-level GOI officials reported their emails had been hacked. A report later on revealed that almost 12,000 systems were hacked which included systems from the Ministry of External Affairs, Defence Research and Development Organisation, Ministry of Home Affairs, National Informatics Centre etc. There are also a few reports of Pakistan indulging in threatening cyber warfare. Hacker groups based out of Karachi and Lahore have in recent years managed to hack the websites of the Central Bureau of Investigation (CBI) and the Bharat Sanchar Nigam Limited (BSNL) mostly to leave hate mail. It is widely believed that regional terrorist outfits, like the Indian Mujahideen (IM), have also made use of social media sites to communicate effectively.

Perry4Law Organisation (P4LO) has provided the following suggestions to Indian government from time to time:

(1) The Narendra Modi government must take cyber security of the country seriously considering the ever-increasing cyber security challenges in India.

(2) It is high time that India must be cyber prepared to protect its cyberspace.

(3) Draft of the National cyber security policy of India 2015 should be formulated as soon as possible.

(4) There must be a dedicated cyber security law of India keeping in mind contemporary cyber security threats.

(5) Cyber security disclosure norms in India must be formulated as soon as possible.

(6) The cyber security awareness in India must be further improved and spread so that various stakeholders can also effectively take part to the implementation of cyber security initiatives of Indian government.

Perry4Law Organisation (P4LO) hopes that this cyber security research report of India would be useful to all cyber security stakeholders in India and foreign jurisdictions.

Sunday, November 22, 2015

Digital India Project Of India Lacks Cyber Security Infrastructure

In this article, Praveen Dalal, Managing Partner and CEO of Perry4Law Organisation (P4LO) and PTLB, is discussing shortcomings of Digital India project of Indian government. Digital India and cyber security issues in India have been ignored by Indian government so far and this article is addressing that aspect as well.

The success or failure of any project depends upon its due research and analysis. Without proper homework and due diligence, a project may face many shortcomings, lacunae and limitations. One such project is known as Digital India. As on date, the Digital India project of Indian government is heading towards rough waters and problems. This is because Digital India project is suffering from many shortcomings and limitations that Indian government has failed to remove.

For instance, the cyber security infrastructure of India is not in a good shape. Take the example of smart grids cyber security in India. India is contemplating using of smart meters but the same has become a headache for the power companies. Even a Grid Security Expert System (GSES) of India was suggested by Indian government in the past but the same has not been implemented till now.

The Digital India Project of India Government is the classic example of use of Information and Communication Technology (ICT) for delivery of public services. Like any great project, Digital India is also suffering from some “Shortcomings”. The chief among them are lack of Cyber Security, ineffective Civil Liberties Protection, absence of Data Protection (PDF) and Privacy Protection, unregulated E-Surveillance in India, absence of Intelligence Agencies Reforms in India, etc.

Unfortunately, the initial objective of public delivery of services through use of ICT seems to be fading away day by day. Instead of public services the focus has now been shifted towards e-surveillance and data mining. To make this work, Indian Government has been using e-surveillance projects like Aadhaar, Central Monitoring System, Network and Traffic Analysis System (NETRA), National Intelligence Grid (NATGRID), National Cyber Coordination Centre (NCCC), etc. None of them is supported by any “Legal Framework” and “Parliamentary Oversight”.

In fact, Vodafone has confirmed that India has been using “Secret Wires” in the Telecom Infrastructure to indulge in e-surveillance. Indian Department of Telecommunications suppressed the whole incident with a mere assurance of “Investigation” that never took place. As per my personal information, no “Public Report” was made available in this regard by Indian Government so far.

In a latest twist, the Indian Government clubbed its latest Project named Digital Locker with Aadhaar. Essentially it means that Digital Locker is a legal project based upon illegal technology named Aadhaar. I have serious doubts that Digital Locker would serve its or Digital India’s purpose in these circumstances. The matter does not end here. Indian Government has claimed before the Supreme Court that Aadhaar is not mandatory for availing public services. However, this stand of Indian Government is not correct as Aadhaar has already been made compulsory for many public services and many more are added on regular basis.

Surprisingly, Supreme Court has not invoked either the Contempt or the Perjury proceedings against Central Government and States for making false claims and giving incorrect statements. Is not it the duty of Supreme Court to protect the Fundamental and Human Rights of Indian Citizens and residents? It is difficult to believe that Supreme Court is not aware of the ground situation that is actually happening in India. How can the Supreme Court simply rely upon false and misleading statements and allow the Central Government and States to operate in a manner that is clearly prejudicial to the Constitutional Protections and Principles?

It would be really unfortunate if Digital India Project is made the biggest Panopticon of Human History and an endemic E-Surveillance Instrumentality for the Indian Government where every bit of “Digital Information” can be accessed and manipulated by Indian Government. If this is the intention of Indian Government then Digital India Project is heading for rough waters.

Wednesday, November 4, 2015

Smart Cities Cyber Security In India: The Problems And Solutions

Smart cities are the future of urbanisation and population sustainability. The aim of smart cities is to provide a conducive environment for living, commercial activities, healthcare and overall development. Smart cities also predominantly rely upon use of information and communication technologies (ICT) to render public services. Wherever applicable, Internet of Things (IoT) (PDF), cloud computing and virtualisation and machine to machine (M2M) system usage is also there. However, this omnipresent usage of ICT, IoT, M2M, cloud computing, etc has a potential drawback as well in the form of indifference towards smart cities cyber security.

It is not difficult to visualise a scenario of cyber attacks against the critical infrastructures of the smart cities that are run by ICT and technology. Such a cyber attack can cripple the entire smart city if properly executed. Critical infrastructure protection in India (PDF) is still at nascent stage. The national cyber security policy of India 2013 is also very weak and even that has not been implemented by Indian government so far. The much awaited cyber security policy of India 2015 is also missing so far.

A strong cyber security infrastructure of India is the need of the hour, especially when there are no well settled international legal issues of cyber attacks that can be invoked in the case of a cyber incident. It is very important that international legal issues of cyber attacks must be resolved by various government and non government stakeholders. There is no globally acceptable cyber law treaty and cyber security treaty (PDF) that can govern the relationships between various countries. Even the Tallinn Manual on the International Law Applicable to Cyber Warfare (PDF) is just an academic document with no legal binding obligations. The truth is that Tallinn Manual is not applicable to international cyber warfare attacks and defence and countries are free to take measures as per their own choices.

This has necessitated that cyber security related projects in India must be not only expedited but they must also be successfully implemented as soon as possible. Unfortunately, cyber projects like National Cyber Coordination Centre (NCCC) of India, National Critical Information Infrastructure Protection Centre (NCIPC) of India, Grid Security Expert System (GSES) of India, National Counter Terrorism Centre (NCTC) of India, Cyber Attacks Crisis Management Plan of India, Crisis Management Plan Of India For Cyber Attacks And Cyber Terrorism, Cyber Command For Armed Forces Of India, Tri Service Cyber Command for Armed Forces of India, Central Monitoring System (CMS) Project of India, National Intelligence Grid (Natgrid) Project of India, Internet Spy System Network And Traffic Analysis System (NETRA) of India, Crime and Criminal Tracking Network and Systems (CCTNS) Project of India, etc have still not been implemented successfully by Indian government.

This raises the pertinent question as to how Indian government would ensure cyber security of smart cities in India. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance. We also believe that a dedicated cyber security law of India is need of the hour. The same must be a techno legal framework keeping in mind contemporary cyber security threats. Further cyber security disclosure norms in India must be formulated by Modi government. The cyber security awareness in India must be further improved so that various stakeholders can contribute significantly to the growth and implementation of cyber security initiatives of Indian government.

Monday, July 20, 2015

Aarushi Murder Case And The Neglected Cyber Forensics Issues

In an in-depth research article by Perry4Law Organisation (P4LO) it has been revealed that the Aarushi murder case reflects poor cyber forensics usage by CBI and defense lawyers. The way investigation and prosecution was conducted in the Aarushi case, it is clear that electronic evidences were not given the importance that they deserved. It was very much possible to ascertain the truth with great certainty if electronic evidences were forensically acquired by CBI and the defense lawyers used the same while examination and cross examination of the prosecution witnesses.

However, the case was decided merely on the basis of circumstantial evidences that also relied upon many presumptions and circumstances. Some of these presumptions and circumstances could have been proved or disproved by using electronic evidence and cyber forensics methods.

Nevertheless, both CBI and defense lawyers neglected the cyber forensics angle and the case was decided by the lower court based upon the version given by CBI. It is not clear what the fate of this case would be at the higher court level as the High Court has to keep in mind many more considerations besides the circumstantial evidences on the basis of which the prosecution case rests.

The logs, details and data from the accessed websites, computer’s hard disk, router’s logs, etc could have provided valuable lead and evidences regarding the case, opines Praveen Dalal, the leading techno legal lawyer of Asia. The digital evidence from all available technology platforms and instruments must have been analysed in depth and they must have been used by the parties to the case for claiming rights and avoiding liabilities, says Dalal.

India has recently announced the digital India initiatives that intend to strengthen e-delivery of services in India. However, along with e-delivery of services, Indian government must also be ready to deal with increased cyber crimes. We have very few initiatives in India that are catering to the requirements of cyber crimes investigation and cyber forensics analysis of the growing cyber crimes and cyber contraventions happening in India. Indian government must ensure modernisation of law enforcement agencies of India as soon as possible along with making them accountable to the Parliament of India.

Tuesday, June 30, 2015

Aadhaar Is The Worst E-Surveillance Instrumentality Abused By Indian Government: Praveen Dalal

This is the guest post of Praveen Dalal elaborating the dangers that Aadhaar project is posing to the democracy and fundamental rights of Indian citizens. The persistent use of Aadhaar by Indian government even at the cost of contempt of court and prohibition by the Supreme Court of India shows that Indian government is well committed to violate the civil liberties of Indian citizens, opines Dalal. In fact, the Digital India project has become the biggest digital panopticon of human history as Indian government has illegally linked the same with the illegal and unconstitutional technology named Aadhaar, says Dalal.

Aadhaar Project was visualised as a public good project but it ended up being a project that is violating various Constitutional and Statutory Provisions. The Constitutional Validity of the Aadhaar Project has been questioned before the Supreme Court of India. In another related case, the Supreme Court of India has held that the Aadhaar cannot be made compulsory for availing Public Services. Similarly, the Supreme Court has also restrained UIDAI from transferring any Biometric Information of any person who has been allotted the Aadhaar number to any other Agency without his consent in writing (PDF).

Just like Congress Government even the BJP Government has declared that it would bring and ensure a Legal Framework for Aadhaar. However, till the writing of this Article, no news about a Legal Framework for Aadhaar is available. As a result the position on the date is that Aadhaar is operating without any Legal Framework and Parliamentary Oversight.

Aadhaar Project in its “Current Form” is suffering from many “Illegalities and Infirmities”. For instance:

(1) Aadhaar has been made “Mandatory and Exclusive” for availing many Public Services in India despite Supreme Court’s Interim Order and Constitutional Prohibitions.

(2) Aadhaar Project is not supported by any Legal Framework and is not subject to “Parliamentary Oversight”.

(3) Aadhaar Project is violating various “Civil Liberties” like Privacy Rights of Indians.

(4) Aadhaar Project is “Grossly Weak” on the fronts of Cyber Security and Data Security.

(5) Aadhaar is not “Foolproof and Tamper Proof” and it can be “Obtained Illegally” and in Wrong Name.

(6) The “Authentication Mechanism” of Aadhaar Project is also faulty and in many cases gives “False Negative Alarms”.

(7) The present Practices and Methods adopted by Indian Government and its Agencies for Biometric Collection of Indians/Residents is Unconstitutional.

(8) Even “Clubbing/Merging” of Biometric Data of Aadhaar and National Population Register (NPR) has “Serious Constitutional Ramifications” and the same should not be done.

(9) Absence of Encryption Policy of India (PDF) to safeguard Biometrics Data, etc.

If we add the “Unaccountable Intelligence Related Exercises” of Indian Government, its Agencies and Foreign Partners like United States, the list is too bulky to be discussed here. Suffice it to say that the Aadhaar Project is suffering from many “Vices and Illegalities”. These include Civil Liberties Violations, Unconstitutional E-Surveillance Issues, Data Security and Cyber Security Issues, Compulsory Nature of Aadhaar, Unaccountable Intelligence Agencies, Foreign E-Surveillance Threats, Telecom Security Issues, Integration with Surveillance projects like NATGRID, Unconstitutional Biometrics Collections, etc.

All these aspects make the Aadhaar Project an Unconstitutional Project that was required to be Scrapped by the Modi Government. Alternatively, all these Constitutional Infirmities and Illegalities were required to be “Eliminated” by the Modi Government before allotting further funds to Aadhaar Project. There cannot be a “Third Option” for the Modi Government and wasting precious “Public Money” on Unconstitutional Project like Aadhaar “Can Never Be Justified” even by the Standards of the “Fancy Words and Empty Promises” made by the Congress and BJP Governments regarding Aadhaar Project.

Not only this, the entire situation has also raised “Serious Questions” about the “Real Intentions” of Indian Government vis-à-vis Aadhaar Project. The “Present Form” of Aadhaar Project and the behaviour of Indian Government regarding Civil Liberties have definitely negated the theory of Welfare Project as projected by both Congress and BJP Government. But if Aadhaar Project is not a Welfare Project what is its purpose and true nature?

In my personal opinion, Aadhaar in its present form has no Welfare Elements attached to it whatsoever but is an “Endemic E-Surveillance Project” that is operating well beyond the Constitutional Protections, Parliamentary Oversight and Judicial Scrutiny. The sole purpose seems to be to club the Biometric Details of Indian Citizens/resident with other “Centralised Databases” like National Intelligence Grid (NATGRID) Project of India, Central Monitoring System (CMS) Project of India, Internet Spy System Network and Traffic Analysis System (NETRA) of India, Crime and Criminal Tracking Network and Systems (CCTNS) Project of India, etc. Gradually, both Biometrics and Non Biometrics based details and data would be clubbed with the DNA Databank of India that Indian Government would definitely go for in the near future.

It is for You to decide whether You wish to give Your Children a “Free and Transparent India” or You wish Your Children to be a Guinea Pig or Lab Rat for Indian E-Surveillance Projects like Aadhaar that are clearly Illegal and Unconstitutional.

Online Gaming And Gambling Websites May Be Legally Risky In India: Perry4Law

India is presently gripped in the euphoria of digital India. This is also a time when many have started exploring the entrepreneurship instead of seeking an employment career. While this is a good move yet entrepreneurship without a legal framework or in derogation of the laws of India is not a thing to be encouraged. One such area where there is a need of urgent laws and regulations is online gaming and online gambling.

Online gaming has created great interest among the gaming stakeholders. India has also witnessed many companies and gaming stakeholders trying to establish their online gaming business. These include launch of online poker and rummy websites, online card games websites, etc. However, in the absence of a holistic and comprehensive regulatory framework in this regard, online card games and online games are still legally risky ventures.

In fact, online card games websites may be legally risky if not properly drafted and managed. Till now the position regarding playing rummy with stakes is not clear and different High Courts have given conflicting judgments in this regard. This has exposed all those who are playing card games with stakes to numerous litigations across India.

For instance, a majority of online poker and rummy websites are flouting laws of India and they can be punished any time by the government. Perry4Law strongly recommends that till the time Indian Supreme Court or Central Government clarifies the legal position regarding online gaming in India, the online gaming/gambling stakeholders must comply with existing and applicable techno legal requirements of Indian laws.

Unfortunately, this is not happening as on date and online gaming websites are openly flouting the laws of India. They are not at all complying with the cyber law due diligence (PDF) requirements of Indian cyber law.

What is more surprising is the stand of Indian Government in this regard. Indian Government is neither clarifying its stand before the Supreme Court nor is bringing a suitable techno legal legislation to make the regulatory uncertainty clear.

Perry4Law believes that the least various online gaming stakeholders can do is to comply with the maximum possible laws of India. This compliance requirement must consider technological, traditional and commercial laws of India.

Digital India Has Severe Civil Liberties And Cyber Security Issues

We all are systematically, continuously and vigorously brainwashed with daily doses of social media and other forms of publicity regarding the digital India project of Indian government. However, when it comes to critical analysis of the digital India project, they are severely censored in India. Even the facets of digital India like smart cities are suffering from violation of civil liberties issues and facing dangers of inadequate cyber security.

In this guest post, Praveen Dalal has wonderfully analysed the shortcomings of digital India project that must be removed by Indian government. He believes that digital India is biggest panopticon of human race the moment it is clubbed with e-surveillance tool named Aadhaar.

According to Dalal, Digital India is a very ambitious and significant project by Indian Government. However, it is also suffering from some “Shortcomings” that have still not been tackled properly. As a result the Digital India project is heading towards rough waters and may face many legal and technological challenges in the near future.

I would not discuss all these shortcomings in this article but am focusing on a particular problem that has taken the shape of a “Civil Liberties Violations Menace”. Yes, I am talking about the E-Surveillance and Eavesdropping aspects of Indian Government projects like Central Monitoring System (CMS), National Intelligence Grid (Natgrid), Internet Spy System Network and Traffic Analysis System (NETRA), National Cyber Coordination Centre (NCCC), etc. To make matters worse, Indian Government has been postponing Intelligence Agencies Reforms for many decades.

However, nothing can beat the draconian e-surveillance project named Aadhaar that has been designed to take a complete control over the digital lives of Indians. Surprisingly both the Indian Parliament and Supreme Court of India are watching helplessly while the Executive branch has usurped the “Legislative Powers” and literally mocked all sorts of Judicial Review.

Take the example of the interim order (PDF) issued by Supreme Court of India mandating that Aadhaar cannot be made mandatory for availing various public services. Although Central Government has informed the Supreme Court that Aadhaar is not mandatory for availing public services yet it has been made compulsory for almost all the digital and non digital services in India. As a result a wonderful project like Digital India would be heading for rough waters if our Judiciary is even “Remotely Sensitive” to Civil Liberties Violation issues.

This is also not the end of the story. When everything is clubbed with Aadhaar, it gives a complete control to our E-Surveillance loving Government over our digital and non digital lives. There is nothing left to claim Informational Privacy from our own Government. Privacy is our Human Right and not a Government charity and it should not be taken away with direct or indirect methods.

What is most anguishing is the “Deafening Silence” of the Parliament of India and Indian Supreme Court to resolve these issues. Why Parliament has abdicated its “Legislative Powers” in favour of the Executive and why Supreme Court has not taken the Executive stringently cannot be explained with any rational explanation. However, in the absence of exercise of their “Constitutional Duties” we can safely conclude the “Separation of Powers” under the Indian Constitution has “ceased to exist” in the present and turbulent E-Surveillance era of India.