Thursday, March 31, 2011

Measurement Of ICT Resilience And Robustness

Information and communication technology (ICT) brings efficiency and many more benefits. On the darker side, it is also exploited by cyber criminals for their nefarious activities. That is why information security of ICT networks and systems is of paramount importance.

Dartmouth’s Institute for Information Infrastructure Protection (I3P) has provided its Cyber Security Research Recommendations in the past, informs Praveen Dalal, managing partner of New Delhi based techno legal firm Perry4Law and leading techno legal expert of India. They are in the form of a set of “Recommendations” for advancing Research in Cyber Security that can be implemented in the next five to 10 years, informs Dalal.

The report recognises four areas upon which work should be started on a priority basis. These are:

(1) A coordinated and collaborative approach is needed.
(2) Metrics and assessment tools must be developed.
(3) An effective legal and policy framework for security must be created.
(4) The human dimension of security must be addressed.

These are very good recommendations and need to be developed further, suggests Dalal. Recently, the European Union (EU) agency, the European Network and Information Security Agency (ENISA), provided its first comprehensive report on Metrics and Measurements in Network and Service Resilience, informs Dalal. The report has shown a lack of Standards and Coherency in this regard, informs Dalal.

ENISA has published the “Main Challenges and Recommendations on Network and Service Resilience Metrics” report, as well as a technical report. These are the first ever reports in Europe to address this area's lack of a holistic review. ENISA believes that metrics and a measurement framework are essential to the assessment of practices and policies to improve network and service resilience.

One of the challenges mentioned in the report is that there are very few existing frameworks and not one is globally acceptable. Even in the field of Cyber Crimes, there is no Internationally Acceptable Cyber Law Treaty, informs Dalal. Although we have the EU Convention on Cyber Crimes, many countries are not part of the same, says Dalal. Similarly, we have no internationally acceptable cyber security treaty.

Thus, there is no international harmonisation in the crucial fields like cyber law and cyber security. Naturally, we have no international norms and standards to measure ICT resilience and robustness as well. It is also important for the Critical ICT Infrastructure Protection that nations must be able to accurately measure the security and resilience of their critical infrastructures.

These recent developments are much needed and I hope they would be transformed into a Harmonised Code, wishes Dalal. I hope India would also take note of these international developments and would do the needful in this regard.

India’s Telecom Security Policy Needed

Telecom security of India has finally received the attention of the Indian government. However, the response of the Indian government in this regard is not only incoherent but is also far from reality. Instead of stressing upon real and crucial issues, the Indian government is wandering upon unnecessary terrains.

In fact, Indian government has become paranoid to a great extent. Recently, the government has directed that telecom service providers employ only Indian nationals in sensitive positions like Chief Technical Officer and Chief Information Security Officer. These are the positions that are primarily responsible for handling interception and monitoring requests from intelligence and security agencies of India.

Surprisingly, Indian government is not bothered by the fact that phone tapping in India is occasionally arranged by private security agency employees who are contracted by the telecom service provider to receive interception orders from official agencies.

The Indian government is also not worried by the fact that India has no constitutionally sound lawful interception law. Experts like Praveen Dalal have been insisting that a lawful interception law is urgently needed in India.

We have no telecom security policy in India. There is no mechanism in India through which telecom hardware and software can be analysed for backdoors and malware. In these circumstances, formulating an Indian telecom security policy is urgently required.

Another area that has remained by and large untouched by the Indian telecom regime pertains to the unpredictable and unreliable encryption policy of India. Troubled by this chaos, the United States government will seek changes in India's policies on telecom security and encryption in its next meeting with the telecoms department officials.

Companies like Gmail, Skype and BlackBerry are facing the ire of Indian security agencies over encryption issues. In the absence of any legal framework and regulatory regime for encryption in India, there is a lot of confusion in India. The Department of Telecommunication (DoT) is in the process of formulating the new telecom policy of India 2011 and it would be appropriate if these issues are redressed by the same.

Wednesday, March 30, 2011

Indian Telecom Security Policy Required

Of late, foreign telecom companies are demanding a level playing field in India. They are of the opinion that Indian telecom policies, especially the telecom security policy of India, are not conducive to free trade and healthy competition.

In the past import restrictions have been placed on foreign hardware and software vendors. Hardware vendors like Huawei and ZTE faced the security concerns of Indian intelligence agencies. After much delay and restrictions, they were finally allowed to export their hardware to India with stringent penalty provisions.

The department of telecommunication (DoT) has proposed Rs 1000 crore as the upper limit for imposing a penalty upon mobile phone companies in case any spyware or malware is found in imported network equipment or in the event of a security breach. The lower limit for the penalty will be Rs 50 crore. Further, a Telecom Security Council of India has also been proposed by the DoT that would look into security related aspects of hardware and network equipment.

On the software front, India has decided to abandon a controversial rule that made it mandatory for foreign equipment manufacturers to put their software in the equivalent of a sealed envelope and submit it to the government. However, vendors like Ericsson, Nokia Siemens, Cisco and Alcatel-Lucent did not find this acceptable and they decided to stay away from the burgeoning $100 billion Indian market.

However, the Telecom Security and Encryption Policy of India is still not formulated and this is causing lots of trouble for Companies like Google/Gmail, Skype, Research in Motion’s (RIM) Blackberry, etc., informs Praveen Dalal, managing partner of New Delhi based law firm Perry4Law and leading techno legal expert of India. The National Security concerns of India must be “Reconciled” with Civil Liberties and Commercial Interests of these Companies, suggests Dalal.

DoT is in the process of formulating the new telecom policy of India 2011 and it would be appropriate if these issues are redressed by the same.

Telecom Security Policy Of India

Telecom security policy of India is an area that does not require much introduction. Its importance for India is also well known. However, despite it being a very crucial and national policy issue, telecom security in India never received much attention of Indian government.

The only time Indian government considered telecom security of India is when security and intelligence agencies of India raise objections regarding various hardware and software imports to India.

The new telecom policy of India 2011 is in the pipeline and herein lie some chances to improve the telecom security of India. A Telecom Security Council of India has also been proposed by the Department of Telecommunications (DoT) that would look into security related aspects of hardware and network equipment.

In the past as well suggestions for the establishment of Telecom Security Regulatory Authority of India (TSRAI) were given. However, till now no steps have been taken in this regard.

Indian Government must clear its head regarding crucial issues like Encryption Standards, Network Sniffing, E-Mails Sniffing, Mobile Phones Interceptions, Cell Phone Data Usages, etc, says Praveen Dalal, managing partner of Perry4Law. It is high time for India to enact a Comprehensive Legislation in this regard, suggests Dalal.

Telecom security is an idea whose time has come. It would be a good idea if DoT starts working on this crucial aspect as soon as possible.

Telecom Security Policy Of India And Encryption Rules

Encryption is a very useful technology for safe and secure e-transactions. It is also needed to have secure and confidential electronic communications. However, encryption is an unresolved enigma in India. We have no encryption laws in India and, despite the suggestions of many experts, encryption laws and regulations in India are still missing.

Encryption has also become essential due to faulty electronic sniffing and e-surveillance approach of India. For instance, India is pressurising Research in Motion’s (RIM) Blackberry for providing unencrypted e-mail and telecom communications in India. By threatening to ban Blackberry services in India, the government has already obtained access to Blackberry’s messenger services. Now India is forcing the telecom service providers of India to drop Blackberry’s services if it does not provide free and unencrypted access to its services in India. This is not only a wrong strategy but also an unconstitutional act on the part of Indian government.

According to Praveen Dalal, a Supreme Court lawyer and leading techno legal expert of India, we have “No Constitutionally Sound” Lawful Interception Law in India and we need one immediately. The Indian Telegraph Act, 1885 has served its purpose and it must be “Repealed” as soon as possible if India cares about Fundamental Rights of Indian Citizens, suggests Dalal.

According to Dalal, India is the only country of the World where phone tapping is done without a Court Warrant and by the Executive Branch of the Constitution of India. Phone tapping in India is "Unconstitutional" and the Parliament of India has not thought it fit to enact a "Constitutionally Sound Law" in this regard. Even the Supreme Court's directions in the PUCL case have proved futile and presently the Court is dealing with the issue once more, informs Dalal. India urgently needs a lawful interception law, suggests Dalal. Industrial body Assocham has also endorsed the views of Praveen Dalal.

However, India is compromising mobile security in India by insisting otherwise. Mobile cyber security in India is not up to the mark and unencrypted communication would further increase the risks. The new telecom policy of India 2011 is in the pipeline and it would be a good idea if the mobile security policy of India is also made a part of the same, suggests Dalal. The proposed Telecom Security Council of India can take up this issue when constituted, suggests Dalal.

Meanwhile, the United States government will seek changes in India's policies on telecom security and encryption in its next meeting with the telecoms department officials. Companies like Gmail, Skype and BlackBerry are facing the ire of Indian security agencies over encryption issues.

We must urgently formulate a telecom security policy of India that covers encryption aspects as well. Let us hope the encryption issues and lawful interception issues of India would be resolved very soon.

Cyber Attack Hit European Parliament

The European Parliament's computer network has been breached by a cyber attack. The attack was similar to the one that was launched against the European Commission last week. Both the cyber attacks were sophisticated and were not the work of any script kiddie.

As a precautionary measure, the employees of Parliament were directed to change their login information for the body’s network. Similar instructions were also issued to EC workers when their computers were breached. Even the remote access has been temporarily disabled.

The European Council confirmed it had been hit last week ahead of a significant summit in Brussels. The External Action Service, which effectively acts as the EU’s foreign ministry, was also hit.

Cyber Crimes fight is hampered by lack of International Coordination and Harmonised International Standards, opines Praveen Dalal, managing partner of New Delhi based law firm Perry4Law and leading techno legal expert of India. For instance, India is not a Signatory to the International Cyber Crime Treaty of the European Union, informs Dalal. This gives lots of room for International Cyber Attacks, Cyber Terrorism and Cyber Espionage by Rogue Nations, says Dalal.

Meanwhile, information technology services of European Parliament are working really hard to investigate the source of cyber attacks and to put in place effective cyber security measures.

Monday, March 28, 2011

India Is Facing Serious Cyber Threats

India has been facing serious cyber threats these days. These include threats from cyber espionage, cyber terrorism, cyber warfare, etc. Even social networking sites and cloud computing applications have come under cyber attacks.

Although cyber crimes and cyber threats have increased significantly in India, cyber crime prevention and network security in India are still far from perfect. India’s preparedness to tackle growing cyber crimes and cyber attacks is not proper and we do not have any cyber law policy in India.

In fact, preparedness for cyber attacks and cyber terrorism is missing altogether in India. Cyber terrorism is a concept that is closely related to the national security and cyber security of any nation. While the definition and nature of cyber terrorism are still debatable, none can doubt the use of information and communication technology (ICT) for attacking crucial computer systems of others, says Praveen Dalal, India’s leading techno-legal expert.

Realising the importance of cyber security and a defense against cyber terrorism, countries all over the world are streamlining their defense networks. Some have merged their traditional armed forces defenses with technology driven security while others have established a separate and dedicated cyber security segment for themselves. India also needs good techno-legal cyber security for its defense forces.

India must urgently formulate good cyber security policy and effective crisis management plan for cyber attacks and cyber terrorism. The issue must be taken at the national level and a national policy is needed in this regard, says Dalal.

We have launched a centre for protection of human rights in cyberspace that is covering the issues pertaining to protection of critical ICT infrastructure in India, prevention of cyber terrorism in India, cyber espionage in India, defense against cyber war in India, etc. The centre would also provide suggestions and methods to prevent e-surveillance by governmental as well as non-governmental persons and organisations, informs Dalal.

The time has come when India must take issues like cyber security, cyber terrorism, cyber war and other allied issues seriously. We need both policy level as well as legislative measures to make Indian cyberspace robust and secure. On the legislative side, we must enact strong cyber laws and on the policy side we must formulate a suitable cyber security policy of India and cyber crimes policy of India.

Till now India lacks initiatives on both these fronts. The present cyber law of India has decayed and it must urgently be repealed. The information technology act 2000 is not serving much purpose these days and it must be replaced by a more effective and strong cyber law. Let us hope that the Parliament of India would do the needful in the forthcoming session.

Indian Crisis Management Plan For Cyber Attacks And Cyber Terrorism

The threats of cyber attacks, cyber espionage and cyber terrorism are looming large over India. India needs to understand the seriousness of cyber attacks upon its critical infrastructures and cyberspace. To start with, India must formulate a crisis management plan to tackle cyber attacks, cyber terrorism and cyber espionage attempts.

A crisis management plan (CMP) is a measure of readiness to meet uncertainties and future risks and accidents. If we have a good crisis management plan in place, we can minimise the damage and harm to the maximum possible extent.

CMP pertaining to information and communication technology (ICT) is an essential part of national ICT policy of India. The other parts of national ICT policy of India are cyber security policy of India, critical infrastructure protection policy of India, critical national infrastructure protection policy of India from cyber attacks, national security policy of India, etc.

Similarly, we must also formulate a cyber security policy for India. With more and more networks and computers now connected with public utilities and essential public services, cyber security assumes great significance these days. India is also looking forward to mandatory electronic delivery of services. This would increase the risks of cyber attacks upon crucial public delivery systems of India.

The government of India has issued certain guidelines to safeguard Indian cyberspace. According to these guidelines, no sensitive information is to be stored on systems that are connected to the Internet. The Government has also claimed to have formulated a Crisis Management Plan for countering cyber attacks and cyber terrorism for implementation by all Ministries/Departments of Central Government, State Governments and their organizations and critical sectors.

The organisations operating critical information infrastructure have been advised to implement information security management practices based on International Standard ISO 27001. Ministries and Departments have been further advised to carry out their IT systems audit regularly to ensure robustness of their systems. Ministry of External Affairs has also issued a comprehensive set of IT security instructions for all users of MEA and periodically updates them on vulnerabilities.

Although the steps taken by Indian government are praiseworthy, they are not sufficient to ward off the sophisticated cyber attacks. The practical implementation of the crisis management plan of India is still missing. With a beginning already taken place, it needs a political will to give it a final shape and help it to reach its final destination.

Sunday, March 27, 2011

Data Protection Laws In India

Data protection is a very important aspect of civil liberties like privacy rights and is of great commercial value. Data protection is required as it preserves the privacy of the individuals and organisations whose data has been taken.

Similarly, certain data has tremendous commercial value and its leakage may adversely affect the business profits of organisations. For instance, take the example of the business process outsourcing industry that relies heavily upon data protection requirements. If crucial data like credit card details is not protected by any law, the same would give rise to many sorts of crimes.

Data protection and privacy rights are becoming more important day by day in India. India does not have any specific and dedicated data protection and privacy laws. As a matter of fact, privacy laws in India are missing.

On the contrary, India is sternly committed to e-surveillance and other forms of privacy violation activities. Ironically, we do not have a lawful interception law in India and phone tapping and e-surveillance are committed in an unconstitutional manner in India.

This indifference of the Indian government towards privacy laws, data security laws and data protection laws is also becoming a headache for the government itself. Controversial issues like illegal phone tapping, imposition of the Aadhar project, launch of projects like the national intelligence grid (Natgrid) and crime and criminal tracking network and systems (CCTNS) without any procedural safeguards, etc. require not only enactment of a dedicated and constitutionally sound privacy law but also putting in place sufficient data protection mechanisms.

With issues like cloud computing and m-governance, things have become even more complicated. The real problem is that India does not have any dedicated Privacy Law, Data Protection Law and Legal Enablement of M-Governance in India, informs Praveen Dalal, a Supreme Court Lawyer and leading Techno Legal expert of India.

With the proposed use of Cloud Computing, Software as a Service (SaaS) and M-Governance by Indian Government, more “Privacy Violations”, “Cyber Security” and many more “Regulatory Issues” would arise in future. These “Initiatives” cannot succeed in India in the absence of adequate and strong Laws in this regard, informs Dalal.

With the proposed Draft Electronic Delivery of Services Bill 2011 (EDS Bill 2011) things would even become more complicated. When most of the public services would be delivered through Mandatory E-Governance Model, a very strong Data Protection Regime and Privacy Protection Regulatory Framework would be required, opines Dalal.

Till now India has not paid any attention to data protection, data security and privacy laws. This is a bad policy decision that would hamper not only the present but also the future projects of Indian government as well.

Saturday, March 26, 2011

Mobile Security Policy Of India

Mobile security in India has assumed centre stage these days as more and more online services are attached to mobile phones. Whether it is micro payments through mobile or m-governance, mobile has changed the entire game of public delivery of services in India. The draft electronic delivery of services bill 2011 would further augment the use of mobile phones for delivery of services in India.

These days, malware writers have written specific malware for smart phones. Newer forms of viruses and worms are regularly released that specifically target mobile phones. Mobile cyber security in India is the need of the hour in these circumstances.

However, mobile security cannot be implemented in India till it is made part and parcel of the larger mobile security policy of India. New telecom policy of India 2011 is in the pipeline and it must include the aspects of mobile security as well.

Further, proposals are also there to constitute a telecom security council of India. The council would consider the security aspects of mobile phone hardware and software. The council must play a proactive role in formulating the national mobile security policy of India.

However, certain Security Related Issues must be resolved by India urgently, says Praveen Dalal, managing partner of Perry4Law and leading techno legal specialist of India. For instance, Encryption issues must be resolved by India as soon as possible, suggests Dalal. A Sense of Uncertainty among Mobile Service Providers is the last thing that India needs at this point, suggests Dalal.

India should start the ball rolling and formulate a national mobile policy of India that should include all aspects regarding mobile use in India. Mobile security policy must be an essential part of the same.

Safeguarding The Digital Economy

Digital economy is a parallel world where everything happens in an online environment. The concept of digital economy is very wide and it covers almost all the areas of interaction among human beings. These days, it includes every aspect of life from health to education and from business to banking. The latest to add to this list are e-governance and e-commerce.

Digital economy has brought its own shares of problems as well. The biggest of them is pertaining to safeguarding the same from cyber attacks and malicious activities. In fact, it has become a real challenge to secure critical national infrastructure from cyber attacks these days.

Digital Economy cannot be safeguarded till we have good and effective Cyber Security Laws on the one hand and effective Information Security Policy on the other, says Praveen Dalal, Managing Partner of Perry4Law and leading techno legal expert of India.

Two of the most important aspects of Digital Economy are Social Networking Sites and Virtual Worlds. These Social Networking Sites and Virtual Worlds must be protected from Cyber Attacks and Malicious acts, suggests Dalal.

Cyber security is presently lagging far behind the sophisticated cyber attacks. The cyber security industry must be innovative and responsive in order to protect the digital economy from the growing nuisance of cyber crimes and cyber attacks.

Digital economy also brings its own sets of rights and civil liberty issues. For instance, Civil Liberty aspects of Cyberspace must be kept in mind by various Governments while delivering services in a Digital Environment, suggests Dalal.

Digital economy is not an easy world to manage and handle. There must be a gradual shift to digital economy with proper legal framework and policies in place.

Innovation Trends in Cyber Security

Innovation is a continuous process that makes the evolution of existing technologies and emergence of new technologies possible. Without innovation, products and services would become unproductive and redundant. This is more so in the cyber security field where newer viruses and worms keep the cyber security industry on its toes.

However, innovation in the field of cyber security is not matching the progress that the malware industry is making. The virus and worm writers are winning the game for the time being as it is very difficult to trace, prevent and eliminate all sorts of malware completely.

According to Praveen Dalal, managing partner of New Delhi based law firm Perry4Law and leading techno legal expert of India, Cyber Criminals are developing new and very dangerous Malware these days. At times, these Malware are so sophisticated that even the Cyber Security Industry fails to detect the same. Till detected, these Malware cause tremendous loss both in terms of money and crucial information, informs Dalal.

Cyber security industry must be innovative to meet the challenges posed by cyber criminals and malware writers. Further, the growing popularity of social networking sites has also attracted the attention of cyber criminals and now they are targeting them as well.

We need to monitor and secure social networking sites and virtual worlds as well, suggests Dalal. Further, Cyber Laws and Due Diligence Compliance would also arise in future as Government asserts more and more control over Cyberspace, informs Dalal.

Disruptions are also visible in fields like social networks, mobile devices, and cloud computing. These circumstances are accelerating the pace of innovation in cyberspace in general and cyber security in particular.

Innovation in the cyber security field is the need of the hour as the cyber security industry cannot sustain itself in the long run if it stops upgrading its products and services.

Friday, March 25, 2011

Computer Forensics Courses In India

The importance of information and communication technology (ICT) related research, education and training is self explanatory. This is more so when this is techno legal in nature where both technical as well as legal issues are involved.

This is the reason that the Lok Sabha passed a bill to provide status of IIT to eight new institutes and upgrade BHU's institute of technology into IIT. The government has also asserted that steps were being taken to address shortage of faculty and quality of higher education.

The government has also endorsed the importance of public private partnership (PPP) in imparting qualitative research, education and training in India. One area that can greatly benefit from PPP model is computer forensics research, education and training.

The word computer forensics depicts a picture of science fiction movie where cops or professionals engage in the same with great ease and style. However, in real life things are not as easy and glamorous as they are shown in movies.

Computer forensics is not an easy task. Rather it is a complicated procedure that requires great cyber skills development. Computer forensics requires practical scientific knowledge about computers and associated accessories. The evidence acquired through computer forensics must be legally admissible hence every precaution must be taken to acquire evidence in a legally acceptable manner.

Computer forensics in India is still at its youth stage. This is so because there is a general lack of legal enablement of ICT systems in India that can strengthen computer forensics research, education and training in India. In the absence of adequate legal enablement of ICT systems in India, computer forensics has also not developed much.

Another reason for the lack of computer forensics in India is the absence of adequate and qualitative techno legal computer forensics institutions. There are very few institutions that provide computer forensics education and training in India. However, computer forensics is techno legal in nature and must cater to both the technical and legal requirements of the learners.

India has a single techno legal cyber forensics research, training and educational institution. It is managed by Perry4Law's Techno Legal Base (PTLB) and Perry4Law's Techno Legal ICT Training Centre (PTLITC). The centre is providing techno legal computer forensics education, training and courses in India.

PTLB and PTLITC are providing their computer forensics courses and other techno legal courses and training through the use of e-learning and online education models. Registration for online education and training in the field of cyber forensics and other techno legal courses of PTLB and PTLITC can be done through their online platforms.

Some of the topics covered by the basic level computer forensics course include basic introduction about applicable law, cyber law of India, digital evidencing in India, e-mail tracing, data recovery, etc. The students or professionals undergoing the basic level trainings and education from PTLB would be given preference for courses and trainings undertaken by PTLITC.

Application form for the enrollment to various courses, internships and trainings can be downloaded from here and more details about the courses of PTLB can be found here.

PTLITC is also in the process of providing highly specialised and domain specific techno legal training, courses and education in fields like cyber law, cyber security, cyber forensics, anti cyber terrorism, anti cyber warfare, human rights protection in cyberspace, lawful interceptions and self defence against unlawful interceptions, etc. If you have a temperament for techno legal courses, get yourself a seat as the techno legal profession is going to be one of the most remunerative and in demand professions in future.

Financial Sector Legislative Reforms Commission (FSLRC) Of India

Of late banking and financial sector reforms and legislations are on the list of Union Finance Minister Pranab Mukherjee. The banking regulation amendment act has been approved by the cabinet, chief information officers (CIOs) have been made mandatory for banks in India, a steering committee on information security has been made mandatory for banks in India by RBI, etc.

Further, information and communication technology (ICT) would also play a more pro active role in the future banking and financial sector of India, says Praveen Dalal, managing partner of Perry4Law and leading techno legal expert of India. The Cyber Law of India carries provisions regarding e-governance and e-commerce and the draft Electronic Delivery of Services Bill 2011 mandates the government of India to provide electronic services, informs Dalal.

In this background, the government of India has taken another significant step. Recently a resolution has been passed by the Government of India for the constitution of the Financial Sector Legislative Reforms Commission (FSLRC) of India. The constitution of FSLRC was announced by the Union Finance Minister Shri Pranab Mukherjee in his budget speech of 2010-11.

The main objective of constitution of FSLRC is to rewrite and harmonise financial sector legislations, rules and regulations. This had become necessary as the institutional framework governing India’s financial sector was built over a century and the same has become redundant for the contemporary requirements.

A need has been continuously felt to rewrite and streamline the financial sector laws, rules and regulations and to bring them in harmony with the requirements of India’s fast growing financial sector.

There are over 60 Acts and multiple Rules/Regulations in the sector and many of them date back decades when the financial landscape was very different from what is obtaining today. The large number of amendments made in these Acts over time has increased the ambiguity and complexity of the system. It is therefore required to sort out these ambiguities and complexities and enact suitable financial sector rules, regulations and legislations.

The FSLRC has been assigned the role to simplify and rewrite financial sector legislations, including subordinate legislations, to achieve harmony and synergy among them. This will remove ambiguity, regulatory gaps and overlaps among the various legislations, making them more coherent and dynamic, and help cater to the requirements of a large and fast growing economy in tune with the changing financial landscape in an inter-connected financial world. In the long-term, it would help usher in the next generation of reforms and contribute to efficient financial intermediation, enhancing the growth potential of the nation.

FSLRC would also examine issues of data privacy and protection of consumer of financial services in the Indian market. Further, FSLRC would also analyse role of information technology in the delivery of financial services in India, and their effectiveness.

The role assigned to FSLRC is very important and let us hope it would fulfill its objectives, roles and responsibilities.

Thursday, March 24, 2011

International Commercial Arbitration In India

Alternative dispute resolution (ADR) is increasingly seen as an effective alternative to traditional court based dispute resolution. ADR is speedier, more economical and more effective than the traditional litigation model. India has also been encouraging use of arbitration, conciliation, mediation and other ADR techniques to settle disputes out of court.

ADR may be used for both national as well as international dispute resolution. One area that actively looks upon ADR as a preferential mode of dispute resolution is international commercial arbitration. International commercial arbitration in India has also invoked interest of foreign investors and international business community.

International commercial arbitration is no longer as simple as it used to be. The emerging trends in international commercial arbitration indicate that it has become complicated and more demanding. This is especially true when information and communication technology (ICT) is used for dispute resolution. The advent of online dispute resolution (ODR) is a classic example of the same. Further, ODR is no longer just technical or legal. Rather, it has become techno legal in nature.

Both online dispute resolution in India and international commercial arbitration in India have been trying their level best to cope with the contemporary international standards. However, even the international standards are themselves not uniform and there is an urgent need to have harmonised standards for ODR.

The scope of international commercial arbitration in India is increasing day by day. It can be availed of for disputes arising out of contracts on sales of goods, distributorship, agency and intermediary contracts, construction, engineering and infrastructure contracts, intellectual property contracts, domain name dispute resolutions, joint venture agreements, maritime contracts, employment contracts, etc.

India needs to fine tune its practices regarding international commercial arbitration, especially those pertaining to ODR. Future dispute resolution would rely heavily upon ICT, and adapting the current dispute resolution model to the same is the need of the hour.

Wednesday, March 23, 2011

Homeland Security In India

Homeland security in India is an essential part of the overall security and national security of India. Recent events such as the Mumbai terror attacks and other security concerns have forced Indian government to not only modernise the law enforcement and intelligence infrastructure of India but also to establish homeland security infrastructure in India.

However, homeland security of India needs urgent rejuvenation as the same is not up to the mark. Experts have even suggested the establishment of a centralised ICT control system in India for this purpose.

Homeland Security is in its infancy in India, says Praveen Dalal, Managing Partner of Perry4Law and leading techno legal expert of India. Further, India also needs a separate Framework for Cyber Security, Critical Infrastructure Protection (CIP) and Homeland Security issues, suggests Praveen Dalal.

Homeland security is also an important aspect of India’s cyber security. India is increasingly facing issues like cyber crimes, cyber terrorism, cyber security breaches, cyber warfare, cyber espionage, etc. This is the main reason why we are considering establishment of cyber warfare capabilities in India.

Further, another area that has been ignored by India pertains to lawful interception law in India. India presently has no lawful interception law and enacting a constitutionally sound law in this regard is the need of the hour.

Lawful e-surveillance capabilities have also assumed importance in India these days due to growing concerns of civil liberties protection in cyberspace. If the e-surveillance conducted by the Indian government and its agencies is beyond what is approved by the laws of India and Indian Constitution, the same may be challenged before a court of law.

Homeland security is a very tricky issue and Indian government must keep in mind all the aspects pertaining to the same. It must also maintain a delicate balance between civil liberties and national security requirements in India. Giving primacy to one over another without any balancing exercise would be counter productive for India, says Praveen Dalal.

Although homeland security issues have already been discussed in India, they still need a direction and policy support. Indian government must work in the direction of formulating a homeland security policy of India.

Tuesday, March 22, 2011

New Telecom Policy Of India 2011

Telecom policy of a nation is very crucial for the development of information and communication technology (ICT) related growth. The basic requirement of a good telecom policy is that it must be in national interest.

The telecom policy of India has been embroiled in controversies in the past. As a matter of fact, the present telecom policy of India is anti common man. It is going against the interests of telecom consumers of India.

This is also the reason why 2G scam happened in India and investigations are in the process of revealing the loss that occurred to national exchequer. India needs consumer friendly telecom policy to break the vicious circle that has engulfed the telecom sector of India, says Praveen Dalal, managing partner of Perry4Law and leading techno legal expert of India.

Finally, India has given some hints that more productive telecom policies would be adopted very soon. In an attempt to boost manufacturing of indigenous hardware and mobile equipments, the Centre may grant a preferential status to products that have been made in India. This has been stipulated under the new Telecom Policy of India 2011.

The Wireless Planning Commission (WPC), a Department of Telecommunications (DoT) segment for spectrum management, has also decided to reserve some radio waves for indigenously developed technologies and systems in the new National Frequency Allocation Plan of 2011.

Even a Telecom Security Council of India has been proposed by the DoT that would look into security related aspects of hardware and network equipments. This is a good step as India’s dependence upon foreign players for its cyber security and telecom security is not conducive for telecom growth in India.

However, issues pertaining to mobile security in India and mobile cyber security in India are still to be addressed. As more and more mobile connections would be taken in India, the chances of their abuse and cyber crimes against them would also increase. Till now there is no mobile security policy of India.

Let us hope, the proposed Telecom Policy of India 2011 would also address these issues and many more such issues.

Telecom Security Council of India

India has been seriously considering the possibilities of embedded malicious codes and spyware in the imported hardware. This has also affected the import of crucial network hardware in the past by mobile companies in India.

Indian government has also decided to get the hardware tested for malware from foreign institutions till indigenous capabilities are established by India. It is expected that from April 2013 onwards all such tests would be carried out in India itself.

Meanwhile the department of telecommunication (DoT) has put stringent conditions for the import of network equipments. DoT has proposed Rs 1000-crore as the upper limit for imposing penalty upon mobile phone companies in case any spyware or malware is found in imported networks equipment or in the event of a security breach. The lower limit for the penalty will be Rs 50 crore.

There cannot be a doubt about the proposition that both hardware and software based backdoors and malware can be preinstalled, informs Praveen Dalal, managing partner of Perry4Law and leading techno legal expert of India. This step of DoT would act as a deterrent for importing telecom hardware casually and without proper caution, says Dalal.

DoT has also suggested the creation of the Telecoms Security Council of India (TSCI) that would look into security related aspects of hardware and network equipments. This is a good step as India’s dependence upon foreign players for its cyber security and telecom security is not conducive for telecom growth in India.

In the past proposals for the establishment of Telecom Security Regulatory Authority of India (TSRAI) were mooted. However, till now no steps have been taken in this regard. Similarly, Indian government must clear its head regarding crucial issues like encryption standards, network sniffing, e-mails sniffing, mobile phones interceptions, cell phone data usages, etc. It is high time for India to enact a comprehensive legislation in this regard, suggests Dalal.

Let us hope that the proposal for Telecom Security Council of India may not face the same fate as has been faced by TSRAI.

Monday, March 21, 2011

Mobile Cyber Security In India

The mobile phone has become an important aspect of our daily lives. We use mobile phones for multiple purposes including mobile banking and mobile governance. With the use of third generation spectrum, even better, speedier and more productive use of mobile phones is now possible.

However, for all the benefits of mobile use, we cannot ignore the risks associated with it. For instance, mobile banking in India is risky as the present banking and other technology related legal frameworks are not conducive for mobile banking in India.

Similarly, we do not have a well developed e-governance infrastructure in India. Naturally, India is still not ready for m-governance. India does not have any infrastructure, legal framework, policies and strategies and most importantly expertise to implement these ambitious projects.

The biggest hurdles before the mobile related uses in India pertain to use of weak encryption standards and non use of mobile cyber security mechanisms in India, informs Praveen Dalal, managing partner of New Delhi based law firm Perry4Law. Absence of encryption laws in India has further made the mobile security very weak in India, says Dalal.

Mobile viruses and worms are further increasing the woes of mobile users worldwide, claims Dalal. Recently 50 applications within Google’s official Android Market were found to be contaminated with DroidDream malware. The malware stole sensitive information like the phone’s International Mobile Equipment Identity (IMEI) number and the SIM card’s International Mobile Subscriber Identity (IMSI) number. It then sent it to a command-and-control server, informs Dalal. Similarly, other spyware and bugs are also infecting mobile phones worldwide.

Instead of making the encryption requirements redundant and weak, India must concentrate upon further strengthening the same for better and secure mobile communications. Governments of most developed countries allow the usage of strong encryption standards ranging from 128 bits to 256 bits or more to ensure the security of sensitive information exchanged via Internet and other networks. However, India is still clinging to 40 bits encryption standards for the simple reason that intelligence and security agencies of India are not capable enough to break strong encryptions.

In fact, threats have been issued by Indian government to service providers providing encrypted mobile, e-mail and VOIP services. Gmail and Skype have been asked to provide the encryption keys to Indian government and its security agencies. However, neither Google nor Skype has admitted receiving any such communication. India is also indirectly pressurising Blackberry to help India in its e-surveillance activities. These actions of Indian government would only make mobile security weaker.

Indian population is still not interested in mobile cyber security and if the default encryption protection is also taken away, mobile usage in India is definitely going to suffer from malware attacks and cyber attacks. India must urgently concentrate upon mobile security so that these infected mobiles cannot be used by criminals.

Increasing Cyber Security Readiness With Adaptive Threat Management

Cyber security in India has yet to take a good start. There are many factors that ail cyber security of India. This is primarily due to the fact that we have no cyber security policy and strategy in India. Without a cyber security policy, cyber security cannot grow in India.

Cyber security is not only essential for safeguarding national cyber assets but also for securing private assets of individuals and corporations. This is the reason why much importance should be given to cyber security initiatives in India.

Cyber security must also be seen as a sound business strategy. When organisations and businesses are connected to always on networks and Internet, it is of great business value that such computer systems must be strongly secured from cyber attacks, says Praveen Dalal, managing partner of New Delhi based Law Firm Perry4Law and CEO of exclusive techno legal cyber security research, training and educational centre of India. Even a temporary shut down of such crucial business computers may have significant business losses, opines Dalal.

Recently, the Reserve Bank of India (RBI) reiterated the importance of cyber security for banking and financial sectors of India. RBI has declared that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. RBI also mandated cyber due diligence for banks in India.

Companies and business houses must understand the importance of increasing cyber security readiness and corresponding adaptive threat management, opines Dalal. They must understand the importance of e-discovery practices, incident response, first responder’s roles, cyber due diligence, etc. If these companies and business houses have a sound e-discovery mechanism, good cyber security readiness model and adaptive threat management policy, many frauds can be anticipated and prevented before they occur, suggests Dalal.

India has to cover a long gap before it can ensure cyber security readiness and adaptive threat management. With the help of cyber security research centre of India, not only can suitable cyber security policies for India be formulated but good cyber security readiness can also be ensured.

International Cyber Crime Treaty And India

Cyber laws of the world are by and large territorial in nature and applicability. As a result, different countries have different cyber laws and this at times results in conflict of laws.

International initiatives to bring harmonisation were also undertaken but these initiatives failed to generate confidence among the developing countries. As a result, these developing countries are still not part of any international treaty or convention on cyber crimes. International cyber crime treaty and India are still two different domains till date.

The European Union convention on cybercrime is the first international treaty that is trying to resolve the growing nuisances of cyber crime and Internet crimes. The treaty is trying to harmonise national laws, improve cyber crimes investigative techniques and increase cooperation among nations. The treaty came into force on 1 July 2004.

Recently, efforts were made at the United Nations (UN) to adopt a “more comprehensive” and “truly global” International cyber crime treaty, informs Praveen Dalal, managing partner of New Delhi based law firm Perry4Law and leading techno legal expert of India. However, the proposal was rejected by UN and till now there is no globally acceptable cyber crime treaty in existence, informs Dalal.

The biggest roadblock preventing culmination of an internationally acceptable cyber crime treaty is absence of procedural safeguards to prevent abuse and violation of civil liberties of netizens. There is an urgent need to maintain a balance between civil liberties and national security and law enforcement requirements, suggests Dalal. The clash of civil liberties like free speech and expression, privacy rights, etc with law enforcement needs must be adequately reconciled by any international treaty to be successful, suggests Dalal.

Nations across the world are not paying much attention to privacy issues in cyberspace in general and human rights protection in cyberspace in particular. For instance, India has an exclusive techno legal human rights protection centre for cyberspace. Issues pertaining to protection of civil liberties in Indian cyberspace are regularly discussed by this centre. However, such centers are rare not only in India but also in other parts of the world. As a result civil liberty representations are not properly made while formulating any international treaty or convention.

Among the many laudable objectives of this centre, one pertains to providing assistance in the formulation of an “international cyber law treaty”. In fact, Perry4Law and PTLB are in the process of formulating a draft that must be considered by the Indian government before acceding to any convention in this regard.

India must not sign any international treaty or convention on cyber crime till it is very much sure that the delicate balance between civil liberties and law enforcement needs is properly maintained. Further, India must also not sign such treaty if it is discriminatory or is going against India’s interests, suggests Dalal.

For the time being, India is in no mood to join any such international treaty and when it desires to do so all the aspects must be kept in mind.

Thursday, March 17, 2011

India Must Deal With Encryption Immediately

India has never been comfortable with encryption technology and its uses. Even on the front of legal framework, India has no effective and practical law on encryption. For reasons best known to Indian government, encryption is a feared technology in India.

Government of India in general and intelligence and security agencies in particular are trying their level best to curb use of encryption in India. Till now there are no clear and definite encryption standards in India and encryption norms and regulation in India are still missing.

Recently India reiterated its stern stand that companies offering encrypted communication services will have to allow monitoring of such services by security agencies if they want to operate in the country. Home Secretary Gopal K. Pillai categorically declared that only those who allow access would be allowed to operate in India and none else.

Although Blackberry maker Research in Motion (RIM) provided e-surveillance access to its messenger services, it categorically denied its capability to provide real time access to its enterprise services. Indian government tried to pressurise Blackberry by ordering the telecom service providers to drop services of Blackberry if the latter keeps on using encrypted services in India.

However, Blackberry stuck to its stand amidst great uncertainty of its future in India. Now the Department of Telecommunication (DoT) has finally listed Google's Gmail and email services running on BlackBerry among 15 communication services that cannot be monitored.

The DoT declaration leaves the only possible option for intelligence agencies to develop cyber capabilities that can empower them to monitor and intercept these encrypted communications. It seems intelligence agencies and Indian government have finally learned the bitter truth that e-surveillance cannot be a substitute for cyber skill and capabilities.

Now that DoT has shown its inability to decrypt communications in real time and in plain text, the ball is in Home Ministry’s court. Let us wait and watch how Home Ministry of India would react to this situation.

Centralised ICT Control System Of India

This is the updated version of my previously published article. In my previous article, Praveen Dalal, the leading Techno-Legal Expert of India and Managing Partner of Perry4Law, suggested the establishment of a Centralised ICT Control System in India. The Department of Telecommunications (DOT) accepted his suggestion and established the Central Monitoring System (CMS) of India. The article has been revised and updated keeping in mind the subsequent developments.

The need of a centralised ICT control system was very pressing. The decentralised nature of e-surveillance and lawful interceptions has posed various practical difficulties before the Central government. The DOT and Home Ministry of India realised these practical difficulties and established a CMS for India.

The central monitoring system is a centralised mechanism that can assist in lawful interception of communications from landline, mobile and Internet. This would help the law enforcement and intelligence agencies of India to effectively analyse ICT traffic for intelligence inputs.

According to Praveen Dalal, “Intelligence Agencies of a country play an important role in its Internal and External Security. There must be a “Centralised ICT Control System” to govern Intelligence Agencies if there is more than one such Agency. If there are numerous Intelligence Agencies working for different Government Departments, there is a possibility of “Lack of Coordination” and “Inadequate and Inappropriate Information Sharing”. Nothing can be more beneficial than a “Centralised ICT Control Centre” for the Indian National and Internal Security.”

Presently, intelligence agencies of India are operating in a decentralised manner. There is no centralised authority or Ministry that can coordinate or collaborate between different intelligence agencies. Further, there is no Parliamentary oversight of these intelligence agencies as well. This is also one of the reasons why the national counter terrorism centre (NCTC) of India has still not been established.

The Intelligence Infrastructure of India needs to be rejuvenated and streamlined, opines Praveen Dalal. Home Minister Mr. P. Chidambaram must consider these suggestions seriously and start working in this direction as soon as possible.

Wednesday, March 16, 2011

CMS As The Internet Kill Switch Of India

Internet censorship in India has increased tremendously and that also without a constitutionally sound lawful interception law in India. Internet censorship requires a good balance between civil liberties and law and order and national security requirements. Presently, the approach of Indian government is leaning heavily towards e-surveillance and Internet censorship without much regard to civil liberties of Indians in cyberspace.

Take the example of Internet kill switch (IKS) that has been in the limelight these days. Lots of people are talking about IKS without knowing where it exists and how it can be used. The Indian equivalent of IKS can be found in the form of central monitoring system (CMS), which is a centralised mechanism that can assist in lawful interception of communications from landline, mobile and Internet. Although it can be used only if there is a lawful interception law in India, it seems to have been tested recently without any lawful interception law in India in place.

According to Praveen Dalal, leading techno legal expert of India and managing partner of New Delhi based law firm Perry4Law, the present Cyber Law of India is incorporated in the Information Technology Act, 2000 (IT Act 2000), as amended by the Information Technology Amendment Act 2008 (IT Act 2008). It also carries provisions regarding Internet Censorship and Website Blocking but without any “Procedural Safeguards and Guidelines”. This amounts to taking away “Fundamental Rights” of Indians without Reasonable Restrictions and without prescribing any “Procedural Safeguards” to prevent use of this abusive power, says Dalal.

Recently the Blogspot domain (hosted services) and sub domain (free blogs) were systematically blocked by many of the internet service providers (ISPs) of India. Even Google did not give any reason as to the cause of this outage. Google had enough time to analyse the traffic reports and respond back, yet it preferred to keep mum due to commercial interests it has in the Indian market.

This outage may be an “experimental blockage” that took place at the point where Internet traffic enters and exits India. This exercise may have different names. Some may call it an Internet kill switch whereas others may call it a centralised monitoring system. At this stage it is not the nomenclature that is important but the need to put measures and safeguards to prevent its abuse in India.

So next time when we discuss the Internet kill switch of India, we must keep in mind the central monitoring system project of Indian government. If Indian government is not committed to safeguard our civil liberties, we must use self defence measures to protect our civil liberties in cyberspace.

Internet Kill Switch In India

Indian government in general and intelligence and security agencies of India in particular are not at all comfortable with the use of information and communication technology (ICT) in India. For instance, use of encryption technology in India is feared like a plague by Indian government. That is why there are practically no encryption laws and regulations in India.

Similarly, Internet in India is under potential threats of e-surveillance and civil liberties violations. We have no lawful interception law in India and phone tapping and e-surveillance in India is done in an illegal and unconstitutional manner. As a result, Internet censorship in India, phone tapping and e-surveillance in India have increased a lot.

India has poor cyber law and inadequate cyber security. We have no cyber security policy as well as a national security policy in India. Critical infrastructure protection in India has not yet received the attention of Indian government.

No doubt critical infrastructure protection in India is absolutely required but Internet kill switch is not a solution to cyber security problems of India. Further, Internet kill switch should not be used as a tool of e-surveillance and Internet control in India. On the contrary, we need active steps to formulate anti Internet kill switch measures in India.

We originally raised these concerns in India for the first time and it seems now the media has also taken note of this issue. We once again reiterate the need of anti Internet kill switch laws in India before it is too late.

Thursday, March 3, 2011

Steering Committees On Information Security By Banks In India

Cyber crimes have increased a lot in India. Cyber crimes have not left any field or commercial activity untouched. Even the banking sector has not remained unaffected by cyber crimes. Further, the cyber law of India has introduced its own set of due diligence requirements for banks operating in India.

Realising the gravity of the situation, the Reserve Bank of India (RBI) has recently released a report of its working group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The matter does not end here. It is clear that RBI has to meet great challenges before Indian banking industry can be considered reasonably safe from cyber criminals. This is more so when we have inadequate cyber laws and other laws to effectively tackle cyber crimes pertaining to banking sector of India.

Internet banking is increasingly becoming popular in India. However, Internet banking is a risky venture and India must be prepared to deal with the risks associated with it. The increasing cases of ATM frauds, online banking frauds, credit cards frauds, etc have shaken the confidence of Indian consumers in Internet banking in India.

However, Internet banking in India cannot succeed till a strong legal framework in this regard is enacted. According to Praveen Dalal, leading techno legal expert of India and a Supreme Court lawyer, we have no dedicated Internet Banking Law in India. Although RBI has issued many guidelines in this regard and even our Information Technology Act, 2000 contains some indirect and implied provisions for Internet Banking, we need a separate and dedicated law in this regard, opines Praveen Dalal.

Similarly, the present banking and other technology related legal frameworks are not conducive for mobile banking in India. We do not have a well developed e-governance infrastructure in India. Similarly, on the front of e-commerce as well, India is not much successful.

In this background, the requirements of cyber due diligence of banks in India have become more onerous. RBI has further made this requirement absolute through its Information Technology Vision Document 2011-17. According to this policy document, all banks now would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest.

The presence of CIOs and steering committees on information security would ensure that banks are following cyber due diligence and other technology and non technology related due diligence requirements in India, says B.S.Dalal, a banking and financial law expert and senior partner of Perry4Law. Till now there was no such requirement and banks were taking cyber law related issues lightly. RBI has taken a good step in the right direction and this would increase the confidence of bank customers of India.