Saturday, March 22, 2014

Cyber Security And International Cooperation

Cyber attacks are global in nature as they are designed like that only. Initially, cyber attacks were conducted more on the side of fun but now they have become weapons of trans border crimes. Countries have also realised the potential of a covert cyber attacks to gain strategic and sensitive information from a country of interest. In this entire scenario we have no international legal issues of cyber attacks that can govern the position at the international level.

Naturally, countries across the world are required to manage international cyber threats at the national level. This is not a very fruitful exercise but it gives a psychological boost to the nations that their cyberspace and critical infrastructures are safe from external cyber attacks. India is also following the national cyber security approach to international cyber security threats.

The cyber security breaches in India would raise serious cyber security issues in the near future. In order to effectively analyse and prevent future cyber attacks, companies and individuals must adopt suitable cyber security breach notification to appropriate cyber authorities of India. Sophisticated malware like Stuxnet, Duqu, Flame, Uroburos/Snake, etc cannot be tackled with normal cyber security products.  We need dedicated cyber security workforce which is well trained in this regard as indicated by the cyber security trends and developments of India 2013.

India has announced few cyber security initiatives to strengthen its cyber security capabilities. These include a cyber command, critical infrastructure protection, cyber crisis management plan, national cyber security coordination centre (NCCC), thermal power cyber security proposal, national security policy of India, tri service cyber command, national cyber security policy of India 2013, etc. However, according to techno legal experts, implementation of these proposals is still a big challenge for the Indian government. Further, a robust cyber security law of India is also required to be formulated by India as soon as possible.

Cyberspace stakeholders must understand that cyber security is an international issue (PDF) and not a national one. Therefore, an international cyber security treaty is required (PDF). In the absence of such globally acceptable cyber security treaty, the conflict of laws in cyberspace would continue to make the things difficult. Of course, India is not at all prepared to meet the future cyber security threats and challenges with the present framework and policies.

Sunday, March 16, 2014

Cyber Security Breaches In India Would Raise Complicated Cyber Security Issues- Perry4Law

Cyber security breaches have become a norm these days. Whether it is an e-commerce website or a law firm, cyber attacks have put them under grave risk. Any organisation having online presence is vulnerable to cyber attacks and data theft. It is not possible to completely safeguard the data and information stored in an online environment. Sophisticated malware like Stuxnet, Duqu, Flame, Uroburos/Snake, etc cannot be tackled with cyber security products.  

At times the cyber attacks are so covert that they remain in operation for years. It is in the larger interest of cyberspace community that information about them is share as early as possible. This is the reason that many jurisdictions have prescribed cyber security breach notification requirements. Similarly, remedial actions must be also be taken against such cyber attacks as soon as possible so that further damage can be prevented.

The recent spate of cyber crimes and cyber attacks that happened in India or having Indian connection is alarming to say the least. The Karnataka CID is already investigating the possible involvement of Enstage Software’s staff in international ATM heist case. Similarly, the search exercise by the enforcement directorate (ED) of India upon Bitcoin exchanges is also well known. Target Corporation’s data breach is also being investigated world over and legal proceeding against it is pending in numerous jurisdictions, including India.

These are some of the examples that have reported and many more such incidences have still not surfaced. This is so because individuals and companies are not at all disclosing cyber breaches to Indian authorities and agencies. India has still not enforced strong and robust cyber security breach disclosure norms.

While western countries and European Union are working in the direction of protecting consumer interests and cyber security yet India has neglected this crucial field, informs Asia’s leading techno legal law firm Perry4Law.  Indian government has neglected and failed to formulate a dedicated cyber security law in India and this is creating a host of problems for India, opined Perry4Law. As a result various cyber security breaches in India are either ignored or they are not properly prosecuted by Indian authorities. The position would change very soon as these cyber breaches would raise complicated cyber law and cyber security issues in the near future in India and they cannot be ignored any more by Indian government, informs Perry4Law.

The real problem seems to be lax attitude of Indian government and law enforcement agencies to seek proper and timely cyber security breach information. These cyber security breaches need a mandatory reporting system that can be analysed and evaluated from time to time ,opines Praveen Dalal, managing partner of Perry4Law and leading techno legal expert of Asia. 

There is no doubt that foreign companies and websites would witness increased cyber litigation against them in India. They are required to comply with cyber law due diligence (PDF) and cyber security due diligence that they are presently not following. Even e-discovery and cyber forensics best practices are required to be adopted by various national and international companies operating in India. It is a matter of time only that these companies and websites would be prosecuted in India for flouting Indian laws and rules.

Wednesday, March 12, 2014

Cyber Security Breaches Need A Mandatory Reporting Mechanism

Cyber security attacks have become very sophisticated in nature. The recent malware named Uroburos/Snake is another example of growing cyber espionage and cyber warfare among various nations. The era of websites defacement is well over and stealing of sensitive information is the new trend.

India is a very late starter as far as cyber security is concerned. The speed of cyber security initiative of India is still very slow. Further, there is no dedicated cyber security law of India that can be used in cases of cyber crimes, cyber attacks and cyber contraventions. The information technology act, 2000 is ill suited to take care of the cyber security related issues in India.

The telecom companies/internet services providers (ISPs) are also not sharing information pertaining to cyber attacks against their networks. As a result, a robust cyber security strategy to counter cyber attacks cannot be formulated.

National Security Council Secretariat (NSCS) has requested Reliance Jio Infocomm to share potential cyber security threats on India’s telecom networks. India has announced that cyber security breach disclosure norm would be formulated very soon. However, till now no such disclosure norms are applicable in India against telecom companies/ISPs of India.

Strict enforcement of the license conditions (PDF) and the proposed national telecom security policy of India 2014 may change this scenario in the near future. However, nothing is better than formulating a good cyber security law of India that can establish a regulatory regime for compulsory cyber security breach notifications on the part of telecom companies/ISPs.  

This is important as critical infrastructures of India like automated power grids, thermal plants, satellites, etc are vulnerable to diverse forms of cyber attacks. This is the reason why NTRO has been assigned the task of protecting the critical infrastructure of India. Till the national cyber coordination centre (NCCC) is put into place, national level cyber security coordination would be missing.

The cyber crisis management plan of India and the cyber security policy of India must also be made operational as soon as possible. Let us hope that Indian government would do the needful as soon as possible.