Offensive And Defensive Cyber Security Capabilities Of India Must Be Established Says Visionary Praveen Dalal

 

Cyber security in India has always remained an ignored world whether it is Congress or BJP govt. Neither Congress nor BJP has the vision to ensure a safe and robust cyber security in India and till October 2022 the position of Indian cyber security is very bad.

In 2012, Visionary Praveen Dalal suggested many far reaching and reformative cyber security measures but both Congress and BJP failed to act upon them. One of the suggestions of Visionary Praveen Dalal in 2012 was that Offensive And Defensive Cyber Security Capabilities Of India must be developed as soon as possible. However, even in October 2022 that has remained a distant dream.

Even Cyber Warfare against India and its defenses have remained an illusive dream and till October 2022 India is a sitting duck in cyber security field. India has focused upon illegal and unconstitutional e-surveillance instead of strengthening of Rule of Law, Privacy, Civil Liberties in Cyberspace and cyber security. As a result, India is facing tremendous cyber attacks and cyber crimes in the year 2022.

In the year 2014, Visionary Praveen Dalal brought to the attention of Modi Govt the challenges of cyber security but it failed to act upon them even in October 2022. Now Indians are bearing the consequences of the same and cyber crimes, cyber frauds and digital payment related crimes have increased significantly in India. This all is well attitude of Indian govt is not good for the national interests of India and that is why we have ensured a robust and effective cyber crimes reporting system in India.

So bad is the situation that even cyber security breach reporting in India has failed to take off since 2014. Except chasing away cryptocurrencies and VPN service providers from India, this norm has not done anything. MSMEs and small companies in India openly declared that they would not comply with such rules and this forced the govt to further extend the deadline. So one can simply refuse to comply with cyber security related norms and Indian govt cannot do anything in this regard.

To develop robust Offensive and Defensive Cyber Security Capabilities of India, we need a 360 degree view of the cyber security landscape of India says Visionary Praveen Dalal. But what we have is lack of political will, unwillingness of stakeholders to ensure cyber security and lack of cyber law and cyber security skills in India. We at Perry4Law Organisation (P4LO) and PTLB have been working on all these aspects and techno legal online skills development from K12 to lifelong learning stages in one of our priority areas.

For instance, Streami Virtual School is the only school of the world that is teaching cyber law and cyber security to school students. Streami Virtual School is the first virtual school of India and first techno legal virtual school of the world. This is the approach that we need for India but political parties like Congress, BJP, AAP, etc are engaging in rhetoric and drama instead of actually working upon reforming education and ensuring skills development of Indians.

Till we have a capable govt and capable and skilled workforce, ensuring offensive and defensive cyber security capabilities of India is not possible. We at P4LO and PTLB have done our part and now those stakeholders who believe in same cause must do their part.

Source: ODR India

Authorship Attribution And Cross Border Cyber Attacks Convictions

Legal issues of Internet and cyberspace are very difficult to manage. There are many challenges that nations around the world are facing in this regard and the same can be managed only by establishing an international techno legal framework. From conflict of laws in cyberspace to civil liberties protection in cyberspace, governments around the world have to manage many sensitive, crucial and constitutional norms. This situation is further made complicated due to absence of international treaties on cyber law and cyber security (pdf).

It is common knowledge that there is a cyber tussle between United States and China for long. While US claims that China is the cyber villain yet China maintains that it is a victim and not a villain. Till the time we are capable of ascertaining the real force behind a cyber attack, we cannot prove the guilt of an organisation, nations, individual or corporation. Granting of legal immunity to state supported hackers has further complicated this international fight against cyber attacks.

Recently the US Supreme Court approved amendments in the Rule 41 of the Federal Rules of Criminal Procedure. This would give a long arm jurisdiction to US law enforcement agencies to meddle with the sovereignty and laws of other nations. For instance, the trans border hacking and search activities of FBI would violate civil liberties and cyber laws of different nations. These types of rules and regulations must be avoided by all nations, including India.

Who are behind a cyber attack or cyber crimes is a very crucial aspect to decide to punish the guilty. Of course, this requires tremendous cyber forensics and cyber crime investigation capabilities. Cyber crimes and cyber attacks are increasing world over. The semi anonymous nature of Internet has also encouraged these criminal activities. Besides there are many methods to conceal the identity of an accused and mixing within the crowd is one such method. In many cases the offender hides himself among law abiding and legitimate Internet users. Many times even the identity of such law abiding users is stolen to commit the crime or launch a cyber attack. Even worst, many computers are compromised and made part of the botnet that are used for all sorts of illegal activities over the Internet.

When an accused commits a cyber crime by mixing among the legitimate and law abiding crowd, it becomes imperative to ascertain, with great certainty, that a particular culpable act has been committed by a particular person alone. We at Perry4Law Organisation (P4LO) believe that “authorship attribution” is an important aspect of “determining the culpability” of an offender where the means to commit the offence are common and accessible to many people simultaneously. Data mining and profiling of the accused to “attribute culpability” to him/her alone is an emerging area of cyber crime investigation and India must pay more attention to this branch.

US Supreme Court Expands The Long Arm Jurisdiction Of US Subordinate Courts Regarding Computer Searches And Hacking

In an over ambitious move, the US Supreme Court has expanded the applicability of Rule 41 of the Federal Rules of Criminal Procedure to not only US citizens but also those living in other countries.

When even limiting the applicability of the Rule 41 to entire US jurisdiction is troublematic it is too much to expect that other countries would take it in a friendly manner when their sovereignty is violated. For instance, if a warrant issued by a judge allows the FBI to investigate a matter in China, will China take it in a friendly manner?

Similarly, if the FBI hacks into a computer system located in India, will Indian government accept such an approach? It seems the US Supreme Court was carried away while protecting the interests of law enforcement agencies of US rather than the actual victims. Indian Supreme Court has also committed a mistake in the past regarding limiting the cyber law due diligence in India. We need a stronger cyber law due diligence and not a weaker one.

It is good to hear that Supreme Courts of US and India are trying to adopt technology and accordingly are modifying the laws of US and India. But their actual impact and constitutional effects must also be kept in mind.

The approach of the US Supreme Court would only result in an increased use of state sponsored cyber attacks that is already on rise. Intelligence agencies around the world are asking for legal immunity against cyber deterrent acts. India is also following this path and this approach of US Supreme Court would only complicate the matter further.

Conflict of laws in cyberspace are further going to increase due to this self centered approach of various nations. This is more so when there is no uniformity regarding international legal issues of cyber attacks and cyber security as on date.

Cyber Security Trends In India 2016

Cyber security is a complex and unpredictable field and it is very difficult to provide a sure shot pattern for the same. Perry4Law Organisation (P4LO) provided the cyber security trends of India 2015 that proved almost accurate. The cyber security developments in India 2015 provided by P4LO outlined the important cyber security incidences and events that took place in the year 2015. Overall, Indian cyberspace witnessed an enhanced level of sophisticated and stealth cyber attacks that India was not prepared to deal with. The main reason for this inability was that a robust and effective cyber security infrastructure in India is still missing.

Now Perry4Law Organisation (P4LO) has provided the cyber security trends of India 2016 that has outlined the potential cyber security incidences and events that may take place in India in the year 2016. The crux of the 2016 cyber security trends is that Indian needs to stress upon development of both offensive and defensive cyber security capabilities. This include adequate cyber security measures against botnet, malware, zero day vulnerabilities, cyber warfare, cyber terrorism, cyber espionage, etc.

Two areas where India has miserably failed in 2015 are lack of a dedicated cyber security law and adequate cyber breaches disclosure norms in India. As a result various stakeholders are least bothered to ensure sufficient cyber security infrastructure for their respective fields. Even if their infrastructures are breached, they do not report the same to Indian cyber security agencies. This practice of cyber apathy may change in the year 2016 as the cyber security policy of India 2016 may be introduced by Narendra Modi government.

The cyber security trends of 2016 would also witness an increase focus and stress upon data protection (PDF) and privacy protection in India. The Digital India project is suffering from many shortcomings and lack of cyber security infrastructure and absence of civil liberties protection are two prominent shortcomings of Digital India. If concepts like smart cities and smart grids are made digital without making them cyber secure, it would be a serious mistake on the part of Indian government. Similarly, if Indian government is peeking into the private lives of its citizens on every occasion, this would make India the biggest digital panopticon of human history.

Perry4Law Organisation (P4LO) has launched two dedicated techno legal cyber security centres named Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) and Cyber Security Research and Development Centre of India (CSRDCI). The prime objective of these cyber security centres is to empower India with a techno legal cyber security framework that is presently missing. We have urged in the past that Indian government must be serious about cyber security. We have also emphasised that Narendra Modi government must protect Indian cyberspace on a priority basis.

We hope the year 2016 would be a good one for Indian cyber security. Perry4Law Organisation (P4LO) and CECSRDI would extend their techno legal expertise to strengthen the offensive and defensive cyber security capabilities in India.

Open Source Intelligence (OSINT) By Intelligence Agencies Through Social Media Websites

Social Networking websites are rich source of sensitive and personal information. This information is mostly shared voluntarily by the users of such Social Networking websites but in many cases they are also forced to part with this information to have access and continued access to such websites. Naturally, Intelligence Agencies have "Inherent Interest" in such information especially those Intelligence Agencies who belong to the same Nation where such Social Networking websites are located.

Intelligence Agencies gather such information either with a Court Warrant or without the same. Further, they also gather such information by simply analysing the "Publically Available Information" by creating an account at the concerned Social Networking website. In short, Intelligence Agencies have been engaged in “Intelligence Gathering Activities” for long. This may be covert or overt, technological or non technological, legal or illegal and so on. But this gathering exercise was there and it is going to be there in future as well.

However, modern practice of Intelligence Gathering is crucially different from traditional practices. Traditional Intelligence Gathering was more on the side of Human Intelligence (HUMINT) whereas the contemporary one is based more upon Information and Communication Technology (ICT).

As far as Technological Intelligence Gathering is concerned, Social Media is a “Favourite Destination” for Intelligence and Security Agencies. Social Media is a favourite destination because it is a “Gold Mine” of valuable and voluntary information available for ready reference. Social Media also provides the best platform for Open Source Intelligence (OSINT).

Social Media also, in majority of cases, provides a “Legally Obtainable” and “Legally Relevant” Evidence. Since the “Information” or “Evidence” is available “Openly” and to “Public at Large” and in a “Non Confidential” manner, generally any such acquired Information or Evidence can be “Relied Upon” in a Court of Law. However, “Admissibility” of such Evidence is subject to the “Discretion” of the Court and well established “Legal Principles”.

Besides Intelligence Agencies, Military Forces are also using Social Media to gain Information relevant to their uses. Military and Intelligence Agencies have been using “Fake Profiles” to get such Information. The aim may be to get a “Predictive Behaviour or Trend” or to obtain any other Information that is of “Strategic Importance”.

Getting Information from Social Media requires good Communication and Data Mining Skills. However, while doing so, one must not violate any Civil Liberties or Laws Protecting such Information. Although many countries have Social Media Laws, we have no dedicated Social Media Laws in India. Even we do not have any Social Media Policy of India.

Social Networking Laws in India are urgently required. To start with, we must have a Social Networking Policy of India. Open Source Intelligence through Social Media Platforms would raise a number of Techno Legal Issues, especially Civil Liberty Issues. For instance, questions like what constitutes “Public Data”, how can a Person Legally obtains Data, what is the “Relevancy” of such Information/Data, how the “Admissibility” of such Information/Data would be decided, etc would be asked.

Similarly, Privacy Issues, Speech and Expression Issues, scope and nature of E-Surveillance, etc would also be required to be resolved in future. This is a new field for both Law makers and Law Enforcers and needs an “Urgent Attention” of Parliament of India.

Narendra Modi Government Must Protect Indian Cyberspace On A Priority Basis

A recent Techno Legal Research Report by Perry4Law Organisation (P4LO) on Cyber Security has raised crucial questions about Cyber Security Problems and Challenges in India. The major problem with Indian Cyber Security is that we have no effective Cyber Security Infrastructure in India that can successfully tackle sophisticated Cyber Attacks against Indian Infrastructures. For instance, the Digital India Project of Indian Government itself is vulnerable to Cyber Attacks and this factor has not been taken into account by Indian Government so far. Perry4Law Organisation (P4LO) has recommended formulation of suitable Techno Legal Framework and bringing adequate amendments in the Indian Constitution to make Digital India a success.

A robust cyber security is essential to protect critical infrastructures (PDF) and public services rendered through information technology. If world wide events are some hints then India must seriously think in the direction of ensuring effective cyber security for Indian IT infrastructures and cyberspace. However the new Government would face many cyber security challenges as India has ignored cyber security for decades. It is expected that Narendra Modi Government would be serious about Cyber Security of India.

Meanwhile, Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc have been written to subvert the cyber security of Nations around the world. They are clearly made with the objective to indulge in cyber espionage, cyber warfare and cyber terrorism. If India establishes a counter terrorism centre, cyber security would be integral part of the same. In fact, the intelligence agencies of India have been working in the direction of acquiring a legal immunity for themselves while indulging in cyber deterrent acts.

India would revise her national security priorities now as the new Government is more committed towards that. The same would be techno legal in nature as considering traditional security alone would be counter productive in the long run. Cyberspace has emerged as a new security frontier and the new Government is well equipped to deal with the same.

However, companies, business houses, Government departments, public utility service providers and defence forces must also change the way they are presently managing their cyber security affairs. The cyber security obligations of stakeholders like law firms, e-commerce websites, directors of companies, Government departments, thermal power sector, power and energy utilities, etc must be properly understood and effectively implemented in India.

In order to achieve this, the Government must take pro active steps. For instance, there is an urgent need to formulate and actually implement cyber security breach disclosure norms and cyber crisis management plan. Similarly, National Critical Information Infrastructure Protection Centre (NCIPC) of India, National Cyber Coordination Centre (NCCC) of India, Tri Service Cyber Command for Armed Forces of India, etc. must also be constituted and made active immediately.

The cyber security trends of India (PDF) have shown that Indian cyber security initiative and efforts are grossly inadequate and poorly coordinated. There is no centralised coordination between various cyber security projects of India and all are operating in an independent manner. At times this creates a conflict situation between them and the end result is very disappointing.

There are little efforts towards modernisation of law enforcement and intelligence agencies of India. Cyber forensics methods and techniques are also not widely used (PDF) by our law enforcement and intelligence agencies like Enforcement Directorate (ED), Central Bureau of Investigation (CBI), etc in the absence of techno legal expertise. Even investigations into the cases of IPL match fixing, Nokia’s software download, etc was not upto the mark. The regulations and guidelines for effective investigation of cyber crimes in India are still awaited and many cyber criminals are not prosecuted effectively.

All these lacuna and shortcomings have created a vicious circle of problems that is detrimental to Indian cyberspace. We have to systematically cure these defects and shortcomings one by one as they are interrelated in nature. While doing so we must keep in mind the fragile and precarious nature of Internet and cyberspace that would create troubles for India in the near future.

National Counter Terrorism Centre (NCTC) Of India: A Techno Legal Analysis

Terrorism has become a global menace and the war against terrorism is a continuous process. Terrorists are inventing novel methods to engage in nefarious activities and various Nations are fighting back with "Counter Terrorism Technologies" to tackle the same.

Terrorists have taken their fight to a new level with active use of technology to cause damage to individuals and properties. A few years back, it was very difficult to accept that conepts like Cyber Terrorism exist. Now it is clear that Cyber Terrorism not only exists but it can cause serious damage to Critical Infrastrucures that are relying upon information technology for their functioning.

India has been facing terrorist activities for many decades. This has necessiated for the introduction of anti terrorism initiatives on the part of Indian Government. One such good initiative that is facing practical difficulties is National Counter Terrorism Centre of India (NCTC) of India. There is no second opinion that the NCTC must be urgently constituted in India by Indian Government. However, administrative, political and technological problems need to be addressed on a priority basis by Indian Government. The obvious but unsolvable terrorism dilemma of India cannot be allowed to be continued any longer in the larger interest of India.

By its very nature and design any proposed NCTC shall be managed by intelligence and security agencies of India. India has plethora of intelligence agencies and security agencies. These include Research and Analysis Wing (RAW), Aviation Research Centre (ARC), Intelligence Bureau (IB), National Technical Research Organisation (NTRO) and Defence Intelligence Agency (DIA), etc.

However, the administrative and political structure governing these agencies is highly defective as they are operating in a decentralised manner. There is no centralised authority or Ministry that can coordinate or collaborate between different intelligence and security agencies. Further, there is no Parliamentary oversight of these intelligence agencies as well.

On top of it Civil Liberties and National Security requirements of India are not balanced at all. This would give rise to constitutional issues and create problems for such agencies in future. For instance, the immunity request of these agencies for engaging in cyber deterrent act cannot be accepted in these circumstances that would be an essential function of NCTC in future.

As Mr. Narendra Modi is committed to keep the internal security part of Home Ministry with himself, these issues can be easily managed. The proposed Prime Minister’s Office (PMO) would emerge as a “centralised national reforms point” of India. The approach regarding the proposed PMO is much required as that may be a game changer for India. It would also not be difficult to constitute the proposed NCTC in these circumstances as the centralised approach towards NCTC would eliminate interference of different Departments/Ministries. Mr. Modi can comfortably guide and supervise NCTC from the PMO.

However, NCTC must not be established in the manner proposed by the previous Government. The “safest and easiest method” to establish NCTC is to give a Parliamentary Scrutiny to intelligence agencies and their functioning. In the same legal framework, establishment and role of NCTC can be formulated.

The NCTC is very significant and essential for the National Security of India. Terrorist attacks against India are on increase and we need a “Specilaised Institution” like NCTC to provide and analyse valuable intelligence inputs and leads. The real problem seems to be “lack of coordination and harmonisation” between the Centre and States and the PMO must resolve this problem while establishing NCTC.

There are other related problems as well. For instance, the intelligence infrastructure of India is in big mess.  We need to develop intelligence gathering skills development in India so that effective intelligence can be generated, processed and used in real time. On the legislation front, a legal framework on the lines of Intelligence Services (Powers and Regulation) Bill, 2011 must be formulated and enacted by our Parliament. The National Intelligence Grid (Natgrid) Project of India has already been launched. However, a legal framework for Natgrid project of India is also needed as an unaccountable Natgrid is not a panacea for intelligence failures of India.

Surprisingly, the bureaucrats at Home Ministry have dropped the reference of NCTC altogether from their proposed report to Mr. Modi. They believe that NCTC is not a viable project and it need not to be part of the projects that have to be undertaken on a priority basis. It seems the bureaucrats are well aware of the previous dislike of Mr. Modi towards NCTC and they do not wish to offend him.

This is a highly unfortunate situation. No project should be dropped simply because Mr. Modi has disliked the same in the past. It is the constitutional duty of bureaucrats to suggest inclusion of projects of National Importance keeping aside their own biases, prejudices or fears. If they simply drop a worth project like NCTC on the basis that Mr. Modi disliked it in the past nothing is more embarrassing and unfortunate than such an approach. Even if Mr. Modi is averse to NCTC as on date, the bureaucrats must suggest the same. Of course, if there are some other issues, besides personal preferences or dislikes of Mr. Modi, they must be openly and frankly communicated to Mr. Modi and let him decide ultimately.

The things and circumstance have changed drastically and it is high time to analyse projects like NCTC as per contemporary standards and requirements. The present circumstances are in favour of constitution of NCTC and the same must be done as soon as possible.