Tuesday, May 10, 2016

Authorship Attribution And Cross Border Cyber Attacks Convictions

Legal issues of Internet and cyberspace are very difficult to manage. There are many challenges that nations around the world are facing in this regard and the same can be managed only by establishing an international techno legal framework. From conflict of laws in cyberspace to civil liberties protection in cyberspace, governments around the world have to manage many sensitive, crucial and constitutional norms. This situation is further made complicated due to absence of international treaties on cyber law and cyber security (pdf).

It is common knowledge that there is a cyber tussle between United States and China for long. While US claims that China is the cyber villain yet China maintains that it is a victim and not a villain. Till the time we are capable of ascertaining the real force behind a cyber attack, we cannot prove the guilt of an organisation, nations, individual or corporation. Granting of legal immunity to state supported hackers has further complicated this international fight against cyber attacks.

Recently the US Supreme Court approved amendments in the Rule 41 of the Federal Rules of Criminal Procedure. This would give a long arm jurisdiction to US law enforcement agencies to meddle with the sovereignty and laws of other nations. For instance, the trans border hacking and search activities of FBI would violate civil liberties and cyber laws of different nations. These types of rules and regulations must be avoided by all nations, including India.

Who are behind a cyber attack or cyber crimes is a very crucial aspect to decide to punish the guilty. Of course, this requires tremendous cyber forensics and cyber crime investigation capabilities. Cyber crimes and cyber attacks are increasing world over. The semi anonymous nature of Internet has also encouraged these criminal activities. Besides there are many methods to conceal the identity of an accused and mixing within the crowd is one such method. In many cases the offender hides himself among law abiding and legitimate Internet users. Many times even the identity of such law abiding users is stolen to commit the crime or launch a cyber attack. Even worst, many computers are compromised and made part of the botnet that are used for all sorts of illegal activities over the Internet.

When an accused commits a cyber crime by mixing among the legitimate and law abiding crowd, it becomes imperative to ascertain, with great certainty, that a particular culpable act has been committed by a particular person alone. We at Perry4Law Organisation (P4LO) believe that “authorship attribution” is an important aspect of “determining the culpability” of an offender where the means to commit the offence are common and accessible to many people simultaneously. Data mining and profiling of the accused to “attribute culpability” to him/her alone is an emerging area of cyber crime investigation and India must pay more attention to this branch.

Friday, April 29, 2016

US Supreme Court Expands The Long Arm Jurisdiction Of US Subordinate Courts Regarding Computer Searches And Hacking

In an over ambitious move, the US Supreme Court has expanded the applicability of Rule 41 of the Federal Rules of Criminal Procedure to not only US citizens but also those living in other countries.

When even limiting the applicability of the Rule 41 to entire US jurisdiction is troublematic it is too much to expect that other countries would take it in a friendly manner when their sovereignty is violated. For instance, if a warrant issued by a judge allows the FBI to investigate a matter in China, will China take it in a friendly manner?

Similarly, if the FBI hacks into a computer system located in India, will Indian government accept such an approach? It seems the US Supreme Court was carried away while protecting the interests of law enforcement agencies of US rather than the actual victims. Indian Supreme Court has also committed a mistake in the past regarding limiting the cyber law due diligence in India. We need a stronger cyber law due diligence and not a weaker one.

It is good to hear that Supreme Courts of US and India are trying to adopt technology and accordingly are modifying the laws of US and India. But their actual impact and constitutional effects must also be kept in mind.

The approach of the US Supreme Court would only result in an increased use of state sponsored cyber attacks that is already on rise. Intelligence agencies around the world are asking for legal immunity against cyber deterrent acts. India is also following this path and this approach of US Supreme Court would only complicate the matter further.

Conflict of laws in cyberspace are further going to increase due to this self centered approach of various nations. This is more so when there is no uniformity regarding international legal issues of cyber attacks and cyber security as on date.

Friday, December 25, 2015

Cyber Security Trends In India 2016

Cyber security is a complex and unpredictable field and it is very difficult to provide a sure shot pattern for the same. Perry4Law Organisation (P4LO) provided the cyber security trends of India 2015 that proved almost accurate. The cyber security developments in India 2015 provided by P4LO outlined the important cyber security incidences and events that took place in the year 2015. Overall, Indian cyberspace witnessed an enhanced level of sophisticated and stealth cyber attacks that India was not prepared to deal with. The main reason for this inability was that a robust and effective cyber security infrastructure in India is still missing.

Now Perry4Law Organisation (P4LO) has provided the cyber security trends of India 2016 that has outlined the potential cyber security incidences and events that may take place in India in the year 2016. The crux of the 2016 cyber security trends is that Indian needs to stress upon development of both offensive and defensive cyber security capabilities. This include adequate cyber security measures against botnet, malware, zero day vulnerabilities, cyber warfare, cyber terrorism, cyber espionage, etc.

Two areas where India has miserably failed in 2015 are lack of a dedicated cyber security law and adequate cyber breaches disclosure norms in India. As a result various stakeholders are least bothered to ensure sufficient cyber security infrastructure for their respective fields. Even if their infrastructures are breached, they do not report the same to Indian cyber security agencies. This practice of cyber apathy may change in the year 2016 as the cyber security policy of India 2016 may be introduced by Narendra Modi government.

The cyber security trends of 2016 would also witness an increase focus and stress upon data protection (PDF) and privacy protection in India. The Digital India project is suffering from many shortcomings and lack of cyber security infrastructure and absence of civil liberties protection are two prominent shortcomings of Digital India. If concepts like smart cities and smart grids are made digital without making them cyber secure, it would be a serious mistake on the part of Indian government. Similarly, if Indian government is peeking into the private lives of its citizens on every occasion, this would make India the biggest digital panopticon of human history.

Perry4Law Organisation (P4LO) has launched two dedicated techno legal cyber security centres named Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) and Cyber Security Research and Development Centre of India (CSRDCI). The prime objective of these cyber security centres is to empower India with a techno legal cyber security framework that is presently missing. We have urged in the past that Indian government must be serious about cyber security. We have also emphasised that Narendra Modi government must protect Indian cyberspace on a priority basis.

We hope the year 2016 would be a good one for Indian cyber security. Perry4Law Organisation (P4LO) and CECSRDI would extend their techno legal expertise to strengthen the offensive and defensive cyber security capabilities in India.

Thursday, December 10, 2015

Open Source Intelligence (OSINT) By Intelligence Agencies Through Social Media Websites

Social Networking websites are rich source of sensitive and personal information. This information is mostly shared voluntarily by the users of such Social Networking websites but in many cases they are also forced to part with this information to have access and continued access to such websites. Naturally, Intelligence Agencies have "Inherent Interest" in such information especially those Intelligence Agencies who belong to the same Nation where such Social Networking websites are located.

Intelligence Agencies gather such information either with a Court Warrant or without the same. Further, they also gather such information by simply analysing the "Publically Available Information" by creating an account at the concerned Social Networking website. In short, Intelligence Agencies have been engaged in “Intelligence Gathering Activities” for long. This may be covert or overt, technological or non technological, legal or illegal and so on. But this gathering exercise was there and it is going to be there in future as well.

However, modern practice of Intelligence Gathering is crucially different from traditional practices. Traditional Intelligence Gathering was more on the side of Human Intelligence (HUMINT) whereas the contemporary one is based more upon Information and Communication Technology (ICT).

As far as Technological Intelligence Gathering is concerned, Social Media is a “Favourite Destination” for Intelligence and Security Agencies. Social Media is a favourite destination because it is a “Gold Mine” of valuable and voluntary information available for ready reference. Social Media also provides the best platform for Open Source Intelligence (OSINT).

Social Media also, in majority of cases, provides a “Legally Obtainable” and “Legally Relevant” Evidence. Since the “Information” or “Evidence” is available “Openly” and to “Public at Large” and in a “Non Confidential” manner, generally any such acquired Information or Evidence can be “Relied Upon” in a Court of Law. However, “Admissibility” of such Evidence is subject to the “Discretion” of the Court and well established “Legal Principles”.

Besides Intelligence Agencies, Military Forces are also using Social Media to gain Information relevant to their uses. Military and Intelligence Agencies have been using “Fake Profiles” to get such Information. The aim may be to get a “Predictive Behaviour or Trend” or to obtain any other Information that is of “Strategic Importance”.

Getting Information from Social Media requires good Communication and Data Mining Skills. However, while doing so, one must not violate any Civil Liberties or Laws Protecting such Information. Although many countries have Social Media Laws, we have no dedicated Social Media Laws in India. Even we do not have any Social Media Policy of India.

Social Networking Laws in India are urgently required. To start with, we must have a Social Networking Policy of India. Open Source Intelligence through Social Media Platforms would raise a number of Techno Legal Issues, especially Civil Liberty Issues. For instance, questions like what constitutes “Public Data”, how can a Person Legally obtains Data, what is the “Relevancy” of such Information/Data, how the “Admissibility” of such Information/Data would be decided, etc would be asked.

Similarly, Privacy Issues, Speech and Expression Issues, scope and nature of E-Surveillance, etc would also be required to be resolved in future. This is a new field for both Law makers and Law Enforcers and needs an “Urgent Attention” of Parliament of India.

Narendra Modi Government Must Protect Indian Cyberspace On A Priority Basis

A recent Techno Legal Research Report by Perry4Law Organisation (P4LO) on Cyber Security has raised crucial questions about Cyber Security Problems and Challenges in India. The major problem with Indian Cyber Security is that we have no effective Cyber Security Infrastructure in India that can successfully tackle sophisticated Cyber Attacks against Indian Infrastructures. For instance, the Digital India Project of Indian Government itself is vulnerable to Cyber Attacks and this factor has not been taken into account by Indian Government so far. Perry4Law Organisation (P4LO) has recommended formulation of suitable Techno Legal Framework and bringing adequate amendments in the Indian Constitution to make Digital India a success.

A robust cyber security is essential to protect critical infrastructures (PDF) and public services rendered through information technology. If world wide events are some hints then India must seriously think in the direction of ensuring effective cyber security for Indian IT infrastructures and cyberspace. However the new Government would face many cyber security challenges as India has ignored cyber security for decades. It is expected that Narendra Modi Government would be serious about Cyber Security of India.

Meanwhile, Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc have been written to subvert the cyber security of Nations around the world. They are clearly made with the objective to indulge in cyber espionage, cyber warfare and cyber terrorism. If India establishes a counter terrorism centre, cyber security would be integral part of the same. In fact, the intelligence agencies of India have been working in the direction of acquiring a legal immunity for themselves while indulging in cyber deterrent acts.

India would revise her national security priorities now as the new Government is more committed towards that. The same would be techno legal in nature as considering traditional security alone would be counter productive in the long run. Cyberspace has emerged as a new security frontier and the new Government is well equipped to deal with the same.

However, companies, business houses, Government departments, public utility service providers and defence forces must also change the way they are presently managing their cyber security affairs. The cyber security obligations of stakeholders like law firms, e-commerce websites, directors of companies, Government departments, thermal power sector, power and energy utilities, etc must be properly understood and effectively implemented in India.

In order to achieve this, the Government must take pro active steps. For instance, there is an urgent need to formulate and actually implement cyber security breach disclosure norms and cyber crisis management plan. Similarly, National Critical Information Infrastructure Protection Centre (NCIPC) of India, National Cyber Coordination Centre (NCCC) of India, Tri Service Cyber Command for Armed Forces of India, etc. must also be constituted and made active immediately.

The cyber security trends of India (PDF) have shown that Indian cyber security initiative and efforts are grossly inadequate and poorly coordinated. There is no centralised coordination between various cyber security projects of India and all are operating in an independent manner. At times this creates a conflict situation between them and the end result is very disappointing.

There are little efforts towards modernisation of law enforcement and intelligence agencies of India. Cyber forensics methods and techniques are also not widely used (PDF) by our law enforcement and intelligence agencies like Enforcement Directorate (ED), Central Bureau of Investigation (CBI), etc in the absence of techno legal expertise. Even investigations into the cases of IPL match fixing, Nokia’s software download, etc was not upto the mark. The regulations and guidelines for effective investigation of cyber crimes in India are still awaited and many cyber criminals are not prosecuted effectively.

All these lacuna and shortcomings have created a vicious circle of problems that is detrimental to Indian cyberspace. We have to systematically cure these defects and shortcomings one by one as they are interrelated in nature. While doing so we must keep in mind the fragile and precarious nature of Internet and cyberspace that would create troubles for India in the near future.

National Counter Terrorism Centre (NCTC) Of India: A Techno Legal Analysis

Terrorism has become a global menace and the war against terrorism is a continuous process. Terrorists are inventing novel methods to engage in nefarious activities and various Nations are fighting back with "Counter Terrorism Technologies" to tackle the same.

Terrorists have taken their fight to a new level with active use of technology to cause damage to individuals and properties. A few years back, it was very difficult to accept that conepts like Cyber Terrorism exist. Now it is clear that Cyber Terrorism not only exists but it can cause serious damage to Critical Infrastrucures that are relying upon information technology for their functioning.

India has been facing terrorist activities for many decades. This has necessiated for the introduction of anti terrorism initiatives on the part of Indian Government. One such good initiative that is facing practical difficulties is National Counter Terrorism Centre of India (NCTC) of India. There is no second opinion that the NCTC must be urgently constituted in India by Indian Government. However, administrative, political and technological problems need to be addressed on a priority basis by Indian Government. The obvious but unsolvable terrorism dilemma of India cannot be allowed to be continued any longer in the larger interest of India.

By its very nature and design any proposed NCTC shall be managed by intelligence and security agencies of India. India has plethora of intelligence agencies and security agencies. These include Research and Analysis Wing (RAW), Aviation Research Centre (ARC), Intelligence Bureau (IB), National Technical Research Organisation (NTRO) and Defence Intelligence Agency (DIA), etc.

However, the administrative and political structure governing these agencies is highly defective as they are operating in a decentralised manner. There is no centralised authority or Ministry that can coordinate or collaborate between different intelligence and security agencies. Further, there is no Parliamentary oversight of these intelligence agencies as well.

On top of it Civil Liberties and National Security requirements of India are not balanced at all. This would give rise to constitutional issues and create problems for such agencies in future. For instance, the immunity request of these agencies for engaging in cyber deterrent act cannot be accepted in these circumstances that would be an essential function of NCTC in future.

As Mr. Narendra Modi is committed to keep the internal security part of Home Ministry with himself, these issues can be easily managed. The proposed Prime Minister’s Office (PMO) would emerge as a “centralised national reforms point” of India. The approach regarding the proposed PMO is much required as that may be a game changer for India. It would also not be difficult to constitute the proposed NCTC in these circumstances as the centralised approach towards NCTC would eliminate interference of different Departments/Ministries. Mr. Modi can comfortably guide and supervise NCTC from the PMO.

However, NCTC must not be established in the manner proposed by the previous Government. The “safest and easiest method” to establish NCTC is to give a Parliamentary Scrutiny to intelligence agencies and their functioning. In the same legal framework, establishment and role of NCTC can be formulated.

The NCTC is very significant and essential for the National Security of India. Terrorist attacks against India are on increase and we need a “Specilaised Institution” like NCTC to provide and analyse valuable intelligence inputs and leads. The real problem seems to be “lack of coordination and harmonisation” between the Centre and States and the PMO must resolve this problem while establishing NCTC.

There are other related problems as well. For instance, the intelligence infrastructure of India is in big mess.  We need to develop intelligence gathering skills development in India so that effective intelligence can be generated, processed and used in real time. On the legislation front, a legal framework on the lines of Intelligence Services (Powers and Regulation) Bill, 2011 must be formulated and enacted by our Parliament. The National Intelligence Grid (Natgrid) Project of India has already been launched. However, a legal framework for Natgrid project of India is also needed as an unaccountable Natgrid is not a panacea for intelligence failures of India.

Surprisingly, the bureaucrats at Home Ministry have dropped the reference of NCTC altogether from their proposed report to Mr. Modi. They believe that NCTC is not a viable project and it need not to be part of the projects that have to be undertaken on a priority basis. It seems the bureaucrats are well aware of the previous dislike of Mr. Modi towards NCTC and they do not wish to offend him.

This is a highly unfortunate situation. No project should be dropped simply because Mr. Modi has disliked the same in the past. It is the constitutional duty of bureaucrats to suggest inclusion of projects of National Importance keeping aside their own biases, prejudices or fears. If they simply drop a worth project like NCTC on the basis that Mr. Modi disliked it in the past nothing is more embarrassing and unfortunate than such an approach. Even if Mr. Modi is averse to NCTC as on date, the bureaucrats must suggest the same. Of course, if there are some other issues, besides personal preferences or dislikes of Mr. Modi, they must be openly and frankly communicated to Mr. Modi and let him decide ultimately.

The things and circumstance have changed drastically and it is high time to analyse projects like NCTC as per contemporary standards and requirements. The present circumstances are in favour of constitution of NCTC and the same must be done as soon as possible.

Wednesday, December 9, 2015

Narendra Modi Government Must Be Serious About Cyber Security Of India

During the election campaign, Narendra Modi Government promised many pro active reforms for India and a robust Cyber Security Infrastructure was one of them. While it is premature to confirm or deny fulfillment of Cyber Security related promises yet it is clear that the Cyber Security Infrastructure of India is not in a good shape as on date.

There are many Cyber Security Challenges that are creating complicated Cyber Security Problems for India. Even the Digital India project of Modi Government is suffering from lack of Cyber Security Infrastructure. Smart Cities have posed their own Cyber Security and Civil Liberties Problems and they must be resolved before launching of full fledged Smart Cities in India.

Modi Government is presently facing unlimited challenges that have accumulated over a period of time. Thanks to our bureaucratic set up and all pervasive corruption, public reforms have always been kept at bay. There was no dearth of money and skilled people to accomplish the projected targets but still a dominant majority of projects in the last decade have failed to materialise.

Now that Mr. Modi has asked for a brief but accurate report and analysis of the situation, our bureaucrats are sweating and are in high stress. Even if they may somehow justify their non action and national reforms massacre still they would not be in a position to accomplish the mammoth tasks that have yet to be achieved. Decades of corrupt practices, incompetencies and indifference cannot be defeated in few years especially by retaining the same bureaucratic and ministerial structure.

Although there are hundreds of issues of national importance yet I would like to confine myself to a single issue that is closely and intrinsically related to our national security. The issue that I am talking about is the cyber security of India that is in a really bad shape (PDF). For decades our bureaucrats and Indian government did not consider cyber security as an essential part of national security policy of India. As a result cyber security has been grossly neglected and this has created a situation of high alert.

Even on the legislation front, India has failed to do the needful. For instance, we need to repeal the laws like Information Technology Act, 2000 (IT Act 2000), Indian Telegraph Act, 1885, etc but for some strange reasons our bureaucrats and Indian government kept them intact. I have been suggesting this recourse for the past five years but till now nothing concrete has happened in this regard. Similarly, crucial laws are absent from Indian statute books. These include law regarding privacy, data protection (PDF), telecom security, encryption, cloud computing, etc.

Mr. Modi would be required to not only overhaul his cabinet structure but also cleanse the bureaucratic circles that have been plaguing Indian reforms. Bureaucrats and politicians with clean image, hard working reputation and reforms oriented approach must alone be part and parcel of the Prime Minister’s Office (PMO) that may emerge as a “centralised national reforms point” of India. The approach regarding the proposed PMO is much required as that may be a game changer for India.

The previous PMO of India has already sanctioned a plan to spend 1,000 crore over the next four years to strengthen the cyber security capabilities of India. All Mr. Modi has to do is to make it sure that this may not be another proposal with no actual implementation. It must also be ensured that the allocated money is not only utilised but corrupt practices must also not take place while executing the cyber security project.

Obviously India needs to establish both offensive and defensive cyber security capabilities. This is important to protect the critical infrastructures (PDF) of India that are dependent upon information technology. A cyber warfare policy of India (PDF) must also be formulated as Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc are far beyond the reach of present cyber security mechanisms. These Malware are stealth in nature and till the time they are discovered the damage is already done.

Skilled workforce is also need of the hour and for this purpose cyber security courses must be introduced at the university level. Online education must be encouraged so that online cyber security courses can be imparted in India.

In short, the cyber security challenges before the Modi Government are institutional, skills driven, time sensitive and urgent in nature. We have already delayed strengthening of our cyber security capabilities and any further delay should not be tolerated by him.