Cyber Security – CERTs, Policy, etc

Nov, 02, 2019

[op-ed snap] The sovereign test

Context

Will Cathcart, the global head of WhatsApp, wrote that “Governments and companies need to do more to protect vulnerable groups and individuals”. 

Background

    • He was referring to spyware attacks, like the one that the messaging platform succumbed to from Pegasus.
    • Pegasus is malicious software developed by NSO.
    • WhatsApp has disclosed that a “not insignificant” number of Indian journalists, rights activists and lawyers were targeted using Pegasus.

Responsibility of governments

    • Cathcart placed the responsibility on both tech companies and governments. 

NSO

    • NSO severed its contract with Saudi Arabia after accusations by a journalist.
    • He claimed that its software was used to hack his phone, which allowed Saudi agencies to track journalist Jamal Khashoggi, who was assassinated in Istanbul. 

Technology & Fundamental Rights

    • WhatsApp has often claimed that its end-to-end encryption makes it a safe and private way to communicate. That claim is now being contested. 
    • In the digital age, companies will emerge and operate in the grey areas of the intersection between technology and security to make a profit. 
    • But national security must not be used as a shield by either governments or private players to justify the violation of fundamental rights.

Indian scenario

    • Right to privacy – India is a constitutional democracy where the courts have read the right to privacy into the right to life and liberty. 
    • Indian response – The Law and IT minister said he has asked WhatsApp to explain the breach, while the home ministry has said it will take strict action against those violating the law. 
    • Actions in previous instances – Earlier, the Indian government and parliamentary committees have summoned executives from Facebook and Twitter.
    • The vulnerability of India – Indians continue to be the largest user base for WhatsApp. 
    • Relation with Israel – India also enjoys close ties with Israel. 

Way ahead

    • The Indian government must leverage its relationship with Israel to hold NSO to account. 
    • It must punish anyone found guilty of unlawfully violating the privacy of Indian citizens. 
    • The government has made it clear that it holds a sovereign right over the data of its citizens. The idea of data sovereignty must include a citizen’s right to privacy. 

Conclusion

The government’s response in the aftermath of the WhatsApp hack will demonstrate its commitment to the rights enshrined in the Constitution.

Nov, 01, 2019

[op-ed snap] Along came spyware

Context

WhatsApp has revealed that Indian journalists and human rights activists have been under the surveillance of Israeli spyware Pegasus. 

Disclosure

  • This disclosure was made after WhatsApp filed a lawsuit in a US federal court against NSO.
  • NSO, the spyware’s maker, has allegedly been helping governments around the world hack smartphones and place their on-screen activity under watch. 
  • Pegasus can reportedly gain access to mobile devices simply by making missed calls via WhatsApp to identified targets.
  • Reports say that, by WhatsApp’s count, over 20 Indians were under the scanner for about a fortnight in May.

Not the first time

  • This is not the first time NSO has been sued. 
  • Victims of hacking had taken it to Israeli courts on earlier occasions. 
  • The spyware doesn’t just intercept network communication, it has the ability to steal your data, track your location, and much more.

Surveillance

  • Intelligence agencies use whatever means they can to zoom into the lives of people who arouse suspicion. 
  • Most often, it reveals a pattern that suggests a state paranoid about dissent. 

Way ahead

Each individual should take precautionary measures to protect themselves from spy agencies and cybercriminals.

Nov, 01, 2019

Spyware Pegasus


News

  • The popular messaging platform WhatsApp was used to spy on journalists and human rights activists in India earlier this year.
  • The surveillance was carried out using a spyware tool called Pegasus, which has been developed by an Israeli firm, the NSO Group.
  • WhatsApp sued the NSO Group in a federal court in the US, accusing it of using WhatsApp servers in the United States and elsewhere to send malware to approximately 1,400 mobile phones and devices.

Pegasus

  • All spyware does what the name suggests: it spies on people through their phones.
  • Pegasus works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
  • A presumably newer version of the malware does not even require a target user to click a link.
  • Once Pegasus is installed, the attacker has complete access to the target user’s phone.
  • The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.

Method of working

  • A Pegasus operator must convince a target to click on a specially crafted ‘exploit link’ which allows the operator to penetrate security features on the phone.
  • This automatically installs Pegasus without the user’s knowledge or permission.
  • Once the phone is exploited and Pegasus is installed, it begins contacting the operator’s command and control servers and sends back the target’s private data, including passwords, contact lists, events, text messages, and live voice calls from popular mobile messaging apps.
  • The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.

Oct, 22, 2019

TechSagar: national repository of India’s cyber tech capabilities launched


News

  • The National Cyber Security Coordinator’s office, in partnership with the Data Security Council of India (DSCI), on Monday launched TechSagar, a portal for discovering India’s technological capabilities.

TechSagar

  • TechSagar is a consolidated and comprehensive repository of India’s cyber tech capabilities which provides actionable insights about capabilities of the Indian Industry, academia and research across key technology areas.
  • The portal will list business and research entities from the IT industry, startups, academia, and individual researchers.
  • The key technology areas include the internet of things (IoT), Artificial Intelligence (AI), Machine Learning (ML), blockchain, cloud & virtualization, robotics & automation, AR/VR, wireless & networking, and more.
  • TechSagar will allow targeted search, granular navigation and drill down methods using more than 3000 niche capabilities.

Components of TechSagar

  • As of now, the repository features 4000+ entities from industry, academia and research including large enterprises and start-ups providing a country level view of India’s cyber competencies.
  • A dynamic platform, TechSagar will be frequently updated with new entities and information to maintain its relevance and usefulness.

Why such a move?

  • In order to combat the growing threat from cyber crime, there is an urgent need to collaborate and develop cyber technology capabilities in India.
  • With the launch of TechSagar, we have sown the seed for start-ups to prosper in cyber tech.
  • This is a good example of government facilitating industry growth in a strategic domain.
  • Cyber technology capabilities have become central to our national strategic outlook and there was an urgent need for developing TechSagar.
  • Start-ups, enterprises, academia, researchers, and R&D institutes in the country need to synergise their efforts and work in tandem to make India a technology leader.

About Data Security Council of India (DSCI)

  • DSCI is a not-for-profit industry body on data protection in India, set up by NASSCOM.
  • It is committed to making cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cyber security and privacy.
  • To further its objectives, DSCI engages with governments and their agencies, regulators, industry sectors, industry associations and think tanks for policy advocacy, thought leadership, capacity building and outreach activities.

Oct, 01, 2019

Explained: Right to be forgotten


News

  • The European Court of Justice (ECJ) ruled in favour of the search engine giant Google, which was contesting a French regulatory authority’s order to have web addresses removed from its global database.
  • The court ruled that an online privacy rule known as the ‘right to be forgotten’ under European law would not apply beyond the borders of EU member states.
  • The ruling comes as an important victory for Google, and lays down that the online privacy law cannot be used to regulate the internet in countries such as India, which are outside the EU.

The ‘Right to be forgotten’

  • The right to be forgotten empowers individuals to ask organisations to delete their personal data.
  • It is provided by the EU’s General Data Protection Regulation (GDPR), a law passed in 2018.
  • It states: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
  • Under Article 2 of the GDPR, “personal data” means “any information relating to an identified or identifiable natural person (“data subject”)”.
  • “Controller” means “the natural or legal person, public authority, agency or any other body which… determines the purposes and means of the processing of personal data”.

Issue

  • In 2015, the internet regulating agency in France required that Google go beyond its practice of region-specific delinking, and ordered the search engine company to delete links from its global database.
  • Google refused to abide by the order, arguing that following it would impede the free flow of information across the world.
  • This led to a fine of EUR 100,000 (around INR 77 lakh) being imposed on Google in 2016, so it challenged the order at the ECJ.

Conclusion: No privacy law beyond EU

  • Google contended that implementing the online privacy law beyond the EU would hamper access to information in countries around the world, especially those ruled by authoritarian governments.
  • Arriving at a landmark ruling, the ECJ has now restricted applying the privacy law beyond the EU.
  • It has also observed that the EU cannot enforce the ‘right to be forgotten’ on countries which do not recognise such a right.

Aug, 24, 2019

[op-ed snap] Data deprivation makes cyber crime difficult to tackle

CONTEXT

In recent times, there have been many instances of the hard-earned money of Indians being taken out of bank accounts and charges loaded onto credit cards through online frauds.

How does it affect India

  1. We are making a huge transition to a cashless economy. So, public faith in the digital system needs to be consistently reinforced.
  2. Cybercrimes affect the emerging “startup” ecosystem. Customers of genuine startups and Indian businesses have been subjected to online fraud.
  3. The skepticism about online transactions also hurts the potential of emerging companies that could take India to the $5 trillion economy that the country aspires to.
  4. The Srikrishna Commission recommended that data be stored in the country either directly or through mirror servers to serve law enforcement needs. 

How online money frauds work:

  1. Fraudsters start by creating various websites or accounts on social media platforms that host some content to make them look similar to the authentic companies’ websites or social media interfaces.
  2. Such websites and social media accounts list fake customer care numbers for relevant brands.
  3. When a customer tries to search for a company name by using a search engine, the customer care numbers or email IDs that pop up as results are often these fraudulent ones.
  4. The customer may end up calling such a fake number, and get entrapped by fraudsters into sharing his or her bank information, which enables the anonymous con artists to siphon off money from the customer’s account.
  5. These fraudsters send online links, asking customers to share their UPI details or other such information.
  6. Unsuspecting customers are also asked to download screen mirroring apps, through which the fraudsters gain access to information on mobile phones.

Challenges in tackling cyber crimes

  1. All the players involved, including banks, telecom companies, financial service providers, technology platforms, social media platforms, e-commerce companies, and the government, need to play a responsible role.
  2. The customer also has a responsibility to maintain basic cyber hygiene by following practices and taking precautions to keep one’s sensitive information organized, safe and secure.
  3. Law enforcement agencies in different states are not fully equipped to understand and act upon complaints of such frauds.
  4. Victims of fraud are too ashamed to admit that they have been conned, and often do not even tell their families. If the losses are large, the results can be devastating for fraud victims.
  5. While many cases aren’t even reported, in cases that are, the investigations make little or no progress due to lack of access to data.
  6. Despite multiple requests for data from Indian startups, search engines and social media platforms have generally been unresponsive, taking cover under the privacy principles or laws of the countries they are based in.
  7. The US Electronic Communications Privacy Act bars US-based service providers from disclosing electronic communications to law enforcement agencies of any country unless US legal requirements are met.
  8. The bilateral mechanism of the India-US Mutual Legal Assistance Treaty is a bit outdated and does not seem to work.
  9. Since most search engines and social media platforms have no “permanent establishment” in India, law enforcement agencies have hit a wall on data access.
  10. The US CLOUD (Clarifying Lawful Overseas Use of Data) Act, however, enables law enforcement authorities in India to request electronic content directly from US service providers under an executive agreement with the US government.

Conclusion

India needs to work out a way to crack cyber frauds and crimes. The country urgently needs a legally-backed framework that would bind all parties and enable law enforcers to act quickly and safeguard Indian citizens and businesses from a fast-growing menace.

Aug, 23, 2019

[op-ed snap] Data deprivation makes cybercrime difficult to tackle

Context

Cyber hygiene: Need of the hour

  • In recent times, there have been many instances of the hard-earned money of Indians being taken out of bank accounts and charges loaded onto credit cards through online frauds.
  • As a nation making a huge transition to a cashless economy, public faith in the digital system needs to be consistently reinforced.
  • All the players involved, including banks, telecom companies, financial service providers etc. and the government, need to play a responsible role in ensuring innocent citizens do not undergo the trauma of suffering losses.
  • The customer also has a responsibility to maintain basic cyber hygiene, which includes following practices and taking precautions to keep one’s sensitive information organized, safe and secure.

The new startups

  • Another emerging casualty of such cybercrimes is the emerging “startup” ecosystem.
  • We are beginning to see multiple cases where customers of genuine startups, unicorns and Indian businesses have been subjected to online fraud.
  • These customers initially presume that it is the customer care departments of the companies that have conned them, as we see in many of the cases that get filed.
  • This is a dangerous trend. Not only does it shake people’s faith in digital systems, the scepticism vis-a-vis online transactions also hurts the potential of emerging companies.

Modus operandi of cyber crimes

  • Let us look at the modus operandi of some of the recent internet-based financial frauds affecting companies in the digital and e-commerce space.
  • Fraudsters usually start by creating various websites or accounts on social-media platforms that host some content to make them look deceptively similar to the authentic companies’ websites or social media interfaces.
  • Such websites and social media accounts list fake customer care numbers for the relevant brands.
  • When a customer tries to search for a company name by using a search engine, the customer care numbers or email IDs that pop up as results are often these fraudulent ones.

Most cases go unreported

  • Also, some victims of fraud are too ashamed to admit that they have been conned, and often do not even tell their families.
  • Yet, if the losses are large, the results can be devastating for fraud victims.
  • While many cases aren’t even reported, in cases that are, the investigations make little or no progress due to lack of access to data.

What can be done?

Enforcement agencies need to gear up

  • Even the income tax department has not been spared, with people getting messages from a fraudulent source that masks itself as an income tax authority and sends a message asking them to claim tax refunds by sharing a link.
  • It is difficult to estimate the scale of the problem, as law enforcement agencies in different states are not fully equipped to understand and act upon complaints of such frauds.

Data localization

  • Since most search engines and social media platforms have no “permanent establishment” in India, law enforcement agencies have hit a wall on data access for the purpose of solving cybercrimes.
  • This has often raised calls for complete data localization, which could have been avoided had a collaborative mechanism for data access, based on agreed criteria, been put in place.
  • The Srikrishna Commission recommended that data be stored in the country either directly or through mirror servers to serve law enforcement needs.
  • The US Electronic Communications Privacy Act bars US-based service providers from disclosing electronic communications to law enforcement agencies of any country unless US legal requirements are met.
  • The bilateral mechanism of the India-US Mutual Legal Assistance Treaty is a bit outdated and does not seem to work.

Way forward

  • While privacy and data protection are necessary, and data localization may pose its own business challenges, India needs to work out a way to crack cyber frauds and crimes.
  • For this, the country urgently needs a legally-backed framework for a collaborative trigger mechanism that would bind all parties and enable law enforcers to act quickly and safeguard Indian citizens and businesses from a fast-growing menace.

Jul, 30, 2019

[op-ed snap] Going local

CONTEXT

A high-level government panel has recommended doing away with the requirement of foreign firms needing to store a copy of all personal data within India.

Background

  • Firms will now be able to store and process data abroad, though critical personal data will have to be processed and stored in the country.
  • This approach marks a significant departure from the recommendations of the Justice Srikrishna committee report which had suggested that a copy of personal data must be stored in the country.
  • The panel’s decision comes after a rethink by the Reserve Bank of India, which earlier relaxed its April 2018 circular that had mandated that all payment data generated in the country be stored here.

Impact of rethink

This decision, which is likely to be welcomed by foreign companies, who would have seen a surge in costs to comply with these regulations, suggests that a more considered view on localisation norms is evolving in India.

The arguments in favour of data localisation are straightforward — it will address questions on privacy and security, enable greater governmental access to data, and help develop local data infrastructure.

Costs associated with data localisation

But on each of these issues, it is not very clear if the benefits from localisation outweigh the costs.

1. No strong data protection law – For instance, in the absence of a strong data protection law, questions of privacy and security are unlikely to be addressed.

2. Bilateral Treaties are better – And while there are reasonable arguments to be made in favour of law enforcement having greater access to data, especially when it is not stored in India, interventions such as bilateral treaties aimed at addressing specific issues might be a more prudent approach.

3. Definition of critical Data

  • The next set of questions are likely to centre around what constitutes critical personal data.
  • The Srikrishna committee report had classified personal data pertaining to finances, health, biometric and genetic data, religious and political beliefs, among others, as sensitive personal data.

4. A single agency

  • It had envisaged a data protection agency which would list out further categories of sensitive personal data.
  • But it is debatable whether a single agency is best suited to draw up this list. Globally, the framing of localisation norms has been largely contextual, driven typically by the type of data and the sector it relates to (in Canada, any data may be sensitive based on the context), so sector-specific regulators might be better at identifying which data is sensitive.

Jul, 05, 2019

Central Welfare Database of Citizens


News

Central Welfare Database of Citizens

  • The Economic Survey 2018-19 pitched for setting up a central welfare database of citizens — by merging different data maintained by separate Ministries and departments.
  • These recommendations come at a time when India is working on finalising its personal data protection policy.
  • The principle is that most data are generated by the people, of the people and should be used for the people.
  • This database can be tapped for enhancing ease of living for citizens, particularly the poor.

Data to be included

  • The datasets proposed for inclusion are administrative data such as birth and death records, pensions, tax records, marriage records; survey data such as census data, national sample survey data; transactions data such as e-national agriculture market data, UPI data; and institutional data such as public hospital data on patients.

Why such centralized database?

  • The governments already held a rich repository of administrative, survey, institutional and transactions data about citizens, but these data were scattered across numerous government bodies.
  • Merging these distinct datasets would generate multiple benefits with the applications being limitless.
  • The government could utilise the information embedded in these distinct datasets to enhance ease of living for citizens, enable truly evidence-based policy, improve targeting in welfare schemes, uncover unmet needs, and integrate fragmented markets.
  • This will bring greater accountability in public services and generate greater citizen participation in governance, etc.

Need for stringent safeguards

  • It also recommended granting the private sector access to select databases for a fee, given that stringent technological mechanisms exist to safeguard data privacy.
  • The Survey noted that there had been some discussions around the “linking” of datasets, primarily through the seeding of an Aadhaar number across databases such as PAN database, bank accounts and mobile numbers.
  • However, it clarified that the linking is “one-way.” For example, banks can use the tokenized Aadhaar number to combine duplicate records and weed out benami accounts.
  • This does not mean that the UIDAI or government can read the bank account information or other data related to the individual.

Way Forward

  • The Survey pointed out that governments can create data as a public good within the legal framework of data privacy.
  • Care must also be taken not to impose the “elite’s preference of privacy on the poor, who care for a better quality of living the most.”

Jun, 25, 2019

Explained: Debate over Data Localization

News

  • The IT Ministry’s Bill on data protection is scheduled to be introduced in Parliament during the current session.
  • Worldwide, the data flow debate is playing out at the World Trade Organisation (WTO) and G20.

The ‘Data’ under debate

  • Data is any collection of information that is stored in a way so computers can easily read it.
  • These days, most people refer to data to mean information about their messages, social media posts, online transactions, and browser searches.
  • Big data refers to the immense amount of data that can now be collected, stored, and analysed to find patterns.

Why is Data important?

  • This large collection of information about people’s online habits has become an important source of profits.
  • Your online activity can expose a lot about who you are, and companies find it valuable to use the information to target advertisements to you.
  • Governments and political parties have also gained interest in these data sets for elections and policymaking.

Data Localization

  • Data is stored in a physical space, like a file cabinet that can be the size of the Taj Mahal.
  • Data is also transported across country borders physically, traveling through underwater cables that run as deep as Mount Everest and as long as four times the span of the Indian Ocean.
  • Thirdly, just as oil is refined, data has to be processed to be useful. This means it is analysed by computers.
  • These aspects of data flows (where it is stored, where it is sent, where it is turned into something useful) determine who has access to the data, who profits off the data, who taxes the data, and who “owns” the data.
  • With these questions in mind, individual governments are developing their own domestic rules and negotiating with each other on a global stage, raising values of national security, economic growth, and privacy.

India in favor of Data Localization

  • India’s recent drafts and statements have strong signals for data localisation, which means that data of Indians (even if collected by an American company) must be stored and processed in India.
  • Along with an RBI directive to payment companies to localize financial data, the Ministry of Commerce’s draft e-commerce policy is currently in public consultation.
  • The IT Ministry has drafted a data protection law that will be introduced in Parliament and has also framed draft intermediary rules that were leaked earlier.
  • These laws, broadly speaking, could require Facebook, Google, and Amazon to store and process in India information such as an Indian’s messages, searches, and purchases.
  • In some cases, they restrict what type of data these companies can collect. In others, they require only a copy of the data to be in the country.
  • By requiring a copy of the data to be stored in India (data mirroring), the government hopes to have more direct control over these companies, including the option to levy more taxes on them.
  • The government also argues for data localisation on the ground of national security, to prevent foreign surveillance and attacks.

What are counter-arguments against data localisation?

  • On the other side, the US government and companies want cross-border flow of data. It would allow companies to store the data of Indians in the most efficient place in the world.
  • Even though India’s data economy is not as large as that of others, it is one of the fastest growing, making it a market that global companies cannot afford to ignore.
  • Proponents of free flow of data worry that if all countries begin to protect their data, it may backfire on India’s own companies that seek global growth.
  • Others caution that these laws could bring increased state surveillance, like India’s draft intermediary rules that would require WhatsApp to change its design to proactively filter messages.
  • The company says messages are currently encrypted, meaning neither the company nor any government can see them.

Data policies in neighbourhood

  • China has developed similar laws, which proponents say allow for a flourishing domestic economy of data centres and data processing by blocking foreign players out.
  • This is why Indian companies, like Reliance and PayTM, usually support data localisation.
  • The other argument from the Indian government is that localisation will help law enforcement access the data.
  • Currently, India has to use “mutual legal assistance treaties” (MLAT) with the US to get the data of Indians that are controlled by American companies.

What is happening at the global forums?

  • Trade tensions worldwide are escalating, giving the data flow debate new relevance at the WTO and G20.
  • WTO member countries are negotiating rules about e-commerce, which is the buying and selling of goods and services online.
  • Digital trade contributes more to global GDP than physical trade. India is one of the fastest growing markets, with e-commerce expected to reach $1.2 trillion by 2021.
  • These laws raise questions about where companies can store, process, and transport data about transactions.
  • In their proposals, the US and the EU have called to prohibit customs duties on online transactions while China and Pakistan have called for allowing them.
  • The US has also recommended not having overly burdensome data standards nor localisation requirements, while the EU wants data localisation requirements.

Ahead of G20 meet

  • A principle titled “Data Free Flow with Trust” (DFFT), supported by the US, Japan, and Australia, is expected to be a significant talking point at the upcoming G20 summit.

Jun, 07, 2019

[op-ed snap] Breaking the algorithm

CONTEXT

Businesses are increasingly utilising algorithms to improve their pricing models, enhance customer experience and optimise business processes. Governments are employing algorithms to detect crime and determine fines. Consumers are benefitting from personalised services and lower prices. However, algorithms have also raised concerns such as collusions and malfunctioning, privacy, competition issues, and information asymmetry.

  • Automated systems have now made it easier for firms to achieve collusive outcomes without formal agreement or human interaction, thereby signalling anti-competitive behaviour.
  • This results in “tacit algorithmic collusion”, an outcome which is still not covered by existing competition law.

Case study – This can occur in non-oligopolistic markets too. In 2015, the US Federal Trade Commission fined David Topkins (former e-commerce executive of a company selling online posters and frames) for fixing the price of certain posters sold through Amazon Marketplace using complex algorithms, impacting consumer welfare and competition adversely. 

Security concerns from collusion algorithms

1. Negligence of private data

  • In order to enjoy services at low or zero price, consumers neglect the value of their data.
  • Access to easily procurable data such as Facebook “likes” can be used to target only advantageous customers circumventing anti-discrimination mechanisms.

2. Ransomware attack –

  • The application of advanced algorithms has also resulted in an increase in ransomware attacks.
  • A devastating cyber attack — the WannaCry ransomware attack — hit the world in May 2017, affecting around 2,30,000 computers across 150 countries.

3. Competition –

  • Important concerns pertain to “competition” as well.
  • Processing of large datasets through dynamic algorithms generates real-time data “feedback loops”, impacting competition adversely.
  • As more users visit select platforms, not only more data, but data with greater reliability is collected, allowing firms to more effectively target customers. Consequently, more users feed back into this loop. 

Case Study – That Google has been estimated to charge a higher cost-per-click (CPC) than Bing, a competitor, suggests that advertisers attribute a higher probability of converting a viewer of Google’s ads into a customer.

4. Complexity of system –

  • Then, we have evolving machine-learning algorithms ranging from voice recognition systems to self-driving cars.
  • Even high-profile programmers/developers may not be able to trace the working of such algorithms, making the identification of any anti-competitive practice nearly impossible.

Conclusion

A rethink of public policy is absolutely essential if the undesirable impacts of artificial intelligence on the human race are to be arrested.

Feb, 25, 2019

India to have own DNS for safe browsing

Note4students

Mains Paper 3: Security | Basics of cyber security

From UPSC perspective, the following things are important:

Prelims level: DNS

Mains level: Data Localization and its implications


News

  • The government will soon roll out a public Domain Name Server, or DNS, for India aimed at providing a faster and more secure browsing experience for Internet users in the country, while ensuring that citizens’ data is stored locally.

What is DNS?

  • A DNS is like a phonebook for the Internet.
  • Humans access information online through domain names, like abcd.com or pqrs.co.in etc.
  • Web browsers interact through Internet Protocol (IP) addresses.
  • DNS translates domain names to IP addresses so browsers can load Internet resources.

Indian DNS

  • The roll-out will be executed by the National Informatics Centre – the technology arm of the government.
  • NIC is already using the public DNS within the government network.
  • Users are not mandated to shift to India’s public DNS. A user is free to choose any DNS.
  • With the government’s public DNS, Indian users’ data would be stored within the country, thereby creating a move for Data Localization.

Utility of Indian DNS

  • The main aim of bringing our own public DNS is to ensure availability, particularly for smaller Internet Service Providers (ISPs) who don’t have credible DNS.
  • Bigger ones usually have their own DNS.
  • There are other open DNS servers, including Google Public DNS.
  • The government’s DNS would prevent users from visiting malicious websites.
  • If the government wants to block a website, there is a mechanism in place.
  • The Govt can send a list to the ISPs for reasons such as child porn or fake news, and they have to comply with the order.
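
The lookup and blocking described above can be sketched as follows. This is an added example, not code from NIC or any real resolver; the zone records, blocklist entries and function names are constructed for illustration. It shows the check a filtering resolver performs before answering, matching blocked names at label boundaries so that subdomains of a listed name are covered but look-alike names are not.

```python
"""Toy filtering resolver: blocklist check first, then name-to-address lookup."""
from typing import NamedTuple, Optional

# Constructed sample data: documentation-range addresses, made-up names.
ZONE = {
    "abcd.com": "192.0.2.10",
    "pqrs.co.in": "198.51.100.7",
}
BLOCKLIST = {"malware.example", "bad.pqrs.co.in"}


class Answer(NamedTuple):
    qname: str                 # normalized query name
    rcode: str                 # "NOERROR" or "NXDOMAIN"
    address: Optional[str]     # IP address when resolved
    blocked_by: Optional[str]  # blocklist entry that matched, if any


def normalize(qname: str) -> str:
    """Lower-case, drop the trailing root dot, and convert to ASCII (IDNA)."""
    name = qname.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty query name")
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid domain name: {qname!r}") from exc


def matching_rule(name: str, blocklist: set) -> Optional[str]:
    """Return the blocklist entry covering `name`, or None.

    Each suffix of whole labels is tested, so "cdn.malware.example" matches
    "malware.example" while "notmalware.example" does not.
    """
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(qname: str, zone: dict = ZONE, blocklist: set = BLOCKLIST) -> Answer:
    """Answer one query: policy check first, then the phonebook lookup."""
    name = normalize(qname)
    rule = matching_rule(name, blocklist)
    if rule is not None:
        # Blocked by policy: the client receives "no such domain".
        return Answer(name, "NXDOMAIN", None, rule)
    address = zone.get(name)
    if address is None:
        # Name genuinely unknown to this resolver.
        return Answer(name, "NXDOMAIN", None, None)
    return Answer(name, "NOERROR", address, None)


if __name__ == "__main__":
    for q in ("ABCD.com.", "pqrs.co.in", "cdn.malware.example",
              "bad.pqrs.co.in", "notmalware.example"):
        print(resolve(q))
```
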
Feb, 01, 2019

[op-ed snap] Heading towards strategic instability

Note4students

Mains Paper 3: Security | Challenges to internal security through communication networks, role of media and social networking sites in internal security challenges, basics of cyber security; money-laundering and its prevention.

From UPSC perspective, the following things are important:

Prelims level: Basic knowledge of the emerging military high-tech innovations.

Mains level: The news-card analyses the challenges that India might face as there is a possibility of emerging disruptive technologies prompting inadvertent conflict, in a brief manner.


Context

  • In late 2018, the government decided to set up three new agencies — the Defence Cyber Agency, the Defence Space Agency and the Special Operations Division — in order to address the new age challenges to national security.

Recommendations given by Naresh Chandra Task Force and the Chiefs of Staff Committee

  • This is indeed a useful step in the right direction.
  • However, it is also important to note that the constitution of these agencies is a far cry from the crucial recommendations given by the Naresh Chandra Task Force and the Chiefs of Staff Committee.
  • Both the committees had suggested the formation of three separate joint commands to deal with new challenges to India’s national security in the cyber, space and special operations domains.
  • This lacklustre response to major ‘futuristic’ challenges to our national security has raised the question: is India adequately prepared for the new age wars?

World is moving away from traditional military hardware to high-tech innovations

  • There is a revolution in military affairs that seems to have attracted the attention of strategic analysts and policy planners across the world.
  • The current focus in military thinking across the world is increasingly moving away from traditional heavy-duty military hardware to high-tech innovations.
  • These include artificial intelligence (AI), big data analytics, satellite jammers, hypersonic strike technology, advanced cyber capabilities, spectrum denial and high-energy lasers.
  • In the light of the unprecedented capabilities that these systems offer, there is also an increased focus on developing suitable command and control as well as doctrinal concepts to accommodate and calibrate them.

Implications

  • The arrival of these technologies might deeply frustrate strategic stability as we know it given their disruptive nature.
  • Strategic stability in the contemporary international system, especially among the nuclear weapon states, depends on several age-old certainties, the most important being the issue of survivability of a state’s nuclear arsenal and its ability to carry out a second strike after a first attack.
  • Once accuracies get better, hypersonic glide vehicles replace conventional delivery systems, real time tracking and surveillance make major strides, and AI-enabled systems take over, survivability of nuclear arsenal, which lies at the heart of great power stability, could take a severe beating.
  • There was an assumption that the naval leg of a nuclear triad is the most survivable part since it is hidden away in the depths of the ocean away from the adversary’s gaze.
  • However, the potential ability of deep-sea drones to detect ballistic-missile armed nuclear submarines or SSBNs may make this assurance a thing of the past thereby frustrating traditional calculations.

New era of strategic instability

  • The arrival of these new technologies is worrisome when we add it to the emerging strategic competition among great powers.
  • The U.S.’s withdrawal from the Intermediate-Range Nuclear Forces treaty is perhaps an indication of a potential arms race in the offing.
  • According to experts, disruptive new technologies, worsening relations between Russia and America and a less cautious Russian leadership than in the cold war have raised fears that a new era of strategic instability may be approaching.

Inherent paradox vis-à-vis high technology-enabled military systems

(a) Vulnerable to covert cyberattacks

  • While it is imperative for states to redesign their systems in the light of these new technologies, especially the digital and cyber components, this also makes the cyber- and digital-enabled systems vulnerable to covert cyberattacks.
  • More so, given that such surreptitious attacks might take place in the early stages of a conflict.
  • The ensuing confusion and scare might lead to uncontrolled escalation with little time for assessment and judgement.

(b) Risks of nuclear use

  • The biggest fear about these technologies is their potential to increase the risks of intentional and inadvertent nuclear use.

(c) Inadvertent escalation and conflict

  • The fear of a bolt-from-the-blue attack against one’s command and control systems or a disabling strike against strategic arsenal using new technological solutions is likely to dominate the strategic mind-space of great powers in the days ahead, thereby further deepening mistrust and creating instability.
  • Therefore, the possibility of emerging military technologies prompting inadvertent escalation and conflict cannot and should not be ruled out.

Increasing Chinese capabilities

  • China has emerged as a key actor in the field of emerging military technologies.
  • This is something that will concern New Delhi in the days ahead.
  • Some analysts believe that Beijing is in the lead position in emerging technologies with potential military applications such as quantum computing, 3D printing, hypersonic missiles and AI.
  • If Beijing continues to develop hypersonic systems, for instance, it could potentially target a range of targets in the U.S.
  • While the Chinese focus is evidently on U.S. capabilities, which China interprets as a potential threat, this is not without latent concerns for New Delhi.
  • In turn, India might consider developing some of these technologies which will create dilemmas for Islamabad.
  • The cascading strategic competition then looks unavoidable and that is worrisome.
  • However, it might be difficult to avoid some of these developments given their dual use.

Way Forward

  • There is a need to ask how survivable India’s naval platforms are given the feverish developments of advanced sensory capability in the neighbourhood.
  • India needs to be sufficiently prepared to face the new age wars.
  • It is in this context that we must revisit the government’s decision to set up the agencies to address cyber and space challenges.
  • It is timely that the government has finally decided to set them up, though they are not yet in place.
  • The reports indicate that the Space Command will be headed by the Air Force, the Army will head the Special Operations Command, and the Navy will be given the responsibility of the Cyber Command.
  • If that happens, their effectiveness in terms of tri-service synergy will be much less than anticipated given that the higher defence decision-making in the country is still civil services-dominated.

Dec, 22, 2018

All computers can now be monitored by Govt. agencies

Note4students

Mains Paper 3: Internal Security | Challenges to internal security through communication networks, basics of cyber security etc.

From UPSC perspective, the following things are important:

Prelims level: Details of the MHA Order

Mains level: Cyber Security and associated issues


News

  • The MHA has issued an order authorising 10 Central agencies to intercept, monitor, and decrypt “any information generated, transmitted, received or stored in any computer”.

Agencies free to Monitor

  • Intelligence Bureau
  • Narcotics Control Bureau
  • Enforcement Directorate
  • Central Board of Direct Taxes
  • Directorate of Revenue Intelligence
  • Central Bureau of Investigation
  • National Investigation Agency
  • Cabinet Secretariat (R&AW)
  • Directorate of Signal Intelligence (For service areas of Jammu & Kashmir, North-East and Assam only)
  • Commissioner of Police, Delhi

Details of the Order

  1. The subscriber or service provider or any person in charge of the computer resource will be bound to extend all facilities and technical assistance to the agencies.
  2. Failing to do so will invite seven-year imprisonment and fine.
  3. The MHA gave the authorisation under Section 69 (1) of the Information Technology Act, 2000, which says that the Central government can direct any agency after it is satisfied that it is necessary or expedient.
  4. This will be done in the interest of the sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

Aug, 24, 2018

35% of cyber attacks on Indian sites from China: official report

Note4students

Mains Paper 3: Internal Security | Cyber Security

From UPSC perspective, the following things are important:

Prelims level: Highlights of the report

Mains level: Rising threat of cyber attacks and data leakages


News

CERT-In Report on Cyber Attacks

  1. The report, prepared by the Indian Computer Emergency Response Team (CERT-In), which comes under the ministry, analysed cyber attacks from April-June 2018.
  2. It said that the maximum number of cyber attacks on official Indian websites is from China, US and Russia.
  3. It has also flagged the possibility of “malicious actors from Pakistan using German and Canadian cyberspace for intruding into Indian cyberspace and carrying out malicious activities”.

Highlights of the report

  1. According to the report, it has been observed that China continues to “intrude” Indian cyberspace in a significant way.
  2. The cyber attacks from China made up 35% of the total number of cyber attacks on official Indian websites, followed by US (17%), Russia (15%), Pakistan (9%), Canada (7%) and Germany (5%).
  3. The attackers target victims by sending spear-phishing emails with malware attachments.
  4. Phishing attacks are usually in the form of an email that appears to come from a trusted source and asks for personal details such as bank details and passwords.
  5. Many of the institutions impacted by the malicious activities have been identified, and they have been advised to take appropriate preventive action.
  6. These include ONGC, NIC, IRCTC, Railways, Centre for Railway Information Systems (CRIS) and some banks like PNB, Oriental Bank of Commerce, SBI and state data centres, particularly in Maharashtra, Madhya Pradesh and Karnataka.

About CERT-In

  1. CERT-In is the nodal agency which deals with cyber security threats like hacking and phishing.
  2. It collects, analyses and disseminates information on “cyber incidents”, and also issues alerts on “cyber security incidents”.
  3. The activities relating to intruding into the cyberspace are being regularly monitored.

Jul, 09, 2018

Centre plans stronger defenses for key data

Note4students

Mains Paper 3: Internal Security | Cyber Security

From UPSC perspective, the following things are important:

Prelims level: Not Much

Mains level: Rising threat of cyber attacks and data leakages


News

Information Security Policy and Guidelines to be updated

  1. Worried about sensitive information making its way onto the Internet, the Home Ministry is upgrading policy to secure government data and control access to it.
  2. Earlier the files were locked in a cupboard and accountability could be fixed, but with the advent of Digital India, a number of issues were in a grey area.
  3. In light of the evolving cyber threats, MHA directed that the National Information Security Policy and Guidelines (NISPG) be upgraded and updated for the government sector.

Major issues

  1. There are issues relating to the physical security of a computer. If it becomes obsolete, the discarded hard disk poses a threat of leakage.
  2. There are issues relating to the network as well.
  3. If the information travels over an owned cable, then everything can be encrypted, but if it travels over a commercially available one, then compliance with the guidelines will have to be ensured.
  4. The whole policing system in India that began in 1860 now needs to be replicated in cyberspace. It will evolve gradually.
  5. The new guidelines will also take care of that.

Other details

The new policy would cover issues pertaining to the Official Secrets Act.

May, 07, 2018

A RAT that spies on computers

Note4students

Mains paper 3: Internal Security | Basics of cyber security

From UPSC perspective following things are important:

Prelims level: Gravity-RAT, CERT-In

Mains level: Rising incidents of malware causing hacking of govt websites and ways to deal with them


News

A Malware designed by Pakistani hackers

  1. GravityRAT infiltrates a system in the form of an innocuous-looking email attachment, which can be in any format, including MS Word, MS Excel, MS PowerPoint, Adobe Acrobat or even audio and video files
  2. The ‘RAT’ in its name stands for Remote Access Trojan, which is a program capable of being controlled remotely and thus difficult to trace
  3. The hackers first identify the interests of their targets and then send emails with suitable attachments
  4. The RAT was first detected by the Indian Computer Emergency Response Team (CERT-In) on various computers in 2017.

Features of RAT (Remote Access Trojan)

  1. It is designed to infiltrate computers and steal the data of users and relay the stolen data to Command and Control centers in other countries.
  2. The latest update to the program by its developers is part of GravityRAT’s function as an Advanced Persistent Threat (APT), which, once it infiltrates a system, silently evolves and does long-term damage.
  3. It lies hidden in the system that it takes over and keeps penetrating deeper
  4. According to latest inputs, GravityRAT has now become self-aware and is capable of evading several commonly used malware detection techniques.

Why is RAT so dangerous?

  1. The sandboxing technique is used to isolate malware from critical programs on infected devices and provide an extra layer of security.
  2. The problem, however, is that malware needs to be detected before it can be sandboxed, and GravityRAT now has the ability to mask its presence
  3. Typically, malware activity is detected by the ‘noise’ it causes inside the Central Processing Unit, but GravityRAT is able to work silently
  4. It can also gauge the temperature of the CPU and ascertain if the device is carrying out high-intensity activity, like a malware search, and act to evade detection

Problem with the data leaked

  1. The other concern is that the Command and Control servers are based in several countries
  2. The data is sent in an encrypted format, making it difficult to detect exactly what is leaked

Mar, 08, 2018

[op-ed snap] The new front

Note4students

Mains Paper 3: Internal Security | Basics of cyber security

From UPSC perspective, the following things are important:

Prelims level: Digital India, NCIIPC, Defence Cyber Agency

Mains level: Cybersecurity and related issues


Context

Growing threat of Cyberwarfare

  1. As “Digital India” grows, vulnerabilities of cyber warfare will only increase
  2. A 2017 study conducted by Symantec found that India ranked fourth in online security breaches, accounting for over 5 percent of global threat detections

Types of cyber threats

  1. Cyber crimes
  2. Cyber theft
  3. Cyber espionage
  4. Cyber intrusions

Measures taken to reduce such incidences

  1. Setting up of the National Critical Information Infrastructure Protection Centre (NCIIPC)
  2. The appointment of a National Cyber Security Coordinator

Real danger for India

  1. The real danger to India lies in targeted cyber attacks coming from adversarial nation states
  2. Countries like China can bring immense assets to bear in carrying out sophisticated cyber attacks
  3. Cyber warfare is going to become a regular part of the arsenal of nations

National strategy to counter cyber threats

The three main components of any national strategy to counter cyber threats are defence, deterrence and exploitation

  1. Critical cyberinfrastructure needs to be defended and the establishment of the NCIIPC is a good step in this direction
  2. Deterrence in cyberspace is a hugely complex issue. Cyber warfare is characterized by an absence of clarity
  3. Cyber operations cannot be a standalone activity but integrated with land, sea and air operations, and a part of information warfare (exploitation)

Setting up of a Defence Cyber Agency

  1. India is one of the few countries which still does not have a dedicated cyber component in its military
  2. The setting up of a Defence Cyber Agency has been announced but this is a typical half-hearted step which characterizes our strategic planning process
  3. India will never achieve the full capability of fighting and defending in the cyberspace if this agency is hobbled by limited mandates and roles
  4. It would be instructive to take a leaf out of the US Cyber Command, which has one of its focus areas as “strengthening (the) nation’s ability to withstand and respond to cyber attack”

Way forward

  1. We are still unclear about how a future cyberwar will play out but capabilities definitely exist, particularly with China
  2. It would be absurd not to prepare, and the military must be at the forefront of this preparation

Mar, 06, 2018

Threat of new malware looms over cyberspace

Note4students

Mains Paper 3: Science & Technology | Awareness in the fields of IT, Space, Computers, robotics, nano-technology, bio-technology

From UPSC perspective, the following things are important:

Prelims level: DDoS attack, Mirai, Reaper, Saposhi, CERT-In

Mains level: Rising threat of cyber attacks


News

DDoS attack by malware

  1. After Mirai and Reaper, cybersecurity agencies have detected a new malware called Saposhi
  2. It is capable of taking over electronic devices and turning them into ‘bots’, which can be then used for any purpose
  3. This includes a Distributed Denial Of Service attack

What is a DDoS attack?

  1. In DDoS attacks, the malware first creates a network of bots called a botnet via internet-connected devices
  2. It then uses the botnet to ping a single server at the same time
  3. As the number of pings is far beyond the server’s capacity, the server crashes and denies service to its consumers

Previous malware attacks

  1. In October last year, the Computer Emergency Response Team (CERT) had issued an alert about Reaper
  2. It was a highly evolved malware capable of not only hacking devices like WiFi routers and security cameras, but also able to hide its own presence in the bot

Back2Basics

Computer Emergency Response Team (CERT)

  1. The Indian Computer Emergency Response Team (CERT-In) is an office within the Ministry of Electronics and Information Technology
  2. It is the nodal agency to deal with cybersecurity threats like hacking and phishing
  3. It strengthens the security-related defense of the Indian Internet domain
  4. CERT-In has been designated under Section 70B of Information Technology (Amendment) Act 2008 to serve as the national agency to perform the following functions in the area of cybersecurity:
    • Collection, analysis, and dissemination of information on cyber incidents
    • Forecast and alerts of cybersecurity incidents
    • Emergency measures for handling cybersecurity incidents
    • Coordination of cyber incident response activities
    • Issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents

Feb, 08, 2018

Google unveils security campaign to protect users from cyberbullying, fraud

Note4students

Mains Paper 3: Internal Security | Basics of cyber security

From UPSC perspective, the following things are important:

Prelims level: #SecurityCheckKiya campaign

Mains level: India’s growing digital reach and threats posed by it


News

Public safety initiative to protect the netizens

  1. Google has unveiled a public safety initiative in India to create awareness around Internet safety and protect the netizens
  2. The programme, called ‘#SecurityCheckKiya’, is targeted at young and first-time users to help them protect themselves from account hijacking
  3. It is also aimed at shielding their Android mobile devices from malicious apps and securing all their personal data if they lose the devices

Threats posed by internet

  1. India has the second largest Internet user base in the world
  2. There is a lot of social engineering abuse, for example, the lottery and job scams
  3. For kids and women, there could be cyberbullying and (internet) trolling

Recommended safety steps

  1. Google has recommended three simple steps that can help everyone start their journey towards internet safety
  2. This includes reviewing security settings and Google account activity with one click for all Android devices and Gmail users
  3. Google Security check helps users to automatically scan for any vulnerability and guides them to keep their account safe in a few minutes
  4. ‘Find My Device’ app from Google helps a user to easily locate a lost Android device and keeps the device and information secure

Jan, 29, 2018

Govt. to set up apex cybercrime coordination centre

Note4students

Mains Paper 3: Internal Security | Challenges to internal security through communication networks, role of media & social networking sites in internal security challenges

From UPSC perspective, the following things are important:

Prelims level: Indian Cyber Crime Coordination Centre (I4C)

Mains level: Cybersecurity and issues related to it


News

I4C to be set up

  1. The Union Home Ministry is planning to set up an apex coordination centre to deal with cyber crimes such as financial frauds and the circulation of communal and pornographic content
  2. The apex centre — Indian Cyber Crime Coordination Centre (I4C) — would be set up in Delhi
  3. The Ministry has already created a new wing — Cyber and Information Security Division — to deal with cyber crimes and related issues

Working of I4C

  1. It would coordinate with State governments and Union Territories, and closely monitor the cyberspace and social media with due emphasis on vernacular content
  2. The centre would also block those websites which flout India’s laws and circulate child porn, and communally and racially sensitive content
  3. The centre would maintain a list of suspects
  4. The leads generated during investigations in cybercrime cases would be shared with law enforcement agencies through a “secured internal network”

Why such a move?

  1. The move came in the wake of 1,44,496 cybersecurity attacks observed in the country during 2014-16
  2. Over a period of time, there has been a phenomenal increase in use of computers, smartphones and internet
  3. With this increase, cybercrimes have emerged as a major challenge for law enforcement agencies

Jan, 25, 2018

WEF launches Global Centre for Cybersecurity

Note4students

Mains Paper 2: IR | Important International institutions, agencies & fora, their structure, mandate

From UPSC perspective, the following things are important:

Prelims level: Global Centre for Cybersecurity, World Economic Forum, Artificial Intelligence, Internet of Things (IoT)

Mains level: Rising threats from cyber world and measures to minimize risks


News

Global Centre for Cybersecurity

  1. The World Economic Forum (WEF) announced a new Global Centre for Cybersecurity
  2. It will help safeguard the world from hackers and growing data breaches — especially from nation-states

About the center

  1. Headquartered in Geneva, the center will become operational from March
  2. It will bring together governments as well as international organizations
  3. WEF will reach out to key industry players and G-20 countries in the beginning

Need for cybersecurity

  1. Cybersecurity is a borderless problem
  2. Urgent action is needed to create a safe operating environment for new technologies like Artificial Intelligence, robotics, drones, self-driving cars and the Internet of Things (IoT)
  3. Criminal abuse of virtual currencies is also happening at a faster rate

Jan, 18, 2018

Home Ministry pitches for Budapest Convention on cyber security

Note4students

Mains Paper 3: Internal Security | Challenges to internal security through communication networks, role of media & social networking sites in internal security challenges

From UPSC perspective, the following things are important:

Prelims level: Budapest Convention, Indian Cyber Crime Coordination Centre (I4C)

Mains level: Rising rate of cybercrimes and ways to deal with it


News

Need for international cooperation to tackle cyber crime

  1. India was reconsidering its position on becoming a member of the Budapest Convention
  2. This was because of the surge in cybercrime, especially after a push for digital India
  3. The Ministry of Home Affairs has flagged the need for international cooperation to check cyber crime, radicalization and boost data security

Opposition by Intelligence Bureau

  1. The move is being opposed by the Intelligence Bureau
  2. IB argues that sharing data with foreign law enforcement agencies infringes on national sovereignty and may jeopardize the rights of individuals

Deadline set for setting up I4C

  1. Home ministry has set a deadline of February this year to operationalize the Indian Cyber Crime Coordination Centre (I4C)
  2. The Home Minister had announced the setting up of I4C in 2016 to deal with all types of cyber crime at the national level
  3. I4C will be set up under the newly created Cyber and Information Security (CIS) division of the MHA
  4. CIS will have four wings, namely security clearance, cybercrime prevention, cyber security and information security

Back2Basics

Budapest Convention

  1. The Convention on Cybercrime, also known as the Budapest Convention on Cybercrime, is the first international treaty seeking to address Internet and computer crime by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations
  2. It was drawn up by the Council of Europe
  3. It was opened for signature in Budapest, on 23 November 2001 and it entered into force on 1 July 2004
  4. The Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, hate crimes, and violations of network security
  5. It also provides procedural law tools to make investigation of cybercrime and securing of e-evidence in relation to any crime more effective
  6. The convention allows international police and judicial cooperation on cybercrime and e-evidence
  7. The Convention has 56 members, including the US and the UK

Dec, 30, 2017

Data protection law on anvil

Note4students

Mains Paper 3: Internal Security | Basics of cyber security

From UPSC perspective, the following things are important:

Prelims level: Data protection law, Justice Srikrishna committee

Mains level: Apprehensions being raised about Aadhaar and data security and steps being taken to resolve such issues


News

Government in the process of framing a data protection law

  1. With the country emerging as a big center of data analysis, the government was in the process of framing a data protection law
  2. The government had set up a committee headed by Justice Srikrishna, retired Supreme Court Judge, on the issue

No proposal to make internet a fundamental right

  1. The government was committed to providing Internet connectivity to all citizens
  2. This does not entail that internet availability will be made a fundamental right

Dec, 19, 2017

For a safe cyberspace

Note4students:

Mains paper 3: Internal Security | Basics of cyber security

From UPSC perspective following things are important:

Prelims level: Ransomware

Mains level: This article deals with why cybersecurity in India needs to be integrated in every aspect of policy and planning. Cyber security is a hot topic in Mains. Every year UPSC asks a question on it in Mains. Even in 2017 Mains they asked 1 question on cybersecurity.


News:

Performance of India with respect to Digital and Knowledge-based economy

  1. India is one of the key players in the digital and knowledge-based economy, holding more than a 50% share of the world’s outsourcing market.
  2. Pioneering and technology-inspired programmes such as Aadhaar, MyGov, Government e-Market, DigiLocker, Bharat Net, Startup India, Skill India and Smart Cities are propelling India towards technological competence and transformation.
  3. India is already the third largest hub for technology-driven startups in the world and its Information and Communications Technology sector is estimated to reach the $225 billion landmark by 2020.

Vulnerabilities of India with respect to cyberspace

  1. India is the fifth most vulnerable country in the world in terms of cybersecurity breaches, according to the Internet Security Threat Report of 2017 by Symantec.
  2. Till June 2017, 27,482 cybersecurity threats had been reported in the country.

Which Types of Attacks are most common in recent years?

  1. Ransomware attacks have been the most common in the last few years (Ransomware is a type of software that threatens to publish a person’s data or block it unless a ransom is paid).
  2. Apart from WannaCry and Petya, other Ransomware attacks that made news globally were Locky, Cerber, Bucbi, SharkRaaS, CryptXXX and SamSam.
  3. In India, in May 2017, a data breach at the food delivery App, Zomato, led to personal information of about 17 million users being stolen and put for sale on the Darknet. The company had to negotiate with the hacker in order to get it taken down.

Which devices are more vulnerable to attacks?

  1. While Windows operating systems were the most vulnerable to cyberattacks, a number of Android threats have been reported in the last couple of years, including potent crypto-ransomware attacks on Android devices.
  2. The attacks aren’t limited to mobile phones and e-Pads. All devices, including televisions that use Android, are also potentially vulnerable.
  3. In 2016, the first known Ransomware, named KeRanger, targeting Mac users was also reported.
  4. The Mirai botnet malware affected 2.5 million home router users and other Internet of Things devices

 

What should India do?

  1. Given the huge number of online users and continued efforts on affordable access, cybersecurity needs to be integrated in every aspect of policy and planning.
  2. India needs to quickly frame an appropriate and updated cybersecurity policy, create adequate infrastructure, and foster closer collaboration between all those involved to ensure a safe cyberspace.
  3. There is a need for a Geneva-like Convention to agree on some high-level recommendations among nations to keep the Internet safe, open, universal and interoperable.

B2B:

Read more about Ransomware: https://www.civilsdaily.com/op-ed-snap-held-to-ransomware/

 

 

Nov, 17, 2017

[op-ed snap] The rise of the bots

Note4students

Mains Paper 3: Science & Technology | Awareness in the fields of IT, Space, Computers, robotics, nano-technology, bio-technology

From UPSC perspective, the following things are important:

Prelims level: Web crawlers, Malicious bot, Artificial intelligence, Siri, Alexa, Cortana

Mains level: Rising level of automation and its effects on jobs as well as overall economy


Context

What are bots?

  1. A bot is a computer programme designed to work automatically
  2. It is mainly used to gather information on the Internet or perform repetitive jobs

Are they good or bad?

As with every technology, there are two sides to bots as well

  • Positives
  1. Gathering information: Bots in such guises are called web crawlers
  2. Another good use is automatic interaction using instant messaging, instant relay chat or other web interfaces
  3. Dynamic interaction with websites is yet another way bots are used for positive purposes
  • Negatives
  1. Malicious bot: Self-propagating malware that infects its host and connects back to a central server(s)
  2. Malicious bots can gather passwords, log keystrokes, obtain financial information, relay spam, and exploit back doors opened by viruses and worms, among other things
  3. Bots have also come under scrutiny in relation to automated accounts on Twitter and Facebook

Use of ‘Good’ bots

  1. Artificial intelligence-based bots are increasingly being used by organizations and entities to provide customer care, and sales and marketing services
  2. Some popular examples of bots are Apple’s Siri, the Google Assistant, Amazon’s Alexa and Microsoft’s Cortana

How do you know your computer is infected?

Symptoms mentioned below may indicate that your system is infected

  1. Slow Internet
  2. Crashing of computer for no apparent reason
  3. Pop-up windows and advertisements appearing even when a web browser is not being used
  4. Friends and family receiving emails you did not send
  5. A fan going into “overdrive” when the device is idle
Oct, 26, 2017

Legal steps to guard digital payments

Note4students

Mains Paper 3: Basics of cyber-security

The following things are important from UPSC perspective:

Prelims: CERT-In.

Mains: This article discusses the rising trend in financial frauds post-demonetization.


News

Context

  1. The Home Ministry has asked banks and e-wallet firms to furnish details of the extent of financial fraud reported in the past one year as digital transactions picked up post demonetization.
  2. The use of mobile wallets and online transactions has spiked since then.
  3. The Ministry convened a high-level committee to understand the extent of technological misuse and financial frauds committed through digital means.
  4. The Centre is planning to bring changes to the law to check frauds in the financial sector.

What does the data say?

  1. Representational data available with the RBI show that the value of prepaid payment instruments increased from Rs. 1,320 crore in November 2016 to Rs. 2,760 crore in September 2017.
  2. By an estimate of security agencies, nearly 10,000 fraud transactions are being reported every month through e-wallet platforms.
  3. Pre-demonetisation, the figure stood at 4,000.
  4. Approximately 45 lakh cybersecurity attacks were observed in the past three years.
  5. Information reported to, and tracked by, the Indian Computer Emergency Response Team (CERT-In) shows an increase in cybersecurity incidents.

Going unnoticed

  1. The extent of fraud is not known because many people do not report it as in some cases it is a small amount.
  2. The banks and e-wallet firms have been asked to furnish data on the way it was being done.

 

The government has reviewed the preparedness of agencies to check financial cybercrimes, and asked security agencies to strengthen surveillance and legal frameworks to check the menace.


Back2basics

CERT-In (Indian Computer Emergency Response Team)

  1. It is a government mandated security organization.
  2. CERT-In was created by the Indian Department of Information Technology in 2004 and operates under the auspices of that department.
  3. According to the provisions of the Information Technology Amendment Act 2008, CERT-In is responsible for overseeing administration of the Act.
  4. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country.
  5. The Indian Computer Emergency Response Team (CERT-In) has signed cooperation pacts with its counterparts in various nations like in Malaysia, Singapore, Japan, UK etc. for cyber security.
  6. The Memoranda of Understanding (MoUs) will promote closer cooperation for exchange of knowledge and experience in detection, resolution and prevention of security-related incidents.
Sep, 27, 2017

Centre backs local cybersecurity tech

Note4students

Mains Paper 3: Internal Security | Basics of cyber security

From UPSC perspective, the following things are important:

Prelims level: Read the attached story

Mains level: Important decision taken by the government. Also, the topic is specially mentioned in the syllabus, and is therefore, very important for the exam.


News

New Policy

  1. The government will soon announce a policy that accords preference in official procurement to ‘Made in India’ antivirus and cybersecurity solutions
  2. Why: To promote domestic technology and prevent data theft by foreign entities
  3. Preference for domestic products would also be given for cybersecurity products used by intelligence agencies

Draft notification by the Ministry of Electronics and Information Technology (MeitY)

  1. MeitY has issued a draft notification which states “preference shall be provided by all procuring entities to domestically manufactured/produced cybersecurity products”
  2. The notification will cover all products and software used for maintaining confidentiality, availability and integrity of information by protecting computing devices from attack, damage, or unauthorized access

Who is a ‘local supplier’? (according to the notification)

  1. The draft notification has defined ‘local supplier’ as a company incorporated and registered in India
  2. It adds that revenue from the product and revenue from Intellectual Property licensing should accrue to the company
Sep, 21, 2017

Govt plans Bill with more teeth to tackle cyber crimes

Note4Students

Mains Paper 3: Basics of cyber security

The following things are important from UPSC perspective:

Prelims: Inter Ministerial Committee.

Mains level: Steps being taken by the government to tackle rising number of cyber attacks post demonetization.


News

Context

Post-demonetization, a spurt in the number of cyber crimes has been observed:

  1. In 2016-17, 998 crore digital transactions were reported as compared to 552 crore in 2015-16 and 369 crore in 2014-15.
  2. As many as 1,44,496 cyber security attacks have been observed in the country in the past three years.
  3. In December last year, the CBI registered multiple FIRs after e-wallet company Paytm filed a complaint alleging that its customers were cheated to the tune of Rs 9.41 lakh soon after demonetisation.
  4. According to RBI data made available to the MHA, as many as 16,468 complaints related to ATM fraud, debit and credit card misuse and net banking hacking were filed with them in 2015-16 as compared to 13,083 in 2014-15.

So, in order to tackle these problems, the government plans to bring a digital payment Bill to strengthen legal framework and enhance surveillance to check cyber crimes in the financial sector, including frauds targeting cards and e-wallets.

  1. An inter-ministerial committee headed by the home minister will be set up to first study existing laws to deal with cyber crimes and then propose new legislation.
  2. The inter-ministerial panel will have representatives from the RBI, financial services, ministry of electronics and information technology, Delhi police and the National Cyber Security Coordinator.
  3. The proposed legislation will not only deal with punishment and fine but it will also have measures to fix responsibility in cases where digital transactions land in any dispute.
  4. The Home Minister directed all agencies concerned to take required measures in a time-bound manner and emphasized the coordination of all agencies in this regard.

Way Forward

To contain the rising number of cyber attacks:

  • Capacity building of various stakeholders, such as police, judicial officers, forensic scientists as well as officials in the banking sector, should be focused upon, and both legal and technological steps need to be taken to address the problem.

 

Aug, 17, 2017

Post data leakage reports: Govt seeks data security details from mobile makers

Note4students

Mains Paper 2: Governance | Government policies and interventions for development in various sectors and issues arising out of their design and implementation.

From UPSC perspective, the following things are important:

Prelims level: CERT

Mains level: Strategically important step by government.


News

Direction to prevent leakage of data

  1. The Indian Computer Emergency Response Team (CERT-In) has written to all 21 smartphone manufacturers operating in the country, including Chinese firms
  2. Why: To seek details of safety and security practices, architecture, frameworks, and standards put in place by manufacturers
  3. It is done to prevent leakage of data from handsets used by consumers

Objective of the exercise

  1. Through this exercise the government aims to scrutinise hardware components as well as preloaded software and apps to find potential loopholes

Why this step?

  1. The step has been implemented due to various cases of contacts and text messages being leaked in India as well as abroad
  2. According to government officials, further steps could be taken to contain the overall threat arising from “increasing Chinese business interest” in India
  3. The government is also undertaking a review of import of electronics and other IT products from China on account of fears about security and data leakages
Nov, 12, 2016

Centre unveils steps to boost cybersecurity

  1. What: In an attempt to strengthen cyber security in India, the government on Friday announced a slew of measures
  2. Measure: All organisations having a significant IT infrastructure will need to appoint cyber security officers
  3. Cert-In is being strengthened
  4. State Certs are being planned by Maharashtra, Tamil Nadu, Telangana, Kerala and Jharkhand
  5. Three sectoral Certs in power sector — generation, transmission and distribution, have been set up, in addition to the banking one
  6. Further, a National cyber coordination center is being set up to provide near real time situational awareness and rapid response at a cost of Rs 985 crore
Oct, 21, 2016

Customers must be doubly vigilant: Security experts

  1. Event: India has been hit by one of its biggest financial security breaches compromising hundreds of thousands of debit cards
  2. Who bears the loss: According to experts, all banks are intermediaries under the Income Tax Act
  3. Under Section 79 of the Act they are mandated to do due diligence
  4. In case banks are negligent in doing this, leading to a loss, it is the banks that will have to bear the brunt of the loss
  5. But a bank may not be liable if it asks the customer to change his or her PIN but the customer chooses to ignore the advice
Oct, 20, 2016

RBI asks banks to replace 17.5 lakh debit cards

  1. The RBI has asked banks to replace debit cards whose security is suspected to have been compromised after being used in some ATMs
  2. The issue was first suspected by payment gateways such as Visa, Mastercard and Rupay
  3. Cards falling in the suspicious category and needing replacement would number about 17.5 lakh
  4. Debit cards and credit cards face security issues when unauthorised parties access confidential details embedded in the card
  5. Such access could happen even as the card is being used in an ATM
Sep, 28, 2016

[op-ed snap] Towards a database nation

  1. Theme: An increase in surveillance measures by the government without appropriate public debate.
  2. Surveillance Measures and information databases in question: The Central Monitoring System, The National Intelligence Grid and the Aadhaar.
  3. The Central Monitoring System (CMS) is scanning citizens’ communication in real time in Delhi and Mumbai and its reach will be expanded gradually.
  4. CMS enables law enforcement agencies to get near real-time access to intercepted communication without the involvement of the telecommunications service provider.
  5. This raises concerns of potential surveillance excesses by the government and private information of citizens falling in the wrong hands. But this system has never been discussed meaningfully with the public, and no efforts have been made to explain what safeguards prevent its misuse.
  6. The National Intelligence Grid (NATGRID) which links multiple government databases will be operational next year. NATGRID is classified among the ‘intelligence and security’ organisations and is exempted from the Right to Information Act.
  7. Also, it is not known whether Aadhaar, with its access to citizens’ biometric identification and its connection with various databases like banking, health, etc., will be a part of NATGRID.
  8. Additionally, various critical services have been made contingent on Aadhaar numbers.
  9. Also, it does not offer adults a way to withdraw consent and does not offer the next generation the opportunity to reverse their parents’ decisions.
  10. There is no mechanism/obligation on the part of government to inform the concerned citizens when their data is breached.
  11. There is no clarity on security of these databases despite major data breaches having been reported from entities ranging from the U.K. government to Adobe, Sony and Ashley Madison.
  12. Also, there has been no discussion on the consequences of a data breach.
Sep, 16, 2016

Setting computers to IST is just a matter of time

  1. What? CSIR has formally proposed to the Central government that all Indian computers be legally required to synchronise their clocks to the IST
  2. Globally: All countries require their computer infrastructure to synchronise to their local times
  3. Why? The time displayed on laptops or smartphones is derived from multiple American servers & is a few seconds off from the actual Indian time
  4. The frequent mismatches in the time stamps make it harder for Indian cyber security experts to investigate Internet-perpetrated frauds

Discuss: Who defines the Indian Standard Time (IST)?

Aug, 26, 2016

Cybercrimes have risen 4-fold in 3 years

  1. Study: ‘Protecting Interconnected Systems in the Cyber Era’ by PwC and Assocham
  2. Findings: The number of cybercrime cases registered in India has risen by 350% in the three-year period from 2011 to 2014
  3. Earlier, attacks have been mostly initiated from countries such as the U.S., Turkey, China, Brazil, Pakistan, Algeria, Turkey, Europe, and the UAE
  4. However, with the growing adoption of the Internet and smart-phones, India has emerged as one of the favourite countries among cyber criminals
  5. Cyber attacks around the world are occurring at a greater frequency and intensity
  6. A new breed of cyber criminals has now emerged, whose main aim is not just financial gains but also causing disruption and chaos to businesses in particular and the nation at large
  7. Attackers can gain control of vital systems such as nuclear plants, railways, transportation or hospitals that can subsequently lead to dire consequences
Mar, 11, 2016

Cabinet approves cyber security deal with UAE

  1. News: MoU signed between India and United Arab Emirates (UAE) on Technical Cooperation in Cyber Space and Combating Cyber-Crime
  2. Objective: To cooperate in combating cybercrime in the wake of the serious security threat posed by it to safety of people
  3. Cooperation in: cyber space and combating cyber-crime in all forms, particularly through coordination and exchange of information in relation with cyber crime
  4. Nodal Agency: Ministry of Home Affairs (MHA)
Feb, 26, 2016

Project Shield to protect news sites from attacks

  1. Context: Google said it will open its ‘Project Shield’ technology to protect news sites and portals
  2. Aim: Shield portals related to human rights from attacks that threaten free expression and access to information
  3. Debate: The move comes at a time when there is a raging debate globally about freedom of expression for media firms & around privacy and security in the era of social media
Feb, 18, 2016

U.S. had cyber-attack plans for Iran’s Fordo

  1. Context: In early years, the US developed an elaborate plan for a cyber-attack on Iran in case the diplomatic effort to limit its nuclear programme failed and led to a military conflict
  2. The Plan: Code-named Nitro Zeus, it was designed to disable Iran’s air defences, communications systems and key parts of its power grid
  3. Relevance: Nitro Zeus was part of an effort to assure President Obama that he had alternatives, short of a full-scale war, if Iran lashed out at the US or its allies in the region
  4. Cyber Plan: To disable the Fordo nuclear enrichment site, which Iran built deep inside a mountain near the city of Qum
  5. Importance of Fordo: It is considered one of the hardest targets in Iran, buried too deep for all but the most powerful bunker-buster in the U.S. arsenal
Feb, 11, 2016

Obama launches cyber-security ‘action plan’

  1. The president has called for an overhaul of aging government networks and a high-level commission to boost security awareness
  2. The announcement responds to an epidemic of data breaches and cyber attacks on both government and private networks in recent years
  3. Under this plan, Mr. Obama has asked for $19 billion for cyber-security efforts, a 35% increase from current levels, with $3 billion earmarked to help modernise the patchwork of computer systems used in government agencies
  4. An executive order for creating a 12-member cyber-security commission to make recommendations to both the public and private sectors has also been issued
Jan, 28, 2016

CERT-In signs cyber security pacts with 3 nations

  1. CERT-In is the nodal agency responsible for dealing with cyber security threats.
  2. The Indian Computer Emergency Response Team (CERT-In) has signed cooperation pacts with Malaysia, Singapore and Japan for cyber security.
  3. The MoUs will promote closer cooperation for exchange of knowledge and experience in detection, resolution and prevention of security-related incidents.
Jan, 11, 2016

India to hire US, Israel cyber security firms for terror intel

The aim is to plug the holes in our cyber security apparatus.

  1. India to monitor communication between terror modules, block content meant for radicalising youths.
  2. India and Israel are working on a mechanism to encourage start‐ups from both countries to work on cyber security solutions.
  3. Indian cyber security market is still at a nascent stage – Rs. 1,500 Cr while Israel is the biggest player followed by US.
Dec, 28, 2015

Cyber security is no longer just about protection

  1. The nature and scale of threats organisations are facing have changed the dimensions of cyber security.
  2. It’s no longer about protection alone, but also about hunting down new malware.
  3. The industry has moved from protection to a threat defence lifecycle, which involves protection, detection and correction.
Nov, 20, 2015

Cybercrime hit half of India’s Net users: study

  1. The security services firm Norton says that nearly half of India’s netizens were affected by cyber-crime during the past year.
  2. Despite the threat of cybercrime in India, it hasn’t led to widespread adoption of simple protection measures to safeguard information online.
  3. There are only 41% people who use a secure password, despite the concerns towards cybercrime.
  4. Besides the financial loss, there is an emotional impact as well.
Aug, 08, 2015

India follows global trends in taking on cyber attacks


 

  1. The trend in increase in cyber attacks on Indian computer networks is similar to that worldwide.
  2. Most of these attacks originate from countries such as the U.S., Pakistan, China and Bangladesh.
  3. In case of an attack, CERT-In notifies the organisation concerned regarding the cyber attacks and requests for logs of network devices, servers and other related components for analysing the attacks and identifying sources of attack.
  4. CERT-In (the Indian Computer Emergency Response Team) is a govt. mandated IT security organization to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country.
Jun, 19, 2015

MHA nod for cyber security wing under IB

  1. Creation of “cyber-security architecture” within the Intelligence Bureau (IB) that will work independently of the National Technical Research Organisation (NTRO), which works under the Prime Minister’s Office (PMO).
  2. In the past, it has been seen that cyberspace was used to recruit young people to join terrorist outfits like IS.
  3. The threat emanating from this medium is imminent and we require a dedicated team to crackdown on it.
Apr, 26, 2015

A Cyber Wing in the National Cadet Corps

  1. The 2014 Annual Security Report reveals that 2013 was a ‘particularly bad year’ with cumulative annual threat alert levels increasing by 14% since 2012.
  2. The writer explores the possibility of creation of a ‘Cyber Wing’ in each of the 4 divisions of the NCC in India.
  3. The motto of the NCC is Unity and Discipline.
  4. The cadets must be given encouragement by way of financial rewards, recognition, scholarships for further studies in cyber security.
  5. With programmes like Digital India, National Optical Fibre Network, e-Governance, e-commerce and e-Services, our vulnerability in cyberspace cannot be condoned.
Apr, 03, 2015

Gulshan Rai takes charge as India’s first cyber security chief

  1. This new post was created in PMO and Rai is its first head.
  2. Prior to this appointment, he was Director-General Computer Emergency Response Team (CERT) at the Department of Electronics and Information Technology (DeitY).
  3. He also heads the E-Security and Cyber Law division in the Union Ministry of Communications and Information Technology.