Cyber Security – CERTs, Policy, etc

The epoch of cyberweapons

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Zero day vulnerability

Mains level : Paper 3- Cyberwarfare-Fifth dimension

Context

The controversy over the use of Pegasus spyware for snooping highlights the threats posed by cyber-weapons.

The emergence of the cyber weapons epoch

  • Cyberattacks on institutions such as banks and on critical infrastructure have proliferated to an alarming extent, signaling the emergence of the cyber weapon epoch.
  • Privacy has been eroded and the Internet has become a powerful weapon in the hands of those seeking to exploit its various facets.
  • Fifth dimension of warfare: Cyber is often touted as the fifth dimension of warfare — in addition to land, sea, air and space.

The domain of everyday life

  • Cyber, as the domain of military and national security, also co-exists with cyber as a domain of everyday life.
  • The war is no longer out there.
  • It is now directly inside one’s drawing-room, with cyberweapons becoming the weapon of choice.
  • Israelis today dominate the cyber domain along with the Chinese, Russians, Koreans and, of course, the Americans.
  • The linkage between sabotage and intrusive surveillance is but a short step.

Cyberattacks during the past decades

  • The devastating 2007 cyberattack on Estonia’s critical infrastructure was followed a few years later by the Stuxnet worm attack on Iran’s nuclear facility.
  • The Shamoon virus attack on Saudi Aramco occurred in 2012.
  • In 2016, a cyberattack occurred on Ukraine’s State power grid; in 2017 there was a ransomware attack (NotPetya) which affected machines in as many as 64 countries.
  • The United Kingdom’s National Health Service fell prey to the WannaCry attack the same year.
  • This year, a series of attacks hit Ireland’s health care system and targets in the United States, among them ‘SolarWinds’ and the cyberattacks on Colonial Pipeline and JBS.

What are the threats posed by cyberattacks?

  • Cyberweapons carry untold capacity to distort systems and structures — civilian or military.
  • Cyberweapons also interfere with democratic processes, aggravate domestic divisions and, above all, unleash forces over which established institutions or even governments have little control.
  • As more and more devices are connected to networks, the cyber threat is only bound to intensify, both in the short and the medium term.
  • What is especially terrifying is that instruments of everyday use can be infected or infiltrated without any direct involvement of the target.
  • The possibilities for misuse are immense and involve far graver consequences to an individual, an establishment, or the nation.
  • It is not difficult to envisage that from wholesale espionage, this would become something far more sinister such as sabotage.

Way forward

  • Deeper understanding: Dealing with ‘zero day’ vulnerabilities requires far more thought and introspection than merely creating special firewalls or special phones that are ‘detached’ from the Internet.
  • Recognising the mindset: What is needed is a deeper understanding of not only cyber technologies, but also recognising the mindsets of those who employ spyware of the Pegasus variety, and those at the helm of companies such as the NSO.
  • Short-term remedies are unlikely to achieve desired results.
  • No use of AI: Artificial Intelligence (AI) is often seen as a kind of panacea for many of the current problems and ills, but all advances in technology tend to be a double-edged sword.
  • If truth be told, AI could in turn make all information warfare — including cyber related — almost impossible to detect, deflect or prevent, at least at the current stage of development of AI tools.

Conclusion

All this suggests that security in the era of ever-expanding cyberweapons could become an ever-receding horizon.


Back2Basics: Zero-day vulnerability

  • The term “zero-day” refers to a newly discovered software vulnerability.
  • Because the developer has just learned of the flaw, it also means an official patch or update to fix the issue hasn’t been released.
  • So, “zero-day” refers to the fact that the developers have “zero days” to fix the problem that has just been exposed — and perhaps already exploited by hackers.

Back in news: Pegasus Spyware

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Pegasus

Mains level : WhatsApp snooping

Telephone numbers of some noted Indian journalists were successfully snooped upon by an unidentified agency using Pegasus software.

Pegasus Spyware

  • All spyware do what the name suggests — they spy on people through their phones.
  • Pegasus works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
  • A presumably newer version of the malware does not even require a target user to click a link.
  • Once Pegasus is installed, the attacker has complete access to the target user’s phone.
  • The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.

What is the new threat?

  • Pegasus has evolved from its earlier spear-phishing methods using text links or messages to ‘zero-click’ attacks which do not require any action from the phone’s user.
  • This has made what was without a doubt the most powerful spyware out there more potent and almost impossible to detect or stop.

How do zero-click attacks work?

  • A zero-click attack helps spyware like Pegasus gain control over a device without human interaction or human error.
  • Zero-click attacks are hard to detect given their nature and hence even harder to prevent.
  • Detection becomes even harder in encrypted environments where there is no visibility on the data packets being sent or received.
  • Most of these attacks exploit software that receives data before it can determine whether the incoming data is trustworthy, such as an email client.

Answer this PYQ from CSP 2018:

Q. The terms ‘WannaCry, Petya, Eternal Blue’ sometimes mentioned in the news recently are related to

(a) Exoplanets

(b) Crypto currency

(c) Cyber attacks

(d) Mini satellites

New online platform maps Pegasus spread

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Pegasus

Mains level : WhatsApp snooping

An online database about the use of the spyware Pegasus was recently launched by Forensic Architecture, Amnesty International and the Citizen Lab to document attacks against human rights defenders.

What is Pegasus?

  • Last year, one of the biggest stories that broke into cyberspace was WhatsApp’s reports that 1,400 of its users were hacked by Pegasus, a spyware tool from Israeli firm NSO Group.
  • All spyware do what the name suggests — they spy on people through their phones.
  • Pegasus works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
  • A presumably newer version of the malware does not even require a target user to click a link.
  • Once Pegasus is installed, the attacker has complete access to the target user’s phone.

Why is Pegasus dangerous?

  • What makes Pegasus really dangerous is that it spares no aspect of a person’s identity. It makes older techniques of spying seem relatively harmless.
  • It can intercept every call and SMS, read every email and monitor each messaging app.
  • Pegasus can also control the phone’s camera and microphone and has access to the device’s location data.
  • The app advertises that it can carry out “file retrieval”, which means it could access any document that a target might have stored on their phone.

Global Cybersecurity Index 2020

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Global Cybersecurity Index

Mains level : Cyber security challenges for India

India has made it to the top 10 in Global Cybersecurity Index (GCI) 2020 by ITU, moving up 37 places to rank as the tenth best country in the world on key cybersafety parameters.

Global Cybersecurity Index

  • GCI assessment is done on the basis of performance on five parameters of cybersecurity including legal measures, technical measures, organizational measures, capacity development, and cooperation.
  • The performance is then aggregated into an overall score.
  • For each of the five aspects, all the countries’ performance and commitment are assessed through a question-based online survey, which further allowed for the collection of the supporting evidence.

India’s progress

  • As per the ranking, India has moved up by 37 places to rank as the tenth best country in the world.
  • The US topped the chart, followed by the UK and Saudi Arabia tied on the second position, while Estonia was ranked third in the index.
  • India has also secured the fourth position in the Asia Pacific region, underlining its commitment to cybersecurity.

Its significance

  • The affirmation by the UN body of India’s efforts on cybersecurity comes just ahead of the sixth anniversary of Digital India on July 1.
  • India is emerging as a global IT superpower, asserting its digital sovereignty with firm measures to safeguard data privacy and online rights of citizens.

Back2Basics: International Telecommunication Union

  • ITU is the United Nations specialized agency for information and communication technologies – ICTs.
  • It was founded in 1865 to facilitate international connectivity in communications networks and is headquartered in Geneva, Switzerland.
  • It allocates global radio spectrum and satellite orbits, develops the technical standards that ensure networks and technologies seamlessly interconnect, and strives to improve access to ICTs to underserved communities worldwide.
  • Recently, India got elected as a member of ITU Council for another 4-year term – from 2019 to 2022. India has remained a regular member since 1952.

Cyberattacks reveal vulnerabilities in critical infrastructures

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Ransomware

Mains level : Paper 3- Threat of cyberattacks

The article highlights the threat posed by cyberattacks to our critical infrastructure and suggests ways to deal with the ever-evolving threat.

Civilian targets of cyberattacks

  • Several high-profile cyberattacks were reported from the United States during the past several months.
  • These attacks were all primarily on civilian targets, though each one was of critical importance.
  • Obviously cyber, which is often referred to as the fifth domain/dimension of warfare, is now largely being employed against civilian targets.
  • Most nations have been concentrating till date mainly on erecting cyber defences to protect military and strategic targets, but this will now need to change.

Challenges

  • Defending civilian targets, and more so critical infrastructure, against cyberattacks such as ransomware and phishing is almost certain to stretch the capability and resources of governments across the globe.
  • The distinction between military and civilian targets is increasingly getting erased and the consequences of this could be indeterminate.
  • In the civilian domain, two key manifestations of the ‘cat and mouse game’ of cyber warfare today are ransomware and phishing, including spear phishing.
  • Banking and financial services were most prone to ransomware attacks till date, but oil, electricity grids, and lately, health care, have begun to figure prominently.
  • Ransomware attacks have skyrocketed, with demands and payments going into multi-millions of dollars.
  • India figures prominently in this list, being one of the most affected.
  • Compromised ‘health information’ is proving to be a vital commodity for use by cybercriminals.
  • All indications are that cybercriminals are increasingly targeting a nation’s health-care system and trying to gain access to patients’ data.
  • The available data aggravates the risk not only to the individual but also to entire communities.
  • Cybercriminals are becoming more sophisticated, and are now engaged in stealing sensitive data in targeted computers before launching a ransomware attack.
  • Also, today’s cybercriminals, especially those specialising in ransomware and similar attacks, are different from ordinary criminals.
  • Many are known to practise ‘reverse engineering’ and employ ‘penetration testers’ to probe highly secure networks.

Way forward

  • It has become extremely vital for businesses to be aware of the nature of the cyber threat they face and to take adequate precautionary measures.
  • Cybersecurity essentially hinges on data protection.
  • As data becomes the world’s most precious commodity, attacks on data and data systems are bound to intensify.
  • With mobile and cloud computing expanding rapidly, cybersecurity professionals are now engaged in building a ‘Zero Trust Based Environment’, viz., zero trust on end point devices, zero trust on identity, and zero trust on the network to protect all sensitive data.
  • Building deep technology in cyber is essential.
  • New technologies such as artificial intelligence, machine learning and quantum computing also present new opportunities.
  • Pressure also needs to be put on officials in the public domain, as also company boards, to carry out regular vulnerability assessments and create necessary awareness of the growing cyber threat.

Consider the question “Several high-profile cyberattacks across the world have exposed vulnerabilities in the critical infrastructure of even advanced nations. In light of this, examine the challenges posed by cyberattacks and suggest measures to deal with these challenges.” 

Conclusion

The threat posed by the cyberattacks highlights the need for improved defences against actual, and potential, cyberattacks by all countries across continents.

What is Fastly Internet Outage?

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Content delivery network (CDN)

Mains level : Need for data localization

Several big websites around the world went down for about half an hour because of a major issue with the content delivery network (CDN) of American cloud computing services provider Fastly.

Global internet outage: Which websites were affected?

  • com, Reddit, Twitch, Spotify, Pinterest, Stack Overflow, GitHub, gov.uk, Hulu, HBO Max, Quora, PayPal, Vimeo and Shopify are some of the big names.
  • Prominent news websites impacted were the Financial Times, the Guardian, the New York Times, CNN, and Verge, to name some.
  • Most users would have seen a 503 error when trying to access these websites, indicating that the browser was not able to access the server.

What is Fastly?

  • Fastly is a cloud computing services provider that offers CDN, edge computing and cloud storage services.
  • All of its geographies, including the three stations it has in India — Chennai, Mumbai and New Delhi — were suffering from “Degraded Performance”.

What is a CDN?

  • A CDN refers to a geographically distributed group of servers that work together to provide fast delivery of Internet content.
  • They house content close to the telecom service providers’ networks.
  • The majority of web traffic across the world today is routed through CDNs.
  • Platforms such as Netflix, Facebook, Amazon — ones with large quantities of data held in global libraries — host their geographically relevant content closer to where that content is to be consumed.
  • This ensures the end customer is able to access the content faster.
  • Another reason companies rely on these CDNs is to help protect their sites against traffic spikes, distributed denial of service (DDoS) attacks, etc.

The march towards an equitable data economy

Note4Students

From UPSC perspective, the following things are important :

Prelims level : GDPR

Mains level : Paper 3- Data governance

The article explains the data governance norms we need to adopt to secure better societal outcomes.

WhatsApp privacy issue

  • New terms of service circulated by WhatsApp caused a stir among users.
  • It informed users that data about chats with business accounts would be shared with Facebook.
  • These policies seemed unfair to India as they were not applicable to the European Union (EU), given their strong data protection policies.

Acceptable levels of data exchange

  • Default norms provide power to the tech platforms to collect, analyse and monetize data with complete control.
  • This undergirds business models that seem undesirable for society—with harms to privacy and free speech.
  • Global discussions about alternatives to the “exchange of data for free services” are becoming nuanced.

3 Norms in the data governance

1) Recognition of individual and collective rights related to data

  • It was generally accepted that extraction of data to access free services was a fair exchange with individuals.
  • The emergence of existential threats related to privacy and democracy has highlighted the role of guaranteeing human and civil rights.
  • There has been significant global progress through regulations on individual data rights.
  • A United Nations Conference on Trade and Development (UNCTAD) report claims that 128 of 194 countries have put in place legislations for data protection and privacy.
  • However, this protection is insufficient as it is centered on individuals and does not account for safety of groups.
  • The next wave of data governance ideas will seek to protect against collective harms and build on the foundation of individual agency and control.

2) Data sovereignty

  • One-size-fits-all global norms of data governance are changing and being replaced by region-specific ideas.
  • Greater acceptance for “data sovereignty” assertions across India and Europe is a welcome shift towards crafting governance that is respectful of local nuances and inclusive of civic participation.
  • The EU general data protection regulation (GDPR) had created an early lighthouse example.
  • On the other hand, the US has adopted a light regulation approach—there is no comprehensive country-wide data protection law.
  • Closer home, India is finalizing the contours of a country-wide and cross-sector personal data protection bill, which reflects local norms.

3) Value creation for all stakeholders

  • So far, data economy has operated in a completely unregulated space, creating a “winner takes all” market, with concentrated profits and little contribution to local taxes.
  • A healthy economy requires value creation for all stakeholders.
  • As tech platforms take up the profitable role of acting as the gateway to all information and social connections, they have a greater accountability and responsibility to contribute to the economy.
  • India’s digital tax through the 2% “equalization levy” is an attempt to make the tech giants pay for revenues earned in India.

Consider the question “What should be norms of data governance we must adopt for achieving better societal outcomes?”

Conclusion

Formal adoption of regulations and setting up of enforcement institutions will lead to meaningful progress in the right direction.

Why the Personal Data Protection Bill matters

Note4Students

From UPSC perspective, the following things are important :

Prelims level : IT Act 2000

Mains level : Paper 3- Personal Data Protection Bill and related issues

The existing data protection framework based on IT Act 2000 falls short on several counts. The Personal Data Protection Bill seeks to deal with the shortcomings in it. The article explains how the two differ.

Need for new data protection regime

  • The need for a more robust data protection legislation came to the fore in 2017 post the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd) v. Union of India.
  • In the judgment, the Court called for a data protection law that can effectively protect users’ privacy over their personal data.
  • Consequently, the Committee of Experts was formed under the Chairmanship of Justice (Retd) B.N. Srikrishna to suggest a draft data protection law.
  • The Personal Data Protection Bill, 2019, in its current form, is a revised version of the draft legislative document proposed by the Committee.

Issues with the existing data protection framework

  • The Information Technology Act, 2000 governs how different entities collect and process users’ personal data in India.
  • However, entities could override the protections in the regime by taking users’ consent to processing personal data under broad terms and conditions.
  • This is problematic given that users might not understand the terms and conditions or the implications of giving consent.
  • Further, the frameworks emphasise data security but do not place enough emphasis on data privacy.
  • As a result, entities could use the data for purposes different to those that the user consented to.
  • The data protection provisions under the IT Act also do not apply to government agencies.
  • Finally, the regime seems to have become antiquated and inadequate in addressing risks emerging from new developments in data processing technology.

How the new regime under Data Protection Bill 2019 is different

  • First, the Bill seeks to apply the data protection regime to both government and private entities across all sectors.
  • Second, the Bill seeks to emphasise data security and data privacy.
  • While entities will have to maintain security safeguards to protect personal data, they will also have to fulfill a set of data protection obligations and transparency and accountability measures.
  • Third, the Bill seeks to give users a set of rights over their personal data and means to exercise those rights.
  • Fourth, the Bill seeks to create an independent and powerful regulator known as the Data Protection Authority (DPA).
  • The DPA will monitor and regulate data processing activities to ensure their compliance with the regime.

Concerns

  • Under clause 35, the Central government can exempt any government agency from complying with the Bill.
  • Similarly, users could find it difficult to enforce various user protection safeguards (such as rights and remedies) in the Bill.
  • For instance, the Bill threatens legal consequences for users who withdraw their consent for a data processing activity.
  • Additional concerns also emerge for the DPA as an independent effective regulator that can uphold users’ interests.

Consider the question “What are the issues with the present framework in India for data and privacy protection? How does the Personal Data Protection Bill seek to address these issues?”

Conclusion

The Joint Parliamentary Committee that is scrutinising the Bill is expected to submit its final report in the Monsoon Session of Parliament in 2021. Taking this time to make some changes in the Bill targeted towards addressing various concerns in it could make a stronger and more effective data protection regime.

Forestalling the cyber threats India faces

Note4Students

From UPSC perspective, the following things are important :

Prelims level : CERT-In

Mains level : Paper 3- Identifying the cyber threat

The article highlights the threat of a cyber attack on India’s critical infrastructure and suggests the need to take preventive measures.

Targeting the infrastructure

  • The U.S.-based cyber security firm Recorded Future revealed that the past blackout in Mumbai was linked to a cyber attack from China.
  • Recorded Future had also found an increase in malware attacks targeting the Indian government, defence organisations and the public sector.
  • It also found that, coinciding with Chinese incursions in Eastern Ladakh, certain Indian power facilities had been targets of a cyber attack.
  • This indicates that India’s key infrastructure facilities, such as the power sector, are now in the crosshairs of a hostile China.
  • Indian government agencies, such as the National Critical Information Infrastructure Protection Centre (NCIIPC) and the Indian Computer Emergency Response Team (CERT-In), need to be on their guard.

Exploiting vulnerabilities

  • China’s cyber offensive is directed against many advanced nations as well.
  • In attempting this, what China is doing is essentially exploiting to perfection the many vulnerabilities that software companies (essentially those in the West) have deliberately left open (for offensive purposes at an opportune time).
  • Exploiting this loophole, and also turning matters on their head, it is companies in the western world that are now at the receiving end of such antics.
  • Chinese cyber espionage sets no limitations on targets.
  • Towards the end of 2020, and as the world prepared for large-scale deployment of COVID-19 vaccines, their attention was directed to vaccine distribution supply chains around the world.

Way forward

  • Nations should beware and be warned about how cyber attacks can bring a nation to its knees.
  • This was well demonstrated way back in 2016 through a major attack on Ukraine’s power grid.
  • The Ukraine example should be a wake-up call for India and the world, as in the intervening five years, the sophistication of cyber attacks and the kind of malware available have become more advanced.
  • India could well be blindsided by Chinese cyber attacks on critical infrastructure if the latter sets out to do so, unless prophylactic measures are taken in time.

Consider the question “Examine the threat posed by cyber attacks on critical information infrastructure. Suggest ways to deal with it.”

Conclusion

‘Cyber’ could well be one of China’s main threat vectors employed against countries that do not fall in line with China’s world view. Drawing up a comprehensive cyber strategy, one that fully acknowledges the extent of the cyber threat from China, has thus become an imperative and immediate necessity.

Critical information infrastructure

Note4Students

From UPSC perspective, the following things are important :

Prelims level : CERT-In

Mains level : Paper 3- Critical information infrastructure protection

The article underscores the threat of cyberattacks on the critical infrastructure and also suggests the steps to be taken to secure these infrastructures.

Cyberattack on the power grid

  • On October 12 last year, Mumbai plunged into darkness as the electric grid supply to the city failed.
  • Recently, a study by Massachusetts-based Recorded Future said that the Mumbai power outage could have been a cyberattack aimed at critical infrastructure.
  • It was carried out by the state-sponsored group Red Echo.
  • As recently as in February, the Centre’s nodal agency National Critical Information Infrastructure Protection Centre (NCIIPC) had reported concerted attempts by Red Echo to hack the critical grid network.
  • CERT-In is reported to have detected the ShadowPad malware in one of the largest supply chain attacks a month after the Mumbai outage.
  • Many of the suspected IP addresses identified by NCIIPC and CERT-In were the same and most have been blocked in time.
  • The Chinese focus in the past was stealing information and not projecting power, but the situation with India might be different.

Why critical infrastructures are so vulnerable

  • As many of these critical infrastructures were never designed keeping security in mind and always focused on productivity and reliability, their vulnerability is more evident today.
  • With devices getting more interconnected and dependent on the internet facilitating remote access during a pandemic, the security of cyber-physical systems has, indeed, become a major challenge for utility companies.

Critical information infrastructure protection

  • For more than a decade, there have been concerns about critical information infrastructure protection (CIIP).
  • In January 2014, the NCIIPC was notified to be the national nodal agency for CIIP and over these years has been working closely with the various agencies.
  • In January 2019, the government also announced a National Mission on Interdisciplinary Cyber-Physical Systems (NM-ICPS), with a budget of Rs 3,660 crore for the next five years, to strengthen the sector.

Way forward

  • Most ministries and departments need better budget allocations for cybersecurity as well as a more robust infrastructure, processes and audit system.
  • The Industrial Cybersecurity Standards (IEC 62443) launched by the Bureau of Indian Standards (BIS) have to be adopted soon.
  • For the power sector, a strong regulation on the lines of the North American Electric Reliability Critical Infrastructure Protection (NERC) policy could serve as a guide.

Consider the question “Discuss the importance of critical information infrastructure protection (CIIP). Also mention the steps taken by the government in this regard.”

Conclusion

Clearly, the incident is a wake-up call for better preparedness, with a more robust cyber security ecosystem in place. The new cyber security policy awaiting imminent announcement will hopefully cater to that.

China’s cyber eye and India

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Not Much

Mains level : Cyber attacks as China's tool

Amid souring relations between India and China last year, evidence has emerged that a Chinese government-linked company’s attempt led to a power outage in Mumbai yesterday and now in Telangana today.

Q. The use of cyber offensive tools and espionage is a fairly active element of the People’s Republic of China. Discuss in light of recent incidents of cyber attacks in India.

Red Echo & ShadowPad

  • On February 28, a Massachusetts-based firm published a report saying it had observed a steep rise in the use of resources like malware by a Chinese group called Red Echo.
  • It aimed to target “a large swathe” of India’s power sector.
  • It said 10 distinct Indian power sector organisations were targeted, including four Regional Load Despatch Centres (RLDCs) that are responsible for the smooth operation of the country’s power grid by balancing the supply and demand of electricity.
  • Red Echo used malware called ShadowPad, which involves the use of a backdoor to access servers.

India confirms cyber attack

  • The Ministry of Power has confirmed these attempts, stating it had been informed in November 2020 about the ShadowPad malware at some control centres.
  • The Ministry said it was informed of Red Echo’s attempts to target the country’s load despatch centres in February.
  • It had said “no data breach/data loss” had been detected due to the incidents.

What does it imply?

  • This is clearly something that is linked to China’s geopolitical interests.
  • It is established very clearly that the use of cyber offensive tools and espionage is a fairly active element of what the People’s Republic of China seems to be adopting and encouraging.
  • Even when they are not directly in charge of an offensive operation, they seem to be consistently encouraging actors to develop this capability.

PRC’s long term strategy

  • These cyber-attacks are seen as an attempt to test and lay the grounds for further operations in the future.
  • We need to remember that sometimes these offensive operations are carried out to distract people from other places that they might be targeting or other activities that might be occurring.
  • There was an increase in cyber offensive operations and incidents around the world in the second half of 2020 especially targeting the healthcare and vaccine space.
  • When vaccine companies are targeted, the motive could be competition.
  • The motivation behind Stone Panda’s attack against SII and Bharat Biotech’s IT systems was to extract the companies’ intellectual property and gain a competitive advantage.

Other such attacks: Stone Panda & vaccines

  • A Chinese hacker group known as Stone Panda had identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India.
  • These companies have developed Covaxin and Covishield, which are currently being used in the national vaccination campaign.
  • They are also in the process of testing additional Covid-19 vaccines that could add value to efforts around the world.


Sandes: the government’s new Instant Messaging Platform

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Sandes

Mains level : Secured instant messaging

The National Informatics Centre (NIC) has launched an instant messaging platform called Sandes on the lines of WhatsApp.  Open initially only to government officers, it has now been released for the common public as well.

Features of Sandes Platform

  • The instant messaging app, called Sandes, has an interface similar to many other apps currently available in the market.
  • Like WhatsApp, the new NIC platform can be used for all kinds of communications by anyone with a mobile number or email id.
  • Although there is no option to transfer the chat history between two platforms, the chats on government instant messaging systems or GIMS can be backed up to a user’s email.
  • It also offers features such as group making, broadcast message, message forwarding and emojis.
  • Further, as an additional safety feature, it allows a user to mark a message as confidential, which makes the recipient aware that the message should not be shared with others.

Why is such an instant messaging platform needed?

  • Following the nationwide lockdown, the government felt the need to build a platform to ensure secure communication between its employees as they worked from home.
  • The idea for a secure communication network dedicated exclusively to government employees has been in the works for the past four years.
  • In August 2020, the NIC released the first version of the app, saying that it could be used by both central and state government officials for intra- and inter-organisation communication.
  • The app was initially launched for Android users and then the service was extended to iOS users.

Limitations of the app

  • The limitation, however, is that the app does not allow the user to change their email id or registered phone number.
  • The user will have to re-register as a new user in case they wish to change their registered email id or phone number on the app.

Do you remember?

[Burning Issue] WhatsApp Snooping


What is NetWire Malware?

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Malwares

Mains level : Cyber attacks and the threats posed to national security

This newscard is an excerpt from the original article published in The Hindu.

Try this question from CSP 2018:

Q. The terms ‘WannaCry, Petya, Eternal Blue’ sometimes mentioned in the news recently are related to

(a) Exoplanets

(b) Crypto currency

(c) Cyber attacks

(d) Mini satellites

What is NetWire?

  • NetWire, which first surfaced in 2012, is a well-known malware.
  • It is also one of the most active ones around.
  • It is a remote access Trojan, or RAT, which gives control of the infected system to an attacker. Such malware can log keystrokes and compromise passwords.

Threats posed

  • This malware essentially does two things:
  1. One is data exfiltration, which means stealing data. Most anti-virus software is equipped to prevent this.
  2. The other involves infiltrating a system, and this has proven to be far more challenging for anti-virus software.
  • NetWire is described as an off-the-shelf malware, while something like Pegasus, which used a bug in WhatsApp to infiltrate users’ phones in 2019, is custom-made and sold to nations.

Back2Basics: Classification of malicious software

Viruses

  • A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program.
  • It spreads from one computer to another, leaving infections as it travels.
  • Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions.
  • Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program.
  • When the host code (alternative word for a computer program) is executed, the viral code is executed as well.

Ransomware

  • Ransomware is a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
  • While some simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion.
  • This encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.

Worms

  • Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage.
  • In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate.
  • To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them.
  • A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.
  • More advanced worms leverage encryption, wipers, and ransomware technologies to harm their targets.

Trojans

  • A Trojan is a harmful piece of software that looks legitimate.
  • After it is activated, it can carry out any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses).
  • Trojans are also known to create backdoors to give malicious users access to the system.
  • Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.
  • Trojans must spread through user interaction such as opening an email attachment or downloading and running a file from the Internet.

Bots

  • “Bot” is derived from the word “robot” and is an automated process that interacts with other network services.
  • Bots often automate tasks and provide information or services that would otherwise be conducted by a human being.
  • A typical use of bots is to gather information, such as web crawlers, or interact automatically with Instant Messaging (IM), Internet Relay Chat (IRC), or other web interfaces.
  • They may also be used to interact dynamically with websites.


New ideas needed for online privacy policies

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Data Protection Bill provisions

Mains level : Paper 3- Issues of informed consent to the online privacy policies

The article discusses challenges posed by online privacy policies and suggests some ideas to make them more user friendly.

Issues with online privacy policies

  • Such policies are not designed for easy reading.
  • These policies are full of legal jargon and most are difficult to read.
  • Most policies are exclusively in English, which is clearly inadequate in a country where no more than 12 per cent are comfortable with the language.
  • A human-centric study across India found that even people who couldn’t read or write, when made aware of what they were consenting to, cared deeply about it.
  • Online consent is, therefore, a false choice for most Indians.

Importance of consent in data ecosystem

  • Consent is also the fulcrum of India’s fast-growing data ecosystem.
  • The Data Protection Bill under consideration by Parliament lists consent as a legal ground for data processing.
  • Last year, NITI Aayog sought public comments on the Data Empowerment and Protection Architecture (DEPA), a system that will connect an individual’s financial, health, telecom and other data so that it can be moved from one provider to another.
  • DEPA intends to use consent to ensure that users remain in control of their data.

New ideas needed to give users greater control

1) Business as steward of consumer trust

  • Businesses need to become more responsible stewards of consumer trust.
  • Experiments suggest that making consumers read privacy policies by getting them to stay on the “privacy policy” page for a few minutes, led to increased trust in businesses and greater data sharing.
  • Businesses can adopt such ideas to make users trust them more.

2) Regulatory bodies need to guide consumers

  • Consumers do not have the time or knowledge to go through privacy policies.
  • The food regulator’s food safety certifications and the Bureau of Energy Efficiency (BEE)’s rating guides have become part of our everyday lives.
  • Similarly, a “privacy rating” for apps can help individuals make more informed choices about their data.
  • Such “rules of thumb” can help them cut through the jargon, trust businesses more and share more data.

3) Running awareness campaign

  • Governments and industry associations can play an enabling role by running innovative awareness campaigns that leverage local contexts, and relatable narrative styles.
  • The campaign should include awareness messages about logging off from public computers and not sharing phone numbers easily.

4) Some other ideas

  • The “burden of proof” on privacy should rest with providers rather than consumers.
  • Businesses should act as fiduciaries of user data and act in the best interest of the user rather than simply maximising profits.
  • Regulators can create a new class of intermediaries that warn consumers about dangerous practices, represent them, and seek recourse on their behalf.

Consider the question “What are the issues with the consent to the online privacy policies? Suggest the measures to give users greater control over their digital destinies.”

Conclusion

By educating and empowering every Indian, we will enable her to participate fully in India’s digital economy, and thereby create a meaningful digital life for every Indian. Only then will the true potential of Digital India be realised.


What is the SolarWinds Hack?

Note4Students

From UPSC perspective, the following things are important :

Prelims level : SolarWinds Hack

Mains level : Cyber attacks and the threats posed to national security

The ‘SolarWinds hack’, a cyberattack recently discovered in the US, has emerged as one of the biggest ever targeted against the US government, its agencies and several other private companies.

Do you know about the ‘Five Eyes’ group of nations?

Solar-Winds Hack

  • It was first discovered by US cybersecurity company FireEye, and since then more developments continue to come to light each day.
  • The US described the attacker as a highly sophisticated threat actor and called it a state-sponsored attack, although it did not name Russia.
  • It said the attack was carried out by a nation with top-tier offensive capabilities and the attacker primarily sought information related to certain government customers.

How dangerous is the attack?

  • This is being called a ‘Supply Chain’ attack.
  • Instead of directly attacking the federal government or a private organization’s network, the hackers target a third-party vendor, which supplies software to them.
  • Once installed, the malware gave a backdoor entry to the hackers to the systems and networks of SolarWinds’ customers.
  • More importantly, the malware was also able to thwart tools such as anti-virus that could detect it.

The deadliest cyber-attack ever in the US

  • The US Energy department which is responsible for managing America’s nuclear weapons is the latest agency to confirm that it has been breached in the SolarWinds cyber attack.


Five Eyes (FVEY) group of nations

Note4Students

From UPSC perspective, the following things are important :

Prelims level : ‘Five Eyes’ group of nations, End-to-end encryptions

Mains level : Not Much

India joins the UK in a drive by the ‘Five Eyes’ group of nations, as a seventh member, against encrypted social media messages.

Map the countries in ‘Five Eyes’ group of nations.

‘Five Eyes’ group of nations

  • The Five Eyes (FVEY) is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States.
  • The origins of the Five Eyes alliance can be traced back to the Atlantic Charter, which was issued in August 1941 to lay out the Allied goals for the post-war world.
  • These countries are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence.
  • India is among seven countries to back a UK-led campaign against end-to-end encryption of messages by social media giants such as Facebook, which they say hinders law enforcement by blocking all access to them.

A formal expansion

  • The UK and India joined this group to ensure they do not blind themselves to illegal activity on their platforms, including child abuse images.
  • This marks an expansion of the so-called “Five Eyes” group of nations, a global alliance on intelligence issues, to include India and Japan.

For a common cause

  • All members claim that end-to-end encryption policies such as those employed by the social media giant erode the public’s safety online.
  • They have made it clear that when end-to-end encryption is applied with no access to content, it severely undermines the ability of companies to take action against illegal activity on their own platforms.
  • It also prevents law enforcement from investigating and prosecuting the most serious crimes being committed on these services, such as online child sexual abuse, grooming and terrorist content.

Back2Basics: End-to-end encryption

  • End-to-end encryption (E2EE) is a system of communication where only communicating users can read the messages.
  • It is regarded as the most secure way to communicate privately online.
  • By encrypting messages at both ends of a conversation, end-to-end encryption prevents anyone in the middle from reading private communications.
  • In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation.


BlackRock Android Malware

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Malwares

Mains level : Data privacy issues

Various security firms have warned about a new malware called BlackRock.

Try this question from CSP 2018:

Q. The terms ‘WannaCry, Petya, Eternal Blue’ sometimes mentioned in the news recently are related to

(a) Exoplanets

(b) Cryptocurrency

(c) Cyberattacks

(d) Mini satellites

BlackRock

  • BlackRock isn’t exactly a new malware. In fact, it is based on the leaked source code of the Xerxes malware, itself derived from a malware called LokiBot.
  • The only big difference between BlackRock and other Android banking trojans is that it can target more apps than previous malware.

How does it work?

  • BlackRock works like most Android malware. Once installed on a phone, it monitors the targeted app.
  • When the user enters the login and/or credit card details, the malware sends the information to a server.
  • BlackRock uses the phone’s Accessibility feature and then uses an Android DPC (device policy controller) to provide access to other permissions.
  • It can be used to send and steal SMS messages, hide notifications, log keystrokes, detect antivirus software, and much more.

Threats posed

  • The new malware can steal information like passwords and credit card information from about 377 smartphone applications, including Amazon, Facebook, and Gmail.
  • It is so powerful that it makes antivirus applications useless.


What are Deep Fakes?

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Deep Fake

Mains level : Cyber bullying and other threats posed by AI

Cybercrime officials in India have been tracking certain apps and websites that produce vulgar photographs of innocent persons using Artificial Intelligence (AI) algorithms. These images are then used to blackmail victims, seek revenge or commit fraud on social networking and dating sites.

The most notorious misuse of AI is knocking at the door. Deepfake is an application of Deep Learning (a subset of AI and Machine Learning). UPSC may ask a mains question about the challenges posed by AI-based technology.

What is Deep Fake?

  • Cybercriminals use AI software — now easily available on apps and websites — to superimpose a digital composite (assembling multiple media files to make a final one) on to an existing video, photo or audio.
  • They are computer-generated images and videos.
  • Using AI algorithms a person’s words, head movements and expressions are transferred onto another person in a seamless fashion.
  • That makes it difficult to tell that it is a deepfake unless one closely observes the media file.

Threats posed

  • Because of how realistic deepfake images, audio and videos can be, the technology is open to misuse by cybercriminals who could spread misinformation to intimidate or blackmail people.
  • With real-time face tracking it is becoming easier to fabricate believable videos of people doing and saying things they never did.
  • There are rising cases of “revenge porn” i.e. creation of sexually explicit videos or images that are posted on the Internet without the consent of the subject as a way to harass them.

What are the catfish accounts?

  • Catfishing refers to the practice of setting up fictitious online profiles most often for the purpose of luring another into a fraudulent romantic relationship.
  • A “catfish” account is a fake social media profile set up with the goal of duping a person into falling for the false persona.

What can you do to protect yourself?

  • A basic check of their social media profiles, comments on the images and whether similar profiles exist could help determine if the person is genuine.
  • While it is not easy to keep track of who downloads or misuses your images, the best protection is to make sure you use the privacy settings on your social media profiles.
  • If you feel your image has been used without prior permission, you can use freely available reverse image search tools to find images that are similar to yours.
  • You can also be mindful of who you are conversing with on the web.


Challenges to Internal Security through Communication Networks

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Not Much

Mains level : Threats to the internal security through communication networks

Context

The Ministry of Home Affairs’ notification on the Zoom application, issued through its Cyber Coordination Centre after the Computer Emergency Response Team (CERT-In) raised concerns about video conferencing through the app during the lockdown, has once again exposed the threats to internal security through communication networks.

Security and Communication Networks

  • In the age of the data revolution, AI and ML, the security regime has opened up to a new and most fundamental threat dimension in the virtual world, in the form of cybersecurity threats and the safety of the use of communication networks.
  • The world economy is increasingly being digitised, and big data storage and internet security are under perennial threat of attack.

What are communication Networks?

Communication networks are defined as “the computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety” in the IT Act, 2000. They form a part of our critical information infrastructure.

The communication networks are crucial to the critical infrastructure connectivity such as

1) Civil Aviation

2) Shipping

3) Railways

4) Power

5) Nuclear technology

6) Finance and Banking

7) Law enforcement

8) Defence

9) Space etc.

Communication networks must not be confused with computer networks such as WAN, LAN, etc., because the latter are merely one form of communication network.

What are the Key Security threats to communication networks?

The major security threats to communication networks can take the following forms:

  • Economic threats such as frauds, attack on banking communication infrastructure, acquisition of critical data such as customer’s credit/debit card data, Financial theft to destabilize the economy
  • Information warfare
  • Destabilizing critical infrastructure like nuclear power plants, power grids, dams and share market operations through cyber attacks, e.g. Stuxnet’s alleged involvement in destabilizing Iran’s nuclear programme.
  • Data theft through social media applications, infringement of privacy
  • Penetrating value chain of production of communications network infrastructure and spying through this penetration
  • Theft of critical medical history data of a nation’s citizens
  • Data alteration and data destruction on the website and impairing its operations
  • Intellectual property right infringement through digital piracy

The threats to communication networks can be of the following types:

1) Unauthorised release of information- called Passive attack

2) Unauthorised modification of information- Active attack

3) Unauthorised denial of normal service to users-Active Attack

Explanation of Key Terms

Network and Packet sniffing

  • Large information travels as smaller packet bundles, which applications can pick up and process “off-network”.
  • An application of this kind, which interprets network packets, is called a packet sniffer. This poses a grave threat to government and business data flow.

Man-in-the-middle attacks

It refers to gaining access to network packets travelling across networks. It uses network sniffers and routing and transport protocols for data theft, gaining access to the system’s internal network resources, denial of service, and the introduction of new information into existing networks to manipulate the system.

Denial of services (DoS)

  • This is the most infamous of the attacks on communication networks and the most difficult to eliminate. The ease of attack and the potential for damage make it an important threat that deserves special attention.
  • A distributed denial-of-service attack refers to a simultaneous attack on many systems which temporarily brings down the targeted website/system.

IP spoofing

  • IP spoofing is an attack in which an attacker outside the targeted network pretends to be a trusted computer.
  • It can use the IP address of the targeted network or an authorized and trusted IP address.
  • It leads to the injection of malicious data or command structure in the existing communication networks between clients.

Phishing

  • It refers to gaining private and personal information for identity theft, using fraudulent e-mails making them appear to be received from legitimate sources.
  • Targets are lured into giving critical information such as bank account and credit card details, login IDs and passwords.

Brute force attacks

These are repeated password attacks that aim to identify user account passwords and create a backdoor for future access.
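A defender's view of the definition above, as an added example that is not part of the original notes: a sliding-window check that flags a source address producing many failed logins in a short time and records whether a successful login followed. The log format, threshold, window and addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp, result, user, source IP).
SAMPLE_LOG = """\
2021-03-01T10:00:00 FAIL user=root src=192.0.2.44
2021-03-01T10:00:05 FAIL user=alice src=198.51.100.20
2021-03-01T10:00:20 OK user=alice src=198.51.100.20
2021-03-01T10:01:00 FAIL user=admin src=203.0.113.7
2021-03-01T10:01:05 FAIL user=admin src=203.0.113.7
2021-03-01T10:01:10 FAIL user=admin src=203.0.113.7
2021-03-01T10:01:15 FAIL user=admin src=203.0.113.7
2021-03-01T10:01:20 FAIL user=admin src=203.0.113.7
2021-03-01T10:01:25 FAIL user=admin src=203.0.113.7
2021-03-01T10:01:30 OK user=admin src=203.0.113.7
this line is malformed and must be ignored
2021-03-01T10:02:30 FAIL user=root src=192.0.2.44
2021-03-01T10:05:00 FAIL user=root src=192.0.2.44
2021-03-01T10:07:30 FAIL user=root src=192.0.2.44
2021-03-01T10:10:00 FAIL user=root src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_events(text):
    """Turn log text into (timestamp, succeeded, user, src) tuples in time order."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not follow the assumed format
        ts, result, user, src = match.groups()
        events.append((datetime.fromisoformat(ts), result == "OK", user, src))
    return sorted(events, key=lambda event: event[0])


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with at least `threshold` failed logins inside `window`.

    Returns {src: {"peak_failures", "users", "success_after"}}. "success_after"
    names the account that logged in successfully from a source already flagged,
    which is the case that needs a password reset and a hunt for persistence.
    """
    recent = defaultdict(deque)  # src -> (timestamp, user) of recent failures
    alerts = {}
    for ts, succeeded, user, src in events:
        if succeeded:
            if src in alerts and alerts[src]["success_after"] is None:
                alerts[src]["success_after"] = user
            continue
        failures = recent[src]
        failures.append((ts, user))
        # Drop failures that have aged out of the sliding window.
        while failures and ts - failures[0][0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            alert = alerts.setdefault(
                src, {"peak_failures": 0, "users": set(), "success_after": None}
            )
            alert["peak_failures"] = max(alert["peak_failures"], len(failures))
            alert["users"].update(name for _, name in failures)
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

A single mistyped password (198.51.100.20) and slow, widely spaced failures (192.0.2.44) stay below the threshold here; catching the latter needs a longer window or per-account counting.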

Virus or Trojan Horse attacks

  • Viruses and trojan horse applications are a threat to end-user computers.
  • Viruses are malicious software attached to a programme to execute a directed, unwanted task on the user’s workstation.
  • A Trojan horse is an application disguised to hide the original identity of attack tools. It not only attacks the user’s system but also spreads automatically to known systems.

Ransomware

  • It is a type of malware that restricts the actual owner’s access to certain information in order to demand a ransom to be paid to the creator of the malware.
  • They use encryption, locking the system to deny user access to important information. A recent instance was the attack by WannaCry ransomware.

What are the types of cyber threats?

1) Cyber Espionage

It is the act of obtaining secret information from individuals, competitors or enemy countries, using computer networks and without the permission of the holders of the secrets, for economic, political or military purposes. In 2009, the PMO was an alleged victim of cyber espionage by Chinese hackers.

2) Cybercrime

  • Cybercrime is an offensive action by individuals/organizations targeting computer information systems, networks with an intention to damage or destroy critical information and infrastructure.
  • According to NCRB, the instances of cybercrimes are at an all-time high now due to the penetration of communication networks.

3) Cyberwarfare:

Cyberwarfare refers to actions by a nation-state actor to penetrate an enemy/competitor nation’s computers or networks with the intent of causing damage or disruption.

What are the features of the cyberwar?

  • Independent theatre of war due to the development of the internet and sophisticated communication infrastructure
  • An undefined (virtual) space as it is impossible to protect national cyberspace by just controlling and monitoring internet networks inside its territory as cyberspace is truly global.
  • It is a no-contact war, as the attacker does not need to be present at the site of the attack. Malware like Stuxnet can be introduced at any link of the global value chain of communications infrastructure, and the target can then be controlled from distant places.
  • Disguised attacks and attackers make it even more dangerous and untraceable and it surely complicates cybersecurity policy.

What is cybersecurity?

Cybersecurity is making cyberspace safe from threats, i.e. cyber-threats. “Cyber-threats” means the malicious use of ICT as a target or as a tool by malevolent actors. It involves three things:

  • A set of activities, intended to protect computers, computer networks, related hardware, and devices software, and the information they contain and communicate, including software and data, as well as other elements of cyberspace, from all threats, including threats to national security.
  • The protection intended in the application of these activities and measures;
  • The associated field of research and analysis, aimed at implementing those activities and improving their quality.

What is the government doing to secure communications networks?

  • The National Telecom Policy 2012 has set targets for domestic manufacturing of telecom equipment to meet 60 to 80 per cent of demand.
  • The National Telecom Policy 2018 stresses developing robust digital communications network security frameworks.
  • Computer Emergency Response Teams (CERTs) have been formed at both the national and state levels to respond to cyberattacks.
  • IT Act, 2000

1) Section 43A- compensation for the failure of protection of data

2) Section 72A- Punishment for disclosure of information in breach of lawful contract

3) Section 67C- Punishment with imprisonment of up to 3 years for anyone who intentionally or knowingly contravenes the provisions

4) Section 69- Power to issue directions for interception/monitoring/decryption of any information through any computer source.

  • A number of other measures, such as making local certification mandatory, have been announced.
  • The Ministry of Communications and Information Technology has also repeatedly urged telecom companies to take note of vulnerabilities in their equipment and told them they would be held responsible and subject to penalties if the vulnerabilities are not addressed.

National critical information infrastructure protection centre (NCIIPC)

  • It is the national nodal agency for the protection of critical information infrastructure.
  • It helps in coordinating, sharing, monitoring, collecting, analysing and forecasting threats.
  • It holds the responsibility to develop plans, adopt standards, share best practices and refine procurement processes.
  • It exchanges knowledge and experiences with CERT-In and other organisations in order to coordinate better.


Challenges to Internal Security through Communication Networks

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Various terms mentioned

Mains level : Challenges to Internal Security through Communication Networks

Context

The Ministry of Home Affairs’ notification on the Zoom application, issued through its Cyber Coordination Centre after the Computer Emergency Response Team (CERT-In) raised concerns about video conferencing through the app during the lockdown, has once again exposed the threats to internal security through communication networks.

Security and Communication Networks

  • In the age of the data revolution, AI and ML, the security regime has opened up to a new and most fundamental threat dimension in the virtual world, in the form of cybersecurity threats and the safety of the use of communication networks.
  • The world economy is increasingly being digitised, and big data storage and internet security are under perennial threat of attack.

What are communication Networks?

Communication networks are defined as “the computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety” in the IT Act, 2000. They form a part of our critical information infrastructure.

The communication networks are crucial to the critical infrastructure connectivity such as

1) Civil Aviation

2) Shipping

3) Railways

4) Power

5) Nuclear technology

6) Finance and Banking

7) Law enforcement

8) Defence

9) Space etc.

Communication networks must not be confused with computer networks such as WAN, LAN, etc., because the latter are merely one form of communication network.

What are the Key Security threats to communication networks?

The major security threats to communication networks can take the following forms:

  • Economic threats such as frauds, attack on banking communication infrastructure, acquisition of critical data such as customer’s credit/debit card data, Financial theft to destabilize the economy
  • Information warfare
  • Destabilizing critical infrastructure like nuclear power plants, power grids, dams and share market operations through cyber attacks, e.g. Stuxnet’s alleged involvement in destabilizing Iran’s nuclear programme.
  • Data theft through social media applications, infringement of privacy
  • Penetrating value chain of production of communications network infrastructure and spying through this penetration
  • Theft of critical medical history data of a nation’s citizens
  • Data alteration and data destruction on the website and impairing its operations
  • Intellectual property right infringement through digital piracy

Threats to communication networks can be of the following types:

1) Unauthorised release of information- called Passive attack

2) Unauthorised modification of information- Active attack

3) Unauthorised denial of normal service to users-Active Attack


Explanation of Key Terms

Network and Packet sniffing

  • Large pieces of information travel as smaller packets, which can be picked up “off the network” and processed by applications.
  • An application that interprets network packets in this way is called a packet sniffer.
  • This poses a grave threat to government and business data flow.

Man-in-the-middle attacks

  • It refers to gaining access to network packets as they travel across networks.
  • It uses network sniffers and routing and transport protocols for data theft, gaining access to the system’s internal network resources, denial of service, and introducing new information into existing networks to manipulate the system.

Denial of services (DoS)

  • This is the most infamous of the attacks on communication networks and the most difficult to eliminate. The ease of attack and the potential for damage make it an important threat that deserves special attention.
  • Distributed denial of services attack refers to a simultaneous attack on many systems which temporarily brings down the targeted website/system.

IP spoofing

  • IP spoofing is an attack from an attacker outside the targeted network by pretending to be a trusted computer.
  • It can use the IP address of the targeted network or an authorized and trusted IP address.
  • It leads to the injection of malicious data or command structure in the existing communication networks between clients.

Phishing

  • It refers to gaining private and personal information for identity theft, using fraudulent e-mails making them appear to be received from legitimate sources.
  • It lures targets into giving up critical information such as bank account and credit card details, login IDs and passwords.

Brute force attacks

These are repeated password attacks that aim to identify user account passwords and create a backdoor for future access.

Virus or Trojan Horse attacks

  • Viruses and trojan horse applications are a threat to end-user computers.
  • Viruses are malicious software attached to a programme to execute a directed, unwanted task on the user’s workstation.
  • Trojan horse is an application disguised to hide the original identity of attack tools.
  • It not only attacks the user’s system but also spreads automatically to known systems.

Ransomware

  • It is a type of malware that restricts access to certain information from the actual owner to demand a ransom paid to the creator of malware.
  • They use encryption, locking the system to deny user access to important information. A recent instance was the attack by WannaCry ransomware.

What are the types of cyber threats?

1) Cyber Espionage

It is the act of obtaining secret information from individuals, competitors or enemy countries using computer networks, without the permission of the holders of the secret, for economic, political or military purposes. In 2009, the PMO was an alleged victim of cyber espionage by Chinese hackers.

2) Cybercrime

  • Cybercrime is an offensive action by individuals/organizations targeting computer information systems, networks with an intention to damage or destroy critical information and infrastructure.
  • According to NCRB, the instances of cybercrimes are at an all-time high now due to the penetration of communication networks.

3) Cyberwarfare

Cyberwarfare refers to actions by nation-state actors to penetrate an enemy or competitor nation’s computers or networks with the intent of causing damage or disruption.

What are the features of the cyberwar?

  • Independent theatre of war due to the development of the internet and sophisticated communication infrastructure
  • An undefined (virtual) space as it is impossible to protect national cyberspace by just controlling and monitoring internet networks inside its territory as cyberspace is truly global.
  • It is a no-contact war, as the attacker does not need to be present at the site of the attack. Malware like Stuxnet can be introduced at any link of the global value chain of communications infrastructure, and the target can then be controlled from distant places.
  • Disguised attacks and attackers make it even more dangerous and untraceable and it surely complicates cybersecurity policy.

What is cybersecurity?

Cybersecurity is making cyberspace safe from threats, i.e. cyber-threats. “Cyber-threats” means the malicious use of ICT as a target or as a tool by malevolent actors. It involves three things:

1) A set of activities intended to protect computers, computer networks, related hardware and device software, and the information they contain and communicate, including software and data, as well as other elements of cyberspace, from all threats, including threats to national security.

2) The protection intended in the application of these activities and measures;

3) The associated field of research and analysis, aimed at implementing those activities and improving their quality.

What is the government doing to secure communications networks?

  • The National Telecom Policy 2012 has set targets for domestic manufacturing of telecom equipment to meet 60 to 80 per cent of demand.
  • The National Telecom Policy 2018 stresses developing robust digital communications network security frameworks.
  • Computer Emergency Response Teams (CERTs) have been formed at both the national and state level to respond to cyberattacks.

IT Act, 2000

  • Section 43A- compensation for the failure of protection of data
  • Section 72A- Punishment for disclosure of information in breach of lawful contract
  • Section 67C- Punishment with imprisonment of up to 3 years for anyone who intentionally or knowingly contravenes the provisions
  • Section 69- Power to issue directions for interception/monitoring/decryption of any information through any computer source.
  • A number of other measures, such as making local certification mandatory, have been announced.
  • The Ministry of Communications and Information Technology has also repeatedly urged telecom companies to take note of vulnerabilities in their equipment and told them they would be held responsible and subject to penalties if the vulnerabilities are not addressed

National critical information infrastructure protection centre (NCIIPC)-

  • It is a national nodal agency for the protection of critical information infrastructure
  • It helps in coordinating, sharing, monitoring, collecting, analysing and forecasting threats.
  • It is responsible for developing plans, adopting standards, sharing best practices and refining procurement processes.
  • Exchange of knowledge and experiences with CERT-IN and other organisations is done in order to better coordinate.

[op-ed snap] We should offer to safeguard the world’s telecom networks

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Not much.

Mains level : Paper 3- Cyber security in the wake of Huawei ban and concerns over cyber security in 5G age.

 Context

India should grab cybersecurity opportunities instead of focusing on smaller issues like import tariffs during Trump’s visit.

Opportunity for India in the US-China trade war

  • Technology will be an important front in the emerging trade war between the US and China.
    • It will create significant opportunities for India as global supply chains re-adjust to geopolitical pushes and pulls.
    • In manufacturing: The immediate opportunity is in across-the-board manufacturing, especially if the Government puts in place a special task force to unclog the regulatory issues.
    • In cybersecurity: Beyond manufacturing, the unfolding US-China technology war is creating opportunities for India in the cybersecurity space on a scale that could match Y2K.

Balance national security and industry economics

  • The UK’s approach: It is a carefully constructed middle path.
  • Not allowing high-risk vendors: The UK decided that “high-risk vendors” will not be permitted in its core networks.
    • High regulatory and security oversight: High-risk vendors will also be subject to higher levels of regulatory and security oversight.
    • Ability to switch: Operators are expected to have the ability to switch away from such vendors should the government so require.
  • 35% restriction: The UK restricted such vendors to less than 35% of the equipment base of each telecom operator.
  • The EU approach:  The European Union is likely to adopt some variant of the British approach.
    • This means Chinese-made equipment will be deployed across EU countries but under tighter surveillance, audit and assurance regime.

How is it going to create opportunities?

  • 5G and the need for more security professionals
    • More base stations: 5G networks will employ many more base stations than existing networks.
    • The internet of things (IoT) is set to bring billions of connected sensors and devices online.
    • The requirement of security professionals: Tightening security norms will require both telecom firms and their customers to employ a lot of cybersecurity professionals in a wide range of roles, of varying levels of sophistication and sensitivity.
  • Shortage of cybersecurity professionals
    • The problem is: the world is already short of cybersecurity professionals.
    • Even before 5G networks are rolled out, estimates suggest that there are 2 to 3 million unfilled cybersecurity vacancies around the world.
    • Scrutiny of the Chinese vendors and employment opportunities: The more stringent the security regimes around Chinese vendors, the greater the demand for cybersecurity professionals.
  • Where is the opportunity for India? The industry is responding to this shortage by employing more automation.
    • But demand for humans will increase: The demand for trustworthy, reliable and competent human beings to keep an eye on cyber threats will only increase.
    • Where can hundreds of thousands of technology professionals who might be able to fill this gap come from? India and China.
    • Advantage India: Since Chinese firms and individuals are unlikely to be chosen to keep an eye on Chinese equipment makers and state-linked cyber attackers, it is advantage India.

Can India grab this opportunity?

  • Inadequate professionals in India: India doesn’t have adequate numbers of cybersecurity professionals either.
    • Skill initiative by the government: The government has launched a skills initiative to plug the shortage, but we’re far away from addressing our own cybersecurity needs.
    • India has all the necessary conditions to become a big player in the global cybersecurity market.
    • India has the numbers, the companies and the market-driven economic models that can produce the skills that the industry wants.
  • Private sector’s role: During the 1990s’ information technology boom, India produced hundreds of thousands of software engineers not because of any government skills development programme, but because private firms popped up and supplied the skills that people and their employers wanted.

Way forward

  • Government to government arrangements: Unlike the Y2K days, the global demand for cybersecurity professionals has entry barriers that firms and individuals cannot easily cross on their own. Government-to-government arrangements can help Indian firms and individuals get clearances for cybersecurity roles.
  • Developing cybersecurity partnership: India will have to work on developing cybersecurity partnerships with the US, UK and the EU, focused on opening up their markets to Indian firms.
  • Win the trust: Indian firms, for their part, must work on gaining the trust of the West’s national security establishments.

 

 

[pib] Indian Cyber Crime Coordination Centre (I4C)

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Indian Cyber Crime Coordination Centre (I4C)

Mains level : Cyber Security and various protection mechanisms

Union Minister for Home Affairs has inaugurated the Indian Cyber Crime Coordination Centre (I4C) and also dedicated National Cyber Crime Reporting Portal to the Nation.

I4C

  • The scheme to set up I4C was approved in October 2018 to deal with all types of cybercrimes in a comprehensive and coordinated manner.
  • At the initiative of Union Ministry for Home Affairs (MHA), 15 States and UTs have given their consent to set up Regional Cyber Crime Coordination Centres at respective States/UTs.
  • It has seven components:
  1. National Cyber Crime Threat Analytics Unit
  2. National Cyber Crime Reporting Portal
  3. National Cyber Crime Training Centre
  4. National Cyber Crime Research and Innovation Centre
  5. National Cyber Crime Forensic Laboratory Ecosystem
  6. Platform for Joint Cyber Crime Investigation Team
  7. Cyber Crime Ecosystem Management Unit

About National Cyber Crime Reporting Portal

  • National Cyber Crime Reporting Portal (www.cybercrime.gov.in) is a citizen-centric initiative that will enable citizens to report cyber crimes online through the portal.
  • All the cyber crime related complaints will be accessed by the concerned law enforcement agencies in the States and Union Territories for taking action as per law.
  • This portal was launched on pilot basis on 30th August, 2019 and it enables filing of all cyber crimes with specific focus on crimes against women, children, particularly child pornography, child sex abuse material, online content pertaining to rapes/gang rapes, etc.
  • This portal also focuses on specific crimes like financial crime and social media related crimes like stalking, cyber bullying, etc.
  • This portal will improve coordination amongst the law enforcement agencies of different States, districts and police stations for dealing with cyber crimes in a coordinated and effective manner.

[op-ed of the day] Data and its discontents

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Nothing much

Mains level : Paper 3-Cyber security

Context

The Personal Data Protection Bill, which was introduced in the Lok Sabha, contains certain provisions that might have implications for India’s digital economy. These provisions must be carefully considered as Parliament reviews the proposed legislation.

What are the stated objectives of the bill?

  • The first purpose deals with privacy concerns.
  • Its purpose is to safeguard the constitutional guarantee of privacy for Indian citizens
  • The second purpose is to provide a just and equitable vision for the future of India’s digital economy

What are the incongruent provisions?

  • One of the provisions enables the central government to direct a regulated entity under the Act to provide anonymised personal data.
  • The government wants to use this anonymised personal data to enable the targeted delivery of services or evidence-based policymaking.
  • The above provisions could have certain implications that need to be carefully considered.

Anonymised data and issues with it

  • Under the bill, anonymised data refers to data from which all the markers of identity have been irreversibly removed.
  • Recent research shows that the present methods of anonymisation are imperfect.
  • With the use of modern machine learning techniques, the data released as “anonymous” can be re-identified.
  • So, the approach to regulation of anonymised data must be contextual and sectoral- with a focus on finance and healthcare.
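A release check that makes the point above concrete, added here as an example and not taken from the Bill or the op-ed: it uses a simple uniqueness measure (k-anonymity and l-diversity over quasi-identifiers) rather than the machine-learning methods the text mentions. The records, field names and the `generalise` coarsening rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: a "de-identified" health extract with names already removed.
RECORDS = [
    {"pincode": "110001", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"pincode": "110001", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"pincode": "110003", "birth_year": 1986, "sex": "F", "diagnosis": "flu"},
    {"pincode": "110003", "birth_year": 1971, "sex": "M", "diagnosis": "asthma"},
    {"pincode": "110007", "birth_year": 1979, "sex": "M", "diagnosis": "flu"},
    {"pincode": "560001", "birth_year": 1990, "sex": "F", "diagnosis": "diabetes"},
    {"pincode": "560001", "birth_year": 1990, "sex": "F", "diagnosis": "flu"},
    {"pincode": "560004", "birth_year": 1995, "sex": "M", "diagnosis": "asthma"},
    {"pincode": "560008", "birth_year": 1992, "sex": "M", "diagnosis": "flu"},
]

# Fields that are not names but can be matched against other datasets.
QUASI_IDENTIFIERS = ("pincode", "birth_year", "sex")


def equivalence_classes(records, quasi_identifiers):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_identifiers)].append(rec)
    return classes


def release_risk(records, quasi_identifiers, sensitive):
    """Return k (smallest class), l (fewest distinct sensitive values in a
    class) and how many records are alone in their class."""
    classes = equivalence_classes(records, quasi_identifiers)
    sizes = [len(members) for members in classes.values()]
    singled_out = sum(1 for size in sizes if size == 1)
    return {
        "k": min(sizes),
        "l": min(len({m[sensitive] for m in members})
                 for members in classes.values()),
        "singled_out": singled_out,
        "share_singled_out": singled_out / len(records),
    }


def generalise(record):
    """Hypothetical coarsening: 3-digit PIN prefix and decade of birth."""
    coarse = dict(record)
    coarse["pincode"] = record["pincode"][:3] + "***"
    coarse["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    return coarse


if __name__ == "__main__":
    raw = release_risk(RECORDS, QUASI_IDENTIFIERS, "diagnosis")
    coarse = release_risk([generalise(r) for r in RECORDS],
                          QUASI_IDENTIFIERS, "diagnosis")
    print("raw extract:        ", raw)
    print("generalised extract:", coarse)
```

A record that is alone in its class can be matched by anyone who knows that person's PIN code, birth year and sex, even though no name was released.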

Use of big data and AI in governance

  • The government also plans to use big data and artificial intelligence within governance and planning systems.
  • The use of these techniques has the potential to increase government capacity and transparency.
  • It can also help in making an informed decision about economic and social planning.
  • However, the provision ignores the multiplicity of existing and inchoate rights like IPRs (Intellectual Property Rights), copyrights and trade secret protections.

Consequences of the conflicting provision

  • The government wants the data to be open for acquisition, similar to the power of “eminent domain” over land, but this comes in conflict with existing laws.
  • It comes in conflict with the copyright acts, intellectual property rights, and trade secret laws.
  • Databases are commercially significant for commercial companies.
  • Overlap of these existing rights within the government system can jeopardise accountability and transparency.

 Problems with Big data and AI in governance

  • Unregulated use of the database in governance could have consequences for the people and communities who are being made visible or being invisible by this data.
  • A shift from a qualitative method like census to the quantitative method like big data which is collected in a different context and used for a different purpose may not be smooth.
  • Such data will be incomplete for governance.
  • The data could also be replete with biases of the private entity collecting the data.
  • So, the use of this unregulated data for policymaking or targeting beneficiaries could be disastrous.

Way forward

The regulation of non-personal data must take into account both the potential harms to individual privacy as well as the wider social and political consequences of the use of data for governance.

 

 

StrandHogg Malware

Note4Students

From UPSC perspective, the following things are important :

Prelims level : StrandHogg

Mains level : Cyber Security

After Pegasus, a vulnerability in Android devices exploited by a new malware, StrandHogg, has caught the eye of the cybersecurity wing of the Ministry of Home Affairs.

StrandHogg

  • Cybercriminals have found a malware to breach Android devices.
  • It is called StrandHogg, and it can allow them to listen through the microphone, steal login credentials, take photos using the camera, read SMS and even access photos.
  • The “Threat Analytical Unit” of the Indian Cyber Crime Coordination Centre has sent an alert to all states and police departments about a bug that can be exploited by malware posing as genuine apps to spy on users.

So what is StrandHogg and why does it target Android devices?

  • At the heart of the issue is a weakness in the multi-tasking system of Android OS.
  • It basically exploits Android control settings called taskAffinity and taskReparenting to allow apps, including malicious ones, to freely assume the identity of another task in the multitasking system.
  • It allows the malicious activity to hijack the target’s task, so the next time the user opens the target app, the hijacked task will open up instead of the original task.
  • During this interception, the malicious app will seek permission to access the device’s camera, microphone, messages, GPS and storage.
  • If the user grants these permissions, the malicious app gains access to these components.
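A defender-side check for the settings named above, added here as an example and not part of the alert or of any vendor tool: it reads an app's manifest and lists activities whose task affinity points at another package. It assumes the manifest has already been decoded to text XML; in the manifest the attributes are spelled `android:taskAffinity` and `android:allowTaskReparenting`, and every package name in the sample is made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (decoded text form); all names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <activity android:name=".Help"
              android:taskAffinity="com.example.flashlight.help"/>
    <activity android:name=".Overlay"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true"/>
    <activity android:name=".Share"
              android:taskAffinity="com.example.mail"/>
    <activity android:name=".Widget" android:taskAffinity=""/>
  </application>
</manifest>
"""


def _android(elem, name):
    """Read an android:-namespaced attribute; None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_task_affinity(manifest_xml):
    """List activities whose effective task affinity names a foreign package.

    Severity is "high" when the activity may also be re-parented into that
    task, and "review" when only the foreign affinity is present.
    """
    root = ET.fromstring(manifest_xml.strip())
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    # Activities inherit both settings from <application> when they set none.
    app_affinity = _android(app, "taskAffinity")
    app_reparent = _android(app, "allowTaskReparenting")

    findings = []
    for activity in app.findall("activity"):
        affinity = _android(activity, "taskAffinity")
        if affinity is None:
            # Default affinity is the app's own package name.
            affinity = app_affinity if app_affinity is not None else package
        reparent = _android(activity, "allowTaskReparenting")
        if reparent is None:
            reparent = app_reparent if app_reparent is not None else "false"

        # Empty string means "no affinity"; the app's own namespace is normal.
        own = affinity == package or affinity.startswith(package + ".")
        if affinity == "" or own:
            continue
        reparenting = reparent.strip().lower() == "true"
        findings.append({
            "activity": _android(activity, "name") or "<unnamed>",
            "task_affinity": affinity,
            "allow_task_reparenting": reparenting,
            "severity": "high" if reparenting else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_task_affinity(SAMPLE_MANIFEST):
        print(finding)
```

A foreign affinity is a reason to look closer, not proof of malice, so the output is a triage list for app vetting rather than a verdict.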

Explained: Personal Data Protection Bill — issues, debate

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Read the attached story

Mains level : Debate over Data Localization Policy in India


  • India’s first attempt to domestically legislate on the topic, the Personal Data Protection (PDP) Bill, 2019 has been approved by the Cabinet and is slated to be placed in Parliament this winter session.
  • The Bill has three key aspects that were not previously included in a draft version, prepared by a committee headed by retired Justice B N Srikrishna.

What is Data?

  • Data is any collection of information that is stored in a way so computers can easily read them (think 011010101010 i.e. binary formats).
  • Data usually refers to information about your messages, social media posts, online transactions, and browser searches.

Data Principal

  • The individual whose data is being stored and processed is called the data principal in the PDP Bill.

Why this data matters?

  • This large collection of information about users’ online habits has become an important source of profits, but also a potential avenue for invasion of privacy because it can reveal extremely personal aspects.
  • Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise to you online.
  • It is now clear that much of the future’s economy and law enforcement will be predicated on the regulation of data, introducing issues of national sovereignty.

Who handles my data, and how?

  • Data is stored in a physical space similar to a file cabinet of documents, and transported across country borders in underwater cables that run as deep as Mount Everest and as long as four times the Indian Ocean.
  • To be considered useful, data has to be processed, which means analysed by computers.
  • Data is collected and handled by entities called data fiduciaries.
  • While the fiduciary controls how and why data is processed, the processing itself may be by a third party, the data processor.
  • This distinction is important to delineate responsibility as data moves from entity to entity.
  • For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor — Cambridge Analytica.

Storage of data

  • The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.
  • Data localisation arguments are premised on the idea that data flows determine who has access to the data, who profits off it, who taxes and who “owns” it.
  • However, many contend that the physical location of the data is not relevant in the cyber world.

How does the PDP Bill propose to regulate data transfer?

  • To legislate on the topic the bill trifurcates personal data.
  • The umbrella group is all personal data — data from which an individual can be identified.
  • Some types of personal data are considered sensitive personal data (SPD), which the Bill defines as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief, and more. Another subset is critical personal data.
  • The government can deem something critical at any time, and has given military or national security data as examples.

Changes accorded in Justice B N Srikrishna Committee recommendations

Storage

  • The draft had said all fiduciaries must store a copy of all personal data in India — a provision that was criticised by foreign technology companies that store most of Indians’ data abroad and even some domestic startups that were worried about a foreign backlash.
  • The approved Bill removes this stipulation, only requiring individual consent for data transfer abroad. Similar to the draft, however, the Bill still requires sensitive personal data to be stored only in India.
  • It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA). The final category of critical personal data must be stored and processed in India.

Non-personal data

  • The Bill mandates fiduciaries to give the government any non-personal data when demanded.
  • Non-personal data refers to anonymised data, such as traffic patterns or demographic data.
  • The previous draft did not apply to this type of data, which many companies use to fund their business model.

Data fiduciaries

  • The Bill also requires social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, to develop their own user verification mechanism.
  • While the process can be voluntary for users and can be completely designed by the company, it will decrease the anonymity of users and “prevent trolling”.

Other key features

  • The Bill includes exemptions for processing data without an individual’s consent for “reasonable purposes”.
  • These include security of the state, detection of any unlawful activity or fraud, whistle blowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
  • The Bill calls for the creation of an independent regulator DPA, which will oversee assessments and audits and definition making.
  • Each company will have a Data Protection Officer (DPO) who will liaise with the DPA for auditing, grievance redressal, record maintenance and more.
  • The committee’s draft had required the DPO to be based in India.

Other keywords

  • The committee’s draft had several other significant keywords that are expected to be in the Bill.
  • “Purpose limitation” and “collection limitation” limit the collection of data to what is needed for “clear, specific, and lawful” purposes or for reasons that the data principal would “reasonably expect”.
  • It also grants individuals the right to data portability, and the ability to access and transfer one’s own data. Finally, it legislates on the right to be forgotten.

Debates around the Bill

  • With historical roots in European Union law, this right allows an individual to remove consent for data collection and disclosure.
  • After the Cabinet approval of the bill, an official source said this concept is still “evolving” and has not been “concretized” yet.
  • Government sources said they were open to the “widest debate on this Bill”.

Two sides of the debate

A. For data localisation

  • A common argument from government officials has been that data localisation will help law-enforcement access data for investigations and enforcement.
  • As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” — a process that almost all stakeholders agree is cumbersome.
  • In addition, proponents highlight security against foreign attacks and surveillance, harking back to notions of data sovereignty.
  • The government doubled down on this argument after news broke that 121 Indian citizens’ WhatsApp accounts were hacked by an Israeli software called Pegasus.
  • Even before that, the argument was used prominently against WhatsApp when a spate of lynchings across the country was linked to rumours that spread on the platform in the summer of 2018.

Why localize data?

  • Many domestic-born technology companies, which store most of their data exclusively in India, support localisation.
  • They have strongly argued that data regulation for privacy and security will have little teeth without localisation, calling upon models in China and Russia.
  • Many economy stakeholders say localisation will also increase the ability of the Indian government to tax Internet giants.

B. Against the Bill

  • Civil society groups have criticised the open-ended exceptions given to the government in the Bill, allowing for surveillance.
  • Moreover, some lawyers contend that security and government access are not achieved by localisation.
  • Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.
  • Technology giants like Facebook and Google and their industry bodies, especially those with significant ties to the US, have pushed back heavily.
  • Much of this sentiment harkens to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
  • Opponents say protectionism may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India, such as TCS and Wipro.

Budapest Convention on Cyber-Security

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Budapest Convention

Mains level : Global partnership for cyber-security

India maintained its status as a non-member of the Europe-led Budapest Convention and it voted in favour of a Russian-led UN resolution to set up a separate convention.

Budapest Convention

  • The Convention on Cybercrime, also known as the Budapest Convention on Cybercrime is the first international treaty seeking to address Internet and cybercrime.
  • It aims at harmonizing national laws, improving investigative techniques, and increasing cooperation among nations.
  • It was drawn up by the Council of Europe in Strasbourg, France, with the active participation of the Council of Europe’s observer states Canada, Japan, Philippines, South Africa and the US.
  • It was opened for signature in Budapest, on 23 November 2001 and it entered into force on 1 July 2004.
  • The convention is the sole legally binding multilateral treaty that coordinates cybercrime investigations between nation-states and criminalizes certain cybercrime conduct.

Why didn’t India ratify?

  • Since it entered into force, important countries like Brazil and India have declined to adopt the Convention on the grounds that they did not participate in its drafting.
  • India is concerned about data sharing with foreign law enforcement agencies, as it infringes on national sovereignty.
  • The Russian proposal entitled “Countering the use of information and communications technologies for criminal purposes” was passed in the UNGA.
  • It allows for cross-border access to data, including by limiting the ability of a signatory to refuse to provide access to requested data.
  • The proposal creates a committee to convene in August 2020 in New York to establish a new treaty through which nation-states can coordinate and share data to prevent cybercrime.

Explained: Surveillance laws in India

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Not Much

Mains level : Provisions of the IT Act

  • On October 30, many publications reported that phones of several dozen Indian journalists, lawyers and human rights activists had been compromised using an invasive Israeli-developed malware called Pegasus.

Is surveillance of this kind illegal in India?

  • First, it’s important to explain that there are legal routes to surveillance that can be conducted by the government.
  • The laws governing this are the Indian Telegraph Act, 1885, which deals with interception of calls and the Information Technology (IT) Act, 2000, which deals with interception of data.
  • Under both laws, only the government, under certain circumstances, is permitted to conduct surveillance, and not private actors.
  • Moreover, hacking is expressly prohibited under the IT Act. Section 43 and Section 66 of the IT Act cover the civil and criminal offences of data theft and hacking respectively.
  • Section 66B covers punishment for dishonestly receiving stolen computer resource or communication. The punishment includes imprisonment for a term which may extend to three years.

How broad are the laws regarding legal surveillance?

  • The framework for understanding the checks and balances built into these laws dates back to 1996.
  • In 1996, the Supreme Court noted that there was a lack of procedural safeguards in the Indian Telegraph Act.
  • It laid down some guidelines that were later codified into rules in 2007.
  • This included a specific rule that orders on interceptions of communication should only be issued by the Secretary in the Ministry of Home Affairs.
  • These rules were partly reflected in the IT (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules framed in 2009 under the IT Act.

What do the Rules say?

  • The rules state that only the competent authority can issue an order for the interception, monitoring or decryption of any information generated, transmitted, received or stored in any computer resource (mobile phones would count).
  • The competent authority is once again the Union Home Secretary or State Secretaries in charge of the Home Departments.
  • In December 2018, the Central government created a furore when it authorised 10 Central agencies to conduct surveillance.
  • In the face of criticism that it was building a ‘surveillance state’, the government countered that it was building upon the rules laid down in 2009 and the agencies would still need approval from a competent authority, usually the Union Home Secretary.
  • The 2018 action of the Union government has been challenged in the Supreme Court.

What about the Supreme Court verdict on privacy?

  • The Supreme Court, in a landmark decision in August 2017 (Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Others), unanimously upheld the right to privacy as a fundamental right under Articles 14, 19 and 21 of the Constitution.
  • It is a building block and an important component of the legal battles that are to come over the state’s ability to conduct surveillance.
  • But as yet a grey area remains between privacy and the state’s requirements for security.
  • In the same year, the government also constituted a Data Protection Committee under retired Justice B.N. Srikrishna.
  • It held public hearings across India and submitted a draft data protection law in 2018 which Parliament is yet to enact.
  • Experts have pointed out, however, that the draft law does not deal adequately with surveillance reform.

Do other countries have stricter laws against surveillance?

  • This continues to be a grey area around the world.
  • Take the U.S. for example. Electronic surveillance is considered a search under the Fourth Amendment which protects individuals from unreasonable search and seizure.
  • Thus the government has to obtain a warrant from a court in each case and crucially, establish probable cause to believe a search is justified.
  • It also has to provide a specific time period under which the surveillance is to be conducted and to describe in particularity the conversation that is to be intercepted.
  • There are very few exceptions or exigent circumstances under which the government may proceed without a warrant.

[op-ed snap] The sovereign test

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Nothing much

Mains level : Rights in the age of technology

Context

Will Cathcart, the global head of WhatsApp, wrote that “Governments and companies need to do more to protect vulnerable groups and individuals”. 

Background

    • He was referring to spyware attacks, like the one that the messaging platform succumbed to from Pegasus.
    • Pegasus is malicious software developed by NSO.
    • WhatsApp has disclosed that a “not insignificant” number of Indian journalists, rights activists and lawyers were targeted using Pegasus.

Responsibility of governments

    • Cathcart placed the responsibility on both tech companies and governments. 

NSO

    • NSO severed its contract with Saudi Arabia after accusations by a journalist.
    • He claimed that its software was used to hack his phone, which allowed Saudi agencies to track journalist Jamal Khashoggi, who was assassinated in Istanbul. 

Technology & Fundamental Rights

    • WhatsApp has often claimed that its end-to-end encryption makes it a safe and private way to communicate. That claim is now being contested. 
    • In the digital age, companies will emerge and operate in the grey areas of the intersection between technology and security to make a profit. 
    • But national security must not be used as a shield by either governments or private players to justify the violation of fundamental rights.

Indian scenario

    • Right to privacy – India is a constitutional democracy where the courts have read the right to privacy into the right to life and liberty.
    • Indian response – The Law and IT minister said he has asked WhatsApp to explain the breach, while the home ministry has said it will take strict action against those violating the law.
    • Actions in previous instances – Earlier, the Indian government and parliamentary committees have summoned executives from Facebook and Twitter.
    • The vulnerability of India – Indians continue to be the largest user base for WhatsApp. 
    • Relation with Israel – India also enjoys close ties with Israel. 

Way ahead

    • The Indian government must leverage its relationship with Israel to hold NSO to account.
    • It must punish anyone found guilty of unlawfully violating the privacy of Indian citizens. 
    • The government has made it clear that it holds a sovereign right over the data of its citizens. The idea of data sovereignty must include a citizen’s right to privacy. 

Conclusion

The government’s response in the aftermath of the WhatsApp hack will demonstrate its commitment to the rights enshrined in the Constitution.

[op-ed snap] Along came spyware

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Nothing much

Mains level : Cybersecurity and surveillance

Context

WhatsApp has revealed that Indian journalists and human rights activists have been under the surveillance of Israeli spyware Pegasus. 

Disclosure

  • This disclosure was made after WhatsApp filed a lawsuit in a US federal court against NSO.
  • NSO, the spyware’s maker, has allegedly been helping governments around the world hack smartphones and place their on-screen activity under watch.
  • Pegasus can reportedly gain access to mobile devices simply by making missed calls via WhatsApp to identified targets.
  • Reports say that, by WhatsApp’s count, over 20 Indians were under the scanner for about a fortnight in May.

Not the first time

  • This is not the first time NSO has been sued. 
  • Victims of hacking had taken it to Israeli courts on earlier occasions. 
  • The spyware doesn’t just intercept network communication, it has the ability to steal your data, track your location, and much more.

Surveillance

  • Intelligence agencies use whatever means they can to zoom into the lives of people who arouse suspicion. 
  • Most often, it reveals a pattern that suggests a state paranoid about dissent. 

Way ahead

Each individual should take precautionary measures to protect themselves from spy agencies and cybercriminals.

Spyware Pegasus

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Pegasus

Mains level : Cyber Security


  • The popular messaging platform WhatsApp was used to spy on journalists and human rights activists in India earlier this year.
  • The surveillance was carried out using a spyware tool called Pegasus, which has been developed by an Israeli firm, the NSO Group.
  • WhatsApp sued the NSO Group in a federal court in the US, accusing it of using WhatsApp servers in the United States and elsewhere to send malware to approximately 1,400 mobile phones and devices.

Pegasus

  • All spyware does what the name suggests: it spies on people through their phones.
  • Pegasus works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
  • A presumably newer version of the malware does not even require a target user to click a link.
  • Once Pegasus is installed, the attacker has complete access to the target user’s phone.
  • The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.

Method of working

  • A Pegasus operator must convince a target to click on a specially crafted ‘exploit link’ which allows the operator to penetrate security features on the phone.
  • This automatically installs Pegasus without the user’s knowledge or permission.
  • Once the phone is exploited and Pegasus installed, it begins contacting the operator’s command and control servers and sends back the target’s private data, including passwords, contact lists, events, text messages, and live voice calls from popular mobile messaging apps.
  • The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.

TechSagar: national repository of India’s cyber tech capabilities launched

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Tech Sagar

Mains level : Cyber Security


  • The National Cyber Security Coordinator’s office, in partnership with the Data Security Council of India (DSCI), on Monday launched TechSagar – a platform to discover India’s technological capability through a portal.

TechSagar

  • TechSagar is a consolidated and comprehensive repository of India’s cyber tech capabilities which provides actionable insights about capabilities of the Indian Industry, academia and research across key technology areas.
  • The portal will list business and research entities from the IT industry, startups, academia, and individual researchers.
  • These include Internet of Things (IoT), Artificial Intelligence (AI), Machine Learning (ML), blockchain, cloud & virtualization, robotics & automation, AR/VR, wireless & networking, and more.
  • TechSagar will allow targeted search, granular navigation and drill down methods using more than 3000 niche capabilities.

Components of TechSagar

  • As of now, the repository features 4000+ entities from industry, academia and research including large enterprises and start-ups providing a country level view of India’s cyber competencies.
  • A dynamic platform, TechSagar, will be frequently updated with new entities and information to maintain its relevancy and usefulness.

Why such a move?

  • In order to combat the growing threat from cyber crime, there is an urgent need to collaborate and develop cyber technology capabilities in India.
  • With the launch of TechSagar, we have sown the seed for start-ups to prosper in cyber tech.
  • This is a good example of government facilitating industry growth in a strategic domain.
  • Cyber technology capabilities have become central to our national strategic outlook and there was an urgent need for developing TechSagar.
  • Start-ups, enterprises, academia, researchers, and R&D institutes in the country need to synergise their efforts and work in tandem to make India a technology leader.

About the Data Security Council of India (DSCI)

  • DSCI is a not-for-profit industry body on data protection in India, set up by NASSCOM.
  • It is committed to making the cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cyber security and privacy.
  • To further its objectives, DSCI engages with governments and their agencies, regulators, industry sectors, industry associations and think tanks for policy advocacy, thought leadership, capacity building and outreach activities.

Explained: Right to be forgotten

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Right to be forgotten

Mains level : Read the attached story


  • The European Court of Justice (ECJ) ruled in favour of the search engine giant Google, which was contesting a French regulatory authority’s order to have web addresses removed from its global database.
  • The court ruled that an online privacy rule known as the ‘right to be forgotten’ under European law would not apply beyond the borders of EU member states.
  • The ruling comes as an important victory for Google, and lays down that the online privacy law cannot be used to regulate the internet in countries such as India, which are outside the EU.

The ‘Right to be forgotten’

  • The right to be forgotten empowers individuals to ask organisations to delete their personal data.
  • It is provided by the EU’s General Data Protection Regulation (GDPR), a law passed in 2018.
  • It states: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”
  • Under Article 2 of the GDPR, “personal data” means “any information relating to an identified or identifiable natural person (“data subject”)”.
  • “Controller” means “the natural or legal person, public authority, agency or any other body which… determines the purposes and means of the processing of personal data”.

Issue

  • In 2015, the internet regulating agency in France required that Google go beyond its practice of region-specific delinking, and ordered the search engine company to delete links from its global database.
  • Google refused to abide by the order, arguing that following the same would impede the free flow of information across the world.
  • This led to a fine of EUR 100,000 (around INR 77 lakh) being imposed on Google in 2016, so it challenged the order at the ECJ.

Conclusion: No privacy law beyond EU

  • Google contended that implementing the online privacy law beyond the EU would hamper access to information in countries around the world, especially those ruled by authoritarian governments.
  • Arriving at a landmark ruling, the ECJ has now restricted applying the privacy law beyond the EU.
  • It has also observed that the EU cannot enforce the ‘right to be forgotten’ on countries which do not recognise such a right.

[op-ed snap] Data deprivation makes cyber crime difficult to tackle

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Data localisation

Mains level : Cyber crime - data issues

CONTEXT

In recent times, there have been many instances of the hard-earned money of Indians being taken out of bank accounts and charges loaded onto credit cards through online frauds.

How does it affect India

  1. We are making a huge transition to a cashless economy. So, public faith in the digital system needs to be consistently reinforced.
  2. Cybercrimes affect the emerging “startup” ecosystem. Customers of genuine startups and Indian businesses have been subjected to online fraud.
  3. The skepticism about online transactions also hurts the potential of emerging companies that could take India to the $5 trillion economy that the country aspires to.
  4. The Srikrishna Commission recommended that data be stored in the country either directly or through mirror servers to serve law enforcement needs. 

How online money frauds work:

  1. Fraudsters start by creating various websites or accounts on social media platforms that host some content to make them look similar to the authentic companies’ websites or social media interfaces.
  2. Such websites and social media accounts list fake customer care numbers for relevant brands.
  3. When a customer tries to search for a company name by using a search engine, the customer care numbers or email IDs that pop up as results are often these fraudulent ones.
  4. The customer may end up calling such a fake number, and get entrapped by fraudsters into sharing his or her bank information, which enables the anonymous con artists to siphon off money from the customer’s account.
  5. These fraudsters send online links, asking customers to share their UPI details or other such information.
  6. Unsuspecting customers are also asked to download screen mirroring apps, through which the fraudsters gain access to information on mobile phones.

Challenges in tackling cyber crimes

  1. All the players involved, including banks, telecom companies, financial service providers, technology platforms, social media platforms, e-commerce companies, and the government, need to play a responsible role.
  2. The customer also has a responsibility to maintain basic cyber hygiene by following practices and taking precautions to keep one’s sensitive information organized, safe and secure.
  3. Law enforcement agencies in different states are not fully equipped to understand and act upon complaints of such frauds.
  4. Victims of fraud are too ashamed to admit that they have been conned, and often do not even tell their families. If the losses are large, the results can be devastating for fraud victims.
  5. While many cases aren’t even reported, in cases that are, the investigations make little or no progress due to lack of access to data.
  6. Despite multiple requests for data from Indian startups, search engines and social media platforms have generally been unresponsive, taking cover under the privacy principles or laws of the countries they are based in.
  7. The US Electronic Communications Privacy Act bars US-based service providers from disclosing electronic communications to law enforcement agencies of any country unless US legal requirements are met.
  8. The bilateral mechanism of the India-US Mutual Legal Assistance Treaty is a bit outdated and does not seem to work.
  9. Since most search engines and social media platforms have no “permanent establishment” in India, law enforcement agencies have hit a wall on data access.
  10. The US CLOUD (Clarifying Lawful Overseas Use of Data) Act, however, enables law enforcement authorities in India to request electronic content directly from US service providers under an executive agreement with the US government.

Conclusion

India needs to work out a way to crack cyber frauds and crimes. The country urgently needs a legally-backed framework that would bind all parties and enable law enforcers to act quickly and safeguard Indian citizens and businesses from a fast-growing menace.

Back2Basics

[Burning Issue] Data localization

[op-ed snap] Data deprivation makes cybercrime difficult to tackle

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Not Much

Mains level : Curbing cyber crimes with data localization

Context

Cyber hygiene: Need of hour

  • In recent times, there have been many instances of the hard-earned money of Indians being taken out of bank accounts and charges loaded onto credit cards through online frauds.
  • As a nation making a huge transition to a cashless economy, public faith in the digital system needs to be consistently reinforced.
  • All the players involved, including banks, telecom companies, financial service providers etc. and the government, need to play a responsible role in ensuring innocent citizens do not undergo the trauma of suffering losses.
  • The customer also has a responsibility to maintain basic cyber hygiene, which includes following practices and taking precautions to keep one’s sensitive information organized, safe and secure.

The new startups

  • Another emerging casualty of such cybercrimes is the emerging “startup” ecosystem.
  • We are beginning to see multiple cases where customers of genuine startups, unicorns and Indian businesses have been subjected to online fraud.
  • These customers initially presume that it is the customer care departments of the companies that have conned them, as we see in many of the cases that get filed.
  • This is a dangerous trend. Not only does it shake people’s faith in digital systems, the scepticism vis-a-vis online transactions also hurts the potential of emerging companies.

Modus operandi of cyber crimes

  • Let us look at the modus operandi of some of the recent internet-based financial frauds affecting companies in the digital and e-commerce space.
  • Fraudsters usually start by creating various websites or accounts on social-media platforms that host some content to make them look deceptively similar to the authentic companies’ websites or social media interfaces.
  • Such websites and social media accounts list fake customer care numbers for the relevant brands.
  • When a customer tries to search for a company name by using a search engine, the customer care numbers or email IDs that pop up as results are often these fraudulent ones.

Most cases go unreported

  • Also, some victims of fraud are too ashamed to admit that they have been conned, and often do not even tell their families.
  • Yet, if the losses are large, the results can be devastating for fraud victims.
  • While many cases aren’t even reported, in cases that are, the investigations make little or no progress due to lack of access to data.

What can be done?

Enforcement agencies need to gear up

  • Even the income tax department has not been spared, with people getting messages from a fraudulent source that masks itself as an income tax authority and sends a message asking them to claim tax refunds by sharing a link.
  • It is difficult to estimate the scale of the problem, as law enforcement agencies in different states are not fully equipped to understand and act upon complaints of such frauds.

Data localization

  • Since most search engines and social media platforms have no “permanent establishment” in India, law enforcement agencies have hit a wall on data access for the purpose of solving cybercrimes.
  • This has often raised calls for complete data localization, which could have been avoided had a collaborative mechanism for data access, based on agreed criteria, been put in place.
  • The Srikrishna Commission recommended that data be stored in the country either directly or through mirror servers to serve law enforcement needs.
  • The US Electronic Communications Privacy Act bars US-based service providers from disclosing electronic communications to law enforcement agencies of any country unless US legal requirements are met.
  • The bilateral mechanism of the India-US Mutual Legal Assistance Treaty is a bit outdated and does not seem to work.

Way forward

  • While privacy and data protection are necessary, and data localization may pose its own business challenges, India needs to work out a way to crack cyber frauds and crimes.
  • For this, the country urgently needs a legally-backed framework for a collaborative trigger mechanism that would bind all parties and enable law enforcers to act quickly and safeguard Indian citizens and businesses from a fast-growing menace.

[op-ed snap] Going local

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Nothing Much

Mains level : Critical review of data localisation policy for Indian economy

CONTEXT

A high-level government panel has recommended doing away with the requirement of foreign firms needing to store a copy of all personal data within India.

Background

  • Firms will now be able to store and process data abroad, though critical personal data will have to be processed and stored in the country.
  • This approach marks a significant departure from the recommendations of the Justice Srikrishna committee report which had suggested that a copy of personal data must be stored in the country.
  • The panel’s decision comes after a rethink by the Reserve Bank of India, which earlier relaxed its April 2018 circular that had mandated that all payment data generated in the country be stored here.

Impact of rethink

This decision, which is likely to be welcomed by foreign companies, who would have seen a surge in costs to comply with these regulations, suggests that a more considered view on localisation norms is evolving in India.

The arguments in favour of data localisation are straightforward — it will address questions on privacy and security, enable greater governmental access to data, and help develop local data infrastructure.

Costs associated with data localisation

But on each of these issues, it is not very clear if the benefits from localisation outweigh the costs.

1. No strong data protection law – For instance, in the absence of a strong data protection law, questions of privacy and security are unlikely to be addressed.

2. Bilateral Treaties are better – And while there are reasonable arguments to be made in favour of law enforcement having greater access to data, especially when it is not stored in India, interventions such as bilateral treaties aimed at addressing specific issues might be a more prudent approach.

3. Definition of critical Data

  • The next set of questions are likely to centre around what constitutes critical personal data.
  • The Srikrishna committee report had classified personal data pertaining to finances, health, biometric and genetic data, religious and political beliefs, among others, as sensitive personal data.

4. A single agency

  • It had envisaged a data protection agency which would list out further categories of sensitive personal data.
  • But it is debatable whether a single agency is best suited to draw up this list. Globally, the framing of localisation norms has been largely contextual, driven typically by the type of data and the sector it relates to (in Canada, any data may be sensitive based on the context), so sector-specific regulators might be better at identifying which data is sensitive.

Central Welfare Database of Citizens

Note4Students

From UPSC perspective, the following things are important :

Prelims level : About the database

Mains level : Need for a centralized welfare database


Central Welfare Database of Citizens

  • The Economic Survey 2018-19 pitched for setting up a central welfare database of citizens — by merging different data maintained by separate Ministries and departments.
  • These recommendations come at a time when India is working on finalising its personal data protection policy.
  • The principle is that most data are generated by the people, of the people and should be used for the people.
  • This database can be tapped for enhancing ease of living for citizens, particularly the poor.

Data to be included

  • The datasets proposed for inclusion are administrative data such as birth and death records, pensions, tax records, marriage records; survey data such as census data, national sample survey data; transactions data such as e-national agriculture market data, UPI data, institutional data and public hospital data on patients.

Why such centralized database?

  • The governments already held a rich repository of administrative, survey, institutional and transactions data about citizens, but these data were scattered across numerous government bodies.
  • Merging these distinct datasets would generate multiple benefits with the applications being limitless.
  • The government could utilise the information embedded in these distinct datasets to enhance ease of living for citizens, enable truly evidence-based policy, improve targeting in welfare schemes, uncover unmet needs, and integrate fragmented markets.
  • This will bring greater accountability in public services and generate greater citizen participation in governance, etc.

Need for stringent safeguards

  • It also recommended granting access to select database to private sector for a fee, given that stringent technological mechanisms exist to safeguard data privacy.
  • The Survey noted that there had been some discussions around the “linking” of datasets, primarily through the seeding of an Aadhaar number across databases such as PAN database, bank accounts and mobile numbers.
  • However, it clarified that the linking is “one-way.” For example, banks can use the tokenized Aadhaar number to combine duplicate records and weed out benami accounts.
  • This does not mean that the UIDAI or government can read the bank account information or other data related to the individual.

Way Forward

  • The Survey pointed out that governments can create data as a public good within the legal framework of data privacy.
  • Care must also be taken not to impose the “elite’s preference of privacy on the poor, who care for a better quality of living the most”.

Explained: Debate over Data Localization

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Data Localization

Mains level : Debate over Data Localization Policy in India

  • The IT Ministry’s Bill on data protection is scheduled to be introduced in Parliament during the current session.
  • Worldwide, the data flow debate is playing out at the World Trade Organisation (WTO) and G20.

The ‘Data’ under debate

  • Data is any collection of information that is stored in a way so computers can easily read it.
  • These days, most people refer to data to mean information about their messages, social media posts, online transactions, and browser searches.
  • Big data refers to the immense amount of data that can now be collected, stored, and analysed to find patterns.

Why is Data important?

  • This large collection of information about people’s online habits has become an important source of profits.
  • Your online activity can expose a lot about who you are, and companies find it valuable to use the information to target advertisements to you.
  • Governments and political parties have also gained interest in these data sets for elections and policymaking.

Data Localization

  • Data is stored in a physical space, like a file cabinet that can be the size of the Taj Mahal.
  • Data is also transported across country borders physically, traveling through underwater cables that run as deep as Mount Everest and as long as four times the span of the Indian Ocean.
  • Thirdly, just as oil is refined, data has to be processed to be useful. This means it is analysed by computers.
  • These aspects of data flows — where it is stored, where it is sent, where it is turned into something useful — determine who has access to the data, who profits off the data, who taxes the data, and who “owns” the data.
  • With these questions in mind, individual governments are developing their own domestic rules and negotiating with each other on a global stage, raising values of national security, economic growth, and privacy.

India in favor of Data Localization

  • India’s recent drafts and statements have strong signals for data localisation, which means that data of Indians (even if collected by an American company) must be stored and processed in India.
  • Along with an RBI directive to payment companies to localize financial data, the Ministry of Commerce’s draft e-commerce policy is currently in public consultation.
  • The IT Ministry has drafted a data protection law that will be introduced in Parliament and has also framed draft intermediary rules that were leaked earlier.
  • These laws, broadly speaking, could require Facebook, Google, and Amazon to store and process in India information such as an Indian’s messages, searches, and purchases.
  • In some cases, they restrict what type of data these companies can collect. In others, they require only a copy of the data to be in the country.
  • By requiring a copy of the data to be stored in India (data mirroring), the government hopes to have more direct control over these companies, including the option to levy more taxes on them.
  • The government also argues for data localisation on the ground of national security, to prevent foreign surveillance and attacks.

What are counter-arguments against data localisation?

  • On the other side, the US government and companies want cross-border flow of data. It would allow companies to store the data of Indians in the most efficient place in the world.
  • Even though India’s data economy is not as large as that of others, it is one of the fastest growing, making it a market that global companies cannot afford to ignore.
  • Proponents of free flow of data worry that if all countries begin to protect their data, it may backfire on India’s own companies that seek global growth.
  • Others caution that these laws could bring increased state surveillance, like India’s draft intermediary rules that would require WhatsApp to change its design to proactively filter messages.
  • The company says messages are currently encrypted, meaning neither the company nor any government can see them.

Data policies in neighbourhood

  • China has developed similar laws, which proponents say allow for a flourishing domestic economy of data centres and data processing by blocking foreign players out.
  • This is why Indian companies, like Reliance and PayTM, usually support data localisation.
  • The other argument from the Indian government is that localisation will help law enforcement access the data.
  • Currently, India has to use “mutual legal assistance treaties” (MLAT) with the US to get the data of Indians that are controlled by American companies.

What is happening at the global forums?

  • Trade tensions worldwide are escalating, giving the data flow debate new relevance at the WTO and G20.
  • WTO member countries are negotiating rules about e-commerce, which is the buying and selling of goods and services online.
  • Digital trade contributes more to global GDP than physical trade. India is one of the fastest growing markets, with e-commerce expected to reach $1.2 trillion by 2021.
  • These laws raise questions about where companies can store, process, and transport data about transactions.
  • In their proposals, the US and the EU have called to prohibit customs duties on online transactions while China and Pakistan have called for allowing them.
  • The US has also recommended not having overly burdensome data standards nor localisation requirements, while the EU wants data localisation requirements.

Ahead of G20 meet

  • A principle titled “Data Free Flow with Trust” (DFFT) — supported by US, Japan, and Australia — is expected to be a significant talking point at the upcoming G20 summit.


[op-ed snap] Breaking the algorithm

Note4Students

From UPSC perspective, the following things are important :

Prelims level : Nothing Much

Mains level : Algorithm collusion should be monitored to promote transparent market.

CONTEXT

Businesses are increasingly utilising algorithms to improve their pricing models, enhance customer experience and optimise business processes. Governments are employing algorithms to detect crime and determine fines. Consumers are benefitting from personalised services and lower prices. However, algorithms have also raised concerns such as collusions and malfunctioning, privacy, competition issues, and information asymmetry.

  • Automated systems have now made it easier for firms to achieve collusive outcomes without formal agreement or human interaction, thereby signalling anti-competitive behaviour.
  • This results in “tacit algorithmic collusion”, an outcome which is still not covered by existing competition law.

Case study – This can occur in non-oligopolistic markets too. In 2015, the US Federal Trade Commission fined David Topkins (former e-commerce executive of a company selling online posters and frames) for fixing the price of certain posters sold through Amazon Marketplace using complex algorithms, impacting consumer welfare and competition adversely.

Security Concerns from collusion algorithms

1. Negligence of private data

  • In order to enjoy services at low or zero price, consumers neglect the value of their data.
  • Access to easily procurable data such as Facebook “likes” can be used to target only advantageous customers circumventing anti-discrimination mechanisms.

2. Ransomware attack –

  • Application of advanced algorithms has also resulted in an increase in ransomware attacks.
  • A devastating cyber attack — the WannaCry ransomware attack — hit the world in May 2017, affecting around 2,30,000 computers across 150 countries.

3. Competition –

  • Important concerns pertain to “competition” as well.
  • Processing of large datasets through dynamic algorithms generates real-time data “feedback loops”, impacting competition adversely.
  • As more users visit select platforms, not only more data, but data with greater reliability is collected, allowing firms to more effectively target customers. Consequently, more users feed back into this loop.

Case Study – That Google has been estimated to charge a higher cost-per-click (CPC) than Bing, a competitor, suggests that advertisers attribute a higher probability of converting a viewer of Google’s ads into a customer.

4. Complexity of system –

  • Then, we have evolving machine-learning algorithms ranging from voice recognition systems to self-driving cars.
  • Even high-profile programmers/developers may not be able to trace the working of such algorithms, making the identification of any anti-competitive practice nearly impossible.

Conclusion

A rethink of public policy is absolutely essential if non-desirable impacts of artificial intelligence on the human race are to be arrested.


India to have own DNS for safe browsing

Note4students

Mains Paper 3: Security| Basics of cyber security

From UPSC perspective, the following things are important:

Prelims level: DNS

Mains level: Data Localization and its implications


News

  • The government will soon roll out a public Domain Name Server, or DNS, for India aimed at providing a faster and more secure browsing experience for Internet users in the country, while ensuring that citizens’ data is stored locally.

What is DNS?

  • A DNS is like a phonebook for the Internet.
  • Humans access information online through domain names, like abcd.com or pqrs.co.in etc.
  • Web browsers interact through Internet Protocol (IP) addresses.
  • DNS translates domain names to IP addresses so browsers can load Internet resources.

Indian DNS

  • The roll-out will be executed by the National Informatics Centre – the technology arm of the government.
  • NIC is already using the public DNS within the government network.
  • The users are not mandated to shift to India public DNS. A user is free to choose any DNS.
  • With the government’s public DNS, Indian users’ data would be stored within the country, thereby creating a move towards Data Localization.

Utility of Indian DNS

  • The main aim of bringing our own public DNS is to ensure availability, particularly for smaller Internet Service Providers (ISPs) who don’t have credible DNS.
  • Bigger ones usually have their own DNS.
  • There are other open DNS servers, including Google Public DNS.
  • The government’s DNS would prevent users from visiting malicious websites.
  • If the government wants to block a website, there is a mechanism in place.
  • The Govt can send a list to the ISPs for reasons such as child porn or fake news, and they have to comply with the order.


[op-ed snap] Heading towards strategic instability

Note4students

Mains Paper 3: Security| Challenges to internal security through communication networks, role of media and social networking sites in internal security challenges, basics of cyber security; money-laundering and its prevention.

From UPSC perspective, the following things are important:

Prelims level: Basic knowledge of the emerging military high-tech innovations.

Mains level: The news-card analyses the challenges that India might face as there is a possibility of emerging disruptive technologies prompting inadvertent conflict, in a brief manner.


Context

  • In late 2018, the government decided to set up three new agencies — the Defence Cyber Agency, the Defence Space Agency and the Special Operations Division — in order to address the new age challenges to national security.

Recommendations given by Naresh Chandra Task Force and the Chiefs of Staff Committee

  • This is indeed a useful step in the right direction.
  • However, it is also important to note that the constitution of these agencies is a far cry from the crucial recommendations given by the Naresh Chandra Task Force and the Chiefs of Staff Committee.
  • Both the committees had suggested the formation of three separate joint commands to deal with new challenges to India’s national security in the cyber, space and special operations domains.
  • This lacklustre response to major ‘futuristic’ challenges to our national security has raised the question: is India adequately prepared for the new age wars?

World is moving away from traditional military hardware to high-tech innovations

  • There is a revolution in military affairs that seems to have attracted the attention of strategic analysts and policy planners across the world.
  • The current focus in military thinking across the world is increasingly moving away from traditional heavy-duty military hardware to high-tech innovations.
  • These include artificial intelligence (AI), big data analytics, satellite jammers, hypersonic strike technology, advanced cyber capabilities, spectrum denial and high-energy lasers.
  • In the light of the unprecedented capabilities that these systems offer, there is also an increased focus on developing suitable command and control as well as doctrinal concepts to accommodate and calibrate them.

Implications

  • The arrival of these technologies might deeply frustrate strategic stability as we know it given their disruptive nature.
  • Strategic stability in the contemporary international system, especially among the nuclear weapon states, depends on several age-old certainties, the most important being the issue of survivability of a state’s nuclear arsenal and its ability to carry out a second strike after a first attack.
  • Once accuracies get better, hypersonic glide vehicles replace conventional delivery systems, real time tracking and surveillance make major strides, and AI-enabled systems take over, survivability of nuclear arsenal, which lies at the heart of great power stability, could take a severe beating.
  • There was an assumption that the naval leg of a nuclear triad is the most survivable part since it is hidden away in the depths of the ocean away from the adversary’s gaze.
  • However, the potential ability of deep-sea drones to detect ballistic-missile armed nuclear submarines or SSBNs may make this assurance a thing of the past thereby frustrating traditional calculations.

New era of strategic instability

  • The arrival of these new technologies is worrisome when we add it to the emerging strategic competition among great powers.
  • The U.S.’s withdrawal from the Intermediate-Range Nuclear Forces treaty is perhaps an indication of a potential arms race in the offing.
  • According to experts, disruptive new technologies, worsening relations between Russia and America and a less cautious Russian leadership than in the cold war have raised fears that a new era of strategic instability may be approaching.

Inherent paradox vis-à-vis high technology-enabled military systems

(a) Vulnerable to covert cyberattacks

  • While it is imperative for states to redesign their systems in the light of these new technologies, especially the digital and cyber components, this also makes the cyber- and digital-enabled systems vulnerable to covert cyberattacks.
  • More so, given that such surreptitious attacks might take place in the early stages of a conflict.
  • The ensuing confusion and scare might lead to uncontrolled escalation with little time for assessment and judgement.

(b) Risks of nuclear use

  • The biggest fear about these technologies is their potential to increase the risks of intentional and inadvertent nuclear use.

(c) Inadvertent escalation and conflict

  • The fear of a bolt-from-the-blue attack against one’s command and control systems or a disabling strike against strategic arsenal using new technological solutions is likely to dominate the strategic mind-space of great powers in the days ahead, thereby further deepening mistrust and creating instability.
  • Therefore, the possibility of emerging military technologies prompting inadvertent escalation and conflict cannot and should not be ruled out.

Increasing Chinese capabilities

  • China has emerged as a key actor in the field of emerging military technologies.
  • This is something that will concern New Delhi in the days ahead.
  • Some analysts believe that Beijing is in the lead position in emerging technologies with potential military applications such as quantum computing, 3D printing, hypersonic missiles and AI.
  • If Beijing continues to develop hypersonic systems, for instance, it could potentially target a range of targets in the U.S.
  • While the Chinese focus is evidently on U.S. capabilities, which China interprets as a potential threat, this is not without latent concerns for New Delhi.
  • In turn, India might consider developing some of these technologies which will create dilemmas for Islamabad.
  • The cascading strategic competition then looks unavoidable and that is worrisome.
  • However, it might be difficult to avoid some of these developments given their dual use.

Way Forward

  • There is a need to ask how survivable India’s naval platforms are given the feverish developments of advanced sensory capability in the neighbourhood.
  • India needs to be sufficiently prepared to face the new age wars.
  • It is in this context that we must revisit the government’s decision to set up the agencies to address cyber and space challenges.
  • It is timely that the government has finally decided to set them up, though they are not yet in place.
  • The reports indicate that the Space Command will be headed by the Air Force, the Army will head the Special Operations Command, and the Navy will be given the responsibility of the Cyber Command.
  • If that happens, their effectiveness in terms of tri-service synergy will be much less than anticipated given that the higher defence decision-making in the country is still civil services-dominated.