Security, Governments, and Data: Technology and Policy

Ensuring the security of the India’s cyber space is a complex, challenging, and ever changing responsibility that the government is tasked with. Doing so effectively requires a number of factors to come together in a harmonized strategy including: laws & policies, technical capabilities, markets, and a skilled workforce. It also requires collaboration on multiple levels including with foreign governments, domestic and foreign industry, and law enforcement. The first of these is particularly important given the ability of attackers to penetrate across borders and the global nature of data. Any strategy developed by India must be proactive and reactive – evolving defences to prevent a potential threat and applying tactics to respond to a real time threat. To do so, the government of India must legally have the powers to take action and must have the technical capability to do so. Yet, many of these powers and technical capabilities require a degree of intrusion into the lives of citizens and residents of India through means such as surveillance. Thus, such measures must be considered in light of principles of proportionality and necessity, and legal safeguards are needed to protect against the violation of privacy. Furthermore, a principle of optimization must be considered i.e, how much surveillance achieves the most amount of security and how can this security be achieved with the optimal mix of technology, policy and enforcement. 

Challenges & Present Scenario

Protecting and enhancing the cyber security of India is a complex and dynamic responsibility. The challenge of securing cyber space is magnified by the demarcated nature of the internet, the multiplicity of vulnerabilities that can be exploited at the national level, the magnitude of infrastructure damage possible from a cyber attack, and the complexity of application of a jurisdiction’s law to a space that is technologically borderless. A comprehensive ‘cyber security’ ecosystem is required to address such challenges – one that involves technology, skills, and capabilities – including surveillance capabilities. The Government of India has taken numerous steps to address and resolve such challenges. In July 2013, the National Cyber Security Policy was published for the purpose of creating an enabling framework for the protection of India’s cyber security. In February 2014, the 52nd Standing Committee on Information Technology issued a report assessing the implementation of this policy – in which they found that a number of areas needed strengthening. The Government of India has also proposed the establishment of a number of centers focused on cyber security – such as the National Cyber Coordination Center and the

National Critical Information Infrastructure Protection Centre. CERT-IN, under the Department of Electronics and Information Technology is presently the body responsible for overseeing and enforcing cyber security in India, while other bodies such as the Resource Centre for Cyber Forensic and TERM cells under the Department of Telecommunications play critical roles in overseeing and undertaking capabilities related to cyber security.

Law & Policy

India has five statutes regulating the collection and use of data for surveillance purposes. These laws define circumstances on which the government is justified in accessing and collecting real time and stored data as well as procedural safeguards they must adhere to when doing so. The Department of Telecommunications has also issued the Unified Access License which, among other things, mandates service providers to provide technical support to enable such collection. The Indian judicial system has also provided a number of Rulings that set standards for the access, collection, and use of data as well as defining limitations and safeguards that must be respected in doing so. The draft Privacy Bill 2011, released by the Department of Personnel and Training, also contained provisions addressing surveillance in the context of interception and the use of electronic video recording devices. In the Report of the Group of Experts on Privacy, the AP Shah Committee found that the legal regime for surveillance in India was not harmonized and lacked safeguards. Furthermore, in the era where the direct collection of large volumes of data is easily possible, there is a growing need to re-visit questions about the legitimate and proportionate collection and use (particularly as evidence) of such data. Questions are also arising about the applicability of standards and safeguards to the state. At a global level, catalyzed by the leaks by Edward Snowden, there has been a strong push for governments to review and structure their surveillance regimes to ensure that they are in line with international human rights standards.

Architecture & Technology

India is in the process of architecting a number of initiatives that seek to enable the collection and sharing of intelligence such as the CMS, NATGRID, and NETRA. At a regional level, the Ministry of Home Affairs is in the process of implementing ‘Mega Policing Cities’ which include the instalment of CCTV’s and centralized access to crime related information. Globally, law enforcement and governments are beginning to take advantage of the possibilities created by ‘Big Data’ and ‘open source’ policing. The architecture and technology behind any surveillance and cyber security initiative are key to its success. Intelligently

and appropriately designed projects and technology can also minimize the possibility of intrusions into the private lives of citizens. Strong access controls, decentralized architecture, and targeted access are all principles that can be incorporated into the architecture and technology behind a project or initiative. At the same time, the technology or process around a project can serve as the ‘weakest link’ – as it is vulnerable to attacks and tampering. Such possibilities raise concerns about the use of foreign technology and dependencies on foreign governments and companies.

International and Domestic Markets

Globally, the security market is growing – with companies offering a range of services and products that facilitate surveillance and can be used towards enhancing cyber security. In India, the security market is also growing with studies predicting that it will reach $1.06 billion by 2015. Recognizing the potential threat posed by imported security and telecom equipment, India also develops its own technologies through the Centre for Development of Telematics –attached to the Department of Telecommunications, and the Centre for Development of Advanced Computing – attached to the Department of Electronics and Information Technology. At times India has also imposed bans on the import of technologies believed to be compromised. Towards this end, the Government of India has a number of bodies responsible for licensing, auditing, and certifying the use of security and telecommunication equipment. Though India has recognized the security vulnerabilities posed by these technologies, as of yet it has not formally recognized the human rights violations that are made possible. Indeed, though India has submitted a request to be a signing member of the Wassenaar agreement, they have yet to be accepted.

Notes from 52nd Standing Committee on IT

As of now, it can be said that the benefits, costs and dangers of the internet, are poorly understood and appreciated by the general public.

The key conributors to online risks for an individual can be summarized as follows:

● Lack of knowledge● Carelessness● Unintentional exposure of or by others● Flaws in technology – for instance, in the service offered online

● Criminal acts.Most of the internet frauds reported in the country are relating to phishing, usage of stolen Credit cards / debit cards, unauthorised fraudulent Real Time Gross Settlement (RTGS) transactions, fictitious offers of fund transfer, remittance towards participation in lottery, money circulation schemes and other fictitious offers of cheap funds etc.

Type of cyber crime

How it is carried out

Legal measures as per IT Act 2000 and Amendments.

Technical and other measures.

Cyber Stalking Email, IM web post etc.

43, 66

Compensation and punishment for three years.

Chatting with known people only.

Taking up the matter with concerned service providers in stopping cyber stalking activities.

Intellectual property crime

- Source code tampering etc.

Source code manipulation and tampering

43, 65, 66

Compensation and punishment of three years fine

Strong authentication and technical measures for prevention of data leakage.

Salami Attack(theft of data or manipulating banking account)

By means of unauthorised access to source code and deducting small amounts from account without getting noticed

43, 66

Compensation and punishment of three years fine

Strong authentication measures etc as mentioned above

Email bombing Flooding the 43, 66, 66c Anti spam filters.

and Phishing email account with innumerable number of emails to disable to notice important message at times, using automated tools

Bank financial frauds in electronic banking using social engineering techniques to commit identity theft.

Strong financial authentication transfer measures

Taking down of phishing websites

Pornography,

Child pornography

Video voyeurism and violation of privacy

Offensive messages

Publishing pornographic materials to social media sites etc

(for Offensive Communication of offensive messages through computer of phone

67A

67B (child porno)

66E (video voyeurism)

66A

Taking down

Hacking of protected systems

Hacking the computer system through various systems

70(10 years punishment with fine)

Strong layer of security.

As per the information given by the Department for the last five years the

number of reported incidents of website compromise has grown 5.5 times and

india is today among the first five countries with respect to spam mail. Phishing

incidents have increased from 392 to 887.

Efforts by the DeitY: an overall framework for the National Cyber Security,

looked after by National Security Council Secretariat (NSCS)

Our systems like Nuclear establishment are no on the internet yet, so so far its

safe for now. And power systems are not connected yet so there is less

vulnerability for now but as the sytems get complex and later on connected by

internet then the threat looms large. But there are possibilities that the

systems may have certain malware embedded in it so that once those

infrastructure gets connected online the systems could be vulnerable like

Stuxnet incident.