Friday, December 25, 2015

Cyber Security Trends In India 2016

Cyber security is a complex and unpredictable field and it is very difficult to provide a sure shot pattern for the same. Perry4Law Organisation (P4LO) provided the cyber security trends of India 2015 that proved almost accurate. The cyber security developments in India 2015 provided by P4LO outlined the important cyber security incidences and events that took place in the year 2015. Overall, Indian cyberspace witnessed an enhanced level of sophisticated and stealth cyber attacks that India was not prepared to deal with. The main reason for this inability was that a robust and effective cyber security infrastructure in India is still missing.

Now Perry4Law Organisation (P4LO) has provided the cyber security trends of India 2016 that has outlined the potential cyber security incidences and events that may take place in India in the year 2016. The crux of the 2016 cyber security trends is that Indian needs to stress upon development of both offensive and defensive cyber security capabilities. This include adequate cyber security measures against botnet, malware, zero day vulnerabilities, cyber warfare, cyber terrorism, cyber espionage, etc.

Two areas where India has miserably failed in 2015 are lack of a dedicated cyber security law and adequate cyber breaches disclosure norms in India. As a result various stakeholders are least bothered to ensure sufficient cyber security infrastructure for their respective fields. Even if their infrastructures are breached, they do not report the same to Indian cyber security agencies. This practice of cyber apathy may change in the year 2016 as the cyber security policy of India 2016 may be introduced by Narendra Modi government.

The cyber security trends of 2016 would also witness an increase focus and stress upon data protection (PDF) and privacy protection in India. The Digital India project is suffering from many shortcomings and lack of cyber security infrastructure and absence of civil liberties protection are two prominent shortcomings of Digital India. If concepts like smart cities and smart grids are made digital without making them cyber secure, it would be a serious mistake on the part of Indian government. Similarly, if Indian government is peeking into the private lives of its citizens on every occasion, this would make India the biggest digital panopticon of human history.

Perry4Law Organisation (P4LO) has launched two dedicated techno legal cyber security centres named Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) and Cyber Security Research and Development Centre of India (CSRDCI). The prime objective of these cyber security centres is to empower India with a techno legal cyber security framework that is presently missing. We have urged in the past that Indian government must be serious about cyber security. We have also emphasised that Narendra Modi government must protect Indian cyberspace on a priority basis.

We hope the year 2016 would be a good one for Indian cyber security. Perry4Law Organisation (P4LO) and CECSRDI would extend their techno legal expertise to strengthen the offensive and defensive cyber security capabilities in India.

Thursday, December 10, 2015

Open Source Intelligence (OSINT) By Intelligence Agencies Through Social Media Websites

Social Networking websites are rich source of sensitive and personal information. This information is mostly shared voluntarily by the users of such Social Networking websites but in many cases they are also forced to part with this information to have access and continued access to such websites. Naturally, Intelligence Agencies have "Inherent Interest" in such information especially those Intelligence Agencies who belong to the same Nation where such Social Networking websites are located.

Intelligence Agencies gather such information either with a Court Warrant or without the same. Further, they also gather such information by simply analysing the "Publically Available Information" by creating an account at the concerned Social Networking website. In short, Intelligence Agencies have been engaged in “Intelligence Gathering Activities” for long. This may be covert or overt, technological or non technological, legal or illegal and so on. But this gathering exercise was there and it is going to be there in future as well.

However, modern practice of Intelligence Gathering is crucially different from traditional practices. Traditional Intelligence Gathering was more on the side of Human Intelligence (HUMINT) whereas the contemporary one is based more upon Information and Communication Technology (ICT).

As far as Technological Intelligence Gathering is concerned, Social Media is a “Favourite Destination” for Intelligence and Security Agencies. Social Media is a favourite destination because it is a “Gold Mine” of valuable and voluntary information available for ready reference. Social Media also provides the best platform for Open Source Intelligence (OSINT).

Social Media also, in majority of cases, provides a “Legally Obtainable” and “Legally Relevant” Evidence. Since the “Information” or “Evidence” is available “Openly” and to “Public at Large” and in a “Non Confidential” manner, generally any such acquired Information or Evidence can be “Relied Upon” in a Court of Law. However, “Admissibility” of such Evidence is subject to the “Discretion” of the Court and well established “Legal Principles”.

Besides Intelligence Agencies, Military Forces are also using Social Media to gain Information relevant to their uses. Military and Intelligence Agencies have been using “Fake Profiles” to get such Information. The aim may be to get a “Predictive Behaviour or Trend” or to obtain any other Information that is of “Strategic Importance”.

Getting Information from Social Media requires good Communication and Data Mining Skills. However, while doing so, one must not violate any Civil Liberties or Laws Protecting such Information. Although many countries have Social Media Laws, we have no dedicated Social Media Laws in India. Even we do not have any Social Media Policy of India.

Social Networking Laws in India are urgently required. To start with, we must have a Social Networking Policy of India. Open Source Intelligence through Social Media Platforms would raise a number of Techno Legal Issues, especially Civil Liberty Issues. For instance, questions like what constitutes “Public Data”, how can a Person Legally obtains Data, what is the “Relevancy” of such Information/Data, how the “Admissibility” of such Information/Data would be decided, etc would be asked.

Similarly, Privacy Issues, Speech and Expression Issues, scope and nature of E-Surveillance, etc would also be required to be resolved in future. This is a new field for both Law makers and Law Enforcers and needs an “Urgent Attention” of Parliament of India.

Narendra Modi Government Must Protect Indian Cyberspace On A Priority Basis

A recent Techno Legal Research Report by Perry4Law Organisation (P4LO) on Cyber Security has raised crucial questions about Cyber Security Problems and Challenges in India. The major problem with Indian Cyber Security is that we have no effective Cyber Security Infrastructure in India that can successfully tackle sophisticated Cyber Attacks against Indian Infrastructures. For instance, the Digital India Project of Indian Government itself is vulnerable to Cyber Attacks and this factor has not been taken into account by Indian Government so far. Perry4Law Organisation (P4LO) has recommended formulation of suitable Techno Legal Framework and bringing adequate amendments in the Indian Constitution to make Digital India a success.

A robust cyber security is essential to protect critical infrastructures (PDF) and public services rendered through information technology. If world wide events are some hints then India must seriously think in the direction of ensuring effective cyber security for Indian IT infrastructures and cyberspace. However the new Government would face many cyber security challenges as India has ignored cyber security for decades. It is expected that Narendra Modi Government would be serious about Cyber Security of India.

Meanwhile, Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc have been written to subvert the cyber security of Nations around the world. They are clearly made with the objective to indulge in cyber espionage, cyber warfare and cyber terrorism. If India establishes a counter terrorism centre, cyber security would be integral part of the same. In fact, the intelligence agencies of India have been working in the direction of acquiring a legal immunity for themselves while indulging in cyber deterrent acts.

India would revise her national security priorities now as the new Government is more committed towards that. The same would be techno legal in nature as considering traditional security alone would be counter productive in the long run. Cyberspace has emerged as a new security frontier and the new Government is well equipped to deal with the same.

However, companies, business houses, Government departments, public utility service providers and defence forces must also change the way they are presently managing their cyber security affairs. The cyber security obligations of stakeholders like law firms, e-commerce websites, directors of companies, Government departments, thermal power sector, power and energy utilities, etc must be properly understood and effectively implemented in India.

In order to achieve this, the Government must take pro active steps. For instance, there is an urgent need to formulate and actually implement cyber security breach disclosure norms and cyber crisis management plan. Similarly, National Critical Information Infrastructure Protection Centre (NCIPC) of India, National Cyber Coordination Centre (NCCC) of India, Tri Service Cyber Command for Armed Forces of India, etc. must also be constituted and made active immediately.

The cyber security trends of India (PDF) have shown that Indian cyber security initiative and efforts are grossly inadequate and poorly coordinated. There is no centralised coordination between various cyber security projects of India and all are operating in an independent manner. At times this creates a conflict situation between them and the end result is very disappointing.

There are little efforts towards modernisation of law enforcement and intelligence agencies of India. Cyber forensics methods and techniques are also not widely used (PDF) by our law enforcement and intelligence agencies like Enforcement Directorate (ED), Central Bureau of Investigation (CBI), etc in the absence of techno legal expertise. Even investigations into the cases of IPL match fixing, Nokia’s software download, etc was not upto the mark. The regulations and guidelines for effective investigation of cyber crimes in India are still awaited and many cyber criminals are not prosecuted effectively.

All these lacuna and shortcomings have created a vicious circle of problems that is detrimental to Indian cyberspace. We have to systematically cure these defects and shortcomings one by one as they are interrelated in nature. While doing so we must keep in mind the fragile and precarious nature of Internet and cyberspace that would create troubles for India in the near future.

National Counter Terrorism Centre (NCTC) Of India: A Techno Legal Analysis

Terrorism has become a global menace and the war against terrorism is a continuous process. Terrorists are inventing novel methods to engage in nefarious activities and various Nations are fighting back with "Counter Terrorism Technologies" to tackle the same.

Terrorists have taken their fight to a new level with active use of technology to cause damage to individuals and properties. A few years back, it was very difficult to accept that conepts like Cyber Terrorism exist. Now it is clear that Cyber Terrorism not only exists but it can cause serious damage to Critical Infrastrucures that are relying upon information technology for their functioning.

India has been facing terrorist activities for many decades. This has necessiated for the introduction of anti terrorism initiatives on the part of Indian Government. One such good initiative that is facing practical difficulties is National Counter Terrorism Centre of India (NCTC) of India. There is no second opinion that the NCTC must be urgently constituted in India by Indian Government. However, administrative, political and technological problems need to be addressed on a priority basis by Indian Government. The obvious but unsolvable terrorism dilemma of India cannot be allowed to be continued any longer in the larger interest of India.

By its very nature and design any proposed NCTC shall be managed by intelligence and security agencies of India. India has plethora of intelligence agencies and security agencies. These include Research and Analysis Wing (RAW), Aviation Research Centre (ARC), Intelligence Bureau (IB), National Technical Research Organisation (NTRO) and Defence Intelligence Agency (DIA), etc.

However, the administrative and political structure governing these agencies is highly defective as they are operating in a decentralised manner. There is no centralised authority or Ministry that can coordinate or collaborate between different intelligence and security agencies. Further, there is no Parliamentary oversight of these intelligence agencies as well.

On top of it Civil Liberties and National Security requirements of India are not balanced at all. This would give rise to constitutional issues and create problems for such agencies in future. For instance, the immunity request of these agencies for engaging in cyber deterrent act cannot be accepted in these circumstances that would be an essential function of NCTC in future.

As Mr. Narendra Modi is committed to keep the internal security part of Home Ministry with himself, these issues can be easily managed. The proposed Prime Minister’s Office (PMO) would emerge as a “centralised national reforms point” of India. The approach regarding the proposed PMO is much required as that may be a game changer for India. It would also not be difficult to constitute the proposed NCTC in these circumstances as the centralised approach towards NCTC would eliminate interference of different Departments/Ministries. Mr. Modi can comfortably guide and supervise NCTC from the PMO.

However, NCTC must not be established in the manner proposed by the previous Government. The “safest and easiest method” to establish NCTC is to give a Parliamentary Scrutiny to intelligence agencies and their functioning. In the same legal framework, establishment and role of NCTC can be formulated.

The NCTC is very significant and essential for the National Security of India. Terrorist attacks against India are on increase and we need a “Specilaised Institution” like NCTC to provide and analyse valuable intelligence inputs and leads. The real problem seems to be “lack of coordination and harmonisation” between the Centre and States and the PMO must resolve this problem while establishing NCTC.

There are other related problems as well. For instance, the intelligence infrastructure of India is in big mess.  We need to develop intelligence gathering skills development in India so that effective intelligence can be generated, processed and used in real time. On the legislation front, a legal framework on the lines of Intelligence Services (Powers and Regulation) Bill, 2011 must be formulated and enacted by our Parliament. The National Intelligence Grid (Natgrid) Project of India has already been launched. However, a legal framework for Natgrid project of India is also needed as an unaccountable Natgrid is not a panacea for intelligence failures of India.

Surprisingly, the bureaucrats at Home Ministry have dropped the reference of NCTC altogether from their proposed report to Mr. Modi. They believe that NCTC is not a viable project and it need not to be part of the projects that have to be undertaken on a priority basis. It seems the bureaucrats are well aware of the previous dislike of Mr. Modi towards NCTC and they do not wish to offend him.

This is a highly unfortunate situation. No project should be dropped simply because Mr. Modi has disliked the same in the past. It is the constitutional duty of bureaucrats to suggest inclusion of projects of National Importance keeping aside their own biases, prejudices or fears. If they simply drop a worth project like NCTC on the basis that Mr. Modi disliked it in the past nothing is more embarrassing and unfortunate than such an approach. Even if Mr. Modi is averse to NCTC as on date, the bureaucrats must suggest the same. Of course, if there are some other issues, besides personal preferences or dislikes of Mr. Modi, they must be openly and frankly communicated to Mr. Modi and let him decide ultimately.

The things and circumstance have changed drastically and it is high time to analyse projects like NCTC as per contemporary standards and requirements. The present circumstances are in favour of constitution of NCTC and the same must be done as soon as possible.

Wednesday, December 9, 2015

Narendra Modi Government Must Be Serious About Cyber Security Of India

During the election campaign, Narendra Modi Government promised many pro active reforms for India and a robust Cyber Security Infrastructure was one of them. While it is premature to confirm or deny fulfillment of Cyber Security related promises yet it is clear that the Cyber Security Infrastructure of India is not in a good shape as on date.

There are many Cyber Security Challenges that are creating complicated Cyber Security Problems for India. Even the Digital India project of Modi Government is suffering from lack of Cyber Security Infrastructure. Smart Cities have posed their own Cyber Security and Civil Liberties Problems and they must be resolved before launching of full fledged Smart Cities in India.

Modi Government is presently facing unlimited challenges that have accumulated over a period of time. Thanks to our bureaucratic set up and all pervasive corruption, public reforms have always been kept at bay. There was no dearth of money and skilled people to accomplish the projected targets but still a dominant majority of projects in the last decade have failed to materialise.

Now that Mr. Modi has asked for a brief but accurate report and analysis of the situation, our bureaucrats are sweating and are in high stress. Even if they may somehow justify their non action and national reforms massacre still they would not be in a position to accomplish the mammoth tasks that have yet to be achieved. Decades of corrupt practices, incompetencies and indifference cannot be defeated in few years especially by retaining the same bureaucratic and ministerial structure.

Although there are hundreds of issues of national importance yet I would like to confine myself to a single issue that is closely and intrinsically related to our national security. The issue that I am talking about is the cyber security of India that is in a really bad shape (PDF). For decades our bureaucrats and Indian government did not consider cyber security as an essential part of national security policy of India. As a result cyber security has been grossly neglected and this has created a situation of high alert.

Even on the legislation front, India has failed to do the needful. For instance, we need to repeal the laws like Information Technology Act, 2000 (IT Act 2000), Indian Telegraph Act, 1885, etc but for some strange reasons our bureaucrats and Indian government kept them intact. I have been suggesting this recourse for the past five years but till now nothing concrete has happened in this regard. Similarly, crucial laws are absent from Indian statute books. These include law regarding privacy, data protection (PDF), telecom security, encryption, cloud computing, etc.

Mr. Modi would be required to not only overhaul his cabinet structure but also cleanse the bureaucratic circles that have been plaguing Indian reforms. Bureaucrats and politicians with clean image, hard working reputation and reforms oriented approach must alone be part and parcel of the Prime Minister’s Office (PMO) that may emerge as a “centralised national reforms point” of India. The approach regarding the proposed PMO is much required as that may be a game changer for India.

The previous PMO of India has already sanctioned a plan to spend 1,000 crore over the next four years to strengthen the cyber security capabilities of India. All Mr. Modi has to do is to make it sure that this may not be another proposal with no actual implementation. It must also be ensured that the allocated money is not only utilised but corrupt practices must also not take place while executing the cyber security project.

Obviously India needs to establish both offensive and defensive cyber security capabilities. This is important to protect the critical infrastructures (PDF) of India that are dependent upon information technology. A cyber warfare policy of India (PDF) must also be formulated as Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc are far beyond the reach of present cyber security mechanisms. These Malware are stealth in nature and till the time they are discovered the damage is already done.

Skilled workforce is also need of the hour and for this purpose cyber security courses must be introduced at the university level. Online education must be encouraged so that online cyber security courses can be imparted in India.

In short, the cyber security challenges before the Modi Government are institutional, skills driven, time sensitive and urgent in nature. We have already delayed strengthening of our cyber security capabilities and any further delay should not be tolerated by him.

Cyber Attacks Against India Have Significantly Increased: Is India Well Prepared?

Cyber Crimes and Cyber Attacks have become very common these days for multiple reasons. Some engage in Cyber Crimes and Cyber Attacks for commercial reasons while others indulge in the same on behalf of other stakeholders. At times, even Nations are involved in launching of sophisticated Cyber Attacks.

Cyber Security Challenges in India are not easy to manage in the absence of a robust and resilient Cyber Security Infrastructure. The truth is that Cyber Security Infrastructure in India is inadequate to tackle sophisticated Cyber Attacks and Malware. Indian Government's pet project Digital India is also suffering from many shortcomings and weaknesses.

For instance, Smart Cities Cyber Security is still not part of the Smart Cities Policies and Strategies of India. In the absence of Cyber Breaches Disclosure Norms in India, Companies and their Directors are not following either Cyber Law Due Diligence (PDF) or reporting back the Cyber Breach Incidences to Indian Government and its Agencies.

Cyber attacks have not only become sophisticated but they have also increased significantly in terms of numbers. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc are example of the contemporary Malware that are far beyond the reach of present cyber security mechanisms. These Malware are stealth in nature and till the time they are discovered the damage is already done.

It has been reported by the ICS-CERT of United States that a U.S. public utility was cyber attacked and its control system network were compromised. Similarly, E-Bay has asked for change of passwords after breach of its database containing account information. Before that Target Corporation was targeted by cyber criminals and as a result of that Target Corporation faced litigation threats around the world.

The cyber attack scenario has shifted its nature and territorial scope from being fun and regional to become a potential tool of cyber warfare and cyber espionage. We have no globally acceptable international legal regimes for cyber attacks as on date. Thus, international legal issues of cyber attacks are yet to be resolved.

Cyberspace also put forward complex problems of authorship attribution for cyber attacks and anonymity. Cyberspace also gives rise to conflict of laws in cyberspace where multiple laws of different jurisdictions may be applicable at the same time. Thus, cyber security and international cooperation cannot be separated in these circumstances.

Meanwhile, nations around the world are streamlining their respective cyber security capabilities. We must also develop offensive and defensive cyber security capabilities of India. As per the cyber security trends and developments of India 2013 (PDF) India is lagging far behind than required cyber security initiatives. Cyber security in India is still not upto the mark in the absence of a dedicated cyber security law of India.

Even compulsory cyber security breaches notification norms are missing in India. Recently the National Security Council Secretariat (NSCS) requested Reliance Jio Infocomm to share potential cyber security threats on India’s telecom networks. India has announced that cyber security breach disclosure norm would be formulated very soon. However, till now no such disclosure norms are applicable in India against companies/telecom companies/ISPs of India and this could raise serious cyber security issues for India in the near future.

These cyber security breach disclosures are important as critical infrastructures of India like automated power grids, thermal plants, satellites, etc are vulnerable to diverse forms of cyber attacks. This is the reason why NTRO has been assigned the task of protecting the critical infrastructure of India. Till the National Cyber Coordination Centre (NCCC) is put into place, national level cyber security coordination would be missing. The cyber crisis management plan of India and the cyber security policy of India must also be made operational as soon as possible.

Strict enforcement of the license conditions (PDF) against telecom companies operating in India and the proposed national telecom security policy of India 2014 may strengthen the cyber security infrastructure of India. However, nothing is better than formulating a good cyber security law of India that can establish a regulatory regime for compulsory cyber security breach notifications on the part of companies/telecom companies/ISPs. Let us hope that the new Indian government would do the needful as soon as possible.

Legal Immunity Against Cyber Deterrent Acts In India And Intelligence Agencies Functioning

Intelligence Agencies generally perform functions that are of "National Interest" to any Nation. However, not all functions of Intelligence Agencies pertain to National Interest and such functions that are not strictly in National Interest can be safely categorised as "Non Sovereign Functions". All "Non Sovereign Functions" must be part and parcel of "Public Domain" and not protected in the "Veil of Secrecy".

Even for "Sovereign Functions" pertaining to National Security and National Interest, Intelligence Agencies must be made "Accountable" to Parliament of the respective Nation. An Intelligence Agency that is not made "Accountable to the Parliament" is nothing but an "Oppressive Arm" of the Executive and works in active violation of Human Rights and Civil Liberties.

Intelligence Agencies around the World are facing difficulties while managing "Technology Issues". These include dealing with Encryption, Cyber Attacks, Cyber Espionage, Cyber Terrorism, etc. As Cyber Security is a Techno Legal field, it is difficult for the Intelligence Agencies to meet the Problems and Challenges of Cyber Security and other technological innovations.

India has been working in the direction of strengthening its Cyber Security Capabilities. As India is a late entrant in this field, Cyber Security in India is still not upto the mark. The Cyber Security Trends and Developments in India 2013 (PDF) provided by Perry4Law’s Techno Legal Base (PTLB) have proved that India is weak in the field of Cyber Security. The Offensive and Defensive Cyber Security Capabilities of India are yet to be achieved.

We have no dedicated Cyber Security Laws in India as on date. The Information Technology Act, 2000 (IT Act 2000) is the sole Cyber Law of India that also indirectly talks about Cyber Security.  The IT Act 2000 is silent on the issue of conferring legal immunity to hackers and other Law Enforcement Agencies while countering cyber attacks and this is a cause of concern for the Intelligence Agencies of India. It is also true that the Intelligence Agencies of India are also not subject to Parliamentary Oversight that is need of the hour.

International Legal Issues of Cyber Attacks are a cause of concern for India and India need to upgrade her Cyber Security Capabilities. Intelligence Agencies of India are planning to acquire such capabilities with “No Legal Obligation Attached Whatsoever”. This is a draconian power that cannot be conferred to them as that would violate the Civil Liberties Protection in Cyberspace of Indian Citizens. To make the matter worst, we have no dedicated Privacy Laws in India and Data Protection Laws in India (PDF). Even the Right to Information Act, 2005 is not applicable to Intelligence Agencies and many Law Enforcement Agencies of India. India “Must Reconcile” the Civil Liberties and National Security Requirements that is presently not happening.

It has been reported that following security agencies’ demand for legal immunity in cyber deterrence cases, the Deputy National Security Adviser is working on setting up An Inter-Ministerial Group to look into the issue. The Intelligence Bureau has said legal authority for cyber deterrence is very important for agencies in dealing with matters like terrorism. Citing the example of some countries, which have oversight mechanism, agencies have demanded legal immunity.

For example, the United States has a mechanism in place to monitor foreign accounts. However, U.S. is also making its Intelligence Agencies “Accountable” to the Parliament and there are many Statutory Protections against “Abuse of Powers” of these Intelligence Agencies. In India there is no such “Procedural Safeguards” and Intelligence Agencies are openly violating various “Constitutional Protections” and Civil Liberties.

India’s own Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny.

Now the Intelligence Agencies are demanding the power of “Hack at Will” without any “Legal Ramifications”. National security is not a “Blanket Protection” against Illegal and Unconstitutional E-0Surveillance and Eavesdropping. It seems the Intelligence Agencies of India are asking for this “Illegal and Unconstitutional Power” that “No Sensible Government in its Right Mind” would allow.

In a recent meeting on Cyber Security, a representative of the Department of Telecommunication (DOT) said the Department could make some provisions in the Calling Line Identification (CLI) Guidelines that will enable monitoring of at least Foreign Nationals in the country.

The Deputy National Security Adviser, Nehchal Sandhu, is working on setting up an Inter-Ministerial Group comprising the Law Ministry, the Department of Electronics and IT, the Department of Telecom (DOT), IB and the Home Ministry to identify gaps in existing legislation and regulations as well as measures to bridge them.

However, there are “No Such Gaps” as are contemplated by the Deputy National Security Adviser. In effect, the Group is considering how to “Further Confer” Illegal and Unconstitutional Powers upon the Intelligence Agencies. This is really unfortunate as the Group must consider how to make the Intelligence Agencies and Law Enforcement Agencies of India Accountable to the Parliament and how to “Safeguard” the “Constitutional Rights” of India Citizens that are openly violated by these Agencies.

Techno Legal National Security Policy Of India Is Needed

The traditional concept of "National Security" has undergone a sea change these days. National Security in the contemporary times include areas like Finance, Technology, Know How and Trade Secrets, Intellectual Property Rights (IPRs), Cyber Security and much more. Even the so called "Enemy" is "Invisible" these days.

Technology was part of the National Security in old times only to the extent it provided advantage over the "Warfare Capabilities" of a Nation or to gain control over "Sensitive Strategic Information" of such Nation. However, Technology is seen in a totally differently perspective these days. Technology has become "Target, Victim, Goal and Tool" of Cyber Attacks, Cyber Security and National Security.

National Security is a very vast and complicated field to manage as it encompasses various facets of security. It includes traditional security of borders and infrastructure to Cyber Security of the Indian Infrastructure and Cyberspace. India has been lax on the front of National Security in general and Cyber Security in particular. The National Cyber Security Policy of India 2013 has been drafted recently and its actual and full implementation is still missing.

Further, various components of National Security are still operating in vacuum and independent of each other making the entire concept of National Security a façade. For instance, the Cyber Security Policy of India is still not a part of the National Security Policy of India. In fact, we have no National Security Policy of India that is presently implemented by Indian Government. The Cyber Security Policy of India must be an “Essential and Integral Part” of the National Security Policy of India.

DNA India has reported that the current UPA Government led by Prime Minister Manmohan Singh is set to unveil a draft of National Security Policy for public debate. The National Security Advisor Shiv Shankar Menon has already started working in this regard so that a well defined strategic policy framework can be adopted by the new Government after a public debate. It seems the intention is to make the National Security Policy of India operational after the 2014 Elections are over. This is logical as well as such crucial policies cannot be implemented at time of uncertainties. The National Security Council (NSC) has already proposed three pronged Cyber Security Action Plan for India.

The UPA Government has its own share of successes like securing Indian borders and avoiding any big threat from outside, getting the non-permanent member status of the UN Security Council, obtaining a permanent seat at the Arctic Council and a chair at G-8 negotiations, etc. So the “Failures and Achievements” of the present UPA Government are somewhat balanced in nature.

India already has a doctrine for its defence as well as strategic forces, both for conventional and sub-conventional wars. But the new doctrine will be over-arching, comprehensive and will incorporate elements of foreign and internal security policies.

Though the proposed draft of the Policy is still at the infancy stage yet it may act as a resource guide to deal with Indian National Security issues. The proposed Policy would look at all aspects of National Security including the Economic, Technological, Political, Cyber as well as Scientific. It would also streamline the Security Strategy and address the systemic lacunae in the absence of a clear and comprehensive policy.

A “Special Focus” upon Cyber Security is need of the hour. To start with a dedicated Cyber Security Law of India must be formulated. A robust and comprehensive Telecom Security Policy of India must also be immediately formulated. Further, Draconian and Disabling Laws like Information Technology Act, 2000 and Indian Telegraph Act, 1885 must be “Repealed” as soon as possible. Civil Liberties and National Security Requirements must be “Reconciled”. A dedicated Privacy Law of India must also be formulated immediately to strengthen Privacy Rights in India.

During the exposure of engagement of E-Surveillance by the National Security Agency (NSA) of U.S., James Clapper confirmed that NSA is targeting Foreign Citizens for Surveillance. This E-Surveillance is further “Combined” with Tactics and Techniques of Cyber Warfare, Cyber Espionage and Cyber Terrorism, etc. The traditional Cold War Era may be over but the Technology Assisted Cold War is still in vogue. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, etc have simply proved this point.

These Malware are not the tasks of a group or company but expert malware makers that are supported by Developed Nations. The United States has been accused of making these Malware in the past and it is also believed that U.S. is the biggest buyer of Malware in the World. U.S. has also been accused of using a combination of Radio Waves and Malware to spy upon other Countries. It is well known that Global Cyber Espionage Networks are being actively and covertly used to Spy on other Nations. This is evident from the fact that the Command and Control Servers of Malware FinFisher were also found in 36 Countries, including India.

These Malware used Cyber Attack Methods and Vectors that are far beyond the Capacity of Traditional Cyber Security Mechanisms to Trace and Prevent. This becomes a serious Cyber Security Issue when Critical ICT infrastructures are at stake. For instance, the critical Infrastructure Protection in India and its Problems, Challenges and Solutions (PDF) are still to be looked into with Great Priority by Indian Government. It is only now that India has declared that NTRO would protect the Critical ICT Infrastructures of India. Similarly, a Tri Service Cyber Command for Armed Forces of India is in Pipeline. Nevertheless, the Cyber Security Infrastructure of India is Weak and it must be improved as soon as possible.

Countries across the World have started to strengthen their Cyber Security Capabilities. While protecting their own Cyberspace domain, various Countries must understand that Cyber Security is an International Issue (PDF) and not a National one. Therefore, an International Cyber Security Treaty is Required (PDF). As far as India is concerned, the Cyber Warfare Policy of India (PDF) and E-Surveillance Policy of India (PDF) must be urgently drafted and implemented. Similarly, Self Defence and Privacy Protection in India must be ensured.

India’s own Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. The proposed National Security Policy of India must address this issue as well on a priority basis.

Tuesday, December 8, 2015

Cyber Espionage Malware Named Uroburos/Snake Detected By Cyber Security Researchers

Cyber threats have affected various stakeholders in different manner. From corporate espionage to cyber warfare, cyber attacks have become a common practice. As more and more information technology is being used for various purposes, cyber security issues have also become critical.

For instance, the Digital India project of Indian government is suffering from many shortcomings including lack of cyber security infrastructure. In fact, the cyber security infrastructure of India is not adequate at all. The cyber security problems and challenges in India must be urgently tackled by Indian government on a priority basis.

The traditional Cold War Era may be over but the Technology Assisted Cold War is still in vogue. Developed Nations have been making and using Sophisticated Malware that is well beyond traditional and modern Cyber Security Mechanisms. Even well trained Cyber Security Professionals cannot detect them till these Malware have already achieved their Surveillance and Espionage tasks.

For instance, Malware like Stuxnet, Duqu and Flame have simply proved this point. They kept on creating havoc for many years in an undetectable and covert manner. They were detected only recently and since then their variants have been making rounds in the Cyberspace.

These Malware are not the tasks of a group or company but expert malware makers that are supported by Developed Nations. The United States has been accused of making these Malware in the past and it is also believed that U.S. is the biggest buyer of Malware in the World. U.S. has also been accused of using a combination of Radio Waves and Malware to spy upon other Countries. It is well known that Global Cyber Espionage Networks are being actively and covertly used to Spy on other Nations. This is evident from the fact that the Command and Control Servers of Malware FinFisher were also found in 36 Countries, including India.

Countries across the World have started to strengthen their Cyber Security Capabilities. While protecting their own Cyberspace domain, various Countries must understand that Cyber Security is an International Issue (PDF) and not a National one. Therefore, an International Cyber Security Treaty is Required (PDF). In the absence of international harmonisation in this crucial field, countries would keep on attacking one another in the Cyberspace.

In the latest news in this regard, G Data Security experts have analysed (PDF) a very complex and sophisticated piece of malware, designed to steal confidential data. G Data refers to it as Uroburos, in correspondence with a string found in the malware’s code and following an ancient symbol depicting a serpent or dragon eating its own tail.

According to G Data Uroburos is a rootkit, composed of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably: files) and it is also able to capture network traffic. Its modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos’ driver part is extremely complex and is designed to be very discrete and very difficult to identify.

BAE systems have labelled it as “Snake” (PDF) and it has identified two distinct variants, both highly flexible but with two different techniques for establishing and maintaining a presence on the target system. In general, its operation relies on kernel mode drivers, making it a rootkit. It is designed to covertly install a backdoor on a compromised system, hide the presence of its components, provide a communication mechanism with its command and control (C&C) servers, and enables an effective data exfiltration mechanism. At the same time, Snake exposed a flexibility to conduct its operations by engaging these noticeably different architectures.

According to media reports, ‘Uroburos’ has been stalking its victims since as far back as 2005 and large enterprises and governments need to pay urgent attention to the threat it. It now transpires that Snake has been slithering silently around networks in the U.S. and its NATO allies and former Soviet states for almost a decade, stealing data, getting ever more complex and modular and remaining almost invisible.

Culling data from malware research sites (i.e. those to which suspected malware samples are submitted for inspection), it has been spotted 32 times in the Ukraine since 2010, 11 times in Lithuania, 4 times in the UK, and a handful of times altogether from the US, Belgium, Georgia, Romania, Hungary and Italy.

These are very small numbers but cyber security firm(s) believes that on past experience they are highly indicative. While they represent a tiny fraction of the number of infections that will have occurred in these countries and beyond, they can be used to reliably infer that Snake has been aimed at Western and Western-aligned countries pretty much exclusively. While none have specifically named Russia as the originator for this malware yet some have put the country under suspicion.

Hints of the malware’s provenance have surfaced from time to time. In 2008, the U.S. Department of Defense (DoD) reported that something called, Agent.btz had attacked its systems, an incident later attributed on more than one occasion to the Russian state without further elaboration. Beyond that the evidence is circumstantial and it is very difficult to attribute Cyber Criminality with great certainty.