
Guestpost: Privacy laws and legal interception in India

India needs to evolve comprehensive privacy laws that protect individual rights before implementing a framework for legal interception, argues Ranjeet Rane, who works with the Public Affairs team at Edelman India and is a Research Assistant at Takshashila Institution.

In my previous post, I stressed the need for an urgent debate between the government and citizens on privacy rights and their limits in India, given the recently implemented Centralized Monitoring System (CMS). A counter-argument being presented is that the CMS will be a better option for the Indian citizen, as it provides a legal framework for lawful interception, against the current practice of content monitoring and filtering through unregulated, ad-hoc processes involving intermediaries such as telecom companies and ISPs.

The CMS is intended to ensure that each interception request is tracked and the recorded content duly destroyed within six months, as required under law. In this post, however, I will try to present a case against the implementation of the CMS by looking at the existing provisions in the Information Technology Act 2000 (and subsequent amendments) that make an effort to address issues of privacy.

Section 72 of the Information Technology Act 2000 in its original form penalized the breaches of confidentiality and privacy of data. Essentially, the scope of the provision covered those empowered by the Act to gain access to any electronic record, book, register, correspondence, information document or other material seized for investigation. It was aimed at preventing accidental leaks of such information during the course of investigations.

This was later amended to include Section 72A to penalize “any person” (including an intermediary) who has obtained personal information while providing services under a lawful contract and discloses the personal information without consent of the person, with the intent to cause, or knowing it is likely to cause wrongful gain or wrongful loss.

When this clause is read together with Section 69B of the Act, it squarely puts the responsibility of securing personal data on the intermediary, which in this case could be a wide spectrum of actors from cyber cafes to telecom companies and ISPs. Indeed, if this Act is used to justify the implementation of the CMS, it would need significant amendments to clearly identify those central and state agencies authorized to access such information. The recent case of the National Technical Research Organisation being at the forefront of snooping activities is still fresh in public memory.

The next set of amendments came into force with the addition of Section 43A, which obliges corporate bodies that possess, deal in or handle any sensitive personal data to implement and maintain “reasonable security practices,” failing which they would be liable for disclosure. The Act defines “corporate bodies” as those involved in “commercial or professional activities.”

The definitions of “sensitive personal data” and “reasonable security practices” are narrow and hence prevent courts from interpreting a contextual definition. Most importantly, government agencies and non-profit organizations are entirely excluded from the ambit of this section.

The Act further lays down the Rules for:

  • Privacy Policy
  • Collection of Information
  • Transfer of Information
  • Reasonable Security Practices and Procedures

Elaborate rules to address the points above are still only in the draft phase.

It is only in Section 66E (Violation of Privacy) that we find privacy concerns addressed. The euphoria doesn’t last long, as this section only covers electronic voyeurism and penalizes acts of capturing, publishing and transmitting images of the “private area” of any person without their consent, “under circumstances violating the privacy” of that person.

This section falls short of acknowledging the importance of protecting personally identifiable information (name, passport number, date of birth, biometric information, etc.) and deals only with disclosure of potentially compromising photographs.

It is clear that the status of a legal framework to protect the privacy of citizens in India is inadequate. The Information Technology Act does not have any provision for penalizing government agencies for overreach. Implementing any program like the CMS in the absence of clauses on privacy, regulation and oversight over government conduct will be concerning. Indeed, recent media controversies point to the possibility of political misuse of new tools and resources.

The government ought to consider bringing a comprehensive Privacy Bill to the floor for debate, instead of piecemeal additions to the Information Technology Act. This Bill should ensure adequate oversight for all activities of surveillance. This oversight should be coupled with providing information in public domain about convictions happening through such monitoring.

This will not only make it mandatory for the agencies concerned to justify their actions but will also lead to more efficient results than those expected from blanket monitoring. Such a bill will seek to also limit political abuse of resources at the disposal of national security & investigation agencies.

The United Nations Declaration of Human Rights mentions under Article 12 that:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.

As a signatory and one of the founding nations behind the UN Human Rights Declaration, we haven’t set the kind of example in our commitment to individuals’ privacy expected from a liberal democracy like ours. The need of the hour is for India to develop adequate and effective privacy legislation based on a set of clearly defined principles. Privacy as an entitlement ought to be an end result of this comprehensive reform.


Guestpost — The Weakest Link (II)

The importance of prompt governmental action on cybersecurity threats.

In Part-II of The Weakest Link, Srikanth R., Senior Research Associate for Cyber Security Studies, writes about how India and other countries have reacted and should continue to act to counter cybersecurity threats (also read Part I).

While the attack on RSA was in progress, a slew of attacks on companies and governments all over the world were taking place. These attacks were credited to anonymous groups of people who were not necessarily hackers, but who had sufficient skill to detect sites running older versions of software with publicly known exploits. These attacks compromised the data stored on websites that were not up to date with patches for known security holes. Unlike zero-day attacks, which require considerable technical competence, these attacks exploited well-known weaknesses in website software and did not require much technical competence.

Such attacks have already resulted in the publication of private databases of various websites all over the world, including NIC in India, indicating that organizations in India will also be potential targets for such groups. Such organizations need to secure their networks by applying patches for all known security holes, i.e., the ones that are not zero-day.

These events point to an urgent need for organizations/companies specializing in cybersecurity services in India that can provide services such as penetration testing, website audits, and IT security audits for a fee. Such organizations can also be valuable in bringing best practices to all people in an organization — a chain is only as strong as the weakest link, and this is especially true of implementing secure processes and practices in any organization.

All of the above events raise obvious questions about the current status of the security of the corporate and government networks that may be considered high value targets to adversarial state and non-state actors. In considering these targets, it helps to be realistic about the actual importance of a target, and not “official importance”.

Taking down a government agency’s website is an annoyance but it does not actually affect the daily activity of Indians in real terms. The value of disrupting the networks and functioning of an organization increases as the use of technology in governance increases, as it directly affects citizens using such governance schemes. In particular, schemes such as Aadhaar will soon be a high value target as it becomes more central to the functioning of large numbers of organizations, governmental and corporate, as their own services become dependent on the Aadhaar networks functioning as designed.

It would be beneficial to have an independent organization that is in charge of testing and fixing the security of such flagship schemes that hold private information of a growing number of citizens. On this note, it should be noted that data security must be viewed in a comprehensive manner, which in this case would mean security of all paper copies of data collected from the citizenry to be entered into the Aadhaar databases.

Citizens’ groups need to question the government on whether all the data collected for the UID databases are destroyed once they are in the Aadhaar databases, and if not, demand information on the safeguards taken by the Indian Government to protect this data from being abused in the future. Failing such assurances from the government, citizens must resist any moves to make UID mandatory for all citizens.

The other key infrastructure that will be a target for hackers is the telephone networks that are tied to internet data networks. The most obvious way to place an entire network at risk is to run it using products from foreign corporations without access to the exact source code that runs on the network hardware and to the hardware design of the chips used. Backdoors can be built into the hardware as well as the software.

If an entire network of machines is built from such hardware, a literal flick of the switch can shut down the network when it is most needed. The recent announcement by Reliance Industries to build their company cellular networks based completely on Huawei products is very alarming, because there is no indication that Huawei has parted with the source code for the networks to Reliance.

Short of Reliance building the software from Huawei’s source code and installing it on the products themselves, there is no way to ensure that Huawei has not installed hardware or software Trojans in the systems sold to Reliance. Operating any hardware/software without the source code in sensitive domains that will be targets for enemy hackers is an exercise in extremely poor judgement.

In summary, the physical security of a State and its cyber security are complementary aspects of overall national security. Organizations that provide crucial services to important entities or the public at large must take immediate steps to secure the internal processes and procedures of all their employees that have access to their networks.

Furthermore, Indian organizations must eschew incorporating proprietary, i.e., non open source, hardware and software platforms from competitor states such as China, unless they acquire complete knowledge of what hardware and software is being deployed to build public infrastructure. Instead of creating myriad new governmental organizations that do little to improve the security of the nation’s networks, the Indian Government would do well to provide incentives for private businesses that provide critical services and information in securing corporate and governmental networks.


Guestpost — The Weakest Link (I)

The state of cybersecurity and governmental response.

After Stuxnet and a series of high-profile attacks against government and corporate cyber infrastructure this past year, it is clear that a new age of warfare is here, where state and non-state actors increasingly use cyberspace to perpetrate attacks against their adversaries. These actions should remind us of the inextricable link between cyber-security and national security. Recently, the U.S. Department of Defense stated in a press release that cyberattacks constituted an “act of war” if they originated from a foreign country, and that these acts of war could be responded to with conventional military force.

However, given the increase in frequency and sophistication of cyberattacks, and the proliferation of technology in India, there is little indication that the Government of India truly understands the nature of warfare being imposed on States in the world. Indeed, while the Government of India recently released a cybersecurity policy draft, that draft is effectively a policy orphan, as India does not have a national security policy. Cybersecurity is a subset of national security; the former cannot meaningfully exist without the latter.

Takshashila Institution’s Srikanth R., Senior Research Associate for Cyber Strategy Studies writes in a two-part series on The Filter Coffee, about the nature of the threat, and actions India and other governments must take to prevent attacks or effectively mitigate damage.

After last year’s Stuxnet attack on Iran’s facilities, it was revealed recently that the attack was the result of efforts by the governments of the US and Israel. In March 2011, an “independent Iranian hacker” took credit for hacking into RSA Corporation’s master “token seed” database for one of their flagship products, ostensibly retaliating against the Stuxnet attack. The stolen data from RSA was used to attack other major US corporations, raising fears of escalating attacks on critical US infrastructure.

In response, the Pentagon released an official statement that “cyberattacks can count as acts of war if it originates from a foreign country,” most likely directed at the State that hacked into RSA’s databases. However, this did not deter a cyberattack on defense contractor Lockheed Martin on June 2. Lockheed revealed that stolen information from RSA was used to attack its network. RSA’s official response ambiguously emphasized that “the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology”. Given that the RSA database was stolen on March 17, this attack would by definition be categorized as a “known” threat, and thus not a “new threat”.

While this may appear to be just another database that was hacked into, it has serious implications for all of RSA’s customers, which include companies such as Comodo, which provide authentication certificates for users to interact with corporations such as Google, Yahoo, Skype, Mozilla, etc. Customers of RSA such as Comodo depend on the robustness of RSA’s services to guarantee the integrity of the authenticated SSL certificates issued to Comodo’s customers. In fact, all the above customers that depend on RSA’s security platform were breached in the weeks after the loss of RSA data.

Token-based authentication is a common and popular scheme for allowing a user to access specific resources on a site by interacting with an authentication server. The authentication server provides temporary access to a set of resources or capabilities, based on the user’s name and password, by generating a “token” that allows the user temporary access to specific resources on the web; companies like RSA base their products on “seeds” that generate an unlimited number of secure tokens. Secure tokens are required by any organization that needs to provide secure access to databases on its servers or to its VPN networks.

The most serious implication of a stolen master database of token seeds is that the stolen information can be used to create “cloned” tokens that can be misused by intruders to attack, for example, a VPN network that is vulnerable to hacker attacks. On May 29, Reuters reported a defense company acknowledging it had detected a “tenacious cyberattack” which was eventually thwarted successfully.
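As an added illustration (not code from the original post, and not RSA’s proprietary SecurID algorithm, which is not public in this form), the following Python implements the openly specified HOTP/TOTP scheme from RFC 4226 and RFC 6238 as a stand-in for a seed-based token. It shows the three facts the two paragraphs above rely on: a seed generates an unbounded sequence of one-time codes, the authentication server verifies them from its own copy of the seed record, and any party holding a copy of that record computes exactly the same codes, which is why the master seed database is the asset whose loss undermines every token derived from it. The seed value (the RFC test-vector secret), the serial number and the TokenServer class are assumptions made for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample seed: the RFC 4226 / RFC 6238 test-vector secret
# (ASCII "12345678901234567890"). In a real deployment each token carries
# its own randomly generated seed, and the server keeps a record of it.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


class TokenServer:
    """Assumed authentication server holding the seed record for each token serial."""

    def __init__(self, seed_records: dict, step: int = 30, window: int = 1):
        self._seeds = seed_records          # serial -> seed bytes (the "master database")
        self._step = step
        self._window = window               # tolerated clock drift, in time steps
        self._last_used = {}                # serial -> last accepted time step (replay guard)

    def verify(self, serial: str, code: str, unix_time: int) -> bool:
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        current = unix_time // self._step
        for drift in range(-self._window, self._window + 1):
            step_index = current + drift
            if step_index <= self._last_used.get(serial, -1):
                continue                    # each time step is accepted at most once
            if hmac.compare_digest(hotp(seed, step_index), code):
                self._last_used[serial] = step_index
                return True
        return False


def seed_copy_is_indistinguishable(seed_records: dict, serial: str, unix_time: int) -> bool:
    """The server cannot tell the issued token from any other holder of the same seed record."""
    server = TokenServer(seed_records)
    copied_seed = seed_records[serial]      # any second copy of the record, however obtained
    return server.verify(serial, totp(copied_seed, unix_time), unix_time)


if __name__ == "__main__":
    records = {"000123": SAMPLE_SEED}       # constructed serial number
    now = int(time.time())
    print("current code:", totp(SAMPLE_SEED, now))
    print("server accepts it:", TokenServer(records).verify("000123", totp(SAMPLE_SEED, now), now))
    print("a seed copy yields an accepted code:", seed_copy_is_indistinguishable(records, "000123", now))
```

The replay guard and the drift window are the server-side details that make the scheme usable in practice; neither helps once the seed record itself has left the server, because the code computed from the copy is bit-for-bit the code the real token would have produced.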

It should be noted that RSA had taken precautions for the physical safety of its data, such as “(a) keeping the token records containing the token seed values (secret keys) offline; (b) hardening the SecureID server’s operating system; (c) strictly limiting administrative access to it per RSA’s guidance, and (d) monitoring the SecureID server for signs of fraud and abuse. We felt that the residual risk to our customers as a result of these measures was fairly low.” However, these precautions were insufficient to thwart RSA-type attacks, also known as Advanced Persistent Threats (APT).

Advanced Persistent Threat (APT) attacks are initiated by gaining entry into a network; the intruder then remains hidden for a long period of time, actively collecting information but hoarding all of it within a machine on the network before shipping it out at the very end. APTs can gain entry by exploiting zero-day vulnerabilities or by fooling known users of the network into parting with the information needed to enter a secured network.

Once inside a secure network, this malicious entity hides within the organization’s network, silently collecting information for days or even years before abruptly leaving with all the stolen information. Given that there are no solutions to avoid zero-day attacks, it is not possible to thwart APT attacks. However, there could be limited use for network monitoring tools that filter off-hours activity not initiated by a known user on the network — this is not sufficient to thwart APT attacks, but it can at least detect a malicious presence in the network sooner rather than later.
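The monitoring idea above can be written down as concrete detection logic. The Python below is an added example, not from the original post or from any vendor’s product. It runs two checks over constructed log lines in an assumed “timestamp user src dst bytes_out” format: off-hours events from principals that are not in the known-user list, and an abrupt outbound transfer to an external address far larger than anything that user sent out before, which corresponds to the “shipping it all out at the end” phase of the APT described above. The business-hours window, the user list, the addresses and the threshold factor are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log: "timestamp user src dst bytes_out", one event per line.
# Addresses in 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for "outside the organization"; nothing here comes from a real system.
SAMPLE_LOG = """\
2011-06-02T09:12:04 alice 10.0.1.15 10.0.2.8 12000
2011-06-02T14:40:19 bob 10.0.1.22 10.0.2.8 8000
2011-06-02T23:05:51 svc_backup 10.0.1.40 10.0.2.8 5000
2011-06-02T23:58:13 alice 10.0.1.15 203.0.113.7 4000
2011-06-03T02:17:45 tmp_user 10.0.1.90 198.51.100.4 1500
2011-06-03T03:02:10 alice 10.0.1.15 203.0.113.7 950000000
"""

KNOWN_USERS = {"alice", "bob", "svc_backup"}   # assumed list of principals expected on the network
BUSINESS_HOURS = (time(8, 0), time(19, 0))     # assumed working day, local time
INTERNAL_PREFIX = "10."                        # assumed internal address space


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    dst: str
    bytes_out: int


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, src, dst, int(nbytes)))
    return events


def is_off_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def off_hours_unknown_principals(events: list) -> list:
    """Off-hours activity not initiated by a known user: the filter the post suggests."""
    return [e for e in events if is_off_hours(e.ts) and e.user not in KNOWN_USERS]


def outbound_bursts(events: list, factor: int = 20) -> list:
    """Flag an external transfer that dwarfs everything the same user sent externally before.

    This targets the final exfiltration step: months of quiet collection followed by one
    large upload. A user with no external history is not flagged here; the off-hours
    check above covers that case for unknown principals.
    """
    history = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.dst.startswith(INTERNAL_PREFIX):
            continue                                   # internal traffic is not exfiltration
        previous = history[e.user]
        if previous and e.bytes_out > factor * max(previous):
            alerts.append(e)
        previous.append(e.bytes_out)
    return alerts


def triage(text: str) -> dict:
    """Run both detections over a log and return the alerts by category."""
    events = parse_log(text)
    return {
        "off_hours_unknown": off_hours_unknown_principals(events),
        "outbound_burst": outbound_bursts(events),
    }


if __name__ == "__main__":
    for category, alerts in triage(SAMPLE_LOG).items():
        for e in alerts:
            print(f"{category}: {e.ts.isoformat()} {e.user} {e.src} -> {e.dst} ({e.bytes_out} bytes)")
```

Both checks are deliberately weak on their own, as the post says: a patient intruder who uses a legitimate account during business hours and drips data out slowly trips neither of them. Their value is in raising the cost of staying quiet and in shortening the time to discovery when the intruder does get sloppy at the end.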

In Part II, Srikanth will discuss what India and other governments must do to effectively prevent exploitation of these security vulnerabilities, or mitigate damage, if they are indeed exploited.


Guestpost: Stuxnet and India

[This is a guest blogpost by Srikanth R., Senior Research Associate at the Takshashila Institution. In this blogpost, Srikanth provides context to the Stuxnet Trojan and highlights preventive measures India can take to minimize collateral damage.]

News on the impact of what has come to be known as the Stuxnet Trojan on Iran’s nuclear facilities at Natanz and Bushehr has generated a considerable amount of media and academic interest in its origins. In a briefing to the U.S. Senate Homeland Security and Governmental Affairs Committee, Sean McGurk, director of Homeland Security’s national cybersecurity operations center, described Stuxnet as a “game changer.”

According to the Siemens product support site, Stuxnet affects Microsoft Windows PCs with WinCC and PCS 7. The malware spreads via mobile data carriers, for example USB sticks, and networks. The Trojan is activated solely by viewing the contents of the USB stick. The website also suggests that Stuxnet was not developed by a hacker but “with the product of a team of experts who must have IT expertise as well as specific know-how about industrial controls, their deployment in industrial production processes and corresponding engineering knowledge” and “This means that the malware is able, under certain boundary conditions, to influence the processing of operations in the control system.”

There is a procedure to clean a system infected with Stuxnet, but the Trojan can be activated by plugging in a USB device that has been infected, and cleaning a network of infected machines cannot be done without disrupting all activity and shutting down the entire network. As explained in the support website:

It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications. [Siemens]

Indeed, Iran’s centrifuge program had to go through a shutdown and restart process to clean up its infected system, delaying its schedule. The implications of the Trojan for India’s own nuclear program have thus far been unreported. Since the Trojan’s target is system-specific (WinCC and PCS 7), the impact is likely minimal unless India employs the same software to program its spinning machines. However, it is still conceivable that similar SCADA systems are used in Indian industry for a variety of other purposes and could potentially be vulnerable to Stuxnet-like attacks in the future.

Given the inherent vulnerability of WinCC-based processes to such attacks, it is prudent to take precautions and design processes to ensure that no unverified software can be loaded onto the system, either over the Internet or via USB memory sticks. Industries that are currently vulnerable to such attacks must consider moving to non-WinCC systems in the long run.

What Stuxnet tells us is that a malignant organization or country can put together a team of experts to create Stuxnet-like Trojans to target SCADA systems in India or elsewhere. While cybersecurity policy makers assess the long-term implications of Stuxnet-like Trojans, short-term precautionary measures are necessary to prevent further collateral damage. Sites operating such systems should segment their different SCADA systems into separate, isolated subnets to ensure that infection of one system does not spread to others. Furthermore, it may be useful to institute security protocols to prevent the insertion of USB devices into any machine on the network. USB devices of unknown origin must be forbidden from being used.
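The subnet segmentation recommended above is only worth something if it is enforced and checked, and the check can be automated against observed traffic. The Python below is an added example (not from the original post and not from Siemens): it assigns each address to a zone, encodes a default-deny policy in which only the engineering subnet may initiate connections into each SCADA cell and cells never talk to each other or to anything outside the plant, and reports every flow record that violates that policy. The zone names, address ranges, ports and flow records are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed zone layout: each SCADA cell lives in its own subnet; the engineering
# workstation subnet may reach the cells, but cells must never reach each other or
# anything outside the plant. Names and address ranges are assumptions for this example.
ZONES = {
    "cell_A": ipaddress.ip_network("192.168.10.0/24"),
    "cell_B": ipaddress.ip_network("192.168.20.0/24"),
    "engineering": ipaddress.ip_network("192.168.100.0/24"),
}

# Default deny: only these (source zone, destination zone) pairs may carry traffic.
ALLOWED = {
    ("engineering", "engineering"),
    ("engineering", "cell_A"),
    ("engineering", "cell_B"),
    ("cell_A", "cell_A"),
    ("cell_B", "cell_B"),
}

Flow = namedtuple("Flow", "src dst dport")

# Constructed flow records, e.g. from a firewall or switch export.
SAMPLE_FLOWS = [
    Flow("192.168.100.5", "192.168.10.7", 102),    # engineering -> cell A: permitted
    Flow("192.168.10.7", "192.168.10.8", 502),     # inside cell A: permitted
    Flow("192.168.10.7", "192.168.20.9", 445),     # cell A -> cell B: infection crossing cells
    Flow("192.168.20.9", "203.0.113.50", 443),     # cell B -> outside the plant
    Flow("192.168.10.7", "192.168.100.5", 445),    # cell -> engineering: wrong direction
]


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the plant ranges is 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def audit(flows: list) -> list:
    """Return (flow, (src_zone, dst_zone)) for every flow the segmentation policy forbids."""
    violations = []
    for f in flows:
        pair = (zone_of(f.src), zone_of(f.dst))
        if pair not in ALLOWED:
            violations.append((f, pair))
    return violations


def violation_summary(flows: list) -> dict:
    """Count forbidden flows per zone pair, a quick view of where segmentation is leaking."""
    counts = {}
    for _, pair in audit(flows):
        counts[pair] = counts.get(pair, 0) + 1
    return counts


if __name__ == "__main__":
    for f, (src_zone, dst_zone) in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {src_zone} -> {dst_zone}: {f.src} -> {f.dst}:{f.dport}")
    print(violation_summary(SAMPLE_FLOWS))
```

Running the audit continuously over exported flows turns the segmentation rule from a diagram into something observable: a single cell-to-cell or cell-to-external flow is exactly the lateral movement the post warns about, and it should be investigated rather than explained away.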

It is also advisable to move towards more secure Unix-based platforms for industrial control systems, where the security architecture is more robust than that of Windows-based SCADA systems. Windows-based systems are affected by about 2 million known malware, with Linux a distant second with 1,178 vulnerabilities.
