Tag Archives | cyber security

Namaste, India

Implications to India of Britain’s alleged telecommunications spy base.

The Register reports on Britain’s covert cyber surveillance program in the Middle East.  The report is unconfirmed and there’s really no way to verify the veracity of any of the Register’s claims, but it does make for interesting reading.  The report claims that Britain’s submarine Internet cable surveillance program is based out of Muscat, Oman (at Seeb station).  It further claims that “probes” are installed on optical cable networks belonging to two British telecommunications heavyweights — BT and Vodafone, thus allowing snooped data to be accessed by cyber-surveillance personnel in the UK.

According to documents revealed by Edward Snowden to journalists including Glenn Greenwald among others, the intelligence agency annually pays selected companies tens of millions of pounds to run secret teams which install hidden connections which copy customers’ data and messages to the spooks’ processing centres. The GCHQ-contracted companies also install optical fibre taps or “probes” into equipment belonging to other companies without their knowledge or consent. Within GCHQ, each company has a special section called a “Sensitive Relationship Team” or SRT. [The Register]

This is particularly interesting because two of the four eastbound submarine cables from Seeb station in Muscat (GIBS and FLAG FALCON) provide backbone connectivity to western India via Mumbai (wild guess, probably at Prabhadevi).  This map will better illustrate the route of the eastern half of Seeb station’s connectivity.  The report alleges that BT and Vodafone are two top earners of secret payments from Britain’s SIGINT organization, GCHQ.  Lest we forget, India represents Vodafone’s largest customer base and the company’s second-largest country in terms of data traffic.

This begs the question: if any of this is true, just how badly compromised is India’s Internet and telecommunications data if the integrity of two of its ingress and egress points is in question?  The Luddites among us, I’m sure, look on with barely-concealed glee.

 


Guestpost: Do we care about privacy?

India’s privacy policy cannot be formulated only in the privacy of the corridors of power.

Ranjeet Rane, Research Assistant with Takshashila Institution’s Cyber Security Team, argues for an urgent debate between the government and citizens on privacy rights and limitations in India, given the recently implemented Centralized Monitoring System.

While Mr. Edward Joseph Snowden gets to spend a year in Russia thanks to political asylum granted to him by the Russian president, the world is still recovering from the aftermath of the diplomatic quagmire his revelations of the U.S. Mass Surveillance Project brought in its wake.  To some, Mr. Snowden is a hero who exposed the machinations of Big Brother.  Regardless, the irony in Mr. Snowden’s choice of Russia as the staging ground for his apparent war against clandestine surveillance should not be lost on us.

If one looks beyond the news articles on clandestine surveillance, it would be fair to say that the Snowden incident has now made it necessary to initiate a debate on balancing the concerns of privacy and security in India.  Indeed, the need for such a debate is even more pressing given that the recent announcement of the Government of India to implement a Centralized Monitoring System (CMS) for the “lawful interception and monitoring” of electronic communication channels in the country comes at a time when the contours of a Privacy law are ill-defined in the country.

The Takshashila Institution’s discussion paper on the CMS highlights important concerns about the nature of privacy in the country. These concerns have found voice in recent news reports as well.

In the absence of laws that provide for the safeguarding of privacy and regulating data retention, ordinary citizens lack clarity on how their personal information is collected, stored, used and shared. Such practices are contradictory to the various interpretations of Article 19 & Article 21 of the Indian Constitution by the Supreme Court that indirectly uphold the Right to Privacy.

At present, lawful interception is vaguely defined within various Sections of the colonial-era Telegraph Act 1885. Among the more recent laws, Sections 69 & 69B of the Information Technology Act 2008 further expand the mandate for lawful interception, which may be exercised “when [the authorized officers] are satisfied that it is necessary or expedient” to do so in the interest of:

  1. The sovereignty or integrity of India;

  2. defense of India;

  3. security of the State;

  4. friendly relations with foreign States;

  5. public order;

  6. preventing incitement to the commission of any cognizable offence relating to above; or

  7. for investigation of any offence.

The directions under Section 69 can be issued by officers both at the central and state level; directions under Section 69B can only be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology. The analogous wording in the section coupled with the lack of exact definitions makes the nature of the powers of the Intercepting Officers synonymous with “discretionary.”

As for Data Retention, Section 67C of the Information Technology Act requires ‘intermediaries’ to maintain and preserve information. The nature of this information and the duration for the same was to be specified in a separate set of Rules to be issued by the Central Government. Apart from the Cyber Café Rules 2011 no such rules have been framed.  These Rules have led to a vast database of photo-copies of “ID proof” documents getting collected with cyber cafes across the country. Incidents of such documents being used for acquiring mobile SIM cards have also been highlighted by news reports.

It is clear from the examples above that there is a complete lack of accountability and responsibility when it comes to the government controlling private data of the citizens. If the Government of India plans to implement the CMS or is already using Lawful Intercept and Monitoring (LIM) systems, then there is an urgent need for public discourse on this issue.

While current controls and accountability around lawful interception of personal data are not assuring, the ‘voluntary’ collection of citizen data through UID programs requires further security provisions and clarity on how such data collected will be stored, which agencies will have access to it and with whom it will be shared. While a one-size-fits-all rule cannot be applied for data collected through interception systems or data voluntarily provided by citizens to avail various government benefits, it doesn’t take away the need to address the issues of privacy associated with both the categories.

Indeed, concerns of privacy cannot be wished away merely by citing vague threats to national security.  National security can, of course, trump concerns of privacy in extraordinary circumstances, but these ought to be the exception rather than the rule.  The status quo will only add to the rapidly escalating trust-deficit between the Government and its citizens.  While the draft of the Right to Privacy Bill has been making the rounds for quite some time, it hasn’t yet been opened for public consultation.

Policies on privacy cannot be formulated only in the privacy of the corridors of power.  Ultimately, it is imperative that the Government involve and consider the views of a much wider spectrum of stakeholders while formulating legislation on the basic rights of 1.2 billion people to own, control and share information about themselves.

 


Calling all stations

Why are Indian “techies” conspicuously absent from India’s debates on cyber-security?

In an attempt to regulate conduct and provide security over electronic media, the Indian government enacted the Information Technology (IT) Act (2000) and implemented the Central Monitoring System (CMS).  The IT Act, which contains clauses such as Section 66A, which challenges the spirit of the Constitution of the country, was passed in Parliament with no debate.

Similarly, the CMS, whose mandate encompassed the lawful interception of telecommunications and Internet traffic, was implemented at an initial cost of well over $120 million.  We are now given to understand that due to technological limitations, the scope of the CMS, at least in the interim, will be restricted to the interception of telecommunication and unencrypted Internet traffic.  OK, except freely-available open-source security tools and a pool of cyber-security professionals could deliver results sought by the restricted mandate of the CMS at a negligible cost.

The question that emerges is this: did the government of India (and those that advise it) know of the inherent technological limitations that inhibit full-spectrum interception of electronic data?  If they didn’t, we should be astounded by the level of incompetence.  If they did, India’s citizens should be challenging wasteful expenditure towards a program whose mandate no one appears to be able to deliver upon. Curiously, much of the public debate on cyber-security in India seems to be led mostly by legal experts or by open society advocates.  But where are India’s technophiles?  Why is there almost no articulation of the technological challenges such a program presents to those that govern us?

We are told that India is a global software leader and that IT and IT-enabled service sectors provide employment to millions of citizens. Indians are taking to the Internet at a faster rate than any other major economy in the world; India’s mobile penetration rate is off the charts at 70 per cent (870 million subscribers).

Heck, the IT revolution in India has also led us to coin and mass-accept the term “techie,” used by almost no one else in the world in that context (a “techie” in the U.S., for example, is a technician involved in setting up sound and lighting for film/TV production sets).  An army of Indian technophiles dominates social media and multi-media sharing websites such as YouTube.  Yet, these technophiles have been silent in an already-muted debate on the governance of cyberspace in India.

This is not to say that legal experts and open society champions have no role to play in the discourse.  Indeed, legal experts and open-society advocates provide perspective and expertise that others in India may not have.  Their participation in the debate, therefore, is not only beneficial but essential.  At the same time though, we are missing critical perspectives from technology experts if legal and open-society advocates continue to dominate the discourse as they do now in India.  The narrative of the discourse today is skewed in favor of debates over privacy and the spirit of the Constitution and doesn’t feature, in any meaningful way, critiques of the government of India’s approach from a technological standpoint.

It should be a matter of concern that India’s broad and vibrant base of technology professionals is mostly absent from debates on how India governs technology.  What do we put this down to — a lack of awareness?  Or disinterest?  More importantly, what can we do to entice them into participating and enriching the discourse?


‘Tis the season for hacking

Cyber-security asymmetries 101: Hacking is easier than defending.

Indian and Pakistani hackers are out defacing websites of each other’s countries.  On the second anniversary of the 26/11 attacks in Mumbai, an Indian group calling itself the “Indian Cyber Army” (ICA) carried out an attack on 36 Pakistani websites, including the websites of the Pakistani Navy, the National Accountability Bureau (NAB) and Ministry of Foreign Affairs.

In response, a group called Pakistan Cyber Army (PCA) launched an attack on about 200 Indian websites, including the CBI (littering it with trash-talk that should, quite frankly, embarrass the hackers more than the compromise should, the CBI).  The very next day, Indian groups retaliated by hacking Pakistan’s Oil & Gas Regulatory Authority (OGRA) and a Pakistani Army recruitment website.

A review of the list of 200 websites hacked by the PCA reveals that a majority of sites were private small-business websites.  Embarrassing perhaps, but of low strategic value.  The goal of any large-scale defacement is to hurt the reputation of the victim.  If PCA’s victim was the Indian state, then its targets were poorly chosen.

Yes, websites owned by Indians were hit, but they are hardly representative of the Indian state in the same way that the government or the military is. This could indicate that the attack itself was poorly planned and motivated more by a desire to show that Pakistani hackers could retaliate quickly, by hitting out at low-hanging fruit, than an orchestrated attempt to deliver the same quality of response as ICA did on 26/11.  By all measures, compromising the website of Khanna Constructions isn’t remotely of the same strategic value as defacing the Pakistani Ministry of Foreign Affairs website.

But the world of cyber-security is faced with certain asymmetries.  Hacking is easier than defending.  For any government to be able to defend its “universe” of websites requires it to have three things — an appreciation for the challenge it faces, determination to address the challenge, and good counsel on how to address the challenge. If the first two are absent, the third is almost irrelevant.

It is no secret that the first two are almost entirely missing in India. In an apparent response to the hacking of the CBI website, we were given this bit of information from DRDO, via PTI:

Close on the heels of hacking of the CBI website, Defence Research and Development Organisation (DRDO) on Sunday said it was developing a mechanism to make websites hacking-proof. “It is always better to use indigenously developed systems than using others’ designs,” he said. The DRDO chief expressed optimism that its engineers could certainly develop hacking proof devices. [NDTV] (Credit: Parth Bakshi)

That’s just brilliant. Not only do they not know what they are talking about, they also don’t know what hit them nor how to defend against it.

And pray, what is a “hacking-proof” website?

Based on the attack on the CBI website, we know that a vulnerability management program isn’t in place right now.  The CBI attack was a standard SQL-injection exploit.  Out-of-the-box solutions (some, even free) exist today that assess whether websites are susceptible to SQL-injection and other attacks.  Even a basic vulnerability management program would have detected and alerted those responsible for security about the existing vulnerability.

That dovetails nicely into my closing question: who owns the security of India’s websites and supporting infrastructure, across the Centre and State? The answer is no one. And everyone. The blind lead the blind. With that being the case, there really is no reason not to believe that Indian websites will continue to get hit over the coming days and months, just as they have over the past many years.  Cyber-security is an uphill battle to begin with. With the current levels of apathy and ignorance to such issues prevalent in our government, we should be prepared for nothing less.
