The Centre for Internet and Society
http://editors.cis-india.org
Guidelines for the Protection of National Critical Information Infrastructure: How Much Regulation?
http://editors.cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure
<b>July has been a busy month for cyber security in India. Beginning with the release of the country’s first National Cyber Security Policy on July 2 and followed just this past week by a set of guidelines for the protection of national critical information infrastructure (CII) developed under the direction of the National Technical Research Organization (NTRO), India has made respectable progress in its thinking on national cyber security.</b>
<p style="text-align: justify; ">Yet the National Cyber Security Policy, taken together with what little is known of the as-yet restricted guidelines for CII protection, raises troubling questions, particularly regarding the regulation of cyber security practices in the private sector. Whereas the current Policy suggests the imposition of certain preferential acquisition policies, India would be best advised to maintain technology neutrality to ensure maximum security.</p>
<p style="text-align: justify; ">According to Section 70(1) of the Information Technology Act, Critical Information Infrastructure (CII) is defined as a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.” In one of the 2008 amendments to the IT Act, the Central Government granted itself the authority to “prescribe the information security practices and procedures for such protected system[s].” These two paragraphs form the legal basis for the regulation of cyber security within the private sector.</p>
<p style="text-align: justify; ">Such basis notwithstanding, private cyber security remains almost completely unregulated. According to the <a href="http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf">Intermediary Guidelines</a> [pdf], intermediaries are required to report cyber security incidents to India’s national-level computer emergency response team (CERT-In). Other than this relatively small stipulation, the only regulation in place for CII exists at the sector level. Last year the Reserve Bank of India <a href="http://perry4law.org/blog/?p=93">mandated</a> that each bank in India appoint a chief information officer (CIO) and a steering committee on information security. The finance sector is also the only sector of the four designated “critical” by the Department of Electronics and Information Technology (DEIT) <a href="http://deity.gov.in/content/strategic-approach">Cyber Security Strategy</a> to have established a sector-level CERT, which released a set of non-compulsory <a href="http://www.idrbt.ac.in/PDFs/ISG_Booklet_Nov_2011.pdf">guidelines</a> [pdf] for information security governance in late 201</p>
<p style="text-align: justify; ">The new guidelines for CII protection seek to reorganize the government’s approach to CII. According to a <a href="http://articles.timesofindia.indiatimes.com/2013-07-20/india/40694913_1_cyber-attacks-ntro-guidelines">Times of India article</a> on the new guidelines, the NTRO will outline a total of <i>eight</i> sectors (including energy, aviation, telecom and National Stock Exchange) of CII and then “monitor if they are following the guidelines.” Such language, though vague and certainly unsubstantiated, suggests the NTRO may ultimately be responsible for enforcing the “[mandated] security practices related to the design, acquisition, development, use and operation of information resources” described in the Cyber Security Policy. If so, operators of systems deemed critical by the NTRO or by other authorized government agencies may soon be subject to cyber security regulation—with teeth.</p>
<p style="text-align: justify; ">To be sure, some degree of cyber security regulation is necessary. After all, large swaths of the country’s CII are operated by private industry, and poor security practices on the part of one operator can easily undermine the security of the rest. To quote security expert <a href="http://www.schneier.com/blog/archives/2012/10/stoking_cyber_f.html">Bruce Schneier</a>, “the externalities in cybersecurity are so great that even the freest free market would fail.” In less academic terms, networks are only as secure as their weakest links. While it is true that many larger enterprises take cyber security quite seriously, small and medium-sized businesses either lack immediate incentives to invest in security (e.g. no shareholders to answer to) or more often lack the basic resources to do so. Some form of government transfer for cyber security related investments could thus go a long way toward shoring up the country’s overall security.</p>
<p style="text-align: justify; ">Yet regulation may well extend beyond the simple “fiscal schemes and incentives” outlined in section IV of the Policy and “provide for procurement of indigenously manufactured ICT products that have security implications.” Such, at least, was the aim of the Preferential Market Access (PMA) Policy recently <a href="http://articles.economictimes.indiatimes.com/2013-07-08/news/40443725_1_pma-policy-preferential-market-access-policy-private-sector">put on hold</a> by the Prime Minister’s Office (PMO). Under pressure from international industry groups, the government has promised to review the PMA Policy, with the PMO indicating it may strike out clauses “regarding preference to domestic manufacturer[s] on security related products that are to be used by private sector.” If the government’s aim is indeed to ensure maximum security (rather than to grow an <a href="http://en.wikipedia.org/wiki/Infant_industry_argument">infant industry</a>), it would be well advised to extend this approach to the Cyber Security Policy and the new guidelines for CII protection.</p>
<p style="text-align: justify; ">Although there is a national security argument to be made in favor of such policies—namely that imported ICT products may contain “backdoors” or other nefarious flaws—there are equally valid arguments to be made <i>against</i> preferential acquisition policies, at least for the private sector. First and foremost, it is unlikely that India’s nascent cyber security institutions will be able to regulate procurement in such a rapidly evolving market. Indeed, U.S. authorities have been <a href="http://blog.heritage.org/2013/05/10/cybersecurity-government-regulations-cant-keep-up/">at pains</a> to set cyber security standards, especially in the past several years. Secondly, by mandating the procurement of indigenously manufactured products, the government may force private industry to forgo higher quality products. Absent access to source code or the ability to effectively reverse engineer imported products, buyers should make decisions based on the products’ performance records, not geo-economic considerations like country of origin. Finally, limiting procurement to a specific subset of ICT products likewise restricts the set of security vulnerabilities available to hackers. Rather than improve security, however, a smaller, more distinct set of vulnerabilities may simply make networks <a href="http://csis.org/blog/diffusion-and-discrimination-global-it-marketplace">easier targets</a> for the sorts of “debilitating” attacks the Policy aims to avert.</p>
<p style="text-align: justify; ">As India broaches the difficult task of regulating cyber security in the private sector, it must emphasize flexibility above all. On one hand, the government should avoid preferential acquisition policies which risk a) overwhelming limited regulatory resources, b) saddling CII operators with subpar products, and/or c) differentiating the country’s <a href="http://www.sans.edu/research/security-laboratory/article/did-attack-surface">attack surface</a>. On the other hand, the government should encourage certain performance standards through precisely the sort of “fiscal schemes and incentives” alluded to in the Cyber Security Policy. Regulation should focus on what technology does and does not do, not who made it or what rival government might have had their hands in its design. Ultimately, India should adopt a policy of technology neutrality, backed by the simple principle of <i>trust but verify</i>. Only then can it be truly secure.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure'>http://editors.cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure</a>
</p>
Blog Entry by jon, published 2013-08-01T04:48:01Z (Cyber Security, Internet Governance, Privacy)
India's National Cyber Security Policy in Review
http://editors.cis-india.org/internet-governance/blog/indias-national-cyber-security-policy-in-review
<b>Earlier this month, the Department of Electronics and Information Technology released India’s first National Cyber Security Policy. Years in the making, the Policy sets high goals for cyber security in India and covers a wide range of topics, from institutional frameworks for emergency response to indigenous capacity building.</b>
<p style="text-align: justify; ">What the Policy achieves in breadth, however, it often lacks in depth. Vague, cursory language ultimately prevents the Policy from being anything more than an aspirational document. In order to translate the Policy’s goals into an effective strategy, a great deal more specificity and precision will be required.</p>
<h3 style="text-align: justify; ">The Scope of National Cyber Security</h3>
<p style="text-align: justify; ">Where such precision is most required is in <i>definitions</i>. Having no legal force itself, the Policy arguably does not require the sort of legal precision one would expect of an act of Parliament, for example. Yet the Policy deals in terms plagued with ambiguity, <i>cyber security</i> not the least among them. In forgoing basic definitions, the Policy fails to define its own scope, and as a result it proves remarkably broad and arguably unfocused.</p>
<p style="text-align: justify; ">The Policy’s preamble comes close to defining <i>cyber security</i> in paragraph 5 when it refers to "cyber related incident[s] of national significance" involving "extensive damage to the information infrastructure or key assets…[threatening] lives, economy and national security." Here at least is a picture of cyber security on a national scale, a picture which would be quite familiar to Western policymakers: computer security practices "fundamental to both protecting government secrets and enabling national defence, in addition to protecting the critical infrastructures that permeate and drive the 21st century global economy."<a href="#fn*" name="fr*">[*]</a> The paragraph 5 definition of sorts becomes much broader, however, when individuals and businesses are introduced, and threats like identity theft are brought into the mix.</p>
<p style="text-align: justify; ">Here the Policy runs afoul of a common pitfall: conflating threats to the state or society writ large (e.g. cyber warfare, cyber espionage, cyber terrorism) with threats to businesses and individuals (e.g. fraud, identity theft). Although both sets of threats may be fairly described as cyber security threats, only the former is worthy of the term <i>national</i> cyber security. The latter would be better characterized as cyber <i>crime</i>. The distinction is an important one, lest cyber crime be “securitized,” or elevated to an issue of national security. National cyber security has already provided the justification for the much decried Central Monitoring System (CMS). Expanding the range of threats subsumed under this rubric may provide a pretext for further surveillance efforts on a national scale.</p>
<p style="text-align: justify; ">Apart from mission creep, this vague and overly broad conception of national cyber security risks overwhelming an as yet underdeveloped system with more responsibilities than it may be able to handle. Where cyber crime might be left up to the police, its inclusion alongside true national-level cyber security threats in the Policy suggests it may be handled by the new "nodal agency" mentioned in section IV. Thus clearer definitions would not only provide the Policy with a more focused scope, but they would also make for a more efficient distribution of already scarce resources.</p>
<h3 style="text-align: justify; ">What It Gets Right</h3>
<p style="text-align: justify; ">Definitions aside, the Policy actually gets a lot of things right — at least as an aspirational document. It certainly covers plenty of ground, mentioning everything from information sharing to procedures for risk assessment / risk management to supply chain security to capacity building. It is a sketch of what could be a very comprehensive national cyber security strategy, but without more specifics, it is unlikely to reach its full potential. Overall, the Policy is much of what one might expect from a first draft, but certain elements stand out as worthy of special consideration.</p>
<p style="text-align: justify; ">First and foremost, the Policy should be commended for its commitment to “[safeguarding] privacy of citizen’s data” (sic). Privacy is an integral component of cyber security, and in fact other states’ cyber security strategies have entire segments devoted specifically to privacy. India’s Policy stands to be more specific as to the <i>scope</i> of these safeguards, however. Does the Policy aim primarily to safeguard data from criminals? Foreign agents? Could it go so far as to protect user data even from its <i>own</i> agents? Indeed this commitment to privacy would appear at odds with the recently unveiled CMS. Rather than merely paying lip service to the concept of online privacy, the government would be well advised to pass <a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback">legislation</a> protecting citizens’ privacy and to use such legislation as the foundation for a more robust cyber security strategy.</p>
<p style="text-align: justify; ">The Policy also does well to advocate “fiscal schemes and incentives to encourage entities to install, strengthen and upgrade information infrastructure with respect to cyber security.” Though some have argued that such regulation would impose inordinate costs on private businesses, anyone with a cursory understanding of computer networks and microeconomics could tell you that “externalities in cybersecurity are so great that even the freest free market would fail”—to quote expert <a href="http://www.schneier.com/blog/archives/2012/10/stoking_cyber_f.html">Bruce Schneier</a>. In less academic terms, a network is only as strong as its weakest link. While it is true that many larger enterprises take cyber security quite seriously, small and medium-sized businesses either lack immediate incentives to invest in security (e.g. no shareholders to answer to) or more often lack the basic resources to do so. Some form of government transfer for cyber security related investments could thus go a long way toward shoring up the country’s overall security.</p>
<p style="text-align: justify; ">The Policy also “[encourages] wider usage of Public Key Infrastructure (PKI) within Government for trusted communication and transactions.” It is surprising, however, that the Policy does not <i>mandate</i> the usage of PKI. In general, the document provides relatively few details on what specific security practices operators of Critical Information Infrastructure (CII) can or should implement.</p>
<h3 style="text-align: justify; ">Where It Goes Wrong</h3>
<p style="text-align: justify; ">One troubling aspect of the Policy is its ambiguous language with respect to acquisition policies and supply chain security in general. The Policy, for example, aims to “[mandate] security practices related to the design, <i>acquisition</i>, development, use and operation of information resources” (emphasis added). Indeed, section VI, subsection A, paragraph 8 makes reference to the “procurement of indigenously manufactured ICT products,” presumably to the exclusion of imported goods. Although supply chain security must inevitably factor into overall cyber security concerns, such restrictive acquisition policies could not only deprive critical systems of potentially higher-quality alternatives but—depending on the implementation of these policies—could also <a href="http://csis.org/blog/diffusion-and-discrimination-global-it-marketplace">sharpen the vulnerabilities</a> of these systems.</p>
<p style="text-align: justify; ">Not only do these preferential acquisition policies risk mandating lower quality products, but it is unlikely they will be able to keep pace with the rapid pace of innovation in information technology. The United States provides a cautionary tale. The U.S. National Institute of Standards and Technology (NIST), tasked with producing cyber security standards for operators of critical infrastructure, <a href="http://www.computerweekly.com/news/2240183045/NIST-revises-US-federal-cyber-security-standards">made its first update</a> to a 2005 set of standards earlier this year. Other regulatory agencies, such as the Federal Energy Regulatory Commission (FERC), move at a marginally faster pace yet are nevertheless delayed by bureaucratic processes. FERC has already <a href="http://www.tripwire.com/state-of-security/compliance/nerc-cip/nerc-cip-version-5-one-giant-leap/">moved to implement</a> Version 5 of its Critical Infrastructure Protection (CIP) standards, nearly a year before the deadline for Version 4 compliance. The need for new standards thus outpaces the ability of industry to effectively implement them.</p>
<p style="text-align: justify; ">Fortunately, U.S. cyber security regulation has so far been technology-neutral. Operators of Critical Information Infrastructure are required only to ensure certain functionalities and not to procure their hardware and software from any particular supplier. This principle ensures competition and thus security, allowing CII operators to take advantage of the most cutting-edge technologies regardless of name, model, etc. Technology neutrality does of course raise risks, such as those <a href="http://www.businessweek.com/magazine/content/10_20/b4178036082613.htm">emphasized by the Government of India</a> regarding Huawei and ZTE in 2010. Risk assessment must, however, remain focused on the technology in question and avoid politicization. India’s cyber security policy can be technology neutral as long as it follows one additional principle: <i>trust but verify</i>.</p>
<p style="text-align: justify; ">Verification may be facilitated by the use of free and open-source software (FOSS). FOSS provides <i>security through transparency</i> as opposed to <i>security through obscurity</i> and thus enables more agile responses to security incidents. Users can identify and patch bugs themselves, or otherwise take advantage of the broader user community for such fixes. Thus open-source software promotes security in much the same way that competitive markets do: by accepting a wide range of inputs.</p>
<p style="text-align: justify; ">Despite the virtues of FOSS, there are plenty of good reasons to run proprietary software, e.g. fitness for purpose, cost, and track record. Proprietary software makes verification somewhat more complicated but not impossible. Source code escrow agreements have recently gained some traction as a verification measure for proprietary software, even with companies like Huawei and ZTE. In 2010, the infamous Chinese telecommunications giants <a href="http://www.ft.com/intl/cms/s/0/bd360448-7733-11e1-baf3-00144feab49a.html#axzz2ZUalpnWq">persuaded the Indian government</a> to lift its earlier ban on their products by concluding just such an agreement. Clearly <i>trust but verify</i> is eminently practicable, and with it technology neutrality.</p>
<h3 style="text-align: justify; ">What’s Missing</h3>
<p style="text-align: justify; ">Level of detail aside, what is most conspicuously absent from the new Policy is any framework for institutional cooperation beyond 1) the designation of CERT-In “as a Nodal Agency for coordination of all efforts for cyber security emergency response and crisis management” and 2) the designation of the “National Critical Information Infrastructure Protection Centre (NCIIPC) to function as the nodal agency for critical information infrastructure protection in the country.” The Policy mentions additionally “a National nodal agency to coordinate all matters related to cyber security in the country, with clearly defined roles & responsibilities.” Some clarity with regard to roles and responsibilities would certainly be in order. Even among these three agencies—assuming they are all distinct—it is unclear who is to be responsible for what.</p>
<p style="text-align: justify; ">More confusing still is the number of other pre-existing entities with cyber security responsibilities, in particular the National Technical Research Organization (NTRO), which in an earlier draft of the Policy was to have authority over the NCIIPC. The Ministry of Defense likewise has bolstered its cyber security and cyber warfare capabilities in recent years. Is it appropriate for these to play a role in securing civilian CII? Finally, the already infamous Central Monitoring System, justified predominantly on the very basis of cyber security, receives no mention at all. For a government that is only now releasing its first cyber security policy, India has developed a fairly robust set of institutions around this issue. It is disappointing that the Policy does not more fully address questions of roles and responsibilities among government entities.</p>
<p style="text-align: justify; ">Not only is there a lack of coordination among government cyber security entities, but there is no mention of how the public and private sectors are to cooperate on cyber security information—other than oblique references to “public-private partnerships.” Certainly there is a need for information sharing, which is currently facilitated in part by the sector-level CERTS. More interesting, however, is the question of liability for high-impact cyber attacks. To whom are private CII operators accountable in the event of disruptive cyber attacks on their systems? This legal ambiguity must necessarily be resolved in conjunction with the “fiscal schemes and incentives” also alluded to in the Policy in order to motivate strong cyber security practices among all CII operators and the public more broadly.</p>
<h3 style="text-align: justify; ">Next Steps</h3>
<p style="text-align: justify; ">India’s inaugural National Cyber Security Policy is by and large a step in the right direction. It covers many of the most pressing issues in national cyber security and lays out a number of ambitious goals, ranging from capacity building to robust public-private partnerships. To realize these goals, the government will need a much more detailed roadmap.</p>
<p style="text-align: justify; ">Firstly, the extent of the government’s proposed privacy safeguards must be clarified and ideally backed by a separate piece of <a href="http://editors.cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback" class="external-link">privacy legislation</a>. As Benjamin Franklin once said, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” When it comes to cyberspace, the Indian people must demand both liberty and safety.</p>
<p style="text-align: justify; ">Secondly, the government should avoid overly preferential acquisition policies and allow risk assessments to be technologically rather than politically driven. Procurement should moreover be technology-neutral. Open source software and source code escrow agreements can facilitate the verification measures that make technology neutrality work.</p>
<p style="text-align: justify; ">Finally, to translate this policy into a sound <i>strategy</i> will necessarily require that India’s various means be directed toward specific ends. The Policy hints at organizational mapping with references to CERT-In and the NCIIPC, but the roles and responsibilities of other government agencies as well as the private sector remain underdetermined. Greater clarity on these points would improve inter-agency and public-private cooperation—and thus, one hopes, security—significantly.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr*" name="fn*">*</a>] Melissa E. Hathaway and Alexander Klimburg, “Preliminary Considerations: On National Cyber Security,” in <i>National Cyber Security Framework Manual</i>, ed. Alexander Klimburg (Tallinn, Estonia: NATO Cooperative Cyber Defence Centre of Excellence, 2012), 13.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/indias-national-cyber-security-policy-in-review'>http://editors.cis-india.org/internet-governance/blog/indias-national-cyber-security-policy-in-review</a>
</p>
Blog Entry by jon, published 2013-07-31T10:40:22Z (Cyber Security, Internet Governance, Privacy)
Parsing the Cyber Security Policy
http://editors.cis-india.org/internet-governance/blog/the-hoot-july-13-2013-chinmayi-arun-parsing-the-cyber-security-policy
<b>An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble, says Chinmayi Arun.</b>
<hr />
<p style="text-align: justify; ">Chinmayi Arun's article was published in <a class="external-link" href="http://www.thehoot.org/web/Parsing-the-cyber-security-policy/6899-1-1-19-true.html">the Hoot</a> on July 13, 2013 and later cross-posted in the <a class="external-link" href="http://thefsiindia.wordpress.com/2013/07/13/indias-national-cyber-security-policy-preliminary-comments/">Free Speech Initiative</a> the same day.</p>
<hr />
<p style="text-align: justify; ">We often forget how vulnerable the World Wide Web leaves us. If walls of code prevent us from entering each other’s systems and networks, there are those who can easily pick their way past them or disable essential digital platforms. We are reminded of this by the doings of <a href="http://www.thedailybeast.com/articles/2013/04/17/anonymous-next-move.html" target="_blank">Anonymous</a>, which carried out a series of <a href="http://www.pcmag.com/article2/0,2817,2404554,00.asp" target="_blank">attacks</a>, including one on the website run by Computer Emergency Response Team India (CERT-In), the government agency in charge of cyber-security. Even more serious are cyber-attacks (arguably cyber warfare) carried out by other states, using digital weapons such as <a href="http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/" target="_blank">Stuxnet</a>, the digital worm. More proximate and personal are perhaps the <a href="http://articles.timesofindia.indiatimes.com/2013-06-22/internet/40133370_1_phishing-attacks-kaspersky-lab-unsuspecting-user" target="_blank">phishing attacks</a>, which are on the rise.</p>
<p style="text-align: justify; ">We therefore run a great risk if we leave <a href="http://abcnews.go.com/US/story?id=95993&page=1" target="_blank">air-traffic control</a>, <a href="http://www.bbc.co.uk/news/world-us-canada-22692778" target="_blank">defense resources</a> or databases containing many <a href="http://www.nytimes.com/2013/05/10/us/hackers-access-personal-data-in-washington-state.html" target="_blank">citizens’ personal data</a> vulnerable. There is no doubt that efforts towards better cyber-security are needed. A cyber-security policy is meant to address this need, and to help manage threats to individuals, businesses and government agencies. We need to carefully examine the government’s efforts to handle cyber-security, how effective they are, and whether its actions have too many negative spillovers.</p>
<p style="text-align: justify; ">The National Cyber-Security Policy, unveiled last week, is merely a statement of intention in broad terms. Much of its real impact will be ascertainable only after the language to be used in the law is available. Nevertheless, the scope of the policy <a href="http://www.rediff.com/news/report/national-cyber-security-policy-fails-on-many-fronts/20130703.htm" target="_blank">remains ambiguous</a> so far, leading to <a href="http://groundreport.com/privacy-ignored-by-the-cyber-security-policy-of-india/" target="_blank">much speculation</a> about the different ways in which it might be intrusive.</p>
<div style="text-align: justify; "><br />
<div style="text-align: justify; "><span><i><span>One Size Fits All?</span></i></span></div>
<div style="text-align: justify; "><span><span>The policy covers very different kinds of entities: government agencies, private companies or businesses, non-governmental entities and individual users. These entities may need to be handled differently depending on their nature. Therefore, while direct state action may be most appropriate to secure government agencies’ networks, it may be less appropriate in the context of purely private business. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>For example, securing police records would involve the government directly purchasing or developing sufficiently secure technology. However, different private businesses and non-governmental entities may be left to manage their own security. Depending on the size of each entity, each may be differently placed to acquire sophisticated security systems. A good policy would encourage innovation by those with the capacity to do this, while ensuring that others have access to reasonably sound technology, and that they use it. Grey-areas might emerge in contexts where a private party is manages critical infrastructure. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>It will also be important to distinguish between smaller and larger organisations whilst creating obligations. Unless this distinction is made at the implementation stage, start-up businesses and civil society organisations may find requirements such as earmarking a budget for cyber security implementation or appointing a Chief Information Security Officer onerous. Additionally, the policy will need to translate into a regulatory solution that provides under-resourced entities with ready solutions to enable them to make their information systems secure, while encouraging larger entities with greater purchasing power to invest in procuring the best possible solutions. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><i><span>Race to the Top</span></i></span></div>
<div style="text-align: justify; "><span><span>Security on the Internet works only if it stays one step ahead of the people trying to break in. An effective cyber-security policy must therefore keep pace with the rapid evolution of technology, and the standards it sets must not be allowed to become obsolete. The standard-setting and review bodies will need to be very nimble.</span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>The policy contemplates working with industry and supporting academic research and development to achieve this. However, the actual manner in which resources are distributed and progress is monitored may make the crucial difference between a waste of public funds and the acquisition of the capacity to achieve a reasonable degree of cyber security.</span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>Additionally the flow of public funds under this policy, particularly to purchase technology, should be examined very carefully to see whether it is justified. For example, if the government chooses to fund (even by way of subsidy) a private company’s cyber-security research and development rather than an equivalent public university’s endeavour, this decision should be scrutinized to see whether it was necessary. Similarly, if extensive public funds are spent training young people as a capacity-building exercise, we should watch to see how many of these people stay in India and how many leave such that other countries end up benefiting from the Indian government’s investment in them!</span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><i><span>Investigation of Security Threats</span></i></span></div>
<div style="text-align: justify; "><span><span>Although much of the policy focuses on defensive measures that can be taken against security breaches, it is intended not only to cover investigation subsequent to an attack but also to pinpoint ‘potential cyber threats’ so that proactive measures may be taken. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>The policy has outlined the need for a ‘Cyber Crisis Management Plan’ to handle incidents that impact ‘critical national processes or endanger public safety and security of the nation’. This portion of the policy will need to be watched closely to ensure that the language used is very narrow and allows absolutely no scope for misinterpretation or misuse that would affect citizens’ rights in any manner. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>This caution will be necessary both in view of the manner in which restraints on freedom of speech permitted in the interests of public safety have been flagrantly abused, and because of the </span><span>kind of paternalistic </span></span><span><a href="https://www.eff.org/deeplinks/2009/04/cybersecurity-act" target="_blank"><span>state intrusion</span></a><span><span> that might be conceived to give effect to such a plan.</span></span></span></div>
<div style="text-align: justify; "><span><span><span><br /></span></span></span></div>
<div style="text-align: justify; "><span><span>Additionally, since the policy mentions information sharing with domestic and international security, defence, law enforcement and similar agencies, it will be important to find out exactly what information is to be shared.</span></span> Of course, how the policy will be put into place will only become clear as the terms governing its various parts emerge. But one hopes the necessary internal direct action to ensure that government agencies’ information networks are secure is already well underway.</div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>It is also to be hoped that the government chooses to take implementation of privacy rights at least as seriously as cyber-security. If some parts of cyber security involve ensuring that user data is protected, the decision about what data needs protection will be important to this exercise. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>Additionally, although the policy discusses various enabling and standard-setting measures, it does not discuss the punitive consequences of failure to take reasonable steps to safeguard individuals’ personal data online. These consequences will also presumably form a part of the privacy policy, and should be put in place as early as possible.</span></span></div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-hoot-july-13-2013-chinmayi-arun-parsing-the-cyber-security-policy'>http://editors.cis-india.org/internet-governance/blog/the-hoot-july-13-2013-chinmayi-arun-parsing-the-cyber-security-policy</a>
</p>
Publisher: none. Author: chinmayi. Tags: Cyber Security, Internet Governance, Privacy. Published 2013-07-22T06:37:56Z. Blog Entry.
CII Conference on "ACT: Achieve Cyber Security Together"
http://editors.cis-india.org/internet-governance/blog/cii-conference-on-act
<b>The Confederation of Indian Industry (CII) organized a conference on facing cyber threats and challenges at the Hotel Hilton in Chennai on July 13, 2013. Kovey Coles attended the conference and shares a summary of the event in this blog post.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i></p>
<hr />
<p>The conference, hosted by CII at the Hotel Hilton, was well attended and featured a range of industry experts, researchers and developers, and members of the Indian armed forces.</p>
<p style="text-align: justify; ">Participants focused on the importance of Indian entities reaching new, adequate levels of cyber security. It was stated early in the event that India is one of the world's most targeted countries for cyber-attacks, and that its number of domestic internet users is rapidly increasing in what many view as a new era of international information warfare. Despite this, the speakers considered India to be too far behind other countries in its understanding of cyber security. In the opening remarks, CII Chairman Santhanam implored, "We need hard core techies in this field… we are not producing them." Another speaker, Savitha Kesav Jagadeesan, a practising lawyer in Chennai, asked whether India would wait for a "9/11 of cyberspace" before establishing online the same level of precautionary measures that now exists in transportation security.</p>
<p style="text-align: justify; ">With both the government’s executive forces and private industry present, the mood in the conference room was one of collective Indian defence: a secure nation achievable only if both government and industry are secure. As at the previous day’s DSCI cyber security conference, many speakers discussed security issues pertinent to the financial and banking industries, and other financially motivated cyber crime. For people seeking to avoid the array of scams and frauds online, some talks offered the most basic advice, such as safe password practices. "Passwords are like toothbrushes," said A.S. Murthy of the CDAC, "use them often, never share them with anyone, change them often." Other talks went into the intricacies of various attack techniques, including tabnabbing and Distributed Denial of Service (DDoS) attacks, describing how they work and how to mitigate them.</p>
<p style="text-align: justify; ">In the end, the conference had certainly informed the attendees of the goals, and the challenges, that India will face in the coming months and years. All of the speakers showed how quickly the world of cyber security is evolving, and demonstrated the imperative for government and industry to evolve their own practices and defences in step. The ambitions of several presentations matched the well-publicized "5 lakh cyber professionals in 5 years" plan, placing a strong emphasis on the current and future training of young students in cyber security. Ultimately, I think, the conference helped convince attendees that cyber security is neither a futile nor a completely infallible concept. As Cisco Vice President Col. K.P.M. Das said towards the end of the evening, the most ideal form of cyber security is truly "all about trust, the ability to recover, and transparency/visibility."</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cii-conference-on-act'>http://editors.cis-india.org/internet-governance/blog/cii-conference-on-act</a>
</p>
Publisher: none. Author: kovey. Tags: Cyber Security, Internet Governance, Privacy. Published 2013-07-26T08:17:40Z. Blog Entry.
CIS Cybersecurity Series (Part 6) - Lhadon Tethong
http://editors.cis-india.org/internet-governance/cis-cybersecurity-series-part-6-lhadon-tethong
<b>CIS interviews Lhadon Tethong, Tibetan human rights activist, as part of the Cybersecurity Series</b>
<p><i>"In authoritarian states, and in this case, in Tibet, I think that every person that we can teach and pass knowledge to, that can help them stay out of jail, stay in the streets, for one, two, three days longer, one week longer, that is a valuable time of time and resources. And I think we cannot rely on only tools and technology solutions to protect people. I think we can't just rely on government policies at the highest levels, and on export controls... the approach to digital security has to be comprehensive and we have to engage citizens. And not just in cases like the Tibetans or for activists or for people living under repression, but for people in free and open societies too." - Lhadon Tethong, Tibetan human rights activist.</i></p>
<p>Centre for Internet and Society presents its sixth installment of the CIS Cybersecurity Series.</p>
<p>The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.</p>
<p>In this installment, CIS interviews Lhadon Tethong, Tibetan human rights activist. Lhadon is the Director of the Tibet Action Institute, where she leads a team of technologists and human rights advocates in developing and advancing open-source communication technologies, nonviolent strategies and innovative training programs for Tibetans and other groups facing heavy repression and human rights abuses.</p>
<p>Link for Tibet Action Institute: <a href="https://tibetaction.net/">https://tibetaction.net/</a></p>
<p><iframe frameborder="0" height="315" src="http://www.youtube.com/embed/RzlvdY_DAe8" width="560"></iframe></p>
<p><b><i>This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.</i></b></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/cis-cybersecurity-series-part-6-lhadon-tethong'>http://editors.cis-india.org/internet-governance/cis-cybersecurity-series-part-6-lhadon-tethong</a>
</p>
Publisher: none. Author: purba. Tags: Cybersecurity, Internet Governance, Cybercultures, Cyber Security, Cyber Security Interview. Published 2013-08-01T09:54:46Z. Blog Entry.