The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 61 to 75.
Incident Response Requirements in Indian Law
http://editors.cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law
<b>Cyber incidents have serious consequences for societies, nations, and those who are victimised by them. The theft, exploitation, exposure or otherwise damage of private, financial, or other sensitive personal or commercial data and cyber attacks that damage computer systems are capable of causing lasting harm. </b>
<p style="text-align: justify; ">A recent example of such an attack in India is the data breach involving an alleged 3.2 million debit cards.<a href="#_ftn1" name="_ftnref1"><sup>[1]</sup></a> In this case, payment processing networks such as National Payments Corporation of India, Visa and Mastercard informed the banks of the leaks, after which the banks started the process of blocking and then reissuing the compromised cards. It has also been reported that the banks failed to report this incident to the Computer Emergency Response Team of India (CERT-In) even though they are required by law to do so.<a href="#_ftn2" name="_ftnref2"><sup>[2]</sup></a> Such risks are increasingly faced by consumers, businesses, and governments. A person who is a victim of a cyber incident usually looks to receive assistance from the service provider and government agencies, which are prepared to investigate the incident, mitigate its consequences, and help prevent future incidents. It is essential for an effective response to cyber incidents that authorities have as much knowledge regarding the incident as possible and have that knowledge as soon as possible. It is also critical that this information is communicated to the public. This underlines the importance of reporting cyber incidents as a tool in making the internet and digital infrastructure secure. Like any other crime, an Internet-based crime should be reported to those law enforcement authorities assigned to tackle it at a local, state, national, or international level, depending on the nature and scope of the criminal act. This is the first in a series of blog posts on the importance of incident reporting in the Indian regulatory context, with a view to highlighting the Indian regulations dealing with incident reporting and the ultimate objective of having a more robust incident reporting environment in India.</p>
<p style="text-align: justify; "><b>Incident Reporting under CERT Rules</b></p>
<p style="text-align: justify; ">In India, section 70-B of the Information Technology Act, 2000 (the “<b>IT Act</b>”) gives the Central Government the power to appoint an agency of the government to be called the Indian Computer Emergency Response Team. In pursuance of the said provision the Central Government issued the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “<b>CERT Rules</b>”) which provide the location and manner of functioning of the Indian Computer Emergency Response Team (CERT-In). Rule 12 of the CERT Rules gives every person, company or organisation the option to report cyber security incidents to the CERT-In. It also places an obligation on them to mandatorily report the following kinds of incidents as early as possible:</p>
<ul style="text-align: justify; ">
<li>Targeted scanning/probing of critical networks/systems;</li>
<li>Compromise of critical systems/information;</li>
<li>Unauthorized access of IT systems/data;</li>
<li>Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.;</li>
<li>Malicious code attacks such as spreading of virus/worm/Trojan/botnets/spyware;</li>
<li>Attacks on servers such as database, mail, and DNS and network devices such as routers;</li>
<li>Identity theft, spoofing and phishing attacks;</li>
<li>Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks;</li>
<li>Attacks on critical infrastructure, SCADA systems and wireless networks;</li>
<li>Attacks on applications such as e-governance, e-commerce, etc.</li>
</ul>
<p style="text-align: justify; ">The CERT Rules also impose an obligation on service providers, intermediaries, data centres and body corporates to report cyber incidents within a reasonable time so that CERT-In may have scope for timely action. This mandatory obligation of reporting incidents casts a fairly wide net in terms of private sector entities, however it is notable that prima facie the provision does not impose any obligation on government entities to report cyber incidents unless they come under any of the expressions “service providers”, “data centres”, “intermediaries” or “body corporate”. This would mean that if the data kept with the Registrar General & Census Commissioner of India is hacked in a cyber incident, then there is no statutory obligation under the CERT Rules on it to report the incident. It is pertinent to mention here that although there is no obligation on a government department under law to report such an incident, such an obligation may be contained in its internal rules and guidelines, etc. which are not readily available.</p>
<p style="text-align: justify; ">It is pertinent to note that although the CERT Rules provide for a mandatory obligation to report the cyber incidents listed therein, the Rules themselves do not provide for any penalty for non compliance. However this does not mean that there are no consequences for non compliance, it just means that we have to look to the parent legislation i.e. the IT Act for the appropriate penalties for non compliance. Section 70B(6) gives the CERT-In the power to call for information and give directions for the purpose of carrying out its functions. Section 70B(7) provides that any service provider, intermediary, data center, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6), shall be liable to imprisonment for a period up to 1 (one) year or fine of up to 1 (one) lakh or both.</p>
<p style="text-align: justify; ">It is possible to argue here that sub-section (6) only talks about calls for information by CERT-In and the obligation under Rule 12 of the CERT Rules is an obligation placed by the central government and not CERT-In. It can also be argued that sub-section (6) is only meant for specific requests made by CERT-In for information and sub-section (7) only penalises those who do not respond to these specific requests. However, even if these arguments were to be accepted and we were to conclude that a violation of the obligation imposed under Rule 12 would not attract the penalty stipulated under sub-section (7) of section 70B, that does not mean that Rule 12 would be left toothless. Section 44(b) of the IT Act provides that where any person is required under any of the Rules or Regulations under the IT Act to furnish any information within a particular time and such person fails to do so, s/he may be liable to pay a penalty of up to Rs. 5,000/- for every day such failure continues. Further, section 45 provides for a further penalty of Rs. 25,000/- for any contravention of any of the rules or regulations under the Act for which no other penalty has been provided.</p>
<p style="text-align: justify; "><b>Incident Reporting under Intermediary Guidelines</b></p>
<p style="text-align: justify; ">Section 2(1)(w) of the IT Act defined the term “intermediary” in the following manner;</p>
<p style="text-align: justify; ">“intermediary” with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.</p>
<p style="text-align: justify; ">Rule 3(9) of the Information Technology (Intermediaries Guidelines) Rules, 2011 (the “<b>Intermediary Guidelines</b>”) also imposes an obligation on any intermediary to report any cyber incident and share information related to cyber security incidents with the CERT-In. Since neither the Intermediary Guidelines nor the IT Act specifically provide for any penalty for non-conformity with Rule 3(9), any enforcement action against an intermediary failing to report a cyber security incident would have to be taken under section 45 of the IT Act containing a penalty of Rs. 25,000/-.</p>
<p style="text-align: justify; "><b>Incident Reporting under the Unified License</b></p>
<p style="text-align: justify; ">Clause 39.10(i) of the Unified License Agreement obliges the telecom company to create facilities for the monitoring of all intrusions, attacks and frauds on its technical facilities and provide reports on the same to the Department of Telecom (DoT). Further clause 39.11(ii) provides that for any breach or inadequate compliance with the terms of the license, the telecom company shall be liable to pay a penalty amount of Rs. 50 crores (Rs. 50,00,00,000) per breach.</p>
<p style="text-align: justify; "><b>Conclusion</b></p>
<p style="text-align: justify; ">It is clear from the above discussion that there is a legal obligation on service providers to report cyber incidents to the CERT-In. Presently, the penalty prescribed under Indian law may not be enough to incentivise companies to adopt comprehensive and consistent incident response programmes, except in cases of telecom companies under the Unified License Agreement. A fine of Rs. 25,000/- appears to be inconsequential when compared to the possible dangers and damages that may be caused due to a security breach of data containing, for example, credit card details. Further, it is also imperative that apart from the obligation to report the cyber incident to the appropriate authorities (CERT-In) there should also be a legal obligation to report it to the data subjects whose data is stolen or is put at risk due to the said breach. A provision requiring notice to the data subjects could go a long way in ensuring that service providers, intermediaries, data centres and body corporates implement the best data security practices since a breach would then be known by general consumers leading to a flurry of bad publicity which could negatively impact the business of the data controller, and for a business entity an economic stimulus may be an effective way to ensure compliance.</p>
<p style="text-align: justify; ">As we continue to research incident response, the questions and areas we are exploring include the ecosystem of incident response including what is reported, how, and when, appropriate incentives to companies and governments to report incidents, various forms of penalties, the role of cross border sharing of information and jurisdiction and best practices for incident reporting and citizen awareness.</p>
<p style="text-align: justify; "><i>Published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document</i></p>
<hr />
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1"><sup>[1]</sup></a> <a href="http://www.huffingtonpost.in/2016/10/21/atm-card-hack-what-banks-are-saying-about-india-s-biggest-data/">http://www.huffingtonpost.in/2016/10/21/atm-card-hack-what-banks-are-saying-about-india-s-biggest-data/</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2"><sup>[2]</sup></a> <a href="http://tech.economictimes.indiatimes.com/news/internet/cert-in-had-warned-banks-on-oct-7-about-expected-targeted-attacks-from-pakistan/54991025">http://tech.economictimes.indiatimes.com/news/internet/cert-in-had-warned-banks-on-oct-7-about-expected-targeted-attacks-from-pakistan/54991025</a></p>
No publisher | vipul | Cyber Security, Internet Governance, Privacy | 2016-12-28T01:19:28Z | Blog Entry
Developer team fixed vulnerabilities in Honorable PM's app and API
http://editors.cis-india.org/internet-governance/blog/major-security-flaw-namo-app
<b>The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.</b>
<p><strong>This blog post has been authored by Bhavyanshu Parasher</strong>. The original post can be <a class="external-link" href="https://bhavyanshu.me/major-security-flaw-pm-app/09/29/2015">read here</a>.</p>
<hr />
<h2 style="text-align: justify; ">What were the issues?</h2>
<p style="text-align: justify; "><span>The main issue was how the app was communicating with the API served by narendramodi.in.</span></p>
<div id="_mcePaste" style="text-align: justify; "><ol>
<li>I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.</li>
<li>There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.</li>
<li>The API was still being served over HTTP instead of HTTPS.</li>
</ol></div>
<h3 style="text-align: justify; ">Fixed</h3>
<ol style="text-align: justify; ">
<li>The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.</li>
<li>A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.</li>
<li>Blocked HTTP. Every response is served over HTTPS. The people on older versions (which were serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figured out a way to deal with people running older versions of the app. At least now they will update the app.</li>
</ol>
<h2 style="text-align: justify; ">Detailed Vulnerability Disclosure</h2>
<p style="text-align: justify; ">I found a major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, the API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. A MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps logs of data, which it probably does, then they might already have your email address, passwords etc. in plain text. So if you were using this app, <strong>I would suggest you change your password immediately</strong>. Can’t leave out the possibility of it being compromised.</p>
<p style="text-align: justify; ">Another major problem was that the token needed to access the API was giving a false sense of security to developers. The access token could easily be fetched and anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user data (primarily email addresses and FB profile pictures of those registered via FB) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain with a demo.</p>
<p style="text-align: justify; ">The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters: userid, which we could easily iterate on starting from 1, and token, which was a fixed value. There was no authentication check on the API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simple script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/App.png/@@images/7bec3ca6-0808-4d19-9711-bc084b507f61.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy_of_App.png/@@images/2e499adb-b621-4bc4-a490-f8957c9ac1d7.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I had been able to get in touch with the team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us a lot of time. The team did a great job by fixing the issues and that’s what matters.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Disclosure to officials</h2>
<p style="text-align: justify; ">The email address provided on Google Play Store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via Twitter.</p>
<p style="text-align: justify; ">Vulnerability disclosed to authorities on 30th Sep, 2015 around 5:30 AM.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet1.png" alt="Tweet 1" class="image-inline" title="Tweet 1" /></p>
<p style="text-align: justify; ">After about 30 hours of reporting the vulnerability</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet2.png" alt="Tweet 2" class="image-inline" title="Tweet 2" /></p>
<h2 style="text-align: justify; ">Proposed Solution</h2>
<p style="text-align: justify; "><span>Consulted </span><a href="https://twitter.com/pranesh_prakash">@pranesh_prakash</a><span> as well regarding the issue.</span></p>
<p style="text-align: justify; "><span><img src="http://editors.cis-india.org/home-images/Tweet3.png" alt="Tweet 3" class="image-inline" title="Tweet 3" /></span></p>
<p style="text-align: justify; ">After this, I mailed them a solution regarding the issues.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Discussion with developer</h2>
<p style="text-align: justify; ">Received <strong>phone call</strong> from a developer. Discussed possible solutions to fix it.</p>
<p style="text-align: justify; "><strong>The solution that I proposed could not be implemented</strong> since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s a lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash the app for people running the older versions. The main problem is that <strong>people don’t upgrade to the latest versions, leaving themselves vulnerable to security flaws</strong>. The one I proposed is a better way of doing it, I think, but it will break for people using older versions, as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet4.png" alt="Tweet 4" class="image-inline" title="Tweet 4" /></p>
<p style="text-align: justify; ">On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. <strong>I can now confirm they have fixed all three issues</strong>.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Update 12/02/2016</h2>
<p style="text-align: justify; "><a class="external-link" href="http://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data/story/1/14347.html">This vulnerability</a> in the NM app is similar to the one I got fixed last year. Like I said before, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why they would introduce personal information in the JSON output again if they knew that’s a privacy problem and it was reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using the account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how the API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for the API. That should take care of most of the vulnerabilities.</p>
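<p style="text-align: justify; ">The missing check described under “Detailed Vulnerability Disclosure” and the “standard auth methods” called for in this update can be put side by side. The following is an added example, not code from the original post or from the app's developers: the user records, field names, key and function names are all constructed, and the signed session token is one assumed way of binding a request to a logged-in user.</p>

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data; field names are assumptions, not the real API schema.
USERS = {
    1: {"name": "Asha", "email": "asha@example.org"},
    2: {"name": "Ravi", "email": "ravi@example.org"},
}
APP_TOKEN = "fixed-token-shipped-in-every-app"   # identical for every client
SERVER_KEY = b"constructed-demo-key-kept-server-side"
SESSION_TTL = 3600  # seconds


def get_profile_flawed(params):
    """Pattern described in the post: a shared token, no check of who is asking."""
    if params.get("token") != APP_TOKEN:
        return 403, {"error": "bad token"}
    target = int(params["userid"])
    user = USERS.get(target)
    if user is None:
        return 404, {"error": "no such user"}
    return 200, dict(user, userid=target)  # private fields of any user


def issue_session(user_id, now=None):
    """Issued after a successful login: a signed, expiring, per-user token."""
    now = time.time() if now is None else now
    body = json.dumps({"uid": user_id, "exp": int(now) + SESSION_TTL}).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    parts = (base64.urlsafe_b64encode(body), base64.urlsafe_b64encode(sig))
    return b".".join(parts).decode()


def verify_session(token, now=None):
    """Return the authenticated user id, or None if malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.encode().split(b".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(body)                    # safe: body was signed by us
    if claims["exp"] < now:
        return None
    return claims["uid"]


def get_profile_hardened(session_token, params):
    """Authenticate the caller, then authorise per field on the server."""
    caller = verify_session(session_token)
    if caller is None:
        return 401, {"error": "login required"}
    try:
        target = int(params["userid"])
    except (KeyError, ValueError):
        return 400, {"error": "bad userid"}
    user = USERS.get(target)
    if user is None:
        return 404, {"error": "no such user"}
    if caller != target:
        # Someone else's profile: public fields only.
        return 200, {"userid": target, "name": user["name"]}
    return 200, dict(user, userid=target)


def post_comment_hardened(session_token, params, comments):
    """The author comes from the verified session, never from a request field."""
    caller = verify_session(session_token)
    if caller is None:
        return 401, {"error": "login required"}
    comments.append({"author": caller, "text": params.get("text", "")})
    return 201, {"author": caller}
```

<p style="text-align: justify; ">Because the identity is taken from the verified session, changing the userid parameter changes only which public profile is shown, and a comment can only ever be attributed to the logged-in caller.</p>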
<p style="text-align: justify; ">Also read:</p>
<ul>
<li><a class="external-link" href="http://www.newindianexpress.com/nation/2016/dec/02/narendra-modi-app-hacked-by-youngster-points-out-risk-to-7-million-users-data-1544933--1.html">Narendra Modi app hacked by youngster, points out risk to 7 million users’ data</a> (New Indian Express; December 2, 2016)</li>
<li><a class="external-link" href="http://indiatoday.intoday.in/story/security-22-year-old-hacks-modi-app-private-data-7-million/1/825661.html">Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people</a> (India Today; December 2, 2016)</li>
<li><a class="external-link" href="http://thewire.in/84148/tech-security-namo-api/">The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse</a> (The Wire; December 3, 2016)</li>
</ul>
No publisher | pranesh | Privacy, Security, Internet Governance, Data Protection, Cyber Security, Hacking, Mobile Apps, Data Management | 2016-12-04T19:08:56Z | Blog Entry
The thrill of saving India from cybercrime
http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime
<b>Geeks seize the chance to help the government, defence forces and banks draw up fences against tech crimes.</b>
<p class="body" style="text-align: justify; ">The <a class="external-link" href="http://www.thehindu.com/business/Industry/the-thrill-of-saving-india-from-cybercrime/article9367640.ece">article by Peerzada Abrar was published in the Hindu</a> on November 20, 2016.</p>
<hr />
<p class="body" style="text-align: justify; ">Saket Modi loves long flights. The 26-year-old hacker likes to do most of his reasoning while criss-crossing the world. It was on one such flight from the United States to India that the co-founder of cybersecurity start-up Lucideus Tech read about India's largest data security breaches. While surfing the in-flight Internet he came to know that the security of about 3.2 million debit cards had been compromised.</p>
<p class="body" style="text-align: justify; ">“I was not surprised but I started thinking about how it would have happened. What was the ‘exploit’ used, how long was it there,” said Mr. Modi. Soon after reaching New Delhi, he received multiple requests from several banks and organisations to protect them from the hacking incident, which is just one of the thousands of cybercrimes that the country is facing.</p>
<p class="body" style="text-align: justify; ">In India, there has been a surge of approximately 350 per cent of cybercrime cases registered under the Information Technology (IT) Act, 2000 from the year of 2011 to 2014, according to a joint study by The Associated Chambers of Commerce and Industry of India and consulting firm PricewaterhouseCoopers. The Indian Computer Emergency Response Team (CERT-In) has also reported a surge in the number of incidents handled by it, with close to 50,000 security incidents in 2015, noted the Assocham-PwC joint study.</p>
<p style="text-align: justify; "><b>Ethical hackers</b></p>
<p class="body" style="text-align: justify; ">Mr. Modi is among a new breed of ethical hackers-turned-entrepreneurs who are betting big on this opportunity. An ethical hacker is a computer expert who hacks into a computer network on the behalf of its owner in order to test or evaluate its security, rather than with malicious or criminal intent.</p>
<p class="body" style="text-align: justify; ">“You cannot live in a world where you think that you can't be hacked. It doesn’t matter who you are,” said Mr. Modi who cofounded Lucideus four years ago. The company clocked revenues of Rs.4 crore in the last fiscal. This compares with the Rs.2.5 lakh revenues in the first year. The New Delhi-based firm now counts Reserve Bank of India, Ministry of Defence and Standard Chartered among its top clients.</p>
<p class="body" style="text-align: justify; ">Mr. Modi, who is also a pianist, discovered his skills for hacking into secure computer systems while preparing for his board exams. He hacked into his school computer and stole the chemistry question paper, after realising that he would not be able to clear the test conducted by his school. However, a guilty conscience compelled him to confess to his teacher who permitted him to still take the test. The incident transformed him to use his skills to protect and not misuse them. This year, Lucideus was hired by National Payments Corporation of India (NPCI) along with other information security specialists to protect its most ambitious project, the Unified Payment Interface (UPI) platform, from cyber attacks. UPI aims to bring digital banking to 1.2 billion people in the country. Lucideus has a team of 70 people mostly fresh college graduates who do hacking with authorisation.</p>
<p class="body" style="text-align: justify; ">“The reason behind choosing Lucideus was their young, energetic and knowledgeable team,” said Bhavesh Lakhani, chief technology officer of DSP BlackRock, one of the premier asset management companies. Mr. Lakhani said that India is currently the epicentre of financial and technological advancements which make it a probable target of cyber-attacks.</p>
<p style="text-align: justify; "><b>Hacking lifeline</b></p>
<p class="body" style="text-align: justify; ">Indeed, a new breed of cyber criminals has emerged, whose main aim is not just financial gains but also cause disruption and chaos to businesses in particular and the nation at large, according to the Assocham-PwC study. Attackers can gain control of vital systems such as nuclear plants, railways, transportation and hospitals. This can subsequently lead to dire consequences such as power failures, water pollution or floods, disruption of transportation systems and loss of life, noted the study.</p>
<p class="body" style="text-align: justify; ">“The hacker doesn’t care whether he is attacking an Indian or a U.S. company. It is bread and butter for him and he wants to eat it wherever he gets it from,” said Trishneet Arora, a 22-year-old ethical hacker. In an office tucked away in Mohali, a commercial hub lying adjacent to the city of Chandigarh in Punjab, Mr. Arora fights these cyberattacks on a daily basis to protect his clients. His start-up TAC Security provides an emergency service to customers who have been hacked or are anticipating a cyberattack. It alerted a hospital in the U.S. after detecting vulnerabilities in their computer network.</p>
<p class="body" style="text-align: justify; ">Mr. Arora said that the hackers could have easily shut down the intensive care unit which was connected to it and remotely killed the patients. TAC said the data server of a bank in the UAE containing critical information got hacked recently. The bank also lost access to the server. TAC said that it not only helped the organisation to get back access to the server but also traced the hacker’s identity.</p>
<p class="body" style="text-align: justify; ">A school dropout, Mr. Arora founded TAC three years ago. But he initially found it tough to convince enterprises about his special skills. “I was a backbencher in the classroom and not good in studies, but I loved playing video games and hacking,” he said. He conducted workshops on hacking and provided his expertise to law enforcement agencies such as the Central Bureau of Investigation and various State police departments. His firm now provides its services to customers such as Reliance Industries, dairy brand Amul and tractor manufacturer Sonalika.</p>
<p class="body" style="text-align: justify; ">“We were surprised by their expertise,” said R.S. Sodhi, managing director of Amul. “We wanted to be sure that the company’s vital IT infrastructure is in the right hands – the big question was, ‘Who can that be?’ In TAC, we found that team.”</p>
<p class="body" style="text-align: justify; ">TAC expects to cross revenues of $5 million (Rs.33 crore) and employ about 100 ethical hackers by next year.</p>
<p style="text-align: justify; "><b>Budget woes</b></p>
<p class="body" style="text-align: justify; ">Security watchers such as Sunil Abraham, executive director of Bengaluru-based think tank Centre for Internet and Society, said that India’s cybersecurity budget is woefully inadequate when compared to the spending by other countries. In 2014-15, the government doubled its cybersecurity budget by earmarking Rs.116 crore. “We require a budget of $1 billion per annum or every two years to build the cybersecurity infrastructure. The current cyber security policy has no such budget,” said Mr. Abraham.</p>
<p class="body" style="text-align: justify; ">According to Data Security Council of India (DSCI), India's cybersecurity market is expected to grow nine-fold to $35 billion by 2025, from about $4 billion. This would mainly be driven by an ecosystem to promote the growth of indigenous security product and services start-up companies.</p>
<p class="body" style="text-align: justify; ">The Cyber Security Task Force (CSTF) set up by DSCI and industry body Nasscom expects to create a trained base of one million certified and skilled cybersecurity professionals. It also aims to build more than 100 successful security product companies from India. Investors who normally focus on e-commerce ventures or public markets are now taking note of this opportunity and are betting on such ventures. Amit Choudhary, director, MotilalOswal Private Equity and an investor in Lucideus, said he saw tremendous opportunity in the cybersecurity market as hackers are shifting their focus from developed countries to emerging countries like India.</p>
<p class="body" style="text-align: justify; ">“There is a huge opportunity. The recent security breaches of a few Indian banks are an example,” said Vijay Kedia, an ace stock picker and an investor in TAC Security. He said that organisations are still unaware of the widespread damage that can be caused by hackers. “The next war will be a ‘cyberwar’,” he said.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime'>http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime</a>
</p>
No publisher; praskrishna; Cyber Security, Internet Governance, IT Act; 2016-11-21T02:42:48Z; News Item
CERT-In's Proactive Mandate - A Report on the Indian Computer Emergency Response Team’s Proactive Mandate in the Indian Cyber Security Ecosystem
http://editors.cis-india.org/internet-governance/blog/cert-ins-proactive-mandate-a-report-on-indian-computer-emergency-response-teams-proactive-mandate-in-indian-cyber-security-ecosystem
<b>CERT-In’s proactive mandate is defined in the IT Act, 2000 as well as in the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Function and Duties) Rules, 2013 (CERT-In Rules, 2013), both of which postdate the existence of the organisation itself, which has been operational since 2004. </b>
<p style="text-align: justify; ">Regarding the proactive mandate, the IT Act and CERT-In Rules include the following areas where CERT-In is required to carry out proactive measures in the interests of cyber security:</p>
<ol>
<li>Forecast and alert cyber security incidents (IT Act, 2000) & Predict and prevent cyber security incidents (CERT-In Rules, 2013)</li>
<li>Issue guidelines, advisories and vulnerability notes etc. relating to information security practices, procedures, prevention, response and reporting (IT Act, 2000)</li>
<li>Information Security Assurance (CERT-In Rules, 2013)</li>
</ol>
<p style="text-align: justify; ">This article will track and analyse the CERT-In’s operations in each of these areas over the past twelve years, by analysing the information available on CERT-In’s website as well as other media in the public domain.</p>
<p style="text-align: justify; ">The analysis will be carried out using a mixed methodology. The basic quantitative analysis of the information available on CERT-In’s website will be carried out in the form of simple comparatives of updates, bulletins and other forms of publicly available interaction and critical information dispersal on CERT-In’s website. The qualitative sections, on the other hand, will contain a comparative analysis of the content present in the technical documents of CERT-In with the equivalent documentation (where present) of similar bodies in the USA and EU. Each section will then illustrate normative suggestions as to how CERT-In’s performance of that respective obligation can be improved to better serve its cyber security mandate.</p>
<hr />
<p style="text-align: justify; "><b><a class="external-link" href="http://cis-india.org/internet-governance/files/cert-ins-proactive-mandate.pdf">Read the full article</a></b></p>
<p style="text-align: justify; "><i>The image is published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document</i>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cert-ins-proactive-mandate-a-report-on-indian-computer-emergency-response-teams-proactive-mandate-in-indian-cyber-security-ecosystem'>http://editors.cis-india.org/internet-governance/blog/cert-ins-proactive-mandate-a-report-on-indian-computer-emergency-response-teams-proactive-mandate-in-indian-cyber-security-ecosystem</a>
</p>
No publisher; tiwari; Cyber Security, Internet Governance; 2016-11-19T04:14:51Z; Blog Entry
How Long Have Banks Known About The Debit Card Fraud?
http://editors.cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud
<b>The recent security breach in an Indian payment switch provider, confirmed earlier this week by the National Payments Corporation of India Ltd (NPCIL), has forced domestic banks into damage control mode over the past few days.</b>
<p>The article was <a class="external-link" href="http://www.bloombergquint.com/opinion/2016/10/21/how-long-have-banks-known-about-the-debit-card-fraud">published by Bloomberg</a> on October 22, 2016.</p>
<hr />
<p style="text-align: justify; ">The breach was detected when various customers began to lodge complaints with their banks about unauthorised transactions on their accounts, which upon investigation were said to originate from a foreign location such as China. The security breach has actively affected at least 641 customers to the tune of Rs 1.8 crore, with lakhs more being affected by the pro-active measures (including card revocation) being taken by banks to prevent further financial losses.</p>
<p style="text-align: justify; ">Surprisingly little is known, however, about the nature of the attack responsible for the breach, the extent or scope of damage it has caused and the sufficiency of the countermeasures being initiated by the banks against the attacks. This article will talk about these aspects of the attack and also suggest normative measures that can be carried out to minimize harm and prevent such attacks in the future.</p>
<h3 style="text-align: justify; ">The Modus Operandi</h3>
<p style="text-align: justify; ">According to reports, the compromise may have happened at the level of Hitachi Payment Services, a payment services provider that operates, among other financial services, ATMs for a variety of banks across the country. One or more ATMs were apparently compromised by malware, which then infected the payment services provider's network, giving the malware a far larger potential target area than just the physical ATMs. The malware could have reached the payment switch provider by being physically uploaded onto vulnerable ATMs, which are known to run outdated embedded operating systems with various documented loopholes that are rarely patched. The malware then could have recorded the details of the cards used on the infected ATMs (or even in the network generally) and then, via the same compromised network, transmitted confidential details, including ATM PINs and CVV numbers, to the operators of the malware.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Malware.jpg/@@images/13c6e6b2-e9be-4056-bd2d-ad540cff88dc.jpeg" alt="Malware" class="image-inline" title="Malware" /></p>
<p style="text-align: justify; ">The attack could have also occurred from some other vulnerable part of the payment network, such as a payment switch within the bank itself, making it far more dangerous, as it may still be active on parts of the network within the bank and would have access to a far wider range & variety of information than a mere ATM. There is no real way to know if the threat has even been contained, let alone neutralised, as the audits being carried out by PCI-DSS authorised agencies have been on-going for the past month and their reports are not due for at least another 15 days, as intimated by NPCIL.</p>
<h3 style="text-align: justify; ">Massive Financial Implications</h3>
<table class="invisible">
<tbody>
<tr>
<th>
<p><img src="http://editors.cis-india.org/home-images/Bank.png/@@images/5a9bda35-ccdc-4895-a841-609c4c7c0958.png" alt="Bank" class="image-inline" title="Bank" /></p>
</th>
</tr>
<tr>
<td>Policemen guard the banking hall of a State Bank of India branch in New Delhi. (Photographer: Sondeep Shankar/Bloomberg News) <br /></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The compromise of these details, regardless of the source of the compromise, has massive financial implications. This is because various international services allow debit/credit cards to be used only with the card number, expiry date, name & CVV number. They do not require the use of ATM Pins or an OTP (one time password) sent to a mobile phone for online transactions. In fact, unlike India where the RBI mandates OTPs for debit cards, this CVV based simplified online usage is the standard practice of using ATM Cards digitally in most of the developed world.</p>
<p style="text-align: justify; ">This would mean that merely changing ATM pins, something which SBI alleges less than 7 percent of its customers had done prior to all 6 lakh cards being blocked, would serve as almost no protection if the cards are enabled for international online transactions. The fact that most of the dubious, unauthorised financial transactions are occurring from foreign locations probably demonstrates that it is these kinds of internationally enabled cards that are being targeted for this sort of an attack.</p>
<h3 style="text-align: justify; ">Are Banks Concealing Information?</h3>
<table class="invisible">
<tbody>
<tr>
<th>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy_of_Bank.png/@@images/0f5235cb-4909-4885-b12e-d83bb4202230.png" alt="Bank" class="image-inline" title="Bank" /></p>
</th>
</tr>
<tr>
<td>A customer exits a Yes Bank Ltd. automated teller machine (ATM) in Ahmedabad. (Photographer: Dhiraj Singh/Bloomberg)</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The absence of data/security breach laws in India is being sharply felt, as there has been an abject lack of clarity and information from the banking sector and the government regarding the attack. Over 47 states in the USA and most of the countries in the EU have enacted strict data security breach laws that mandate public intimation & disclosure of key information pertaining to the attack along with detailed containment measures. The presence of such a law in India would have gone a long way in preventing the breach from being kept under wraps for so long (it occurred at the bank level in September, almost a month ago) and also ensured far more vigilant active compliance by corporations & banks with international security standards and best practices. For now, the only true countermeasure to prevent future harm to affected card holders is for all affected cards to be revoked by the banks and new cards issued to affected customers.</p>
<p style="text-align: justify; ">Constant vigilance & comprehensive security audits by banks to detect affected cards, and active protection for customers using financial and identity insurance services such as AllClear ID Plus (used by Sony in the 2011 PlayStation Hack), will go a long way in mitigating the harm of the breach. The banking industry, government & security agencies should all learn from this breach; a combination of new legislation, updated industry practices and consumer awareness is necessary for proactive & reactive actions in the future.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud'>http://editors.cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud</a>
</p>
No publisher; tiwari; Cyber Security, Internet Governance, Privacy; 2016-10-22T08:06:51Z; Blog Entry
The Big Debit Card Breach: Three Things Card Holders Need To Understand
http://editors.cis-india.org/internet-governance/news/bloomberg-alex-mathew-october-20-2016-the-big-debit-card-breach
<b>A total of 32 lakh debit cards across 19 banks could have been compromised on account of a purported fraud, the National Payment Corporation of India said in a statement.</b>
<p style="text-align: justify; ">The article by Alex Mathew was <a class="external-link" href="http://www.bloombergquint.com/business/2016/10/20/indias-biggest-security-breach-32-lakh-debit-cards-across-19-banks-may-have-been-compromised">published by Bloomberg</a> on October 20, 2016. Udbhav Tiwari was quoted.</p>
<hr />
<p style="text-align: justify; ">The issue was brought to light when State Bank of India blocked the debit cards of 6 lakh customers on October 14. This was done after the bank was alerted to a possible fraud by the National Payment Corporation of India, MasterCard and Visa, said Managing Director Rajnish Kumar in a telephonic interview with BloombergQuint.</p>
<p style="text-align: justify; ">In a statement released on Thursday evening, the NPCI clarified that the problem was brought to their attention when they received complaints from a few banks that customers’ cards were used fraudulently, mainly in China and the U.S., while those cardholders were in India.</p>
<p style="text-align: justify; ">“The complaints of fraudulent withdrawal are limited to cards of 19 banks and 641 customers. The total amount involved is Rs 1.3 crore as reported by various affected banks to NPCI,” the payments corporation said.</p>
<div class="story__element__wrapper">
<div class="story__element__image story__element"><figure> <img src="http://editors.cis-india.org/home-images/Card.png" alt="Card" class="image-inline" title="Card" /><br /> </figure></div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p style="text-align: justify; ">SISA Security, a Bengaluru-based company, is currently undertaking a forensic study to identify the extent of the problem and will submit a final report in November.</p>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-blockquote">
<div>
<blockquote>Based on the advisory issued by NPCI and other schemes, it is gathered that banks have advised their customers to change their debit card PIN. In situations where customers could not be contacted, the cards have been blocked and fresh cards are being issued by member banks.</blockquote>
<span class="attribution">NPCI statement</span></div>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p style="text-align: justify; ">State Bank of India has blocked 6 lakh cards, while other banks have sent notifications to customers advising them to change their personal identification numbers.</p>
<h3>How The Breach Could Have Occurred</h3>
<p>The breach that has apparently given hackers access to the PIN codes of several bank customers is likely to be on account of a malware attack. This attack is believed to have originated at an ATM.</p>
<p style="text-align: justify; ">The actual modus operandi of the hackers will only become clear once the forensic audit is released in November, but BloombergQuint spoke to cyber security expert Udbhav Tiwari to find out how the attack could have been orchestrated.</p>
<p style="text-align: justify; ">First, the hacker would have had to gain physical access to an ATM. The malware was then likely injected by connecting a laptop or another special device to a port on the cash disbursing machine, said Tiwari, a consultant at Centre For Internet & Society in Bengaluru.</p>
<p style="text-align: justify; ">Once the malware is injected, it automatically spreads across the network and infects other devices that are not protected against it. In this case, the malware could have infected a payment switch provider’s network.</p>
<p style="text-align: justify; ">A payment switch provider is an entity that facilitates a transaction either from an ATM or an online payment gateway. The service provider decides to whom the request for authorisation will be sent and then transmits the request back to the merchant or the ATM where the transaction originated.</p>
<p style="text-align: justify; ">In this case, one payment switch provider, Hitachi Payment Services, which manages close to 50,000 ATMs across the country, was asked by banks to investigate 30 of its ATMs on account of around 400 suspicious transactions that took place outside India, Managing Director Loney Antony told BloombergQuint in a telephonic interview.</p>
<p>The company had earlier said in a statement that an interim report by the audit agency does not suggest any breach or compromise in its systems.</p>
<h3>The Scale Of The Breach</h3>
<p style="text-align: justify; ">According to a study conducted by NPCI in collaboration with the banks, the number of debit cards that were infected by the malware has been set at 32 lakh. But Tiwari said this number could be higher.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div>
<blockquote>The hypothetical limit to how much the malware can spread is dependent on the vulnerability of the systems, and if one of the payment switch provider’s systems was vulnerable and they still haven’t decided how many systems are vulnerable, it is quite possible that the malware is spreading at this point.</blockquote>
</div>
<p><span class="attribution">Udbhav Tiwari, Consultant, Centre For Internet & Society</span></p>
<h3><span class="attribution">What A Customer Should Do</span></h3>
<p>The first, and most important step a customer should take is to immediately change their debit card PIN, Tiwari pointed out.</p>
<p style="text-align: justify; ">State Bank of India has said that its customers can opt to restrict the usage of their debit cards, for example whether it can be used both internationally and domestically or only domestically. Also, the daily limit of the debit card can be changed.</p>
<p style="text-align: justify; ">Once these steps have been taken, according to Tiwari, it is most important that customers stay vigilant and keep monitoring their bank statements. If an unauthorised transaction takes place, a customer should immediately contact their bank and block their card.</p>
</div>
</div>
</div>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/bloomberg-alex-mathew-october-20-2016-the-big-debit-card-breach'>http://editors.cis-india.org/internet-governance/news/bloomberg-alex-mathew-october-20-2016-the-big-debit-card-breach</a>
</p>
No publisher; praskrishna; Cyber Security, Internet Governance; 2016-10-21T13:43:17Z; News Item
Hakon 2016
http://editors.cis-india.org/internet-governance/news/hakon-2016
<b>Udbhav Tiwari attended Hakon 2016, a conference held between September 30 and October 2, 2016 at Indore, Madhya Pradesh, India, on behalf of CIS under the Hewlett Cyber Security Project. </b>
<p dir="ltr" style="text-align: justify; ">Hakon 2016 was the third edition of the conference which has been organised by Ninja Information Security Systems, an ISO 27001:2013 & 9001:2008 certified training organisation and the primary sponsor of the conference from Indore. The conference was efficiently organised, had about 150 to 200 people attending overall and provided a unique window into the non-tech hub/big city ethical hacker ecosystem and their place within the cyber security setup in India. The agenda of this year's conference was the Underground Digital Black Market & Digital Terrorism, with a fair mix of participants from the industry, academia and the government. The conference website can be looked up at <a href="http://www.hakonindia.org/">http://www.hakonindia.org/</a> for further details, including a look at past editions of the conference.</p>
<p dir="ltr" style="text-align: justify; ">The technical workshops held during the first two days of the conference were well organised, and networking with the teachers during and mostly at the end of the conference was very helpful in understanding a practitioner's perspective on cutting edge aspects of cyber security. This was particularly true for <a class="external-link" href="http://www.chuckeasttom.com/">Chuck Easttom Williams</a>, an accomplished cyber security expert from the USA who regularly trains government agencies and is a fairly reputed industry veteran who has been an invited speaker at DEFCON and even has a couple of patents to his name.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/hakon-2016'>http://editors.cis-india.org/internet-governance/news/hakon-2016</a>
</p>
No publisher; praskrishna; Cyber Security, Internet Governance; 2016-10-15T10:04:41Z; News Item
National Cyber Defence Summit 2016
http://editors.cis-india.org/internet-governance/news/national-cyber-defence-summit-2016
<b>National Cyber Defence Summit – 2016 was organized by the National Cyber Safety and Security Standards in association with State & Central Governments, Ministry of Defence, Government of India, AICTE & Anna University on 30 September and 1 October 2016 in Chennai. Vanya Rakesh attended the summit.</b>
<p style="text-align: justify; ">The Summit focused on multiple issues linked with the current use of cyberspace by the various stakeholders and on creating awareness of the responsibility associated with the judicious use of this significant and powerful tool, without endangering the fragile security and social framework. The mission of the Summit is to establish a multi-stakeholder consortium that brings together Industry, Government, and Academic interests in an effort to improve the state of Cyber Security on both a domestic and international level.<br /><br />In fact this is the one and only High Level Summit which gathers the presence of Multi-Stakeholders from State/Central Governments, Defence, MNCs, PSUs, Academics, PSBs, Intelligence Agencies, Enforcement Agencies, etc. For more info see the website <a class="external-link" href="http://ncdrc.res.in/summit/">here</a>. Agenda can be <a class="external-link" href="http://www.ncdrc.res.in/summit/docs/national-cyber-defence-summit-invitation.pdf">viewed here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/national-cyber-defence-summit-2016'>http://editors.cis-india.org/internet-governance/news/national-cyber-defence-summit-2016</a>
</p>
No publisher; praskrishna; Cyber Security, Internet Governance; 2016-10-10T12:54:29Z; News Item
Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No
http://editors.cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks
<b>From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.</b>
<p style="text-align: justify; ">The article by Sushil Kambampati was <a class="external-link" href="http://thewire.in/67398/india-is-unprepared-for-future-cyber-attacks/">published in the Wire</a> on September 21, 2016. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.</p>
<p style="text-align: justify; "><span>However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On </span><span>May 17, the cyber-security firm Symantec </span><a href="http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" rel="external nofollow" target="_blank" title="stated"><span>stated</span></a><span> in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.</span></p>
<p style="text-align: justify; "><span>A week later, another cyber-security firm, Kaspersky Lab, </span><a href="http://www.kaspersky.co.in/about/news/virus/2016/Danti-and-Co" rel="external nofollow" target="_blank" title="announced"><span>announced</span></a><span> that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities. </span></p>
<p style="text-align: justify; "><span>Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators </span><a href="http://arstechnica.com/security/2016/04/how-hacking-team-got-hacked-phineas-phisher/" rel="external nofollow" target="_blank" title="reveal"><span>reveal</span></a><span> the attack, the target of the attack </span><a href="http://www.forbes.com/sites/davelewis/2014/10/14/sears-owned-kmart-discloses-data-breach/#3755df43540d" rel="external nofollow" target="_blank" title="discloses"><span>discloses</span></a><span> the breach, or because the leaked data </span><a href="https://www.washingtonpost.com/news/the-intersect/wp/2015/08/19/how-to-see-if-you-or-your-spouse-appear-in-the-ashley-madison-leak/" rel="external nofollow" target="_blank" title="shows"><span>shows</span></a><span> up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations </span><a href="http://tech.firstpost.com/biztech/cyberespionage-group-suckfly-targeted-indian-govt-e-commerce-organisations-symantec-315538.html" rel="external nofollow" target="_blank" title="received"><span>received</span></a><span> tepid </span><a href="http://timesofindia.indiatimes.com/tech/tech-news/Cyber-spy-group-Suckfly-to-continue-targeting-Indian-government-Symantec/articleshow/52326126.cms" rel="external nofollow" target="_blank" title="coverage"><span>coverage</span></a><span> in India. 
A few news organisations </span><a href="http://www.hindustantimes.com/tech/cyber-spy-group-suckfly-to-keep-targeting-indian-government-symantec/story-F50rNLT2zYhkG90o7DGKaN.html" rel="external nofollow" target="_blank" title="published"><span>published</span></a><span> the same wire </span><a href="http://economictimes.indiatimes.com/tech/ites/government-units-top-it-firm-among-cyber-espionage-targetssymantec/articleshow/52312952.cms" rel="external nofollow" target="_blank" title="story"><span>story</span></a><span> that basically </span><a href="http://tech.firstpost.com/biztech/kaspersky-reports-cyber-espionage-attacks-on-indian-government-in-2016-317107.html" rel="external nofollow" target="_blank" title="rewrote"><span>rewrote</span></a><span> information in the original posts, but there was very little follow-up investigation to determine the targets or analysis to gauge how much damage the leaks could cause. </span></p>
<p style="text-align: justify; "><span>Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.</span></p>
<p style="text-align: justify; "><span>This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government </span><a href="http://zeenews.india.com/news/gujarat-on-high-alert-after-intelligence-input-on-infiltration-of-terrorists_1862830.html" rel="external nofollow" target="_blank" title="goes"><span>goes</span></a><span> on high alert, resources are </span><a href="http://timesofindia.indiatimes.com/india/Additional-BSF-battalion-on-Pakistan-border-to-avert-infiltration/articleshow/42081166.cms" rel="external nofollow" target="_blank" title="mobilised"><span>mobilised</span></a><span> and the public is </span><a href="http://timesofindia.indiatimes.com/city/ahmedabad/IB-warns-Gujarat-about-possible-infiltration-bid-at-Kutch/articleshow/50495655.cms" rel="external nofollow" target="_blank" title="warned"><span>warned</span></a><span>. The government then tries to identify the threat and stop it from doing any harm. Citizens </span><a href="http://idsa.in/idsacomments/IndiasCounterTerrorismPoliciesareMiredinSystemicWeaknesses_gkanwal_140512" rel="external nofollow" target="_blank" title="demand"><span>demand</span></a><span> that in the future the government take proactive steps to catch infiltrators and prevent any future threats.</span></p>
<p style="text-align: justify; "><b>Weak government response</b></p>
<p style="text-align: justify; "><span>One method that Suckfly uses to gain access, according to Symantec, is by signing its malware with stolen digital certificates. This is the same method that was </span><a href="http://bits.blogs.nytimes.com/2015/10/14/deadline-to-disclose-data-breaches-raises-concerns-in-europe/" rel="external nofollow" target="_blank" title="used"><span>used</span></a><span> to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm of these breaches should not be understated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange. </span></p>
<p style="text-align: justify; "><span>All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values. </span></p>
<p style="text-align: justify; "><span>Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, </span><a href="http://www.idsa.in/system/files/book/book_indiacybersecurity.pdf" rel="external nofollow" target="_blank" title="disrupt"><span>disrupt</span></a><span> control systems of electrical grids or nuclear facilities and gain access to everything the government </span><a href="https://incometaxindiaefiling.gov.in/e-Filing/Services/KnowYourPanLink.html" rel="external nofollow" target="_blank" title="knows"><span>knows</span></a><span> about its citizens, including personal details, financial information and </span><a href="https://uidai.gov.in/beta/enrolment-update/aadhaar-enrolment.html" rel="external nofollow" target="_blank" title="identity information"><span>identity information</span></a><span>. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent </span><a href="http://gizmodo.com/bangladesh-bank-hackers-created-malware-to-target-the-g-1772834299" rel="external nofollow" target="_blank" title="attempt"><span>attempt</span></a><span> to heist $800 million from the central bank of Bangladesh.</span></p>
<p style="text-align: justify; "><span>A report on risks facing India, </span><a href="https://home.kpmg.com/in/en/home/insights/2016/08/de-risking-india-in-the-new-age-of-technology.html" rel="external nofollow" target="_blank" title="published"><span>published</span></a><span> in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.” </span></p>
<p style="text-align: justify; "><span>In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.</span></p>
<p style="text-align: justify; "><span><img src="http://editors.cis-india.org/home-images/copy_of_Network.jpg" alt="Network" class="image-inline" title="Network" /></span></p>
<p style="text-align: justify; "><span>In the Suckfly case, it took a right-to-information </span><a href="https://yourti.in/document/gu9wgny7" rel="external nofollow" target="_blank" title="query"><span>query</span></a><span> from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.</span></p>
<p style="text-align: justify; "><span>The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s </span><a href="http://www.cert-in.org.in" rel="external nofollow" target="_blank" title="Computer Emergency Response Team"><span>Computer Emergency Response Team</span></a><span> (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.</span></p>
<p style="text-align: justify; "><span>CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact e-mail addresses bounce back. While it laudably posts its e-mail encryption hash on its contact page, one of the identifiers does not match what is </span><a href="http://pgp.mit.edu/pks/lookup?search=cert-in.org.in&op=index" rel="external nofollow" target="_blank" title="registered"><span>registered</span></a><span> in the public KeyStores (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative. </span></p>
<p style="text-align: justify; "><span>The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore, that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory that a bank notify the RBI whenever there is a security breach. The RBI did just that in a notification </span><a href="https://rbidocs.rbi.org.in/rdocs/notification/PDFs/LBS300411F.pdf" rel="external nofollow" target="_blank" title="issued"><span>issued</span></a><span> on </span><span>June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance, the RBI has not made any statements about whether financial institutions under its supervision are secure. It took an </span><a href="https://yourti.in/document/ien8cd4r" rel="external nofollow" target="_blank" title="RTI query "><span>RTI query </span></a><span>to get a statement from the RBI, and there it responded that it had no information on the matter. </span></p>
<p style="text-align: justify; "><span>The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of the breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its mantle to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack. </span></p>
<p style="text-align: justify; "><span>SEBI also </span><a href="about:blank" target="_blank"><span>issued</span></a><span> a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that seems like too much time for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.</span></p>
<p style="text-align: justify; "><span>What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.</span></p>
<p style="text-align: justify; "><b>Right or wrong?</b></p>
<p style="text-align: justify; "><span>The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec. </span></p>
<p style="text-align: justify; "><span>On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach. </span></p>
<p style="text-align: justify; "><span>If Symantec is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India </span><a href="http://money.cnn.com/news/economy/world_economies_gdp/index.html" rel="external nofollow" target="_blank" title="is one"><span>is one</span></a><span> of the world’s ten largest economies and instability here would have ripple effects globally. Then there is the potential of catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and let the public know which organisations may be compromised.</span></p>
<p style="text-align: justify; "><span>According to Pranesh Prakash, Policy Director at the Centre for Internet and Society, and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”</span></p>
<p style="text-align: justify; "><span>Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know. </span></p>
<p style="text-align: justify; "><span>What other governments and private companies are belatedly learning is that it is better to proactively disclose the breaches before the information gets out through other parties. When US retailer Target came under attack, its data breach was first </span><a href="http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/" rel="external nofollow" target="_blank" title="revealed"><span>revealed</span></a><span> by security reporter Michael Krebs. Target was </span><a href="http://mashable.com/2014/01/17/retailers-security-breach-timing/#XN.TRtygnEqf" rel="external nofollow" target="_blank" title="criticised"><span>criticised</span></a><span> for not coming forth itself and </span><a href="https://topclassactions.com/lawsuit-settlements/lawsuit-news/32647-target-data-breach-class-action-lawsuit-trial-set-april-2016/" rel="external nofollow" target="_blank" title="faced"><span>faced</span></a><span> several lawsuits. In the US, most states and jurisdictions </span><a href="http://www.reuters.com/article/us-target-data-notification-idUSBREA0F1LO20140116" rel="external nofollow" target="_blank" title="have"><span>have</span></a><span> laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation on how long companies can wait to disclose and what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must </span><a href="http://bits.blogs.nytimes.com/2015/10/14/deadline-to-disclose-data-breaches-raises-concerns-in-europe/" rel="external nofollow" target="_blank" title="report"><span>report</span></a><span> a breach within 24 hours and other organisations have 72 hours.</span></p>
<p style="text-align: justify; "><span>India has no mandatory disclosure law in the case of data breaches at government or private organisations, Prakash said. It is something that CIS supports and had proposed since 2011, he added. </span></p>
<p style="text-align: justify; "><span>According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.</span></p>
<p style="text-align: justify; "><span>Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has </span><a href="http://www.assocham.org/newsdetail.php?id=5669" rel="external nofollow" target="_blank" title="grown"><span>grown</span></a><span> rapidly in India, a study in 2014 by <i>YourStory</i> and Kalaari Capital </span><a href="http://yourstory.com/2014/06/infographic-indian-e-commerce-consumers-want-2014/" rel="external nofollow" target="_blank" title="found"><span>found</span></a><span> that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase. </span></p>
<p style="text-align: justify; "><span>When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example, if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach, they would also be able to alert credit card companies as well as friends and family.</span></p>
<p style="text-align: justify; "><span>As the KPMG report states, cyber attacks are only going to become more common. Despite </span><a href="http://thediplomat.com/2014/06/india-scrambles-on-cyber-security/" rel="external nofollow" target="_blank" title="multiple"><span>multiple</span></a> <a href="http://www.firstpost.com/business/danger-india-faces-shortage-lakh-cyber-security-pros-2482958.html" rel="external nofollow" target="_blank" title="warnings"><span>warnings</span></a><span>, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks'>http://editors.cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance | 2016-09-22T00:57:02Z | News Item
CYFY 2016 - The India Conference on Cyber Security and Internet Governance
http://editors.cis-india.org/internet-governance/news/cyfy-2016-the-india-conference-on-cyber-security-and-internet-governance-4th-edition
<b>Sunil Abraham will participate as a panelist at CYFY 2016 event organized by Observer Research Foundation in New Delhi from September 28 to 30, 2016. </b>
<p style="text-align: justify; ">Into its fourth edition this year, CyFy: The India Conference on Cyber Security and Internet Governance has emerged as a global platform to discuss, debate and deliver digital policy solutions. CyFy 2015 featured nearly 110 participants from over 33 countries, with nearly 800 delegates in attendance. Prominently, the conference sessions featured several experts from Africa and the Asia Pacific, who addressed the policy priority of connecting the next billion. The 2016 iteration of CyFy will highlight the political, economic and strategic questions that underpin this imperative.</p>
<p style="text-align: justify; "><a class="external-link" href="http://cis-india.org/internet-governance/files/cyfy-2016-agenda/view">Download the Agenda </a></p>
<hr />
<p style="text-align: justify; ">See the announcement on <a class="external-link" href="http://cyfy.org/">CYFY website</a> or write to Samir Saran at <a class="mail-link" href="mailto:ssaran@orfonline.org?subject=CyFy 2016">ssaran@orfonline.org</a> or Arun at <a class="mail-link" href="mailto:arun.sukumar@orfonline.org?subject=CyFy 2016">arun.sukumar@orfonline.org</a> for more details on the conference.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/cyfy-2016-the-india-conference-on-cyber-security-and-internet-governance-4th-edition'>http://editors.cis-india.org/internet-governance/news/cyfy-2016-the-india-conference-on-cyber-security-and-internet-governance-4th-edition</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance | 2016-09-13T15:23:59Z | News Item
Cyber Security of Smart Grids in India
http://editors.cis-india.org/internet-governance/blog/dataquest-april-25-2016-vanya-rakesh-and-elonnai-hickok-cyber-security-of-smart-grids-in-india
<b>An integral component of the ambitious flagship programme of the Indian Government, Digital India, which paves the way for a digital data avalanche in the country, is a well-designed digital infrastructure ensuring high connectivity and integration of services, the potential areas being smart cities, smart homes, smart energy and smart grids, to list a few. Likewise, the 100 Smart Cities Mission envisions changing the face of urbanization in India, to manage the exponential growth of population in the cities by creating smart cities with ICT driven solutions, along with big data analytics. Smart grid technologies are key for both these schemes.</b>
<p>The article by Elonnai Hickok and Vanya Rakesh was published by <a class="external-link" href="http://www.dqindia.com/cyber-security-of-smart-grids-in-india/">Dataquest</a> on April 25, 2016</p>
<hr />
<p style="text-align: justify; ">A smart grid is a promising power delivery infrastructure integrated with communication and information technologies, which enables monitoring, prediction and management of energy usage. Establishment of smart grids becomes highly important for the Indian economy, as the present grid losses are among the highest in the world at up to 50%, costing India up to 1.5% of its GDP. India operates one of the largest synchronous grids in the world – covering an area of over 3 million sq km, 260 GW capacity and over 200 million customers, with the estimated demand of India increasing 4 times by the year 2032.</p>
<p style="text-align: justify; ">In the year 2013, the Ministry of Power (MoP), in consultation with India Smart Grid Forum and India Smart Grid Task Force released a smart grid vision and roadmap for India, a key policy document aligned to MoP’s overarching objectives of “Access, Availability and Affordability of Power for All”. It lays plans for a framework to address cyber security concerns in smart grids as well. To achieve goals envisaged in the roadmap, the Government of India established the National Smart Grid Mission in the year 2015 for planning, monitoring and implementation of policies and programs related to Smart Grid activities.</p>
<p style="text-align: justify; ">A number of smart grid projects have been introduced, and are currently underway. KEPCO in Kerala has established smart meter/intelligent power transmission and distribution equipment system in the year 2011 and the smart grid operations focus on peak reduction, load standardization, reduction in power transmission/distribution loss, response to new/renewable energy and reduction in black-out time. Gujarat was introduced to India’s first modernized electrical grid in the year 2014, to study consumer behaviour of electricity usage and propose a tariff structure based on usage and load on the power utility by installing new meters embedded with SIM card to monitor the data. The Bangalore Electricity Supply Company Ltd. (BESCOM) project in Bangalore envisaged the Smart Grid Pilot Project for integration of renewable and distributed energy resources into the grid, which is vital to meet growing electricity demands of the country, curb power losses, and enhance accessibility to quality power.</p>
<h3 style="text-align: justify; ">Cybersecurity challenges</h3>
<p style="text-align: justify; ">At the same time, the introduction of a smart grid brings with it certain security risks and concerns, particularly to a nation’s cyber security. Increased interconnection and integration may render the grids vulnerable to cyber threats, putting stored data and computers at great risk. With sufficient cyber security measures, policies and framework in place, a Smart Grid can be made more efficient, reliable and secure, as failure to address these problems will hinder the modernization of the existing power system. Smart Grids, comprising numerous communication, intelligent, monitoring and electrical elements employed in the power grid, have a greater exposure to cyber-attacks that can potentially disrupt power supply in a city.</p>
<div style="text-align: justify; ">Cyber security and data privacy are some of the key challenges for smart grids in India, as establishment of digital electricity infrastructure entails the challenge of communication security and data management. Digital networks and systems are highly prone to malicious attacks from hackers, which can lead to misuse of consumers’ data, making cyber security the key issue to be addressed. Vulnerabilities allow an attacker to break a system, corrupt user privacy, acquire unauthorized access to control the software, and modify load conditions to destabilize the grid. Attackers who compromise a smart meter can immediately alter their energy costs or change generated energy meter readings to monetize it with the help of remote PCs. Also, inserting false information could mislead the electric utility into making incorrect decisions about the local usage and capacity.</div>
<h3 style="text-align: justify; ">Initiatives in India</h3>
<div style="text-align: justify; ">As cybersecurity is critical for Digital India and the Smart City Concept note highlights a smart grid to be resilient to cyber attacks, a National Cyber Coordination Centre is being established by the Indian Government. Also, National Cyber Safety and Security Standards has been started with a vision to safeguard the nation from the current threats in the cyberspace, undertaking research to understand the nature of cyber threats and Cyber Crimes by facilitating a common platform where experts shall provide an effective solution for the complex and alarming problems in the society towards cyber security domain. Innovative strategies and compliance procedures are being developed to curb the increasing complexity of the Global Cyber Threats faced by countries at large.</div>
<p style="text-align: justify; ">The National Cyber Security Policy 2013 was released with an umbrella framework for providing guidance for actions related to security of cyberspace, by the Department of Electronics and Information Technology (DeitY). The Working Group on Information Technology established under the Planning Commission has also published a 12 year plan on IT development in India with a road map for cyber security, stating six key priority and focus areas for cyber security including: Enabling Legal Framework; Security Policy, Compliance and Assurance; Security R&D; Security Incident – Early Warning and Response; Security awareness, skill development and training; and Collaboration.</p>
<p style="text-align: justify; ">In case of Bangalore, to ensure smooth implementation of BESCOM’s vision, the company realised the need to put a cyber-security system in place to protect the smart grid installations in Bangalore city. To ensure security, BESCOM has come out with a separate IT security policy and dedicated trained IT cadre to safeguard its data and servers, becoming one of the few Discoms in India to take such measures for safeguarding the servers and data network from cyber crimes and threats.</p>
<h3 style="text-align: justify; ">Way forward</h3>
<p style="text-align: justify; ">An electric system like Smart grids has enormous and far-reaching economic and social benefits. However, increased interconnection and integration tends to introduce cyber-vulnerabilities into the grid. With the evolution of cyber threats/attacks over time, it can be said that there are a lot of challenges for implementing cyber security in Indian smart grid. Considering importance of secure smart grid networks for flagship projects in India, the existing regulatory framework does not seem to adequately take into consideration the cyber security implications.</p>
<p style="text-align: justify; ">In light of this, the government must aim to develop and adopt high level cybersecurity policy to withstand cyber-attacks. Also, India must focus on skills development in this domain and have a capable workforce to achieve the targets set by the Indian Government. The country must look to develop an overall intelligence framework that brings together industry, governments and individuals with specific capabilities for this purpose.</p>
<p style="text-align: justify; ">The National Cyber Security Policy 2013, protecting public and private infrastructure from cyber attacks, along with all kinds of information, such as personal information of web users, banking and financial information, etc., is yet to be implemented by the Government properly. In the Indian power sector, cyber security regulations or mandates are absent in the National Electricity Policy (NEP) as well as the Electricity Act 2003 and its amendment in 2007, with no reference to cyber security concerns. These key legislations must be amended to take into account the growing challenges due to increased use of ICT in the power sector.</p>
<div style="text-align: justify; ">As the concept of smart grids is still evolving in India, professional intervention from various domains has pushed for adoption and development of standard process and products. Many international standard setting organisations like IEC, IEEE, NIST, CENELEC are engaged in standardization activities of Smart Grids and in India, the Bureau of Indian Standards (BIS) has been rolling out several varieties of standards targeting various technologies. Therefore, BIS must develop standards taking into account the security challenges in the cyberspace as well.</div>
<p style="text-align: justify; ">Apart from policy and regulatory measures, the system on which the smart grids are built and networked must be made architecturally strong and secure. One of the areas where due attention is required is making the Supervisory Control and Data Acquisition (SCADA) secure, a system that operates with coded signals to provide control of remote equipment and is entirely based on computer systems and network. Numerous systems also employ the Public Key Infrastructure (PKI) to secure the Smart Grids and address the security challenges by enabling identification, verification, validation and authentication of connected meters for network access. This can be leveraged for securing data integrity, revenue streams and service continuity. The key vulnerable areas prone to cyber attacks on information transmission are network information, data integrity and privacy of information. The information transmission networks must be well-designed as the network unavailability may result in the loss of real-time monitoring of critical smart grid infrastructures and power system disasters.</p>
<p style="text-align: justify; ">Addressing these fast growing challenges and cyber security needs of the country by adopting suitable regulatory, policy and architectural steps would help achieve the objectives of Digital India and Smart Cities enabling “Access, Availability and Affordability for All”.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/dataquest-april-25-2016-vanya-rakesh-and-elonnai-hickok-cyber-security-of-smart-grids-in-india'>http://editors.cis-india.org/internet-governance/blog/dataquest-april-25-2016-vanya-rakesh-and-elonnai-hickok-cyber-security-of-smart-grids-in-india</a>
</p>
No publisher | Elonnai Hickok and Vanya Rakesh | Cyber Security, Internet Governance | 2016-04-28T15:34:17Z | Blog Entry
NASSCOM-DSCI Annual Information Security Summit 2015 - Notes
http://editors.cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes
<b>NASSCOM-DSCI organised the 10th Annual Information Security Summit (AISS) 2015 in Delhi during December 16-17. Sumandro Chattapadhyay participated in this engaging Summit. He shares a collection of his notes and various tweets from the event.</b>
<h2>Details about the Summit</h2>
<p>Event page: <a href="https://www.dsci.in/events/about/2261">https://www.dsci.in/events/about/2261</a>.</p>
<p>Agenda: <a href="https://www.dsci.in/sites/default/files/Agenda-AISS-2015.pdf">https://www.dsci.in/sites/default/files/Agenda-AISS-2015.pdf</a>.</p>
<h2>Notes from the Summit</h2>
<blockquote class="twitter-tweet">
<p dir="ltr">Mr.G.K.Pillai ,Chairman DSCI addressing the audience @ 10th Annual Information Security Summit '15 <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/JVcwct3HSF">pic.twitter.com/JVcwct3HSF</a></p>
— DSCI (@DSCI_Connect) <a href="https://twitter.com/DSCI_Connect/status/676979952277987328">December 16, 2015</a></blockquote>
<p>Mr. G. K. Pillai, Chairman of Data Security Council of India (DSCI), set the tone of the Summit at the very first hour by noting that 1) state and private industries in India are working in silos when it comes to preventing cybercrimes, 2) there is a lot of skill among young technologists and entrepreneurs, and the state and the private sectors are often unaware of this, and 3) there is serious lack of (cyber-)capacity among law enforcement agencies.</p>
<p>In his Inaugural Address, Dr. Arvind Gupta (Deputy National Security Advisor and Secretary, NSCS), provided a detailed overview of the emerging challenges and framework of cybersecurity in India. He focused on the following points:</p>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> Dy NSA Dr Arvind Gupta calls 4 <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> by <a href="https://twitter.com/hashtag/design?src=hash">#design</a> in <a href="https://twitter.com/hashtag/ICT?src=hash">#ICT</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/79kq9lWGtk">pic.twitter.com/79kq9lWGtk</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/676980799347023872">December 16, 2015</a></blockquote>
<ul>
<li>Security is a key problem in the present era of ICTs as it is not in-built. In the upcoming IoT era, security must be built into ICT systems.</li>
<li>Of the next billion additions to the internet population, 50% will be from India. Hence cybersecurity is a big concern for India.</li>
<li>ICTs will play a catalytic role in achieving SDGs. Growth of internet is part of the sustainable development agenda.</li>
<li>We need a broad range of critical security services - big data analytics, identity management, etc.</li>
<li>The e-governance initiatives launched by the Indian government are critically dependent on a safe and secure internet.</li>
<li>Darkweb is a key facilitator of cybercrime. Globally there is a growing concern regarding the security of cyberspace.</li>
<li>On the other hand, there exists a deep divide in access to ICTs, and also in availability of content in local languages.</li>
<li>The Indian government has initiated bilateral cybersecurity dialogues with various countries.</li>
<li>Indian government is contemplating setting up of centres of excellence in cryptography. It has already partnered with NASSCOM to develop cybersecurity guidelines for smart cities.</li>
<li>While India is a large global market for security technology, it also needs to be self-reliant. The Indian private sector should make use of government policies and the bilateral trust enjoyed by India with various developing countries in Africa and South America to develop security technology solutions, create meaningful jobs in India, and export services and software to other developing countries.</li>
<li>Strong research and development, and manufacturing base are absolutely necessary for India to be self-reliant in cybersecurity. DSCI should work with private sector, academia, and government to coordinate and realise this agenda.</li>
<li>Along the lines of the Climate Change Fund, we should create a cybersecurity fund, since it is a global problem.</li>
<li>Silos are our bane in general. Bringing government agencies together is crucial. Trust issues (between government, private sector, and users) remain, and can only be resolved over time.</li>
<li>The demand for cybersecurity solutions in India is so large, that there is space for everyone.</li>
<li>The national cybersecurity centre is being set up.</li>
<li>Thinktanks can play a crucial role in helping the government to develop strategies for global cybersecurity negotiations. Indian negotiators are often capacity constrained.</li></ul>
<p>Rajendra Pawar, Chair of the NASSCOM Cyber Security Task Force, NASSCOM Cybersecurity Initiative, provided glimpses of the emerging business opportunity around cybersecurity in India:</p>
<ul>
<li>In the next 10 years, the IT economy in India will be USD 350 bn, and <a href="https://blogs.dsci.in/building-usd-35-billion-cyber-security-industry-how-do-we-do-it/">10% of that will be the cybersecurity pie</a>. This means a million jobs in the cybersecurity space alone.</li>
<li>Academic institutes are key to creation of new ideas and hence entrepreneurs. Government and private sectors should work closely with academic institutes.
<blockquote class="twitter-tweet">
<p dir="ltr">'Companies+Govt+Academia= High growth of the cybersecurity industry' - Rajendra Pawar at <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a></p>
— Shivangi Nadkarni (@shivanginadkarn) <a href="https://twitter.com/shivanginadkarn/status/676995090955530246">December 16, 2015</a></blockquote>
</li>
<li>Globally, cybersecurity innovation and industries happen in clusters. Cities and states must come forward to create such clusters.</li>
<li>2/3rd of the cybersecurity market is provision of services. This is where India has a great advantage, and should build on that to become a global brand in cybersecurity services.</li>
<li>Everyday digital security literacy and cultures need to be created.</li>
<li>Publication of cybersecurity best practices among private companies is a necessity.
<blockquote class="twitter-tweet">
<p dir="ltr">Corporate disclosures of breaches being considered with Nasscom under cybersec task force: Rajendra Pawar <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> <a href="https://twitter.com/ETtech">@ETtech</a></p>
— Neha Alawadhi (@NehaAlawadhiET) <a href="https://twitter.com/NehaAlawadhiET/status/676994553799417856">December 16, 2015</a></blockquote>
</li>
<li>Dedicated cybersecurity spending should be made part of the e-governance budget of central and state governments.</li>
<li>DSCI should function as a clearing house of cybersecurity case studies. At present, thought leadership in cybersecurity comes from the criminals. By serving as a use case clearing house, DSCI will inform interested researchers about potential challenges for which solutions need to be created.</li></ul>
<p>Manish Tiwary of Microsoft informed the audience that India is in the top 3 positions globally in terms of malware proliferation, and this ensures that India is a big focus for Microsoft in its global war against malware. Microsoft India looks forward to working closely with CERT-In and other government agencies.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">RSA's Kartik Shahani <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> Adopt a Deep & Pervasive Level of True Visibility Everywhere <a href="https://t.co/2U8J8WkWsI">pic.twitter.com/2U8J8WkWsI</a></p>
— Debjani Gupta (@DebjaniGupta1) <a href="https://twitter.com/DebjaniGupta1/status/676999786722156544">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Data localization; one of the stumbling blocks that undermine investments in <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a>. <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/vrff3Amcv0">pic.twitter.com/vrff3Amcv0</a></p>
— Appvigil (@appvigil_co) <a href="https://twitter.com/appvigil_co/status/677043180731301888">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Trust verification 4 embedded devices isnt complex bt much desired as people lives r dependent on that-cld cause physical damage <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677057992831860736">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">"Most compromised OS in 2k15: iOS"-Riyaz Tambe, Palo Alto Networks <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Indira Sen (@drealcharbar) <a href="https://twitter.com/drealcharbar/status/677015382356533249">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Security by default in IOS architecture tho' can't verify code as not open - is it security by obscurity? <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/kbPZgH8oA0">pic.twitter.com/kbPZgH8oA0</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677055086611173376">December 16, 2015</a></blockquote>
<p>The session on <strong>Catching Fraudsters</strong> had two insightful presentations from Dr. Triveni Singh, Additional SP of Special Task Force of UP Police, and Mr. Manoj Kaushik, IAS, Additional Director of FIU.</p>
<p>Dr. Singh noted that a key challenge faced by police today is that nobody comes to them with a case of online fraud. Most fraud businesses are run by young groups operating BPOs that steal details from individuals. There exists a huge black market of financial and personal data - often collected from financial institutions and job search sites. Almost any personal data can be bought in such markets. Further, SIM cards under fake names are very easy to buy. The fraudsters operate effectively using entirely fake identities, and use operational infrastructure outsourced from legitimate vendors under fake names. Without a central database of all bank customers, it is very difficult for the police to track people across the financial sector. It becomes even more difficult for Indian police to get access to personal data of potential fraudsters when it is stored on a foreign server, which is often the case with usual web services and apps. Many Indian ISPs do not keep IP history data systematically, or do not have the technical expertise to share it in a structured and time-sensitive way.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">Mr. Triveni Singh talks about raiding fake call centres in Delhi NCR that scam millions every year <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/EmE4y3jux2">pic.twitter.com/EmE4y3jux2</a></p>
— pradyumn nand (@PradyumnNand) <a href="https://twitter.com/PradyumnNand/status/677063276442738689">December 16, 2015</a></blockquote>
<p>Mr. Kaushik explained that no financial fraud is uniquely committed via the internet. Many frauds begin on the internet but eventually involve physical fraudulent money transactions. Credit/debit card frauds all involve card data theft via various internet-based and physical methods. However, cybercrime continues to be mistakenly seen as fraud undertaken completely online. Further, mobile-based frauds are yet another category. Almost all apps we use are compromised, or store transaction history in an insecure way, which reveals such data to hackers. FIU is targeting bank accounts to which fraud money is going, and closing them down. Catching the people behind these bank accounts is much more difficult, as account loaning has become a common practice - where valid accounts are loaned out for a small amount of money to fraudsters who return the account after taking out the fraudulent money. Better information sharing between the private sector and government will make catching fraudsters easier.</p>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/AkhileshTuteja">@AkhileshTuteja</a> With data overload and big data being prevalent are we considering privacy elements <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/hashtag/KpmgIndiaCyber?src=hash">#KpmgIndiaCyber</a></p>
— Atul Gupta (@AtulGup15843145) <a href="https://twitter.com/AtulGup15843145/status/677082045701488640">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">'Tech solns today designed to protect security - solns for privacy need to evolve'- <a href="https://twitter.com/Mayurakshi_Ray">@Mayurakshi_Ray</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a></p>
— Shivangi Nadkarni (@shivanginadkarn) <a href="https://twitter.com/shivanginadkarn/status/677066470325534721">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">In-house tools important but community collaboration critical to fight security threats <a href="https://twitter.com/tata_comm">@tata_comm</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/ZjbCnaROXC">pic.twitter.com/ZjbCnaROXC</a></p>
— aparna (@aparnag14) <a href="https://twitter.com/aparnag14/status/677067260268187648">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">'Orgns in India have a long way to go b4 they internalise privacy principles' Subhash S, CISO ICICI <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a></p>
— Shivangi Nadkarni (@shivanginadkarn) <a href="https://twitter.com/shivanginadkarn/status/677066928880410624">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Prof PK giving an interesting brief on Academia role in Cyber Security. <a href="https://twitter.com/ponguru">@ponguru</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> at <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/MEiO6sCJwu">pic.twitter.com/MEiO6sCJwu</a></p>
— Vikas Yadav (@VikasSYadav) <a href="https://twitter.com/VikasSYadav/status/677088566871101440">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Potential for interaction between Academia, Government and Industry but not an established reality yet. <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/hashtag/MappingCyberEducation?src=hash">#MappingCyberEducation</a></p>
— Indira Sen (@drealcharbar) <a href="https://twitter.com/drealcharbar/status/677089590717517824">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">I have figured out why information security is not in any boardroom discussions. Cause there are no good speakers / orators . <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Virag Thakkar (@viragthakkar) <a href="https://twitter.com/viragthakkar/status/677078491699871745">December 16, 2015</a></blockquote>
<p>The session on <strong>Smart Cities</strong> focused on discussing the actual cities coming up in India, and the security challenges highlighted by them. There was a presentation on Mahindra World City being built near Jaipur. Presenters talked about the need to stabilise, standardise, and securitise the unique identities of machines and sensors in a smart city context, so as to enable secured machine-to-machine communication. Since 'smartness' comes from connecting various applications and data silos together, the governance of proprietary technology and ensuring inter-operable data standards are crucial in the smart city.</p>
<p>As Special Purpose Vehicles are being planned to realise the smart cities, the presenters warned that finding the right CEOs for these entities will be critical for their success. Legacy processes and infrastructures (and labour unions) are a big challenge when realising smart cities. Hence, the first step towards the smart cities must be taken through connected enforcement of law, order, and social norms.</p>
<p>Privacy-by-design and security-by-design are necessary criteria for smart city technologies. Along with that, regular and automatic software/middleware updating of distributed systems and devices should be ensured, as well as the physical security of the actual devices and cables.</p>
<p>In terms of standards, security service compliance standards and those for protocols need to be established for the internet-of-things sector in India. On the other hand, there is significant interest of international vendors to serve the Indian market. All global data and cloud storage players, including Microsoft Azure cloud, are moving into India, and are working on substantial and complete data localisation efforts.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">Session - Why should you hire Women Security Professionals?... Balancing gender diversity
<a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/hashtag/DSCI_Connect?src=hash">#DSCI_Connect</a> <a href="https://t.co/uIMfG9PvAb">pic.twitter.com/uIMfG9PvAb</a></p>
— Jagan Suri (@jsuri90) <a href="https://twitter.com/jsuri90/status/677109792679157760">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">gender Diversity in cybersecurity critical 4 India's future. <a href="https://twitter.com/symantec">@symantec</a> partnered with <a href="https://twitter.com/nasscom">@nasscom</a> via 1000 women scholarships <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677118674197602304">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Dialogue with CERT-In
.. Starting 2nd Day of <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a>
.. B J Srinath, DG, CERT
<a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> <a href="https://twitter.com/hashtag/security?src=hash">#security</a> <a href="https://twitter.com/hashtag/privacy?src=hash">#privacy</a> <a href="https://t.co/cvDcrgkein">pic.twitter.com/cvDcrgkein</a></p>
— Vinayak Godse (@godvinayak) <a href="https://twitter.com/godvinayak/status/677342972170493952">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">New <a href="https://twitter.com/hashtag/problems?src=hash">#problems</a> can't b solved w old <a href="https://twitter.com/hashtag/solutions?src=hash">#solutions</a>: <a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT DG BJ Srinath <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677341246281539585">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">17 entities within <a href="https://twitter.com/hashtag/Indian?src=hash">#Indian</a> <a href="https://twitter.com/hashtag/government?src=hash">#government</a> engaged in <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a>: <a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT head <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677341728282533888">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Scope of activities by CERT in <a href="https://twitter.com/hashtag/India?src=hash">#India</a> way more than its counterparts elsewhere <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677342193854451712">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT looks 8 prediction & <a href="https://twitter.com/hashtag/prevention?src=hash">#prevention</a> <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> <a href="https://twitter.com/hashtag/emergency?src=hash">#emergency</a> not just <a href="https://twitter.com/hashtag/response?src=hash">#response</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677343140630540288">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT willing to <a href="https://twitter.com/hashtag/share?src=hash">#share</a> <a href="https://twitter.com/hashtag/information?src=hash">#information</a> rather than just receiving <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677343512833101824">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Savita CERTin outlines drill initiatives taken 4 preparedness-detect (protect), defend attacks wth response <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/wXrkgoLzr2">pic.twitter.com/wXrkgoLzr2</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677346822449303553">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">CERTin also offers incident predictability,Crisis mgmt plans, <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> assurance ladder (7 levels) besides 24 x 7 prevention <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677348506869239809">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> has 7.2 million bot infected <a href="https://twitter.com/hashtag/machines?src=hash">#machines</a>: <a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT DG Srinath <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677355051308871680">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Seizure & protection of electronic devices as admissible evidence (certificate u Sec 65B) imperative under Forensics investigation <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677364713005576192">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">'Law enforcement agency&corporate world must collaborate to fight cybercrime'-Atul Gupta,Partner-Risk Adv. @ <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/GwAQWhYMmK">pic.twitter.com/GwAQWhYMmK</a></p>
— KPMG India (@KPMGIndia) <a href="https://twitter.com/KPMGIndia/status/677373217711919104">December 17, 2015</a></blockquote>
<p>Mr. R. Chandrasekhar, President of NASSCOM, foregrounded the recommendations made by the Cybersecurity Special Task Force of NASSCOM, in his Special Address on the second day. He noted:</p>
<ul>
<li>There is a great opportunity to brand India as a global security R&D and services hub. Other countries are also quite interested in India becoming such a hub.</li>
<li>The government should set up a cybersecurity startup and innovation fund, in coordination with and working in parallel with the centres of excellence in internet-of-things (being led by DeitY) and the data science/analytics initiative (being led by DST).</li>
<li>There is an immediate need to create a capable workforce for the cybersecurity industry.</li>
<li>Cybersecurity affects everyone but there is almost no public disclosure. This leads to low public awareness and valuation of costs of cybersecurity failures. The government should instruct the Ministry of Corporate Affairs to get corporates to disclose (publicly or directly to the Ministry) security breaches.</li>
<li>With digital India and everyone going online, cyberspace will increasingly be prone to attacks of various kinds, and increasing scale of potential loss. Cybersecurity, hence, must be part of the core national development agenda.</li>
<li>The cybersecurity market in India is big enough and under-served enough for everyone to come and contribute to it.</li></ul>
<p>The Keynote Address by Mr. Rajiv Singh, MD – South Asia of Entrust Datacard, and Mr. Saurabh Airi, Technical Sales Consultant of Entrust Datacard, focused on trustworthiness and security of online identities for financial transactions. They argued that all kinds of transactions require a common form factor, which can be a card or a mobile phone. The key challenge is to make the form factor unique, verified, and secure. While no programme is completely secure, it is necessary to build security into the form factor - security of both the physical and digital kind, from the substrates of the card to the encryption algorithms. Entrust and Datacard have merged in the recent past to align their identity management and security transaction workflows, from physical cards to software systems for transactions. The advantages of this joint expertise have allowed them to successfully develop the National Population Register cards of India. Now, with the mobile phone emerging as a key financial transaction form factor, the challenge across the cybersecurity industry is to offer the same level of physical, digital, and network security for the mobile phone as is provided for ATM cards and cash machines.</p>
<p>The following Keynote Address by Dr. Jared Ragland, Director - Policy of BSA, focused on the cybersecurity investment landscape in India and the neighbouring region. BSA, he explained, is a global trade body of software companies. All major global software companies are members of BSA. Recently, BSA has produced a study on the cybersecurity industry across 10 markets in the Asia Pacific region, titled <a href="http://cybersecurity.bsa.org/2015/apac/">Asia Pacific Cybersecurity Dashboard</a>. The study provides an overview of cybersecurity policy developments in these countries, and sector-specific opportunities in the region. Dr. Ragland mentioned the following as the key building blocks of cybersecurity policy: legal foundation, establishment of operational entities, building trust and partnerships (PPP), addressing sector-specific requirements, and education and awareness. As for India, he argued that while steady steps have been taken in the cybersecurity policy space by the government, a lot remains to be done. Operationalisation of the policy is especially lacking. PPPs are happening but there is a general lack of persistent formal engagement with the private sector, especially with global software companies. There is almost no sector-specific strategy. Further, the requirement for India-specific testing of technologies, according to domestic and not global standards, is creating an entry barrier for global companies and an export barrier for Indian companies. Having said that, Dr. Ragland pointed out that India's cybersecurity experience is quite representative of that of the Asia Pacific region. He noted the following as major stumbling blocks from an international industry perspective: unnecessary and unreasonable testing requirements, setting of domestic standards, and data localisation rules.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">The Policy Makers' panel in <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> in progress. Arvind Gupta, Head, BJP IT cell (<a href="https://twitter.com/buzzindelhi">@buzzindelhi</a>) speaks. <a href="https://t.co/9yWR0gMwf5">pic.twitter.com/9yWR0gMwf5</a></p>
— Nandkumar Saravadé (@saravade) <a href="https://twitter.com/saravade/status/677437443356798977">December 17, 2015</a></blockquote>
<p>One of the final sessions of the Summit was the Public Policy Dialogue between <a href="https://twitter.com/rajeevgowda">Prof. M.V. Rajeev Gowda</a>, Member of Parliament, Rajya Sabha, and <a href="https://twitter.com/buzzindelhi">Mr. Arvind Gupta</a>, Head of IT Cell, BJP.</p>
<p>Prof. Gowda focused on the following concerns:</p>
<ul>
<li>We often freely give up our information and rights over to owners of websites and applications on the web. We need to ask questions regarding the ownership, storage, and usage of such data.</li>
<li>While Section 66A of the Information Technology Act started as an anti-spam rule, it has actually been used to harass people, instead of protecting them from online harassment.</li>
<li>The bill on DNA profiling has raised crucial privacy concerns related to this most personal data. The complexity around the issue is created by the possibility of data leakage and usage for various commercial interests.</li>
<li>We need to ask if western notions of privacy will work in the Indian context.</li>
<li>We need to move towards a cashless economy, which will not only formalise the existing informal economy but also speed up transactions nationally. We need to keep in mind that this will put a substantial demand burden on the communication infrastructure, as all transactions will happen through these.</li></ul>
<p> Mr. Gupta shared his keen insights about the key public policy issues in <em>digital India</em>:</p>
<ul>
<li>The journey to establish <em>the digital</em> as a key political agenda and strategy within BJP took him more than 6 years. He has been an entrepreneur, and will always remain one. He approached his political journey as an entrepreneur.</li>
<li>While we are producing numerous digitally literate citizens, the companies offering services on the internet often unknowingly acquire data about these citizens, store them, and sometimes even expose them. India perhaps produces the greatest volume of digital exhaust globally.</li>
<li>BJP inherited the Aadhaar national identity management platform from UPA, and has decided to integrate it deeply into its digital India architecture.</li>
<li>Financial and administrative transactions, especially ones undertaken by and with governments, are all becoming digital and mostly Aadhaar-linked. We are not sure where all such data is going, and who has access to such data.</li>
<li>Right now there is an ongoing debate about using biometric system for identification. The debate on privacy is much needed, and a privacy policy is essential to strengthen Aadhaar. We must remember that the benefits of Aadhaar clearly outweigh the risks. Greatest privacy threats today come from many other places, including simple mobile torch apps.</li>
<li>India is rethinking its cybersecurity capacities in a serious manner. After the Paris attack it has become obvious that the state should be allowed to look into electronic communication under reasonable guidelines. The challenge is identifying the fine balance between consumers' interest on one hand, and national interest and security concerns on the other. Unfortunately, the concerns of a few are often amplified in popular media.</li>
<li>MyGov platform should be used much more effectively for public policy debates. Social media networks, like Twitter, are not the correct platforms for such debates.</li></ul>
<p> </p>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a>: <a href="https://twitter.com/rajivgowda">@rajivgowda</a> & <a href="https://twitter.com/buzzindelhi">@buzzindelhi</a> are talking abt proactive disclosure as a key part of <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> strategy <a href="https://twitter.com/hashtag/openData?src=hash">#openData</a> <a href="https://twitter.com/DataPortalIndia">@DataPortalIndia</a></p>
— sumandro (@ajantriks) <a href="https://twitter.com/ajantriks/status/677447609502445568">December 17, 2015</a></blockquote>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes'>http://editors.cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes</a>
</p>
No publisher | sumandro | Cybersecurity | NASSCOM | DSCI | Information Security | Cyber Security | 2016-01-19T07:58:56Z | Blog Entry
Ground Zero Summit
http://editors.cis-india.org/internet-governance/blog/ground-zero-summit
<b>The Ground Zero Summit, which claims to be the largest collaborative platform in Asia for cyber-security, was held in New Delhi from 5th to 8th November. The conference was organised by the Indian Infosec Consortium (IIC), a not-for-profit organisation backed by the Government of India. Cyber security experts, hackers, senior officials from the government and defence establishments, senior professionals from the industry and policymakers attended the event. </b>
<h3 style="text-align: justify; ">Keynote Address</h3>
<p style="text-align: justify; ">The Union Home Minister, Mr. Rajnath Singh, inaugurated the conference. Mr Singh described cyber-barriers that impact the issues that governments face in ensuring cyber-security. Calling cyberspace the fifth dimension of security in addition to land, air, water and space, Mr Singh emphasised the need to curb cyber-crimes in India, which grew by 70% in 2014 compared to 2013. He highlighted the fact that changes in location, jurisdiction and language made cybercrime particularly difficult to address. Continuing in the same vein, Mr. Rajnath Singh also mentioned cyber-terrorism as one of the big dangers in the time to come. With a number of government initiatives like Digital India, Smart Cities and Make in India leveraging technology, the Home Minister said that the success of these projects would be dependent on having robust cyber-security systems in place.<br /><br />The Home Minister outlined some initiatives that the Government of India is planning to take in order to address concerns around cyber security - such as plans to finalize a new national cyber policy. Significantly, he referred to a committee headed by Dr. Gulshan Rai, the National Cyber Security Coordinator, mandated to suggest a roadmap for effectively tackling cybercrime in India. This committee has recommended the setting up of the Indian Cyber Crime Coordination Centre (I-4C). This centre is meant to engage in capacity building with key stakeholders to enable them to address cyber crimes, and work with law enforcement agencies. Earlier reports about the recommendation suggest that the I-4C will likely be placed under the National Crime Records Bureau and align with the state police departments through the Crime and Criminal Tracking and Network Systems (CCTNS). I-4C is supposed to be comprised of high quality technical and R&D experts who would be engaged in developing cyber investigation tools. 
<br /><br />Other keynote speakers included Alok Joshi, Chairman, NTRO; Dr Gulshan Rai, National Cyber Security Coordinator; Dr. Arvind Gupta, Head of IT Cell, BJP and Air Marshal S B Dep, Chief of the Western Air Command.</p>
<h3 style="text-align: justify; ">Technical Speakers</h3>
<p style="text-align: justify; ">There were a number of technical speakers who presented on an array of subjects. The first session was by Jiten Jain, a cyber security analyst who spoke on cyber espionage conducted by actors in Pakistan to target defence personnel in India. Jiten Jain talked about how the Indian Infosec Consortium had discovered these attacks in 2014. Most of these websites and mobile apps posed as defence news and carried malware and viruses. An investigation conducted by IIC revealed the domains to be registered in Pakistan. In another session Shesh Sarangdhar, the CEO of Seclabs, an application security company, spoke about the Darknet and ways to break anonymity on it. Sarangdhar mentioned that anonymity on the Darknet is dependent on all determinants of the equation in the communication maintaining a specific state. He discussed techniques like using audio files, cross domain on Tor and Sybil attacks as methods of deanonymization. Dr. Triveni Singh, Assistant Superintendent of Police, Special Task Force, UP Police, made a presentation on the trends in cyber crime. Dr. Singh emphasised the amount of uncertainty with regard to the purpose of a computer intrusion. He discussed real life case studies such as data theft, credit card fraud and share trading fraud from the perspective of law enforcement agencies.<br /><br />Anirudh Anand, CTO of Infosec Labs, discussed how web applications are heavily reliant on filters or escaping methods. His talk focused on XSS (cross site scripting) and bypassing regular expression filters. He also announced the release of XSS labs, an XSS test bed for security professionals and developers that includes filter evasion techniques like b-services, weak cryptographic design and cross site request forgery. Jan Siedl, an authority on SCADA, presented on TOR tricks which may be used by bots, shells and other tools to better use the TOR network and I2P. 
His presentation dealt with using obfuscated bridges, Hidden Services based HTTP, multiple C&C addresses and use of OTP. Aneesha, an intern with the Kerala Police, spoke about elliptic curve cryptography and its features, such as low processing overheads. As this requires elliptic curve paths, efficient encoding and decoding techniques need to be developed. Aneesha spoke about an algorithm called Generator-Inverse for encoding and decoding a message using a Single Sign-on mechanism. Other subjects presented included vulnerabilities that remained despite using TLS/SSL, deception technology and the cyber kill-chain, credit card frauds, post-quantum crypto-systems and popular Android malware.</p>
<h3 style="text-align: justify; ">Panels</h3>
<p style="text-align: justify; ">There were also two panels organised at the conference. Samir Saran, Vice President of Observer Research Foundation, moderated the first panel on Cyber Arms Control. The panel included participants like Lt. General A K Sahni from the South Western Air Command; Lt. General A S Lamba, Retired Vice Chief Indian Army; Alok Vijayant, Director of Cyber Security Operation of NTRO and Captain Raghuraman from Reliance Industries. The panel debated the virtues of cyber arms control treaties. It was acknowledged by the panel that there was a need to frame rules and create a governance mechanism for wars in cyberspace. However, this would be effective only if governments are the primary actors with the capability for building cyber-warfare know-how and tools. The reality was that most kinds of cyber weapons involved non-state actors from the hacker community. In light of this, cyber control treaties would lose most of their effectiveness. <br /><br />The second panel was on the ‘Make for India’ initiatives. Dinesh Bareja, the CEO of Open Security Alliance and Pyramid Cyber Security, was the moderator for this panel, which also included Nandakumar Saravade, CEO of Data Security Council of India; Sachin Burman, Director of NCIIPC; Dr. B J Srinath, Director General of ICERT and Amit Sharma, Joint Director of DRDO. The focus of this session was on ‘Make in India’ opportunities in the domain of cyber security. The panelists discussed the role the government and industry could play in creating an ecosystem that supports entrepreneurs in skill development. Among the approaches discussed were: involving actors in knowledge sharing and mentoring chapters which could be backed by organisations like NASSCOM, and bringing together industry and government experts in events like the Ground Zero Summit to provide knowledge and training on cyber-security issues.</p>
<h3 style="text-align: justify; ">Exhibitions</h3>
<p class="Normal1" style="text-align: justify; ">The conference was accompanied by an exhibition showcasing indigenous cybersecurity products. The exhibitors included Smokescreen Technologies, Sempersol Consultancy, Ninja Hackon, Octogence Technologies, Secfence, Amity, Cisco Academy, Robotics Embedded Education Services Pvt. Ltd., Defence Research and Development Organisation (DRDO), Skin Angel, Aksit, Alqimi, Seclabs and Systems, Forensic Guru, Esecforte Technologies, Gade Autonomous Systems, National Critical Information Infrastructure Protection Centre (NCIIPC), Indian Infosec Consortium (IIC), INNEFU, Event Social, National Internet Exchange of India (NIXI) and Robotic Zone.</p>
<p class="Normal1" style="text-align: justify; ">The conference also witnessed events such as Drone Wars, in which selected participants had to navigate a drone, a Hacker Fashion Show and the official launch of the Ground Zero’s Music Album.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/ground-zero-summit'>http://editors.cis-india.org/internet-governance/blog/ground-zero-summit</a>
</p>
No publisher | Amber Sinha | Cyber Security | Internet Governance | 2016-01-03T06:06:56Z | Blog Entry
Cyber Security Summit 2015
http://editors.cis-india.org/internet-governance/news/cyber-security-summit-2015
<b>The Government of Karnataka in association with Biz Wingz Production House organized this Summit on November 27, 2015 at JW Marriott, Bangalore from 10.30 a.m. to 5.30 p.m. Sunil Abraham was a panelist. </b>
<p style="text-align: justify; ">Cloud-based applications are often the darling of the CFO and the nemesis of the CISO & CIOs. How can an organization migrate to the cloud, thus relinquishing control, but still maintain security? Are we sacrificing security and robustness in exchange for other priorities? How do the ‘Snowden’ disclosures change the legal and risk nature of cloud decision making and governance? What can proactive cloud providers do to capture the opportunity in the disruption? The panel explored these topics and more to provide the cutting-edge thinking and perspectives you need to shape your own cloud strategies in ways that balance multiple priorities.</p>
<h3 style="text-align: justify; ">Panelists</h3>
<ul>
<li>Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance & Chief Operational Risk Officer India</li>
<li>Sunil Abraham, Executive Director, Centre for Internet and Society</li>
<li>Atul Kumar, GM IT, Syndicate Bank</li>
<li>Lopa Mudra Basu, AVP & Head of Enterprise Security & Risk Governance, SLK Global</li>
<li>Sagar Karan, Chief Information Security Officer, Fullerton India Credit Co. Ltd.</li>
<li>R Vijay, CISO – Technology, Mahindra & Mahindra Financial Services Limited</li>
<li>Sanjivan S Shirke, Senior Vice President - Information Technology, Head - Information Security, UTI Asset Management Company Limited.</li>
<li>Sanjay Sahay, IPS, ADGP, Grievances & Human Rights, Police Dept, Govt of Karnataka (moderator).</li>
</ul>
<p><a class="external-link" href="https://www.eventshigh.com/detail/Bangalore/f8cf8b1a68202dca7543ec973f7ae2c0-cyber-security-summit-2015">More information about this event</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/cyber-security-summit-2015'>http://editors.cis-india.org/internet-governance/news/cyber-security-summit-2015</a>
</p>
No publisher | praskrishna | Cyber Security | Internet Governance | 2015-12-16T02:10:24Z | News Item
Summary Report Internet Governance Forum 2015
http://editors.cis-india.org/internet-governance/blog/summary-report-internet-governance-forum-2015
<b>Centre for Internet and Society (CIS), India participated in the Internet Governance Forum (IGF) held at Poeta Ronaldo Cunha Lima Conference Center, Joao Pessoa in Brazil from 10 November 2015 to 13 November 2015. The theme of IGF 2015 was ‘Evolution of Internet Governance: Empowering Sustainable Development’. Sunil Abraham, Pranesh Prakash & Jyoti Panday from CIS actively engaged and made substantive contributions to several key issues affecting internet governance at the IGF 2015. The issue-wise detail of their engagement is set out below. </b>
<p align="center" style="text-align: left;"><strong>INTERNET
GOVERNANCE</strong></p>
<p align="justify">
I. The Multi-stakeholder Advisory Group to the IGF organised a discussion on
<em><strong>Sustainable Development Goals (SDGs) and Internet Economy</strong></em>
at the Main Meeting Hall from 9:00 am to 12:30 pm on 11 November, 2015.
The discussions at this session focused on the importance of policies and an
ecosystem that enable the Internet Economy for the fulfilment of different SDGs.
Several concerns relating to internet entrepreneurship, effective ICT capacity
building, protection of intellectual property within and across borders, and
availability of local applications and content were addressed. The panel also
discussed the need to identify SDGs where internet based technologies
could make the most effective contribution. Sunil Abraham contributed to the
panel discussions by addressing the issue of development and promotion of local
content and applications. The list of speakers included:</p>
<ol>
<li>
<p align="justify">
Lenni
Montiel, Assistant-Secretary-General for Development, United Nations</p>
</li><li>
<p align="justify">
Helani
Galpaya, CEO LIRNEasia</p>
</li><li>
<p align="justify">
Sergio
Quiroga da Cunha, Head of Latin America, Ericsson</p>
</li><li>
<p align="justify">
Raúl
L. Katz, Adjunct Professor, Division of Finance and Economics,
Columbia Institute of Tele-information</p>
</li><li>
<p align="justify">
Jimson
Olufuye, Chairman, Africa ICT Alliance (AfICTA)</p>
</li><li>
<p align="justify">
Lydia
Brito, Director of the Office in Montevideo, UNESCO</p>
</li><li>
<p align="justify">
H.E.
Rudiantara, Minister of Communication & Information Technology,
Indonesia</p>
</li><li>
<p align="justify">
Daniel
Sepulveda, Deputy Assistant Secretary, U.S. Coordinator for
International and Communications Policy at the U.S. Department of
State </p>
</li><li>
<p align="justify">
Deputy
Minister Department of Telecommunications and Postal Services for
the republic of South Africa</p>
</li><li>
<p align="justify">
Sunil
Abraham, Executive Director, Centre for Internet and Society, India</p>
</li><li>
<p align="justify">
H.E.
Junaid Ahmed Palak, Information and Communication Technology
Minister of Bangladesh</p>
</li><li>
<p align="justify">
Jari
Arkko, Chairman, IETF</p>
</li><li>
<p align="justify">
Silvia
Rabello, President, Rio Film Trade Association</p>
</li><li>
<p align="justify">
Gary
Fowlie, Head of Member State Relations & Intergovernmental
Organizations, ITU</p>
</li></ol>
<p align="justify">
Detailed description of the workshop is available here
<a href="http://www.intgovforum.org/cms/igf2015-main-sessions" target="_top">http://www.intgovforum.org/cms/igf2015-main-sessions</a></p>
<p align="justify">
Transcript
of the workshop is available here
<u><a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2327-2015-11-11-internet-economy-and-sustainable-development-main-meeting-room">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2327-2015-11-11-internet-economy-and-sustainable-development-main-meeting-room</a></u></p>
<p align="justify">
Video link for Internet Economy and Sustainable Development is available here
<a href="https://www.youtube.com/watch?v=D6obkLehVE8">https://www.youtube.com/watch?v=D6obkLehVE8</a></p>
<p align="justify"> II.
Public
Knowledge organised a workshop on <em><strong>The
Benefits and Challenges of the Free Flow of Data </strong></em>at
Workshop Room
5 from 11:00 am to 12:00 pm on 12 November, 2015. The discussions in
the workshop focused on the benefits and challenges of the free flow
of data and also the concerns relating to data flow restrictions
including ways to address
them. Sunil
Abraham contributed to the panel discussions by addressing the issue
of jurisdiction of data on the internet. The
panel for the workshop included the following.</p>
<ol>
<li>
<p align="justify">
Vint
Cerf, Google</p>
</li><li>
<p align="justify">
Lawrence
Strickling, U.S. Department of Commerce, NTIA</p>
</li><li>
<p align="justify">
Richard
Leaning, European Cyber Crime Centre (EC3), Europol</p>
</li><li>
<p align="justify">
Marietje
Schaake, European Parliament</p>
</li><li>
<p align="justify">
Nasser
Kettani, Microsoft</p>
</li><li>
<p align="justify">
Sunil
Abraham, CIS
India</p>
</li></ol>
<p align="justify">
Detailed description of the workshop is available here
<a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals" target="_top">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></p>
<p align="justify">
Transcript
of the workshop is available here
<a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2467-2015-11-12-ws65-the-benefits-and-challenges-of-the-free-flow-of-data-workshop-room-5">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2467-2015-11-12-ws65-the-benefits-and-challenges-of-the-free-flow-of-data-workshop-room-5</a></p>
<p align="justify">
Video link https://www.youtube.com/watch?v=KtjnHkOn7EQ</p>
<p align="justify"> III.
Article
19 and
Privacy International organised a workshop on <em><strong>Encryption
and Anonymity: Rights and Risks</strong></em>
at Workshop Room 1 from 11:00 am to 12:30 pm on 12 November, 2015.
The
workshop fostered a discussion about the latest challenges to
protection of anonymity and encryption and ways in which law
enforcement demands could be met while ensuring that individuals
still enjoyed strong encryption and unfettered access to anonymity
tools. Pranesh
Prakash contributed to the panel discussions by addressing concerns
about the existing South Asian regulatory framework on encryption and
anonymity and emphasizing the need for pervasive encryption. The
panel for this workshop included the following.</p>
<ol>
<li>
<p align="justify">
David
Kaye, UN Special Rapporteur on Freedom of Expression</p>
</li><li>
<p align="justify">
Juan
Diego Castañeda, Fundación Karisma, Colombia</p>
</li><li>
<p align="justify">
Edison
Lanza, Organisation of American States Special Rapporteur</p>
</li><li>
<p align="justify">
Pranesh
Prakash, CIS India</p>
</li><li>
<p align="justify">
Ted
Hardie, Google</p>
</li><li>
<p align="justify">
Elvana
Thaci, Council of Europe</p>
</li><li>
<p align="justify">
Professor
Chris Marsden, Oxford Internet Institute</p>
</li><li>
<p align="justify">
Alexandrine
Pirlot de Corbion, Privacy International</p>
</li></ol>
<p align="justify"><a name="_Hlt435412531"></a>
Detailed description of the workshop is available here
<a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals" target="_top">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></p>
<p align="justify">
Transcript
of the workshop is available here
<a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2407-2015-11-12-ws-155-encryption-and-anonymity-rights-and-risks-workshop-room-1">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2407-2015-11-12-ws-155-encryption-and-anonymity-rights-and-risks-workshop-room-1</a></p>
<p align="justify">
Video link available here https://www.youtube.com/watch?v=hUrBP4PsfJo</p>
<p align="justify"> IV.
Chalmers
& Associates organised a session on <em><strong>A
Dialogue on Zero Rating and Network Neutrality</strong></em>
at the Main Meeting Hall from 2:00 pm to 4:00 pm on 12 November,
2015. The Dialogue provided access to expert insight on zero-rating
and a full spectrum of diverse
views on this issue. The Dialogue also explored alternative
approaches to zero rating such as use of community networks. Pranesh
Prakash provided
a
detailed explanation of harms and benefits related to different
approaches to zero-rating. The
panellists for this session were the following.</p>
<ol>
<li>
<p align="justify">
Jochai
Ben-Avie, Senior Global Policy Manager, Mozilla, USA</p>
</li><li>
<p align="justify">
Igor
Vilas Boas de Freitas, Commissioner, ANATEL, Brazil</p>
</li><li>
<p align="justify">
Dušan
Caf, Chairman, Electronic Communications Council, Republic of
Slovenia</p>
</li><li>
<p align="justify">
Silvia
Elaluf-Calderwood, Research Fellow, London School of Economics,
UK/Peru</p>
</li><li>
<p align="justify">
Belinda
Exelby, Director, Institutional Relations, GSMA, UK</p>
</li><li>
<p align="justify">
Helani
Galpaya, CEO, LIRNEasia, Sri Lanka</p>
</li><li>
<p align="justify">
Anja
Kovacs, Director, Internet Democracy Project, India</p>
</li><li>
<p align="justify">
Kevin
Martin, VP, Mobile and Global Access Policy, Facebook, USA</p>
</li><li>
<p align="justify">
Pranesh
Prakash, Policy Director, CIS India</p>
</li><li>
<p align="justify">
Steve
Song, Founder, Village Telco, South Africa/Canada</p>
</li><li>
<p align="justify">
Dhanaraj
Thakur, Research Manager, Alliance for Affordable Internet, USA/West
Indies</p>
</li><li>
<p align="justify">
Christopher
Yoo, Professor of Law, Communication, and Computer & Information
Science, University of Pennsylvania, USA</p>
</li></ol>
<p align="justify">
Detailed
description of the workshop is available here
<a href="http://www.intgovforum.org/cms/igf2015-main-sessions" target="_top">http://www.intgovforum.org/cms/igf2015-main-sessions</a></p>
<p align="justify">
Transcript
of the workshop is available here
<a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2457-2015-11-12-a-dialogue-on-zero-rating-and-network-neutrality-main-meeting-hall-2">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2457-2015-11-12-a-dialogue-on-zero-rating-and-network-neutrality-main-meeting-hall-2</a></p>
<p align="justify"> V.
The
Internet & Jurisdiction Project organised a workshop on
<em><strong>Transnational
Due Process: A Case Study in MS Cooperation</strong></em>
at Workshop Room
4 from 11:00 am to 12:00 pm on 13 November, 2015. The
workshop discussion focused on the challenges in developing an
enforcement framework for the internet that guarantees transnational
due process and legal interoperability. The discussion also focused
on innovative approaches to multi-stakeholder cooperation such as
issue-based networks, inter-sessional work methods and transnational
policy standards. The panellists for this discussion were the
following.</p>
<ol>
<li>
<p align="justify">
Anne Carblanc, Head of Division, Directorate for Science, Technology and
Industry, OECD</p>
</li><li>
<p align="justify">
Eileen Donahoe, Director Global Affairs, Human Rights Watch</p>
</li><li>
<p align="justify">
Byron Holland, President and CEO, CIRA (Canadian ccTLD)</p>
</li><li>
<p align="justify">
Christopher Painter, Coordinator for Cyber Issues, US Department of State</p>
</li><li>
<p align="justify">
Sunil Abraham, Executive Director, CIS India</p>
</li><li>
<p align="justify">
Alice Munyua, Lead dotAfrica Initiative and GAC representative, African
Union Commission</p>
</li><li>
<p align="justify">
Will Hudson, Senior Advisor for International Policy, Google</p>
</li><li>
<p align="justify">
Dunja Mijatovic, Representative on Freedom of the Media, OSCE</p>
</li><li>
<p align="justify">
Thomas Fitschen, Director for the United Nations, for International
Cooperation against Terrorism and for Cyber Foreign Policy, German
Federal Foreign Office</p>
</li><li>
<p align="justify">
Hartmut Glaser, Executive Secretary, Brazilian Internet Steering Committee</p>
</li><li>
<p align="justify">
Matt Perault, Head of Policy Development, Facebook</p>
</li></ol>
<p align="justify">
Detailed
description of the workshop is available here
<a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></p>
<p align="justify">
Transcript
of the workshop is available here
<a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2475-2015-11-13-ws-132-transnational-due-process-a-case-study-in-ms-cooperation-workshop-room-4">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2475-2015-11-13-ws-132-transnational-due-process-a-case-study-in-ms-cooperation-workshop-room-4</a></p>
<p align="justify">
Video
link Transnational
Due Process: A Case Study in MS Cooperation available here <a href="https://www.youtube.com/watch?v=M9jVovhQhd0">https://www.youtube.com/watch?v=M9jVovhQhd0</a></p>
<p align="justify"> VI.
The Internet Governance Project organised a meeting of the
<em><strong>Dynamic Coalition on Accountability of Internet Governance Venues</strong></em>
at Workshop Room 2 from 14:00 – 15:30 on 12 November, 2015. The coalition
brought together panelists to highlight the challenges in developing an
accountability framework for internet governance venues, which include setting
up standards and developing a set of concrete criteria. Jyoti Panday provided
the perspective of civil society on why accountability is necessary in internet
governance processes and organizations. The panelists for this workshop included
the following.</p>
<ol>
<li>
<p>
Robin
Gross, IP Justice</p>
</li><li>
<p>
Jeanette
Hofmann, Director
<a href="http://www.internetundgesellschaft.de/">Alexander
von Humboldt Institute for Internet and Society</a></p>
</li><li>
<p>
Farzaneh
Badiei,
Internet Governance Project</p>
</li><li>
<p>
Erika Mann, Managing Director Public Policy, Facebook and Board of Directors,
ICANN</p>
</li><li>
<p>
Paul
Wilson, APNIC</p>
</li><li>
<p>
Izumi
Okutani, Japan
Network Information Center (JPNIC)</p>
</li><li>
<p>
Keith Drazek, Verisign</p>
</li><li>
<p>
Jyoti
Panday,
CIS</p>
</li><li>
<p>
Jorge
Cancio,
GAC representative</p>
</li></ol>
<p>
Detailed
description of the workshop is available here
<a href="http://igf2015.sched.org/event/4c23/dynamic-coalition-on-accountability-of-internet-governance-venues?iframe=no&w=&sidebar=yes&bg=no">http://igf2015.sched.org/event/4c23/dynamic-coalition-on-accountability-of-internet-governance-venues?iframe=no&w=&sidebar=yes&bg=no</a></p>
<p>
Video
link https://www.youtube.com/watch?v=UIxyGhnch7w</p>
<p> VII.
Digital Infrastructure Netherlands Foundation organized an open forum at
Workshop Room 3 from 11:00 – 12:00 on 10 November, 2015. The open
forum discussed the increase in government engagement with “the internet” to
protect their citizens against crime and abuse and to protect economic interests
and critical infrastructures. It brought together panelists to present
ideas about an agenda for the international protection of ‘the
public core of the internet’ and to collect and discuss ideas for
the formulation of norms and principles and for the identification of
practical steps towards that goal.
Pranesh Prakash participated in the open forum. Other speakers
included</p>
<ol>
<li>
<p>
Bastiaan Goslings (AMS-IX, NL)</p>
</li><li>
<p>
Pranesh Prakash (CIS, India)</p>
</li><li>
<p>
Marilia Maciel (FGV, Brasil)</p>
</li><li>
<p>
Dennis Broeders (NL Scientific Council for Government Policy)</p>
</li></ol>
<p>
Detailed
description of the open
forum is available here
<a href="http://schd.ws/hosted_files/igf2015/3d/DINL_IGF_Open%20Forum_The_public_core_of_the_internet.pdf">http://schd.ws/hosted_files/igf2015/3d/DINL_IGF_Open%20Forum_The_public_core_of_the_internet.pdf</a></p>
<p>
Video
link available here <a href="https://www.youtube.com/watch?v=joPQaMQasDQ">https://www.youtube.com/watch?v=joPQaMQasDQ</a></p>
<p>
VIII.
UNESCO, Council of Europe, Oxford University, Office of the High
Commissioner on Human Rights, Google and Internet Society organised a
workshop on hate speech and youth radicalisation at Room 9 on
Thursday, November 12. UNESCO shared the initial outcome from its
commissioned research on online hate speech, including practical
recommendations on combating online hate speech through
understanding the challenges, mobilizing civil society, lobbying
the private sector and intermediaries, and educating individuals with
media and information literacy. The workshop also discussed how to
help empower youth to address online radicalization and extremism,
and realize their aspirations to contribute to a more peaceful and
sustainable world. Sunil Abraham provided his inputs. Other speakers
included</p>
<ol>
<li>
<p>
Chaired by Ms Lidia Brito, Director for UNESCO Office in Montevideo</p>
</li><li>
<p>
Frank La Rue, Former Special Rapporteur on Freedom of Expression</p>
</li><li>
<p>
Lillian Nalwoga, President ISOC Uganda and rep CIPESA, Technical
community</p>
</li><li>
<p>
Bridget O’Loughlin, CoE, IGO</p>
</li><li>
<p>
Gabrielle Guillemin, Article 19</p>
</li><li>
<p>
Iyad Kallas, Radio Souriali</p>
</li><li>
<p>
Sunil Abraham, Executive Director of Centre for Internet and Society,
Bangalore, India</p>
</li><li>
<p>
Eve Salomon, global Chairman of the Regulatory Board of RICS</p>
</li><li>
<p>
Javier Lesaca Esquiroz, University of Navarra</p>
</li><li>
<p>
Representative GNI</p>
</li><li>
<p>
Remote Moderator: Xianhong Hu, UNESCO</p>
</li><li>
<p>
Rapporteur: Guilherme Canela De Souza Godoi, UNESCO</p>
</li></ol>
<p>
Detailed
description of the workshop
is available here
<a href="http://igf2015.sched.org/event/4c1X/ws-128-mitigate-online-hate-speech-and-youth-radicalisation?iframe=no&w=&sidebar=yes&bg=no">http://igf2015.sched.org/event/4c1X/ws-128-mitigate-online-hate-speech-and-youth-radicalisation?iframe=no&w=&sidebar=yes&bg=no</a></p>
<p>
Video
link to the panel is available here
<a href="https://www.youtube.com/watch?v=eIO1z4EjRG0">https://www.youtube.com/watch?v=eIO1z4EjRG0</a></p>
<p> <strong>INTERMEDIARY
LIABILITY</strong></p>
<p align="justify">
IX.
The Electronic
Frontier Foundation, the Centre for Internet and Society, India, Open Net
Korea and Article 19 collaborated to organize
a workshop on the <em><strong>Manila
Principles on Intermediary Liability</strong></em>
at Workshop Room 9 from 11:00 am to 12:00 pm on 13 November 2015. The
workshop elaborated on the Manila
Principles, a high-level framework of best practices and
safeguards for content restriction practices and for addressing the liability
of intermediaries for third-party content. The
workshop
saw participants engaged in overlapping projects on content
restriction practices come together to give feedback and highlight
recent developments across liability regimes. Jyoti
Panday laid down the key details of the Manila Principles framework
in this session. The panelists for this workshop included the
following.</p>
<ol>
<li>
<p align="justify">
Kelly
Kim, Open Net Korea,</p>
</li><li>
<p align="justify">
Jyoti
Panday, CIS India,</p>
</li><li>
<p align="justify">
Gabrielle
Guillemin, Article 19,</p>
</li><li>
<p align="justify">
Rebecca
McKinnon on behalf of UNESCO</p>
</li><li>
<p align="justify">
Giancarlo
Frosio, Center for Internet and Society, Stanford Law School</p>
</li><li>
<p align="justify">
Nicolo
Zingales, Tilburg University</p>
</li><li>
<p align="justify">
Will
Hudson, Google</p>
</li></ol>
<p align="justify">
Detailed
description of the workshop is available here
<a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals" target="_top">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></p>
<p align="justify">
Transcript
of the workshop is available here
<a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2423-2015-11-13-ws-242-the-manila-principles-on-intermediary-liability-workshop-room-9">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2423-2015-11-13-ws-242-the-manila-principles-on-intermediary-liability-workshop-room-9</a></p>
<p align="justify">
Video link available here <a href="https://www.youtube.com/watch?v=kFLmzxXodjs">https://www.youtube.com/watch?v=kFLmzxXodjs</a></p>
<p align="justify"> <strong>ACCESSIBILITY</strong></p>
<p align="justify">
X.
The Dynamic
Coalition
on Accessibility and Disability and the Global Initiative for Inclusive
ICTs organised a workshop on <em><strong>Empowering
the Next Billion by Improving Accessibility</strong></em><em>
</em>at
Workshop Room 6 from 9:00 am to 10:30 am on 13 November, 2015. The
discussion focused on
the need for, and ways of, removing the accessibility barriers that prevent over
one billion potential users from benefiting from the Internet, including
for essential services. Sunil
Abraham spoke about the lack of compliance of existing
ICT infrastructure with well-established accessibility standards,
specifically in relation to accessibility barriers in the disaster
management process. He discussed the barriers faced by persons with
physical or psychosocial disabilities. The
panelists for this discussion were the following.</p>
<ol>
<li>
<p align="justify">
Francesca
Cesa Bianchi, G3ICT</p>
</li><li>
<p align="justify">
Cid
Torquato, Government of Brazil</p>
</li><li>
<p align="justify">
Carlos
Lauria, Microsoft Brazil</p>
</li><li>
<p align="justify">
Sunil
Abraham, CIS India</p>
</li><li>
<p align="justify">
Derrick
L. Cogburn, Institute on Disability and Public Policy (IDPP) for the
ASEAN (Association of Southeast Asian Nations) Region</p>
</li><li>
<p align="justify">
Fernando
H. F. Botelho, F123 Consulting</p>
</li><li>
<p align="justify">
Gunela
Astbrink, GSA InfoComm</p>
</li></ol>
<p align="justify">
Detailed
description of the workshop is available here
<u><a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals" target="_top">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></u></p>
<p align="justify">
Transcript
of the workshop is available here
<u><a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2438-2015-11-13-ws-253-empowering-the-next-billion-by-improving-accessibility-workshop-room-3">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2438-2015-11-13-ws-253-empowering-the-next-billion-by-improving-accessibility-workshop-room-3</a></u></p>
<p align="justify">
Video
link for Empowering
the Next Billion by Improving Accessibility is available here <a href="https://www.youtube.com/watch?v=7RZlWvJAXxs">https://www.youtube.com/watch?v=7RZlWvJAXxs</a></p>
<p align="justify"> <strong>OPENNESS</strong></p>
<p align="justify">
XI.
A
workshop on <em><strong>FOSS
& a Free, Open Internet: Synergies for Development</strong></em>
was organized at Workshop Room 7 from 2:00 pm to 3:30 pm on 13
November, 2015. The discussion focused on the increasing risk to
the openness of the internet and to the ability of present and future
generations to use technology to improve their lives. The panel shared
different perspectives about the future co-development
of FOSS and a free, open Internet; the threats that are emerging; and
ways for communities to surmount these. Sunil
Abraham emphasised the importance of free software, open standards,
open access and access to knowledge, noted the lack of this mandate in
the draft outcome document for the upcoming WSIS+10 review, and called for
its inclusion. Pranesh Prakash further contributed to the
discussion by emphasizing the need for free and open source software with
end‑to‑end encryption and traffic-level encryption based
on open standards which are decentralized and work through federated
networks. The
panellists for this discussion were the following.</p>
<ol>
<li>
<p align="justify">
Satish
Babu, Technical Community, Chair, ISOC-TRV, Kerala, India</p>
</li><li>
<p align="justify">
Judy
Okite, Civil Society, FOSS Foundation for Africa</p>
</li><li>
<p align="justify">
Mishi
Choudhary, Private Sector, Software Freedom Law Centre, New York</p>
</li><li>
<p align="justify">
Fernando
Botelho, Private Sector, heads F123 Systems, Brazil</p>
</li><li>
<p align="justify">
Sunil
Abraham, CIS
India</p>
</li><li>
<p align="justify">
Pranesh
Prakash, CIS
India</p>
</li><li>
<p align="justify">
Nnenna
Nwakanma, WWW.Foundation</p>
</li><li>
<p align="justify">
Yves
MIEZAN EZO, Open Source strategy consultant</p>
</li><li>
<p align="justify">
Corinto
Meffe, Advisor to the President and Directors, SERPRO, Brazil</p>
</li><li>
<p align="justify">
Frank
Coelho de Alcantara, Professor, Universidade Positivo, Brazil</p>
</li><li>
<p align="justify">
Caroline
Burle, Institutional and International Relations, W3C Brazil Office
and Center of Studies on Web Technologies</p>
</li></ol>
<p align="justify">
Detailed
description of the workshop is available here
<u><a href="http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals" target="_top">http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals</a></u></p>
<p align="justify">
Transcript
of the workshop is available here
<u><a href="http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2468-2015-11-13-ws10-foss-and-a-free-open-internet-synergies-for-development-workshop-room-7" target="_top">http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2468-2015-11-13-ws10-foss-and-a-free-open-internet-synergies-for-development-workshop-room-7</a></u></p>
<p align="justify">
Video
link available here <a href="https://www.youtube.com/watch?v=lwUq0LTLnDs">https://www.youtube.com/watch?v=lwUq0LTLnDs</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/summary-report-internet-governance-forum-2015'>http://editors.cis-india.org/internet-governance/blog/summary-report-internet-governance-forum-2015</a>
</p>
No publisher | jyoti | Access to Knowledge, Big Data, Freedom of Speech and Expression, Encryption, Internet Governance Forum, Intermediary Liability, Accountability, Internet Governance, Censorship, Cyber Security, Digital Governance, Anonymity, Civil Society, Blocking | 2015-11-30T10:47:13Z | Blog Entry