The Centre for Internet and Society
http://editors.cis-india.org
RBI Ban on Cryptocurrencies not backed by any data or statistics
http://editors.cis-india.org/internet-governance/blog/rbi-ban-on-cryptocurrencies-not-backed-by-any-data-or-statistics
<b>In March 2020, the Supreme Court of India quashed the RBI order passed in 2018 that banned financial services firms from trading in virtual currency or cryptocurrency.
Keeping this policy window in mind, the Centre for Internet & Society will be releasing a series of blog posts and policy briefs on cryptocurrency regulation in India.
</b>
<p style="text-align: justify;" dir="ltr">On April 6, 2018 <a href="https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11243&Mode=0">the RBI issued a circular</a> that not only prevented all Commercial and Co-operative Banks, Payments Banks, Small Finance Banks, NBFCs, and Payment System Providers from dealing in virtual currencies themselves but also directed them to stop providing services to all entities which deal with virtual currencies. The RBI had issued a Press Release cautioning the public against dealing in virtual currencies including Bitcoin in 2013. However, the growing popularity of cryptocurrencies and their adoption by large numbers of Indian users may have been what forced the RBI to issue another Press Release in February 2017 reiterating the concerns regarding cryptocurrencies raised in its earlier circular of 2013. In December 2017 both the RBI as well as the Ministry of Finance issued Press Releases cautioning the general public about the dangers and risks associated with cryptocurrencies, finally culminating in the circular dated April 6, 2018 banning financial institutions from dealing with cryptocurrency traders. As a result of this circular the operations of cryptocurrency exchanges took a severe hit and the number of transactions on these exchanges reduced substantially. The cryptocurrency market in India all but disappeared with only a few extremely determined enthusiasts still dealing in cryptocurrencies, at the risk of potentially depriving themselves of banking services altogether.</p>
<p style="text-align: justify;" dir="ltr">The RBI circular was challenged in the Supreme Court by the Internet and Mobile Association of India; final arguments in the case were concluded only in the last week of January, 2020 with the judgment of the Supreme Court being awaited. Generally speaking, whenever such policy decisions of the executive branch are challenged in the courts, a well accepted defense for the executive authorities, specifically in highly complicated fields such as finance, etc. is that the decision was taken by an expert body using its expertise in the field. The basic rationale underlying this argument is that the authority has relied on verifiable data and used its expertise to analyse the same in order to arrive at its decision.</p>
<p style="text-align: justify;" dir="ltr">However, it appears from the response by the RBI to an RTI query by Centre for Internet and Society, that requested the RBI for a copy of all reports, papers, opinions and advice that was relied upon for issuing the April 6, 2018 circular, that the RBI has not relied upon any such data to come to a conclusion that banking services should be denied to all those entities dealing in cryptocurrencies. It appears from the response to the RTI query that it was the RBI’s own previous circulars and press releases which formed the basis for the April 6, 2018 circular. This response completely undermines the argument that the decision by the RBI was taken after an analysis of all the facts and statistics concerned with cryptocurrency trading.</p>
<p style="text-align: justify;" dir="ltr">Not only does the RTI response weaken the commonly accepted defense of an expert body making a well-reasoned decision, but it also strengthens another legal ground for challenging the decision of the RBI, viz. arbitrariness. One of the grounds on which executive decisions can be challenged is that the decision was made without taking into account relevant material and without the application of mind. The admission by the RBI in its RTI response that there is no material relied upon by the RBI, except its own previous Press Releases, only strengthens the argument that the decision was made in an arbitrary manner.</p>
<p style="text-align: justify;" dir="ltr">Such an admission by the RBI regarding the process followed before issuing the April 6, 2018 circular reduces the credibility of the decision itself. However it remains to be seen whether the Supreme Court of India agrees with the arguments of the petitioners challenging the April 6, 2018 circular, even though the petitioners may not have been able to produce this RTI response from the RBI to further bolster their case.</p>
No publisher | vipul | Cybersecurity, internet governance, Bitcoin, Internet Governance, Cryptocurrencies, Cyber Security | 2020-03-05T18:35:48Z | Blog Entry
Cryptocurrency Regulation in India – A brief history
http://editors.cis-india.org/internet-governance/blog/cryptocurrency-regulation-in-india-2013-a-brief-history
<b>In March 2020, the Supreme Court of India quashed the RBI order passed in 2018 that banned financial services firms from trading in virtual currency or cryptocurrency.
Keeping this policy window in mind, the Centre for Internet & Society will be releasing a series of blog posts and policy briefs on cryptocurrency regulation in India.
</b>
<p style="text-align: justify;" dir="ltr">The story of cryptocurrencies
started in 2008, when a paper titled “Bitcoin: A Peer-to-Peer Electronic
Cash System” was published by a pseudonymous developer or group of
developers under the name Satoshi Nakamoto. The actual network took
some time to start, with the first transactions taking place only in
January 2009. The first actual sale of an item using Bitcoin took place a
year later, with a user swapping 10,000 Bitcoin for two pizzas in 2010,
which attached a cash value to the cryptocurrency for the first time. By
2011 other cryptocurrencies began to emerge, with Litecoin, Namecoin
and Swiftcoin all making their debut. Meanwhile Bitcoin, the
cryptocurrency that started it all, began to draw criticism after
claims emerged that it was being used on the so-called “dark web”,
particularly on sites such as Silk Road, as a means of payment for
illegal transactions. Over the next five years cryptocurrencies steadily
gained traction with an increased number of transactions, and the price of
Bitcoin, the most popular cryptocurrency, shot up from around 5 Dollars
in the beginning of 2012 to almost 1000 Dollars at the end of 2017.</p>
<p style="text-align: justify;" dir="ltr">Riding on the back of this
wave of popularity, a number of cryptocurrency exchanges started
operating in India between 2012 and 2017 providing much needed depth and
volume to the Indian cryptocurrency market. These included popular
exchanges such as Zebpay, Coinsecure, Unocoin, Koinex, Pocket Bits and
Bitxoxo. With the price of cryptocurrencies shooting up and because of
their increased popularity and adoption by users outside of their
traditional cult following, regulators worldwide began to take notice of
this new technology; in India the RBI issued a Press Release cautioning
the public against dealing in virtual currencies including Bitcoin way
back in 2013. However, the transaction volumes and adoption of
cryptocurrencies in India really picked up in earnest only after the
demonetisation of high value currency notes in November of 2016, with
the government’s emphasis on digital payments leading to alternatives to
traditional online banking such as cryptocurrencies forcing their way
into the public consciousness. Indian cryptocurrency exchanges started
acquiring users at a much higher pace which drove up volume for
cryptocurrency transactions on all Indian exchanges. The growing
popularity of cryptocurrencies and their adoption by large numbers of
Indian users forced the RBI to issue another Press Release in February
2017 reiterating its concerns regarding cryptocurrencies raised in its
earlier Press Release of 2013. </p>
<p style="text-align: justify;" dir="ltr">In October and November, 2017
two Public Interest Petitions were filed in the Supreme Court of India,
one by Siddharth Dalmia and another by Dwaipayan Bhowmick, the former
asking the Supreme Court to restrict the sale and purchase of
cryptocurrencies in India, and the latter asking for cryptocurrencies in
India to be regulated. Both the petitions are currently pending in the
Supreme Court.</p>
<p style="text-align: justify;" dir="ltr">In November, 2017 the
Government of India constituted a high level Inter-ministerial Committee
under the chairmanship of Shri Subhash Chandra Garg, Secretary,
Department of Economic Affairs, Ministry of Finance and comprising
Shri Ajay Prakash Sawhney (Secretary, Ministry of Electronics and
Information Technology), Shri Ajay Tyagi (Chairman, Securities and
Exchange Board of India) and Shri B.P. Kanungo (Deputy Governor, Reserve
Bank of India). The mandate of the Committee was to study various
issues pertaining to Virtual Currencies and to propose specific actions
that may be taken in relation thereto. This Committee submitted its
report in July of 2019 recommending a ban on private cryptocurrencies in
India.</p>
<p style="text-align: justify;" dir="ltr">In December 2017 both the RBI
as well as the Ministry of Finance issued Press releases cautioning the
general public about the dangers and risks associated with
cryptocurrencies, with the Ministry of Finance Press Release saying that
cryptocurrencies are like ponzi schemes and also declaring that they
are not currencies or coins. It should be mentioned here that till the
end of March 2018, the RBI and the Finance Ministry had issued various
Press Releases on cryptocurrencies cautioning people against their
risks; however, neither of them ever took any legal action or gave any
enforceable directions against cryptocurrencies. All of this changed
with the RBI circular dated April 6, 2018 whereby the RBI not only prevented
Commercial and Co-operative Banks, Payments Banks, Small Finance Banks,
NBFCs, and Payment System Providers from dealing in virtual
currencies themselves but also directed them to stop providing services
to all entities which deal with virtual currencies.</p>
<p style="text-align: justify;" dir="ltr">The effect of the circular was
that cryptocurrency exchanges, which relied on normal banking channels
for sending and receiving money to and from their users, could not
access any banking services within India. This essentially crippled
their business operations since converting cash to cryptocurrencies and
vice versa was an essential part of their operations. Even pure
cryptocurrency exchanges which did not deal in fiat currency, were
unable to carry out their regular operations such as paying for office
space, staff salaries, server space, vendor payments, etc. without
access to banking services. </p>
<p>As a result, the operations of cryptocurrency exchanges took a severe hit and
the number of transactions on these exchanges reduced substantially.
People who had bought cryptocurrencies on these exchanges as an
investment were forced to sell their crypto assets and cash out before
they lost access to banking facilities. The cryptocurrency exchanges
themselves found it hard to sustain operations in the face of the dual
hit of reduced transaction volumes and loss of access to banking services.
Faced with such an existential threat, a number of exchanges who were
members of the Internet and Mobile Association of India (IMAI), filed a
writ petition in the Supreme Court on May 15, 2018 titled Internet and
Mobile Association of India v. Reserve Bank of India, the final
arguments in which were heard by the Supreme Court of India in January,
2020 and the judgment is awaited. If the Supreme Court agrees with the
arguments of the petitioners, then cryptocurrency exchanges would be
able to restart operations in India; as a result the cryptocurrency
ecosystem in India may be revived and cryptocurrencies may become a
viable investment alternative again.</p>
No publisher | vipul | Cybersecurity, internet governance, Bitcoin, Internet Governance, Cryptocurrencies, Cyber Security | 2020-03-05T18:36:09Z | Blog Entry
Automated Facial Recognition Systems and the Mosaic Theory of Privacy: The Way Forward
http://editors.cis-india.org/internet-governance/automated-facial-recognition-systems-and-the-mosaic-theory-of-privacy-the-way-forward
<b> Arindrajit Basu and Siddharth Sonkar have co-written this blog as the third of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems? </b>
<p><strong>The Mosaic Theory of Privacy</strong></p>
<p>Whether the data collected by the AFRS should be treated similarly to
face photographs taken for the purposes of ABBA is not clear in the
absence of judicial opinion. The AFRS would ordinarily collect
significantly more data than facial photographs during authentication.
This can be explained with the help of the <em><a href="https://www.lawfareblog.com/defense-mosaic-theory" rel="noreferrer noopener" target="_blank">mosaic theory of privacy</a></em>.</p>
<p>The mosaic theory of privacy suggests that data collected about an
individual over long durations can be qualitatively different from single
instances of observation. It argues that aggregating data from different
instances can create a picture of an individual which affects her
reasonable expectation of privacy. This is because a mere slice of
information reveals a lot less than the same information contextualised
in a broad pattern: a mosaic.</p>
<p>The mosaic theory of privacy does not find explicit reference in
Puttaswamy II. The petitioners had argued that seeding of Aadhaar data
into existing databases would bridge information across silos so as to
make real time surveillance possible. This is because information when
integrated from different silos becomes more than the sum of its parts.</p>
<p>The Court, however, dismissed this argument, accepting UIDAI’s
submission that the data collected remains in different silos and
merging is not permitted within the Aadhaar framework. Therefore, the
Court did not examine whether it is constitutionally permissible to
integrate data from different silos; it simply rejected the possibility
of surveillance as a result of Aadhaar authentication.</p>
<p>Jurisprudence in other jurisdictions is more advanced. In <em>United States v. Jones</em>,
the United States Supreme Court had observed that the insertion of a
global positioning system into Antoine Jones’ Jeep in the absence of a
warrant and without his consent invaded his privacy, entitling him to
Fourth Amendment Protection. In this case, the movement of Jones’
vehicle was monitored for a period of twenty-eight days. Five concurring
opinions in Jones acknowledge that aggregated and extensive
surveillance is capable of violating the reasonable expectation of
privacy irrespective of whether or not surveillance has taken place in
public.</p>
<p>The Court distinguished between prolonged surveillance and short term
surveillance. Surveillance in the short run does not reveal what a
person repeatedly does, as opposed to sustained surveillance which can
reveal significantly more about a person. The Court takes the example of
how a sequence of trips to a bar, a bookie, a gym or a church can tell a
lot more about a person than the story of any single visit viewed in
isolation.</p>
<p>Most recently, in <a href="https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf" rel="noreferrer noopener" target="_blank"><em>Carpenter v. United States</em></a>,
the Supreme Court of the United States held that the collection of
historical cell data by the government exposes the physical movements
of an individual to potential surveillance, and an individual holds a
reasonable expectation of privacy against such collection. The Court
admitted that historical cell-site information allows the government to
go back in time in order to retrace the exact whereabouts of a person.</p>
<p>Judicial decisions have not addressed specifically whether facial
recognition through law enforcement constitutes a search under the
Fourth Amendment or a “mere visual observation”.</p>
<p>The common thread linking CCTV footages and cellular data is the
unique ability to track the movement of an individual from one place to
another, enabling extreme forms of surveillance. It is perhaps this
crucial link that would make AFRS-enabled CCTVs prejudicial to
individual privacy.</p>
<p> The mosaic theory as understood in <em>Carpenter</em> helps one
understand the extent to which an AFRS can augment the capacities of law
enforcement in India. This in turn can help in understanding whether it
is constitutionally permissible to install such systems across the
country.</p>
<p>AFRS-enabled CCTV footage from different CCTVs, if viewed in
conjunction, could reveal a sequence of movements of an individual,
enabling long-term surveillance of a nature that is qualitatively
distinct from isolated observations across unrelated CCTV
footage.</p>
<p>Subsequent to <em>Carpenter</em>, <a href="https://www.lawfareblog.com/four-months-later-how-are-courts-interpreting-carpenter" rel="noreferrer noopener" target="_blank">federal district courts</a>
in the United States have declined to apply Carpenter to video
surveillance cases since the judgement did not “call into question
conventional surveillance techniques and tools, such as security
cameras.”</p>
<p>The extent of processing that an AFRS-enabled CCTV exposes an
individual to would be significantly greater. This is because every time
an individual is in the zone of an AFRS-enabled CCTV, the facial image
will be compared to a common database. Snippets from different CCTVs
capturing the individual’s physical presence in two different locations
may not be meaningful per se. When observed together, the AFRS will make
it possible to identify the individual’s movement from one place to
another.</p>
<p>For instance, the AFRS will be able to identify the person when they
are on Street A at a particular time and when they are on Street B in the
immediately subsequent hour recorded by respective CCTV cameras,
indicating the person’s physical movement from A to B. While a CCTV
camera only records movement of an individual in video format, AFRS
translates that digital information into individualised data with the
help of a comparison of facial features with a pre-existing database.</p>
<p>Through data aggregation, which appears to be the aim of the Indian
government in their tender that links three databases, it is apparent
that the right to privacy is in danger. Yet, at present, there does not
exist any case law or legislation that can render such efforts illegal
at this juncture.</p>
<p><strong>Conclusions and The Way Forward</strong></p>
<p>Despite a lack of judicial recognition of the potential
unconstitutionality of deploying AFRS, it is clear that the introduction
of these systems poses a clear and present danger to civil rights and
human dignity. Algorithmic surveillance alters a human being’s life in
ways that even the subject of this surveillance cannot fully comprehend.
As an individual’s data is manipulated and aggregated to derive a
pattern about that individual’s world, the individual and his data no
longer exist for themselves but are massaged into various categories.</p>
<p>Louise Amoore terms this a ‘<a href="https://journals.sagepub.com/doi/abs/10.1177/0263276411417430?journalCode=tcsa" rel="noreferrer noopener" target="_blank">data-derivative</a>’,
which is an abstract conglomeration of data that continuously shapes
our futures without us having a say in their framing. The branding of an
individual as a criminal and then aggregating their data causes
emotional distress as individuals move about in fear of the state gaze
and their association with activities that are branded as potentially
dangerous — thereby suppressing a right to dissent — as exemplified by
their reported use during the recent protests in Hong Kong.</p>
<p>Case law both in India and abroad has clearly suggested that a right
to privacy is contextual and is not surrendered merely because an
individual is in a public place. However, the jurisprudence protecting
public photography or videography under the umbrella of privacy remains
less clear globally and non-existent in India.</p>
<p>The mosaic theory of privacy is useful in this regard as it prevents
mass ‘data-veillance’ of individual behaviour and accurately identifies
the unique power that the volume, velocity and variety of Big Data
provides to the state. Therefore, it is imperative that the judiciary
recognise safeguards from data aggregation as an essential component of a
reasonable expectation of privacy. At the same time, legislation could
also provide the required safeguards.</p>
<p>In the US, Senators Coons and Lee recently introduced a draft Bill titled ‘<a href="https://www.coons.senate.gov/imo/media/doc/ALB19A70.pdf" rel="noreferrer noopener" target="_blank">The Facial Recognition Technology Warrant Act of 2019’</a>.
The Bill aims to impose reasonable restrictions on the use of facial
recognition technology by law enforcement. The Bill creates safeguards
against sustained tracking of physical movements of an individual in
public spaces. The Bill terms such tracking ‘ongoing surveillance’ when
it occurs for over a period of 72 hours in real time or through
application of technology to historical records. The Bill requires that
ongoing surveillance only be conducted for law enforcement purposes <em>and</em> in pursuance of a Court Order (unless it is impractical to do so).</p>
<p>While the Bill has its textual problems, it is definitely worth
considering as a model going forward to ensure that AFR systems are
deployed in line with a rights-respecting reading of a reasonable
expectation of privacy. <a href="http://datagovernance.org/report/adoption-and-regulation-of-facial-recognition-technologies-in-india" rel="noreferrer noopener" target="_blank">Parsheera</a>
suggests that the legislation should provide for narrow tailoring of the objects
and purposes for deployment of AFRS, restrictions on the person whose
images may be scanned from the databases, judicial approval for its use
on a case by case basis and effective mechanisms of oversight, analysis
and verification.</p>
<p>Appropriate legal intervention is crucial. A failure to implement
this effectively jeopardizes the expression of our true selves and the
core tenets of our democracy.</p>
No publisher | Arindrajit Basu, Siddharth Sonkar | Cybersecurity, Cyber Security, internet governance, Internet Governance | 2020-01-02T14:12:38Z | Blog Entry
Automated Facial Recognition Systems (AFRS): Responding to Related Privacy Concerns
http://editors.cis-india.org/internet-governance/automated-facial-recognition-systems-afrs-responding-to-related-privacy-concerns
<b>Arindrajit Basu and Siddharth Sonkar have co-written this blog as the second of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems? </b>
<p>The Supreme Court of India, in <a href="https://indiankanoon.org/doc/91938676/">Puttaswamy I</a>, recognized that
the right to privacy is not surrendered merely because the individual
is in a public place. Privacy is linked to the individual as it is an
essential facet of human dignity. Justice Chelameswar further clarified
that privacy is contextual. Even in a public setting, people trying to
converse in whispers would signal a claim to the right to privacy.
Speaking on a loudspeaker would naturally not signal the same claim.</p>
<p>The Supreme Court of Canada has also affirmed the notion of
contextual privacy. As recently as on 7 March, 2019, the Supreme Court
of Canada <a href="http://www.thecourt.ca/r-v-jarvis-carving-out-a-contextual-approach-to-privacy/" rel="noreferrer noopener" target="_blank">in a landmark decision</a> defined privacy rights in public areas implicitly applying <a href="https://crypto.stanford.edu/portia/papers/RevnissenbaumDTP31.pdf">Helen Nissenbaum’s theory of contextual integrity</a>.
Nissenbaum uses her theory of contextual integrity to explain the
extent to which the right to privacy is eroded in public spaces.</p>
<p>Nissenbaum suggests that labelling information as exclusively public
or private fails to take into account the context which rationalises the
desire of the individual to exercise her privacy in public. To explain
this with an illustration, there exists a reasonable expectation of
privacy in the restroom of a restaurant, even though it is in a public
space.</p>
<p>In <a href="http://www.thecourt.ca/r-v-jarvis-carving-out-a-contextual-approach-to-privacy/"><em>R v Jarvis</em></a> (Jarvis), the Court overruled a Court of Appeal for Ontario <a href="https://www.canlii.org/en/on/onca/doc/2017/2017onca778/2017onca778.pdf">decision</a>
to hold that people can have a reasonable expectation of privacy even
in public spaces. In this case, Jarvis was charged with the offence of
voyeurism for secretly recording his students. The primary issue that
the Supreme Court of Canada was concerned with was whether the students
filmed by Mr. Jarvis enjoyed a reasonable expectation of privacy at
their school.</p>
<p>The Court in this case unanimously held that students did indeed have
a reasonable expectation of privacy. The Court set out nine
contextual factors relevant in determining whether a reasonable
expectation of privacy would arise. The listed factors were:</p>
<p>“1. The location the person was in when he or she was observed or recorded,</p>
<p>2. The nature of the impugned conduct (whether it consisted of observation or recording),</p>
<p>3. Awareness of or consent to potential observation or recording,</p>
<p>4. The manner in which the observation or recording was done,</p>
<p>5. The subject matter or content of the observation or recording,</p>
<p>6. Any rules, regulations or policies that governed the observation or recording in question,</p>
<p>7. The relationship between the person who was observed or recorded and the person who did the observing or recording,</p>
<p>8. The purpose for which the observation or recording was done, and</p>
<p>9. The personal attributes of the person who was observed or recorded.” (paragraph 29 of the judgement).</p>
<p>The Court emphasized that the factors are not an exhaustive list, but
rather were meant to be a guiding tool in determining whether a
reasonable expectation of privacy existed in a given context. It is not
necessary that each of these factors is present in a given situation to
give rise to an expectation of privacy.</p>
<p>Compared to the above-mentioned factors in Jarvis, the Indian Supreme Court in <a href="https://indiankanoon.org/doc/127517806/">Justice K.S Puttaswamy (Retd.) v. Union of India</a>: Justice Sikri (Puttaswamy II),
the case which upheld the constitutionality of the Aadhaar project,
relied on the following factors to determine a reasonable expectation of
privacy in a given context:</p>
<p>“(i) What is the context in which a privacy claim is set up?</p>
<p>(ii) Does the claim relate to private or family life, or a confidential relationship?</p>
<p>(iii) Is the claim a serious one or is it trivial?</p>
<p>(iv) Is the disclosure likely to result in any serious or significant injury and the nature and extent of disclosure?</p>
<p>(v) Is disclosure relates to personal and sensitive information of an identified person?</p>
<p>(vi) Does disclosure relate to information already disclosed publicly? If so, its implication?”</p>
<p>These factors (acknowledged in Puttaswamy II in paragraph 292) seem
to be very similar to the ones laid down in Jarvis, i.e., there is a
strong reliance on the context in both cases. While there is no explicit
mention of individual attributes of the individual claiming a
reasonable expectation, the holding that children should be given an opt
out indicates that the Court implicitly takes into account personal
attributes (e.g. age) as well.</p>
<p>The Court in Jarvis further (in paragraph 39) took the example of a
woman in a communal change room at a public pool. She may expect other
users to incidentally observe her undress but she would continue to
expect only other women in the change room to observe her and reserve
her rights against the general public. She would also expect not to be
video recorded or photographed while undressing, both from other users
of the pool and by the general public. </p>
<p>If it is later found out that the change room had a one-way glass
which allowed the pool staff to view the users change — or if there was a
concealed camera recording persons while they were changing, she could
claim a breach of her reasonable expectation of privacy under such
circumstances and it would constitute an invasion of privacy.</p>
<p><strong>So, in the context of an AFRS, an individual walking down a
public road may still signal that they wish to avail of their right to
privacy. In such contexts, a concerted surveillance mechanism may come
up against constitutional roadblocks.</strong></p>
<p><strong>What is the nature of information being collected?</strong></p>
<p>The second big question, the nature of the information
being collected, plays a role in determining the extent to which
a person can exercise their reasonable expectation of privacy.
Puttaswamy II laid down that collection of core biometric information
such as fingerprints, iris scans in the context of the Aadhaar-Based
Biometric Authentication (‘ABBA’) is constitutionally permissible. The
basis of this conclusion is that the Aadhaar Act does not deal with the
individual’s intimate or private sphere.</p>
<p>The judgement of the Supreme Court in Puttaswamy II is in a very
specific context (i.e. the ABBA). It does not explain or identify the
contextual factors which determine the extent to which privacy may be
reasonably expected over biometrics generally. In this judgment, the
Court observed that demographic information and photographs do not raise
a reasonable expectation of privacy under Article 21 unless there exist
special circumstances such as the disclosure of juveniles in conflict
of law or a rape victim’s identity.</p>
<p><strong>Most importantly, the Court held that face photographs for
the purpose of identification are not covered by a reasonable
expectation of privacy. The Court distinguished face photographs from
intimate photographs or those photographs which concern confidential
situations. </strong></p>
<p><strong>Face photographs, according to the Court, are shared by
individuals in the ordinary course of conduct for the purpose of
obtaining a driving license, voter id, passport,
examination admit cards, employment cards, and so on. Face photographs
by themselves reveal no information.</strong></p>
<p>Naturally, this pronouncement of the Apex Court is a huge boost for the introduction of AFRS in India.</p>
<p>Abroad, however, on 4 September 2019, in <a href="https://www.judiciary.uk/wp-content/uploads/2019/09/bridges-swp-judgment-Final03-09-19-1.pdf">Edward Bridges v. Chief Constable of South Wales Police</a>, a Division Bench of the High Court in England and Wales heard a challenge against an AFRS introduced by law enforcement (<em>see</em>
Endnote 1). The High Court rejected a claim for judicial review, holding
that the AFRS in question does not violate inter alia the right to
privacy under Article 8 of the European Convention on Human Rights
(‘ECHR’).</p>
<p>According to the Court, the AFRS was used for specific and limited
purposes, i.e., only when the image of the public matched a person on an
existing watchlist. The use of the AFRS was therefore considered a
lawful and fair restriction.</p>
<p>The Court, however, acknowledged that extracting biometric data
through AFRS is “well beyond the expected and unsurprising”. This seems
to be a departure from the Indian Supreme Court’s observation in
Puttaswamy II that there is no reasonable expectation of privacy over
biometric data in the context of ABBA, and may be a wiser approach for
the Indian courts to adopt.</p>
<h6><strong>Endnote </strong></h6>
<p>1. The challenge was put forth by Edward Bridges, a civil liberties
campaigner from Cardiff for being caught on camera in two particular
deployments of the AFRS a) when he was at Queen Street, a busy shopping
area in Cardiff and b) when he was at the Defence Procurement, Research,
Technology and Exportability Exhibition held at the Motorpoint Arena.</p>
<p>This was published by <a class="external-link" href="https://aipolicyexchange.org/2019/12/28/automated-facial-recognition-systems-afrs-responding-to-related-privacy-concerns/">AI Policy Exchange</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/automated-facial-recognition-systems-afrs-responding-to-related-privacy-concerns'>http://editors.cis-india.org/internet-governance/automated-facial-recognition-systems-afrs-responding-to-related-privacy-concerns</a>
</p>
No publisher | Arindrajit Basu, Siddharth Sonkar | Cybersecurity, Cyber Security, internet governance, Internet Governance | 2020-01-02T14:09:14Z | Blog Entry
Decrypting Automated Facial Recognition Systems (AFRS) and Delineating Related Privacy Concerns
http://editors.cis-india.org/internet-governance/decrypting-automated-facial-recognition-systems-afrs-and-delineating-related-privacy-concerns
<b>Arindrajit Basu and Siddharth Sonkar have co-written this blog as the first of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems?</b>
<p>The use of aggregated Big Data by governments has the potential to
exacerbate power asymmetries and erode civil liberties like few
technologies of the past. In order to guard against the aggressive
aggregation and manipulation of the data generated by individuals who
are branded as suspect, it is critical that our firmly established
constitutional rights protect human dignity in the face of this
potential erosion.</p>
<p>The increasing ubiquity of Automated Facial Recognition Systems
(AFRS) serves as a prime example of the rising desire of governments to
push fundamental rights to the brink. With AFRS, the core fundamental
right in question is privacy, although questions have been posed
regarding the potential violation of other related rights, such as the
Right to Equality and the Right to Free Speech and Expression, as well.</p>
<p>There is a rich corpus of literature (see <a href="https://indianexpress.com/article/opinion/columns/digital-identification-facial-recognition-system-ncrb-5859072/" rel="noreferrer noopener" target="_blank">here</a>, <a href="http://www.unswlawjournal.unsw.edu.au/wp-content/uploads/2017/09/40-1-11.pdf" rel="noreferrer noopener" target="_blank">here</a> and an excellent recent paper by Smriti Parsheera <a href="http://datagovernance.org/report/adoption-and-regulation-of-facial-recognition-technologies-in-india" rel="noreferrer noopener" target="_blank">here</a>)
from a diverse coterie of scholars that call out the challenges posed
by AFRS, particularly with respect to its proportionality as a
restriction over the right to privacy. Our contribution to this
discourse focuses on a very specific question around a ‘reasonable
expectation of privacy’ — the standard identified for the protection of
privacy in public spaces across jurisdictions, including in India. This
is because at this juncture, the precise nature of the AFRS which will
eventually be used and the regulations it will be subject to are not
clear. </p>
<p>In <a href="https://indiankanoon.org/doc/91938676/" rel="noreferrer noopener" target="_blank">Retd. K.S Puttaswamy (Retd.) v. Union of India</a>:
Justice Chandrachud (Puttaswamy I), the Indian Supreme Court was
concerned with the question whether there exists a fundamental right to
privacy under the Indian Constitution. A nine-judge bench of the Court
recognized that the right to privacy is a fundamental right implicit
inter alia in the right to life within Article 21 of the Constitution.</p>
<p>The right to privacy protects people and not places. Every person is
entitled, however, to a reasonable expectation of privacy. The
expectation of privacy must be twofold. First, the person must prove
that the alleged act could inflict some harm. Such harm must be real and
not be speculative or imaginary. Second, society must recognize this
expectation as reasonable. The test of reasonable expectations is
contextual, i.e., the extent to which it safeguards privacy depends on
the place at which the individual is.</p>
<p>In order to pass any constitutional test, therefore, AFRS must
satisfy the ‘reasonable expectation’ test articulated in Puttaswamy.
However, in this context, the test itself has multiple contours. Do we
have a right to privacy in a public place? Is AFRS collecting any data
that specifically violates a right to privacy? Is the aggregation of
that data a potential violation?</p>
<p>After providing a brief introduction to the use cases of AFRS in
India and across the world, we embark upon answering all these
questions.</p>
<p><strong>Primer on Automated Facial Recognition Systems (AFRS)</strong></p>
<p>Facial recognition is a biometric technology that utilises cameras to
match stored or live footage of individuals (including both stills and
moving footage) with images or video from an existing database. Some
systems might also be used to analyze broader demographic trends or
conduct sentiment analysis through crowd scanning.</p>
<p>While the use of photographs and video footage has been a core
component of police investigation, the use of algorithms to process
vast tracts of Big Data (characterized by ‘Volume, Velocity, and
Variety’), and compare disparate and discrete data points allows for the
derivation of hitherto unfeasible insights on the subjects of Big Data.</p>
<p>The utilisation of AFRS for law enforcement is rapidly spreading around the world. <a href="https://carnegieendowment.org/2019/09/17/global-expansion-of-ai-surveillance-pub-79847" rel="noreferrer noopener" target="_blank">A Global AI Surveillance Index</a>
compiled by the Carnegie Endowment for International Peace found that
at least sixty-four countries are incorporating facial recognition
systems into their AI surveillance programs.</p>
<p>Chinese technology company Yitu has entered into a partnership with
security forces in Malaysia to equip police officers with facial
recognition body cameras that, powered by enabling technologies, would
allow a comparison of images caught by the live body cameras with images
from several central databases.</p>
<p>In <a href="https://news.sky.com/story/met-polices-facial-recognition-tech-has-81-error-rate-independent-report-says-11755941" rel="noreferrer noopener" target="_blank">England and Wales</a>,
London Metropolitan Police, South Wales Police, and Leicestershire
Police are all in the process of developing technologies that allow for
the identification and comparison of live images with those stored in a
database.</p>
<p>The technology is being developed by Japanese firm NEC and the police
force has limited ability to oversee or modify the software, given its
proprietary nature. The Deputy Chief of South Wales Police stated that
“the tech is given to [them] as a sealed box… [and the police force
themselves] have no input – whatever it does, it does what it does.”</p>
<p>In the US, <a href="https://www.americanbar.org/groups/criminal_justice/publications/criminal-justice-magazine/2019/spring/facial-recognition-technology/" rel="noreferrer noopener" target="_blank">Baltimore’s police</a>
set up facial recognition cameras to track and arrest protestors — a
system that reached its zenith during the 2018 riots in the city. </p>
<p>It is suspected that authorities in <a href="https://www.japantimes.co.jp/news/2019/10/23/asia-pacific/hong-kong-protests-ai-facial-recognition-tech/#.Xf1Fs_zhVPY" rel="noreferrer noopener" target="_blank">Hong Kong</a> are also using AFRS to clamp down on the ongoing pro-democracy protests.</p>
<p>In India, the Ministry of Home Affairs, through the National Crime Records Bureau put out a <a href="http://ncrb.gov.in/TENDERS/AFRS/RFP_NAFRS.pdf" rel="noreferrer noopener" target="_blank">tender for a new AFRS</a>,
whose stated objective is to “act as a foundation for national level
searchable platform of facial images.” The AFRS will pull facial image
data from CCTV feeds and compare these with existing records across
databases including the Crime and Criminal Tracking Networks and Systems
(CCTNS), Inter-operable Criminal Justice System (or ICJS), Immigration
Visa Foreigner Registration Tracking (IVFRT), Passport, Prisons and
state police records.</p>
<p>Plans are also afoot to integrate this with the yet to be deployed
National Automated Fingerprint Identification System (NAFIS), thereby
creating a multi-faceted surveillance system.</p>
<p>Despite raising eyebrows due to its potential all-pervasive scope,
this tender is not the first instance of AFRS being used by Indian
authorities. Punjab Police, <a href="https://www.livemint.com/AI/DIh6fmR6croUJps6x7JW5K/Meet-Staqu-a-startup-helping-Indian-law-enforcement-agencie.html" rel="noreferrer noopener" target="_blank">in partnership with Gurugram-based start-up Staqu</a>,
has launched and commenced implementation of the Punjab Artificial
Intelligence System (PAIS) which uses digitised criminal records and
automated facial recognition to retrieve information on a suspected
criminal and essentially tracks their public whereabouts, which poses
potential constitutional questions.</p>
<p>This was published by <a class="external-link" href="https://aipolicyexchange.org/2019/12/26/decrypting-automated-facial-recognition-systems-afrs-and-delineating-related-privacy-concerns/">AI Policy Exchange</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/decrypting-automated-facial-recognition-systems-afrs-and-delineating-related-privacy-concerns'>http://editors.cis-india.org/internet-governance/decrypting-automated-facial-recognition-systems-afrs-and-delineating-related-privacy-concerns</a>
</p>
No publisher | Arindrajit Basu, Siddharth Sonkar | Cybersecurity, Cyber Security, internet governance, Internet Governance | 2020-01-02T14:01:48Z | Blog Entry
Extra-Territorial Surveillance and the Incapacitation of Human Rights
http://editors.cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights
<b>This paper was published in Volume 12 (2) of the NUJS Law Review. </b>
<div>Our
networked data trails dictate, define, and modulate societies in hitherto
inconceivable ways. The ability to access and manipulate that data is a
product of stark power asymmetry in geo-politics, leading to a dynamic
that privileges the interests of a few over the right to privacy and
dignity of the many. I argue that the persistent de facto violation of
human rights norms through extraterritorial surveillance conducted by
western intelligence agencies, compounded by the failure of judicial
intervention in the West has led to the incapacitation of international
human rights law. Despite robust jurisprudence including case law,
comments by the United Nations, and widespread state practice on the
right to privacy and the application of human rights obligations to
extraterritorial stakeholders, extraterritorial surveillance continues
with aplomb. Procedural safeguards and proportionality tests regularly
sway towards a ‘ritual incantation’ of national security even in
scenarios where a less intrusive option is available. The vulnerable
citizen abroad is unable to challenge these processes and becomes an
unwitting victim of nefarious surveillance practices that further widen
global power asymmetry and entrench geo-political fissures.</div>
<div><br />The full article can be found <a href="http://editors.cis-india.org/internet-governance/extraterritorial-algorithmic-surveillance-and-the-incapacitation-of-international-human-rights-law" class="internal-link" title="EXTRATERRITORIAL ALGORITHMIC SURVEILLANCE AND THE INCAPACITATION OF INTERNATIONAL HUMAN RIGHTS LAW">here</a>.</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights'>http://editors.cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights</a>
</p>
No publisher | Arindrajit Basu | Cybersecurity, Cyber Security, Internet Governance | 2020-01-02T11:02:26Z | Blog Entry
Call for Comments: Model Security Standards for the Indian Fintech Industry
http://editors.cis-india.org/internet-governance/call-for-comments-model-security-standards-for-the-indian-fintech-industry
<p>The Centre for Internet and Society is pleased to make available the Draft document of Model Security Standards for the Indian Fintech Industry, for feedback and comments from all stakeholders. The objective of this document, which was first published in November 2019, is to ensure that the data of users is dealt with in a secure and safe manner by the Fintech Industry, and that smaller businesses in the Fintech industry have a specific standard to look at in order to limit their liabilities for any future breaches. <br /><br />We invite any parties interested in the field of technology policy, including but not limited to lawyers, policy researchers, and engineers, to send in their feedback/comments on the draft document by the 16th of January 2020. We intend to publish our final draft by the end of January 2020. We look forward to receiving your contributions to make this document more comprehensive and effective. Please find a copy of the draft document <a href="http://editors.cis-india.org/internet-governance/resources/security-standards-for-the-financial-technology-sector-in-india" class="internal-link" title="Security Standards for the Financial Technology Sector in India">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/call-for-comments-model-security-standards-for-the-indian-fintech-industry'>http://editors.cis-india.org/internet-governance/call-for-comments-model-security-standards-for-the-indian-fintech-industry</a>
</p>
No publisher | pranav | Financial Technology, Cybersecurity, internet governance, Internet Governance, Cyber Security | 2019-12-16T13:16:25Z | Blog Entry
Cybersecurity Visuals Media Handbook: Launch Event
http://editors.cis-india.org/internet-governance/blog/cybersecurity-visuals-media-handbook-launch-event
<b>6th December | 6 pm | Centre for Internet and Society, Bangalore</b>
<p>The existing cybersecurity imagery in media publications has been observed to be limited in its communication of the discourse prevailing in cybersecurity policy circles, relying heavily on stereotypes such as hooded men, padlocks, and binary codes.</p>
<p><br />In order to enable a clearer, more nuanced representation of cybersecurity concepts, we, at CIS, along with <a class="external-link" href="http://designbeku.in/">Design Beku</a> are launching the Cybersecurity Visuals Media Handbook. This handbook has been conceived to be a concise guide for media publications to understand the specific concepts within cybersecurity and use it as a reference to create visuals that are more informative, relevant, and look beyond stereotypes.</p>
<p>We will be launching the interactive digital handbook on 6th December, 2019, at the Centre for Internet and Society, Bangalore, at 6 pm. The event would include a discussion on the purpose, process, and concepts behind this illustrated guide by CIS researchers and Design Beku.</p>
<p>The launch will be followed by a panel discussion on Digital Media Illustrations & the Politics of Technology. We will be joined by Padmini Ray Murray, Paulanthony George, and Kruthika N S in the panel. It will be moderated by Saumyaa Naidu.</p>
<p dir="ltr"><strong>Padmini Ray Murray</strong></p>
<p dir="ltr">Padmini founded the Design Beku collective in 2018 to help not-for-profit organisations explore their potential through research-led design and digital development. Trained as an academic researcher, Padmini is currently the head of communications at Obvious, a design studio. She regularly gives talks and publishes on the necessity of technology and design to be decolonial, local, and ethical.</p>
<p dir="ltr"><strong>Paulanthony George</strong></p>
<p dir="ltr">Paulanthony hates writing bios in the third person.<br />My research focuses on the relationships between made objects, the maker and the behaviour of making, in the context of spreadable digital media (and behaviours stemming from it). I study internet memes inside and outside of India and phenomena such as dissent, satire, free expression and ambivalent behaviour fostered by them. The research is at the intersection of digital ethnography, culture studies, human-computer interaction, humour studies and critical theory. I spend my time watching people. I draw them, the way they are, the way some people want to be and sometimes I have interesting conversations with them.</p>
<p dir="ltr"><strong>Kruthika N S</strong></p>
<p dir="ltr">Kruthika NS is a lawyer at LawNK and researcher at the Sports Law & Policy Centre, Bengaluru. She uses art as a medium to explore the intersections of the law and society, with gender justice featuring as the central theme of her work. Her art has included subjects such as the #MeToo movement in India, and the feminist principles of the internet, among several other doodles.</p>
<p dir="ltr"><strong>Saumyaa Naidu</strong></p>
<p dir="ltr">Saumyaa is a designer and researcher at the Centre for Internet and Society.</p>
<p><br /><strong>Agenda</strong><br />6:00 - 6:15 pm - Introduction <br />6:15 - 6:45 pm - Presentation on the Media Handbook by Paulanthony George<br />6:45 - 7:00 pm - Tea/ Coffee <br />7:00 - 8:00 pm - Panel discussion on Digital Media Illustrations & the Politics of Technology<br />8:00 - 8:30 pm - Tea/ Coffee and Snacks</p>
<p>The interactive version of the handbook can be accessed <a class="external-link" href="http://cis-india.github.io/cybersecurityvisuals/index">here</a>. The print versions of the handbook can be accessed at: <a class="external-link" href="https://drive.google.com/file/d/13Llq1vD5Eb-yo2YE3X6dRPaZ_WsMYhfa/view?usp=sharing">Single Scroll Printing</a>, <a class="external-link" href="https://drive.google.com/file/d/1mK_lxA0Eeb7GWxqZk4IM3cBxKdWakKS9/view?usp=sharing">Tiled-Paste Printing</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cybersecurity-visuals-media-handbook-launch-event'>http://editors.cis-india.org/internet-governance/blog/cybersecurity-visuals-media-handbook-launch-event</a>
</p>
No publisher | saumyaa | Cybersecurity, Cyber Security, Event, Internet Governance | 2019-12-06T09:27:37Z | Event
Introducing the Cybersecurity Visuals Media Handbook
http://editors.cis-india.org/internet-governance/blog/introducing-the-cybersecurity-visuals-media-handbook
<b>The need for intervention in the cybersecurity imagery in media publications was realised during a brainstorming workshop that was conducted by CIS with illustrators, designers, and cybersecurity researchers.</b>
<p dir="ltr">Handbook concept, content and design by: <strong>Padmini Ray Murray and Paulanthony George</strong></p>
<p dir="ltr">Blog post authored by: <strong>Saumyaa Naidu </strong>and<strong> Arindrajit Basu</strong></p>
<p dir="ltr">With inputs from: <strong>Karan Saini</strong></p>
<p dir="ltr">Edited by: <strong>Shweta Mohandas</strong></p>
<hr />
<p id="docs-internal-guid-59922688-7fff-a1d0-fe00-604684f18a9a" dir="ltr"><img src="http://editors.cis-india.org/internet-governance/resources/cpage.jpg/image_large" alt="Cybersecurity Visuals Media Handbook" class="image-inline" title="Cybersecurity Visuals Media Handbook" /></p>
<p dir="ltr">The need for intervention in the cybersecurity imagery in media publications was realised during a brainstorming workshop that was conducted by CIS with illustrators, designers, and cybersecurity researchers. The details and learnings from the workshop can be read <a href="https://cis-india.org/internet-governance/blog/paromita-bathija-padmini-ray-murray-and-saumyaa-naidu">here</a>. The discussions led to the initiative of creating a media handbook in collaboration with the designers at <a class="external-link" href="http://designbeku.in/">Design Beku</a>, and the researchers at CIS.</p>
<p dir="ltr">This handbook was conceived to be a concise guide for media publications to understand the specific concepts within cybersecurity and use it as a reference to create visuals that are more informative, relevant, and look beyond stereotypes. </p>
<h3 dir="ltr">The limits of visibility and the need for relevant cybersecurity imagery</h3>
<p dir="ltr">Due to the <a href="https://journals.sagepub.com/doi/10.1177/0967010613484955">"limits of visibility"</a> and relative complexity inherent in any representation of cybersecurity, objects and concepts in this field have no immediate visual representation. A <a href="https://www.google.com/search?biw=1088&bih=532&tbm=isch&sxsrf=ACYBGNTzGAoRkFgLQqWAC1BONRpQ0m57Yg%3A1573735586730&sa=1&ei=okzNXa2YLKvTz7sPnPimiAI&q=cybersecurity&oq=cybersecurity&gs_l=img.3..35i39j0l2j0i10j0l4j0i10j0.1323.4106..4209...1.0..0.671.3151.2-3j2j1j2......0....1..gws-wiz-img.....10..35i362i39j0i67.AdmHly8ktxs&ved=0ahUKEwit8ff03enlAhWr6XMBHRy8CSEQ4dUDCAY&uact=5">Google Search</a> of the term cybersecurity reveals padlocks, company logos, and lines of numbers indicating code: stereotypes that have very little to do with the substantive discourse prevailing in cybersecurity policy circles. This stereotype can be further understood by exploring the portrayal of a 'hacker' in the media, both in newspapers and popular culture.</p>
<p dir="ltr">Shires <a href="https://www.tandfonline.com/doi/pdf/10.1080/13523260.2019.1670006?needAccess=true">argues</a> that a dominant association with ‘danger’ has made the hacker image a "rich repository of noir influences". Therefore, a hacker is usually depicted as a male figure in a dark-coloured hoodie, with no considerations of spatial, temporal, or cultural contexts.</p>
<p dir="ltr">Visuals influence various actors in any conflict. In traditional non-cyber domains, spatial representations of conflict often omit the blood and gore that is a core facet of reality, and therefore, in some ways ‘legitimize war.’ An impersonal, unrealistic depiction of cybersecurity threat vectors or substantive discussions has two key negatives. </p>
<p dir="ltr">First, it re-entrenches the notion of cybersecurity as distant and undecipherable discourse that eludes the individual. This undermines the critical importance of the participatory nature of the process. The goal of decision-making around cybersecurity should focus on individuals feeling secure and not be driven by policy-makers who decide technical parameters without broader consultation.</p>
<p dir="ltr">Second, it undermines the concept being discussed in the news article. If the visual is accompanying an op-ed, often the visual serves as a trigger for comprehending the content of the op-ed. Presently, op-eds on the <a href="https://www.thehindubusinessline.com/opinion/private-public-partnership-for-cyber-security/article25821899.ece">global agreements in cyberspace</a>, <a href="https://www.thehindubusinessline.com/opinion/lessons-from-us-response-to-cyber-attacks-ep/article25372326.ece">attribution of cyber attacks,</a> and <a href="https://www.livemint.com/technology/tech-news/what-is-pegasus-the-chosen-tool-for-total-surveillance-11572578636720.html">‘total surveillance’</a> by Pegasus are depicted very similarly. These over-simplifications are inaccurate and undermine the nuances of the substantive content in each case, thereby impacting negatively the influence that each piece can have on public awareness and on the state of cybersecurity discourse.</p>
<p dir="ltr">Realistic descriptions of cybersecurity enable a granular understanding of threat vectors. There is also a need for signalling that celebrates and encourages greater diversity in this space. Cybersecurity discourse globally remains dominated by experts who are white and male. Explicitly re-conceptualizing these visuals to celebrate a variety of identities could be a push for other countries and communities (especially in the Global South).</p>
<p dir="ltr">This would enable the hitherto ‘disregarded communities’ in global cybersecurity discourse to understand and participate in the policy-making process. Our design handbook aims to guide media-persons in facilitating these goals.</p>
<p dir="ltr">An initial design brief for the media handbook was arrived at through our conversations with the designers at Design Beku. It was decided that the handbook would be concise and use a lighter tone in terms of language and be more visual than textual. For greater access, a digital, interactive format was seen as the most suitable option. </p>
<p dir="ltr">In order to scope the existing visuals, a sampling of cybersecurity coverage under different subjects in various media publications over the last year was carried out. This included both global and Indian publications such as <a href="https://www.livemint.com/">Livemint</a>, <a href="https://scroll.in/">Scroll</a>, <a href="https://techcrunch.com/">TechCrunch</a>, <a href="https://www.vice.com/en_us/section/tech">Motherboard - Vice</a>, and the <a href="https://www.economist.com/">Economist</a>. Research and op-eds by CIS researchers were also considered to broadly determine the most relevant subjects within cybersecurity.</p>
<p dir="ltr">The subjects selected based on the coverage were Cyberwarfare (Data Localisation), Cyber Attacks, Blockchain, Misinformation, Data Protection, Ethical Hacking, and Internet shutdowns. It was also gathered that there are several sub-topics within these subjects which would be indicated in the handbook. </p>
<p dir="ltr">The structure of the handbook was detailed out further to include a panorama image comprising illustrations that would speak to all the selected subjects, and text to explain the intention and process of making these illustrations. The handbook would begin with introducing its purpose, and go on to describe the concepts within each illustration, along with recommendations for illustrators working on such images. It would also consist of the definitions for each cybersecurity concept being visualised. </p>
<p dir="ltr">The handbook and accompanying illustrations were conceptualised and designed by <strong>Padmini Ray Murray</strong> and <strong>Paulanthony George</strong> from Design Beku. It was our great privilege to be a part of this process. We would also like to thank <strong>Karan Saini</strong> for his invaluable inputs that helped us commission this publication.</p>
<p dir="ltr">A draft of the handbook is hereby being published <a href="https://cis-india.org/internet-governance/resources/cyber-security-media-handbook">here</a>. This would be followed by a final version which will be in the form of an interactive web platform for both desktop and mobile devices. </p>
<p dir="ltr">We thank the Hewlett Foundation for funding this research.</p>
<hr />
<h2 dir="ltr">Annexure</h2>
<div>While commissioning the research, we had deliberated upon a series of definitions that we felt would be useful for the designers in conceptualizing their illustrations. These are provided below, and will form a part of the final handbook described above.</div>
<h3 dir="ltr">Data Localisation</h3>
<p dir="ltr">Data localisation can broadly be defined as 'any legal limitation on data moving globally and compelling it to remain locally’. These policies can take a variety of forms. This could include a specific requirement to locally store copies of data, local content production requirements, or imposing conditions on cross border data transfers that in effect act as a localization mandate.</p>
<h3 dir="ltr">Cyber Attacks/Warfare</h3>
<p dir="ltr">Terms: Critical infrastructure, state-sponsored attackers, disruption and/or espionage, attribution, data leaks, bugs, zero days, misconfigurations</p>
<p dir="ltr">A cyber attack is a hostile act using computers or related networks or systems, intended to disrupt and/or destroy an adversary’s critical cyber systems, assets, or functions. The intended effects of a cyber attack are not necessarily limited to the targeted computer systems or data themselves.</p>
<h3 dir="ltr">Blockchain</h3>
<p dir="ltr">Terms: Crypto-currency, immutable infrastructure, node compromise</p>
<p dir="ltr">Blockchain is a list of records linked using cryptography. It relies on three core elements in order to function effectively: decentralization, proof-of-work consensus, and practical immutability.</p>
<h3 dir="ltr">Misinformation</h3>
<p dir="ltr">Terms: Propagation and spread, large-scale & inauthentic coordinated activities</p>
<p dir="ltr">The concerted spread of inaccurate information through one (or more) of four methods of propagation: doctored or manipulated primary information, genuine information shared in a false context, selective or misleading use of information, and the misinterpretation of information.</p>
<h3 dir="ltr">Data Protection</h3>
<p dir="ltr">Terms: Cryptographic protection, access controls, privacy</p>
<p dir="ltr">Data Protection is protection through legal means accorded to private data from misuse by private or state actors. It includes processes such as collection and dissemination of data and technology, the public perception and expectation of privacy, and the political and legal underpinnings surrounding that data. </p>
<h3 dir="ltr">Ethical Hacking</h3>
<p dir="ltr">Terms: Diverse representation, and normalization/de-otherization of an “ethical hacker”</p>
<p dir="ltr">The term implies an ethical responsibility on the part of the hacker which compels them to inform the maintainers of a particular system about any discovered security flaws or vulnerabilities. While the ethics of "ethical hacking" differ for each individual, ethical hackers traditionally practice their craft out of a moral imperative. Ethical hackers are also described as independent computer security professionals who evaluate the system’s security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them.</p>
<h3 dir="ltr">Internet shutdowns</h3>
<p dir="ltr">An internet shutdown is an intentional disruption of internet or electronic communications, rendering them inaccessible or effectively unusable, for a specific population or within a location, often to exert control over the flow of information.</p>
<hr />
<p> </p>
<p><strong>The interactive version of the handbook can be accessed <a class="external-link" href="https://cis-india.github.io/cybersecurityvisuals/index">here.</a></strong><strong> The print versions of the handbook can be accessed at: <a class="external-link" href="https://drive.google.com/file/d/13Llq1vD5Eb-yo2YE3X6dRPaZ_WsMYhfa/view?usp=sharing">Single Scroll Printing</a>, <a class="external-link" href="https://drive.google.com/file/d/1mK_lxA0Eeb7GWxqZk4IM3cBxKdWakKS9/view?usp=sharing">Tiled-Paste Printing</a>. </strong></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/introducing-the-cybersecurity-visuals-media-handbook'>http://editors.cis-india.org/internet-governance/blog/introducing-the-cybersecurity-visuals-media-handbook</a>
</p>
No publisher
Saumyaa Naidu and Arindrajit Basu
Cybersecurity, Visualization, Handbook
2019-12-06T09:29:27Z
Blog Entry
Guest post: Before cyber norms, let’s talk about disanalogy and disintermediation
http://editors.cis-india.org/internet-governance/blog/guest-post-before-cyber-norms-let2019s-talk-about-disanalogy-and-disintermediation
<b>In a guest post in relation to CIS’s recently held roundtable on India’s cyber defense strategy, Pukhraj Singh looks at the critical fissures – at the technical and policy levels – in global normative efforts to secure cyberspace. By charting out the key vectors and power asymmetries among key stakeholders – both leading state actors and private actors like Microsoft – Singh posits that there is much to be done before we circumscribe cyber operations within legal strictures.</b>
<p> </p>
<p>By: <strong>Pukhraj Singh</strong><br />Reviewed and Edited by: <strong>Elonnai Hickok, Arindrajit Basu, </strong>and<strong> Karan Saini</strong></p>
<h3 id="docs-internal-guid-91bbb0b3-7fff-f86d-2f0c-43dae1a21a49" dir="ltr">The ongoing decoupling of norms </h3>
<p style="text-align: justify;" dir="ltr">In September 2019, the French ministry of defense <a href="https://www.defense.gouv.fr/content/download/565895/9750877/file/Droit+internat+appliqu%C3%A9+aux+op%C3%A9rations+Cyberespace.pdf">published</a> a document stating its views on the applicability of international law to cyber operations. While it makes an unequivocal espousal of the rules-based order in cyberspace, some of the distinctions made by the paper within the ambit of international law could be of interest to technical experts. </p>
<p style="text-align: justify;" dir="ltr">The document makes two key contributions. First, it <a href="https://www.justsecurity.org/66318/an-overview-of-international-humanitarian-law-in-frances-new-cyber-document/">addresses</a> two modes of power projection within cyberspace: cyber operations acting as a force multiplier in a hot war that is strictly delineated by kinetic and geographical redlines; and below-threshold, single-domain “dematerialized” operations leveraging cyber intrusions. Secondly, the document has made an attempt to gently <a href="https://blog.lukaszolejnik.com/french-application-of-international-rules-to-cyberwarfare/">decouple</a> itself from the Tallinn Manual on some aspects.</p>
<p style="text-align: justify;" dir="ltr">In an unrelated development, Microsoft joined hands with a group of peers within the technology industry, civil society and government to set up the <a href="https://blogs.microsoft.com/on-the-issues/2019/09/26/cyberpeace-institute-fills-a-critical-need-for-cyberattack-victims/">CyberPeace Institute</a> – a private sector initiative to strengthen the rules-based order. </p>
<p style="text-align: justify;" dir="ltr">It is an outcome of the sustained, unrelenting effort of Microsoft in thwarting what it believes to be the unchecked weaponization of cyberspace. Suffering a major reputational loss after the Snowden leaks, the company has <a href="https://www.wired.com/story/us-vs-microsoft-supreme-court-case-data/">gradually cultivated</a> fiercely <a href="https://www.irishtimes.com/business/technology/microsoft-s-brad-smith-talks-privacy-snowden-and-international-law-1.2816460">contrarian</a> <a href="https://www.cyberscoop.com/microsoft-cyber-peace-institute-hewlitt-foundation-brad-smith/">positions</a> on issues like state-enabled surveillance. </p>
<p style="text-align: justify;" dir="ltr">Microsoft’s daring contests and cases against the US government have been intimately recorded in the recently released book <a href="https://news.microsoft.com/on-the-issues/tools-and-weapons/">Tools and Weapons</a>, authored by its chief legal officer Brad Smith.</p>
<p style="text-align: justify;" dir="ltr">Seen through the lens of the future, the aforementioned developments highlight the ongoing readjustment of the legal discourse on cyber operations to account for its incongruous technical dynamics. </p>
<p style="text-align: justify;" dir="ltr">As the structures of cyber power are peeled layer-by-layer, the need to address this technical divergence in the overly legal interpretations of cyber norms would only increase.</p>
<h3 style="text-align: justify;" dir="ltr">Disanalogy & disintermediation</h3>
<p style="text-align: justify;" dir="ltr">Take the case of two fundamental dimensions – disanalogy and disintermediation – which have the potential to alter our understanding of how power is wedded with cyberspace.</p>
<p style="text-align: justify;" dir="ltr">Disanalogy is a logical postulation that challenges the primacy of “reasoning by analogy” using which international law is mapped to cyber conflict. Disintermediation highlights how the power dynamics of cyberspace have disrupted statism. </p>
<p style="text-align: justify;" dir="ltr">Understanding when and how the realization that international law is reasonably applicable to cyber operations dawned upon the international community leads one to an unending maze. It becomes a cyclical process where one set of initiatives only cross-reference the others, in a self-fulfilling sort of way. </p>
<p style="text-align: justify;" dir="ltr">The <a href="https://www.unidir.org/files/medias/pdfs/developments-in-the-field-of-information-and-telecommunications-in-the-context-of-international-security-2012-2013-a-68-98-eng-0-518.pdf">notes</a> of the 2013 session of the United Nations’ Governmental Group of Experts, affirming the sanctity of international law in cyberspace, look like an exercise in teleology. </p>
<p style="text-align: justify;" dir="ltr">Not to be distracted by the deeply philosophical nature of war, Kubo Mačák of the University of Exeter did <a href="https://ccdcoe.org/uploads/2018/10/Art-09-The-Impact-of-the-Development-of-the-Cyber-Law-of-War-on-General-International-Law.pdf">point out</a> that “the unique teleological underpinning of the law of war” should be considered before it is exported to new normative frameworks.</p>
<p style="text-align: justify;" dir="ltr">The deductive process inspired by reasoning by analogy that lies at the heart of the cyber norms discourse has not undergone much scrutiny. </p>
<p style="text-align: justify;" dir="ltr">In his 2013 <a href="https://www.youtube.com/watch?v=NdhhZcDk6aw">talk</a> at NATO’s CCDCOE, Selmer Bringsjord, cognitive sciences professor at the Rensselaer Polytechnic Institute, introduced the idea of disanalogy. Citing the <a href="https://plato.stanford.edu/entries/reasoning-analogy/">general schema of an analogical argument</a>, Bringsjord arrived at a disproof divorcing the source domain (the just war theory for conventional war) and target domain (just war theory for cyberwar). </p>
<p style="text-align: justify;" dir="ltr">He mapped jus in bello in a conventional war across the dimensions of Control, Proportionality, Accessibility, and Discrimination. </p>
<p style="text-align: justify;" dir="ltr">Bringsjord further added that these source attributes would not be evident in the target domain for two reasons: the inevitable digitization of every analog object and its interfaces; and the inherent propensity of artificial intelligence to wage attacks on its own.</p>
<p style="text-align: justify;" dir="ltr">In a supporting <a href="http://kryten.mm.rpi.edu/SB_JL_cyberwarfare_disanalogy_112113IT.pdf">paper</a>, he exhorts that while “Augustine and Aquinas (and their predecessors) had a stunningly long run…today’s world, based as it is on digital information and increasingly intelligent information-processing, points the way to a beast so big and so radically different, that the core of this duo’s insights needs to be radically extended.”</p>
<p style="text-align: justify;" dir="ltr">Celebrated malware reverse engineer Thomas Dullien, too, is of the <a href="https://www.youtube.com/watch?v=BWFdxAG_TGk">opinion</a> that machine learning and artificial intelligence are more suited for cyber offence as it has remained a “stable-in-time distribution.”</p>
<p style="text-align: justify;" dir="ltr">Brandon Valeriano of the Marine Corps University has drawn upon the case of incendiary balloons to <a href="https://www.cfr.org/blog/reasoning-analogy-cyberspace-deadly-balloons-and-avoiding-digital-doom">question</a> the overreliance on reasoning by analogy. Sadly, such viewpoints remain outliers.</p>
<p style="text-align: justify;" dir="ltr">Senior computer scientist David Aucsmith wrote in <a href="https://www.brookings.edu/book/bytes-bombs-and-spies/">Bytes, Bombs and Spies</a> that “one of the major challenges in cyberspace is the disintermediation of government.” He adds that while cyberspace has become the “global center of gravity for all aspects of national power,” it further removes the government from the “traditional functions of safety and security.”</p>
<p style="text-align: justify;" dir="ltr">The commercialized nature of the Internet is obvious to many. But steadily over the years, the private sector has also acquired vast swathes of cyber power in a manner that strangely mirrors the military concepts of counterintelligence, defense and deterrence. </p>
<p style="text-align: justify;" dir="ltr">In Tools and Weapons, Brad Smith recalls a meeting of top technology executives at the White House. As the executives pushed for surveillance reform after the Snowden leaks, Obama defensively retorted that “the companies at the table collectively had far more data than the government.” The “<a href="https://cybersecpolitics.blogspot.com/2016/06/can-google-do-cyber-deterrence.html">signals intelligence</a>” capabilities of <a href="https://www.wsj.com/articles/inside-googles-team-battling-hackers-11548264655">Google</a> and <a href="https://www.youtube.com/watch?v=OpTGFcJXL8g">Microsoft</a> rival that of a nation state. </p>
<p style="text-align: justify;" dir="ltr">Former deputy director of the NSA Chris Inglis writes in Bytes, Bombs and Spies: </p>
<p style="text-align: justify;" dir="ltr">In cyberspace, a small change in configuration of the target machine, system, or network can often negate the effectiveness of a cyber weapon against it. This is not true with weapons in other physical domains…The nature of target-weapon interaction with kinetic weapons can usually be estimated on the basis of physics experimentation and calculation. Not so with cyber weapons. For offensive cyber operations, this extreme “target dependence” means that intelligence information on target characteristics must be precise, high-volume, high-quality, current, and available at the time of the weapon’s use.</p>
<p style="text-align: justify;" dir="ltr">Inglis argues that fielding “ubiquitous, real-time and persistent” intelligence, surveillance and reconnaissance (ISR) frameworks is crucial for mustering the ability to produce cyber effects at a place and time of choosing. </p>
<p style="text-align: justify;" dir="ltr">Daniel Moore of King’s College London broadly <a href="https://ccdcoe.org/uploads/2018/10/Art-05-Targeting-Technology.-Mapping-Military-Offensive-Network-Operations.pdf">categorizes</a> cyber operations into event-based and presence-based.</p>
<p style="text-align: justify;" dir="ltr">The ISR framework envisioned by Inglis pre-positions implants with presence-based operations to make sure that the adversarial infrastructure -- perpetually in a state of flux -- remains primed for event-based operations. Falling prey to an analogy, this is as challenging as a group of river-rafters trying to keep their raft still at one position in a raging torrent of water.</p>
<p style="text-align: justify;" dir="ltr">However, it is worth noting that a major component of such an ISR framework would manifest over privately-owned infrastructure. </p>
<p style="text-align: justify;" dir="ltr">That is exactly why the commercial threat intelligence industry, led by the likes of FireEye, Kaspersky and CrowdStrike, has flourished the way it has. </p>
<p style="text-align: justify;" dir="ltr">Joe Slowik, principal adversary hunter at Dragos, Inc., <a href="https://pylos.co/2019/09/28/cyber-leviathan/">corroborates</a> it: “An entire ecosystem of defense and security developed within the private space…essentially, private (defensive) ‘armies’ grew up and proliferated in the cyber security space over the course of many years.”</p>
<p style="text-align: justify;" dir="ltr">Jason Healey of Columbia’s School of International and Public Affairs has <a href="https://twitter.com/Jason_Healey/status/1181961759155994624">another way</a> of looking at it: “In counterinsurgency, host nation must take lead & U.S. role is to provide aid & support. USG not seen as legitimate, may lack the local & cultural knowledge, & lack sufficient resources. In cyberspace, the private sector, esp tech & security companies, are the host nation (sic)”.</p>
<p style="text-align: justify;" dir="ltr">Initiatives like the CyberPeace Institute and Cybersecurity Tech Accord are to be seen as emerging geopolitical formations pivoted around the power vacuum created by growing disintermediation.</p>
<p style="text-align: justify;" dir="ltr">While Microsoft avows the applicability of international law, the decreasing technological dependence on it to enforce the rules-based order may herald data-driven normative frameworks solely originating from the private sector.</p>
<p style="text-align: justify;" dir="ltr">Take the specific case of fashionable “black-letter rules” – like barring cyber actors from hacking into an adversary’s election infrastructure – variedly promulgated by the <a href="https://www.wired.com/2013/03/the-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare/">Tallinn Manual</a>, <a href="https://www.microsoft.com/en-us/cybersecurity/content-hub/a-digital-geneva-convention-to-protect-cyberspace">Microsoft</a> and the <a href="https://cyberstability.org/news/global-commission-introduces-six-critical-norms-towards-cyber-stability/">Global Commission on the Stability of Cyberspace</a>. They could very well act as impediments to the success of the norms process.</p>
<p style="text-align: justify;" dir="ltr">Cyber actors can be divided into various <a href="https://cybersecpolitics.blogspot.com/2016/09/the-chinese-get-real.html">capability tiers</a>: A, B, C or D Teams, etc. Such categorizations could be derived from multiple <a href="https://cybersecpolitics.blogspot.com/2017/08/strategic-plateaus-in-cyber-domain.html">variables</a> like operational structure, concept of operations, capabilities and toolchains, and operating budget. </p>
<p style="text-align: justify;" dir="ltr">In what may sound paradoxical, mindless enforcement of such rules creates an inherently inequitable environment where actors would be compelled to flout them. Targeting and target discrimination are possibly the most expensive components of the cyber offensive toolchain. As intelligence analyst Grugq <a href="https://www.youtube.com/watch?v=wP2J9aYM6Oo">said</a>, “You need a lot of people to have a small numbers of hackers hacking.”</p>
<p style="text-align: justify;" dir="ltr">The ability to avoid a vulnerable target or an attack surface without sacrificing the initiative is a luxury that only an A-team could afford, further disincentivizing smaller players from participating in confidence-building measures.</p>
<p style="text-align: justify;" dir="ltr">In such cases, the private sector could lead the way in the neutral and transparent interpretation of the dynamics and thresholds of power projection in cyberspace. Companies, not countries, have the vantage point and commercial interest to create a level playing field. </p>
<p style="text-align: justify;" dir="ltr">Taking the original case of France’s new dossier on cyber operations, its gradual rollback from the strictly black-and-white world of, say, the Tallinn Manual hints at a larger devolution of legally interpreted cyber operations, influenced by technical incongruities like disanalogy and disintermediation. </p>
<p style="text-align: justify;" dir="ltr">While the said document answers many questions relating to the applicability of international law to cyber operations with uncanny confidence, the devil still lies in the details. </p>
<p style="text-align: justify;" dir="ltr">For example, it talks about creating militaristic cyber effects by altering the confidentiality and availability of data on adversarial systems, but skirts around integrity – as if the three dimensions of data security are not symbiotic. Such picket-fencing may be trying to carefully avoid the legal ambiguity on information operations, post-ICJ US vs Nicaragua. </p>
<p style="text-align: justify;" dir="ltr">Ask any cyber operator, can a cyber operation proceed <a href="https://grugq.github.io/presentations/short%20course.pdf">without sabotaging</a> the integrity of log artifacts or other such stealthy or deceptive maneuvering?</p>
<p style="text-align: justify;" dir="ltr">It also postulates the export of “non-international armed conflict” to the territory of consenting nation states, as if such factors are completely controllable. </p>
<p style="text-align: justify;" dir="ltr">Discussed earlier, a majority of the cyber-ISR frameworks manifest over globally scattered private infrastructure. And almost every layer of the computing architecture is now network-enabled. </p>
<p style="text-align: justify;" dir="ltr">In cyberspace, the ‘territory’ of a nation state expands and contracts in real time. It may exist online as the sum of all the global information flows, across the many millions of interfaces, associated with it at any given moment. The sheer <a href="http://geer.tinho.net/geer.secot.7v14.txt">emergent complexity</a> of this organism has baffled many.</p>
<p style="text-align: justify;" dir="ltr">The adversarial environment fluxes at such a rapid pace that taking “territorial” sanctity into account during an ongoing operation is nigh impossible. This, in fact, is the <a href="https://www.justsecurity.org/67079/top-dod-lawyer-stresses-u-s-compliance-with-the-rule-of-law-in-military-operations/">very premise</a> of Defend Forward.</p>
<p style="text-align: justify;" dir="ltr">The French document is a good attempt at decoupling cyber operations from legal strictures, but it should be seen as the mere beginning of that process.</p>
<h3 style="text-align: justify;" dir="ltr">Cognitive cyber offence</h3>
<p style="text-align: justify;" dir="ltr">Lastly, the complete absence of the cognitive dimension in the norms process is something that should be addressed outright. </p>
<p style="text-align: justify;" dir="ltr">Keith Dear, a research fellow at Oxford’s Changing Character of War Program, <a href="https://www.youtube.com/watch?v=Nl_shMx8Yrs">feels</a> that war – as “a continuation of politics by other means” – is essentially persuasive and has predominantly psychological effects. They get aggravated more so by the scale and speed of cyber-enabled behavioral modelling.</p>
<p style="text-align: justify;" dir="ltr">The threat landscape is at a stage where we are going to see the increasing exploitation of <a href="https://www.teachthought.com/critical-thinking/the-cognitive-bias-codex-a-visual-of-180-cognitive-biases/">cyber-cognitive attack surfaces</a> – the cost-benefits are now heavily tilted towards their side. It is like what conventional cyber operations used to be 20 years ago: cheap and easy over scale and speed.</p>
<p style="text-align: justify;" dir="ltr">The cyber norms community only considers the first or second order effects of cyberattacks. The reality is that causation could be separated by many, many degrees. The community also misses the fact that a cyberattack is generally an indiscernible mixture of not just effects, but also perceptions. Every cyber operation could be <a href="https://dl.acm.org/citation.cfm?id=3316742&dl=ACM&coll=DL">deemed</a> an information operation even after full denouement. </p>
<p style="text-align: justify;" dir="ltr">We have only begun to understand the significance of the cognitive dimension. Leading thinkers like former Secretary of the Navy Richard Danzig had for long proposed perceptive instead of spatial redlines for cyber conflict, aptly capturing its emergent properties.</p>
<p style="text-align: justify;" dir="ltr">His <a href="https://s3.amazonaws.com/files.cnas.org/documents/CNAS_PoisonedFruit_Danzig.pdf?mtime=20161010215746">suggested</a> baseline was: “The United States cannot allow the insecurity of our cyber systems to reach a point where weaknesses in those systems would likely render the United States unwilling to make a decision or unable to act on a decision fundamental to our national security.”</p>
<p style="text-align: justify;" dir="ltr">Danzig’s paradigm neatly fits into the Defend Forward philosophy of the US Cyber Command. Former director of the NSA Michael Hayden once <a href="https://www.usnews.com/news/articles/2013/02/20/former-cia-director-cyber-attack-game-changers-comparable-to-hiroshima">said</a> that Stuxnet had the “whiff of August 1945,” while former NSA exploitation engineer Dave Aitel <a href="https://cybersecpolitics.blogspot.com/2016/09/the-stern-stewart-summit-germany-and.html">labelled</a> it as the “announcement of a team.” The theatres of war, <a href="https://www.cfr.org/blog/not-cyber-deterrence-united-states-wants">frameworks</a> for deterrence and <a href="https://www.cfr.org/blog/sony-hack-north-koreas-toughest-counteraction-obamas-proportional-response">parameters</a> for proportional response may turn out to be purely perceptive in nature.</p>
<p style="text-align: justify;" dir="ltr">As the cyber option gets increasingly expended by militaries, we have <a href="https://www.washingtonpost.com/gdpr-consent/?destination=%2fpolitics%2f2019%2f10%2f01%2fare-cyber-operations-us-retaliatory-option-september-oilfield-strikes-would-this-deter-iran%2f%3f">come to understand</a> that the esoteric cognitive parameters of digital conflict could be crucial enough to decide victory or defeat.</p>
<h3 style="text-align: justify;" dir="ltr">Conclusion</h3>
<p style="text-align: justify;" dir="ltr">As the United Nations’ Governmental Group of Experts’ dialogue came to a grinding halt in 2016, Michelle Markoff, former deputy coordinator for Cyber Issues in the US State Department, gave a <a href="https://www.youtube.com/watch?v=nAuehrVCBBU&feature=youtu.be&t=4m10s">candid account</a> of what went wrong. </p>
<p style="text-align: justify;" dir="ltr">She also went on to recommend “interleaving strategies” like defence, declaratory policies, alliance activities, and norms of behaviour. It is interesting to note all the four dimensions proffered by her neatly fit into the remit of the private sector when it comes to fostering cyber stability. </p>
<p style="text-align: justify;" dir="ltr">The threat intelligence industry, by its indirect participation in the great power play, is already carving a rudimentary framework for declaratory signaling. Private sector alliances – by being more open and neutral about attack attribution, adversarial intent and capabilities, and targeting criteria – may lower the incentives while increasing the costs of cyber actions. That may force various actors to the negotiating table.</p>
<p style="text-align: justify;" dir="ltr">The emergence of customary international law in cyberspace, as a precursor to effective normative frameworks, is a necessity that may squarely fall on the shoulders of corporations. In that sense, diplomatic initiatives and alliance activities by Microsoft and others must be keenly observed.</p>
<p style="text-align: justify;" dir="ltr"> </p>
<hr />
<p> </p>
<p><em><strong>Pukhraj Singh is a cyber threat intelligence analyst who has worked with the Indian government and security response teams of global companies. He blogs at www.pukhraj.me. Views posited are the author’s alone.</strong></em></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/guest-post-before-cyber-norms-let2019s-talk-about-disanalogy-and-disintermediation'>http://editors.cis-india.org/internet-governance/blog/guest-post-before-cyber-norms-let2019s-talk-about-disanalogy-and-disintermediation</a>
</p>
No publisher
Pukhraj Singh
Cybersecurity, Norms Formulation
2019-11-18T10:14:07Z
Blog Entry
Regulating the Internet: The Government of India & Standards Development at the IETF
http://editors.cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf
<b>The institution of open standards has been described as a formidable regulatory regime governing the Internet. Given the regulatory and domestic policy implications that technical standards can have, there is a need for Indian governmental agencies to focus adequate resources geared towards achieving favourable outcomes at standards development fora.</b>
<p>This brief was authored by Aayush Rathi, Gurshabad Grover and Sunil Abraham. Click <a class="external-link" href="http://cis-india.org/internet-governance/files/regulating-the-internet">here</a> to download the policy brief.</p>
<hr />
<h2>Executive Summary</h2>
<div> </div>
<p style="text-align: justify;">The institution of open standards has been described as a formidable regulatory regime governing the Internet. As the Internet has moved to facilitate commerce and communication, governments and corporations find greater incentives to participate and influence the decisions of independent standards development organisations.</p>
<p style="text-align: justify;">While most such bodies have attempted to systematise fair and transparent processes, this brief highlights how they may still be susceptible to compromise. Documented instances of large private companies like Microsoft, and governmental instrumentalities like the US National Security Agency (NSA) exerting disproportionate influence over certain technical standards further the case for increased Indian participation.</p>
<p style="text-align: justify;">The debate around Transport Layer Security (TLS) 1.3 at the Internet Engineering Task Force (IETF) forms an important case for studying how a standards body responded to political developments, and how the Government of India participated in the ensuing discussions. Lasting four years, the debate ended in favour of greater communications security. One of the security improvements in TLS 1.3 over its predecessor is that it makes less information available to networking middleboxes. Considering that Indian intelligence agencies and government departments have expressed fears of foreign-manufactured networking equipment being used by foreign intelligence to eavesdrop on Indian networks, the development is potentially favourable for the security of Indian communication in general, and the security of military and intelligence systems in particular. India has historically procured most networking equipment from foreign manufacturers. While there have been calls for indigenised production of such equipment, achieving these objectives will necessarily be a gradual process. Participating in technical standards can, then, be an effective interim method for intelligence agencies, defence wings and law enforcement for establishing trust in critical networking infrastructure sourced from foreign enterprises.</p>
<p style="text-align: justify;">Outlining some of the existing measures the Indian government has put in place to build capacity for and participate in standard setting, this brief highlights that while these are useful starting points, they need to be harmonised and strengthened to be more fruitful. Given the regulatory and domestic policy implications that technical standards can have, there is a need for Indian governmental agencies to focus adequate resources geared towards achieving favourable outcomes at standards development fora.</p>
<hr />
<p>Click <a class="external-link" href="http://cis-india.org/internet-governance/files/regulating-the-internet">here</a> to download the policy brief.</p>
<p style="text-align: justify;">Note: The recommendations in the brief were updated on 17 December 2018 to reflect the relevance of technical standard-setting in the recent discussions around Indian intelligence concerns about foreign-manufactured networking equipment.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf'>http://editors.cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf</a>
</p>
No publisher
Aayush Rathi, Gurshabad Grover and Sunil Abraham
Open Standards, Cryptography, Cybersecurity, Internet Governance, Surveillance, IETF, Encryption Policy
2019-01-22T07:29:39Z
Blog Entry
Amutha Arunachalam - Stand Shielded of Digital Rights (Delhi, May 05, 4 pm)
http://editors.cis-india.org/internet-governance/events/firstfridayatcis-amutha-arunachalam-stand-shielded-of-digital-rights-may-05
<b>We are proud to announce that Amutha Arunachalam will be the speaker at the May #FirstFriday event at the CIS Delhi office. Amutha is Principal Technical Officer in the Council of Scientific and Industrial Research. The talk will be on digital signatures, traceability of time-stamps, and setting up an Indian Standard (Digital) Time. If you are joining us, please RSVP at the soonest as we have only limited space in our office.</b>
<p> </p>
<h3><strong>Amutha Arunachalam</strong></h3>
<h4>Principal Technical Officer, Council of Scientific and Industrial Research</h4>
<p> </p>
<p><img src="http://editors.cis-india.org/internet-governance/files/amutha-arunachalam/image" alt="Amutha Arunachalam" class="image-inline" title="Amutha Arunachalam" /></p>
<p> </p>
<p>Amutha Arunachalam entered Indian Government service as an Intelligence Officer in the Ministry of Home Affairs in 1988, after working in the Fibre Optic Communication Laboratory at the Indian Institute of Technology Madras. She later moved to the Council of Scientific and Industrial Research in the field of Information Technology. She managed the IT infrastructure of the CSIR lab (Central Road Research Institute) till 2006, then moved to CSIR Headquarters, where she contributed to the ICT refurbishment drive, mainly in IT, with major contributions in establishing the Data Centre, implementing network security, and linking CSIR HQ to the National Knowledge Network facility extended by the National Information Centre (NIC), before joining UIDAI.</p>
<p>At UIDAI (National Identity Project) she managed the Data Center operations, which include the critical CIDR (Central Identification Repository), and was responsible for setting up infrastructure to roll out the disaster recovery centre and the Aadhaar Enrolment Service, benchmarking the UIDAI Enrolment and Authentication applications, and setting up the backend infrastructure of the Authentication Service for roll-out to citizens. After her five-year deputation at UIDAI (Feb 2016), she is currently posted in the Council of Scientific and Industrial Research, working in the area of policy in cyber security for CSIR, enhancing research through collaboration and networking, and building a unified CSIR ecosystem with an enterprise platform.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/firstfridayatcis-amutha-arunachalam-stand-shielded-of-digital-rights-may-05'>http://editors.cis-india.org/internet-governance/events/firstfridayatcis-amutha-arunachalam-stand-shielded-of-digital-rights-may-05</a>
</p>
No publisher | sumandro | Cybersecurity, Internet Governance, Digital India, #FirstFridayAtCIS, E-Governance | 2017-05-03T13:30:32Z | Event
Mapping of Sections in India’s MLAT Agreements
http://editors.cis-india.org/internet-governance/blog/india-mlat-agreements-sections-map-dec-2016
<b>This set of infographics by Leilah Elmokadem and Saumyaa Naidu maps out and compares the various sections that exist in the 39 MLATs (mutual legal assistance treaties) between India and other countries. An MLAT is an agreement between two or more countries, drafted for the purpose of gathering and exchanging information in an effort to enforce public or criminal laws.</b>
<p> </p>
<h4>Download: <a href="https://github.com/cis-india/website/raw/master/docs/CIS_IndiaMLATAgreementsSectionsMap_Dec2016.pdf">Infographic</a> (PDF) and <a href="https://github.com/cis-india/website/raw/master/docs/CIS_IndiaMLATAgreementsSectionsMap_Dec2016.xlsx">data</a> (XLSX)</h4>
<hr />
<p>We have found that India’s 39 MLAT documents are worded, formatted and sectioned differently. At the same time, many of the same sections exist across several MLATs. This diagram lists the sections found in the MLAT documents and
indicates the treaties in which they were included or not included. To keep the list of sections concise and to more easily pinpoint the key differences between the agreements, we have merged sections that are synonymous in meaning but
were worded slightly differently. For example: we would combine “Entry into force and termination” with “Ratification and termination” or “Expenses” with “Costs”.</p>
<p>At the same time, some sections that seemed quite similar and possible to merge were kept separate due to potential key differences that could be overlooked as a result. For example: “Limitation on use” vs. “Limitation on compliance” or “Serving of documents” vs. “Provision of (publicly available) documents/records/objects” remained separate for further analysis and comparison.</p>
<p>These differences in sectioning can be analysed to facilitate a thorough comparison between the effectiveness, efficiency, applicability and enforceability of the various provisions across the MLATs. The purpose of this initial mapping is to provide an overall picture of which sections exist in which MLAT documents. There will be further analysis of these sections to produce a more holistic content-based comparison of the MLATs.</p>
<p> </p>
<h2>Aggregated Analysis of Sections of MLAT Agreements</h2>
<img src="https://github.com/cis-india/website/raw/master/img/CIS_IndiaMLATAgreementsSectionsMap_Dec2016_Aggregate_01.png" alt="Aggregated analysis of sections of MLAT agreements by India" />
<img src="https://github.com/cis-india/website/raw/master/img/CIS_IndiaMLATAgreementsSectionsMap_Dec2016_Aggregate_02.png" alt="Aggregated analysis of sections of MLAT agreements by India" />
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/india-mlat-agreements-sections-map-dec-2016'>http://editors.cis-india.org/internet-governance/blog/india-mlat-agreements-sections-map-dec-2016</a>
</p>
No publisher | Leilah Elmokadem and Saumyaa Naidu | International Relations, Cybersecurity, Bilateral Agreement, Internet Governance, MLAT, Cyber Security | 2016-12-31T06:52:46Z | Blog Entry
Mapping of India’s Cyber Security-Related Bilateral Agreements
http://editors.cis-india.org/internet-governance/blog/india-cyber-security-bilateral-agreements-map-dec-2016
<b>With the rapid spread of cloud computing and the growth of cyber spaces, large masses of information are now easily transmittable transnationally, necessitating the ratification of new agreements and cooperation efforts amongst states in order to secure cyber spaces and regulate exchanges of information. In an attempt to understand the nature and extent of current international collaborative efforts in cyber security, we have compiled the following data regarding India’s cyber security-related bilateral agreements. The intention of this exercise is to offer a dynamic visualization that demonstrates which countries India has collaborated with on cyber security efforts and initiatives. This is an ongoing map that we will be updating as our research continues.</b>
<h4 style="text-align: justify; ">Download: <a class="external-link" href="http://cis-india.org/internet-governance/files/CyberSecurityAgreements_Infographic_04.pdf">Infographic</a> (PDF) and <a href="https://github.com/cis-india/website/raw/master/docs/CIS_IndiaCyberSecBilateralAgreementMap_Dec2016.xlsx">data</a> (XLSX)</h4>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><br /> The data used for the infographic consists of India’s MLATs, cyber security-related MoUs and Joint Statements, and Cyber Frameworks. An MLAT is an agreement between two or more countries, drafted for the purpose of gathering and exchanging information in an effort to enforce public or criminal laws. An MoU (Memorandum of Understanding) is a nonbinding agreement between two or more states outlining the terms and details of an understanding, including each party’s requirements and responsibility; it is often the first stage in the formation of a formal contract. For the purpose of this research, we have grouped Joint Statements with MoUs, as they both generally entail an informal agreement between two states to strengthen cooperation on certain issues. Lastly, a Cyber Framework consists of standards, guidelines and practices to promote protection of critical infrastructure. The data accounts for agreements centered on cyber security as well as any agreements mentioning cooperation efforts in cyber security, information security or cybercrime.</p>
<p style="text-align: center; "><img src="http://editors.cis-india.org/home-images/MLATAgreement.png/@@images/169c25c6-57a4-48c8-a33e-71aa36ea97ea.png" alt="MLAT Agreement" class="image-inline" title="MLAT Agreement" /></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The mapping of India’s cybersecurity-related bilateral agreements was updated on April 12, 2017 with the following changes:</p>
<ol style="text-align: justify; ">
<li>A new MoU was signed between Australia and India in April 2017, focusing on combating terrorism and civil aviation security. Cybersecurity cooperation is mentioned in the MoU<a href="#_ftn1" name="_ftnref1">[1]</a>.</li>
<li>A new MoU was signed between Bangladesh and India in April 2017. The Indian Computer Emergency Response Team (CERT-In), Indian Ministry of Electronics and Information Technology and the ICT Division of Bangladesh are the signing parties of the MoU. The agreement focuses on Cooperation in the area of Cyber Security<a href="#_ftn2" name="_ftnref2">[2]</a>.</li>
<li>A preexisting MoU between France and India was added to the mapping, signed in January of 2016. Officials of both countries agreed to intensify cooperation between the Indian and French security forces in the fields of homeland security, cyber security, Special Forces and intelligence sharing to fight against criminal networks and tackle the common threat of terrorism<a href="#_ftn3" name="_ftnref3">[3]</a>.</li>
<li>A new MoU was signed between Indonesia and India in March 2017. It focuses on enhancing cooperation in cyber security and intelligence sharing<a href="#_ftn4" name="_ftnref4">[4]</a>.</li>
<li>A new MoU was signed between Kenya and India in January 2017, with “cyber security” mentioned as one of the key areas of cooperation<a href="#_ftn5" name="_ftnref5">[5]</a>.</li>
<li>A preexisting MoU between Malaysia and India was added to the mapping, signed in November of 2015. Both sides agreed to promote cooperation and the exchange of information regarding cyber security incident management, technology cooperation and cyber attacks, prevalent policies and best practices and mutual response to cyber security incidents<a href="#_ftn6" name="_ftnref6">[6]</a>.</li>
<li>A preexisting MoU between Mauritius and India, signed July 2016, was added to the mapping. This is a non-governmental MoU. Leading bourse BSE signed an agreement with Stock Exchange of Mauritius (SEM) for collaboration in areas including cyber security<a href="#_ftn7" name="_ftnref7">[7]</a>.</li>
<li>A new joint statement between India and Portugal was signed in March 2017. The two countries agreed to set up an institutional mechanism to collaborate in the areas of electronic manufacturing, ITeS, startups, cyber security and e-governance<a href="#_ftn8" name="_ftnref8">[8]</a>.</li>
<li>A preexisting MoU, signed between Qatar and India in December of 2016, was added to the mapping. The agreement was regarding a protocol on technical cooperation in cyberspace and combatting cybercrime<a href="#_ftn9" name="_ftnref9">[9]</a>.</li>
<li>A new MoU was signed between Serbia and India in January 2017, focusing on cooperation in the field of IT, Electronics. The MoU itself does not explicitly mention cybersecurity. However, the MoU calls for cooperation and exchanges in capacity building institutions, which should entail cyber security strengthening<a href="#_ftn10" name="_ftnref10">[10]</a>.</li>
<li>A preexisting MoU between Singapore and India was added to the mapping. The MoU was signed in January 2016, focusing on the establishment of a formal framework for professional dialogue, CERT-CERT related cooperation for operational readiness and response, collaboration on cyber security technology and research related to smart technologies, exchange of best practices, and professional exchanges of human resource development<a href="#_ftn11" name="_ftnref11">[11]</a>.</li>
<li>A new joint statement was signed between UAE and India in January 2017, following up on their previous Technical Cooperation MoU signed in February 2016. To further deepen cooperation in this area, they agreed to set up joint Research & Development Centres of Excellence<a href="#_ftn12" name="_ftnref12">[12]</a>.</li>
<li>A preexisting MoU has been included in the mapping, signed in May of 2016. CERT-In agreed with the UK Ministry of Cabinet Office to promote close cooperation between both countries in the exchange of knowledge and experience in detection, resolution and prevention of security related incidents<a href="#_ftn13" name="_ftnref13">[13]</a>.</li>
<li>A new MoU between India and the US was signed in March 2017. CERT-In and CERT-US signed a MoU agreeing to promote closer co-operation and exchange of information pertaining to cyber security in accordance with relevant laws, rules and regulations and on the basis of equality, reciprocity and mutual benefit<a href="#_ftn14" name="_ftnref14">[14]</a>.</li>
<li>A new MoU was signed between Vietnam and India in January 2017, agreeing to promote closer cooperation for exchange of knowledge and experience in detection, resolution and prevention of cyber security incidents between both countries<a href="#_ftn15" name="_ftnref15">[15]</a>.</li>
</ol>
<p style="text-align: justify; ">NOTE: Some preexisting MoUs were added as we were initially only including the most recent agreements in the mapping. Upon adding newly signed MoUs, we decided to also keep the preexisting ones and revisit the other entries to include any preexisting MoUs that were initially excluded due to not being the most-recent. In this respect, the visualization will be adjusted to indicate the number of MoUs per country.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1">[1]</a><a href="http://www.dnaindia.com/india/report-india-australia-sign-mous-on-combating-terrorism-civil-aviation-security-2393843">http://www.dnaindia.com/india/report-india-australia-sign-mous-on-combating-terrorism-civil-aviation-security-2393843</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2">[2]</a><a href="http://www.theindependentbd.com/arcprint/details/89237/2017-04-09">http://www.theindependentbd.com/arcprint/details/89237/2017-04-09</a></p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3">[3]</a><a href="http://www.thehindu.com/news/resources/Full-text-of-Joint-Statement-issued-by-India-France/article14019524.ece">http://www.thehindu.com/news/resources/Full-text-of-Joint-Statement-issued-by-India-France/article14019524.ece</a></p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4">[4]</a><a href="http://indianexpress.com/article/india/indianhome-ministry-indonesian-ministry-of-security-and-coordination/">http://indianexpress.com/article/india/indianhome-ministry-indonesian-ministry-of-security-and-coordination/</a></p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5">[5]</a><a href="https://telanganatoday.news/india-kenya-focus-defence-security-cooperation-pm">https://telanganatoday.news/india-kenya-focus-defence-security-cooperation-pm</a></p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6">[6]</a><a href="http://economictimes.indiatimes.com/news/economy/foreign-trade/india-and-malaysia-sign-3-mous-including-cyber-security/articleshow/49891897.cms">http://economictimes.indiatimes.com/news/economy/foreign-trade/india-and-malaysia-sign-3-mous-including-cyber-security/articleshow/49891897.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7">[7]</a><a href="http://indiatoday.intoday.in/story/bse-mauritius-stock-exchange-tie-up-to-promote-financial-mkts/1/723635.html">http://indiatoday.intoday.in/story/bse-mauritius-stock-exchange-tie-up-to-promote-financial-mkts/1/723635.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref8" name="_ftn8">[8]</a><a href="http://www.tribuneindia.com/news/business/india-portugal-to-collaborate-in-ites-cyber-security/373666.html">http://www.tribuneindia.com/news/business/india-portugal-to-collaborate-in-ites-cyber-security/373666.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref9" name="_ftn9">[9]</a><a href="http://naradanews.com/2016/12/india-qatar-sign-agreements-on-visa-cybersecurity-investments/">http://naradanews.com/2016/12/india-qatar-sign-agreements-on-visa-cybersecurity-investments/</a></p>
<p style="text-align: justify; "><a href="#_ftnref10" name="_ftn10">[10]</a><a href="http://ehub.newsforce.in/cabinet-approves-mou-india-serbia-cooperation-field-electronics/">http://ehub.newsforce.in/cabinet-approves-mou-india-serbia-cooperation-field-electronics/</a></p>
<p style="text-align: justify; "><a href="#_ftnref11" name="_ftn11">[11]</a><a href="http://www.businesstimes.com.sg/government-economy/singapore-and-india-strengthen-cooperation-on-cyber-security">http://www.businesstimes.com.sg/government-economy/singapore-and-india-strengthen-cooperation-on-cyber-security</a></p>
<p style="text-align: justify; "><a href="#_ftnref12" name="_ftn12">[12]</a><a href="http://mea.gov.in/bilateral-documents.htm?dtl/27969/India++UAE+Joint+Statement+during+State+visit+of+Crown+Prince+of+Abu+Dhabi+to+India+January+2426+2017">http://mea.gov.in/bilateral-documents.htm?dtl/27969/India++UAE+Joint+Statement+during+State+visit+of+Crown+Prince+of+Abu+Dhabi+to+India+January+2426+2017</a></p>
<p style="text-align: justify; "><a href="#_ftnref13" name="_ftn13">[13]</a><a href="http://www.bestcurrentaffairs.com/india-uk-mou-cyber-security/">http://www.bestcurrentaffairs.com/india-uk-mou-cyber-security/</a></p>
<p style="text-align: justify; "><a href="#_ftnref14" name="_ftn14">[14]</a><a href="http://www.dqindia.com/india-cert-signs-an-mou-with-us-cert/">http://www.dqindia.com/india-cert-signs-an-mou-with-us-cert/</a></p>
<p style="text-align: justify; "><a href="#_ftnref15" name="_ftn15">[15]</a><a href="http://pib.nic.in/newsite/PrintRelease.aspx?relid=157458">http://pib.nic.in/newsite/PrintRelease.aspx?relid=157458</a></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/india-cyber-security-bilateral-agreements-map-dec-2016'>http://editors.cis-india.org/internet-governance/blog/india-cyber-security-bilateral-agreements-map-dec-2016</a>
</p>
No publisher | Leilah Elmokadem and Saumyaa Naidu | International Relations, Cybersecurity, Bilateral Agreement, Internet Governance, MLAT | 2017-04-27T15:14:55Z | Blog Entry
NASSCOM-DSCI Annual Information Security Summit 2015 - Notes
http://editors.cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes
<b>NASSCOM-DSCI organised the 10th Annual Information Security Summit (AISS) 2015 in Delhi during December 16-17. Sumandro Chattapadhyay participated in this engaging Summit. He shares a collection of his notes and various tweets from the event.</b>
<p> </p>
<h2>Details about the Summit</h2>
<p>Event page: <a href="https://www.dsci.in/events/about/2261">https://www.dsci.in/events/about/2261</a>.</p>
<p>Agenda: <a href="https://www.dsci.in/sites/default/files/Agenda-AISS-2015.pdf">https://www.dsci.in/sites/default/files/Agenda-AISS-2015.pdf</a>.</p>
<p> </p>
<h2>Notes from the Summit</h2>
<blockquote class="twitter-tweet">
<p dir="ltr">Mr.G.K.Pillai ,Chairman DSCI addressing the audience @ 10th Annual Information Security Summit '15 <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/JVcwct3HSF">pic.twitter.com/JVcwct3HSF</a></p>
— DSCI (@DSCI_Connect) <a href="https://twitter.com/DSCI_Connect/status/676979952277987328">December 16, 2015</a></blockquote>
<p>Mr. G. K. Pillai, Chairman of Data Security Council of India (DSCI), set the tone of the Summit at the very first hour by noting that 1) state and private industries in India are working in silos when it comes to preventing cybercrimes, 2) there is a lot of skill among young technologists and entrepreneurs, and the state and the private sectors are often unaware of this, and 3) there is a serious lack of (cyber-)capacity among law enforcement agencies.</p>
<p>In his Inaugural Address, Dr. Arvind Gupta (Deputy National Security Advisor and Secretary, NSCS), provided a detailed overview of the emerging challenges and framework of cybersecurity in India. He focused on the following points:</p>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> Dy NSA Dr Arvind Gupta calls 4 <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> by <a href="https://twitter.com/hashtag/design?src=hash">#design</a> in <a href="https://twitter.com/hashtag/ICT?src=hash">#ICT</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/79kq9lWGtk">pic.twitter.com/79kq9lWGtk</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/676980799347023872">December 16, 2015</a></blockquote>
<ul>
<li>Security is a key problem in the present era of ICTs as it is not in-built. In the upcoming IoT era, security must be built into ICT systems.</li>
<li>Of the next billion additions to the internet population, 50% will be from India. Hence cybersecurity is a big concern for India.</li>
<li>ICTs will play a catalytic role in achieving SDGs. Growth of internet is part of the sustainable development agenda.</li>
<li>We need a broad range of critical security services - big data analytics, identity management, etc.</li>
<li>The e-governance initiatives launched by the Indian government are critically dependent on a safe and secure internet.</li>
<li>Darkweb is a key facilitator of cybercrime. Globally there is a growing concern regarding the security of cyberspace.</li>
<li>On the other hand, there exists a deep divide in access to ICTs, and also in availability of content in local languages.</li>
<li>The Indian government has initiated bilateral cybersecurity dialogues with various countries.</li>
<li>Indian government is contemplating setting up of centres of excellence in cryptography. It has already partnered with NASSCOM to develop cybersecurity guidelines for smart cities.</li>
<li>While India is a large global market for security technology, it also needs to be self-reliant. The Indian private sector should make use of government policies and the bilateral trust enjoyed by India with various developing countries in Africa and South America to develop security technology solutions, create meaningful jobs in India, and export services and software to other developing countries.</li>
<li>Strong research and development, and manufacturing base are absolutely necessary for India to be self-reliant in cybersecurity. DSCI should work with private sector, academia, and government to coordinate and realise this agenda.</li>
<li>In the line of the Climate Change Fund, we should create a cybersecurity fund, since it is a global problem.</li>
<li>Silos are our bane in general. Bringing government agencies together is crucial. Trust issues (between government, private sector, and users) remain, and can only be resolved over time.</li>
<li>The demand for cybersecurity solutions in India is so large, that there is space for everyone.</li>
<li>The national cybersecurity centre is being set up.</li>
<li>Thinktanks can play a crucial role in helping the government to develop strategies for global cybersecurity negotiations. Indian negotiators are often capacity constrained.</li></ul>
<p>Rajendra Pawar, Chair of the NASSCOM Cyber Security Task Force, NASSCOM Cybersecurity Initiative, provided glimpses of the emerging business opportunity around cybersecurity in India:</p>
<ul>
<li>In the next 10 years, the IT economy in India will be USD 350 bn, and <a href="https://blogs.dsci.in/building-usd-35-billion-cyber-security-industry-how-do-we-do-it/">10% of that will be the cybersecurity pie</a>. This means a million jobs in the cybersecurity space alone.</li>
<li>Academic institutes are key to creation of new ideas and hence entrepreneurs. Government and private sectors should work closely with academic institutes.
<blockquote class="twitter-tweet">
<p dir="ltr">'Companies+Govt+Academia= High growth of the cybersecurity industry' - Rajendra Pawar at <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a></p>
— Shivangi Nadkarni (@shivanginadkarn) <a href="https://twitter.com/shivanginadkarn/status/676995090955530246">December 16, 2015</a></blockquote>
</li>
<li>Globally, cybersecurity innovation and industries happen in clusters. Cities and states must come forward to create such clusters.</li>
<li>2/3rd of the cybersecurity market is provision of services. This is where India has a great advantage, and should build on that to become a global brand in cybersecurity services.</li>
<li>Everyday digital security literacy and cultures need to be created.</li>
<li>Publication of cybersecurity best practices among private companies is a necessity.
<blockquote class="twitter-tweet">
<p dir="ltr">Corporate disclosures of breaches being considered with Nasscom under cybersec task force: Rajendra Pawar <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> <a href="https://twitter.com/ETtech">@ETtech</a></p>
— Neha Alawadhi (@NehaAlawadhiET) <a href="https://twitter.com/NehaAlawadhiET/status/676994553799417856">December 16, 2015</a></blockquote>
</li>
<li>Dedicated cybersecurity spending should be made part of the e-governance budget of central and state governments.</li>
<li>DSCI should function as a clearing house of cybersecurity case studies. At present, thought leadership in cybersecurity comes from the criminals. By serving as a use case clearing house, DSCI will inform interested researchers about potential challenges for which solutions need to be created.</li></ul>
<p>Manish Tiwary of Microsoft informed the audience that India is in the top 3 positions globally in terms of malware proliferation, and this ensures that India is a big focus for Microsoft in its global war against malware. Microsoft India looks forward to working closely with CERT-In and other government agencies.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">RSA's Kartik Shahani <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> Adopt a Deep & Pervasive Level of True Visibility Everywhere <a href="https://t.co/2U8J8WkWsI">pic.twitter.com/2U8J8WkWsI</a></p>
— Debjani Gupta (@DebjaniGupta1) <a href="https://twitter.com/DebjaniGupta1/status/676999786722156544">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Data localization; one of the stumbling blocks that undermine investments in <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a>. <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/vrff3Amcv0">pic.twitter.com/vrff3Amcv0</a></p>
— Appvigil (@appvigil_co) <a href="https://twitter.com/appvigil_co/status/677043180731301888">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Trust verification 4 embedded devices isnt complex bt much desired as people lives r dependent on that-cld cause physical damage <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677057992831860736">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">"Most compromised OS in 2k15: iOS"-Riyaz Tambe, Palo Alto Networks <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Indira Sen (@drealcharbar) <a href="https://twitter.com/drealcharbar/status/677015382356533249">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Security by default in IOS architecture tho' can't verify code as noṭ open - is it security by obscurity? <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/kbPZgH8oA0">pic.twitter.com/kbPZgH8oA0</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677055086611173376">December 16, 2015</a></blockquote>
<p>The session on <strong>Catching Fraudsters</strong> had two insightful presentations from Dr. Triveni Singh, Additional SP of Special Task Force of UP Police, and Mr. Manoj Kaushik, IAS, Additional Director of FIU.</p>
<p>Dr. Singh noted that a key challenge faced by police today is that nobody comes to them with a case of online fraud. Most fraud businesses are run by young groups operating BPOs that steal details from individuals. There exists a huge black market of financial and personal data, often collected from financial institutions and job search sites. Almost any personal data can be bought in such markets. Further, SIM cards under fake names are very easy to buy. The fraudsters operate effectively under entirely fake identities, using operational infrastructure outsourced from legitimate vendors under fake names. Without a central database of all bank customers, it is very difficult for the police to track people across the financial sector. It becomes even more difficult for Indian police to get access to personal data of potential fraudsters when it is stored on a foreign server, which is often the case with usual web services and apps. Many Indian ISPs do not keep IP history data systematically, or do not have the technical expertise to share it in a structured and time-sensitive way.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">Mr. Triveni Singh talks about raiding fake call centres in Delhi NCR that scam millions every year <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/EmE4y3jux2">pic.twitter.com/EmE4y3jux2</a></p>
— pradyumn nand (@PradyumnNand) <a href="https://twitter.com/PradyumnNand/status/677063276442738689">December 16, 2015</a></blockquote>
<p>Mr. Kaushik explained that no financial fraud is uniquely committed via the internet. Many frauds begin on the internet but eventually involve physical fraudulent money transactions. Credit/debit card frauds all involve card data theft via various internet-based and physical methods. However, cybercrime continues to be mistakenly seen as fraud undertaken completely online. Further, mobile-based frauds are yet another category. Almost all apps we use are compromised, or store transaction history in an insecure way, which reveals such data to hackers. FIU is targeting bank accounts to which fraud money is going, and closing them down. Catching the people behind these bank accounts is much more difficult, as account loaning has become a common practice, where valid accounts are loaned out for a small amount of money to fraudsters who return the account after taking out the fraudulent money. Better information sharing between private sector and government will make catching fraudsters easier.</p>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/AkhileshTuteja">@AkhileshTuteja</a> With data overload and big data being prevalent are we considering privacy elements <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/hashtag/KpmgIndiaCyber?src=hash">#KpmgIndiaCyber</a></p>
— Atul Gupta (@AtulGup15843145) <a href="https://twitter.com/AtulGup15843145/status/677082045701488640">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">'Tech solns today designed to protect security - solns for privacy need to evolve'- <a href="https://twitter.com/Mayurakshi_Ray">@Mayurakshi_Ray</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a></p>
— Shivangi Nadkarni (@shivanginadkarn) <a href="https://twitter.com/shivanginadkarn/status/677066470325534721">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">In-house tools important but community collaboration critical to fight security threats <a href="https://twitter.com/tata_comm">@tata_comm</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/ZjbCnaROXC">pic.twitter.com/ZjbCnaROXC</a></p>
— aparna (@aparnag14) <a href="https://twitter.com/aparnag14/status/677067260268187648">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">'Orgns in India have a long way to go b4 they internalise privacy principles' Subhash S, CISO ICICI <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a></p>
— Shivangi Nadkarni (@shivanginadkarn) <a href="https://twitter.com/shivanginadkarn/status/677066928880410624">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Prof PK giving an interesting brief on Academia role in Cyber Security. <a href="https://twitter.com/ponguru">@ponguru</a> <a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> at <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/MEiO6sCJwu">pic.twitter.com/MEiO6sCJwu</a></p>
— Vikas Yadav (@VikasSYadav) <a href="https://twitter.com/VikasSYadav/status/677088566871101440">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Potential for interaction between Academia, Government and Industry but not an established reality yet. <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/hashtag/MappingCyberEducation?src=hash">#MappingCyberEducation</a></p>
— Indira Sen (@drealcharbar) <a href="https://twitter.com/drealcharbar/status/677089590717517824">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">I have figured out why information security is not in any boardroom discussions. Cause there are no good speakers / orators . <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Virag Thakkar (@viragthakkar) <a href="https://twitter.com/viragthakkar/status/677078491699871745">December 16, 2015</a></blockquote>
<p>The session on <strong>Smart Cities</strong> focused on discussing the actual cities coming up in India, and the security challenges highlighted by them. There was a presentation on Mahindra World City being built near Jaipur. Presenters talked about the need to stabilise, standardise, and securitise the unique identities of machines and sensors in a smart city context, so as to enable secure machine-to-machine communication. Since 'smartness' comes from connecting various applications and data silos together, the governance of proprietary technology and ensuring inter-operable data standards are crucial in the smart city.</p>
<p>As Special Purpose Vehicles are being planned to realise the smart cities, the presenters warned that finding the right CEOs for these entities will be critical for their success. Legacy processes and infrastructures (and labour unions) are a big challenge when realising smart cities. Hence, the first step towards the smart cities must be taken through connected enforcement of law, order, and social norms.</p>
<p>Privacy-by-design and security-by-design are necessary criteria for smart city technologies. Along with that, regular and automatic software/middleware updating of distributed systems and devices should be ensured, as well as the physical security of the actual devices and cables.</p>
<p>In terms of standards, security service compliance standards and those for protocols need to be established for the internet-of-things sector in India. On the other hand, there is significant interest among international vendors in serving the Indian market. All global data and cloud storage players, including Microsoft Azure cloud, are moving into India, and are working on substantial and complete data localisation efforts.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">Session - Why should you hire Women Security Professionals?... Balancing gender diversity
<a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://twitter.com/hashtag/DSCI_Connect?src=hash">#DSCI_Connect</a> <a href="https://t.co/uIMfG9PvAb">pic.twitter.com/uIMfG9PvAb</a></p>
— Jagan Suri (@jsuri90) <a href="https://twitter.com/jsuri90/status/677109792679157760">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">gender Diversity in cybersecurity critical 4 India's future. <a href="https://twitter.com/symantec">@symantec</a> partnered with <a href="https://twitter.com/nasscom">@nasscom</a> via 1000 women scholarships <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677118674197602304">December 16, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Dialogue with CERT-In
.. Starting 2nd Day of <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a>
.. B J Srinath, DG, CERT
<a href="https://twitter.com/DSCI_Connect">@DSCI_Connect</a> <a href="https://twitter.com/hashtag/security?src=hash">#security</a> <a href="https://twitter.com/hashtag/privacy?src=hash">#privacy</a> <a href="https://t.co/cvDcrgkein">pic.twitter.com/cvDcrgkein</a></p>
— Vinayak Godse (@godvinayak) <a href="https://twitter.com/godvinayak/status/677342972170493952">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">New <a href="https://twitter.com/hashtag/problems?src=hash">#problems</a> can't b solved w old <a href="https://twitter.com/hashtag/solutions?src=hash">#solutions</a>: <a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT DG BJ Srinath <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677341246281539585">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">17 entities within <a href="https://twitter.com/hashtag/Indian?src=hash">#Indian</a> <a href="https://twitter.com/hashtag/government?src=hash">#government</a> engaged in <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a>: <a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT head <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677341728282533888">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Scope of activities by CERT in <a href="https://twitter.com/hashtag/India?src=hash">#India</a> way more than its counterparts elsewhere <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677342193854451712">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT looks 8 prediction & <a href="https://twitter.com/hashtag/prevention?src=hash">#prevention</a> <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> <a href="https://twitter.com/hashtag/emergency?src=hash">#emergency</a> not just <a href="https://twitter.com/hashtag/response?src=hash">#response</a> <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677343140630540288">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT willing to <a href="https://twitter.com/hashtag/share?src=hash">#share</a> <a href="https://twitter.com/hashtag/information?src=hash">#information</a> rather than just receiving <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677343512833101824">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Savita CERTin outlines drill initiatives taken 4 preparedness-detect (protect), defend attacks wth response <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/wXrkgoLzr2">pic.twitter.com/wXrkgoLzr2</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677346822449303553">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">CERTin also offers incident predictability, Crisis mgmt plans, <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> assurance ladder (7 levels) besides 24 x 7 prevention <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677348506869239809">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/India?src=hash">#India</a> has 7.2 million bot infected <a href="https://twitter.com/hashtag/machines?src=hash">#machines</a>: <a href="https://twitter.com/hashtag/India?src=hash">#India</a> CERT DG Srinath <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Deepak Maheshwari (@dmcorpaffair) <a href="https://twitter.com/dmcorpaffair/status/677355051308871680">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">Seizure & protection of electronic devices as admissible evidence (certificate u Sec 65B) imperative under Forensics investigation <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a></p>
— Lokesh Mehra (@lokesh_mehra) <a href="https://twitter.com/lokesh_mehra/status/677364713005576192">December 17, 2015</a></blockquote>
<blockquote class="twitter-tweet">
<p dir="ltr">'Law enforcement agency&corporate world must collaborate to fight cybercrime'-Atul Gupta,Partner-Risk Adv. @ <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> <a href="https://t.co/GwAQWhYMmK">pic.twitter.com/GwAQWhYMmK</a></p>
— KPMG India (@KPMGIndia) <a href="https://twitter.com/KPMGIndia/status/677373217711919104">December 17, 2015</a></blockquote>
<p>Mr. R. Chandrasekhar, President of NASSCOM, foregrounded the recommendations made by the Cybersecurity Special Task Force of NASSCOM, in his Special Address on the second day. He noted:</p>
<ul>
<li>There is a great opportunity to brand India as a global security R&D and services hub. Other countries are also quite interested in India becoming such a hub.</li>
<li>The government should set up a cybersecurity startup and innovation fund, in coordination with and working in parallel with the centres of excellence in internet-of-things (being led by DeitY) and the data science/analytics initiative (being led by DST).</li>
<li>There is an immediate need to create a capable workforce for the cybersecurity industry.</li>
<li>Cybersecurity affects everyone but there is almost no public disclosure. This leads to low public awareness and valuation of costs of cybersecurity failures. The government should instruct the Ministry of Corporate Affairs to get corporates to disclose (publicly or directly to the Ministry) security breaches.</li>
<li>With digital India and everyone going online, cyberspace will increasingly be prone to attacks of various kinds, and the scale of potential loss will increase. Cybersecurity, hence, must be part of the core national development agenda.</li>
<li>The cybersecurity market in India is big enough and under-served enough for everyone to come and contribute to it.</li></ul>
<p>The Keynote Address by Mr. Rajiv Singh, MD – South Asia of Entrust Datacard, and Mr. Saurabh Airi, Technical Sales Consultant of Entrust Datacard, focused on trustworthiness and security of online identities for financial transactions. They argued that all kinds of transactions require a common form factor, which can be a card or a mobile phone. The key challenge is to make the form factor unique, verified, and secure. While no programme is completely secure, it is necessary to build security into the form factor: security of both the physical and digital kind, from the substrates of the card to the encryption algorithms. Entrust and Datacard have merged in the recent past to align their identity management and security transaction workflows, from physical cards to software systems for transactions. The advantages of this joint expertise have allowed them to successfully develop the National Population Register cards of India. Now, with the mobile phone emerging as a key financial transaction form factor, the challenge across the cybersecurity industry is to offer the same level of physical, digital, and network security for the mobile phone as is provided for ATM cards and cash machines.</p>
<p>The following Keynote Address by Dr. Jared Ragland, Director - Policy of BSA, focused on the cybersecurity investment landscape in India and the neighbouring region. BSA, he explained, is a global trade body of software companies. All major global software companies are members of BSA. Recently, BSA has produced a study on the cybersecurity industry across 10 markets in the Asia Pacific region, titled <a href="http://cybersecurity.bsa.org/2015/apac/">Asia Pacific Cybersecurity Dashboard</a>. The study provides an overview of cybersecurity policy developments in these countries, and sector-specific opportunities in the region. Dr. Ragland mentioned the following as the key building blocks of cybersecurity policy: legal foundation, establishment of operational entities, building trust and partnerships (PPP), addressing sector-specific requirements, and education and awareness. As for India, he argued that while steady steps have been taken in the cybersecurity policy space by the government, a lot remains to be done. Operationalisation of the policy is especially lacking. PPPs are happening but there is a general lack of persistent formal engagement with the private sector, especially with global software companies. There is almost no sector-specific strategy. Further, the requirement for India-specific testing of technologies, according to domestic and not global standards, is creating an entry barrier for global companies and an export barrier for Indian companies. Having said that, Dr. Ragland pointed out that India's cybersecurity experience is quite representative of that of the Asia Pacific region. He noted the following as major stumbling blocks from an international industry perspective: unnecessary and unreasonable testing requirements, setting of domestic standards, and data localisation rules.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">The Policy Makers' panel in <a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a> in progress. Arvind Gupta, Head, BJP IT cell (<a href="https://twitter.com/buzzindelhi">@buzzindelhi</a>) speaks. <a href="https://t.co/9yWR0gMwf5">pic.twitter.com/9yWR0gMwf5</a></p>
— Nandkumar Saravadé (@saravade) <a href="https://twitter.com/saravade/status/677437443356798977">December 17, 2015</a></blockquote>
<p>One of the final sessions of the Summit was the Public Policy Dialogue between <a href="https://twitter.com/rajeevgowda">Prof. M.V. Rajeev Gowda</a>, Member of Parliament, Rajya Sabha, and <a href="https://twitter.com/buzzindelhi">Mr. Arvind Gupta</a>, Head of IT Cell, BJP.</p>
<p>Prof. Gowda focused on the following concerns:</p>
<ul>
<li>We often freely give up our information and rights over to owners of websites and applications on the web. We need to ask questions regarding the ownership, storage, and usage of such data.</li>
<li>While Section 66A of the Information Technology Act started as an anti-spam rule, it has actually been used to harass people, instead of protecting them from online harassment.</li>
<li>The bill on DNA profiling has raised crucial privacy concerns related to this most personal data. The complexity around the issue is created by the possibility of data leakage and usage for various commercial interests.</li>
<li>We need to ask if western notions of privacy will work in the Indian context.</li>
<li>We need to move towards a cashless economy, which will not only formalise the existing informal economy but also speed up transactions nationally. We need to keep in mind that this will put a substantial demand burden on the communication infrastructure, as all transactions will happen through it.</li></ul>
<p> Mr. Gupta shared his keen insights about the key public policy issues in <em>digital India</em>:</p>
<ul>
<li>The journey to establish <em>the digital</em> as a key political agenda and strategy within BJP took him more than 6 years. He has been an entrepreneur, and will always remain one. He approached his political journey as an entrepreneur.</li>
<li>While we are producing numerous digitally literate citizens, the companies offering services on the internet often unknowingly acquire data about these citizens, store them, and sometimes even expose them. India perhaps produces the greatest volume of digital exhaust globally.</li>
<li>BJP inherited the Aadhaar national identity management platform from UPA, and has decided to integrate it deeply into its digital India architecture.</li>
<li>Financial and administrative transactions, especially ones undertaken by and with governments, are all becoming digital and mostly Aadhaar-linked. We are not sure where all such data is going, and who has access to such data.</li>
<li>Right now there is an ongoing debate about using a biometric system for identification. The debate on privacy is much needed, and a privacy policy is essential to strengthen Aadhaar. We must remember that the benefits of Aadhaar clearly outweigh the risks. The greatest privacy threats today come from many other places, including simple mobile torch apps.</li>
<li>India is rethinking its cybersecurity capacities in a serious manner. After the Paris attack it has become obvious that the state should be allowed to look into electronic communication under reasonable guidelines. The challenge is identifying the fine balance between consumers' interest on one hand, and national interest and security concerns on the other. Unfortunately, the concerns of a few are often amplified in popular media.</li>
<li>MyGov platform should be used much more effectively for public policy debates. Social media networks, like Twitter, are not the correct platforms for such debates.</li></ul>
<blockquote class="twitter-tweet">
<p dir="ltr"><a href="https://twitter.com/hashtag/AISS15?src=hash">#AISS15</a>: <a href="https://twitter.com/rajivgowda">@rajivgowda</a> & <a href="https://twitter.com/buzzindelhi">@buzzindelhi</a> are talking abt proactive disclosure as a key part of <a href="https://twitter.com/hashtag/cybersecurity?src=hash">#cybersecurity</a> strategy <a href="https://twitter.com/hashtag/openData?src=hash">#openData</a> <a href="https://twitter.com/DataPortalIndia">@DataPortalIndia</a></p>
— sumandro (@ajantriks) <a href="https://twitter.com/ajantriks/status/677447609502445568">December 17, 2015</a></blockquote>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes'>http://editors.cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes</a>
</p>
No publisher | sumandro | Cybersecurity, NASSCOM, DSCI, Information Security, Cyber Security | 2016-01-19T07:58:56Z | Blog Entry