The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 31 to 45.
A Critical Look at the Visual Representation of Cybersecurity
http://editors.cis-india.org/internet-governance/blog/paromita-bathija-padmini-ray-murray-and-saumyaa-naidu
<b>The Centre for Internet and Society and design collective Design Beku came together on the 15th of November for a workshop on Illustrations and Visual Representations of Cybersecurity. Images in the public sphere, such as visuals in the media, Wikipedia commons, and stock images, play a vital role in the public’s perception of cybercrime and cybersecurity. </b>
<ul>
<li>Edited by Karan Saini / Illustrations by Paul Anthony George and Roshan Shakeel</li></ul>
<ul>
<li>Download the <a class="external-link" href="https://cis-india.org/internet-governance/files/critical-look-at-visual-representation-of-cybersecurity/">file here</a></li></ul>
<hr />
<p style="text-align: justify;">The existing imagery consists largely of stereotypical images of silhouettes of men in hoodies, binary codes, locks, shields; all in dark tones of blue and green. The workshop aimed at identifying the concerns with these existing images and ideating on creating visuals that capture the nuanced concepts within cybersecurity as well as to contextualise them for the Global South. It began with a discussion on the various concepts within cybersecurity including disinformation, surveillance in the name of security, security researchers, regulation of big technology companies, gender and cybersecurity, etc. This was followed by a mapping of different visual elements in the existing cybersecurity imagery to infer the biases in them. Further, an ideation session was conducted to create alternate visualisations that counter these biases. A detailed report of the workshop can be read <a href="https://cis-india.org/internet-governance/workshop-on-cyber-security-illustrations">here</a>.</p>
<p style="text-align: justify;">The participants began by discussing the concerning impacts of present visualisations – there is a lack of representation and context of the global south. Misrepresentation of cybersecurity leads people to be susceptible to disinformation, treats cybercrime as an abstract concept that does not have a direct impact, and oversimplifies the problem and its solutions. The ecosystem in which this imagery exists also presented a larger issue. A majority of the images are created as clickbait alongside media articles. Media houses thus benefit from the oversimplification and mystification of cybersecurity in such images.</p>
<p style="text-align: justify;">Through the mapping of existing images present online, several concerns were identified. The vague elements and unclear representation add to the mystification of cybersecurity as a concept. In present depictions, the use of technological devices and objects leads to the lack of a human element, distancing the threat from any real impact on the people using these devices. The metaphor of a physical threat is often used to depict cybersecurity using elements such as a lock and key. Recurring use of these elements gives a false idea of what is being secured or breached and how. Representations rely on tropes regarding the identity of hackers, and fail to capture the vulnerability of the system. The imagery gives the impression that systems which are breached are immensely secure to begin with and are compromised only as a result of sophisticated attacks carried out by malicious actors. The identity of hackers is commonly associated with cyber attacks and breaches, and the existing imagery reinforces this. Visuals showing a masked man or a silhouette of a man against a dark background are the usual markers of a malicious hacker in conventional cybersecurity imagery. While there is a lack of representation of women in stock cybersecurity images, another trope found was that of a cheerful woman coder. There were also images of faceless women with laptops<a name="_ftnref1" href="#_ftn1"><sup><sup>[1]</sup></sup></a>. The reductive nature of these images points to deeper concerns around gender representation in cybersecurity.</p>
<p style="text-align: justify;">The participants examined what the implications of such visual representation would be, and why there is a need to change the imagery. How can visual depictions be more representative? Can they avoid subscribing to a homogenised idea of an Indian context – specific without being reductive? Can better depiction broaden understanding of cybercrime and emphasize the proximity of those threats? With technology, concepts are often understood through metaphors – how data is explained impacts how people perceive it. Visual imagery can play a critical role in demystifying concepts when done well; illustrations can change the discourse. They must begin to incorporate intersecting aspects of gender, privacy, susceptibility of vulnerable populations, generational and cultural gaps, as well as manifestations of the described crimes to make technological laypersons more aware of the threat.</p>
<p style="text-align: justify;">Potential new imagery would need to address aspects such as disinformation, the importance of privacy and who has a right to it, and the implications of cybercrime for vulnerable populations, among others. It would also need to change the representation of hackers, depict the cybersecurity community, and explain specific concepts both to the general user and to the people who are part of cybersecurity efforts in the country, in an attempt to deconstruct and disseminate what cybersecurity looks like today.</p>
<p style="text-align: justify;">The ideation session involved rethinking specific concepts, such as disinformation and ethical hacking, to create alternate imagery. For instance, disinformation was visually imagined as a distortion of an already distorted message being perceived by the viewer. In order to bring attention to the impact of devices, a phone was thought of as a central object to which different concepts of cybersecurity can be connected.</p>
<p style="text-align: justify;"><img src="http://editors.cis-india.org/home-images/FakeNewsCascade.jpg" alt="null" class="image-inline" title="Fake News Cascade" /></p>
<p><em>‘Fake News Cascade’ by Paul Anthony George</em></p>
<p><img src="http://editors.cis-india.org/home-images/FakeNews.jpg" alt="null" class="image-inline" title="Fake News" /></p>
<p><em>‘Fake News’ by Paul Anthony George</em></p>
<p><img src="http://editors.cis-india.org/home-images/Disinformation1.jpg" alt="null" class="image-inline" title="Disinformation 1" /></p>
<p><img src="http://editors.cis-india.org/home-images/Disinformation2.jpg" alt="null" class="image-inline" title="Disinformation 2" /></p>
<p><em>‘Disinformation/ Fake News’ by Roshan Shakeel; The sketch is about questioning the validity of what we see online, and that every message we see is constructed in some form or the other by someone else.</em></p>
<p><em><img src="http://editors.cis-india.org/home-images/Disinformation3.jpg" alt="null" class="image-inline" title="Disinformation 3" /></em></p>
<p><em>‘Disinformation/ Fake News’ by Roshan Shakeel; </em>The sketch visualizes how the source of information ('the original') gets distorted after a certain point.</p>
<p>For ethical hacking, a visualisation depicting a day in the life of an ethical hacker was thought of to normalize hacking and to focus on their contribution in security research.</p>
<p><img src="http://editors.cis-india.org/home-images/ADayinLife.jpg" alt="null" class="image-inline" title="A Day in Life" /></p>
<p><em>‘A Day in the Life of an Indian Hacker’ by Paul Anthony George</em></p>
<p><em><img src="http://editors.cis-india.org/home-images/SurveillanceinthenameofSecurity.jpg" alt="null" class="image-inline" title="Surveillance in the name of Security" /></em></p>
<p><em>'Surveillance in the Name of Security' by</em> <em>Roshan Shakeel</em></p>
<p style="text-align: justify;">Resources on ethical hacking (HackerOne)<a name="_ftnref2" href="#_ftn2"><sup>[2]</sup></a> and hacker culture (2600.com)<a name="_ftnref3" href="#_ftn3"><sup>[3]</sup></a> were also consulted as part of the exercise to gather references on the work done by hackers. This allowed a deeper understanding of how the hacker community depicts itself. Check Point Research<a name="_ftnref4" href="#_ftn4"><sup>[4]</sup></a> and Kerala Police Cyberdome<a name="_ftnref5" href="#_ftn5"><sup>[5]</sup></a> were also examined for further insight into cybersecurity. With regard to gender representation, sources that use visual techniques to communicate concerns and advocacy campaigns were also referred to. The Gendering Surveillance<a name="_ftnref6" href="#_ftn6"><sup>[6]</sup></a> initiative by the Internet Democracy project<a name="_ftnref7" href="#_ftn7"><sup>[7]</sup></a>, which looks at how surveillance harms and restricts women, also offered insights on the use of illustrations supporting the case studies. Another reference was the "Visualising Women's Rights in the Arab World"<a name="_ftnref8" href="#_ftn8"><sup>[8]</sup></a> project by the Tactical Technology Collective<a name="_ftnref9" href="#_ftn10"><sup>[9]</sup></a>. The project aims to “strengthen the use of visual techniques by women's rights advocates in the Arab world, and to build a network of women with these skills”.<a name="_ftnref10" href="#_ftn10"><sup>[10]</sup></a></p>
<p style="text-align: justify;">More visual explainers and animations<a name="_ftnref11" href="#_ftn11"><sup><sup>[11]</sup></sup></a> from the Tactical Technology Collective were noted for their broader engagement with digital security and privacy. A video by the Internet Democracy Project that explains the Internet through <em>rangoli</em><a name="_ftnref12" href="#_ftn12"><sup><sup>[12]</sup></sup></a>, was observed specifically for setting the concept in Indian context through the use of aesthetics.</p>
<p style="text-align: justify;">The workshop concluded with a discussion of potential visual iterations – imagery of cybersecurity that is not technology-oriented but focussed on the behavioural implications of access to such technology, illustrated public service announcements enhancing the profile of cybersecurity researchers or the everyday hacker. The impact of the discussion itself can indicate the relevance of such an effort. Artists and designers can be encouraged to create a body of imagery that shifts discourse and perception, to begin visualising for advocacy, demystify and stop the abstraction of cybercrime that can lead to a false sense of security, incorporate unique aspects of the debate within the Indian context, and generate new dialogue and understanding of cybersecurity. A potential step forward from this workshop would be to engage with the design community at large along with the domain experts to create more effective imagery for cybersecurity.</p>
<hr />
<p><a name="_ftn1" href="#_ftnref1"><sup><sup>[1]</sup></sup></a> https://www.hackerone.com/</p>
<p><a name="_ftn2" href="#_ftnref2"><sup><sup>[2]</sup></sup></a> https://2600.com/</p>
<p><a name="_ftn3" href="#_ftnref3"><sup><sup>[3]</sup></sup></a> https://research.checkpoint.com/about-us/</p>
<p><a name="_ftn4" href="#_ftnref4"><sup><sup>[4]</sup></sup></a> http://www.cyberdome.kerala.gov.in/</p>
<p><a name="_ftn5" href="#_ftnref5"><sup><sup>[5]</sup></sup></a> https://genderingsurveillance.internetdemocracy.in/</p>
<p><a name="_ftn6" href="#_ftnref6"><sup><sup>[6]</sup></sup></a> https://internetdemocracy.in/</p>
<p><a name="_ftn7" href="#_ftnref7"><sup><sup>[7]</sup></sup></a> https://visualrights.tacticaltech.org/index.html</p>
<p><a name="_ftn8" href="#_ftnref8"><sup><sup>[8]</sup></sup></a> https://tacticaltech.org/</p>
<p><a name="_ftn9" href="#_ftnref9"><sup><sup>[9]</sup></sup></a> https://visualrights.tacticaltech.org/content/about-website.html</p>
<p><a name="_ftn10" href="#_ftnref10"><sup><sup>[10]</sup></sup></a> https://tacticaltech.org/projects/survival-in-the-digital-age-ono-robot-2012/</p>
<p><a name="_ftn11" href="#_ftnref11"><sup><sup>[11]</sup></sup></a> https://internetdemocracy.in/2018/08/dots-and-connections/</p>
<p><a name="_ftn12" href="#_ftnref12"><sup><sup>[12]</sup></sup></a> https://www.independent.co.uk/life-style/gadgets-and-tech/features/women-in-tech-its-time-to-drop-the-old-stereotypes-7608794.html</p>
No publisher
Paromita Bathija, Padmini Ray Murray, and Saumyaa Naidu
Cyber Security, Internet Governance
2019-08-21T08:00:11Z
Blog Entry
Cyberspace and External Affairs: A Memorandum for India Summary
http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-november-30-2018-cyberspace-and-external-affairs
<b>This memorandum seeks to summarise the state of the global debate in cyberspace, outline how India can craft its global strategic vision and, finally, provide a set of recommendations for the MEA as they craft their cyber diplomacy strategy.</b>
<p class="moz-quote-pre" style="text-align: justify; ">It limits itself to advocating certain procedural steps that the Ministry of External Affairs should take towards propelling India forward as a leading voice in the global cyber norms space and explains why occupying this leadership position should be a vital foreign policy priority. It does not delve into content-based recommendations at this stage. Further, this memorandum is not meant to serve as exhaustive academic research on the subject but builds on previous research by the Centre for Internet & Society in this area to highlight key policy windows that can be driven by India.</p>
<p class="moz-quote-pre" style="text-align: justify; ">This memorandum provides a background to global norms formation, focussing on key global developments over the past month; traces the opportunities for India to play a lead role in the global norms formulation debate; and then charts out process-related recommendations on next steps towards India taking this forward.</p>
<hr />
<p class="moz-quote-pre" style="text-align: justify; "><a class="external-link" href="http://cis-india.org/internet-governance/files/cyberspace-and-external-affairs">Click here</a> to read more</p>
No publisher
Arindrajit Basu and Elonnai Hickok
Cyber Security, Internet Governance, Privacy
2018-12-01T04:10:51Z
Blog Entry
Budapest Convention and the Information Technology Act
http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act
<b>The Convention on Cybercrime adopted in Budapest (“Convention”) is the first and one of the most important multilateral treaties addressing the issue of internet and computer crimes.</b>
<p style="text-align: justify; "><b>Introduction</b><br />It was drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America.<a href="#_ftn1" name="_ftnref1">[1]</a> The importance of the Convention is also indicated by the fact that adherence to it (whether by outright adoption or by otherwise making domestic laws in compliance with it) is one of the conditions mentioned in the Clarifying Lawful Overseas Use of Data Act passed in the USA (CLOUD Act) whereby a process has been established to enable security agencies of India and the United States to directly access data stored in each other’s territories. Our analysis of the CLOUD Act vis-à-vis India can be found <a href="https://cis-india.org/internet-governance/blog/an-analysis-of-the-cloud-act-and-implications-for-india">here</a>. It is in continuation of that analysis that we have undertaken here a detailed comparison of the Information Technology Act, 2000 (“<b>IT Act</b>”) and how it stacks up against the provisions of Chapter I and Chapter II of the Convention.<a href="#_ftn2" name="_ftnref2"><sup><sup>[2]</sup></sup></a></p>
<p style="text-align: justify; ">Before we get into a comparison of the Convention with the IT Act, we must point out the distinction between the two legal instruments, for the benefit of readers from a non-legal background. An international instrument such as the Convention on Cybercrime (generally speaking) is essentially a promise made by the States which are a party to that instrument, that they will change or modify their local laws to get them in line with the requirements or principles laid out in said instrument. In case the signatory State does not make such amendments to its local laws, (usually) the citizens of that State cannot enforce any rights that they may have been granted under such an international instrument. The situation is the same with the Convention on Cybercrime: unless the signatory State amends its local laws to bring them in line with the provisions of the Convention, there cannot be any enforcement of the provisions of the Convention within that State.<a href="#_ftn3" name="_ftnref3">[3]</a> This, however, is not the case for India and the IT Act, since India is not a signatory to the Convention on Cybercrime and therefore is not obligated to amend its local laws to bring them in line with the Convention.</p>
<p style="text-align: justify; ">Although India and the Council of Europe cooperated to amend the IT Act through major amendments brought about vide the Information Technology (Amendment) Act, 2008, India still has not become a signatory to the Convention on Cybercrime. The reasons for this appear to be unclear and it has been suggested that these reasons may range from the fact that India was not involved in the original drafting, to issues of sovereignty regarding the provisions for international cooperation and extradition.<a href="#_ftn4" name="_ftnref4">[4]</a></p>
<p> </p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
</td>
</tr>
<tr>
<td>
<p><b>Article 2 – Illegal access</b></p>
<p style="text-align: justify; ">Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.</p>
</td>
<td>
<p><b>Section 43</b></p>
<p style="text-align: justify; ">If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -</p>
<p style="text-align: justify; ">(a) accesses or secures access to such computer, computer system or computer network or computer resource</p>
<p> </p>
<p><b>Section 66</b></p>
<p style="text-align: justify; ">If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to <b>three </b>years or with fine which may extend to five lakh rupees or with both.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p style="text-align: justify; ">The Convention gives States the right to further qualify the offence of “illegal access” or “hacking” by adding elements such as infringing security measures, special intent to obtain computer data, other dishonest intent that justifies criminal culpability, or the requirement that the offence is committed in relation to a computer system that is connected remotely to another computer system.<a href="#_ftn5" name="_ftnref5"><sup><sup>[5]</sup></sup></a> However, Indian law deals with the distinction by making the act of unauthorised access without dishonest or fraudulent intent a civil offence, where the offender is liable to pay compensation. If the same act is done with dishonest and fraudulent intent, it is treated as a criminal offence punishable with fine and imprisonment which may extend to 3 years.</p>
<p>It must be noted that this provision was included in the Act only through the Amendment of 2008 and was not present in the Information Technology Act, 2000 in its original iteration.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
</td>
</tr>
<tr>
<td>
<p><b>Article 3 – Illegal Interception</b></p>
<p style="text-align: justify; ">Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.</p>
<p> </p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Although the Information Technology Act, 2000 does not specifically criminalise the interception of communications by a private person, it is possible that under the provisions of Rule 43(a) the act of accessing a “computer network” could be interpreted as including unauthorised interception within its ambit.</p>
<p style="text-align: justify; ">The other way in which illegal interception may be considered to be illegal is through a combined reading of Sections 69 (Interception) and 45 (Residuary Penalty) with Rule 3 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 which prohibits interception, monitoring and decryption of information under section 69(2) of the IT Act except in a manner as provided by the Rules. However, it must be noted that section 69(2) only talks about interception by the government and Rule 3 only provides for procedural safeguards for such an interception. It could therefore be argued that the prohibition under Rule 3 is only applicable to the government and not to private individuals since section 62, the provision under which Rule 3 has been issued, itself is not applicable to private individuals.</p>
<p> </p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr style="text-align: justify; ">
<td>
<p><b>Article 4 – Data interference</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.</p>
<p>2 A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.</p>
</td>
<td>
<p>Section 43</p>
<p>If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -</p>
<p>(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;</p>
<p>(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;</p>
<p>(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,</p>
<p>he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. (change vide ITAA 2008)</p>
<p><b>Section 66</b></p>
<p>If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to <b>three </b>years or with fine which may extend to five lakh rupees or with both.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p style="text-align: justify; ">Damage, deletion, diminishing in value and alteration of data are considered crimes as per Section 66 read with section 43 of the IT Act if done with fraudulent or dishonest intention. <b>While the Convention only requires such acts to be crimes if committed intentionally, the Information Technology Act requires that such intention be either dishonest or fraudulent; only then will such an act be a criminal offence. Otherwise it will only incur civil consequences, requiring the perpetrator to pay damages by way of compensation.</b></p>
<p style="text-align: justify; ">It must be noted that the optional requirement of such an act causing serious harm has not been adopted by Indian law, i.e. the act of such damage, deletion, etc. by itself is enough to constitute the offence, and there is no requirement of such an act causing serious harm.</p>
<p style="text-align: justify; ">As per the Explanatory Report to the Convention on Cybercrime, “<b>Suppressing</b> of computer data means any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored.” Strictly speaking the act of suppression of data in another system is not covered by the language of section 43, but looking at the tenor of the section it is likely that if a court is faced with a situation of intentional/malicious denial of access to data, the court could expand the scope of the term “damage” as contained in sub-section (d) to include such malicious acts.</p>
<p> </p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 5 – System interference</b></p>
<p style="text-align: justify; ">Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, <b>when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data</b>.</p>
</td>
<td>
<p style="text-align: justify; ">Section 43</p>
<p style="text-align: justify; ">If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -</p>
<p style="text-align: justify; ">(e) disrupts or causes disruption of any computer, computer system or computer network;</p>
<p style="text-align: justify; "><b>Explanation </b>- for the purposes of this section -</p>
<p style="text-align: justify; ">(i) "Computer Contaminant" means any set of computer instructions that are designed -</p>
<p style="text-align: justify; ">(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or</p>
<p style="text-align: justify; ">(b) by any means to usurp the normal operation of the computer, computer system, or computer network;</p>
<p style="text-align: justify; ">(iii) "Computer Virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;</p>
<p style="text-align: justify; "> </p>
<p><b>Section 66</b></p>
<p style="text-align: justify; ">If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to <b>three </b>years or with fine which may extend to five lakh rupees or with both.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p style="text-align: justify; ">Causing hindrance to the functioning of a computer system with fraudulent or dishonest intention is an offence under the IT Act. <b>While the Convention only requires such acts to be crimes if committed intentionally, the IT Act requires that such intention be either dishonest or fraudulent; only then will such an act be a criminal offence. Otherwise it will only incur civil consequences, requiring the perpetrator to pay damages by way of compensation.</b></p>
<p style="text-align: justify; ">The IT Act does not require such disruption to be caused in any particular manner as is required under the Convention, although the acts of introducing computer viruses as well as damaging or deleting data themselves have been classified as offences under the IT Act.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 6 – Misuse of devices</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:</p>
<p style="text-align: justify; ">a the production, sale, procurement for use, import, distribution or otherwise making available of:</p>
<p>i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;</p>
<p style="text-align: justify; ">ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and</p>
<p>b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.</p>
<p style="text-align: justify; ">2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.</p>
<p style="text-align: justify; ">3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.</p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p style="text-align: justify; ">This provision establishes as a separate and independent criminal offence the intentional commission of specific illegal acts regarding certain devices or access data to be misused for the purpose of committing offences against the confidentiality, the integrity and availability of computer systems or data. While the IT Act does not by itself make the production, sale, procurement for use, import or distribution of devices designed or adapted for such purposes an offence, sub-section (g) of section 43 along with section 120A of the Indian Penal Code, 1860, which deals with “conspiracy”, could perhaps be used to bring such acts within the scope of the penal statutes.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 7 – Computer related forgery</b></p>
<p style="text-align: justify; ">Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.</p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<p style="text-align: justify; ">While the acts of deletion, alteration and suppression of data are by themselves crimes, as discussed above, there is no specific offence for doing such acts for the purpose of forgery. However, this does not mean that the crime of online forgery is not punishable in India at all; such crimes would be dealt with under the relevant provisions of the Indian Penal Code, 1860 (Chapter 18) read with section 4 of the IT Act.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 8 – Computer-related fraud</b></p>
<p>Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing of a loss of property to another person by:</p>
<p>a any input, alteration, deletion or suppression of computer data,</p>
<p>b any interference with the functioning of a computer system,</p>
<p>with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.</p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Just as in the case of forgery, there is no specific provision in the IT Act whereby online fraud would be considered a crime; however, specific acts such as charging services availed of by one person to another (section 43(h)), identity theft (section 66C) and cheating by impersonation (section 66D) have been listed as criminal offences. Further, as with forgery, fraudulent acts to procure economic benefits would also be covered by the provisions of the Indian Penal Code that deal with cheating.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 9 – Offences related to child pornography</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct:</p>
<p>a producing child pornography <b>for the purpose of its distribution </b>through a computer system;</p>
<p>b offering or making available child pornography through a computer system;</p>
<p>c distributing or transmitting child pornography through a computer system;</p>
<p>d procuring child pornography through a computer system for oneself or for another person;</p>
<p>e possessing child pornography in a computer system or on a computer-data storage medium.</p>
<p style="text-align: justify; ">2 For the purpose of paragraph 1 above, the term "child pornography" shall include pornographic material that visually depicts:</p>
<p>a a minor engaged in sexually explicit conduct;</p>
<p>b a person appearing to be a minor engaged in sexually explicit conduct;</p>
<p>c realistic images representing a minor engaged in sexually explicit conduct.</p>
<p style="text-align: justify; ">3 For the purpose of paragraph 2 above, the term "minor" shall include all persons under 18 years of age. A Party may, however, require a lower age-limit, which shall be not less than 16 years.</p>
<p style="text-align: justify; ">4 Each Party may reserve the right not to apply, in whole or in part, paragraphs 1, subparagraphs d and e, and 2, sub-paragraphs b and c.</p>
</td>
<td>
<p style="text-align: justify; "><b>67 B Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form. </b></p>
<p>Whoever,-</p>
<p>(a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or</p>
<p style="text-align: justify; ">(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or</p>
<p>(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or</p>
<p>(d) facilitates abusing children online or</p>
<p>(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,</p>
<p style="text-align: justify; ">shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:</p>
<p style="text-align: justify; ">Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-</p>
<p style="text-align: justify; ">(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or</p>
<p>(ii) which is kept or used for bonafide heritage or religious purposes</p>
<p>Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The publishing, transmission, creation, collection, seeking, browsing, etc. of child pornography is an offence under Indian law punishable with imprisonment for up to 5 years for a first offence and up to 7 years for a subsequent offence, along with fine.</p>
<p style="text-align: justify; ">It is important to note that bona fide depictions for the public good, such as for publication in pamphlets, reading or educational material, are specifically excluded from the rigours of the section. Similarly, material kept for heritage or religious purposes is also exempted under this section. Such exceptions are in line with the intent of the Convention, since the Explanatory statement itself states that “The term "pornographic material" in paragraph 2 is governed by national standards pertaining to the classification of materials as obscene, inconsistent with public morals or similarly corrupt. Therefore, material having an artistic, medical, scientific or similar merit may be considered not to be pornographic.”</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 10 – Offences related to infringements of copyright and related rights</b></p>
<p style="text-align: justify; ">1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright, as defined under the law of that Party, pursuant to the obligations it has undertaken under the Paris Act of 24 July 1971 revising the Bern Convention for the Protection of Literary and Artistic Works, the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.</p>
<p style="text-align: justify; ">2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of related rights, as defined under the law of that Party, pursuant to the obligations it has undertaken under the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations (Rome Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Performances and Phonograms Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.</p>
<p style="text-align: justify; ">3 A Party may reserve the right not to impose criminal liability under paragraphs 1 and 2 of this article in limited circumstances, provided that other effective remedies are available and that such reservation does not derogate from the Party’s international obligations set forth in the international instruments referred to in paragraphs 1 and 2 of this article.</p>
</td>
<td>
<p><b>81 Act to have Overriding effect </b></p>
<p style="text-align: justify; ">The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.</p>
<p style="text-align: justify; ">Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The use of the term "pursuant to the obligations it has undertaken" in both paragraphs makes it clear that a Contracting Party to the Convention is not bound to apply agreements cited (TRIPS, WIPO, etc.) to which it is not a Party; moreover, if a Party has made a reservation or declaration permitted under one of the agreements, that reservation may limit the extent of its obligation under the present Convention.</p>
<p style="text-align: justify; ">The IT Act does not try to intervene in the existing copyright regime of India and creates a special exemption for the Copyright Act and the Patents Act in the clause which provides this Act overriding effect. India’s obligations under the various treaties and conventions on intellectual property rights are enshrined in these legislations.<a href="#_ftn6" name="_ftnref6"><sup><sup>[6]</sup></sup></a></p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 11 – Attempt and aiding or abetting</b></p>
<p style="text-align: justify; ">1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offences established in accordance with Articles 2 through 10 of the present Convention with intent that such offence be committed.</p>
<p style="text-align: justify; ">2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, an attempt to commit any of the offences established in accordance with Articles 3 through 5, 7, 8, and 9.1.a and c of this Convention.</p>
<p>3 Each Party may reserve the right not to apply, in whole or in part, paragraph 2 of this article.</p>
</td>
<td>
<p><b>84 B Punishment for abetment of offences </b></p>
<p style="text-align: justify; ">Whoever abets any offence shall, if the act abetted is committed in consequence of the abetment, and no express provision is made by this Act for the punishment of such abetment, be punished with the punishment provided for the offence under this Act.</p>
<p style="text-align: justify; ">Explanation: An Act or offence is said to be committed in consequence of abetment, when it is committed in consequence of the instigation, or in pursuance of the conspiracy, or with the aid which constitutes the abetment.</p>
<p> </p>
<p><b>84 C Punishment for attempt to commit offences </b></p>
<p style="text-align: justify; ">Whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed, and in such an attempt does any act towards the commission of the offence, shall, where no express provision is made for the punishment of such attempt, be punished with imprisonment of any description provided for the offence, for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence or with both.</p>
</td>
</tr>
</tbody>
</table>
<p>As can be seen, both attempt and abetment of criminal offences under the IT Act have been criminalised.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 12 – Corporate liability</b></p>
<p style="text-align: justify; ">1 Each Party shall adopt such legislative and other measures as may be necessary to ensure that legal persons can be held liable for a criminal offence established in accordance with this Convention, committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within it, based on:</p>
<p>a a power of representation of the legal person;</p>
<p>b an authority to take decisions on behalf of the legal person;</p>
<p>c an authority to exercise control within the legal person.</p>
<p style="text-align: justify; ">2 In addition to the cases already provided for in paragraph 1 of this article, each Party shall take the measures necessary to ensure that a legal person can be held liable where the lack of supervision or control by a natural person referred to in paragraph 1 has made possible the commission of a criminal offence established in accordance with this Convention for the benefit of that legal person by a natural person acting under its authority.</p>
<p>3 Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative.</p>
<p>4 Such liability shall be without prejudice to the criminal liability of the natural persons who have committed the offence.</p>
</td>
<td>
<p><b>85 Offences by Companies. </b></p>
<p style="text-align: justify; ">(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a Company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:</p>
<p style="text-align: justify; "><b>Provided </b>that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.</p>
<p style="text-align: justify; ">(2) Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made there under has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.</p>
<p><b>Explanation</b>-</p>
<p>For the purposes of this section</p>
<p>(i) "Company" means any Body Corporate and includes a Firm or other Association of individuals; and</p>
<p>(ii) "Director", in relation to a firm, means a partner in the firm.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The liability of a company or other body corporate has been laid out in the IT Act in a manner similar to the Budapest Convention. While the test to determine the relationship between the legal entity and the natural person who has committed the act on behalf of the legal entity is a little more detailed<a href="#_ftn7" name="_ftnref7">[7]</a> in the Convention, the substance of the test is laid out in the IT Act as “a person who is in charge of, and was responsible to, the company”.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 14</b></p>
<p style="text-align: justify; ">1 Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings.</p>
<p style="text-align: justify; ">2 Except as specifically provided otherwise in Article 21, each Party shall apply the powers and procedures referred to in paragraph 1 of this article to:</p>
<p style="text-align: justify; ">a the criminal offences established in accordance with Articles 2 through 11 of this Convention;</p>
<p style="text-align: justify; ">b other criminal offences committed by means of a computer system; and</p>
<p style="text-align: justify; ">c the collection of evidence in electronic form of a criminal offence.</p>
<p style="text-align: justify; ">3 a Each Party may reserve the right to apply the measures referred to in Article 20 only to offences or categories of offences specified in the reservation, provided that the range of such offences or categories of offences is not more restricted than the range of offences to which it applies the measures referred to in Article 21. Each Party shall consider restricting such a reservation to enable the broadest application of the measure referred to in Article 20.</p>
<p style="text-align: justify; ">b Where a Party, due to limitations in its legislation in force at the time of the adoption of the present Convention, is not able to apply the measures referred to in Articles 20 and 21 to communications being transmitted within a computer system of a service provider, which system:</p>
<p style="text-align: justify; ">i is being operated for the benefit of a closed group of users, and</p>
<p style="text-align: justify; ">ii does not employ public communications networks and is not connected with another computer system, whether public or private, that Party may reserve the right not to apply these measures to such communications.</p>
<p style="text-align: justify; ">Each Party shall consider restricting such a reservation to enable the broadest application of the measures referred to in Articles 20 and 21.</p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">This is a provision of a general nature that need not have any equivalence in domestic law. The provision clarifies that all the powers and procedures provided for in this section (Articles 14 to 21) are for the purpose of “specific criminal investigations or proceedings”.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 15 – Conditions and safeguards</b></p>
<p style="text-align: justify; ">1 Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.</p>
<p style="text-align: justify; ">2 Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, <i>inter alia</i>, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.</p>
<p style="text-align: justify; ">3 To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities and legitimate interests of third parties.</p>
</td>
<td>
<p>NA</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">This again is a provision of a general nature which need not have a corresponding clause in the domestic law. India is a signatory to a number of international human rights conventions and treaties: it has acceded to the International Covenant on Civil and Political Rights (ICCPR), 1966 and the International Covenant on Economic, Social and Cultural Rights (ICESCR), 1966; ratified the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), 1965, with certain reservations; signed the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW), 1979 with certain reservations and the Convention on the Rights of the Child (CRC), 1989; and signed the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (CAT), 1984. Further, the right to life guaranteed under Article 21 of the Constitution takes within its fold a number of human rights such as the right to privacy. Freedom of expression, right to fair trial, freedom of assembly and the right against arbitrary arrest and detention are all fundamental rights guaranteed under the Constitution of India, 1950.<a href="#_ftn8" name="_ftnref8"><sup><sup>[8]</sup></sup></a></p>
<p style="text-align: justify; ">In addition, India has enacted the Protection of Human Rights Act, 1993 for the constitution of a National Human Rights Commission, State Human Rights Commissions in States and Human Rights Courts for better protection of “human rights” and for matters connected therewith or incidental thereto. Thus, there does exist a statutory mechanism for the enforcement of human rights<a href="#_ftn9" name="_ftnref9"><sup><sup>[9]</sup></sup></a> under Indian law. It must be noted that the definition of human rights also incorporates rights embodied in International Covenants, and that these are enforceable by Courts in India.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr style="text-align: justify; ">
<td>
<p><b>Article 16 – Expedited preservation of stored computer data</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.</p>
<p>2 Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person’s possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed.</p>
<p>3 Each Party shall adopt such legislative and other measures as may be necessary to oblige the custodian or other person who is to preserve the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.</p>
<p>4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
<p><b>Article 17 – Expedited preservation and partial disclosure of traffic data</b></p>
<p>1 Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such legislative and other measures as may be necessary to:</p>
<p>a ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and</p>
<p>b ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.</p>
<p>2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
</td>
<td>
<p><b>29 Access to computers and data. </b></p>
<p>(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorized by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this chapter made there under has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. (Amended vide ITAA 2008)</p>
<p> </p>
<p>(2) For the purposes of sub-section (1), the Controller or any person authorized by him may, by order, direct any person in charge of, or otherwise concerned with the operation of the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.</p>
<p> </p>
<p><b>67 C</b> <b>Preservation and Retention of information by intermediaries </b></p>
<p>(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.</p>
<p> </p>
<p><b>Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011</b></p>
<p>3(7) - When required by lawful order, the intermediary shall provide information <b>or any such assistance</b> to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.</p>
<p> </p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">It must be noted that Article 16 and Article 17 refer only to data preservation and not data retention. “Data preservation” means to keep data, which already exists in a stored form, protected from anything that would cause its current quality or condition to change or deteriorate. Data retention means to keep data, which is currently being generated, in one’s possession into the future.<a href="#_ftn10" name="_ftnref10"><sup><sup>[10]</sup></sup></a> In short, the article provides only for preservation of existing stored data, pending subsequent disclosure of the data, in relation to specific criminal investigations or proceedings.</p>
<p style="text-align: justify; ">The Convention uses the term "order or similarly obtain", which is intended to allow the use of other legal methods of achieving preservation than merely by means of a judicial or administrative order or directive (e.g. from police or prosecutor). In some States, preservation orders do not exist in the procedural law, and data can only be preserved and obtained through search and seizure or production order. Flexibility was therefore intended by the use of the phrase "or otherwise obtain" to permit the implementation of this article by the use of these means.</p>
<p style="text-align: justify; ">While Indian law does not have a specific provision for issuing an order for preservation of data, the provisions of section 29 as well as sections 99 to 101 of the Code of Criminal Procedure, 1973 may be utilized to achieve the result intended by Articles 16 and 17. Although section 67C of the IT Act uses the term “preserve and retain such information”, this provision is intended primarily for the purpose of data retention and not data preservation.</p>
<p style="text-align: justify; ">Another provision which may conceivably be used for issuing preservation orders is Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011 which requires intermediaries to provide “any such assistance” to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. However, in the absence of a power of preservation in the main statute (IT Act) it remains to be seen whether such an order would be enforced if challenged in a court of law.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr style="text-align: justify; ">
<td>
<p><b>Article 18 – Production order</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:</p>
<p>a. a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and</p>
<p>b. a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.</p>
<p>2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
<p>3 For the purpose of this article, the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:</p>
<p>a the type of communication service used, the technical provisions taken thereto and the period of service;</p>
<p>b the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;</p>
<p>c any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.</p>
<p> </p>
</td>
<td>
<p><b>Section 28(2)</b></p>
<p>(2) The Controller or any officer authorized by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-Tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.</p>
<p><b>Section 58(2)</b></p>
<p>(2) The Cyber Appellate Tribunal shall have, for the purposes of discharging their functions under this Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the following matters, namely -</p>
<p>(b) requiring the discovery and production of documents or other electronic records;</p>
<p> </p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">While the Cyber Appellate Tribunal and the Controller of Certifying Authorities both have the power to call for information under the IT Act, these powers can be exercised only for limited purposes since the jurisdiction of both authorities is limited to the procedural provisions of the IT Act and they do not have the jurisdiction to investigate penal provisions. In practice, the penal provisions of the IT Act are investigated by the regular law enforcement apparatus of India, which uses statutory provisions for production orders applicable in the offline world to computer systems as well. It is a very common practice amongst law enforcement authorities to issue orders under the Code of Criminal Procedure, 1973 (section 91) or the relevant provisions of the Income Tax Act, 1961 to compel production of information contained in a computer system. The power to order production of a “document or other thing” under section 91 of the Criminal Procedure Code is wide enough to cover all types of information which may be residing in a computer system and can even include the entire computer system itself.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 19 – Search and seizure of stored computer data</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:</p>
<p>a a computer system or part of it and computer data stored therein; and</p>
<p>b a computer-data storage medium in which computer data may be stored in its territory.</p>
<p style="text-align: justify; ">2 Each Party shall adopt such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, pursuant to paragraph 1.a, and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, the authorities shall be able to expeditiously extend the search or similar accessing to the other system.</p>
<p>3 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to:</p>
<p>a seize or similarly secure a computer system or part of it or a computer-data storage medium;</p>
<p>b make and retain a copy of those computer data;</p>
<p>c maintain the integrity of the relevant stored computer data;</p>
<p>d render inaccessible or remove those computer data in the accessed computer system.</p>
<p style="text-align: justify; ">4 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2.</p>
<p>5 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
</td>
<td>
<p><b>76 Confiscation </b></p>
<p style="text-align: justify; ">Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened, shall be liable to confiscation:</p>
<p style="text-align: justify; "><b>Provided </b>that where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control of any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act, rules, orders or regulations made there under, the court may, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorized by this Act against the person contravening of the provisions of this Act, rules, orders or regulations made there under as it may think fit.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">While Article 19 provides for the power to search and seize computer systems for the investigation into criminal offences of any type or kind, section 76 of the IT Act is limited only to contraventions of the provisions of the Act, rules, orders or regulations made thereunder. However, this does not mean that Indian law enforcement authorities do not have the power to search and seize a computer system for crimes other than those contained in the IT Act; just as in the case of Article 18, the authorities in India are free to use the provisions contained in the Criminal Procedure Code and other sectoral legislations which allow for seizure of property to seize computer systems when investigating criminal offences.</p>
<table>
<tbody>
<tr>
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr style="text-align: justify; ">
<td>
<p><b>Article 20 – Real-time collection of traffic data</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:</p>
<p>a collect or record through the application of technical means on the territory of that Party, and</p>
<p>b compel a service provider, within its existing technical capability:</p>
<p>i to collect or record through the application of technical means on the territory of that Party; or</p>
<p>ii to co-operate and assist the competent authorities in the collection or recording of,</p>
<p> </p>
<p>traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.</p>
<p>2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specified communications transmitted in its territory, through the application of technical means on that territory.</p>
<p>3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.</p>
<p>4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
</td>
<td>
<p><b>69B Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security </b></p>
<p>(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.</p>
<p>(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating , transmitting, receiving or storing such traffic data or information.</p>
<p>(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.</p>
<p>(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.</p>
<p>Explanation: For the purposes of this section, (i) "Computer Contaminant" shall have the meaning assigned to it in section 43.</p>
<p>(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.</p>
<p> </p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Section 69B in the IT Act enables the government to authorise the monitoring and collection of traffic data through any computer system. Under the Convention, orders for collection and recording of traffic data can be given for the purposes mentioned in Articles 14 and 15. On the other hand, as per the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009, an order for monitoring may be issued for any of the following purposes relating to cyber security:</p>
<p>(a) forecasting of imminent cyber incidents;</p>
<p>(b) monitoring network application with traffic data or information on computer resource;</p>
<p>(c) identification and determination of viruses or computer contaminant;</p>
<p>(d) tracking cyber security breaches or cyber security incidents;</p>
<p>(e) tracking computer resource breaching cyber security or spreading virus or computer contaminants;</p>
<p>(f) identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security;</p>
<p>(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;</p>
<p>(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;</p>
<p>(i) any other matter relating to cyber security.</p>
<p style="text-align: justify; ">As can be seen from the above, the reasons for which an order for monitoring traffic data can be issued are extremely wide; this is in stark contrast to the reasons for which an order for interception of content data may be issued under section 69. The Rules also provide that the intermediary shall not disclose the existence of a monitoring order to any third party and shall take all steps necessary to ensure extreme secrecy in the matter of monitoring of traffic data.</p>
<table>
<tbody>
<tr style="text-align: justify; ">
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 21 – Interception of content data</b></p>
<p>1 Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:</p>
<p>a collect or record through the application of technical means on the territory of that Party, and</p>
<p>b compel a service provider, within its existing technical capability:</p>
<p style="text-align: justify; ">i to collect or record through the application of technical means on the territory of that Party, or</p>
<p style="text-align: justify; ">ii to co-operate and assist the competent authorities in the collection or recording of,</p>
<p style="text-align: justify; ">content data, in real-time, of specified communications in its territory transmitted by means of a computer system.</p>
<p style="text-align: justify; ">2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of content data on specified communications in its territory through the application of technical means on that territory.</p>
<p>3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.</p>
<p style="text-align: justify; ">4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.</p>
</td>
<td>
<p><b>69 Powers to issue directions for interception or monitoring or decryption of any information through any computer resource </b></p>
<p style="text-align: justify; ">(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.</p>
<p style="text-align: justify; ">(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed</p>
<p>(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to -</p>
<p style="text-align: justify; ">(a) provide access to <b>or secure access to </b>the computer resource containing such information; generating, transmitting, receiving or storing such information; or</p>
<p>(b) intercept or monitor or decrypt the information, as the case may be<b>; </b>or</p>
<p>(c) provide information stored in computer resource.</p>
<p>(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.</p>
</td>
</tr>
</tbody>
</table>
<p>There has been a lot of academic research and debate around the exercise of powers under section 69 of the IT Act, but the current piece is not the place for a standalone critique of section 69.<a href="#_ftn11" name="_ftnref11">[11]</a> The analysis here is limited to a comparison of the provisions of Article 20 vis-à-vis section 69 of the IT Act.</p>
<p style="text-align: justify; ">In that background, it needs to be pointed out that two important issues mentioned in Article 20 of the Convention are not specifically mentioned in section 69B, viz. (i) that the order should be only for specific computer data, and (ii) that the intermediary should keep such an order confidential; these requirements are covered by Rules 9 and 20 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, respectively.</p>
<table>
<tbody>
<tr style="text-align: justify; ">
<td>
<p>Convention on Cybercrime</p>
</td>
<td>
<p>Information Technology Act, 2000</p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p><b>Article 22 – Jurisdiction</b></p>
<p style="text-align: justify; ">1 Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed:</p>
<p>a in its territory; or</p>
<p>b on board a ship flying the flag of that Party; or</p>
<p>c on board an aircraft registered under the laws of that Party; or</p>
<p>d by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.</p>
<p>2 Each Party may reserve the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraphs 1.b through 1.d of this article or any part thereof.</p>
<p>3 Each Party shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to in Article 24, paragraph 1, of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition.</p>
<p style="text-align: justify; ">4 This Convention does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law.</p>
<p style="text-align: justify; ">5 When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.</p>
</td>
<td>
<p><b>1. Short Title, Extent, Commencement and Application </b></p>
<p style="text-align: justify; ">(2) It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention hereunder committed outside India by any person.</p>
<p><b>75 Act to apply for offence or contraventions committed outside India </b></p>
<p style="text-align: justify; ">(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality.</p>
<p style="text-align: justify; ">(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The Convention provides for extraterritorial jurisdiction only for crimes committed outside the State by nationals of that State. However, the IT Act applies even to offences under the Act committed by foreign nationals outside India, as long as the act involves a computer system or computer network located in India.</p>
<p style="text-align: justify; ">Unlike para 3 of Article 22 of the Convention, the IT Act does not touch upon the issue of extradition. Cases involving extradition would therefore be dealt with by the general law of the land in respect of extradition requests contained in the Extradition Act, 1962. The Convention requires that in cases where the state refuses to extradite an alleged offender, it should establish jurisdiction over the offences referred to in Article 21(1) so that it can proceed against that offender itself. In this regard, it must be pointed out that Section 34A of the Extradition Act, 1962 provides that “Where the Central Government is of the opinion that a fugitive criminal cannot be surrendered or returned pursuant to a request for extradition from a foreign State, it may, as it thinks fit, take steps to prosecute such fugitive criminal in India.” Thus the Extradition Act gives the Indian government the power to prosecute an individual in the event that such individual cannot be extradited.</p>
<p><b>International Cooperation</b></p>
<p style="text-align: justify; ">Chapter III of the Convention deals specifically with international cooperation between the signatory parties. Such co-operation is to be carried out both "in accordance with the provisions of this Chapter" and "through application of relevant international agreements on international cooperation in criminal matters, arrangements agreed to on the basis of uniform or reciprocal legislation, and domestic laws." The latter clause establishes the general principle that the provisions of Chapter III do not supersede the provisions of international agreements on mutual legal assistance and extradition or the relevant provisions of domestic law pertaining to international co-operation.<a href="#_ftn12" name="_ftnref12">[12]</a> Although the Convention grants primacy to mutual treaties and agreements between member States, in certain specific circumstances it also provides for an alternative if such treaties do not exist between the member states (Articles 27 and 28). The Convention also provides for international cooperation on certain issues which may not have been specifically provided for in mutual assistance treaties entered into between the parties and need to be spelt out due to the unique challenges posed by cyber crimes, such as expedited preservation of stored computer data (Article 29) and expedited disclosure of preserved traffic data (Article 30). Contentious issues such as access to stored computer data, real time collection of traffic data and interception of content data have been specifically left by the Convention to be dealt with as per existing international instruments or arrangements between the parties.</p>
<p><b>Conclusion</b></p>
<p style="text-align: justify; ">The broad language and wide terminology used in the IT Act seem to cover a number of the cyber crimes mentioned in the Budapest Convention, even though India has not signed and ratified the same. Penal provisions such as illegal access (Article 2), data interference (Article 4), system interference (Article 5), offences related to child pornography (Article 9), attempt and aiding or abetting (Article 11), and corporate liability (Article 12) are substantially covered and reflected in the IT Act in a manner very similar to the requirements of the Convention. Similarly, procedural provisions such as search and seizure of stored computer data (Article 19), real-time collection of traffic data (Article 20), interception of content data (Article 21) and jurisdiction (Article 22) are also substantially reflected in the IT Act.</p>
<p style="text-align: justify; ">However, certain penal provisions mentioned in the Convention, such as computer related forgery (Article 7) and computer related fraud (Article 8), are not provided for specifically in the IT Act, but such offences are covered when provisions of the Indian Penal Code, 1860 are read in conjunction with provisions of the IT Act. Similarly, procedural provisions such as expedited preservation of stored computer data (Article 16) and production order (Article 18) are not specifically provided for in the IT Act but are covered under Indian law through the provisions of the Code of Criminal Procedure, 1973.</p>
<p style="text-align: justify; ">Apart from the above two categories, there are certain provisions such as misuse of devices (Article 6) and illegal interception (Article 3) which may not be specifically covered at all under Indian law, but may conceivably be said to be covered through an expansive reading of provisions of the Indian Penal Code and the IT Act. It may therefore be said that even though India has not signed or ratified the Budapest Convention, the legal regime in India is substantially in compliance with the provisions and requirements contained therein.</p>
<p style="text-align: justify; ">Thus, the Convention on Cybercrime is perhaps the most important international multi-state instrument that may be used to combat cybercrime, not merely because the provisions thereunder may be used as a model to bolster national/local laws by any State, be it a signatory or not (as in the case of India), but also because of the mechanism it lays down for international cooperation in the field of cyber terrorism. In an increasingly interconnected world where more and more information of individuals is finding its way to the cloud or other networked infrastructure, the international community is making great efforts to generate norms for increased international cooperation to combat cybercrime and cyber terrorism. While the Convention is one such multilateral effort, States are also proposing to use bilateral treaties to enable them to better fight cybercrime, the United States CLOUD Act being one such effort. Against the backdrop of these novel efforts, the role to be played by older instruments such as the Convention on Cybercrime as well as by important States such as India is extremely crucial.</p>
<hr />
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b.</p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a> The analysis here has been limited to only Chapter I and Chapter II of the Convention, as it is only adherence to these two chapters that is required under the CLOUD Act.</p>
<p><a href="#_ftnref3" name="_ftn3">[3]</a> The only possible enforcement that may be done with regard to the Convention on Cybercrime is that the Council of Europe may put pressure on the signatory State to amend its local laws (if it is refusing to do so) otherwise it would be in violation of its obligations as a member of the European Union.</p>
<p><a href="#_ftnref4" name="_ftn4">[4]</a> Alexander Seger, “India and the Budapest Convention: Why Not?”, <a href="https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/">https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/</a></p>
<p><a href="#_ftnref5" name="_ftn5">[5]</a> Explanatory Report to the Convention on Cybercrime, Para 50, https://rm.coe.int/16800cce5b.</p>
<p><a href="#_ftnref6" name="_ftn6">[6]</a> India is a party to the Berne Convention on Literary and Artistic Works, the Agreement on Trade Related Intellectual Property Rights and the Rome Convention. India has also recently (July 4, 2018) announced that it will accede to the WIPO Copyright Treaty as well as the WIPO Performances and Phonograms Treaty.</p>
<p><a href="#_ftnref7" name="_ftn7">[7]</a> The test under the Convention is that the relevant person would be the one who has a leading position within the company, based on:</p>
<ul>
<li>a power of representation of the legal person;</li>
<li>an authority to take decisions on behalf of the legal person;</li>
<li>an authority to exercise control within the legal person.</li>
</ul>
<p><a href="#_ftnref8" name="_ftn8">[8]</a> Vipul Kharbanda and Elonnai Hickok, “MLATs and the proposed Amendments to the US Electronic Communications Privacy Act”, <a href="https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act">https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act</a></p>
<p><a href="#_ftnref9" name="_ftn9">[9]</a> The term “human rights” has been defined in the Act as “rights relating to life, liberty, equality and dignity of the individual guaranteed by the Constitution or embodied in the International Covenants and enforceable by courts in India”.</p>
<p><a href="#_ftnref10" name="_ftn10">[10]</a> Explanatory Report to the Convention on Cybercrime, Para 151, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>.</p>
<p><a href="#_ftnref11" name="_ftn11">[11]</a> A similar power of interception is available under section 5 of the Telegraph Act, 1885, but that extends only to interception of telegraphic communication and does not extend to communications exchanged through computer networks.</p>
<p><a href="#_ftnref12" name="_ftn12">[12]</a> Explanatory Report to the Convention on Cybercrime, Para 244, <a href="https://rm.coe.int/16800cce5b">https://rm.coe.int/16800cce5b</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act'>http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act</a>
</p>
No publisher | vipul | Cyber Security | Internet Governance | 2018-11-20T16:18:51Z | Blog Entry
Lessons from US response to cyber attacks
http://editors.cis-india.org/internet-governance/blog/hindu-businessline-arindrajit-basu-october-30-2018-lessons-from-us-response-to-cyber-attacks
<b>Publicly attributing the attacks to a state or non-state actor is vital for building a credible cyber deterrence strategy.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://www.thehindubusinessline.com/opinion/lessons-from-us-response-to-cyber-attacks-ep/article25372326.ece">Hindu Businessline</a> on October 30, 2018. The article was edited by Elonnai Hickok.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In September, amidst the brewing of a newfound cross-continental romance between Kim Jong-Un and Donald Trump, the US Department of Justice filed a criminal complaint indicting North Korean hacker Park Jin Hyok for playing a role in at least three massive cyber operations against the US. These included the Sony data breach of 2014, the Bangladesh bank heist of 2016 and the WannaCry ransomware attack in 2017. This indictment was followed by one on October 4, of seven officers in the GRU, Russia’s military agency, for “persistent and sophisticated computer intrusions.” Evidence adduced in support included forensic cyber evidence like similarities in lines of code or analysis of malware and other factual details regarding the relationship between the employers of the indicted individuals and the state in question.</p>
<p style="text-align: justify; ">While it is unlikely that prosecutions will ensue, indicting individuals responsible for cyber attacks offers an attractive option for states looking to develop a credible cyber deterrence strategy.</p>
<h2 style="text-align: justify; ">Attributing cyber attacks</h2>
<p style="text-align: justify; ">Technical uncertainty in attributing attacks to a specific actor has long fettered states from adopting defensive or offensive measures in response to an attack and garnering support from multilateral fora. Cyber attacks are multi-stage, multi-step and multi-jurisdictional, which complicates the attribution process and removes the attacker from the infected networks.</p>
<p style="text-align: justify; ">Experts at the RAND Corporation have argued that technical challenges to attribution should not detract from international efforts to adopt a robust, integrated and multi-disciplinary approach to attribution, which should be seen as a political process operating in symbiosis with technical efforts. A victim state must communicate its findings and supporting evidence to the attacking state in a bid to apply political pressure.</p>
<p style="text-align: justify; ">Clear publication of the attribution process becomes crucial as it furthers public credibility in investigating authorities; enables information exchange among security researchers and fosters deterrence by the adversary and potential adversaries.</p>
<p style="text-align: justify; ">Although public attributions need not take the form of a formal indictment and are often conducted through statements by foreign ministries, a criminal indictment is more legitimate as it needs to comply with the rigorous legal and evidentiary standards required by the country’s legal system. Further, an indictment allows for the attack to be conceptualised as a violation of the rule of law in addition to being a geopolitical threat vector.</p>
<h2 style="text-align: justify; ">Lessons for India</h2>
<p style="text-align: justify; ">India is yet to publicly attribute a cyber attack to any state or non-state actor. This is surprising given that an overwhelming percentage of attacks on Indian websites are perpetrated by foreign states or non-state actors, with 35 per cent of attacks emanating from China, as per a report by the Indian Computer Emergency Response Team (CERT-IN), the national nodal agency under the Ministry of Electronics and Information Technology (MEITY) which deals with cyber threats.</p>
<p style="text-align: justify; ">Along with other bodies, such as the National Critical Information Protection Centre (NCIIPC) which is the nodal central agency for the protection of critical information infrastructure, CERT-IN forms part of an ecosystem of nodal agencies designed to guarantee national cyber security.</p>
<p style="text-align: justify; ">There are three key lessons that policy makers involved in this ecosystem can take away from the WannaCry attribution process and the Park indictment. First, there is a need for multi-stakeholder collaboration through sharing of research, joint investigations and combined vulnerability identification among the various actors employed by the government, law enforcement authorities and private cyber security firms.</p>
<p style="text-align: justify; ">The affidavit suggested that the FBI had used information from various law enforcement personnel; computer scientists at the FBI; Mandiant, a cyber security firm retained by the US Attorney’s Office; and publicly available materials produced by cyber security companies. Second, the standards of attribution need to demonstrate compliance both with the evidentiary requirements of Indian criminal law and the requirements in the International Law on State Responsibility. The latter requires an attribution to demonstrate that a state had ‘effective control’ over the non-state actor.</p>
<p style="text-align: justify; ">Finally, the attribution must be communicated to the adversary in a manner that does not risk military escalation. Despite the delicate timing of the indictment, Park’s prosecution by the FBI did not dampen the temporary thaw in relations between US and North Korea.</p>
<p style="text-align: justify; ">While building capacity to improve resilience, detect attacks and improve attribution capabilities should be a priority, we need to remember that regardless of the breakthrough in both human and infrastructural capacities, attributing cyber attacks will never be an exercise in certainty.</p>
<p style="text-align: justify; ">India will need to marry its improved capacity with strategic geopolitical posturing. Lengthy indictments may not deter all potential adversaries but may be a tool in fostering a culture of accountability in cyberspace.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindu-businessline-arindrajit-basu-october-30-2018-lessons-from-us-response-to-cyber-attacks'>http://editors.cis-india.org/internet-governance/blog/hindu-businessline-arindrajit-basu-october-30-2018-lessons-from-us-response-to-cyber-attacks</a>
</p>
No publisher | Arindrajit Basu | Cyber Security, Internet Governance | 2018-11-01T05:53:42Z | Blog Entry
Conceptualizing an International Security Regime for Cyberspace
http://editors.cis-india.org/internet-governance/blog/conceptualizing-an-international-security-regime-for-cyberspace
<b>This paper was published as part of the Briefings from the Research and Advisory Group (RAG) of the Global Commission on the Stability of Cyberspace (GCSC) for the Full Commission Meeting held at Bratislava in 2018.</b>
<p style="text-align: justify; ">Policy-makers often use past analogous situations to reshape questions and resolve dilemmas in current issues. However, without sufficient analysis of the present situation and the historical precedent being considered, the effectiveness of the analogy is limited. This applies across contexts, including cyberspace. For example, there exists a body of literature, including The Tallinn Manual, which applies key aspects (structure, process, and techniques) of various international legal regimes regulating the global commons (air, sea, space and the environment) towards developing global norms for the governance of cyberspace.</p>
<p style="text-align: justify; ">Given the recent deadlock at the Group of Governmental Experts (GGE), owing to a clear ideological split among participating states, it is clear that consensus on the applicability of traditional international law norms drawn from other regimes will not emerge if talks continue without a major overhaul of the present format of negotiations. The Achilles heel of the GGE thus far has been a deracinated approach to the norms formulation process. There has been excessive focus on the content and the language of the applicable norm rather than the procedure underscoring its evolution, limited state and non-state participation, and a lack of consideration for the social, cultural, economic and strategic contexts through which norms emerge at the global level. Even if the GGE process became more inclusive and included all United Nations members, strategies preceding the negotiation process must be designed in a manner to facilitate consensus.</p>
<p style="text-align: justify; ">There exists to date, no scholarship that traces the negotiation processes that lead to the forging of successful analogous universal regimes or an investigation into the nature of normative contestation that enabled the evolution of the core norms that shaped these regimes. To develop an effective global regime governing cyberspace, we must consider if and how existing international law or norms for other global commons might also apply to ‘cyberspace’, but also transcend this frame into more nuanced thinking around techniques and frameworks that have been successful in consensus building. This paper focuses on the latter and embarks on an assessment of how regimes universally maximized functional utility through global interactions and shaped legal and normative frameworks that resulted, for some time, at least, in broad consensus.</p>
<hr />
<p style="text-align: justify; "><b><a class="external-link" href="http://cis-india.org/internet-governance/files/gcsc-research-advisory-group.pdf">Click to read more</a></b></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/conceptualizing-an-international-security-regime-for-cyberspace'>http://editors.cis-india.org/internet-governance/blog/conceptualizing-an-international-security-regime-for-cyberspace</a>
</p>
No publisher | Elonnai Hickok and Arindrajit Basu | Cyber Security, Internet Governance | 2018-10-26T15:09:23Z | Blog Entry
Roundtable on Cyber-security and the Private Sector
http://editors.cis-india.org/internet-governance/events/roundtable-on-cyber-security-and-the-private-sector
<b>The Centre for Internet & Society (CIS) invites you to a roundtable discussion on cyber-security and the private sector. The event will be held at Omidyar Network office in Bangalore from 10.00 a.m. to 4.00 p.m.</b>
<p style="text-align: justify;">An increased proliferation of cyber attacks from multiple vectors and a variety of actors has necessitated a multi-stakeholder response to cyber-security that requires private sector involvement in both the policy and technical fields. This contribution has come in the recent past not only through active involvement at the domestic level but also through norm-setting in the international arena.</p>
<p style="text-align: justify;">This symposium seeks to discuss the various cyber-security concerns in the Indian private sector and to map initiatives being undertaken by various actors towards furthering cyber-security, in an attempt to identify challenges and points of tension and to brainstorm solutions, thereby mapping the way forward through engagement not only with private sector actors but also in dialogue with civil society and policy-makers. CIS has undertaken some preliminary research in this area to further discussion and to serve as a forum for sharing perspectives among various stakeholders.</p>
<p style="text-align: justify;">The symposium will be divided into three sessions, broadly in the form of a roundtable with different modus operandi in each session.</p>
<p style="text-align: justify;">A Concept Note for the event can be found <a href="http://editors.cis-india.org/internet-governance/concept-note-pvt-sector-cybersecurity-roundtable" class="internal-link" title="Concept Note: Pvt Sector Cybersecurity Roundtable">here</a>, and the agenda can be found <a href="http://editors.cis-india.org/internet-governance/pvt-sector-cyber-security-agenda" class="internal-link" title="Pvt Sector Cyber-security Agenda">here</a>. If you would like to attend, please RSVP to pranav@cis-india.org, or register <a class="external-link" href="https://goo.gl/forms/j3PSo56sdLyX8aNw2">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/roundtable-on-cyber-security-and-the-private-sector'>http://editors.cis-india.org/internet-governance/events/roundtable-on-cyber-security-and-the-private-sector</a>
</p>
No publisher | pranav | Cyber Security, Event, Internet Governance | 2018-10-15T09:18:35Z | Event
CyFy 2018
http://editors.cis-india.org/internet-governance/news/cyfy-2018
<b>Swaraj Paul Barooah and Arindrajit Basu participated in CyFy 2018 organized by Observer Research Foundation at Hotel Taj Mahal, New Delhi from October 3 - 5, 2018.</b>
<p><a class="external-link" href="http://cis-india.org/internet-governance/files/cyfy-2018-agenda">Click to see the agenda</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/cyfy-2018'>http://editors.cis-india.org/internet-governance/news/cyfy-2018</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance | 2018-10-08T15:36:40Z | News Item
Cyber-Security in the Age of Smart Manufacturing
http://editors.cis-india.org/internet-governance/news/cyber-security-in-the-age-of-smart-manufacturing
<b>Arindrajit Basu attended the event 'Cyber-security in the age of Smart Manufacturing.' The event 'BTS - CyberComm 2018' was organised by the Federation of Indian Chamber of Commerce & industry (FICCI) in association with Karnataka Innovation and Technology Society, and Government of Karnataka at The Lalit Ashok, Bengaluru on September 26, 2018.</b>
<p style="text-align: justify; ">The event was aimed at understanding the cyber security threats revolving around Industry 4.0 and smart manufacturing. The speakers included Mr. Gaurav Gupta, Principal Secretary, IT, BT and S&T Department, Government of Karnataka; Mr. Sanjay Mujoo, Vice President, Pointnext Global Centre Bangalore, Hewlett Packard Enterprise, India; Mr. Yogesh Andlay, Founder, Nucleus Software & Polaris Financial Technology; and Mr. Ambrish Bakaya, Co-Chair, ICT and Digital Economy Committee, FICCI.</p>
<p style="text-align: justify; ">Apart from discussing how to cover the threat vectors as businesses increasingly become digitised and use digital supply chains, the event was also useful in terms of obtaining an understanding of how the Karnataka government is approaching the digital ecosystem. The Centres of Excellence aim to bring on board academics, industry bodies and practitioners to develop best practices. FICCI, which was co-hosting this event, indicated that they will continue to work with the government to further this agenda.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/cyber-security-in-the-age-of-smart-manufacturing'>http://editors.cis-india.org/internet-governance/news/cyber-security-in-the-age-of-smart-manufacturing</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance | 2018-10-02T00:23:45Z | News Item
Symposium on India’s Cyber Strategy
http://editors.cis-india.org/internet-governance/events/symposium-on-india2019s-cyber-strategy
<b>CIS organised a Symposium on India’s Cyber Strategy.</b>
<p style="text-align: justify; ">The event saw a total of around 30 participants from industry, academia, law/policy, media, and civil society, and had a panel comprised of Asoke Mukerji, Madhulika Srikumar, and Parminder Jeet Singh.</p>
<h3 style="text-align: justify; ">Presentations</h3>
<ul>
<li style="text-align: justify; "><a class="external-link" href="http://cis-india.org/internet-governance/files/cis-presentation-on-cyber-security">India’s Strategic Interests in the Norms Setting Process in Cyberspace</a> (Presentation by Ambassador Asoke Kumar Mukerji, Former Permanent Representative of India to the United Nations)</li>
<li><a class="external-link" href="http://cis-india.org/internet-governance/files/arindrajit-presentation">The Potential for the Normative Regulation of Cyberspace</a> (Presentation by Arindrajit Basu)</li>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/symposium-on-india2019s-cyber-strategy'>http://editors.cis-india.org/internet-governance/events/symposium-on-india2019s-cyber-strategy</a>
</p>
No publisher | Admin | Cyber Security, Event, Internet Governance | 2018-10-02T06:02:59Z | Event
IEEE-SA InDITA Conference 2018
http://editors.cis-india.org/internet-governance/news/ieee-sa-indita-conference-2018
<b>Gurshabad Grover participated in the IEEE-SA InDITA Conference 2018, organized by the IEEE Standards Association and held at IIIT-Bangalore on July 10 and 11, 2018.</b>
<p>Gurshabad gave a brief presentation on how we could apply or reject 'Trust Through Technology' principles in the design of public biometric authentication. The agenda for the event can be <a class="external-link" href="https://ieee-dita.org/indita18/agenda/">accessed here</a>. More details are on the event <a class="external-link" href="https://ieee-dita.org/indita18/">website here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/ieee-sa-indita-conference-2018'>http://editors.cis-india.org/internet-governance/news/ieee-sa-indita-conference-2018</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance | 2018-08-01T23:04:18Z | News Item
CIS contributes to the Research and Advisory Group of the Global Commission on the Stability of Cyberspace (GCSC)
http://editors.cis-india.org/internet-governance/blog/cis-contributes-to-the-research-and-advisory-group-of-the-global-commission-on-the-stability-of-cyberspace-gcsc
<b>The Global Commission on the Stability of Cyberspace (GCSC) is an initiative of the Hague Centre for Strategic Studies and the East West Institute that seeks to promote mutual awareness and understanding among various cyberspace communities. It seeks to develop norms and policies that advance the stability and security of cyberspace.</b>
<p style="text-align: justify; ">Chaired by Marina Kaljurand, and Co-Chaired by Michael Chertoff and Latha Reddy, the Commission comprises 26 prominent Commissioners who are experts hailing from a wide range of geographic regions and representing multiple communities, including academia, industry, government, technical and civil society.</p>
<p style="text-align: justify; ">As a part of their efforts, the GCSC sent out a call for proposals for papers that sought to analyze and advance various aspects of the cyber norms debate.</p>
<p style="text-align: justify; ">Elonnai Hickok and Arindrajit Basu’s paper ‘Conceptualizing an International Security Architecture for Cyberspace’ was selected by the Commissioners and published as a part of the Briefings of the Research and Advisory Group.</p>
<p style="text-align: justify; ">Arindrajit Basu represented CIS at the Cyberstability Hearings held by the GCSC on the sidelines of the <a href="https://www.globsec.org/projects/globsec-2018/">GLOBSEC forum</a> in Bratislava, a multilateral conference seeking to advance dialogue on various issues of international peace and security.</p>
<p style="text-align: justify; ">The published paper and the PowerPoint may be accessed <a href="https://cyberstability.org/research/issue-brief-2-bratislava/">here.</a></p>
<p style="text-align: justify; ">The agenda for the hearings is reproduced below:</p>
<p style="text-align: justify; ">GCSC HEARINGS, 19 MAY 2018</p>
<p style="text-align: justify; ">HEARINGS: TOWARDS INTERNATIONAL CYBERSTABILITY</p>
<p style="text-align: justify; ">Venue: “Habsburg” room, Grand Hotel River Park</p>
<p style="text-align: justify; ">15:00-15:15: Welcome Remarks by Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace (GCSC) and former Foreign Minister of Estonia</p>
<p style="text-align: justify; ">15:15-16:45: Hearing I: Expert Hearing</p>
<p style="text-align: justify; "><i>This session focuses on the topic Cyberstability and the International Peace and Security Architecture and includes scene settings, food-for-thought presentations on the new GCSC commissioned research, briefings and open statements by government and nongovernmental speakers.</i></p>
<p style="text-align: justify; ">Scene setting: “Cyber Diplomacy in Transition” by Carl Bildt, former Prime Minister of Sweden</p>
<p style="text-align: justify; ">Commissioned Research I: “Lessons learned from three historical case studies on establishing international norms” by Arindrajit Basu, Centre for Internet and Society, India</p>
<p style="text-align: justify; ">Commissioned Research II: “The ‘pre-normative’ framework and options for cyber diplomacy” by Elana Broitman, New America Foundation</p>
<p style="text-align: justify; ">“Some Remarks on current thinking within the United Nations” by Renata Dwan, Director, United Nations Institute for Disarmament Research (UNIDIR)</p>
<p style="text-align: justify; ">(Registered Statements by Government Advisors)</p>
<p style="text-align: justify; ">(Statements by other experts)</p>
<p style="text-align: justify; ">(Open floor discussion)</p>
<p style="text-align: justify; ">16:45-17:15: Coffee Break</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cis-contributes-to-the-research-and-advisory-group-of-the-global-commission-on-the-stability-of-cyberspace-gcsc'>http://editors.cis-india.org/internet-governance/blog/cis-contributes-to-the-research-and-advisory-group-of-the-global-commission-on-the-stability-of-cyberspace-gcsc</a>
</p>
No publisher | Arindrajit Basu | Cyber Security, Internet Governance, Cyberspace | 2018-07-05T16:00:02Z | Blog Entry
Cybersecurity: The Intersection of Policy and Technology
http://editors.cis-india.org/internet-governance/news/cybersecurity-the-intersection-of-policy-and-technology
<b>Sunil Abraham and Aayush Rathi attended a round-table on 'Cybersecurity: The Intersection of Policy and Technology'. The event was organised by Synergia Foundation, Bengaluru.</b>
<p style="text-align: justify; ">The speakers for the round-table were Deborah Housen-Couriel, Professor at the Kennedy School of Government, Gaurav Gupta - Principal Secretary for IT, BT, and S&T, Government of Karnataka, and Dana Kursh, Consul General of Israel to South India.</p>
<p style="text-align: justify; ">The discussion at the round-table centred around developing approaches aimed at resolving the 'grand challenge' of cyber security. The role of deeper collaborations between various stakeholders such as academia, corporate enterprises, law enforcement and the government in arriving at cogent solutions was emphasised. For more on the discussion at the round-table, a press note can be found <a class="external-link" href="https://www.synergiafoundation.in/news-analysis/cybersecurity-intersection-policy-technology">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/cybersecurity-the-intersection-of-policy-and-technology'>http://editors.cis-india.org/internet-governance/news/cybersecurity-the-intersection-of-policy-and-technology</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance | 2018-03-25T03:24:23Z | News Item
People Driven and Tech Enabled – How AI and ML are Changing the Future of Cyber Security in India
http://editors.cis-india.org/internet-governance/blog/people-driven-and-tech-enabled-2013-how-ai-and-ml-are-changing-the-future-of-cyber-security-in-india
<b>On the 27th of February, Peter Sparkes, Senior Director, Cyber Security Services, Symantec, conducted a webinar on the ‘5 Essentials of Every Next-Gen SOC’. In this webinar, he evaluated the problems that Security Operations Centers (SOCs) are currently facing, and explored possible solutions to these problems. The webinar also put emphasis on AI and ML as tools to improve cyber security. This blog draws key insights from the webinar, and explains how AI and ML can improve the cyber security process of Indian enterprises.</b>
<p style="text-align: justify; "><strong>Introduction</strong></p>
<p style="text-align: justify; ">In a study conducted by Cisco, it was found that in the past 12-18 months, cyber attacks have caused Indian companies to incur financial damages amounting to USD 500,000. <a name="fr1"></a></p>
<p style="text-align: justify; ">There is a need to strengthen the nodal agencies in an enterprise that can deal with these threats to prevent irreparable damage to enterprises and their customers. An SOC within any organization is the team responsible for detecting, monitoring, analyzing, communicating and remedying security threats. The SOC technicians employ a combination of technologies and processes to ensure that an enterprise’s security is not compromised. As instances of cyber attacks increase both in number and sophistication, SOCs need to use state-of-the-art technologies to stay one step ahead of the attackers. Presently, SOCs face a number of infrastructural problems such as the low priority given to a cyber security budget, slower and passive response to threats, a dearth of skilled technicians, and the absence of a global intelligence network for cyber-threats. This is where technologies such as Artificial Intelligence and Machine Learning are helping, by monitoring the system to identify cyber attacks, analysing the severity of the threat, and in some cases blocking such threats. <a name="fr2"></a></p>
<p style="text-align: justify; "><strong>Evolution of Security Operations Centers</strong></p>
<p style="text-align: justify; ">In the same study, Cisco looked at the evolution of cyber threats and how companies were using technologies such as AI and ML to ameliorate those threats. Another key insight the study brought out was that 53 and 51 percent of the subject companies were reliant on ML and AI respectively. One of the reasons behind AI and ML’s effectiveness in cyber security is their capacity not only to detect known threats but also to use their learnings from data to detect unknown threats. In his webinar, Peter Sparkes also stated that SOCs were evolving into a ‘people driven and tech enabled’ system.</p>
<p style="text-align: justify; "><strong>People Driven and Tech Enabled</strong></p>
<p style="text-align: justify; ">In the case of cyber security, which in itself is a relatively new field, technologies such as AI and ML are helping companies not only to overcome infrastructural barriers but also to respond proactively to threats. A study conducted by the Enterprise Strategy Group revealed that one-third of the respondents believed that ML technology could detect new and unknown malware.<a name="fr3"></a></p>
<p style="text-align: justify; ">The study also stated that the use of machine learning to detect and prevent threats from unknown malware reduced the number of cases the cyber security team had to investigate.<a name="fr4"></a></p>
<p style="text-align: justify; ">Similarly, the tasks of monitoring and blocking, which were earlier conducted by entry-level analysts, are now done by systems using machine learning. Typically, the AI acts as the first monitoring system, after which the threat is examined by the company’s technicians who possess the requisite skill set and experience. By delegating the time-consuming task of continuous monitoring to an ML system, the technicians now have time to look at serious threats. In this way AI and humans are working together to build a stronger and more responsive security protocol.</p>
<p style="text-align: justify; "><strong>Detecting the Unknown</strong></p>
<p style="text-align: justify; ">Cyber criminals are becoming increasingly sophisticated, and in order to prevent attacks the monitoring systems (both human and automated) need to be able to detect them before security is compromised. The detection of threats through AI and ML works in much the same way as the identification of spam, where the system is trained on a large amount of data which teaches the algorithm to distinguish right from wrong.<a name="fr5"></a></p>
<p style="text-align: justify; ">There have been numerous cases of stealthy cyber attacks such as WannaCry and ransomware, that have evaded detection by conventional security firewalls and caused crippling damage. There is also the need to use deception technology, which involves automatic detection and analysis of attacks. This technology then tricks the attackers and defeats them to bring back normalcy to the system.</p>
<p style="text-align: justify; ">The systems that can handle threats by themselves do so by following a predetermined procedure, or playbook, where the AI detects activities that go against the procedure/playbook. This is more effective compared to the earlier system where the technicians would analyse the attacks on a case-by-case basis.<a name="fr6"></a></p>
<p style="text-align: justify; ">AI and ML can help in reducing the time required to detect threats enabling technicians to act proactively and prevent damage. As AI and ML systems are less prone to make mistakes compared to human beings, each threat is dealt with in a prompt and accurate manner. AI systems also help by categorising attacks based on their propensity for damage. These systems can use the large volumes of data collected about previous attacks and adapt over time to give enterprises a strong line of defence against attacks.</p>
<p style="text-align: justify; "><strong>Passive to Active Defense</strong></p>
<p style="text-align: justify; ">Threats to cyber security can emerge even in seemingly safe departments, such as Human Resources. It is therefore important to proactively hunt for threats across all departments uniformly.<a name="fr7"></a></p>
<p style="text-align: justify; ">In order to detect an anomaly, the AI and ML system will require both large volumes of data as well as a significant amount of processing power, which is difficult for smaller companies to provide. A possible solution to improve defense is to have a system of sharing SOC data between companies, thereby creating a global database of intelligence. A system of global intelligence and threat data sharing could help smaller companies combat cyber threats without having to compromise on core business development.</p>
<p style="text-align: justify; "><strong>Use of AI in Cyber Security in India</strong></p>
<p style="text-align: justify; ">In 2017, Indian enterprises were infected by two lethal cyber attacks called Nyetya that crept through a trusted software - Ccleaner and infected computers.<a name="fr8"></a></p>
<p style="text-align: justify; ">These attacks may just be the tip of the iceberg, since there may be many other attacks that might have gone unreported, or worse, undetected. Cisco reported that less than 55 per cent of the Indian enterprises were reliant on AI or ML for combating cyber threats. Although the current numbers seem bleak, there are a number of Indian enterprises that have recently begun using AI and ML in cyber security.<a name="fr9"></a></p>
<p style="text-align: justify; ">One such example is HDFC Bank, which is in the process of introducing an AI-based Cyber Security Operations Centre (CSOC).<a name="fr10"></a></p>
<p style="text-align: justify; ">This CSOC is based on a four-point approach to dealing with threats - prevent, detect, respond and recover. The government of India has also taken its first step towards the use of AI in cyber security through a project that aims to provide cyber forensic services to the various agencies of the government including law enforcement.<a name="fr11"></a></p>
<p style="text-align: justify; ">Indian intelligence agencies have also entered into an agreement with tech startup Innefu, which utilizes AI, to process data and decipher threats by looking at the patterns of past threats.<a name="fr12"></a></p>
<p style="text-align: justify; ">As India is increasingly becoming data dense, both private and public organizations need to consider cyber security with utmost seriousness and protect the data from crippling attacks.</p>
<p style="text-align: justify; "><strong>Conclusion</strong></p>
<p style="text-align: justify; ">Enterprises have become storehouses of user data and the SOCs have a responsibility to protect this data. The companies’ SOCs have been plagued with several problems such as lack of skilled technicians, delay in response time and the inability to proactively respond to attacks. AI and ML can help in a system of continuous monitoring as well as take over the more repetitive and time-consuming tasks, leaving the technicians with more time to work on damage control. It must be kept in mind, however, that AI is not a silver bullet, since attackers will try their best to confuse the AI systems through evasion techniques such as adversarial AI (where the attackers design machine learning models that are intended to confuse the AI model into making a mistake).<a name="fr13"></a></p>
<p style="text-align: justify; ">Hence, human intervention and monitoring of AI and ML systems in cyber security is essential to maintain the defence and protection mechanisms of enterprises.</p>
<p style="text-align: justify; ">A few topics that Indian SOCs need to consider while using AI and ML:</p>
<p style="text-align: justify; ">1. The companies need to understand that AI and ML need human expertise and supervision to be effective and hence replacing people with AI is not ideal.</p>
<p style="text-align: justify; ">2. The companies need to give equal if not more importance to data security.</p>
<p style="text-align: justify; ">3. The companies need to constantly upgrade their systems and re-skill their technicians to combat cyber security threats.</p>
<p style="text-align: justify; ">4. The AI and ML systems need to be regularly audited to ensure that they are not compromised by cyber attacks and also to ensure that they are not generating false positives.</p>
<div style="text-align: justify; ">
<hr />
<p style="text-align: justify; ">[<a name="fn1"></a>]. <span>Cisco, (2018, February). Annual Cybersecurity Report. Retrieved March 8, 2018, from https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2</span></p>
</div>
<p style="text-align: justify; ">[<a name="fn2"></a>]. <span>Ibid.</span></p>
<p style="text-align: justify; ">[<a name="fn3"></a>]. <span>Enterprise Strategy Group (2017, March). Top-of-mind Threats and Their Impact on Endpoint Security Decisions. Retrieved March 8, 2018, from https://www.cylance.com/content/dam/cylance/pdfs/reports/ESG-Research-Insights-Report-Summary-Cylance-Oct-2017.pdf</span></p>
<p style="text-align: justify; ">[<a name="fn4"></a>]. <span>Ibid.</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn5" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Vorobeychik, Y. (2016). Adversarial AI. Retrieved March 8, 2018, from https://www.ijcai.org/Proceedings/16/Papers/609.pdf</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn6" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Quora. (2018, February 15). How Will Artificial Intelligence And Machine Learning Impact Cyber Security? Retrieved March 8, 2018, from https://www.forbes.com/sites/quora/2018/02/15/how-will-artificial-intelligence-and-machine-learning-impact-cyber-security/#569454786147</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn7" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Sparkes, P. (2018, February 27). The 5 Essentials of Every Next-Gen SOC. Retrieved March 8, 2018, from https://www.brighttalk.com/webcast/13389/303251/the-5-essentials-of-every-next-gen-soc</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn8" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>PTI. (2018, February 21). Indian companies lost $500,000 to cyber. Retrieved March 8, 2018, from https://economictimes.indiatimes.com/tech/internet/indian-companies-lost-500000-to-cyber-attacks-in-1-5-years-cisco/articleshow/63019927.cms</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn9" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Cisco. (2018, February). Annual Cybersecurity Report. Retrieved March 8, 2018, from https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn10" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Raval, A. (2018, January 30). AI takes cyber security to a new level for HDFC Bank. Retrieved March 8, 2018, from http://computer.expressbpd.com/magazine/ai-takes-cyber-security-to-a-new-level-for-hdfc-bank/23580/</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn11" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>“The Centre for Development of Advanced Computing (C-DAC) under the Ministry of Electronics and Information Technology (MeitY) is working on a project to provide cyber forensic services to law-enforcing and other government and non-government agencies.” Ohri, R. (2018, February 15). Government readies AI-muscled cyber security plan. Retrieved March 8, 2018, from https://economictimes.indiatimes.com/news/politics-and-nation/government-readies-ai-muscled-cyber-security-plan/articleshow/62922403.cms utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn12" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Chowdhury, P.A. (2017, January 30). Cyber Warfare at large in Southeast Asia, India leverages AI for the same cause. Retrieved March 8, 2018, from https://analyticsindiamag.com/cyber-warfare-large-southeast-asia-india-leverages-ai-cause/</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn13" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Open AI. (2017, February 24). Attacking Machine Learning with Adversarial Examples. Retrieved March 8, 2018, from https://blog.openai.com/adversarial-example-research/</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/people-driven-and-tech-enabled-2013-how-ai-and-ml-are-changing-the-future-of-cyber-security-in-india'>http://editors.cis-india.org/internet-governance/blog/people-driven-and-tech-enabled-2013-how-ai-and-ml-are-changing-the-future-of-cyber-security-in-india</a>
</p>
No publisher | Shweta Mohandas | Cyber Security | Internet Governance | 2018-03-11T15:30:50Z | Blog Entry
Multinational Cyber Security Forum at University of Haifa
http://editors.cis-india.org/internet-governance/news/multinational-cyber-security-forum-at-university-of-haifa
<b>Sunil Abraham participated in a meeting in Israel, the Multinational Cyber Security Forum, hosted by the Center for Cyber, Law and Policy and the University of Haifa in collaboration with the Hewlett Foundation Cyber Initiative.</b>
<p style="text-align: justify; ">The workshop was held from November 5 to 7, 2017. The objective of the workshop was to facilitate a free and open exchange among participants under the Chatham House Rules. The workshop sought to identify areas of agreement and dissent pertaining to cyber security regulation and to explore issues that require further research, clarification and development.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/multinational-cyber-security-forum-at-university-of-haifa'>http://editors.cis-india.org/internet-governance/news/multinational-cyber-security-forum-at-university-of-haifa</a>
</p>
No publisher | Admin | Cyber Security | Internet Governance | 2017-11-27T14:34:59Z | News Item
Govt working to set up financial CERT to tackle cyber threats
http://editors.cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats
<b>IT secretary Ajay Prakash Sawhney says the government is getting the framework in place for financial CERT, which will be followed by other sectoral CERTs later.</b>
<p style="text-align: justify; ">The article by Komal Gupta was <a class="external-link" href="http://www.livemint.com/Industry/KMK5eQsbcJpYvEMPfp5MHI/Govt-working-to-set-up-financial-CERT-to-tackle-cyber-threat.html">published in Livemint</a> on November 16, 2017.</p>
<hr />
<p style="text-align: justify; ">The government is working to set up a financial Computer Emergency Response Team (CERT) to tackle a rise in cyber threats to India’s financial institutions.</p>
<p style="text-align: justify; ">This will be the first sectoral CERT to be introduced in India, said IT secretary Ajay Prakash Sawhney on Wednesday.</p>
<p style="text-align: justify; ">“Right now, the one which is directly being worked on is the financial CERT. We are getting the framework in place and once that is there, we will look at other sectors,” said Sawhney, responding to a question on the progress of setting up of sectoral CERTs in the country. “It will oversee the entire financial sector including banks and financial institutions,” he added.</p>
<p style="text-align: justify; ">He was addressing the Asia Pacific Computer Emergency Response Team (APCERT) Open Conference in the capital on Wednesday.</p>
<p style="text-align: justify; ">In March, the power ministry had announced setting up of four sectoral CERTs for cyber security in power systems—CERT (Transmission), CERT (Thermal), CERT (Hydro) and CERT (Distribution).</p>
<p style="text-align: justify; ">According to Sawhney, as of now, there is a national CERT and no other sectoral CERTs. While addressing the conference, he said one of the themes to be discussed will be “How sectoral CERTs can function in conjunction with the national CERT.”</p>
<p style="text-align: justify; ">CERT-In is the national nodal agency under the ministry of electronics and IT (MeitY), which deals with cyber security threats such as hacking and phishing. The agency is tasked with the collection, analysis and dissemination of information on cyber incidents and even taking emergency measures for handling cyber security incidents.</p>
<p style="text-align: justify; ">“The biggest task of sectoral CERT is to share information with the others in the industry. For example, if a bank undergoes an attack; normally the bank will perform all the necessary actions to limit the attack and to prevent it from happening in the future. But the obligation of sharing how the attack happened with all the other banks in India to make sure that they can protect their respective systems from such an attack, can be carried out by a financial CERT,” said Udbhav Tiwari, programme manager at the Centre for Internet and Society, a Bengaluru-based think tank.</p>
<p style="text-align: justify; ">“From April to October 2017, around 50,000 cyber security incidents have been handled by CERT-In; including phishing, malware attacks, attacks on digital payments and targeted attacks on some of the critical industries,” said cyber security chief Gulshan Rai, who was also present at the event.</p>
<p style="text-align: justify; ">A total of 50 incidents of cyber attacks affecting 19 financial organizations have been reported from 2016 till June 2017, <a href="http://www.livemint.com/Industry/MBqlWLIFkpR4W34sdA6TqN/50-cyber-attack-incidents-reported-in-financial-sector-govt.html" target="_blank">PTI</a> reported in August.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats'>http://editors.cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats</a>
</p>
No publisher | Admin | Cyber Security | Internet Governance | 2017-11-25T02:28:18Z | News Item