Security, Governments, and Data: Technology

and Policy
Ensuring the security of the Indias cyber space is a complex,
challenging, and ever changing responsibility that the government is tasked
with. Doing so effectively requires a number of factors to come together in a
harmonized strategy including: laws & policies, technical capabilities, markets,
and a skilled workforce. It also requires collaboration on multiple levels
including with foreign governments, domestic and foreign industry, and law
enforcement. The first of these is particularly important given the ability of
attackers to penetrate across borders and the global nature of data. Any strategy
developed by India must be proactive and reactive evolving defences to
prevent a potential threat and applying tactics to respond to a real time threat. To
do so, the government of India must legally have the powers to take action and
must have the technical capability to do so. Yet, many of these powers and
technical capabilities require a degree of intrusion into the lives of citizens and
residents of India through means such as surveillance. Thus, such measures
must be considered in light of principles of proportionality and necessity, and
legal safeguards are needed to protect against the violation of privacy.
Furthermore, a principle of optimization must be considered i.e, how much
surveillance achieves the most amount of security and how can this security be
achieved with the optimal mix of technology, policy and enforcement.
Challenges & Present Scenario
Protecting and enhancing the cyber security of India is a complex and dynamic
responsibility. The challenge of securing cyber space is magnified by the
demarcated nature of the internet, the multiplicity of vulnerabilities that can be
exploited at the national level, the magnitude of infrastructure damage possible
from a cyber attack, and the complexity of application of a jurisdictions law to
a space that is technologically borderless. A comprehensive cyber security
ecosystem is required to address such challenges one that involves technology,
skills, and capabilities including surveillance capabilities. The Government of
India has taken numerous steps to address and resolve such challenges. In July
2013, the National Cyber Security Policy was published for the purpose of
creating an enabling framework for the protection of Indias cyber security. In
February 2014, the 52nd Standing Committee on Information Technology issued
a report assessing the implementation of this policy in which they found that a
number of areas needed strengthening. The Government of India has also
proposed the establishment of a number of centers focused on cyber security
such as the National Cyber Coordination Center and the National Critical

Information Infrastructure Protection Centre. CERT-IN, under the

Department of Electronics and Information Technology is presently the body
responsible for overseeing and enforcing cyber security in India, while other
bodies such as the Resource Centre for Cyber Forensic and TERM cells
under the Department of Telecommunications play critical roles in overseeing
and undertaking capabilities related to cyber security.
Law & Policy
India has five statutes regulating the collection and use of data for surveillance
purposes. These laws define circumstances on which the government is justified
in accessing and collecting real time and stored data as well as procedural
safeguards they must adhere to when doing so. The Department of
Telecommunications has also issued the Unified Access License which, among
other things, mandates service providers to provide technical support to enable
such collection. The Indian judicial system has also provided a number of
Rulings that set standards for the access, collection, and use of data as well as
defining limitations and safeguards that must be respected in doing so. The draft
Privacy Bill 2011, released by the Department of Personnel and Training, also
contained provisions addressing surveillance in the context of interception and
the use of electronic video recording devices. In the Report of the Group of
Experts on Privacy, the AP Shah Committee found that the legal regime for
surveillance in India was not harmonized and lacked safeguards. Furthermore,
in the era where the direct collection of large volumes of data is easily possible,
there is a growing need to re-visit questions about the legitimate and
proportionate collection and use (particularly as evidence) of such data.
Questions are also arising about the applicability of standards and safeguards to
the state. At a global level, catalyzed by the leaks by Edward Snowden, there
has been a strong push for governments to review and structure their
surveillance regimes to ensure that they are in line with international human
rights standards.
Architecture & Technology
India is in the process of architecting a number of initiatives that seek to enable
the collection and sharing of intelligence such as the CMS, NATGRID, and
NETRA. At a regional level, the Ministry of Home Affairs is in the process of
implementing Mega Policing Cities which include the instalment of CCTVs
and centralized access to crime related information. Globally, law enforcement
and governments are beginning to take advantage of the possibilities created by
Big Data and open source policing. The architecture and technology behind
any surveillance and cyber security initiative are key to its success. Intelligently

and appropriately designed projects and technology can also minimize the
possibility of intrusions into the private lives of citizens. Strong access controls,
decentralized architecture, and targeted access are all principles that can be
incorporated into the architecture and technology behind a project or initiative.
At the same time, the technology or process around a project can serve as the
weakest link as it is vulnerable to attacks and tampering. Such possibilities
raise concerns about the use of foreign technology and dependencies on foreign
governments and companies.
International and Domestic Markets
Globally, the security market is growing with companies offering a range of
services and products that facilitate surveillance and can be used towards
enhancing cyber security. In India, the security market is also growing with
studies predicting that it will reach $1.06 billion by 2015. Recognizing the
potential threat posed by imported security and telecom equipment, India also
develops its own technologies through the Centre for Development of
Telematics attached to the Department of Telecommunications, and the Centre
for Development of Advanced Computing attached to the Department of
Electronics and Information Technology. At times India has also imposed bans
on the import of technologies believed to be compromised. Towards this end,
the Government of India has a number of bodies responsible for licensing,
auditing, and certifying the use of security and telecommunication equipment.
Though India has recognized the security vulnerabilities posed by these
technologies, as of yet it has not formally recognized the human rights
violations that are made possible. Indeed, though India has submitted a request
to be a signing member of the Wassenaar agreement, they have yet to be
accepted.

Notes from 52nd Standing Committee on IT

As of now, it can be said that the benefits, costs and dangers of the internet, are
poorly understood and appreciated by the general public.
The key conributors to online risks for an individual can be summarized as
follows:

Lack of knowledge
Carelessness
Unintentional exposure of or by others
Flaws in technology for instance, in the service offered online

 Criminal acts.
Most of the internet frauds reported in the country are relating to phishing,
usage of stolen Credit cards / debit cards, unauthorised fraudulent Real Time
Gross Settlement (RTGS) transactions, fictitious offers of fund transfer,
remittance towards participation in lottery, money circulation schemes and other
fictitious offers of cheap funds etc.
Type of cyber
crime

How it is carried
out

Legal measures
as per IT Act
2000 and
Amendments.

Technical and
other measures.

Cyber Stalking

Email, IM web
post etc.

43, 66

Chatting with
known people
only.

Compensation
and punishment
for three years.

Intellectual
property crime

Source code
manipulation and
tampering

43, 65, 66

By means of
unauthorised
access to source
code and
deducting small
amounts from
account without

43, 66

- Sour
ce code
tampering
etc.
Salami Attack
(theft of data or
manipulating
banking account)

Taking up the
matter with
concerned service
providers in
stopping cyber
stalking
activities.

Strong
authentication
and technical
Compensation
measures for
and punishment
of three years fine prevention of
data leakage.

Compensation
and punishment
of three years fine

Strong
authentication
measures etc as
mentioned above

getting noticed
Email bombing
and Phishing

Flooding the
email account
with innumerable
number of emails
to disable to
notice important
message at times,
using automated
tools

43, 66, 66c

Anti spam filters.

Strong financial
authentication
transfer measures
Taking down of
phishing websites

Bank financial
frauds in
electronic
banking using
social
engineering
techniques to
commit identity
theft.
Pornography,
Child
pornography
Video voyeurism
and violation of
privacy
Offensive
messages

Publishing
pornographic
materials to
social media sites
etc

67A

Taking down

67B (child porno)

66E (video
voyeurism)

(for Offensive
Communication
66A
of offensive
messages through
computer of
phone

Hacking of
Hacking the
protected systems computer system
through various
systems

70
(10 years
punishment with
fine)

Strong layer of
security.

As per the information given by the Department for the last five
years the number of reported incidents of website compromise
has grown 5.5 times and india is today among the first five
countries with respect to spam mail. Phishing incidents have
increased from 392 to 887.
Efforts by the DeitY: an overall framework for the National
Cyber Security, looked after by National Security Council
Secretariat (NSCS)
Our systems like Nuclear establishment are no on the internet
yet, so so far its safe for now. And power systems are not
connected yet so there is less vulnerability for now but as the
sytems get complex and later on connected by internet then
the threat looms large. But there are possibilities that the
systems may have certain malware embedded in it so that
once those infrastructure gets connected online the systems
could be vulnerable like Stuxnet incident.