Cyber Security Framework For Banks In India By RBI

Cyber security of banks in India is not up to the mark. Whether it is phishing, cyber attacks, malware infection or any other cyber contravention, banks in India are not interested in bringing and establishing a cyber security environment. Even Reserve Bank of India (RBI) is trying to deal with contemporary cyber security issues pertaining to banks and financial institutions. RBI has in the past declared that it would establish an IT subsidiary dedicated to cyber security issues and matters. However, RBI needs to take a stringent approach towards non-compliance with cyber security related guidelines and rules by banks in India. Banks in India have been given almost 5 years to ensure cyber security for their operations but there is little development on the part of banks in this regard.

For instance, RBI has been streamlining the financial and banking Sector of India. It constituted the RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Working Group). The Working Group issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (pdf) to be followed by banks of India. The guidelines have also directed that all banks would have to create a position of Chief Information Officers (CIOs) as well as Steering Committees on Information Security at the board level at the earliest.

Although the direction to have CIOs and a Steering Committee is very clear, banks in India have so far failed to comply with it. RBI said that the banks need to ensure implementation of the basic IT organisational framework and put in place policies and procedures which do not require extensive budgetary support, infrastructural or technology changes, by October 31, 2011. The rest of the guidelines need to be implemented within a period of one year unless a longer time-frame is indicated. Even after almost five years of these guidelines, banks are still lagging far behind as far as compliance with them is concerned.

Perry4Law Organisation (P4LO) suggested in the year 2011 that banks in India need to formulate a cyber security policy as soon as possible. Cyber security policy is an issue that is very important for banks of India. With the growing use of Internet banking, ATM machines, credit and debit cards, mobile banking, etc, banks of India must also upgrade their cyber security infrastructure and establish a cyber security policy. This is more so when Indian government is pushing digital India and mobile governance in India.

P4LO also recommended that banks and financial institutions must regularly engage in forensics audit and incident response. Presently, banks and financial institutions engage in these “essential exercises” only when something fraudulent or wrong has already taken place. If banks and financial institutions conduct regular cyber law due diligence (pdf) then incidents like the Citibank fraud case could be minimised.

RBI has accepted many of the suggestions of P4LO and these suggestions have been incorporated into the cyber security framework for Indian banks (pdf) as prescribed by RBI. A notification (pdf) has been issued by RBI in this regard and now cyber security obligations of banks in India have significantly increased. This is in addition to the cyber law and cyber security obligations of directors of Indian companies as prescribed under the Indian Companies Act, 2013 (pdf). A dominant majority of directors in banking and non banking companies in India are ignoring the cyber security obligations as prescribed by the Information Technology Act, 2000, Indian Companies Act, 2013, etc.

RBI has also directed that banks must immediately formulate a techno legal cyber security policy that must have support and guidance of the top management. P4LO welcomes this initiative of RBI but there is a problem associated with cyber security of banks in India. Banks are not serious in ensuring cyber security for their businesses and RBI is also not inclined to punish the defaulting banks. Till the time there is a mandatory reporting system that RBI actually implements, the proposed cyber security policy would be just a paper document. RBI has to take the lead in ensuring cyber security for banks in India and if it finds any lacuna or inadequacy in the cyber security initiatives of Indian banks, the same must be taken very seriously by RBI.

RBI has given a deadline of September 30, 2016 to the Indian banks to implement techno legal cyber security policy. Let us hope that RBI would not be lenient and indifferent in this regard this time.


81% Of FTSE 100 Companies In UK Are Vulnerable To Brand Spoofing And Malicious Domain Registrations

Business in the United Kingdom (UK) is passing through a tough period. This is evident from the developments that are taking place at the Financial Times Stock Exchange (FTSE) 100 index. The FTSE 100 index is a share index of the 100 companies listed on the London Stock Exchange with the highest market capitalisation. Their position in the index is decisive in determining how well UK businesses are performing, both for the companies themselves and for the UK economy.

The FTSE 100 closed lower on Wednesday after the Organisation for Economic Co-operation and Development (OECD) predicted a reduction in its earlier UK economic forecasts. The OECD downgraded its forecast for UK growth this year to 1.7%, from the 2.2% that it estimated in February. OECD is hoping that UK would vote in affirmative to remain in the European Union in the 23 June referendum. OECD has warned that a vote to leave the EU would see the UK economy suffer a “large economic shock”. It said by 2020 gross domestic product could be 3% below the level it might be otherwise if it voted to remain in the EU.

As if this were not enough of a problem, a recent threat intelligence report has revealed that 81% of FTSE 100 companies are vulnerable to brand spoofing and malicious domain registrations. These companies are increasingly targeted with malicious domain registrations so that cyber criminals can capitalise on them. Cyber criminals are setting up exact duplicate copies of the websites of these companies, and unwary and innocent users become victims of cyber frauds and cyber crimes as a result.

The story does not end here. The report found a total of 5,275 compromised email and unencrypted password accounts on hacking forums, paste sites and the deep web. This means that on average 50 employees at each FTSE 100 company have unintentionally exposed their details to cyber criminals.

The modus operandi of cyber criminals is very simple and is already in use all across the world. The cyber criminals register a domain name nearly identical to that of the targeted company’s website. When innocent users log in to such fraudulent websites, they unintentionally part with their crucial login and other details. The data could then either be sold or used to access a company’s network. 71% of the targeted companies were companies in financial services. Retail and critical infrastructure were the other targeted sectors. The deceptively similar domains were registered most commonly to addresses in China, with the US coming second and Panama third.
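As an added example (not taken from the report or from the original post), this is one way a defender can screen newly registered domains for imitations of the company's own domain. The brand `examplebank.co.uk`, the sample registrations and all function names are constructed for illustration, and inputs are assumed to be registrable domains without subdomains.

```python
"""Screen newly registered domains for look-alikes of a brand domain (added example)."""

# Constructed sample data: "examplebank" is a placeholder brand, not a real company.
BRAND = "examplebank.co.uk"
NEW_REGISTRATIONS = [
    "examp1ebank.com",        # digit substituted for a letter
    "exarnplebank.co.uk",     # "rn" imitating "m"
    "exmaplebank.com",        # two letters transposed
    "examplebank.net",        # same name under a different suffix
    "examplebank-login.com",  # brand plus a lure keyword
    "gardeningtips.org",      # unrelated registration
    "examplebank.co.uk",      # the brand itself
]

# Common visual substitutions, undone before comparison.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def label_of(domain):
    """Return the registrable label (assumes the input carries no subdomains)."""
    return domain.lower().strip(".").split(".", 1)[0]


def normalise(label):
    """Map look-alike character sequences back to the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(candidate, brand=BRAND, max_distance=2):
    """Return the reason a candidate looks like the brand, or None if it does not."""
    candidate = candidate.lower().strip(".")
    if candidate == brand.lower():
        return None  # the legitimate domain itself
    brand_label = label_of(brand)
    raw = label_of(candidate)
    if raw == brand_label:
        return "same-name-different-suffix"
    norm, brand_norm = normalise(raw), normalise(brand_label)
    if norm == brand_norm:
        return "homoglyph"
    if brand_norm in norm:
        return "brand-plus-keyword"
    if edit_distance(norm, brand_norm) <= max_distance:
        return "typo"
    return None


def scan(domains, brand=BRAND):
    """Return (domain, reason) pairs for every domain that imitates the brand."""
    flagged = []
    for domain in domains:
        reason = classify(domain, brand)
        if reason is not None:
            flagged.append((domain, reason))
    return flagged


if __name__ == "__main__":
    for domain, reason in scan(NEW_REGISTRATIONS):
        print(f"{domain:26} {reason}")
```

Flagged domains are candidates for review, takedown requests or mail-gateway blocking; a short brand name needs a lower `max_distance` to keep false positives down.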

The evidence gathered across the threat intelligence platforms demonstrates that some basic security measures are not being adopted or followed at some of the largest and most prominent companies in the UK. The results of the report should be a wake-up call for these organisations, highlighting just how vulnerable they are in ways they might not even have considered.

Please see the report titled The FTSE 100: Targeted Brand Attacks and Mass Credential Exposures (pdf) for more details.


Smart Cities Cyber Security And Legal Issues In India

Smart cities are gaining the attention of both the national and international business community. Indian government has decided to spend crores of money on smart cities to ensure the best urbanisation environment. Since the concept is new, there would be many techno legal challenges that Indian government would face in this regard. Cyber security, civil liberties protection and techno legal regulatory compliances are just a few of such challenges. There is no doubt that India must have made suitable policies and strategies regarding the proposed smart cities. However, till now the Indian Government has not made public a smart city policy that meets the cyber security and civil liberties requirements.

For instance, in 2015 the central government announced plans to develop 100 smart cities over the next five years, with an outlay of Rs 1 lakh crore. However, the mission statement and guidelines from the ministry of urban development are silent on the legal framework to regulate and manage these. Town planning and legal experts are more in favour of tweaking and strengthening the current municipal and state laws, rather than any new legislative framework to govern these changed cities. However, we at Perry4Law Organisation (P4LO) believe that smart cities would require smart laws rather than following the outdated and traditional laws. We cannot tweak existing laws because we have no laws regarding cyber security and cyber forensics and our cyber law is grossly outdated. Even the need to have a cyber security policy of India 2016 has not been met so far by Indian government. There is no sense in tweaking non-relevant and inapplicable existing laws in this situation.

World over, smart cities and countries are facing techno legal issues pertaining to healthcare, cloud computing, e-commerce disputes, bitcoins, privacy protection, data protection (pdf), e-discovery, cyber forensics, etc. The Indian Companies Act, 2013 (pdf) would guide and manage the operational framework of any smart city project in India. It envisages setting up of a Special Purpose Vehicle (SPV), registered under the Companies Act, which will plan, appraise, approve, release funds, implement, manage, operate, monitor and evaluate any smart city development. The SPV, incorporated at the city level, will have the state or Union Territory and the urban local body as promoters, having 50:50 equity shareholding.

Smart cities are also closely related to the Internet of Things (IoT) concept. India has issued the Draft Policy on Internet of Things (IoT) (PDF) and a Revised Draft Policy on Internet of Things (IoT) (PDF). The IoT Policy of India is yet to be finalised and implemented after analysing and incorporating the public suggestions and inputs. While India is embracing the concept of Digital India and electronic delivery of services to its citizens yet its actual implementation requires strong and effective techno legal framework. Digital India and initiatives based upon it cannot be successful till the foundation of Digital India itself is strong, legal and flexible. Unfortunately, Digital India project is not only suffering from many shortcomings but it is also heading towards rough waters.

Cyber security in an interconnected world is a difficult task to manage. This is more so when the enemy is almost invisible and anonymous. It has been a considerable time since India has been using e-governance for various public services. However, cyber security of e-governance services in India is still missing to a large extent. This is equally true regarding critical infrastructures that require resilient and robust cyber security. For instance, cyber security of smart grids in India is still not adequate. We cannot use insecure smart grids for smart cities as they would create more problems than solutions. Similarly, smart cities also require smart law enforcement machinery where the law enforcement agencies are well versed in techno legal issues like cyber law, cyber security, cyber forensics, etc.

There are many cyber security challenges before the Narendra Modi Government that have to be addressed on a priority basis. A quick analysis of the National Cyber Security Policy of India 2013 reveals that it is suffering from many shortcomings. There are no Cyber Security Disclosure Norms in India that may require individuals and companies to share details of cyber attacks and cyber breaches. There is also an urgent need to formulate the Cyber Security Policy of India 2016 as the Cyber Security Trends are very alarming in India. Even there is no implementable Telecom Security Policy of India as on date and telecom related issues are getting complex day by day.

However, Indian Government and other stakeholders have also initiated many good projects to facilitate public delivery of services through e-governance and use of information and communication technologies (ICT). For instance, an E-Police Station in Delhi has been established that would register online FIR for motor vehicle theft cases of Delhi. The Reserve Bank of India (RBI) has also decided to set up an IT Subsidiary to deal with technology related banking issues. The Technical Advisory Committee (TAC) of SEBI would address cyber security issues as well. The Grid Security Expert System (GSES) of India has also been proposed by Indian Government. Indian Government has also banned private e-mail services for official communications in Government Departments. Indian Government would also launch an Internet Safety Campaign very soon to spread awareness about cyber security among various stakeholders. However, the best effort of Indian Government vis-a-vis cyber security is the appointment of Dr. Gulshan Rai as the first Chief Information Security Officer (CISO) of India by the Prime Minister Office (PMO) of India. This would definitely strengthen the cyber security infrastructure of India.

Another area of concern regarding Smart Cities would be protection of Civil Liberties in Cyberspace, where India is lagging far behind its international and constitutional obligations. Recently the Supreme Court of India has asked for a clarification from the central government regarding privacy invasive software and mobile applications. India has no dedicated privacy and data protection laws. Privacy protection in the information era has to be ensured by Indian government for the success of smart cities in India.

The smart cities project of Indian government has both negative and positive aspects. It is for the Indian government to remove the negative aspects and stress more upon the positive and development aspects. I hope and wish that this would be the approach of Indian government regarding smart cities in India.


Cyber Security Of Smart Grids In India

The utility industry around the world is undergoing radical changes in its structure and business models. It is being reshaped by disruptive technologies, environmental pressures and social expectations. Traditional electric grids are now being replaced with smart grids that are controlled by information and communication technology (ICT). In many cases, these utilities are managed through remote administration as well.

Power grids are also centrally connected and integrated in nature, from the stage of power generation to its transmission and distribution. A compromise of such power grids can lead to power outages/blackouts or even damage to power system devices, and thereby huge loss to the utilities. This is also the stage and process that makes these utilities vulnerable to cyber attacks.

Naturally smart grids cyber security has become a top priority for governments around the world in these circumstances. The contemporary malware are very sophisticated in nature and they are easily defeating the cyber security products and services. As a result cyber attacks and malware have become a big nuisance for businesses and individuals alike. Smart grids are also facing sophisticated cyber attacks from around the world.

Cyber security issues in India are emerging day by day. Similarly, the cyber security awareness in India is also increasing. However, cyber security capabilities of India are still not up to the mark. Cyber security skills developments in India are urgently required so that both offensive and defensive cyber security capabilities of India can be developed. Keeping this fact in mind, critical infrastructure protection in India in general and cyber security of automated power grids of India in particular must be ensured with latest technology and international best practices. In the past Indian government declared that a Grid Security Expert System (GSES) of India would be developed in India. The same may be a reality very soon keeping in mind the focus upon Digital India project of Indian government.

There would be many cyber security challenges for future smart grids of India. The evolution of SCADA system, deficiencies and shortcomings of existing power devices and vulnerabilities of software managing SCADA systems are areas of special concern for India. Internet is full of unprotected and unsafe devices, SCADA systems and computers. Critical infrastructures protection has also become a major challenge with the SCADA systems still remaining exposed and unprotected. For instance, healthcare industry is facing increased cyber attacks against its critical infrastructures. Cloud computing is also facing low adoption and regulatory issues in India.

Further, renewable energy/distributed generation demands are the added feature of smart grid and due to networked control future power system will be much more vulnerable to cyber terrorism attacks, cyber warfare activities and cyber espionage attempts. Therefore, before switching to smart grids, India must consider cyber security challenges for them as well.

Although India has recognised the significance of cyber security yet its efforts in this direction are still scattered, unstructured and inadequate. Perry4Law Organisation (P4LO) has been advocating for establishing a strong, robust and resilient cyber security infrastructure in India for almost a decade. P4LO also believes that international legal issues of cyber security must be resolved on mutual cooperation basis among various countries. Countries may work in the direction of formulating international cyber law treaty and international cyber security treaty (PDF). Similarly, international legal issues of cyber security and conflict of laws in cyberspace must also be resolved by Indian government. We hope Indian government would resolve the cyber security issues related to smart grids very soon.


Online Cyber Law Courses, Education And Training In India

Cyber law is a branch of technology law that regulates matters pertaining to technology and cyberspace. Since it is a combination of technology and law, cyber law is essentially techno legal in nature. Any cyber law expert must be well versed with both technology and legal aspects. Neither a technology acumen nor a legal knowledge in itself is sufficient. This is the reason that there are very few cyber law experts or specialists in India and world wide.

If we wish to increase the number of cyber law experts in India we need to make suitable changes in our educational system. Our present educational system is academic in nature that is heavily relying upon theoretical aspects. The requirement, on the other hand, is to produce qualitative techno legal professionals who have practical experience of the real life situations.

The traditional schools and educational institutions are tied up with the traditional syllabus and education methods. However, India is planning to use information and communication technology (ICT), e-governance and Digital India concepts. This means education, training and skills development are no more limited to brick and mortar buildings and institutions. We at Perry4Law Organisation (P4LO) believe that a single online skills development and training related website and portal can provide a much wider and elaborative cyber law training, education and skills development than traditional educational institution as mentioned above.

P4LO has been managing two unique and world class online techno legal training, education and skills development portals. These are Perry4Law’s Techno Legal Base (PTLB) and Perry4Law’s Techno Legal ICT Training Centre (PTLITC). PTLB manages the basic level online techno legal cyber law trainings, education and skills development in India and abroad. PTLITC runs the online techno legal cyber law trainings, education and skills development in India and abroad for domain specific and highly specialised segments and stakeholders.

PTLB has launched a dedicated online techno legal trainings, education and skills development platform for Indian and foreign stakeholders. Online courses like cyber law, cyber security, cyber forensics, ethical hacking, etc are managed by the virtual campus of PTLB. The advantage of the virtual campus of PTLB is that even foreign residents can enroll for the techno legal courses of PTLB.

Cyber law education and training starts at the schooling stage. There are many cyber law related issues like cyber bullying, online harassment, etc. that school children must be well equipped to deal with. In fact, the CBSE has directed the schools to constitute an anti bullying committee to deal with the harassment that school children face in the contemporary cyberspace and Internet times. These issues were part of the techno legal discussion that we had with school children during the Jigyasa Career Mela organised by the Hans Raj Model School, New Delhi. Even the Indian Government has decided to launch an Internet safety campaign at various schools to spread cyber law and cyber security awareness among school children.

At P4LO we believe that the purpose of any cyber law education and training must be to build a responsible cyber society and culture on the one hand and making every stakeholder a responsible netizen on the other. We inculcate these values into our courses, trainings, education and skills development programs that we impart through our virtual campuses. PTLB uses a variety of tools for conducting its online and virtual classes like Learning Management Systems (LMS), Content/Course Management Systems (CMS), etc. Collectively they provide a comprehensive, holistic and intuitive learning environment for various stakeholders.

Courses of PTLB are also customised as per the requirements of a particular segment. For instance, separate arrangements have been made for school children, college students, professionals, corporate executives, etc. Similarly, foreign students can also be enrolled for our courses through distance learning mode. We keep on experimenting with our LMS/CMS, software and tools, course contents, etc. to make them contemporary and of practical utility.

The virtual campus of PTLB also uses various types of online learning activities such as tutorials, lectures, homework, discussions, readings, assignments, etc. Tests and other assignments are available online in specific formats made available by various programs used for online classes. Whenever required, we also engage in live sessions, videoconferencing, online discussions and sharing of various online contents and materials. The students and stakeholders can access the materials as per the rules of virtual campus and as per the privileges made available to them by PTLB. Sharing of the account details, password, credentials, etc by the students/stakeholders with others is not permissible as per rules of virtual campus.

E-mail is an integral part of the virtual campus of PTLB and is often used before, during and after online sessions. This helps our students and various stakeholders in better understanding our courses and trainings. Techno legal experts and teachers who are on our panel will be available to guide the students and other stakeholders. Students and teachers can interact as often as necessary during the course, because communication takes place through e-mail. Those who have not enrolled for our courses and trainings, would not be helped through our e-mail system. A dedicated e-mail id would be provided to our students so that they would get crucial inputs and suggestions on a priority basis. PTLB is also experimenting with other open source tools and software to effectively provide online cyber law education and training in India.

Some of the subject areas covered by our courses and trainings include analysis of Information and Communication Technology Act, 2000 (IT Act 2000), e-commerce, e-governance, analysis of cyber crimes, cyber crimes investigation methodologies, conflict of laws in cyberspace, intellectual property rights (IPRs), cyber forensics, cyber security, privacy and data protection, data security, etc. At the end of the course/training, students receive a certificate acknowledging completion of the course/training.

The students enrolled for our courses/trainings would be assigned an online account through which he/she can access the course materials and complete the same. It is only through this online account that the virtual campus will be interacting with the students/stakeholders. After creating the online account, each student would be supplied online study material and be given assignments from time to time during the course duration. No hard/paper copy of either the study material or assignment would be sent to the students or accepted from the students.

The candidate needs to score at least 50% marks to clear the course/training. Candidates obtaining less than 50% marks shall not be given the certificate but will have the option to reappear with the next batch, for which (s)he needs to deposit the readmission fee. Only one chance will be given to reappear with the next batch. If he/she fails to take readmission in the next batch or fails to clear the exam with the next batch, (s)he shall not be able to take the exam again and will have to take fresh admission. Students or other stakeholders may find the segments titled FAQs, students enrollment, application form (Doc), payment mechanism, etc. useful.


Online Skills Development Methods Are Required In India

Skills development has become a top priority for governments around the world. While foreign countries are slightly better situated, India has to cover a long gap before its workforce can compete at the world level. The task of skills development is not easy to achieve and a public private partnership (PPP) is inevitable in this regard.

We at Perry4Law’s Techno Legal Base (PTLB) believe that the true challenge before the Indian government would be to “identify and engage” those stakeholders who can really make a difference. For instance, we interacted with national and international cyber professionals and the most common point of dissatisfaction among them was that Indian government is totally indifferent towards their “suggestions and contributions”. In other words Indian government is least bothered about the cyber security and cyber forensics requirements of India.

We would not have shared these observations publicly but for the compelling circumstances that India is presently facing. Cyber attacks are international in nature and so must be the preparation against them. The cyber security trends in India 2015 by Perry4Law Organisation (P4LO) have clearly shown that India must be cyber prepared to deal with the present day cyber attacks. There is no doubt that cyber security challenges in India would further increase in the coming years and we need a skilled workforce to tackle them.

Skills development is a top priority for Indian government. However, this is not an easy task and Indian government may use the public private partnership (PPP) model to achieve its skills development objectives. Online education, distance learning and e-learning would play a significant role in achieving the skills development goal of Indian government. In short, online skills development in India is need of the hour and the same must be recognised by Indian government as well.

We have launched the PTLB Virtual Campus to impart techno legal knowledge, skills development and training to school children, college professional, professionals like lawyers, judges, company secretary, chartered accountants, etc. There would be a separate category for these stakeholders and we would customise our knowledge, skills development and training modules accordingly. Please see Perry4Law’s Techno Legal Base (PTLB) Online Skills Development and Training Platform for more details.
