Threats to
Cyber Security
Vision-2009
Naavi
[Gist of
Speech delivered by Naavi on 29th Nov 2008 at the International
Conference on Cyber Security organized by Indian Academy of Law and World
Council for Corporate Governance]
National Security has been a matter of concern for all patriotic citizens
of India. Today we see threat to this national security from many sides.
The most visible of them is the Terrorism in the Physical Space. The
country has been trying to find a solution to the threat of terrorism but
has not been able to make as much progress as one could wish.
However, it is necessary for us to recognize that one or some of the keys
to national security against terrorism may perhaps be fond in the Cyber
Space.
Cyber Space
hosts significant parts of our economy and any threat to Cyber space
security is therefore a threat to our economy.
Cyber Space also is a gateway to many of our critical assets both financial
and infrastructural. It is also a major communication channel. Cyber wars
are launched to destabilize the country and to secure advantages during a
conventional war.
Cyber Space security is therefore a part of the National Security. If we
are weak in Cyber Security, we cannot be strong in physical security.
Cyber Security has many
dimensions. One of the dimensions is having the required technical
expertise. Another dimension is to have an effective legal regime. Third
dimension is to have an effective security infrastructure that can use the
technology and the law towards achieving the objective of securing the
information assets of the country.
While discussing the role
of laws in cyber space, there are two main objectives. Firstly the laws
should be drafted in such a manner that they
Ø
do not provide loopholes for criminals to
escape
Ø
do not make it difficult for Police to
investigate and
Ø
provide power with discretion to judiciary to
impose appropriate punishments…
Additionally, framing of a good law
also requires promotion of “Security Culture” in the community
Ø
By providing appropriate guidance to the
society
Ø
By providing solutions for security
Ø
By making compliance mandatory
The Indian scenario is on
Cyber Laws is that we have the Information Technology Act 2000 (ITA 2000)
which provides
Ø
3 years imprisonment (+Rs 2 lakhs fine) for
“diminishing the value of information or utility”
Ø
10 years for attempting to access a protected
system
Ø
Rs 1 crore compensation for any loss arising
out of unauthorized access
Ø
Makes Intermediaries and Companies
responsible for practicing “Due Diligence”
ITA 2000 may not be as stringent as in
some other countries where cyber terrorism may be punishable with life
imprisonment but may be considered reasonable.
In fact the current version of ITA
2000 must be considered more than reasonable when we consider what may be
in store when it is amended with ITAA 2006
Ø
Punishment for most of the offences to be
reduced to 2 years
Ø
Preconditions imposed for some sections
Ø
Dishonesty, Fraud and malicious intention for
Sec 66
Ø
Conspiracy and abetment for Sec 79
Also, a Personal Data Protection Act
is under anvil both through some of the amendments proposed in ITAA 2006
through Sec 43 A and Sec 72 A as well as the proposed new law called
personal Data Protection Act 2006.
Ø
43 A providing compensation of Rs 5 crore
Ø
72A providing imprisonment of 2 years and Rs
5 lakh fine for negligent or intentional disclosure of private information
Ø
PDPA 2006 providing 3 years imprisonment, Rs
5 lakh fine and compensation for the victim
However, what is also required is
promotion of a Compliance Culture in our society like what HIPAA tries to
achieve.
Such a Compliance culture
needs to be promoted through
Ø
Security Education
Ø
Security accountability
Ø
Security Practices
Ø
Security audit and certification
In addition, we may need
appropriate security standards to be developed for different types of
industries.
Ø
Like LIPS1008 developed by Cyber Law
College for Legal Information Protection in LPOs in India
Ø
IFIPS-Standards for Financial Services, Small
Banks, Stock broking firms, Insurance..under development
We also require new approaches
to cyber security such as development of an effective Cyber Crime
Insurance system as a financial incentive for initiating best security
practices.
We also require Law Compliance
software/Services to facilitate compliance
As a final but important
step we need an integrated National Cyber Security Infrastructure
that can be an umbrella organization coordinating cyber security efforts
against
Ø
Cyber Wars against Indian Cyber assets
Ø
Cyber terrorist attacks
Ø
Cyber Crimes
Ø
Data security breaches
Some of the Challenges we need
to foresee in this effort are managing
Ø
Coordination of Police in different
States
Ø
Cooperation of ISPs in India and
abroad
Ø
Cooperation between private sector and
Police
Ø
Cooperation from all IT Users-
Ø
E-Commerce, E-Governance and Individuals
Need of the Hour is therefore an “Indian National Cyber Security
Force” which can achieve a sustainable bondage between naturally repelling
entities to bring about a synergy in their operation, a strategy to make
this happen in a predefined time frame perhaps a Vision 2009.
Na.Vijayashankar
November 29
2008
Related Article:
Digital Society Day 2008
Cyber Threat Report 2009
Kudos to the Parliamentary Committee
Recipe for
Killing Journalistic Ethics
Why Times of
India is Wrong
Please do
not try to manipulate public opinion with planted stories