International Conference on Cyber Security in India
Nov 29-30, 2008
A Brief Report on the Recommendations
An international conference on Cyber Security was held at New Delhi on
November 29th and Nov 30th organized by the World Council of Corporate
Governance and Institute of Directors. After the debate a set of
recommendations was developed on behalf of the participants. The
recommendations (which will be shared with the Government) along with some
rationale for the same are provided herewith for general information.
...Naavi
Regional Cooperation
1. It is recommended that India should take the lead in developing a
Cyber Crime Cooperation pact between countries in this region on a priority
basis.
2. It is recommended that the Cyber Crime cooperation pact should in due
course be ratified as a Mutual Assistance Treaty along with harmonization
of Cyber Laws.
Rationale: The need for international cooperation in tracking down
perpetrators of Cyber Crimes is well understood. India is also deliberating
joining the EU treaty and other International treaties. One of the reasons
why this may be taking time is because of the difference in laws of these
countries. While these efforts may continue, an effort to bring the
regional countries together is considered a step in the required direction.
Since India is the largest country in the region it is well placed to take
the role of a facilitator for regional cooperation in Cyber Crime
investigations. This will also help in knowledge sharing to improve the
investigation skills as well as forensic practices.
National Cyber Law Enforcement Agency
3. In order to effectively deal with concerns and challenges of Cyber
Space, inter state Police cooperation and effective use of trained manpower
through a longer career, a national set up for Cyber Crime policing is
recommended.
Rationale: Cyber Crime investigations require not only cooperation
between different countries but also between cyber crime police personnel
in India. Further, most of the Police personnel get trained in Cyber Crime
investigations and before their expertise is fully available for the
department their term in the Cyber Crime division often comes to a close.
In order to provide long term career options for trained Cyber Crime Police
and to provide a federal set up for investigation within a country, it is
considered necessary to have a national cadre of Cyber Crime Police.
Capacity Building
4. It is recommended that capacity building initiatives are initiated on
a large scale covering Legal, Judicial and Enforcement authorities on all
aspects of Cyber Law, Cyber Crimes and Enforcement Challenges.
Rationale: The present set of law enforcement officers as well as
the prosecutors and judicial officers need to be trained so that the
complexities of technology crimes as well as the Evidentiary and the
forensic requirements are properly understood by the entire law enforcement
machinery. This is required to be achieved on a large scale with the
creation of at least 5 or 6 cyber crime police stations in each State. In
the event amendments to ITA 2000 are approved, the expertise needs to be
built up in every Police Station. This huge task needs to be addressed in a
systematic manner by an army of instructors under a special training
schedule. The task is beyond the routine training capacity of the current
system with the Police and Judiciary and a special programme needs to be
drawn up for the purpose if necessary with the assistance of private
sector.
Monitoring of Illegal Financial Transactions in Cyber Space
5. Cyber Space is being used increasingly for Money Laundering and other
illegal purposes. It is recommended that a suitable Cyber
monitoring/regulatory mechanism for money transfer through non-banking
channel using cyber space be set up urgently to contain the problem.
Rationale: In order to effectively tackle the menace of Cyber
Crimes, it is felt necessary that the Cyber Crime economy is dismantled by
choking avenues of transfer of crime proceeds. It is estimated that nearly
60% of the crime fund transfers are effected using non Banking financial
intermediaries. Hence apart from tightening up the Anti Money Laundering
control mechanism in Banks, a separate plan of action needs to be drawn up
for monitoring the fund transfers through non banking sources.
Corporate Accountability
6. It is recommended that Corporates should designate Compliance officers
to ensure mandatory data protection/preservation in private sector.
Rationale: In order to ensure that information security loopholes in
the private sector are plugged and that the private sector effectively
shares sensitive Cyber Crime related information with the Police, there is
a need to build accountability in the corporate circles through designated
persons who may also be the liaison persons for cooperation.
Simultaneously, a good data protection legislation that ensures that any
data shared by the private sector with the Police is not mishandled by the
Police will be required to provide confidence to the private sector that
any sharing of data with the law enforcement shall not result in damage to
their own interests.
Cyber Ethics
7. Awareness building and education program among net users on cyber
ethics is expected to help young ignorant cyber space users who are
vulnerable to the risks in Cyber Space. It is recommended that this should
be part of regular education at all levels.
Rationale: In order to build a "Security Culture" in the society, it
is considered essential to ensure that employees of all organizations as
well as youngsters in schools and colleges are well aware of the dangers of
Cyber Crimes and adopt an ethical approach to use IT with
responsibility and ethical commitment. A suitable educational input is
therefore considered necessary at different levels of education and in the
employment place.
Cyber Crime Insurance
8. Although large corporations and financial institutions can protect
themselves from losses arising out of Cyber Crimes through various means, a
majority of the vulnerable sections of population have no protection
against Cyber Crimes. It is recommended that the Government may take the
lead in building a Cyber Crime insurance infrastructure covering
development of best security practices, development of security tools and
coverage of losses arising out of cyber crimes to the insured.
Rationale: In order to incentivize use of secure measures of
handling information, and to provide security for IT users, it is
considered necessary and beneficial to develop a Cyber Crime insurance
system. Such a system will ensure that proper security standards are
developed, proper security tools are available, users are suitably educated
and in return provide a certain risk coverage. In respect of vulnerable
sections such as rural users of e-Governance applications, Government
can even provide free insurance. Banks can be made to insure losses to
customers on account of frauds and users may also be able to take their own
insurance if they hold valuable information in their systems.
Indigenous Security Standards
9. It is recommended that Indigenous Information Security standards be
developed to suit the requirements of SMEs and different user segments in
India.
Rationale: In order to provide affordable and appropriate
security standards for different segments of users and the SMEs, it is
considered necessary that indigenous information security standards are
developed as a substitute for expensive standards such as ISO 27001. Small
segments such as Medical Transcription units, LPOs, Cooperative Banks,
Online Brokers etc require such standards. If such standards are already
available in the indigenous market, the same may be adopted.
ISP Cooperation
10. It is recommended that ISPs are mandated to introduce appropriate
mechanisms to filter SPAM and Malicious e-mails and to maintain transaction
logs for a reasonable period.
11. It is recommended that ISPs are mandated for filtering illegal web
content.
Rationale: The role of ISPs including the mobile service providers
in cracking Cyber Crimes is well known. Currently the intermediaries are
not taking enough steps to reduce SPAM and distribution of malicious
viruses even when they are notified. Substantial reduction of crimes
can be achieved if ISPs institute appropriate filtering mechanisms.
Similarly, malicious websites containing illegal content proliferate on the
web and ISPs need to be forced to take steps to prevent their facilities
from being misused. Simultaneously there is a need to mandate a minimum
3 year term for holding activity logs by ISPs which serve as evidence in
case of Cyber Crimes. Since these measures reduce the profitability of the
ISP operations, they will not be implemented unless mandated in law.
Cyber Security Knowledge Base
12. It is recommended that the Cyber Security knowledge base maintained
by CERT-IN is expanded to ensure greater public awareness about Cyber
Crimes.
Rationale: Presently, CERT-IN is the organization that is entrusted
with the responsibility of maintaining a cyber security knowledge base and
ensuring its availability to the public. Since the resources available
to CERT-IN are limited there is a need to supplement the work of CERT-IN
regarding public education through other means.
Technology Neutrality and IP Assurance
13. It is recommended that in order to ensure greater participation of
the private sector in national security initiatives of the Government,
appropriate measures are initiated regarding Technology neutrality and IP
assurance in Public Private partnerships.
Rationale: Successful development of a national cyber security plan
requires the assistance of private sector participation. There is however a
reluctance by the private sector to share knowledge because of a fear of
losing IP. Sometimes their participation is also affected since projects
are allocated on the basis of specific technologies instead of the end
goals. A relook at the system to enable more private participation is
therefore considered necessary.
Research Support
14. It is recommended that Government should earmark resources to
encourage research and development towards development of indigenous
security software in collaboration with Indian security product companies.
Rationale: Adequate Cyber Security raises issues of the risks in use
of proprietary hardware and software. Unless open source software,
escrowing of codes as well as indigenous production of Chips and software
are encouraged, it is difficult to achieve self dependency in securing our
systems.
National Cyber Security Command
15. It is recommended that in order to coordinate all activities under a
national security programme, a "National Cyber Security Command" on the
lines of the US Cyber Command be considered as an umbrella organization.
Rationale: Last year the US created a separate defense command
called "Cyber Command" to focus on the national cyber security. In India
also such a set up is required for securing the national cyber space.
Unlike the physical space where borders can be clearly identified and army
can guard it, cyber space borders are difficult to identify. Every computer
connected to Internet represents a cyber space border post. Hence securing
the national cyber space requires integration of the efforts of the defense
forces, cyber crime police, private sector information security efforts and
an individual's security of his desktop/laptop. An umbrella organization is
therefore considered necessary for Unified command.
National Cyber Security Advisory Group
16. It is recommended that in order to continuously advise the
Government on all issues related to Cyber Security, a "National Cyber
Security Advisory Group" with public private participation be set up
as a professional advisory body.
Rationale: Since the development of national cyber security is
a complicated and a long drawn process, there is a need for
continuous guidance to the Government and other agencies involved so that
the convergence of efforts of different organizations is ensured. This
requires a Core Advisory Group such as a "National Cyber Security Advisory
Group" constituted with professionals from different segments of
Information Security industry and stakeholders. A set up like TRAI with
some advisory powers is considered desirable though the process can be
started with an informal group of professionals identified for the purpose.
Na.Vijayashankar
November 30, 2008