Naavi.org

Digital Dependence today is on the increase. Both professionals and ordinary citizens are today dependent on Internet for connectivity, Computers and Cloud for Storing of Data and  Electronic Documents as the data storing form. New Technologies such as AI have provided many conveniences but at the same time hardened the dependence.

As a result, the vulnerability of the society for Cyber Crimes has also increased to the extent that it is no longer a surprise if a company faces a ransomware attack  or an individual becomes a victim of  a cyber crime. There is a danger of the society becoming immune to the Cyber crime threat and taking it for granted.

If we allow this to happen, we will create a Digital Jungleraj. We need to prevent this.

Resilience essentially means how quickly and effectively we recover from a Cyber disaster. It is a fact that if we have lost reputation, it is difficult to recover. But atleast if we have lost money, we should be able to recover it. If we have lost  data we should be able to recover it. If our business has been disrupted, we should be able to get back on rails.

Cyber Space being what  it is, we work on a global network. While individuals are connected to the local ISPs, privileged  entities may be connected  directly to global networks through direct satellite  connections.

Hence regulating the space as if it is manageable within  a region  is not possible. But the nearest we can do is to create a Pan-India collaboration of stake holders so that an informal regulatory network can be created.

If the stakeholders consist of both Private Sector as well as the Government, then there is a need to build  trust between the two entities.

For this Public-Private trust to be effective, there has to be no internal trust deficit between the constituents themselves. Hence there has to be collaboration between one state with the other, one company with the other.

We therefore need to work towards this Intra Private Sector collaboration and Intra State cooperation at different levels.

If we presume that this is possible then there has to be a national leadership which has to come from one all India institution which every one of us trusts.

Just as we trust the defence forces to secure our borders we need to trust the defence  forces to secure our cyber space as well. Unlike our physical boundaries which  can be recognized, Cyber Boundaries exist every where and in every device connected to internet. Hence Cyber Security failures can enable intrusion of Cyber enemies into our Cyber space. It is therefore natural to expect that the “Défense Cyber Authority” has to take the lead.  It ow has a military component and we need to create a Civil Defence arm of this Défense Cyber Authority.

Under this, we need bring  in the CERT In  as well as organizations like NTRO, I4C , the Cyber Crime police stations etc.

Similarly in the industry side, we need to create sectoral leadership and there after a federation of Cyber Security leaders. The CISO community can be a starting point. We need to first create a federation of CISO entities. The DPO community and CISO community  have to be part of this federation and the federation should take up the responsibility of a Private Sector Cyber Defence  system which can collectively work with the Civil Cyber Defence Authority in public interest.

Today, CERT IN is the legal authority which can enforce data breach notifications. The DPB will shortly have its own  authority. But private sector will continue to be wary of the reputation loss that occurs when  a breach is reported and hence will always have a tendency to hide breaches. This tendency may be reduced if the private sector forms its own Private Sector Cyber Defence system.

Probably we need to think in terms of a Private sector CERT and a Cyber Resilience Act as two instruments to pursue.

Let us therefore try to work towards this entity and if possible get a legal recognition from the Central Government.

Naavi

(Continued)

In continuation of our discussions on the IN-CRA act, the next big hurdle we need to tackle is bringing  about the integration of the private sector into this initiative.

The Private sector is important for Cyber Resilience since the expertise in threat hunting and information security lies in private sector, some academic institutions and NGOs. Government has to borrow these  resources besides developing their own expertise.

Private Sector however has the  commercial constraints and the fear of loss of reputation if any security weaknesses become public. Hence even the data breach notification systems donot work efficiently due to large scale under reporting of incidents.

We need to therefore build one industry level institution and link it to the Government infrastructure to infuse more confidence. These should consist  of sector wise  leaders who collaborate  as a federation of Cyber Security agencies.

The Government organizations like CERT In  can work more smoothly with such industry representing organizations. Academic institutions and NGOs can provide leadership of such sectoral committees and act as buffer zones to build trust in ensuring flow of sensitive security information from the victims of Cyber attacks which are commercial entities to the agencies like CERT In.

A serious debate is required on this type of industry bodies.

In the past MeitY did dry to promote self regulatory bodies for digital media regulation but the industry did not respond positively. We need to continue our efforts to persuade the industry to shed their inhibitions and start  cooperating with the Government as a duty towards national security.

This can be done only through an enforceable law with deterrents and recognition of a constitutional right “Right to Security” as an  apex component of  “Right to life”. The Judiciary needs to accept this “Right” as part of our constitutional Right. No  other  Right exists when we no longer exist. This truth is today forgotten by our Judiciary and they need to realize this.

Please feel free to comment.

Naavi

Naavi

(Continued from previous Post)

India already has a National Cyber Security Policy 2013. In 2020, DSCI also brought out an updated suggested Cyber Security Strategy 2020. Karnataka also published a Karnataka State  Cyber Security policy 2024. Earlier Tamil Nadu had published a similar policy. We need to keep all these under our radar to develop the draft Indian Cyber  Resilience Act.

The National Cybersecurity Policy of 2013 is a comprehensive framework established by the Government of India aimed at protecting the country’s information infrastructure and managing the associated risks. This policy was introduced in response to the increasing threat landscape and the need for a robust cybersecurity strategy to safeguard critical information infrastructure.

The National Cyber Security Strategy suggested by DSCI highlighted  21 key focus areas aimed at creating a secure, reliable, resilient, and growth-and-trust-fostering cyberspace for India.

The Karnataka Cybersecurity Policy 2024 aims to build a secure and resilient digital ecosystem in the state. It focuses on safeguarding critical infrastructure, promoting cybersecurity awareness, and fostering innovation in security technologies. The policy encourages collaboration between the government, industry, and academia, and provides incentives to cybersecurity startups. By strengthening data protection and implementing global best practices, Karnataka seeks to become a leading hub for cybersecurity, ensuring the safety and trust of its digital economy.

In the light of these past efforts let us see what should be the contours of the Indian Cyber Resilience Act. We shall place our suggestions in a series of articles here and codify it in the end.

The first principle we need to adopt is to define the “Cyber Space” and the law making jurisdiction.

When Indian Constitution was drawn , there was no recognition of Cyber Space. Hence  the law enforcement obligations were divided  built into Union List, State List and concurrent list. As a result States are assuming legislative powers and State Police is assuming powers to handle Cyber Crimes as if they are crimes associated with the geographical boundaries of the State.

This is the biggest hurdle in Cyber Crime management that needs to be removed.

Cyber Space is like the extended geographical boundaries on the sea in air etc and has to be addressed as a separate law making jurisdiction.

The powers of the State should be only for implementation  of law made by the Union which should be considered as the only law making power.

All Cyber Policing activity should be brought under the “National Cyber Police Force”. The  I4C and  NTRO may be functioning as National  agencies but they need to be brought under proper National authority so that Interstate crimes and Cyber Terrorism can be handled.

Since Cyber Space has no boundaries, the National Cyber Space boundary is not limited to the geographical boundaries. The entry and exit points  of our Cyber Space boundary lies in every internet connected device. Hence our military needs to be responsible  for protecting every Cyber attack including what we are today recognizing as Cyber attacks on individual systems.

We already have a Cyber Command in the form of Defence Cyber Agency which acts like a Cyber Command for military operations. We need to create a unit of this as Cyber Border Security Force so that the apex control rests with the military to tackle State actors.

Thus one of the first efforts should be to integrate the activities of multiple agencies like the DCyA, I4C, NTRO, CERT In, NCIIPC etc into a single unified “National Cyber Resilience Command Authority”. While individual autonomy can be preserved, the overall policy has to be synchronized with a unified structure.

This is one of the prime  responsibilities of the IN-CRA.

Naavi

(Continued)

The DPDPA 2023 is now put  on track and the  Indian Personal Data Eco system is preparing itself to adopt the obligations under the Act.

In the meantime, the issue of “Securing” the Cyber Space which consists of non personal data as well as the production and use of cyber devices, the upcoming technologies such as AI , Quantum Computing, Crypto Currencies etc remain under the ToDo list.

The Digital India Act which was spoken off for some time was intended to address this issue either as an amendment to ITA 2000 or a new act.

With the India -EU trade deal opening up doors of opportunity for Indian software and hardware companies the industry’s attention has been drawn to the EU-Cyber Resilience Act 2024 which is gaining traction through implementation deadlines in 2026 and 2027 and possibly impacting the Indian manufactures of Software and hardware.

In this context, there is a need to take a fresh look at the possibility of our reacting to the EU-CRA with our own IN-CRA or Cyber Resilience Act of India.

We should start thinking about the broad contours of such an Act, its objectives, the scope, obligations, penal provisions, the regulatory authority etc.

 “Cyber Resilience” is a layer above “Cyber Security” and the IN-CRA needs to build  a National capability to respond to Cyber Security threats.

The EU-CRA focusses on imposing obligations on manufacturers of Cyber Products and imposes a penalty of 2.5% of global turnover or Euro 15 million as a deterrence and includes manufactures outside EU who place their products in EU. Hence compliance of EU CRA becomes mandatory for Indian suppliers of Cyber products to the EU.

IN-CRA should prepare the Indian industry to develop an Indian standard of Cyber Resilience first which can be upgraded to the Eu standards in due course.

While we need to take the cue from the EU-CRA and adopt the security guidelines mentioned  there in, we need to  also use this as an opportunity to strengthen our Cyber  Security Eco System so that there is a perceptible difference created for enhancing the Indian Cyber Security system also.

One of the objectives of the IN-CRA should be to prevent product manufacturers from releasing defective products in the market and using the users as guineapigs. This should increase the Digital Trust for customers using products which are CRA Compliant.

Another  objective of IN-CRA should be to improve the operational efficiencies of the existing institutional framework creating a unified command  structure.

Yet another  objective is  to ensure that emerging technologies like AI and Quantum Computing donot become tools of crime before they become tools of  progress.

We need to explore this further . Your comments are welcome.

(To Be continued)

Naavi

India has just signed two important trade deals. One the mother of all deals with EU and now the father of all deals with USA.  Additionally the budget has also provided some push to exporters of tech products Both may aid and assist growth of exports of tech products.

These developments could incentivise new manufacturing investments in Cyber Products who may look for prosperous export opportunities to harness EU markets both directly and through US.

Amidst these positive developments we need to also keep in mind that this year that EU passed a Cyber Security regulation namely the EU Cyber Resilience Act 2024 (EU-CRA) which becomes partly operative during 2026 and fully operative from December 11, 2027. The act will impact exporters of  Cyber products to the EU Market and require them to incorporate certain compliance measures. Penalty for non compliance could reach upt0 Euro 15 million or 2.5% of global annual turnover.

EU-CRA applies to all economic operators placing digital products on the EU market, regardless of where the company is headquartered.

That means Indian manufacturers, software producers, and suppliers whose products are sold in the EU must comply with CRA requirements. They must embed robust cybersecurity practices into product lifecycles if they want continued access to the EU market.

The requirements of CRA pushes manufacturers towards “Proactive Cyber Security Engineering” during the  software development.

CRA may require mandatory third-party conformity assessment audits in respect of certain critical products such as smart cards, Critical infrastructure components etc. In other cases, self assessment and documentation may be essential.

The CRA Compliance by design approach may require threat modelling at design stage and adoption of secure coding standards.

Secure Coding  Standards try to prevent vulnerabilities like SQL injection, Cross-site Scripting, Buffer overflow etc.

Under the DGPSI-AI framework for developers, we had indicated the following implementation specification

“The AI developer shall document a Risk Assessment of the model indicating its susceptibility to third party security compromise and the potential harm to the user or data principals whose personal data may be processed as well as the society at large.” (MIS-4 ; DGPSI-AI for AI developers)

“The AI model shall be audited by an independent third party auditor using an acceptable audit standard”  (MIS-11:DGPSI-AI for AI Developers)

Under these specifications, if any AI developer or any exporter who is embedding AI into his products, it would be considered necessary to add a CRA Compliance assessment.

While this is a Governance burden for the Exporters to manage, it can also be looked upon as an opportunity for professionals to develop services towards improving the compliance to Cyber Resilience Act.

It is time we explore opportunities in this direction.

We also request the MeitY to develop a note for “Digital Exporters” on EU-CRA Compliance.

FDPPI recently developed the DGPSI-GDPR as a compliance framework for GDPR compliance under an indigenously developed framework.

Now it is time to work on the compliance of EU-CRA compliance also….

(To Be continued)

Naavi

Healthcare industry in India is increasingly exploring the use of Blockchain technology for managing Electronic health Records. Blockchain, Smart Contracts and AI are the new technologies that the industry is trying to adopt as they move ahead.

At the same time, the DPDPA is hanging like a Damocles Sword on all health care companies such as Hospitals, Health Research Labs, Diagnostic Centers etc. Most of these health care organizations deal with sensitive and ultra sensitive personal data including DNA records, Generic abnormalities,  life threatening decease information etc. By virtue of the sensitivity even with a smaller volume of data being processed, most of the Health Care companies fall into the category of “Significant Data Fiduciaries”  who  are required to follow a stringent compliance requirement.

The exemption of DPDPA 2023 is limited to Research institutions who are exempted from Consent and Rights clauses. But certain standards of security would be applicable and the exemption is restricted to instances where the data is not used for taking any decision on the data principal. In the case of a pure research laboratory, this condition may be applicable. But Hospitals and research institutions which share their research to their associate hospitals or drug testing companies, will not be able to take the benefit of these exemptions.

The legitimate  use as an  alternative to Consent may be available in certain cases for the Hospitals handling medical emergencies and life threatening situations but not  in all cases.

When organizations use Blockchain technology, they have a challenge in managing the Data Principal’s consent during the lifecycle of the data and the management of consent modification, withdrawal, Right of Access etc.

Some Blockchain architecture like IPFS (Inter Planetary Filing System” or RBTS (Reference Based Tree Structure) tries to overcome this problem of deletion of data after it has  gone into a Block chain by keeping an off-chain  storage of data with a hash value alone going into the Block chain or placing a Reference pointer in the main block, keeping the data in a different sub-chain.

The problem of managing the block  chain where the chain continues with 50% or 67% consensus of the nodes instead of 100% is another risk that these systems may  pose to the data fiduciaries.

When Smart Contracts and AI is also used along with the block chain, the combination may enlarge the risks rather than limiting them.

It is therefore necessary for the technology advisors to the Health care industry to understand the law and adopt it to the new technologies used in the industry.  While “Innovation” in technology is welcome, we must understand that the responsibility for compliance increases with technology instead of reducing. Hence there has to be a proper Governance mechanism that should go with the use of frontier technologies.

We need to watch  out how organizations manage this conflict between Innovation and Responsibility.

Naavi