IN-CRA: Need for integration of Private Sector into the Unified Command Structure

(Continued)

In continuation of our discussions on the IN-CRA act, the next big hurdle we need to tackle is bringing about the integration of the private sector into this initiative.

The private sector is important for Cyber Resilience since the expertise in threat hunting and information security lies with the private sector, some academic institutions and NGOs. The Government has to borrow these resources besides developing its own expertise.

The private sector, however, has commercial constraints and the fear of loss of reputation if any security weaknesses become public. Hence even the data breach notification systems do not work efficiently, due to large-scale under-reporting of incidents.

We therefore need to build an industry-level institution and link it to the Government infrastructure to infuse more confidence. It should consist of sector-wise leaders who collaborate as a federation of Cyber Security agencies.

Government organizations like CERT-In can work more smoothly with such industry-representing organizations. Academic institutions and NGOs can provide leadership for such sectoral committees and act as buffer zones that build trust, ensuring the flow of sensitive security information from the commercial entities that are victims of Cyber attacks to agencies like CERT-In.

A serious debate is required on this type of industry body.

In the past MeitY did try to promote self-regulatory bodies for digital media regulation, but the industry did not respond positively. We need to continue our efforts to persuade the industry to shed its inhibitions and start cooperating with the Government as a duty towards national security.

This can be done only through an enforceable law with deterrents and recognition of a constitutional right, the “Right to Security”, as an apex component of the “Right to Life”. The Judiciary needs to accept this “Right” as part of our constitutional Rights. No other Right exists when we no longer exist. This truth is today forgotten by our Judiciary, and they need to realize this.

Please feel free to comment.

Naavi

Posted in Privacy | Leave a comment

IN-Cyber Resilience Act… Where should it start

(Continued from previous Post)

India already has a National Cyber Security Policy 2013. In 2020, DSCI also brought out an updated suggested Cyber Security Strategy 2020. Karnataka also published a Karnataka State Cyber Security Policy 2024. Earlier, Tamil Nadu had published a similar policy. We need to keep all these under our radar to develop the draft Indian Cyber Resilience Act.

The National Cybersecurity Policy of 2013 is a comprehensive framework established by the Government of India aimed at protecting the country’s information infrastructure and managing the associated risks. This policy was introduced in response to the increasing threat landscape and the need for a robust cybersecurity strategy to safeguard critical information infrastructure.

The National Cyber Security Strategy suggested by DSCI highlighted 21 key focus areas aimed at creating a secure, reliable, resilient, and growth-and-trust-fostering cyberspace for India.

The Karnataka Cybersecurity Policy 2024 aims to build a secure and resilient digital ecosystem in the state. It focuses on safeguarding critical infrastructure, promoting cybersecurity awareness, and fostering innovation in security technologies. The policy encourages collaboration between the government, industry, and academia, and provides incentives to cybersecurity startups. By strengthening data protection and implementing global best practices, Karnataka seeks to become a leading hub for cybersecurity, ensuring the safety and trust of its digital economy.

In the light of these past efforts, let us see what the contours of the Indian Cyber Resilience Act should be. We shall place our suggestions in a series of articles here and codify them in the end.

The first principle we need to adopt is to define “Cyber Space” and the law-making jurisdiction.

When the Indian Constitution was drawn up, there was no recognition of Cyber Space. Hence the law enforcement obligations were divided and built into the Union List, State List and Concurrent List. As a result, States are assuming legislative powers and State Police are assuming powers to handle Cyber Crimes as if they were crimes associated with the geographical boundaries of the State.

This is the biggest hurdle in Cyber Crime management that needs to be removed.

Cyber Space is like the extended geographical boundaries at sea, in the air etc. and has to be addressed as a separate law-making jurisdiction.

The powers of the State should be limited to implementation of the law made by the Union, which should be considered the only law-making power.

All Cyber Policing activity should be brought under the “National Cyber Police Force”. The I4C and NTRO may be functioning as National agencies, but they need to be brought under a proper National authority so that interstate crimes and Cyber Terrorism can be handled.

Since Cyber Space has no boundaries, the National Cyber Space boundary is not limited to the geographical boundaries. The entry and exit points of our Cyber Space boundary lie in every internet-connected device. Hence our military needs to be responsible for protecting against every Cyber attack, including what we today recognize as Cyber attacks on individual systems.

We already have a Cyber Command in the form of Defence Cyber Agency which acts like a Cyber Command for military operations. We need to create a unit of this as Cyber Border Security Force so that the apex control rests with the military to tackle State actors.

Thus one of the first efforts should be to integrate the activities of multiple agencies like the DCyA, I4C, NTRO, CERT In, NCIIPC etc into a single unified “National Cyber Resilience Command Authority”. While individual autonomy can be preserved, the overall policy has to be synchronized with a unified structure.

This is one of the prime responsibilities of the IN-CRA.

Naavi

What should be the focus of Indian Cyber Resilience Act?

(Continued)

The DPDPA 2023 is now on track and the Indian personal data ecosystem is preparing itself to adopt the obligations under the Act.

In the meantime, the issue of “Securing” the Cyber Space, which consists of non-personal data as well as the production and use of cyber devices and upcoming technologies such as AI, Quantum Computing, Crypto Currencies etc., remains on the to-do list.

The Digital India Act, which was spoken of for some time, was intended to address this issue either as an amendment to ITA 2000 or as a new act.

With the India-EU trade deal opening up doors of opportunity for Indian software and hardware companies, the industry’s attention has been drawn to the EU Cyber Resilience Act 2024, which is gaining traction through implementation deadlines in 2026 and 2027 and possibly impacting Indian manufacturers of software and hardware.

In this context, there is a need to take a fresh look at the possibility of our reacting to the EU-CRA with our own IN-CRA or Cyber Resilience Act of India.

We should start thinking about the broad contours of such an Act, its objectives, the scope, obligations, penal provisions, the regulatory authority etc.

“Cyber Resilience” is a layer above “Cyber Security”, and the IN-CRA needs to build a National capability to respond to Cyber Security threats.

The EU-CRA focuses on imposing obligations on manufacturers of Cyber Products and imposes a penalty of 2.5% of global turnover or Euro 15 million as a deterrent, and it includes manufacturers outside the EU who place their products in the EU. Hence compliance with the EU-CRA becomes mandatory for Indian suppliers of Cyber products to the EU.

IN-CRA should prepare the Indian industry to first develop an Indian standard of Cyber Resilience, which can be upgraded to the EU standards in due course.

While we need to take the cue from the EU-CRA and adopt the security guidelines mentioned therein, we also need to use this as an opportunity to strengthen our Cyber Security ecosystem so that a perceptible difference is created in enhancing the Indian Cyber Security system as well.

One of the objectives of the IN-CRA should be to prevent product manufacturers from releasing defective products in the market and using the users as guinea pigs. This should increase the Digital Trust of customers using products which are CRA Compliant.

Another objective of IN-CRA should be to improve the operational efficiencies of the existing institutional framework by creating a unified command structure.

Yet another objective is to ensure that emerging technologies like AI and Quantum Computing do not become tools of crime before they become tools of progress.

We need to explore this further. Your comments are welcome.

(To Be continued)

Naavi


EU Cyber Resilience Act could trigger another Compliance drive for Tech Exporters

India has just signed two important trade deals: one, the mother of all deals with the EU, and now the father of all deals with the USA. Additionally, the budget has also provided some push to exporters of tech products. Both may aid and assist growth of exports of tech products.

These developments could incentivise new manufacturing investments in Cyber Products by investors who may look for prosperous export opportunities in EU markets, both directly and through the US.

Amidst these positive developments, we also need to keep in mind that the EU has passed a Cyber Security regulation, namely the EU Cyber Resilience Act 2024 (EU-CRA), which becomes partly operative during 2026 and fully operative from December 11, 2027. The act will impact exporters of Cyber products to the EU market and require them to incorporate certain compliance measures. The penalty for non-compliance could reach up to Euro 15 million or 2.5% of global annual turnover.

EU-CRA applies to all economic operators placing digital products on the EU market, regardless of where the company is headquartered.

That means Indian manufacturers, software producers, and suppliers whose products are sold in the EU must comply with CRA requirements. They must embed robust cybersecurity practices into product lifecycles if they want continued access to the EU market.

The requirements of the CRA push manufacturers towards “Proactive Cyber Security Engineering” during software development.

The CRA may require mandatory third-party conformity assessment audits in respect of certain critical products such as smart cards, critical infrastructure components etc. In other cases, self-assessment and documentation may be essential.

The CRA’s compliance-by-design approach may require threat modelling at the design stage and adoption of secure coding standards.

Secure coding standards try to prevent vulnerabilities like SQL injection, Cross-site Scripting, buffer overflows etc.

Under the DGPSI-AI framework for developers, we had indicated the following implementation specifications:

“The AI developer shall document a Risk Assessment of the model indicating its susceptibility to third party security compromise and the potential harm to the user or data principals whose personal data may be processed as well as the society at large.” (MIS-4 ; DGPSI-AI for AI developers)

“The AI model shall be audited by an independent third party auditor using an acceptable audit standard” (MIS-11: DGPSI-AI for AI Developers)

Under these specifications, for any AI developer or any exporter embedding AI into their products, it would be considered necessary to add a CRA Compliance assessment.

While this is a Governance burden for the exporters to manage, it can also be looked upon as an opportunity for professionals to develop services towards improving compliance with the Cyber Resilience Act.

It is time we explore opportunities in this direction.

We also request the MeitY to develop a note for “Digital Exporters” on EU-CRA Compliance.

FDPPI recently developed DGPSI-GDPR, an indigenously developed framework for GDPR compliance.

Now it is time to work on EU-CRA compliance also.

(To Be continued)

Naavi


Blockchain Technology in Healthcare

The healthcare industry in India is increasingly exploring the use of Blockchain technology for managing Electronic Health Records. Blockchain, Smart Contracts and AI are the new technologies that the industry is trying to adopt as it moves ahead.

At the same time, the DPDPA is hanging like a Sword of Damocles over all health care companies such as Hospitals, Health Research Labs, Diagnostic Centers etc. Most of these health care organizations deal with sensitive and ultra-sensitive personal data, including DNA records, genetic abnormalities, life-threatening disease information etc. By virtue of this sensitivity, even with a smaller volume of data being processed, most Health Care companies fall into the category of “Significant Data Fiduciaries”, who are required to follow stringent compliance requirements.

The exemption in DPDPA 2023 is limited to Research institutions, which are exempted from the Consent and Rights clauses. But certain standards of security would still be applicable, and the exemption is restricted to instances where the data is not used for taking any decision on the data principal. In the case of a pure research laboratory, this condition may be satisfied. But Hospitals and research institutions which share their research with their associate hospitals or drug testing companies will not be able to take the benefit of these exemptions.

The legitimate use as an alternative to Consent may be available in certain cases for Hospitals handling medical emergencies and life-threatening situations, but not in all cases.

When organizations use Blockchain technology, they face a challenge in managing the Data Principal’s consent during the lifecycle of the data, including consent modification, withdrawal, Right of Access etc.

Some Blockchain architectures like IPFS (InterPlanetary File System) or RBTS (Reference Based Tree Structure) try to overcome this problem of deleting data after it has gone into a Block chain by keeping the data in off-chain storage with only a hash value going into the Block chain, or by placing a reference pointer in the main block and keeping the data in a different sub-chain.
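The off-chain-data, hash-on-chain pattern described above, as an added illustration that is not code from any of the systems named in this post: the chain anchors only a salted SHA-256 commitment, the record and its salt live off-chain, and an erasure request is honoured by deleting both, after which the chain still verifies but the remaining hash can no longer be tied back to the patient even by someone who holds the plaintext. The class, method names and sample record are constructed for this example.

```python
import hashlib
import json
import os
import time
from dataclasses import dataclass
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    record_id: str
    commitment: str   # SHA-256 of (salt || record); the record itself never goes on-chain
    timestamp: float

    def block_hash(self) -> str:
        header = f"{self.index}|{self.prev_hash}|{self.record_id}|{self.commitment}|{self.timestamp}"
        return sha256_hex(header.encode())


class HashAnchoredLedger:
    """Append-only chain of commitments plus a mutable off-chain store (constructed, not a real product)."""

    def __init__(self) -> None:
        self.chain = [Block(0, "0" * 64, "genesis", "0" * 64, 0.0)]
        self.off_chain: dict = {}   # record_id -> (salt, serialized record)

    @staticmethod
    def _serialize(record: dict) -> bytes:
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    def _block_for(self, record_id: str) -> Block:
        return next(b for b in self.chain if b.record_id == record_id)

    def append_record(self, record_id: str, record: dict) -> Block:
        salt = os.urandom(16)                      # per-record random salt, kept off-chain only
        payload = self._serialize(record)
        block = Block(len(self.chain), self.chain[-1].block_hash(), record_id,
                      sha256_hex(salt + payload), time.time())
        self.off_chain[record_id] = (salt, payload)
        self.chain.append(block)
        return block

    def erase(self, record_id: str) -> bool:
        """Honour an erasure request: drop record and salt off-chain; the chain is left untouched."""
        return self.off_chain.pop(record_id, None) is not None

    def read(self, record_id: str) -> Optional[dict]:
        """Return the record only while it exists off-chain and still matches its on-chain commitment."""
        entry = self.off_chain.get(record_id)
        if entry is None:
            return None
        salt, payload = entry
        return json.loads(payload) if sha256_hex(salt + payload) == self._block_for(record_id).commitment else None

    def verify_chain(self) -> bool:
        """Integrity check that needs no off-chain data, so it keeps passing after erasure."""
        return all(self.chain[i].prev_hash == self.chain[i - 1].block_hash() for i in range(1, len(self.chain)))

    def can_link(self, record_id: str, candidate: dict) -> bool:
        """Can someone holding a plaintext confirm it is the committed record? Only while the salt exists."""
        entry = self.off_chain.get(record_id)
        return entry is not None and sha256_hex(entry[0] + self._serialize(candidate)) == self._block_for(record_id).commitment
```

The salt is what makes deletion effective: health fields such as a blood group or a diagnosis code have very few possible values, so an unsalted hash left on-chain would remain linkable to the person long after the off-chain copy was removed.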

The problem of managing a block chain where the chain continues with 50% or 67% consensus of the nodes instead of 100% is another risk that these systems may pose to data fiduciaries.

When Smart Contracts and AI are also used along with the block chain, the combination may enlarge the risks rather than limit them.

It is therefore necessary for the technology advisors to the Health care industry to understand the law and adapt it to the new technologies used in the industry. While “Innovation” in technology is welcome, we must understand that the responsibility for compliance increases with technology instead of reducing. Hence there has to be a proper Governance mechanism that goes with the use of frontier technologies.

We need to watch how organizations manage this conflict between Innovation and Responsibility.

Naavi

TCS as a Consent Manager? Why can’t it be an NGO like the Spastic Society of Karnataka?

There are two rumours/news-plants running in the media about the DPDPA Rules. They are:

a) Government may accelerate the time line for implementation from 18 months to 12 months in some respects.

b) TCS is likely to apply for Consent Manager license.

Let us briefly review these two issues.

It would be welcome if the Government goes for a faster implementation timeline, particularly for the large companies who are already compliant with global laws and are capable of implementing the law within the next 6-9 months. Given the fact that the DPB is yet to be formed, a period of 1 year seems reasonable.

It is possible that for SMEs the implementation can be kept at the present level of 18 months, so that they have the benefit of observing the implementation challenges as resolved by the large entities before they jump in with fewer resources for software selection and implementation. This could even be part of the promise in the budget today.

The second aspect is TCS applying to be a Consent Manager. While it appears logical that a conglomerate like TCS would consider it attractive to have an in-house consent manager for its group entities, the “Conflict” situation could be very tough to handle.

Secondly, we are aware that TCS has a record of entering the business of Certifying Authorities and later exiting. This is not a good track record to boast of for a business like Consent Manager, and the group may have to disclose the reasons for surrendering the Certifying Authority license, since a similar possibility may also exist of TCS surrendering the Consent Manager license in the future.

Now that the Government is considering revision of some of the rules, I suggest some changes to the consent manager rules.

The current Consent Manager rules under Rule 4 suggest that data can be transferred from one data fiduciary to another at the instance of the consent manager. This amounts to “Data Portability”, which the parent law has omitted as a “Right of the Data Principal”. The rule is therefore ultra vires the law, at least in legislative intent.

Secondly, we have pointed out that if the Consent Manager does not have “Visibility” of the data, the rigorous conflict-related conditions appear to be an overkill. This can be modified if the Government comes out of its blinkered view that the Consent Manager is like an Aggregator in the DEPA framework.

Yesterday, I was discussing with the “Spastic Society of Karnataka” the possibility of such NGOs becoming specialist Consent Managers for “Disabled Data Principals”. These institutions know better than any commercial organization who is entitled to be in this category, what they need from the Internet and what the law of guardianship for such persons is. It therefore appears that such organizations should be allowed to be “Consent Managers” for some niche categories of data principals. However, such organizations may not be able to fulfil, say, the capital requirement, nor may they be “Companies incorporated in India”.

Hence we suggest that the Government should consider providing exemptions from some conditions of the Rules under Rule 4 to enable such genuine NGOs to be consent managers for their niche areas of operation.

I hope MeitY considers these suggestions when it thinks of making some changes to the November 13 rules, for which it has had a closed-door meeting with the privileged Tech Giants.

Naavi
