Quantum Computing Cybersecurity Preparedness Act

The USA has passed a federal Act called “Quantum Computing Cybersecurity Preparedness Act”. The Act was signed on December 21, 2022, with different timelines for implementation. The idea of legislation urging Federal agencies in the US to be prepared for quantum attacks even before quantum computing has become commercially relevant is a principle that deserves special commendation.

It is natural for organizations like FDPPI or Naavi to say “Be Ready” and start compliance from today, since DPDPA 2023 is “Due Diligence” under ITA 2000. But what the USA has done with its Quantum Computing Cybersecurity Preparedness Act is to create a legislative compulsion for Federal agencies to start their security preparedness in advance.

This “Preparedness Act” has mandated certain agencies, namely OMB (Office of Management and Budget), CISA (Cybersecurity and Infrastructure Security Agency) and NIST (National Institute of Standards and Technology), to start acting and has given them timelines.

It has mandated that within 180 days the OMB shall issue guidance on the migration of IT to post-quantum cryptography and set budgets. Such efforts are expected to include creating an inventory of assets that are exposed to quantum cryptographic risk. Further, within one year the heads of CISA and the National Cyber Director shall provide information on the inventory of such assets to OMB. NIST shall also issue guidelines for post-quantum cryptography standards. It is under this mandate that NIST came out with three standards on August 13, 2024. The private sector, though not part of this mandate, is likely to follow suit to enhance its reputation and be eligible for Government contracts.

This law requires federal agencies to migrate their systems to “Post-Quantum” Cryptography, which is resilient against attacks from Quantum Computers and classical computers.

The RSA (Rivest-Shamir-Adleman) algorithm, the most commonly used cryptographic algorithm and the one that even India uses in Digital Signatures, is considered vulnerable to quantum attacks.

If any organization is using cryptographic algorithms like RSA at present, it is considered non-compliant with the “Quantum Computing Cybersecurity Preparedness Act”.

On August 13, 2024, NIST announced approval of three algorithms which are considered “Quantum Safe” cryptographic algorithms.

These are:

  1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard
  2. FIPS 204, Module-Lattice-Based Digital Signature Standard
  3. FIPS 205, Stateless Hash-Based Digital Signature Standard

FIPS 203 is a general encryption standard, and FIPS 204 and 205 are digital signature standards for authenticating users. Unlike RSA, FIPS 203 and 204 rely on lattice cryptography, which relies on the difficulty of finding the lowest common multiple in a set of numbers. FIPS 205 uses hash functions as its core mathematical problem. Neither cryptographic approach is thought to be susceptible to quantum computing.

NIST’s release of the final post-quantum cryptography standards sets a one-year clock ticking for the Office of Management and Budget (OMB) to issue further guidance preparing agencies for the migration of their data to the new, quantum-resilient standards.

Agencies are expected to start migrating to post-quantum cryptography quickly once OMB issues further guidance.

The private sector needs to follow the new cryptographic standards at the earliest if it is to remain compliant with the new Act and be able to meet quantum risks.

The auditors are now required to provide some guidance to organizations on “Quantum Readiness”.

FDPPI presently has its framework, namely DGPSI, which is a process-based compliance system. Under the DGPSI framework, “Cryptographic Systems” is one process which can be assessed for compliance separately, whatever other compliance is required.

In the case of “Quantum Readiness Assessment”, we try to check if the organization is prepared to move to post-quantum cryptographic algorithms. Along with this, awareness of quantum risks and an inventory of the cryptographic algorithms in use need to be ready before scouting for vendors who can replace those algorithms.

This type of assessment is new and the SOPs need to be developed. FDPPI is trying to put together a SIG to create such SOPs. Interested members can get in touch with the undersigned.

Naavi

In India it would have been preferable if there had been a similar “DPDPA Preparedness Act”. Instead, the DPDPA Rules themselves may substitute for this requirement and set timelines for the setting up of the DPB and for it to roll out certain provisions.

Certain agencies such as SEBI and IRDAI have already issued their own sectoral guidelines for the organizations in their sectors to incorporate DPDPA compliance. Further, when the rules are released, organizations aspiring to apply for registration as a “Consent Manager” will need to prepare their platforms to comply with the rules.

Posted in Cyber Law | Leave a comment

Are you Quantum Ready?

We are aware that Quantum Computing is a technology development that has disturbed the Cyber Security community. The reason the community is worried is that the enormous computing power generated by quantum computing could be used to break the cryptographic algorithms used for data security purposes in classical computing.

I do not think the security problems associated with Quantum entanglement or Quantum Interference have been explored enough, but some work seems to be in progress on the impact of Quantum computing on cryptographic security arising from the quantum property of “Superposition”. It is recognized that the encryption tools currently used to protect banking and retail transactions and digital signatures may be rendered ineffective by quantum attacks.

We are at the end of 2024, and a recent survey suggested that 78% of large US corporations expect quantum computing to be in the mainstream by 2030. 73% of the respondents believe that cyber criminals will start using the power of quantum computing to decrypt and disrupt today’s cyber security protocols.

Long-term security preparedness therefore has to factor in the possibility of quantum risks in the Cyber Security space. In some of the exfiltration attacks occurring now, encrypted files stolen from sensitive organizations may be held by criminals for decryption at a later date when quantum tools are available. “Harvest Now-Decrypt Later” could be a strategy the criminals are pursuing. The risk is greater for data with long-term value, such as financial records and Government records, which will be of interest to bad actors.

The risks could be evident in the use of Digital Signatures as well as for Crypto Currency holders.
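The inventory step of the “Quantum Readiness Assessment” described in the previous post and the “Harvest Now-Decrypt Later” risk discussed just above, worked through as an added example (not code from the original posts or from FDPPI): it takes a constructed inventory of cryptographic assets and ranks migration priority by whether the algorithm is quantum-vulnerable, whether the use is a confidentiality use, and whether the data must stay secret beyond the survey’s 2030 horizon. The asset names, the purpose labels and the 2030 horizon are assumptions made for the example.

```python
# Added example, not from the original post: triage a cryptographic inventory for
# quantum readiness. Lines: "asset,purpose,algorithm,years" (years = secrecy life).

# Planning assumption, not a fact: the survey quoted on the page expects quantum
# computing to be mainstream by 2030, so 2030 is taken as the threat horizon.
CURRENT_YEAR = 2024
QUANTUM_HORIZON_YEAR = 2030
# Public-key schemes built on factoring or discrete logarithms (broken by Shor).
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# NIST standards of 13 Aug 2024: ML-KEM (FIPS 203), ML-DSA (204), SLH-DSA (205).
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric and hash primitives: not broken by Shor, only weakened by Grover.
SYMMETRIC = {"AES-128", "AES-256", "SHA-256", "SHA-384", "SHA3-256"}
CONFIDENTIALITY_USES = {"encryption", "key-exchange"}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def classify(asset: str, purpose: str, algorithm: str, years: int) -> dict:
    """Return one finding: status, HNDL exposure and migration priority."""
    alg = algorithm.strip().upper()
    if alg in QUANTUM_SAFE:
        status = "safe"
    elif alg in QUANTUM_VULNERABLE:
        status = "vulnerable"
    elif alg in SYMMETRIC:
        status = "symmetric"
    else:
        status = "unknown"  # unrecognised name: needs manual review
    # Only confidentiality uses carry "Harvest Now-Decrypt Later" risk: ciphertext
    # recorded today can be decrypted once a quantum computer exists. A signature
    # made today is not retroactively forged, so its migration is not HNDL-driven.
    hndl = (status == "vulnerable" and purpose in CONFIDENTIALITY_USES
            and CURRENT_YEAR + years > QUANTUM_HORIZON_YEAR)
    if hndl:
        priority = "high"
    elif status in ("vulnerable", "unknown"):
        priority = "medium"
    else:
        priority = "low"
    return {"asset": asset, "purpose": purpose, "algorithm": algorithm,
            "status": status, "hndl_exposed": hndl, "priority": priority}

def parse_inventory(text: str) -> list[dict]:
    findings = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        asset, purpose, algorithm, years = [f.strip() for f in line.split(",")]
        findings.append(classify(asset, purpose, algorithm, int(years)))
    return findings

def migration_plan(text: str) -> list[tuple[str, str]]:
    """(asset, priority) pairs, highest migration priority first."""
    ranked = sorted(parse_inventory(text), key=lambda f: PRIORITY_ORDER[f["priority"]])
    return [(f["asset"], f["priority"]) for f in ranked]

# Constructed sample inventory; the assets are fictitious.
SAMPLE_INVENTORY = """
payroll-db,encryption,RSA,15
vpn-gateway,key-exchange,ECDH,1
e-sign-service,signature,RSA,10
pilot-tls,key-exchange,ML-KEM,20
backup-archive,encryption,AES-256,25
"""
```

Running `migration_plan(SAMPLE_INVENTORY)` puts the RSA-encrypted payroll data first because its 15-year secrecy life outlasts the horizon, while the RSA signing service ranks only medium since past signatures are not retroactively exposed.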

Even in India, where we are still struggling to find the rules for DPDPA 2023 and the means to identify “Significant Data Fiduciaries”, corporations connected internationally are hearing the question “Are you Quantum Ready?”.

One may respond: “I am not even Privacy Ready or Digital Signature ready, so how can I be expected to be ready for future risks?” But some organizations are being forced to ask for a “Quantum Readiness Audit”, and we in the audit community are asking ourselves whether we are “Quantum Audit Ready”.

As it always happens, Naavi.org thinks today what others start thinking tomorrow. Hence we start asking this question “Are we Quantum Ready” in terms of providing consultancy and audit directions to clients who may be thinking ahead of others.

We have in the past discussed Quantum Computing and its impact on the legal treatment of evidence. Some of the earlier articles are given below. We have discussed the Superposition and Entanglement properties in detail but not “Quantum Interference”. We shall fill this gap soon. At the same time, the time has come to go beyond discussing the superficial aspects of quantum properties and into the aspects of a “Quantum Readiness Audit”.

Let us start our journey into expanding the horizon of our DGPSI audit to beyond AI into Quantum Computing Readiness Audit.

Previous Articles:

10th March 2018: Quantum Computing and Emerging Cyber Law Challenges…Are we ready?

16th March 2028: Section 65B in Quantum Computing Scenario

20th June 2018: The Vast and Far Reaching Applications of Quantum Computing

Also Read: Quantum Computing takes a step further


It is Celebration time

On December 9, 1999, Naavi released his first book, “Cyber Laws for Every Netizen in India”. The book was released in Chennai at the PIB on the same day Information Technology Bill 1999 was presented in the Parliament to replace the Draft E Commerce Act 1998 which was under discussion till then. The book represented my entry into the world of Cyber Laws and even established the trademark character of “Naavi” for the first time.

Then in May 2000, following the outbreak of the “I Love You Virus”, the Bill was quickly passed into a Law and later notified on 17th October 2000 as Information Technology Act 2000. (ITA 2000).

It is this law that was modified in 2008 by the ITA Amendment Act 2008, notified on 27th October 2009, in which Sections 43A and 72A were present as specific clauses for Data Protection.

Now in 2023, on August 11, the Digital Personal Data Protection Act was passed and anytime in 2024 it is likely to be notified. When this is notified, Section 43A of ITA 2000/8 will be deleted and DPDPA 2023 with its 44 sections will become effective.

All the provisions of the rules on “Reasonable Security Practices”, often referred to as the SDPI rules, which were notified on 11th April 2011, are now contained in the DPDPA 2023. This makes DPDPA 2023 a law that has evolved from ITA 2000. Section 43A was applicable only to “Sensitive Personal Data” as defined in the ITAA 2008, while Section 72A and several other sections applied to “Personal Data”, whether sensitive or otherwise.

DPDPA 2023 is therefore a bigger and better version of Section 43A and comes within the current definition of “Due Diligence” or “Reasonable Security Practice” under ITA 2000 making the date of notification of DPDPA 2023 less relevant than many think.

Hence compliance with DPDPA 2023 is already a mandate of compliance with ITA 2000/8.

This transition was also brought home to me in another way when I met a journalist (Mr Srikant Govindarajan of CIOL) yesterday at Bengaluru, at a conference related to DPDPA 2023, and he reminded me that he had attended the launch of the book “Cyber Laws for Every Netizen in India” in Chennai on December 9, 1999.

It was this interaction that reminded me that my career as an “Author” has actually completed 25 years and has transitioned from the first book on ITA 2000/Cyber Laws to the first book on Data Protection/DPDPA 2023.

It was a reminder of how the 25 years had passed evangelizing the concept of Cyber Law Compliance, which has now turned into Privacy and Data Protection Compliance. I suppose in the next one or two years the Data Protection phase will merge into the DGPSI phase, and another book on DGPSI is due as soon as the DPDPA Rules are released.

I hope the almighty provides the opportunity to complete the DGPSI mission successfully in 2025.

When I wrote the book on Cyber Laws in India, there was nobody to even check the proof and point out any corrections. Even when the book “Guardians of Privacy…” was published, there were not many to assist me in proofreading and suggesting improvements. But now we have an army of Data Protection Professionals, and hopefully my next book venture will have more experts to assist me.

Naavi


While others stop at C.DPO., FDPPI goes ahead with C.DPO.DA.

One of our visitors asked me why FDPPI is terming its flagship certification program C.DPO.DA. (Certified Data Protection Officer and Data Auditor) while all others are only conducting a C.DPO. (Certified Data Protection Officer) program. The person also asked whether this is another instance of “What Naavi thinks today, others will think a few years later”, and a bit ahead of its time. I understand the honest intention of the gentleman, but I think I owe an explanation in response to this comment.

It is true that in the Cyber Law domain, many of my thoughts took years for others to accept and adopt. The concept of CEAC and Section 65B (IEA) Certification was one such: it was initiated by me in 2000 and presented in a Court in 2004, but it was only in 2012 that the Supreme Court recognized the principles of Section 65B certification.

In the Data Protection domain, others are catching up fast, and it is expected that they will catch up much faster. Today, Naavi and FDPPI are thinking of C.DPO.DA. as the skill to be developed and certified, DGPSI as the frame of reference for DPDPA compliance, and DTS as the assessment framework for the compliance status of DPDPA; it is expected that others will soon accept and adopt these.

We feel that DPO has the responsibility to implement DPDPA compliance within his organization while Data Auditor is the external auditor who has to verify compliance and certify if required.

It is true that the DPDPA 2023 as an act has been passed but it is yet to be notified with rules. Everyone including the Minister responsible believes that draft rules will be released in the next 15 days. On October 14 Delhi High Court is preparing to hear the petition of WhatsApp and Meta challenging the Intermediary Guidelines of ITA 2000. The same companies may be now preparing for challenging the DPDPA Rules and the Act itself in some manner stating that it is unconstitutional.

But Naavi and FDPPI ignore such hurdles placed by “Andolan Jeevies” and proceed on the assumption that MeitY will be mighty enough to roll out the implementation of DPDPA 2023 notwithstanding the lobbying by the MNCs.

We therefore expect that the DPDPA compliance requirement will become a reality in 2024 and DPOs will be in action. Data Audit may come in the year 2025, but no skill gets developed overnight. Naavi/FDPPI therefore expects that the need to train oneself in the Data Audit requirements will be concurrent with the need to develop DPO skills.

Let those who relish procrastination, who think that DPDPA 2023 will not be notified in the near future, that the date of implementation will not be in our lifetime and that the Data Auditor concept is unlikely to be implemented by MeitY, continue to wait.

Let those who think that their GDPR related certifications by international organizations are good enough for DPDPA, continue to think so.

But Naavi and FDPPI will look at the future with the optimism that the DPDPA notification is round the corner and there will be a mad rush for compliance thereafter. It would be a good time for sub-optimal automated tools to flood the market, but the real fun begins when a good DPB Chairman takes charge. Andolan Jeevies need somebody who is happy occupying the position and biding his time for somebody somewhere to lodge a complaint before the DPB starts an Inquiry.

It could be a nightmare for the industry if we have an active DPB with a T.N. Seshan kind of Chairman in place. Those who follow the futuristic principles of FDPPI will laugh at that time.

The biggest challenge we see is that, in the journey towards being a Data Auditor, the current set of auditors trained and developed on other frameworks will find it difficult to adapt to the requirements of Data Audit under DPDPA. They will still think ISO 27001 is the framework to be used because the 2022 version claims to include “Privacy”, and that ISO 27701 is more than adequate to meet the DPDPA requirement. Only time will tell if that is correct. We do not think so.

But to unlearn the past and re-learn for the future is a tough task which only the wise auditors will be able to understand.

Some of them will be there in the FDPPI Certification program on September 27, 28 and 29, exclusively designed for CERT-In auditors but good enough for others who want to be expert DPOs.

Look for details and register before it is too late.

Naavi


Neuro Rights Bill approved in Californian Senate

The Californian Senate has reportedly approved Bill SB 1223, which is meant to protect individuals’ neural data from misuse. The Bill was authored by Josh Becker and co-sponsored by Professor Rafael Yuste, who incidentally had virtually addressed IDPS 2022.

The copy of the Bill is available here.

The bill places neural data in the category of sensitive personal data within the provisions of CCPA.

“Neural Data” is defined as information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.

Naavi had similarly suggested that India should bring neural data under protection within the DPDPA 2023.

At present, DPDPA 2023 does not define “Sensitive Personal Data”. It has also avoided defining “Harm” to include “Psychological manipulation”, which was present in the previous versions of the PDPB. Now the Consumer Protection Act, by defining the “Dark Pattern” as a prohibited consumer practice, has stepped in to fill the void left by DPDPA 2023.

However, the nature of “Privacy” is such that the definition of “Sensitivity” and “harm” cannot be completely avoided. In 2005, when people proposed amendment of ITA 2000 to avoid liabilities of the industry, as in the “Bazee.com” case, it boomeranged on the industry, as the title of the section was changed but the essence remained.

The intermediaries continue to be liable under the Guidelines of 6th April 2023, and the concept of “Due Diligence” is haunting the industry enough to take the issue to the Supreme Court and contend that the Intermediary Guidelines notification is unconstitutional.

A similar situation seems to have arisen in DPDPA. The industry wanted to dilute the law and ensured that PDPB 2018/2019 was simplified to DPDPA 2023.

But by removing the definition of “Sensitive Personal Data”, MeitY has made all the general obligations apply to all Data Fiduciaries. At first glance it appeared that the SDPI guidelines would go and industries could breathe freely. But the situation now is different.

Now it appears that all obligations under Section 8 and 9 of the Act are applicable for processing of non sensitive personal data also.

The “Significant Data Fiduciaries” to whom the requirement of DPO, Data Auditor and DPIA apply, bring the concept of sensitivity of information back in contention for determining whether an organization is a significant data fiduciary or not.

In the first version of the “Draft of the Draft Rules” made available for discussion, there was no definition of “Significant Data Fiduciary” (SDF), and it is possible that even in the final version MeitY may refrain from defining a “Significant Data Fiduciary”.

It would therefore be left to a Data Fiduciary (DF) to decide if he is a SDF or not. When things go wrong, the DF who should have been SDF but classified himself as DF may be liable for penalties related to the special obligations of a SDF. It is natural to consider that a DF which is processing Neural Data needs to be classified as posing a significant risk and the organization should be considered as SDF.

Since Section 10(1) states that the Central Government may “notify” any DF as a SDF based on the “Risk to the rights of Data Principal”, the absence of such a notification could also be interpreted as meaning there will be no SDFs at all. But such an argument would be fallacious and would be difficult for Courts to accept. At best, the Government may take some time to notify the criteria for determining a SDF, but it would be difficult to avoid it altogether.

Under Section 16, the Government has decided to give a “Negative List” of countries to which transfer of personal data from India could be restricted. If the Government wants to avoid defining what constitutes a “SDF”, it can choose to declare which types of industries are exempted from being considered Significant Data Fiduciaries.

Unless MeitY declares that “Processors of Neural Data” are not Significant Data Fiduciaries, it would be unwise for DFs processing neural data not to consider themselves SDFs.

Let us wait if Government takes this route of avoiding a decision.

In the meantime, DGPSI will consider processors of Neural Data as Significant Data Fiduciaries only.

Naavi
