Government of India red-flags Information Security of ICICI Bank

The notification from MeitY dated 16th June 2022 declaring the CBS system, RTGS System, NEFT System and the Structured Financial Messaging Server as protected systems and imposing the information security guidelines of 22nd May 2018 is a watershed moment in the history of Cyber Security Management in the country.

The decision indicates that from now onwards, a representative of CERT-IN will sit in the Information Security Governance Committee of ICICI Bank and supervise all policies and their implementation regarding the information security in the Bank.

This development is similar to “Nationalisation of the Information Security System of ICICI Bank” and is a huge embarrassment to the Bank’s credentials as a trusted repository of public funds.

The Press reports that the systems of HDFC Bank and NPCI have been simultaneously declared as “Protected Systems”, but details of the gazette notification are available only in respect of ICICI Bank.

Some members of the public would misunderstand this development and consider it as if the Government has bestowed an honour on ICICI Bank by giving its systems the status of a “Protected System”. Perhaps ICICI Bank would also like to propagate the same perception.

But the truth is different.

Declaration of a system as a “Protected System” is meant to enable the Government to exercise close control on the security of the system, because the Government apprehends that the incapacitation or destruction of the system shall have a debilitating impact on national security, economy, public health or safety.

We must observe that most of the Government financial assets such as the Treasury accounts are presently held in State Bank of India and except by market capitalization ICICI Bank is not more critical than SBI in terms of national security or security of national economy.

ICICI Bank, on the other hand, has been saddled with thousands of data breach incidents in the form of phishing complaints from its customers, and we have already pointed out documentary evidence of how a phishing website was run from within the ICICI Bank server itself. ICICI Bank was also in the forefront of crypto transactions and was enabling Bitcoin remittances from abroad.

We can perhaps consider that the Government might have taken notice of these Bitcoin transactions and the thousands of phishing transactions as potential money laundering incidents which may need closer scrutiny and investigation on a day-to-day basis. The ongoing investigation on Mrs Chanda Kochhar may also require close oversight on the operations of the Bank, the information deletions that have been made in recent times, the background of the custodians of the transaction servers, etc.

Unless properly denied, the existence of a huge scam which is about to be unravelled cannot be ruled out.

I trust that the development is big enough to need a notice to the stock markets under Clause 49 of the listing rules and there has already been a delay in this regard.

ICICI Bank has to also come out with its own official explanation and disclosure of how this development could affect the investors and affect the share price.

Unless immediate action is taken by the Bank to manage the reputational damage through appropriate public messaging, the share prices of the Bank are in the danger of being adversely affected.

It is an immediate necessity that ICICI Bank makes a public disclosure of it having been notified as a “Protected System” and the changes in the policies and information security Governance system on its website.

I understand that it is a painful situation for the Bank but the gazette notification has already been made and the clock cannot be turned back.

It is an unenviable situation for ICICI Bank. Substantial damage has already been done and cannot be reversed. Now only containment of further damage is possible and it may require a careful communication strategy avoiding any false statements that can further damage the organization.

I pity the life of the CISO in ICICI Bank which will change permanently and could be a bed of thorns with the CERT-IN breathing down its neck on a minute to minute basis. We can also watch out for some attrition in IS workforce in the Bank.

I expect a series of press articles planted by the Bank in the next week highlighting as if the notification is a “Padma Award” for its Information Security department. Good time for journalists.

(P.S: The situation in HDFC Bank is similar. We are yet to access the notification regarding HDFC Bank and NPCI and hence have not commented on the impact of the decision on these organizations in detail. There are many other large Banks such as PNB where a large-scale risk of data breach also exists and may require CERT-IN supervision of the security systems.)

Naavi


ICICI Bank Information Security now under monitoring of the CERT-IN

On 16th June, 2022, the Government of India issued a Gazette Notification declaring some of the digital assets of ICICI Bank as a “Protected System” under Section 70 of ITA 2000.

At present only a copy of the Gazette Notification regarding ICICI Bank is available in public, though the press reports suggest that HDFC Bank and NPCI systems have also been declared as protected systems. There is no information on SBI, though SBI maintains most of the Government accounts.

The MeitY website and egazette.nic.in are yet to publish the notifications for public knowledge.

The ICICI Bank website does not report the development.

This information needs to be notified by ICICI Bank to the stock exchanges and SEBI, and so far no such indications are available on the NSE website.

It appears that ICICI Bank is stunned by these developments and does not know how to react.

It is not clear why the Government took this action, and whether there was any credible intelligence that the Bank was under attack and the NIA has to investigate the same in the interest of national security. This possibility alone seems to explain why the Government has not notified SBI, which is the Bank that holds most of the Government treasury accounts and other assets.

The notification related to ICICI Bank available through another source has been reproduced here.

MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY
NOTIFICATION
New Delhi, the 16th June, 2022

S.O. 2808(E).— In exercise of the powers conferred by sub-section (1) of section 70 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby declares the computer resources relating to the Core Banking Solution, Real Time Gross Settlement and National Electronic Fund Transfer comprising Structured Financial Messaging Server, being Critical Information Infrastructure of the ICICI Bank, and the computer resources of its associated dependencies to be protected systems for the purpose of the said Act and authorises the following personnel to access the protected systems, namely: –

(a) any designated employee authorised by the ICICI Bank;
(b) any authorised team members of contractual managed service provider or third-party vendor who have been authorised by the ICICI Bank for need-based access; and
(c) any consultant, regulator, government official, auditor and stakeholder authorised by the ICICI Bank on case to case basis.

2. This notification shall come into force on the date of its publication in the Official Gazette.

[F. No. AA-11018/2/2021-CL&ES]
Dr. RAJENDRA KUMAR, Addl. Secy.


Since this is the first time a private sector network has been declared as a “Critical IT Infrastructure” and Section 70 invoked, it is necessary to study the impact of the declaration on the organization.

We can reproduce Section 70 of ITA 2000 to understand the objective of the section.

Section 70: Protected system (Amended Vide ITAA-2008)

(1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.

(Substituted vide ITAA-2008)

(2) The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1).

(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)

After the amendment of ITA 2000 in 2008/9, Section 70 can be invoked only for “Critical Information Infrastructure”. Critical Information Infrastructure needs to be a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.”

A justification of why the declared system is considered “Critical Information Infrastructure” needs to be provided along with the notification. So far we do not see such justification in the notification.

It is necessary for the Government, by order in writing, to authorize the persons who are authorized to access the declared system and also to prescribe the information security practices and procedures for such a protected system.

These written instructions should ideally accompany the notification, since any attempt to access the system in contravention of the section could be punished with imprisonment of up to 10 years.

In other words the notification is introducing a serious criminal law provision which could impact several persons associated directly or indirectly with the system.

At present the instruction is vaguely expressed in the notification in generic terms, namely that the declared systems (resources relating to the Core Banking Solution, Real Time Gross Settlement and National Electronic Fund Transfer comprising Structured Financial Messaging Server) may be accessed by

(a) any designated employee authorised by the ICICI Bank;
(b) any authorised team members of contractual managed service provider or third-party vendor who have been authorised by the ICICI Bank for need-based access; and
(c) any consultant, regulator, government official, auditor and stakeholder authorised by the ICICI Bank on case to case basis.

In other words, the notification is authorizing ICICI Bank to designate the employees or contract persons, and any consultant, any regulator, any government official, any auditor and any stakeholder authorized by the Bank. The “Stakeholder” may include the customers of the Bank who have to access the CBS system for managing their accounts.

The order therefore abdicates the responsibility of the Government and delegates the powers under the section to the Bank itself.

This appears to be ultra-vires the Act.

On 22nd May 2018, MeitY had notified (S.O. 2235(E)) the Information Security Practices and Procedures for Protected Systems.

Now this notification will be binding on ICICI Bank and override any other policy that may be in place.

One of the requirements of this policy is that the Bank should constitute an Information Security Steering Committee (ISSC) which should include a representative or representatives of CERT-IN, the Director General of which has been declared as the Nodal Officer of NCIIPC under Sections 70A and 70B of the ITA 2000.

The detailed IS policy as provided in the notification of May 2018 needs to be implemented by the CISO of the Bank who should continuously report to the CERT-IN.

In other words, the CISO of ICICI Bank will now be considered as a subordinate of the CERT-IN and CERT-IN effectively takes over the responsibility for guiding the bank on all its IS measures.

This arrangement is similar to the system where Financial Institutions nominate their representatives in the Boards of companies which they have financed and perhaps turned sick.

In other words, the Government of India has expressed loss of confidence in the ability of the Bank to maintain the security of its systems and found it necessary to exercise a direct supervision.

The “Access Control” mechanism of the Bank will now come directly under the scrutiny of the CERT IN.

The current vague instructions in the Gazette notification, which allow any ‘Tom, Dick and Harry’ to access the system, are highly dangerous to CERT-IN, since it now becomes answerable for any system intrusion.

The undersigned has brought a sample of an intrusion to the notice of CERT IN and sought its reaction to the same. This refers to an e-mail which the Bank has identified as a “Phishing Email” which however indicates that the phishing URLs are hosted in the ICICI Bank server itself.

The email is reproduced here for the information of the security professionals

One can observe the URL https://verification.icicibank.com through which the malicious web page appears to have been activated.

Now such incidents become the responsibility of CERT IN and if they fail to exercise adequate control on such happenings, the officials of CERT IN would be liable for their negligence.

Further, if Section 70 is invoked on ICICI Bank and HDFC Bank today, there is no reason why it should not be invoked on SBI or PNB or even large hospital chains, etc.

Whether CERT-IN will be able to handle the responsibilities of multiple large private companies is a moot question. Perhaps they need to expand their workforce several times over to handle such responsibilities.

We shall watch the developments of how this new trend of Government security infrastructure being extended to protect private digital assets works on the ground.

I wish a proper assessment of the Risks to CERT IN arising out of such responsibilities had been made before such a momentous decision was taken.

(Comments invited)


Amendment to Intermediary Guidelines-Grievance Appellate Committee

The MeitY had announced the Intermediary Guidelines and Digital Media Ethics Code on 25th February 2021, which had evoked an Anti-CAA kind of response from the industry. Several High Courts (Kerala, Bombay and Madras) came up with their own interim orders truncating the notification and the matter landed up in the Supreme Court.

Now an amendment notification has been issued on 6th June 2022 for which public comments have been invited. A public consultation meeting with stakeholders was also conducted yesterday by the honourable minister Mr Rajeev Chandrashekar.

The window for public comments will be open up to July 6th.

The amendment mainly relates to the Grievance Appellate Committee to be set up under the following rule:

Appeal to Grievance Appellate Committee(s): –

(a) The Central Government shall constitute one or more Grievance Appellate Committees, which shall consist of a Chairperson and such other Members, as the Central Government may, by notification in the Official Gazette, appoint;

(b) Any person aggrieved by an order made by the Grievance Officer under clause (a) and clause (b) of sub-rule (2) of rule 3 may prefer an appeal to the Grievance Appellate committee having jurisdiction in the matter within a period of 30 days of receipt of communication from the Grievance Officer;

(c) The Grievance Appellate Committee shall deal with such appeal expeditiously and shall make an endeavour to dispose of the appeal finally within 30 calendar days from the date of receipt of the appeal;

(d) Every order passed by the Grievance Appellate Committee shall be complied with by the concerned Intermediary.

The objective of this appellate committee is to address complaints about content removal received by an intermediary, where its decision to remove or not remove a piece of content is disputed by a platform user or a member of the public.

During the public consultation, several thoughts were exchanged. However the discussion failed to address the action that can follow the decision of the Grievance Appellate Committee.

Also some of the discussions revolved around the constitution of the committee and whether it has to be managed by legal/judicial officers or members of the Government.

It appeared that no thought has been given to the acceptability of the proposal without an amendment to the ITA 2000 itself.

At present ITA 2000 has a statutory mechanism of grievance redressal which includes the Adjudicator and the Appellate Tribunal. Though the effectiveness of this system may be questioned, the fact remains that these are part of the law and cannot be superseded by the notification.

However, before the dispute reaches Adjudication, any effort at resolving the dispute through an ADR process, including Ombudsman, Mediation or with-recourse Arbitration, can be tried. If at the end of such a process the dispute remains unresolved, it has to be referred to the statutory grievance redressal system, which in this case is Adjudication under Section 46 of ITA 2000.

Hence the proposed Grievance Appellate Committee has a subordinate relationship with the Adjudication process and need not be manned by a high-level committee with judicial officers. It can be handled by the officials of MeitY with or without some representation from outside experts. If MeitY adopts an ODR approach, it can involve experts from the industry and resolve disputes like a sub-committee of MeitY, subject to further appeal lying before the Adjudicator. It would be sufficient if the sub-committee is headed by an officer of the rank equivalent to the IT Secretaries of the States or below.

Any attempt to make this committee’s decision binding on the Adjudicators would be ultra-vires the Act. A clarification that appeals about the decision of the committee lies with the Adjudicator would be in order.

I hope MeitY takes this view into consideration.

Naavi


Understanding why Bank Frauds are increasing

It was a great pleasure for me to read the article today written by Advocate Dr Mahendra Limaye of Nagpur highlighting the need to strengthen the recipient side process of digital payments.

As many of the readers know, Naavi has been pursuing the historical case of S Umashankar Vs ICICI Bank since 2008 in which some money was lost due to unauthorized access of an NRE account at Tuticorin and laundered through another current account of ICICI Bank at Fort Mumbai branch.

In this case the deficiencies of security at ICICI Bank at both branches were clearly highlighted. The negligence of the account-holding branch at Tuticorin and the negligence and complicity of the Fort branch were presented with evidence gathered from the Bank’s own records.

The Adjudicator of Tamil Nadu gave the award in favour of the customer based primarily on the negligence of the Tuticorin branch while highlighting the deficiencies of the Fort Branch.

In the appeal, TDSAT highlighted the negligence of the Fort Branch and dismissed the appeal of the Bank once again confirming the award in favour of the customer and against the Bank.

Now the matter is before the Madras High Court and in the final stages of a decision on the further appeal of ICICI Bank. For the time being it is inappropriate to discuss the issues as they are being presented in the Madras High Court, while we wait for the final decision of the honourable Court.

But what Mr Limaye has written will surely come up for further discussion in the Court.

Naavi


SEBI adopts 6 hour norm for data breach notification

According to a report in the Economic Times, SEBI has reportedly advised all mutual fund AMCs to report any information on cyber incidents to CERT-IN and SEBI within 6 hours of noticing such incidents.

This is in keeping with the CERT-IN data breach guidelines released on 28th April 2022.

With this, the six-hour norm has been set for data breach notification by CERT-IN, RBI and SEBI, as against the DPA 2021 suggesting a 72-hour window.

Naavi


Youtube has a responsibility to remove offending videos..says Madurai Bench of Madras High Court

The Madurai Bench of the Madras High Court cancelled the bail granted earlier to a YouTuber, Sattai Durai Murugan, for posting an offending video. The Court (Justice B Pugalendhi) observed that the records show Mr Durai Murugan to be a habitual offender in posting videos with derogatory comments against political personalities.

Though political sensitivities were involved in this case, in the process of adjudging the bail cancellation petition filed by the Police, the Court observed that “Intermediaries are duty bound to regulate content”.

The Court has inter-alia stated

“It is duty of the intermediaries to ascertain whether those videos are in accordance with their policies and guidelines and in terms of the contract and to block the channels if the videos are not in accordance with the terms and policies. … If it is not blocked or removed even after it was brought to their knowledge, the intermediaries are committing the offence under Section 69A (3) of the Information Technology Act,”

In delivering the judgement, which related to a political comment, the Court referred to the possibility of posting of videos related to the making of bombs, obscenity, etc., and quoted Albert Einstein on the atom bomb.

The Court was assisted in the case by an amicus curiae, advocate K K Ramakrishnan. The amicus pointed to the community guidelines formulated by the platforms and indicated that the action to block offending videos is part of the guidelines and the terms of the platform usage.

At a time when the Intermediary Guidelines of the Central Government are being vigorously challenged as being against the constitutionally guaranteed freedom of speech, this judgement, making sweeping observations beyond the specifics of the case, could raise further controversies.

Copy of the Judgement

The allegation involves comments made in Tamil and has certain political connotations and hence we would not like to comment on the same at this point.

However, it appears that invoking Section 69A(3) for the order was perhaps not appropriate. This section empowers the Government to issue certain directions in the interest of the sovereignty and integrity of the nation, etc. It does not automatically empower the police to act without such directions. Such directions can be issued by a “Designated Officer”, who is the Group Coordinator of the Cyber Law division.

Recently, on June 1st, the Government had issued a draft amendment to the Intermediary Guidelines of February 25th, later withdrew it, and again requested comments on 6th June 2022.

The challenges to these guidelines (with respect to Digital Media) in several courts, including the Madras High Court, were essentially directed at the self-regulatory and administrative mechanism proposed for regulating digital content and at the imposition of a code of ethics.

In the light of these developments at the national level, the judgement of the Madurai Bench appears to stick out as an aberration.

Further, whether a judgement related to certain basic principles of the Constitution was relevant to be made in a bail cancellation plea is also a point of debate.

Providing the power of “Censorship” to the channel has its own counter-applications and therefore has to be viewed more closely. The Twitter platform is already accused of biased decisions to block some messages and not block some other messages, and the licence for such arbitrary action is taken from the assumed power of regulation of the content.

Any such powers will convert the platform into “Not an Intermediary” as per ITA 2000 and hence will invoke the “Digital Media Ethics Code” which is now under scrutiny of the Supreme Court. Hence the current decision appears to interfere with an ongoing broader debate.

It would therefore be interesting to observe if this decision gets appealed against in a division bench or in Supreme Court.

In this bail related petition, the Court appears to have focussed more on the Intermediary liability. It would have been more appropriate if the Court had focussed on the grounds for cancelling the bail application.

Also, there appears to be a confusion between the “Designated Officer” under rule 3 of the GSR 781(E) notification and the nodal officer of an organization. The power of the nodal officer is only to make recommendations to the Designated Officer requesting the blocking of any service. However, the judgement quotes provisions of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, vide G.O.(D) No. 20, Information Technology (B4) Department, dated 18.03.2020 [the notification was not found on the website: Government of Tamil Nadu : Government Orders | Tamil Nadu Government Portal (tn.gov.in)] and indicates that the SP has been nominated as the nodal officer. The authority for such an appointment at the state level may not be binding under Section 69A. Also, if YouTube cannot be persuaded to remove any content, it cannot be considered as a ground for denial of bail to the person who posted the content. The case against the YouTuber ought to have been made out only on his not meeting the earlier bail conditions, if any.

By alluding to Sections 69A, 79 and 84B, the judgement seems to have created some confusion in the minds of cyber law observers about intermediary responsibilities, which was perhaps avoidable.

(A detailed discussion on this may be taken up later)

Naavi

