32
Cyber Era Securing the future 11th India Knowledge Summit 2013 14 -15 October 2013 New Delhi

Cyber Era - Securing the Future

Embed Size (px)

DESCRIPTION

Instability in cyber space means economic instability no nation can afford, therefore it is essential not just to have a policy but to operationalise it. This report is aimed to provide more insight to emerging cyber related challenges and their appropriate solutions for further securing the cyber space.

Citation preview

Page 1: Cyber Era - Securing the Future

Cyber EraSecuring the future

11th India Knowledge Summit 2013

14 -15 October 2013

New Delhi

Page 2: Cyber Era - Securing the Future
Page 3: Cyber Era - Securing the Future

Cyber EraSecuring the future

11th India Knowledge Summit 2013

14 -15 October 2013

New Delhi

Page 4: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Message from Ministry

“…Instability in cyber space means economic instability no nation can afford, therefore it is essential not just to have a policy but to operationalise it,”

With an aim to protect information and build capabilities to prevent cyber attacks, the Government in July, 2013 released the National Cyber Security Policy 2013 to safeguard both physical and business assets of the country.

India has stressed upon the need for greater global cooperation and exchange of information among nations to enhance cyber security and to address issues related to the management of the Internet.

“In the ultimate analysis, we have to develop global standards because there is no way that we can have a policy within the context of India which is not connected with the rest of the world because information knows no territorial boundaries”.

As ASSOCHAM, India’s Apex Chamber for Commerce & Industry is organizing the 11th India Knowledge Summit -2013 with the theme Cyber Era: Securing the Future”, I believe this Summit is very timely and will certainly help in creating more awareness on the subject amongst the stakeholders.

I convey my good wishes for the success of the 11th India Knowledge Summit 2013.

Kapil Sibal Minister

Communications and IT & Law and Justice,

Government of India

Page 5: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Message from President, ASSOCHAM

The internet has revolutionized the way people communicate and access information. The convenience and speed afforded by Internet has closely integrated businesses extended value chains across geographies dispersed. It has also enabled an unprecedented exchange of ideas, information and culture across the world. Its virtues notwithstanding, the rising Penetration of the internet has also resulted in the propagation of risks and security threats.

Exponential growth and dependence on technology has also exposed the vulnerability of our institutions to imminent threats like cyber attacks which can severely cripple vital systems, and can bring the entire Nations to a grinding halt, thereby severely compromising National Security. Institutions focused on addressing National Security including communication networks, hospitals, energy and defense installations are increasingly prone to such cyber threats. It is therefore critical to provide robust security apparatus, to ensure their smooth functioning. Cyber security is a serious concern and merits indepth discussion amongst thought leaders, domain experts, Government and policy makers and also Cooperation across various agencies.

India has the world’s third largest community of internet users, with a vast majority now accessing internet through their mobile phones. Mobile phone security, due to increased adoption, presents a different set of challenges. However, cyber regulation and supervision must accord due consideration to the “Right to individual privacy and freedom of speech” without compromising National Security. As the Knowledge Chamber of India, ASSOCHAM endeavours to mobilize industry opinion to further strengthen the legal and regulatory regime so that citizens’ rights are safeguarded along with security of vital National systems.

The Chamber has adopted the theme of ‘Cyber Security’ for the 11th India Knowledge Summit. I am confident that the Summit will address several key issues related to Cyber Security and present key policy recommendations to the Government and other stakeholders. I compliment KPMG and ASSOCHAM for presenting a background paper on the theme.

I convey my best wishes for the success of the India Knowledge Summit and look forward to the Summit outcomes and recommendations to further strengthen our Nation’s cyber infrastructure for National Security.

Rana Kapoor President

ASSOCHAM

Page 6: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Message from Chairman, ASSOCHAM

As we increasingly become a hyper-connected cyber society where massive amounts of information is moved across people, locations, time, devices, and networks at super-fast speeds; the importance of information technology as one of the top drivers of global progress, is becoming visible to all. From narrowband to broadband, from kilobits to gigabits, from devices like laptops, tablets, smart-phones to mobile services, our networked world is changing forever – the way we communicate, the way we socialise and the way we conduct business. Indeed, we have become increasingly dependent on the cyber world as the backbone of all our interactions, both personal and business.

This dependence comes with a double-edged sword. The very power which can help a farmer find better yields, enable banking in the rural sectors, or spread positive social messages, in mere seconds, can disrupt critical communications and services, or spread mis-information and malware at the same velocity. We, as an industry and as a nation stand to lose against these malicious forces that know no physical boundaries. Our progress in protecting our cyber space must therefore stay a step ahead of these disruptive forces. This poses a steep challenge, requiring unprecedented, collective and innovative action.

Cyber security is one domain where competitive advantage will come from collaboration. At ASSOCHAM, we recognize that this collaboration is multi-dimensional - social, academic, commercial, industrial and most of all

technological. Citizens, government, military networks and industry must be equipped and educated with the incisive intelligence, tools and technologies, to cope with and to counter cyber threats so that we may continue to derive the advantage that has propelled us into the 21st century.

During this 11th India Knowledge Summit we as a group, hope to share expertise on the critical subject of cyber security and surveillance, and establish the foundation for such future discourses. I am sure you will also find the paper prepared by ASSOCHAM and KPMG very useful.

Pratyush Kumar Chairman

ASSOCHAM National Council on Cyber Security and Law

Page 7: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Message from Co-Chairman, ASSOCHAM

We are breathing in times where miles have been converted into bytes, kilobytes, megabytes and gigabytes. Our Information Communication Technology journey from hefty computers to sleek smart phones has been phenomenal. Today, getting connected to the large pool of data flowing on the world wide web is just a touch away. Consequently, the vulnerability in the cyberspace has also increased considerably; it is very easy to attack someone privacy and data in the virtual world.

Hence, in this 21st century, when internet has become an integral part of our life, it is wise to access the same with due precautions and preparedness.

Keeping in pace with the international acceptability and the status that India has got in IT sector globally, we need to have a consciousness about a legal framework to check the violations on the web as well as a vision document for the implementation and updation of the same; matching the speed at which things change in the cyber world.

Evidently, the need of the hour is to create awareness in the society which in turn will urge the development of such a framework. Simultaneously, to create a delivery mechanism we need to develop a pool of professionals and train them to meet the day to day challenges of ever evolving cyber world and its associated threats. These activities have to go hand in hand by creating an understanding about its importance and unlike common perception the change has to start from every individual, every organization, be it private or Government, handling sensitive information, to make them cyber secured. By making small changes we can create a more cyber secured society.

The 11th Knowledge Summit on “Cyber Era - Securing the Future” by ASSOCHAM will set the stage for development of perspectives, designing of mechanisms and promotion of implementation actions towards a more cyber aware and secured India.

I look forward to it as the first step in taking India closer to being a cyber aware and secured nation.

S. K. Agarwal Co-Chairman

ASSOCHAM National Council on Cyber Security and Law

Page 8: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Message from Secretary General, ASSOCHAM

The growing use of ICT for administration and in other spheres of our daily life cannot be ignored. Further, we also cannot ignore the need to secure the ICT infrastructure used for meeting the social functions.

In the era of E-Governance and E-Commerce a lack of common security standards can create havoc for the global trade in goods and services.

The threat from cyber attacks and malware is not only apparent but also very worrisome. There cannot be a single solution to counter such threats. We need a techno legal “Harmonized Law” to address these challenges.

A good combination of law and technology must be established and then an effort be made to harmonize the laws of various countries keeping in mind common security standards. In this respect ASSOCHAM lauds the efforts made by the Ministry of Communications and IT, Government of India in recently releasing the National Cyber Security Policy 2013 to ensure a secure and resilient cyber space for citizens, businesses, and the Government.

We at ASSOCHAM, have been discussing and deliberating with the concerned authorities and stakeholders about the need for security compliance and a legal system for effective dealing with internal and external cyber security threats.

ASSOCHAM has been a member of the National Security Council, Joint Working Group (JWG) on Public Private Partnership on Cyber Security and we deeply appreciate the efforts made by the JWG in inviting private industries’ views and suggestions on Cyber Security related issues.

We are confident that the deliberations at the India Knowledge Summit – 2013, with the theme ‘Cyber Era, Securing the Future’ will provide more insight to emerging cyber related challenges and their appropriate solutions for further securing the cyber space.

ASSOCHAM is committed to creating more awareness about the Cyber related issues and this Background Paper jointly prepared by KPMG and ASSOCHAM is a step in that direction and we congratulate the team for their efforts.

We convey our very best for the success of the India Knowledge Summit, 2013.

D. S. Rawat Secretary General

ASSOCHAM

Page 9: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Message from KPMG

We are living in a connected era where the governments and organisations are making their services available online to citizens like never before. Governments have taken strides in delivering citizen services online. Organisations continue to earn revenues only out of their online presence. These have brought in efficiency and convenience in our daily lives. The entire smart phone market growth has been one of the catalysts for the dawn of the connected era. As the country’s infrastructure and the citizens keep getting online, the opportunities for cyber criminals to conduct their attacks also increase. This has tested the security measures of the governments and organizations.

The mindset of ‘compliance-based’ approach towards security needs to be unlearned to deal with the sophistication of cyber attacks. Relying on tools and scripts may not help tackle security issues unless there is some intelligence built in it. Of course, all of these steps will fail if there is not enough skilled manpower to manage cyber security. This requires an assessment of the overall maturity of the cyber security program of the organizations and the governments.

Many cyber attacks are part of online protests or cross-border retaliations against countries. There has to be a mechanism for real-time intelligence to handle security threats. In order to be better prepared to handle such cyber attacks, it is important to understand their modus-operandi.

The laws around cyber crime in India are also being tested for their ability to deter and tackle such crimes. While the government has taken couple of steps at the policy-level in recent times, these may become dated unless they are being reviewed on a regular basis. The government alone cannot tackle the issue of cyber crimes. An ecosystem for regular consultation workshops with industry and experts and a mechanism to develop threat-intelligence needs to be developed. More than ever now, the industry and the government now need to come together on the issues of dealing with cyber security.

Navin Agrawal Partner and Head

Government and Public SectorKPMG in India

Page 10: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Page 11: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

1. Cyber Security in India: Setting the context

2. Improving the security of nation’s Critical Infrastructure• Ten things you should know about National Cyber Security

Policy• NTRO’s guidelines for protection of Critical Information

Infrastructure

3. IT Amendment Act 2008

4. India’s cyber monitoring setup: Few legal aspects

5. Privacy and civil liberty protection

6. Inculcating robust cyber security practices through PPP

7. Cyber security practices in few other countries

8. Epilogue

Contents

1

3 4 5

7

9

11

13

15

17

Page 12: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

It is now widely-accepted and acknowledged that cyber crime has been affecting individuals as well as organizations in the country and the world over. There have been several instances of systems getting hacked in both public and the private sector.

India’s is third in terms of internet users and is forecasted that the IP traffic will grow 6-fold from 2012 to 2017, a compound annual growth rate of 44%. In July 2013, the government published its National Cyber Security Policy. This was followed by news of progress in the implementation of a framework for lawful electronic interception, referred to as the Central Monitoring System (CMS). Cyber-security is already a component of the US-India Homeland Security Dialogue. It is also important to note that both India and the U.S. are leading sources of spam emails. There are several reports of shortage of trained manpower for cyber security in India. There has been a huge increase in online card payments which are set to overtake physical card transactions in some years.

Source: India Has 15M Broadband Connections; 712.5M Active Mobile Connections – Medianama, Feb 2013

Cyber Security in India Setting the Context

Source: Trend Labs 2Q 2013 Security Roundup, Govt to chart road map to safeguard India’s cyber security architecture – DNA, August 2013

1 KPMG-ASSOCHAM – Cyber Era: Securing the future

Page 13: Cyber Era - Securing the Future

At present, one in four card transactions takes place online and the number has been growing at 50 percent year on year as against the 35 percent growth in ‘card present’ transactions1. Recently, SEBI has also approved e-IPO procedure for electronic bidding in public offers.

While the internet facing transactions are growing every day, there is a dire need of securing the underlying infrastructure from cyber attacks.

Cyber crime cases in the country registered under the IT Act last year rose by about 61 percent to 2,876 with Maharashtra recording the most number of cases.

The country had witnessed 1,791 cases registered under the Information Technology (IT) Act in 2011, Minister of State for Communication and IT Shri Milind Deora said in a written reply to Rajya Sabha.

“As per the cyber crime data maintained by National Crime Records Bureau (NCRB), a total of 288, 420, 966, 1,791 and 2,876 cyber crime cases were registered under IT Act during 2008, 2009, 2010, 2011 and 2012, respectively,” he added.

Maharashtra registered a total of 471 cases in 2012 followed by Andhra Pradesh (429), Karnataka (412), Kerala (269) and Uttar Pradesh (205) under the IT Act, Deora said.

A total of 176, 276, 356, 422 and 601 cases were registered under cyber crime related sections of the Indian Penal Code (IPC) during 2008, 2009, 2010, 2011 and 2012, respectively, the Minister added.

Source: zeenews.india.com

Electronic Delivery of Services Bill, 2011The Bill requires public authorities to deliver all public services electronically within a maximum period of eight years. There are two exceptions to this requirement: (a) services that cannot be delivered electronically; and (b) services that public authorities, in consultation with the Commissions, decide not to deliver electronically. The Bill establishes Central and State Electronic Service Delivery Commissions to monitor compliance of government departments and hear representations. Public authorities have to establish a mechanism to redress complaints.

The Bill requires all government departments to provide services electronically. This may involve the storage and communication of information in an electronic form. While the right to privacy is a fundamental right, India does not have a law on privacy.

In the absence of such a law, data that is stored electronically may be misused. The IT Act was enacted to facilitate e-commerce by providing legal recognition to electronic transactions. It only penalizes wrongful disclosure of information collected under that Act. It does not penalize disclosure of information collected by the government under other laws, such as under this Bill.

The Bill empowers the government to prescribe ‘e-governance standards’. However, these standards may not include safeguards for privacy. The Standing Committee that examined the Bill recommended that suitable amendments be made either to this Bill or to the IT Act to address this issue.

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

1 25% credit card payments take place online – Economic Times, September 2013

KPMG-ASSOCHAM – Cyber Era: Securing the future 2

Page 14: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Improving the Security of Nation’s Critical information infrastructure

The month of July, 2013 saw a couple of initiatives by the Government of India towards securing the cyber space of India. The month began with the release of the National Cyber Security Policy (NSCP) of India followed by the release of guidelines by the National Critical Information Infrastructure Protection Centre of the National Technical Research Organization (NTRO), the country’s elite technical intelligence agency.

3 KPMG-ASSOCHAM – Cyber Era: Securing the future

Page 15: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

National Cyber Security Policy of India In July 2013, Minister of Communications and IT, Mr. Kapil Sibal released the much-awaited National Cyber Security Policy of India 2013. In the wake of increasing attacks from state and non-state actors, on public as well as private infrastructure, this policy was essential to prevent and reduce such attacks. This policy also intends to circumvent any resultant economic instability arising due to cyber attacks. While the authority has acknowledged that the real challenge will be in operationalising this policy, the Cyber Security Policy still provides a strong vision to secure the critical infrastructure of the country.

Key points from the draft version missing in the final policy:

• Initiative to establish a countrywide secure intranet for connecting strategic installations with CERT for emergency response and coordination

• The draft policy had objectively set out actions for ensuring security by Service Providers, Corporate and SOHO

• Of the 12 stakeholders identified in the draft, only four are mentioned in the policy.

Here are ten things you should know about India’s National Cyber Security Policy 2013:

Set up a 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC) for protecting critical infrastructure of the country

Create a taskforce of 5,00,000 cyber security professionals in next five years

Provide fiscal schemes and benefits to businesses for adoption of standard security practices

Designate CERT-In as the national nodal agency to co-ordinate cyber security related matters and have the local (state) CERT bodies to co—ordinate at the respective levels

All organizations to designate a CISO and allot a security budget

Use of Open Standards for Cyber Security

Develop a dynamic legal framework to address cyber security challenges (Note: The National Cyber Security Policy 2013 does not have any mention of the IT Act 2000)

Encourage wider use of Public Key Infrastructure (PKI) for government services

Engage infosec professionals / organizations to assist e-Governance initiatives, establish Centers of Excellence, cyber security concept labs for awareness and skill development through PPP - a common theme across all initiatives mentioned in this policy

Apart from the common theme of PPP across the cyber security initiatives, the policy frequently mentions of developing an infrastructure for evaluating and certifying trustworthy ICT security products.

1

2

3

4

5

6

7

8

9

10

KPMG-ASSOCHAM – Cyber Era: Securing the future 4

Page 16: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Guidelines for the protection of National Critical Information Infrastructure Government of India, has designated ‘National Critical Information Infrastructure Protection Centre’ (NCIIPC) of National Technical Research Organisation (NTRO) as the nodal agency under Section 70A(1) of the Information Technology (Amendment) Act 2008 for taking all measures including associated Research and Development for the protection of CIIs in India.

The guidelines have been drawn up by the NTRO’s National Critical Information Infrastructure Protection Centre to protect the country’s digitized information networks — in public and private sectors — from cyber attacks. Among these Critical Information Infrastructures (CIIs) which are intricately interrelated and interdependent are defence, finance, power, transport, communications, water supply etc. The NTRO will also monitor if they are following the guidelines.

At present, the guideline has forty controls and respective guiding principles for the protection of CIIs. These controls and guiding principles will help Critical Sectors to draw a CIIP roadmap to achieve safe, secure and resilient CII of the nation. These guidelines have been framed through public private partnership. India will also create a Cyber Crisis Management Plan to respond to major breaches of cyber security.

Controls of the NTRO’s Guidelines

Governance Controls

1 Identification of Critical Information Infrastructure

2 Vertical and Horizontal Interdependencies

3 Information Security Department

4 Information Security Policy

5 Training and Skill up-gradation

6 Data Loss Prevention

7 Risk Assessment Management

8 Maintenance Plans

9 Feedback Mechanism for threat reporting to Govt. Agencies

10 Contingency Planning

11 Predictable Failure Prevention

12 Information/Data Leakage Protection

13 Checks and Balances for Negligence

14 Outsourcing and Vendor Security

15 Critical Information Disposal and Transfer

Governance Controls

16 Disaster Recovery Site

17 DOS/DDOS Protection

18 Wi-Fi Security

19 Data Back-up Plan

20 Testing and Evaluation of Hardware and Software

21 Hardening of Hardware and Software

22 Secure Architecture Deployment

23 Web Application Security

24 Periodic Audit and Vulnerability assessment

25 Compliance of security Recommendation

26 APT protection

27 Network Device Protection

28 Cloud Protection

29 Intranet Security

30 Access Control Policies

31 Limiting Admin Privileges

32 Perimeter Protection

33 Incident Response

34 Physical Security

35 Identification and authentication

36 Maintaining, Monitoring and Analysing logs

37 Penetration Testing

38 Data storage : Hashing and Encryption

39 Security Certifications

40 Asset and Inventory Management

5 KPMG-ASSOCHAM – Cyber Era: Securing the future

Page 17: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

KPMG-ASSOCHAM – Cyber Era: Securing the future 6

Page 18: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

IT Amendment Act 2008

The Government of India has brought major amendments to ITA-2000 in the form of the Information Technology Amendment Act, 2008. It has added several new sections on offences including Cyber Terrorism and Data Protection. A set of Rules relating to Sensitive Personal Information and Reasonable Security Practices (mentioned in section 43A of the ITAA, 2008) was released in April 2011. The ITAA 2008 adds eight offences,five of which are added to the ITA 2000 and three to IPC.

Many cybercrimes for which no express provisions existed in the IT Act, 2000 now stand included by the IT (Amendment) Act, 2008. Sending of offensive or false messages (66A), receiving stolen computer resource (66B), identity theft (66C), cheating by personation (66D), violation of privacy (66E). A new offence of Cyber terrorism is added in Section 66 F which prescribes punishment that may extend to imprisonment for life. Section 66 F covers any act committed with intent to threaten unity, integrity, security or sovereignty of India or cause terror by

causing DoS attacks, introduction of computer contaminant, etc.

The Information Technology Amendment Act 2008 also defines the term ‘intermediary’ which includes telecom service providers, internet service providers, web-hosting service providers, search engines, online-payment sites, online auction sites, online market places and cyber cafes. Under the amended section 79 of the IT Act, the requirement of ‘knowledge’ has now been expressly changed to ‘receipt of actual knowledge’. A limit of 36 hours is specified to respond to such a request. If an intermediary refuses to do so, it can be dragged to the court as a co-accused.1

The amended Act also enables setting up of a nodal agency for critical infrastructure protection, and strengthens the role of CERT-In. This Act creates provision for the central government to define encryption policy for strengthening security of electronic communications. Presently, encryption of upto 40 bits is allowed under the telecom policy.

The cyber security and data protection provisions in IT (Amendment) Act, 2008 are also supported by various other enactments, namely:

• The Indian Telegraph Act, 1885

• The Indian Contract Act, 1872

• The Specific Relief Act, 1963

• The Public Financial Institutions Act, 1983

• The Consumer Protection Act, 1986

• The Credit Information Companies (Regulations) Act, 2005.

1 IT Act 2000 vs 2008 - Karnika Seth, May 2010

7 KPMG-ASSOCHAM – Cyber Era: Securing the future

Page 19: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Highlights of the IT Act and present need• The IT (Amendment) Act

2008, reduced the quantum of punishment for a majority of cyber crimes. Majority of cyber crimes have been made bailable offences, with punishment of three years and fine. This needs to be appropriately reviewed.

• The IT Act does not cover a majority of crimes committed through mobiles.

• Cyber war as an offence needs to be covered under the IT Act.

• A comprehensive data protection mechanism needs to be incorporated in the law to make it more effective.

• A detailed privacy act needs to be enacted to protect privacy of individuals and institutions.

• Reflecting on recent news, Section 66A of the IT Act has been part of many controversies and has invited criticisms from many sections of the society. Terms like - ‘causes inconvenience, annoyance’ are deemed open-ended by certain sections of the society. The government has introduced guidelines that, in metropolitan areas, the approval of police officers ranked inspector general of police or higher will be required to register complaints under Section 66A. They will also have to justify in writing why the case is being registered. In non-metropolitan areas, the approval of officials ranked deputy commissioners of police or higher is required. But it’s unclear whether the new guidelines are legally binding without an Amendment in the Act.

KPMG-ASSOCHAM – Cyber Era: Securing the future 8

Page 20: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

India’s Cyber monitoring setup Few legal aspects

In April 2013, the Union government began rolling out a central monitoring system,

or CMS, which will enable it to monitor all phone and internet communication in the country.

Section 69 of the IT Act, that deals with power of Controller to intercept information being transmitted through a computer resource when necessary in national interest, is amended by Section 69 of the IT Amendment Act 2008. In fact the power vests now with the Central Government or State Government that empowers it to appoint for reasons in writing, any agency to intercept, monitor or decrypt any information generated, transmitted received or stored in any computer resource.

This power is to be exercised under great caution and only when it is satisfied that it is necessary or expedient to do so in interests of sovereignty, or integrity of India, defence of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

The procedure and safeguards to exercise this power are laid out by the Information Technology Rules, 2009 (procedure and safeguards for interception, monitoring and decryption of Information).

The subscriber or intermediary that fails to extend cooperation in this respect is punishable offence with a term which may extend to seven years and imposition of fine. The element of fine did not exist in the erstwhile Section 691.

1 IT Act 2000 vs 2008 - Karnika Seth, May 2010

9 KPMG-ASSOCHAM – Cyber Era: Securing the future

Page 21: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Section 79 of the IT (Amendment) Act 2008 thus deals with immunity of intermediaries. It is purported to be a safe harbour provision modelled on EU Directive 2000/31. The Safe Harbour provisions found in the IT Act are similar to that found in the US Laws which essentially say that the intermediaries who merely provide a forum weren’t liable for what users did. The only condition being that they respond promptly to a notice telling them about a violation. If the website took that file off then they were in the clear.1

Section 69B added to confer Power to collect, monitor traffic data.

As a result of the amendments in 2008, Section 69B confers on the Central government power to appoint any agency to monitor and collect traffic data or information generated, transmitted, received, or stored in any computer resource in order to enhance its cyber security and for identification, analysis, and prevention of intrusion or spread of computer contaminant in the country. The Information Technology Rules, 2009 (procedure and safeguard for monitoring and collecting traffic data or information) have been laid down to monitor and collect the traffic data or information for cyber security purposes under Section 69B.

It places responsibility to maintain confidentiality on intermediaries, provides for prohibition of monitoring or collection of data without authorization. This prescribes stringent permissions required to exercise the powers under this Section which are fully justified as abuse of this power can infringe the right to privacy of netizens. It also provides for review of its decisions and destruction of records.

The intermediary that fails to extend cooperation in this respect is punishable offence with a term which may extend to 3 yrs and imposition of fine.

SEBI has long sought the right to monitor phone call data without a court’s intervention to investigate claims of insider trading and manipulation in the country’s capital markets. The cabinet has decided to extend the powers of the country’s market regulator Securities and Exchange Board of India (SEBI), allowing it to monitor investors’ call records and conduct searches at companies suspected of wrongdoing. Under an executive order approved for issue by the cabinet, SEBI would also be authorised to carry out searches at company premises it suspects of wrongdoing2.

1 Intermediaries under the Information Technology (Amendment) Act 2008, Mondaq, March 20132 SEBI gets more powers to weed out suspect investors – Reuters, July 2013

KPMG-ASSOCHAM – Cyber Era: Securing the future 10

Page 22: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The Privacy Act should put into place a regulatory framework for both public and private sector organisations. The ambit of the privacy legislation will extend to data being processed within India, and data that originated in India, even when it is transferred internationally. To do this, the Act should establish the offices of the privacy commissioner. Additionally, the Act should enable a system of co-regulation through self-regulating organizations and their member organizations.

These bodies should each play a distinct role in implementing the provisions of the Act. The Privacy Act should establish offenses and penalties, and list exceptions to the right of privacy. Any exception should be necessary in a democratic society, proportional, and in accordance with laws in force.

The framework should enable quick redress by allowing individuals to resolve their complaints through alternative dispute mechanisms, the Privacy Commissioner, or the Courts. Once the Privacy Act is approved by Parliament, the regulatory bodies in the Act should be accountable to Parliament.

Different geographies across the globe have defined their privacy requirements, articulating the requirements for the protection of personal data and prevent harm to an individual whose data is at stake.

The table on following page represents the derivation of privacy requirements as articulated by the OECD Privacy Guidelines, EU Data Protection Directives, APEC Privacy Framework, Canada PIPEDA (Personal Information Protection and Electronic Documents Act), and Australia ANPP (Australia National Privacy Principles).

The privacy principles represent the foundation for any regime to protect privacy. With regard to the principles in force the world over, there is a high degree of agreement among various approaches, most specifically, the principles followed by the US, OECD, EU and APEC, where transparency, enforcement and accountability are considered the cornerstone for privacy protection.

While there are minor variations between these various formulations, it would not be inaccurate to suggest that there is a set of globally accepted privacy principles on which the India’s Privacy Law should be based on.

Privacy and Civil Liberty Protection

11 KPMG-ASSOCHAM – Cyber Era: Securing the future

Page 23: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

OECD Guidelines

EU Data Protection

APEC Framework

Canada PIPEDA

Australia ANPP

Privacy Requirements

Accountability Organization’s accountability towards personal information

Notice Notice in clear language for collection, policy notification

Consent For collection and use

Collection Limitation Restricting the collection to the identified purpose only

Use Limitation Restricting the use for the stated purpose only

Disclosures Terms to disclosure to third parties & any other reason

Access and Corrections Individual’s access to his infoand update/ correct his info

Security / Safeguards To prevent loss, misuse, Unauthorized Access

Data Quality To ensure info is accurate, complete & up-to-date

Enforcement Assurance over adherence to policies & Complaint resolution

Openness Policies clearly published & available

Additional Requirements

Anonymity De-identification of personal information

Trans-border Data Flow Personal data transfer across geographies

Sensitivity Specified info that requires specific controls

KPMG-ASSOCHAM – Cyber Era: Securing the future 12

Page 24: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The Joint Working Group (JWG) Report on Engagement with Private Sector on Cyber Security highlights the need for a pivotal body that will co-ordinate the cyber security measures between the private and public sector. This will not only help in sharing the intelligence of cyber security but also help align the maturity of cyber security across the country. The industry should also coordinate with CERT-In or the sectoral CERTs that the NCSP outlines. Critical shortage of cyber security professionals need to be tackled in mission mode with innovative recruitment and placement procedures along with specialized training of existing manpower. This programme can be implemented in PPP mode.1 Private sector may be associated with establishment of training facilities; apart for the regular security exercises that are conducted.

Given the role of security standards and audit in enhancing the level of preparedness and assurance in cyber security, the private sector can be an active partner in defining baseline security standards and practices/guidelines for the critical sectors both in the public and private sectors. There should also be security standards and guidelines for acquisition of IT products and services. In this regard, Joint Working Group on Cyber Security also recommends making cyber security audit mandatory by appropriate amendment in the listing requirements under the Companies Act.

Inculcating Robust Cyber Security Practices through PPP

1 Recommendations of Joint Working Group on Cyber Security – Justice Shah

Coduct Consultation Workshops

Share Cyber Intelligence

Fund Research programs

Develop Capacity building and Training Centers

Collaborate during cyber-attacks

13 KPMG-ASSOCHAM – Cyber Era: Securing the future

Page 25: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

KPMG-ASSOCHAM – Cyber Era: Securing the future 14

Page 26: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Leading Cyber Security Practices

Legal Frameworks

• The proposed Cyber Intelligence Sharing and Protection Act (CISPA) in the United States would establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and utilities and to encourage the sharing of such intelligence. Based on this Executive order of the President of the U.S., the National Institute of Standards and Technology (NIST) released a preliminary cyber security draft framework outlining standards, best practices and guidance for cyber security. The draft Cyber Security Act of USA intends to on an ongoing basis, facilitate and support the development of a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure of America.

• The National Security Strategy of the UK has categorized cyber attacks as a Tier One threat to national security, alongside international terrorism.

Sectoral Developments

• The U.K. has allocated £650 million over four years to establish a new National Cyber Security Programme to strengthen the UK’s cyber capacity setting up a National Cyber Crime Unit1 and also intends to form UK National Computer Emergency Response Team (CERT-UK)2. UK is behind India in terms of setting up a CERT but intends to do so in the near future.1

Cyber Security Practices in few other countries

1 Launch of national cybercrime unit a significant moment - The Guardian, March 20132 Keeping the UK safe in cyber space – Government of UK

15 KPMG-ASSOCHAM – Cyber Era: Securing the future

Page 27: Cyber Era - Securing the Future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Capacity Development

• Similar to India’s Cyber Security Policy, the Cyber Security Act3 of U.S. sets forth the need of developing a cyber security research and development program, offer cyber security scholarships and how to test and verify that software and hardware, is free of significant known security flaws.

• In line with U.K.’s Cyber Security Challenge, the Cyber Security Act of the U.S. states to support competitions and challenges to identify, develop, and recruit talented individuals to perform duties relating to the security of information infrastructure in Federal, State, and local government agencies, and the private sector.

• The Act has clearly defined the roles and expectations of the various agencies of the government that are involved in national security. The Act has defined timelines to report and review the activities directed to such agencies.

• Government of U.K. envisages setting up a ‘Global Centre for Cyber Security Capacity Building’ and developing a ‘cyber reserve’ of computer experts.

Public Private Partnerships

• By relying on practices developed, managed, and updated by industry, the NIST’s Cyber Security Framework will evolve with technological advances and will align with business needs. This includes industry driven standards, best practices and implementation measures to manage cyber security risks to information technology and operational technology.3

• As a result, the Framework is not designed to replace existing processes of an organization does not have an existing risk management process for cyber security, the Framework provides the tools to build one.

• Government of U.K. intends to building a ‘Cyber Information Sharing Partnership’ with businesses to allow the government and industry to exchange information on cyber threats in a trusted environment

• The Welsh model – e-Crime Wales – is one example of a public-private sector initiative, led by a designated unit within the Welsh government, that harnesses the insight of businesses, academia and industry experts. E-Crime Wales has brought

together the four Welsh police forces, and holds an annual e-crime summit at which leading experts, including ex-FBI employees, share their knowledge. The unit also hosts a full suite of practical, downloadable tools that businesses can use – everything from an acceptable internet-user policy for staff to a “preventing e-crime for dummies” handbook. More than half of businesses that have interacted with the e-Crime Wales initiative report putting e-security higher on their business priorities as a result. This work has proved such a success that Scotland followed suit with its own version – e-Crime Scotland.4

International Relationships

• Through its various acts and policies, both U.S. and U.K. acknowledge the need of international information sharing for building stronger cyber intelligence.

3 S. 1353: Cybersecurity Act of 20134 U.K. for less government role in cyber security - The Hindu, September 2013

KPMG-ASSOCHAM – Cyber Era: Securing the future 16

Page 28: Cyber Era - Securing the Future

While India has taken tangible measures to secure the cyber space in recent months, there is always a lingering question over the Return on Investment (RoI) of security measures. While security issues such as data theft can be quantified, say, in terms of monetary losses, issues such as the defacements of websites by the so-called ‘hobbyists’ is a bit subjective. There are instances where hacker groups only deface the content in a bid to boast their presence or to retaliate / voice their opinions.

The monetary loss in these cases is not much but results in reputations losses. Depending on the organization that is attacked, the ‘value’ of defacement may differ. While ISO 27001 has been comprehensive enough to meet the need of a ‘reasonable’ security standard across different sectors, there is a need for sector-specific standards which addresses the intricacies and levels of technology of the specific sectors.

This requires an independent ‘Cyber Maturity Assessment’ in the industry and governments which will evaluate the overall governance and response mechanisms along with the people aspect of the cyber security. In order to thwart cyber crime, the previously adopted way of ‘compliance-based’ approach has to now slowly give way to a more systematic and pragmatic approach to tackle cyber security.

It is an utmost need for enterprises, SMEs and the government bodies to not only adopt the various guidelines and advisories issued by the security agencies but also to regularly review the implementation of the same. There needs to be a timely review of the IT act to keep pace with the developments and sophistications in cyber crime. At the policy level, India needs to conduct consultation workshops with the private sectors and the cyber security equipment manufacturers to regularly track the developments in the cyber security space.

Apart from striving to augment its own capabilities, India also needs to counter cyber attacks through international cooperation rather than doing it alone. Public Private Partnerships and robust policy frameworks from the Centre are both key in this endeavor.

Epilogue

17 KPMG-ASSOCHAM – Cyber Era: Securing the future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Page 29: Cyber Era - Securing the Future

About ASSOCHAMThe Knowledge Architect of Corporate India

Evolution of Value Creator

ASSOCHAM initiated its endeavour of value creation for Indian industry in 1920. Having in its fold more than 400 Chambers and Trade Associations, and serving more than 4,00,000 members from all over India. It has witnessed upswings as well as upheavals of Indian Economy, and contributed significantly by playing a catalytic role in shaping up the Trade, Commerce and Industrial environment of the country.

Today, ASSOCHAM has emerged as the fountainhead of Knowledge for Indian industry, which is all set to redefine the dynamics of growth and development in the technology driven cyber age of ‘Knowledge Based Economy’. ASSOCHAM is seen as a forceful, proactive, forward looking institution equipping itself to meet the aspirations of corporate India in the new world of business. ASSOCHAM is working towards creating a conducive environment of India business to compete globally.

ASSOCHAM derives its strength from its Promoter Chambers and other Industry/ Regional Chambers/Associations spread all over the country.

Vision

Empower Indian enterprise by inculcating knowledge that will be the catalyst of growth in the barrierless technology driven global market and help them upscale, align and emerge as formidable player in respective business segments.

Mission

As a representative organ of Corporate India, ASSOCHAM articulates the genuine, legitimate needs and interests of its members. Its mission is to impact the policy and legislative environment so as to foster balanced economic, industrial and social development. We believe education, IT, BT, Health, Corporate Social responsibility and environment to be the critical success factors.

Members – Our Strength

ASSOCHAM represents the interests of more than 4,00,000 direct and indirect members across the country. Through its heterogeneous membership, ASSOCHAM combines the entrepreneurial spirit and business acumen of owners with management skills and expertise of professionals to set itself apart as a Chamber with a difference.

Currently, ASSOCHAM has more than 100 National Councils covering the entire gamut of economic activities in India. It has been especially acknowledged as a significant voice of Indian industry in the field of Corporate Social Responsibility, Environment & Safety, HR & Labour Affairs, Corporate Governance, Information Technology, Biotechnology, Telecom, Banking & Finance, Company Law, Corporate Finance, Economic and International Affairs, Mergers & Acquisitions, Tourism, Civil Aviation, Infrastructure, Energy & Power, Education, Legal Reforms, Real Estate and Rural Development, Competency Building & Skill Development to mention a few.

Insight into ‘New Business Models’

ASSOCHAM has been a significant contributory factor in the emergence of newage Indian Corporates, characterized by a new mindset and global ambition for dominating the international business. The Chamber has addressed itself to the key areas like India as Investment Destination, Achieving International Competitiveness, Promoting International Trade, Corporate Strategies for Enhancing Stakeholders Value, Government Policies in sustaining India’s Development, Infrastructure Development for enhancing India’s Competitiveness, Building Indian MNCs, Role of Financial Sector the Catalyst for India’s Transformation. ASSOCHAM derives its strengths from the following Promoter Chambers: Bombay Chamber of Commerce & Industry, Mumbai; Cochin Chambers of Commerce & Industry, Cochin: Indian

Merchant’s Chamber, Mumbai; The Madras Chamber of Commerce and Industry, Chennai; PHD Chamber of Commerce and Industry,

New Delhi and has over 4 Lakh Direct / Indirect members. Together, we can make a significant difference to the burden that our nation carries and bring in a bright, new tomorrow for our nation.

D. S. Rawat

Secretary General

email : [email protected]

The Associated Chambers of Commerce & Industry of India

ASSOCHAM Corporate Office:

5, Sardar Patel Marg, Chanakyapuri, New Delhi-110 021

Tel: 011-46550555 (Hunting Line)

Fax: 011-23017008, 23017009

KPMG-ASSOCHAM – Cyber Era: Securing the futurez 18

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Page 30: Cyber Era - Securing the Future

About KPMG in IndiaKPMG in India, a professional services firm, is the Indian member firm of KPMG International and was established in September 1993. Our professionals leverage the global network of firms, providing detailed knowledge of local laws, regulations, markets and competition. KPMG in India provide services to over 4,500 international and national clients, in India. KPMG has offices across India in Delhi, Chandigarh, Ahmedabad, Mumbai, Pune, Chennai, Bangalore, Kochi, Hyderabad and Kolkata. The Indian firm has access to more than 7,000 Indian and expatriate professionals, many of whom are internationally trained. We strive to provide rapid, performance-based, industry-focused and technology-enabled services, which reflect a shared knowledge of global and local industries and our experience of the Indian business environment.

KPMG is a global network of professional firms providing Audit, Tax and Advisory services. We operate in 156 countries and have 152,000 people working in member firms around the world.

Our Audit practice endeavors to provide robust and risk based audit services that address our firms' clients' strategic priorities and business processes.

KPMG's Tax services are designed to reflect the unique needs and objectives of each client, whether we are dealing with the tax aspects of a cross-border acquisition or developing and helping to implement a global transfer pricing strategy. In practical terms that means, KPMG firms' work with their clients to assist them in achieving effective tax compliance and managing tax risks, while helping to control costs.

KPMG Advisory professionals provide advice and assistance to enable companies, intermediaries and public sector bodies to mitigate risk, improve performance, and create value. KPMG firms provide a wide range of Risk Consulting, Management Consulting and Transactions & Restructuring services that can help clients respond to immediate needs as well as put in place the strategies for the longer term.

17 KPMG-ASSOCHAM – Cyber Era: Securing the future

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Page 31: Cyber Era - Securing the Future

KPMG-ASSOCHAM – Cyber Era: Securing the futurez 18

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Page 32: Cyber Era - Securing the Future

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

Printed in India.

KPMG Contacts

Pradeep UdhasPartner and Head Markets T: +91 22 3090 2040E: [email protected]

Navin AgrawalPartner and Head Government and Public Sector T: + 91 22 3090 1720E: [email protected]

Follow us on: Twitter - @KPMGIndia

kpmg.com/in

Cyber EraSecuring the future

11th India Knowledge Summit 2013

14 -15 October 2013

New Delhi

Latest insights and updates are now available on the KPMG India app. Scan the QR code below to download the app on your smart device.

Google Play | App Store