Friday, January 2, 2015

(Indian Government) Strategy / Planning Deficiency in Cybersecurity

Jan 04, 2014. This article has been updated based on feedback from friends in government.
The India news media is going ga-ga over the proposed cybercrime panel announced by the Home Minister.. but, not me! I have serious reservations about this activity hope good sense prevails before the panel gets to work!In case you missed the news, read it here on Deccan Herald, and here on TOI or search online

It is an accepted fact that the world is technology dependent, and, that governments and infrastructure will come to a halt in event of non-availability of IT resources. Doomsday and Pearl Harbor scenarios are thrown up by world leaders and every malicious incident is termed as cyberwar accompanied by appropriate war-drum type noises by Presidents, ministers and ministries.

Governments, globally, have a common objective of the necessity of securing their information – whether to keep state secrets or keep their black deeds secret or to steal someone else's secrets. Some are creating armies of cyber-warriors while some are deploying cyber-mercenaries to achieve their goal.  

A number of ‘so-called’ third world countries are defining their IT and Cyber Security policies and working hard (and fast) at building internal capacity and capability. These are strategically planned efforts with clearly defined objectives (we want to be the technology powerhouse in our region in 10 years time).

When we compare such activities with those at home one can only hangour heads in shame! Since the advent of the internet in 1995 and the IT Act we are yet to see any national strategy or workable plan. Yes we have seen non-working policies and delusional visions of our leaders (India is IT Superpower, Mumbai will be Shanghai, BRTS in Mumbai, Ban Google etc)

Last week the Home Minister announced the formation of a panel of experts to define a policy for cybercrime. This august panel was to comprise academics and industry professionals, but has academics and bureaucrats and not a single cybercrime officer

The action itself smacks of self-aggrandizement and demonstrates the continuing deficiency of strategic thought OR common sense at the high levels of a supposedly 'aware' government.  Without a SINGLE member having cybercrime and/or cyberlaw experience (pray) how does this august panel expect to define a national cybercrime policy which will actually work.

We can expect another big load of balderdash, alien concepts or impractical and inane directives on the same lines as the much touted National Cyber Security Policy (NCSP).

To refresh our memories, the NCSP was announced with much fanfare in mid 2013 and has, thankfully, remained dormant till now. It has provisions which are far reaching in thought and reality. So far, we do not seem to have taken our first steps. A few concern areas from the NCSP worth mentioning are:
  • Suggestion for PPP: without talking about how will the Private entities benefit from the Public Participation. The government expects free services – just because they are what? Government?
  • The policy says “enabling creation and operationalization of sectoral CERTs as well as facilitating communication and coordination actions”. These are very noble intentions that sound great but just one line in a national policy for such an important function! It had to be lost at birth!
  • Using PKI for Government communication – we haven’t been able to get government to stop using public email services and we talk about PKI. 
  • NCIIPC … where is this gone?
  • The piece de resistance is the last paragraph “This policy shall be operationalised by way of detailed guidelines and plans of action at various level  such as national, sectoral, state, ministry, department and enterprise, as may be appropriate, to address the challenging requirements of security of the cyberspace.” 
    • that's great and who is responsible, how this will be done, when will this be done and is there a penalty for non-compliance?

Frankly, I can keep going on but this is another story altogether. If interested you can ask me for my clause-by-clause analysis of the NCSP. 

Before I move ahead to the present topic, I must mention another governmental activity for brownie points to get media attention - around the same time as the NCSP in 2013, the National Critical Infrastructure Guidelines document was released. It was not really a set of guidelines but was a bad clone of ISO27001 and was actually a set of controls suggested for the CI Institutions. How effectively it has been used in the establishment is evident from the fact that it is not talked about at all. One simple question - does NCIIPC exist? Yes but is it staffed appropriately, and does the staff know what they are supposed to do? Personally I have yet to hear about baby steps of this organization. 

Returning to the subject of the proposed Cybercrime Policy development panel and the serious deficiency on the part of the government establishment. 

It seems no one thought it appropriate to apply their mind to create a strategy, objective / vision BEFORE nominating names and forming panels to create national policies. Especially nominating names of persons from unrelated domains. A knee jerk reaction to the world events around cybersecurity or what? And it seems our government is just doing what it always does .. create new security organizations, panels, policies as a knee-jerk reaction whenever a new incident happens!

Doing a root cause analysis of such fiasco type acts it is obvious these are political actions designed to sound and feel good. It ends here as political masters are seriously deficient in cybersecurity knowledge and have short-term memories. 

Another surprising factor (for me) is the acceptance of the nomination by these persons of eminence. None of them felt the need to object saying that cybercrime was not his/her domain. None felt the need to ask the same Government establishment and functionaries to include additional members, especially cybercrime specialists.

I do not want to name names but is it so much of a problem for all nominees to raise a flag against such decisions if working within the government establishment.

Today there are cybercrime cells across the country and these are manned by uniformed junior and senior officers of various Law Enforcement Agencies. The personnel are qualified and professionally trained and face multiple challenges everyday in the course of their investigations and fight to control the menace of cybercrime. These cybercrime professionals have to struggle against the stonewalling tactics of domestic and foreign corporations in the business of ISP, web hosting etc and have developed an intimate knowledge of local and international laws, treaties and regulations.

These personnel are acutely aware of the limitations of Indian laws and policies and possess the leadership of thought for development of domestic rules and regulations that will help in cybercrime control at all levels and will help build the image of the country as a resilient nation that will deal strictly with new-age criminals.

I can only hope that better sense will prevail and that the powers-that-be will consider a change in their decision making process when looking at the cyber domain. This is new-age and cutting edge, stuff which has not been experienced in real life and (seriously) needs to be handled differently.

High time the establishment undertakes cyber training / learning and does a reality check to clear their mindset of conventional thinking so that the knowledge deficiencies are cleared. High time, India claimed it’s place in the Internet / Technology space as a real leader and not just a self-proclaimed one. 

The internet age needs a new pair of spectacles and no one is buying. It needs a central agency to own and operate security, it needs leaders to think but leaders do not think! It needs governance and transparency but every government is loathe to accept this. It does not need an alphabet soup of organizations with each pushing personal agendas and claiming to be the ultimate cybersecurity organization. 

High time, we become the keepers of security in cyberspace and thought leaders. 

Sunday, December 21, 2014

Sony oh Sony.. your mess is all over

Life is a bitch! And if  you are a leader it's lonely at the top and every other guy in the universe is trying to pull you down (even if he is not capable of taking up your chair).

The Sony management must be praying their guts out calling for divine intervention hoping lightning strikes the people who hacked them. The question God is bound to ask them - should I strike the guys who came first, second or the third time? And, who are they?

Wow! That's a big question and no one knows the answer. The FBI seems to know (for certain) it is North Korea.. but then these guys in US agencies are so sure of things that are reasons used for going to war.
Remember the WMDs everyone was screaming about before the attack on Iraq. Years later that President has gone and there are no WMDs and no one is asking! Who cares! Defense suppliers made billions and the bottom line is what matters. Who cares if a few third world countries have been reduced to ghettos and slums. 

The Mr Obama tells Sony - you did the wrong thing, You should have called me and I would have sent my bombers to unleash destruction. Does anyone have a clue about what happened and from where and who did that what happened thingy.

Oh yes, these very same players (Mr O, FBI and other intelligence agencies and security companies) have been lampooning China until recently. Pointing fingers at their capability and their unethical hacking of networks around the world. A fundamental question for the US Administration is that until a few weeks earlier you were talked about China being the biggest villian of them all. And now it is North Korea.

Read the article and laugh at the statement of the government saying that the US and China believe that destructive attacks violate the norms of appropriate behavior in cyberspace! ROTFL ! Imagine the US talking about appropriateness in cyberspace. So what was Prism and Stuxnet ? Good behavior? This is hilarious.

Anyway to come back to dear Sony - this has become bad. And what is worse is that a threat is issued by some unknown entity and every single theater owner across the US is too scared to run the movie, And Sony is too scared to release the movie too.

Till date enough dirt and sh*** has already been revealed by the hackers through the emails made public. The opinion of Sony executives for people like Angelina Jolie is now common knowledge and one would like to believe that there cannot be more dirtier smelling dirt still to come! Apparently there is more disastrous stuff so this big corporation has had to go down on it'e knees.

Along with the theater owners across the nation!

Such is the power of the unwritten word, such is the power of a breach - how it hits you, you will not know. Sony thought it was a hack, they did something. Another happened, and they again did something. And now this is BIG and they jusy dom't know how bad it will be.
- It has turned out to be a reputation blaster and the reps of most Sony top executives is in tatters.
- It has turned out to be a financial stinker and with the release stalled and with the IP (unreleased movies, stories) that have been stolen, it is anyone's guess.
- It has become the biggest corporate threat made in public ... and accepted by a frightened world.

One of the risks of cyber security was ransomware but this is a different type of ransomware! No hard drive has been encrypted. Instead, data has been stolen and the companies are paying ransom because they are scared of the revelations that are in the stolen data!

Now the US President is also in the fray and calls is a national issue.and the administration has said they will take action, What will they do... remains to be seen.

In the meanwhile, it is important for organizations and governments to relook at their security strategy, budgets and plans and make sure that things are in place, They must make sure that if things are in place it is not just for the sake of being in place but in reality!

Else, they all have to be prepared for doomsday type scenarios... times like the one at Sony where no one has a place to hide.

Saturday, June 21, 2014

The case of objectionable FB posts - time to change

Some miscreants put up objectionable posts on FB and the state erupted with riots and ham handed police response. 

It is time to change the way we think about online life because the lines have blurred making the virtual personae as much a part of real life as real life is of the virtual! 

I put together a compendium of news articles starting from June 01... and the headlines speak for themselves (my comments are in red):

Protest against objectionable post on social media hits expressway traffic  - how will traffic disruption help catch the culprit? There are many other ways to protest... why the e'way which is miles away from the police station! Times of India
Tech experts hunt author of FB post which led to violence across state  - Really ! Can they "hunt"  Mumbai Mirror 
Cyber crime cell takes over probe  - this is the department which should have been given the responsibility on day 1 instead of trying to "hunt"  Times of India
Maharashtra police to crack whip on those who ‘like’ offensive Facebook posts - so one guy commits an offense and the government wants to show it's muscle just because it can do little else. 
The government just wants to crack whips - did any minister stand up and make a responsible statement about the posts and calm down the emotionally charged citizens?

Times of India
Origin of offensive posts unclear, cops seek details from Facebook - reality bites! Times of India
Pune mob violence over 'Bal Thackeray pics' kills 1 - an unfortunate killing by a mob. What was the police doing when the mob was getting their act together? The loose handling allows lumpen elements to come in and take advantage of citizen emotions.  Hindustan Times
Don’t let Pune techie’s killers & their leaders get away  Mumbai Mirror 
Pune murder -Six more held Times of India
Servers abroad used to make offensive Facebook posts, Mumbai cyber crime investigation cell says - everyone knows FB servers are abroad. Whats new! Just some inane statements to keep the news papers printing. 

Times of India
Maha Govt Under Siege Over Techie Killing - with irresponsible handling of the law and order situation and refusing to make changes in the face of technology pervasiveness this is bound to happen.

Times of India
Pune techie murder case -  8 more arrests made, 2 minors detained DNA
Pune techie murder case - Another man was attacked by same gang the night Mohsin was killed - what an undeserved death. Poor man was killed for no fault of his.  Times of India
ATS probing reason behind Pune violence -Why are we bringing the ATS ? What next SIT and NIA? This is political FUD - just make it sound so big and show how responsibly you are handling the case. Call the army and tell the world I called them... what more can I do!

Times of India
Offensive FB posts 187 rioting cases filed, 710 held -Great statistics to be proud about. Fundamentalist lumpens go on riot. Government sleeps and makes no statement. No one helps any of the affected and everyone from CyberCell to ATS and technical experts are "hunting" the culprit! Will they find someone?

Times of India
Court extends HRS leader Desai's police custody till tomorrow Times of India
After killing Pune executive, mob attacked bakeries and shops - Whats wrong with us? how will this riot find the culprit? Who does all this and why are these guys not locked up for good. Frankly I would like to know if any of the 700 guys who have been arrested know what is FB and what is objectionable!!

Times of India
Another FB post sparks protests across state Times of India
Cops blocked 113 of 198 ‘offensive’ social media posts since Jan -Great job - this is the capability we have to increase to the level where problems are nipped in the bud. The police and central authorities must create an ecosystem to discover such anti-national posts before they damage the country's peace.

Mumbai Mirror 
My son's murder not just a law & order issue -  Mohsin's father  Times of India
Those behind inflammatory Facebook posts identified  R R Patil -Wow! Great. Mr Patil - now we must throw the biggest book at the culprits and make sure that they get the death penalty. 

Times of India
2 crore of taxpayer money lost as mobs target buses in state Times of India
Like, share ‘objectionable posts and face prosecution Mumbai Mirror 
Facebook posts- Mumbai police say leads did not pan out, trail gone cold - Oh really! What happened to Mr Patil's statement two days earlier that they have been identified! How irresponsible - shows the lack of respect for the dead and the riot affected.

Times of India
Offensive FB posts may be from Pak - YES ! Blame it on Pak. They are the root cause of every evil in India - from robberies to increase in train fares !

Times of India

This is not how one handles communication and government outreach in times of crisis. 

Rumors (normally) move fast in the normal world, especially malicious and mischievous ones that are meant to create strife. In the internet world they move faster and further so the impact is greater in a shorter period of time. 

The slow reaction of the establishment is the first culprit in this case and the situation was compounded by the lack of responsible communication by the ministers. Our problem is that the government first goes to sleep and hopes that the problem will be wished away.. and then they come out making inane statements. 

Check the table above - blame it on Pak! How convenient to sweep everything under the table and go back to fiddling while Maharashtra burns. 

Friday, March 7, 2014

Foot in the mouth disease afflicts the establishment - shameful statements for national security

Today is a sad and shameful day when a person no less than the National Security Advisor (Mr Shivshankar Menon) of the country has trivialized security breaches in the (supposedly) most secure confines of the Indian Government infrastructure. 

As reported in the media he has made irresponsible statements like 
"A mere fact that some computer is open in North Block and South Block and is accessible, does not mean that therefore there is big gap in security."
"not every leaked password is a big threat to security"

I really do not know whether to cry or jump off a cliff especially when I know I am living with such people heading security for the country. First we had our Minister (Mr Khurshid) who was very quick to forgive the Americans for their NSA-PRISM snooping calling it patterning and that they were "really not snooping".

Of course if someone shows you evidence of the holes in your underwear you will keep your mouth shut and happily take all the shit that is thrown at you. Then you will go to town claiming that this is not humiliation but is actually adding to your dignity .

No one has the guts to stand up and say we are being raped - this country which is supposed to be Incredible and what-not. Not even a whimper from any of the hallowed institutions which are supposedly responsible for cyber security in the country.

In any case who will stand up to the NSA or the Minister or the people in power and tell them they are not wearing their robes! 

The country is sold every other day with thousand crore scams by politicians and their cohorts. Innocent lives are lost because the defense forces do not have the money to spend on submarine repairs or MIG upgrades. Farmers commit suicide and floods and famine co-exist to wreak havoc on the motherland. 

And all the while we fart with false pride. In simple words, I am plain angry, hassled and I am sure this is the same state of many of my other fellow countrymen and women.

Does the country have any hope when the PMO, DRDO, MEA, MHA, CBI and other sensitive institutions are "haped" every now and then - and the powers that be take pride in their hour of humiliation.

If the people who are responsible for security in the country have such a cavalier attitude, how can we expect any sort of responsibility on the part of government institutions or law enforcement or judiciary?

Well it is a dark day for the country to realize that we have a funnily irresponsible NSA who also has the foot-in-the-mouth affliction. All that we can do is ... "havan karengey, havan karengey.." 

Wednesday, March 5, 2014

Cybersecurity lectures and safety days and weeks ... Part 1

About Cyber Security Lectures 

Everyday I read about lectures being conducted by so many people across the country, sponsored by the local police or some or the other security company using money from their CSR or any other budget. I find them to be good initiatives and applaud the effort of all the people who are doing this but (frankly) I am not impressed ! 

Reasons - these are flash in the pan efforts. Go give a talk and walk away. Did any one understand what you said, why etc ... these are all unanswered questions. From what I have heard these are "magic shows"and the presenters have to show some FB hack, some google hack, pwn someone's mobile phone, show some XXX stuff to get the audience laughing into their pocket. Who cares about the experience of the presenter so long as someone sent him and it is a funny free time for the participants. 

No one asked so no one set the objective for these so called awareness or training programs for the children in school or college. They have very different lives and pressures and did we identity these issues before going and doing a program with them. 
(I do know that for many it is a money making thing - do a 2 day program, give a certificate to the college student, make Rs 1000 per person - split with the college - go home with a cool lakh in your pocket) 

If you guys see Balika Vadhu - Colors  (this is a soap on Colors TV in India) you will appreciate their effort at showing a date rape and MMS crime. No dont laugh - go get the episodes from youtube and view them.  (I mean don't laugh at me for watching the soap!)

Then I came across this article from Rolling Stone (put up by my friend Shyama) and it provides a detailed analysis based on the investigation of a girl who was traumatized by her friends into committing suicide ...

We shall see such episodes in our country too and the need is to concentrate on social and personal problems, risks and threats that is posed by the Internet and technology rather than the technical aspects we seem to be focused upon. Yes the kids need to learn about technology or VAPT but not in grade 4 or 5 or 6! 

And the final question - do their teachers and principals know about the extent of the dangers ? What about their counselors ? Did anyone share the training program with the counselors and try to find out the type of problems that are being addressed?

I would like to know about your experiences and thoughts and shall welcome comment - in public or via private message. 

I shall soon write about the celebration of Internet Safety Days and weeks and months ... !

Saturday, December 28, 2013

In India - ATMs to be shut down at night

Incredible India! 

Incredible Indian people who run this country - they just morph into nincompoops when thinking about the country's progress. 

Today IBA and RBI have come up with a fantastically BS proposition to close ATMs at night and I can't help but laugh at their (lack of) wisdom, intelligence, whatever it is you have between your ears. 

What a great idea sirjee... identify low traffic ATMs and close them at night! It is surprising that on the one hand these guys are talking about private ATMs across the country and that every rural branch must have an ATM, and on the other hand this. 

(With due apologies) Besides it is also a reflection of the trust in the police department - which seems to be touching rock bottom. Or, the trust the police department has in itself - which seems to be even lower! 

First they said - place a guard at every ATM which meant employ and deploy 5000 people from where-ever within 2 weeks in Bangalore - from where? Which factory will provide so many human beings on order. 

We excel at jerking our knees and there is no better evidence than this - deploy overnight, close ATMs, open ATMs.... blah blah and double blah.

Is closing ATMs a solution - it is just IBA/RBI/Cops running away from the problem. No intelligent statement has come from these institutions to tackle the problem except jerking their knee. This is so typical - make a statement which sounds so high and mighty that everyone will be appeased, and nothing will be sorted out. 

So who will close 5000 ATMs at night? Will one doddering guy go to all these ATMs and down the shutters. Won't you have to hire people to do this! Or will you install a central system which will do this at the flick of a button!

Dear IBA/RBI/Police - what are you thinking? Do  you really think that the untrained, illiterate villagers who are given black and blue uniforms and seated at ATMs are capable of thwarting a robbery! Hah ! and Bah!! 

Sorry - take a Babaji Ka Thullu for that thought!!

I agree that hiring thousands of guards will blow a hole in the budget and (anyway) it is a short term solution. ATM count will keep increasing and the quality of guards will keep going down. Why cant IBA/RBI/Cops advise to work with the security agencies to create a rapid reaction force, install intruder alarms, upgrade the CCTV and make it good for the next five years. 

Close the ATMs today, hire your non-guards next and still suffer from the same disease and keep floundering all your blooming life. 

Closing your eyes to the problem will not resolve it! This is NOT risk / threat remediation it is containment.
Response from Nandkumar On another occasion, I had heard of a mind-boggling suggestion that ATMs be clustered in a centralised location in a town so that tight security can be provided!
Banks also need to do away the 'lounge-like' appearance of ATMs and make them 'box-in-the-wall' thingies, so that all transactions happen in the open with the real world precautions and protections for cash transactions.
Of course this is typical knee jerk reaction - you do not understand something - close it. Why bother finding a solution and making life easier for the customer. We are a bank, a big bank, customer will come to us and all we have to do is keep our flag flying high and showing how nice we are! 

This is India my friend, if you are a customer and your money is with me - you are a "keeda" (insect).

Tuesday, October 29, 2013

The US visa issue and more on governance and compliance

It is interesting to see the most admired Indian IT company, also revered as the model of governance demonstrate that it is not possible to shed your Indianness. The jalebi thought process that is genetic to our race and the concept of ‘jugaad’ which we are trying to push upwards in business thought as the ultimate tool for inventiveness.

Both, the jalebi and jugaad are words with start with a ‘j’ and in a pack of cards the j is a Joker. One does not need to ask a Tarot practitioner what the Joker represents. Sadly we hide behind the ever-smiling mask indulging ourselves in our individual fantasies of security, ‘Ramrajya’ roti kapda aur makaan’, incredible India, Shanghai to Bombay or whatever pleases us to blow our trumpets out loud.

Enough said about the joke on us, and to turn the spotlight on Infosys – it is being hit with a $35m fine for indulging in questionable visa practices. Recently it broke with “tradition” when Mr Murthy was called back to help the company stand on it’s two feet again. The first governance rule was not to go past a certain age and the second was not to have your kids in the same place! And, Mr Murthy brought his son along as his personal assistant, and the assistant has become independent and promoted to something (I do not know what).
Now I have nothing against Mr Murthy or Mr Nilekani, but guys, you are role models for millions across the world and if you cannot live by your word then WTF!

OK I accept that rules are not cast in stone and the world of business is dynamic and one has to move with the times and all that .. but then at least have the guts to issue a public statement explaining the change of stand, but no. This is not done in the Indian scenario – if you are successful or if you are boss, you do not stoop low as to offer explanations of your actions to the hoi polloi.

So it is fine to be hit with a fine, you are Indian working overseas and you never came to terms with the word compliance because you were fine with jugaad.

Now if we examine why the visa is misused, we have to blame the US Government and clients too, not just Infosys and other Indian companies. Oh come on, just because there are no other names does not mean other Indian companies do not indulge in such practices. Maybe they indulge in darker practices which are too deep to discover !

Well the US Government should realize that it is not easy to get an order from public or private organizations. And, once an RFP has been decided in it’s favour, no self respecting organization will make the first move until an iron clad purchase order is received. From receiving the first whiff of a requirement to getting the iron-clad Purchase Order is usually a very long period of time and can bring organization CxOs to the brink of insanity or to being committed.   
After this long drawn gestation period to get the order in hand, the client wakes up from deep slumber demanding overnight deployment of teams and program managers crack the whip at their Indian laborers. Yes this is a repeat of the slave trade, albeit in a different manner.

Now comes the crunch – the Indian IT behemoth keeps their ‘bench’ in India because this is home and costs are low. The moment the demand crops up the easiest visa is a B1 which is for a business visit and it is easily given out by the US Consular office which looks at income statements, pedigree of the employer and stamps the passport of the young 20+ year old kid. Of course the Consular officers are not so “duh” as to stamp every one meeting this frugal criteria – they seem to have some kind of sweepstake going on too. The reason I say this is because for every ten successful first-timers-with-visa there are 1.5 to 2.5 who are rejected summarily … these guys go back after 3 months and get a visa (same routine).

Now Uncle Sam (chachaji) has woken up and said that the visa is misused. So why cant they just recognize the fact that there are millions of team members who are to travel and get deployed on assignments in their system, or even in the dreaded dirty-tricks NSA. Why can’s a visa be tied to a contract?
Contracts are subject to import laws of the US of A which means that some or the other arms of Government have worked to approve the import of the service and that national interest (security) is protected. Additionally, they will have also done an impact analysis of the contract on US employment, skills and local excitement. If they can do all this then why cannot another department be brought in and a blanket “Contract related visa” – the vendor has made an estimate of the effort and also has a far idea of the number of people that will be deployed. Make sure that the  visa is issued for that contract, that the buyer is jointly responsible for the team members who are deployed and their movement is recorded.

There will be some team members who will qualify for multiple assignments and the Immigration office can include those contracts too.

With limited validity and traceability it will benefit the companies which are engaged in legitimately and are forced into visa non-compliance situations.

Until then the bellwethers of corporate governance should lower the volume on their drum beating and be a bit more patient when acceding to the client’s demand for deployment of the onsite team. 

Whatever course of action is taken by the US government, clearly they are working on an internal agenda. You need us but you want to act pricey and funny and make life miserable for us. Now Infy will be down by 30 odd million and that is not small change and the blame is not 100% on their doorstep.