Architecture for a Safe Information Society in India
Some Managerial Issues
Background
In India, we are witnessing rapid progress on the technological front, but also a yawning gap regarding corresponding advances in organisation, policy and doctrine.  A healthy and robust policy framework is essential for the proper growth of the economy.
Information Security (IS) breaches are on the rise in India.  The CII-PwC survey of 2002 brings out the magnitude of the problem: as many as 80% of the respondents to the survey admitted to having had information security incidents.
Financial institutions, including banks, stock exchanges and limited companies, lead in adoption of information technology to transform their conventional business practices.  Since this is a critical sector, any incident in it will impinge on the credibility of India’s financial infrastructure.
Software exports have become a dominant source of India’s foreign exchange earnings and the engine for India’s emergence as an economic superpower.  NASSCOM estimates that by 2008, India’s software exports will reach $54 billion, up from $10 billion at present.  These will primarily come from ITES/BPO operations.  With this linking up of a major part of our economy with the Western financial systems, it is imperative that we adopt norms for information security and privacy, as well as intellectual property rights, as strict as those that exist in those countries, to inspire investor confidence.  Further, it is not adequate to have stringent laws.  The capability to enforce them, so that the law is respected and crime is kept under control, has to match the legislation.  The implementation of commensurate administrative structures and their empowerment is a Herculean task.
The telecom sector has grown spectacularly over the last few years, yet there is a regulatory vacuum in this sector.  For example, in the USA, a new Act (CALEA) was brought in, in 1994, to define the legal obligation of electronic interception cast upon the TelCos and the mechanism of the requisite funding.  In India, the basic telecom policy itself has seen many twists and turns.  There is no law regarding interception for the purpose of law enforcement.  With the convergence of the various modes of communication, there is an urgent need for an administrative mechanism to anticipate, regulate and oversee the working of the entities.  For example, total ISP licences issued: 570; total ISPs operating: 213; norms for co-operation with law enforcement: negligible.  In fact, there are no rules or format for even basic log-keeping by the ISPs, with the result that even serious cyber crimes may become impossible to investigate.
The existing legal framework for transactions in the electronic world is anaemic, and several new laws are required.  Frauds have already emerged in e-commerce activities, which may threaten the nascent sector.  Another important issue is that the conventional model of law enforcement agencies relying on in-house expertise for investigation will have to be replaced by something more effective, as the rapidly changing technology leaves no time for law enforcement to absorb new skills.
A large percentage of the internet user population in India is serviced by cyber cafés, which are the weakest link of the internet infrastructure coming up in India.  There are no uniform rules for regulating cyber cafés across the country.  The identity of cyber café users remains shadowy, making it extremely attractive for hackers to use them as launching pads.  The problem gets magnified if one adds the more numerous mobile phone users, who now access the internet on the move and whose identity and location may prove elusive in a real-time situation.
The Criminal Justice System is ill-equipped regarding collection of information of cyber incidents, their investigation, presentation of the evidence and ultimate prosecution of the cases.  Massive inputs of funding in hardware and software, manpower and training will be required to have a functional Criminal Justice System in cyberspace.
Though all cyber incidents are trans-national in nature, international co-operation in law enforcement is very weak and there is a need to evolve more responsive and reliable legal systems.
No mandatory guidelines are in existence for security audits of information systems.  Regulators like RBI have only advised banks to take information security seriously.  There is no regulation of the IS practices of government organisations, telecom companies and public/private limited companies.
Information warfare has become as important a concept as conventional war.  In the Indian context, the following questions remain unanswered: What is critical information infrastructure?  How much of it is in the private sector?  Are there uniform policies for its protection?  What is the government-industry interface to ensure standards?
Privacy issues have started causing concern.  More and more data is being collected about individuals, and issues like spam and telemarketing are becoming important.  There is a pent-up demand for regulating these activities, yet there is no law on the protection of privacy in India.
The new legislation has to take into account new technologies and has to remain contemporary for a long time.  The policy-making paradigm also has to change from the traditional reactive mode to a pro-active mode.  There is a need to educate the people’s representatives and top policy makers regarding the potential and pitfalls of the new technology.
Motivation
There is a paradigm shift in the role of police, as perceived by the society and by the police themselves.  From the earlier role as a force to maintain law and order, police are being seen as facilitators, responsible for delivering services essential to a civil society, which is primarily engaged in processing knowledge as its main economic activity.  These services range from providing security for life and property, including data assets and intellectual property, crime investigation, traffic management, identity verification and being a co-ordinating body for concerned groups on various law enforcement issues.  Police also have to perform the role of a social change agent, to adopt proactive measures to discern the trends affecting the society at large and to tackle them satisfactorily.  It is important for the efficacy of police that they are provided with the requisite legal and managerial tools for dealing with the threats in the cyberspace and that they equip themselves appropriately in use of those tools.
The author is a senior officer of the Indian Police Service, who has an experience of over 16 years of policing, including crimes in electronic environments.  He also has a strong background in technology, having completed his post-graduation from the Indian Institute of Technology, Bombay in 1984 and having supervised setting up of the wide area network in the Central Bureau of Investigation.  He is passionate about policy reforms in the government and would like to contribute to advancement of scientific thought in the emerging and vital area of information security at the macro level.
Past work done
The developed countries have accorded Information Security the topmost priority.  After the incidents of 11 September, 2001, a national Homeland Security Initiative has been announced by the US government, in which information security is a critical component.  More than 50 US universities have begun offering graduate courses on Information Assurance. Similar work is yet to be carried out in India, where larger issues of legislation and policy remain unaddressed.  The author has earlier published a paper on the need for a legal framework for electronic surveillance in criminal investigation.  The paper is available at http://www.oocities.org/nsaravade/TelTap_article.htm.
Research gaps
Formal research in Public Policy in this area is not known and few of the well-known academic institutions in India have dedicated departments working in this area.  There is substantial ongoing research in the area of the technology of information security.  However, in the ultimate analysis, fail-safe information security is amenable only to a holistic view, requiring appropriate management strategies, backed by the right policies at both macro and micro levels.  It is felt that the proposed topic requires an inter-disciplinary treatment of issues in technology, management and public policy, to identify, by a comparative study, the feasible solutions in the Indian context.
Objectives of the proposed research
The objective is to identify the needs for enactment of the right policies in India, by studying the available data in the country regarding information security breaches, eliciting opinions from the government, the industry and the academia, scrutinising the various legal and administrative models being set up in the advanced countries and identifying models suitable for Indian conditions.  The study will focus on management issues relating to the protection of critical infrastructure.  Illustratively, it may include the following areas.
Gap Analysis and Needs Assessment for creating a model of the desired version of the system and aiding in the transition from the current to the future one: A detailed study will be made of models available in the US, the UK, the European countries as well as Asian countries like Singapore.  The felt needs in Indian conditions will be identified by tapping the key stakeholders.
Identification of the framework for the appropriate legislation in areas of data security, privacy, empowerment of law enforcement agencies and laying down of standards for information security, along with a body of supporting regulations.  Existing legislation in the aforesaid countries will be studied.  Views of experts in the Government and the legal fraternity will be elicited and analysed.
Development of mandatory regulation for the financial institutions, limited companies and other entities dealing with public funds at large, on disclosure norms, third-party security audit, due diligence certification and personal responsibility of the top management towards compliance.  Inputs from the industry bodies, information security practitioners and the regulating bodies will be sought and collated.
Conceptualisation of an information sharing arrangement, within the government, the academia and the industry: The IT solution suitable for this endeavour will also be identified.
Identification of research areas requiring further work.
Identification of training needs.