Cyber security

1. Structuring a National Strategy to secure Cyberspace: Solutions for India
   Netsecure Technology http://ww.netsecure.in

2. Part 1 - The need for a national strategy
   • Examining national objectives
   • Structuring a policy
   • Current law in India
   Part 2 – Case Study: Data Privacy and National Compliance [Challenges and Strategies]
   • Data Protection legislation around the world
   • European Commission Directive and the UK Act
   • Data Protection model: the United States
   • Balancing Privacy and Security
3. Opportunities for India

4. • Speed and Convenience
   • Technological advances in data storage and transmission
     – Mobile access
     – Personalised and tailored
     – Data mining sophistication
   • Globalisation of communications - the internet
     – Loss of control
     – Insecurity
     – Lack of confidence
   • Convergence and standardisation
     – Increased scepticism of technologies
     – Low uptake of eCommerce
   • Increasing importance of data processing

5. • <Cyberspace> as introduced by William Gibson [a place governed by its own laws] - “a consensual hallucination” [William Gibson, Neuromancer]
   • A contradiction? Greek <kybernetes> means ‘steersman’ of a ship
   • “Law and Borders”: the ‘independent’ theory of cyberspace law [David Post and David Johnson, Stanford Law Review]
   • Benkler’s layers – the physical, the code and the content [in communications theory]
   • Lessig <Code and other laws of Cyberspace>

6. • Securing “Indian” Cyberspace [regulations and the history of trade – towards pax mercatur]
   • The basic premise: the machine or the medium
   • Adaptability and Enforcement of Indian law – lessons from the American experience [Adobe Systems v. Dmitry Sklyarov]
   • Systematic collaboration between vendors and customers to secure interoperable government and industry enterprise information systems
   • Enhance collaboration between law enforcement and industry to prevent and prosecute cyber crimes

7. • Understanding the role of the medium – incidental [blackmail, stalking]; content [obscene or sensitive material]; integrity [unauthorised access and/or modification]
   • The criminal act – discovery [detection] and analysis
   • The Cybercrime Manual – fostering preparedness
   • Focussing on ‘relevant’ issues and appropriate classification of offences
   • Cyber forensics and the collection of evidence
   • Crisis management [internal and external]

8. • The Team [Member of the Board, Human Resources Manager, Chief Information Officer, Legal Counsel, E-Risk Management Consultant, Internet Security Expert, Cyberinsurance broker]
   • Utilising and factoring security tools – Digital signatures are a ‘sign of our times’
   • Understanding and evaluating risks [internal and external]
   • Allocating roles and responsibilities - Structuring the audit process [examining use and abuse]
   • Ten Tips:
     [i] Firewalls with secure passwords;
     [ii] correct installation and maintenance [the human angle];
     [iii] encryption;
     [iv] assign network administrators a security role;
     [v] external consultants and auditors;
     [vi] periodic security audits;
     [vii] do not ignore ‘small company’ security needs;
     [viii] limit access to the computer room;
     [ix] educate employees about the dangers of social engineering;
     [x] educate employees on potential threats.

9. • A training process for law enforcement
   • The Basics: the “machine” and the “medium” – What is a Cybercrime?
   • Develop programs that promote a culture of security within and across enterprises, including corporate governance, integration of physical and cyber security, and cyber ethics from school to the office
   • Engage with industry, academia and government in both countries to foster research and development and collaborative education efforts in information security

10. • Stake your territory: the applicable law
    • Have the final say: the invitation to treat
    • On your own terms
    • Is it secure?
    • The customer is always right!
    • Privacy policy and data protection
    • Protecting your brand: Domain names and trademarks in general
    • The copyright ‘catch’
    • Chat online [Bulletin Board/Service Provider Liability]
11. Data Privacy and Indian Law

12. A fundamental human right: the right of the individual to be let alone
    • Information Privacy (data protection) - personal data
    • Bodily privacy - invasive procedures - search, drug testing; genetic testing; etc.
    • Communications Privacy - mail, telephone, e-mail etc.
    • Territorial privacy - domestic privacy; CCTV; ID checks etc.
    “Public” aspects - surveillance, police powers and national security
    “Private” aspects - commercial use of data

13. Overview - major International and US regulations (from HUMAN RIGHTS to BUSINESS ISSUES)
    1948  UN Universal Declaration of Human Rights
    1970  US Fair Credit Reporting Act
    1974  US Privacy Act
    1976  International Covenant on Civil and Political Rights
    1980  OECD Guidelines on Protection of Privacy
    1980  US Privacy Protection Act
    1995  European Commission Directive on Data Protection
    1994  US Communications Assistance to Law Enforcement Act
    1996  US Health Insurance Portability and Accountability Act
    1998  US Children's Online Privacy Protection Act
    1998  European Member States implement Directive
    1999  US Financial Services Modernization Act

14. There is no general privacy or data protection law in India:
    • Constitution Article 21 - Right to life and liberty, interpreted by the Supreme Court as including the “right to be let alone”
    • International Covenant on Civil and Political Rights 1966, Article 17: No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
    • Law of privacy (Tort Law) – Action for unlawful invasion of privacy

15. Information Technology Act 2000
    • Section 43 (a) - Penalty for unauthorised access to a computer system
    • Section 43 (b) - Penalty for unauthorised downloading or copying of data without permission
    • Section 72 - Offence of accessing any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, disclosing such information to another person

16. • Public Financial Institutions Act of 1993 codifies confidentiality of bank transactions
    • ISPs prohibited from violating privacy rights of subscribers by virtue of the licence to operate granted by the Department of Telecommunications
    • A general data protection law in India? The National Task Force on IT and Software Development (1998) submitted an “IT Action Plan” calling for a “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data”, but no Act has been introduced to date
17. Data Protection Worldwide

18. [World map slide listing every country; the United States is annotated “safe harbor”]

19. Data protection legislation by country (country – act – date in force):
    Norway – Personal D Reg Act – in force 14 April 2000
    Finland – Personal DP Act – in force 1 June 1999
    Sweden – Personal Data Act – in force 24 October 1998
    Denmark – Act on Processing of PD – in force 1 July 2000
    Belgium – Data Protection Act – in force 1 Sep 2001
    Ireland – (not listed)
    Germany – Data Protection Act – in force 23 May 2001
    United Kingdom – Data Protection Act – in force 1 March 2000
    Austria – Data Protection Act – in force 1 January 2000
    Luxembourg – (not listed)
    Canada – PIP&ED Act – commenced 1 Jan 2001
    Mexico – eCommerce Act – in force 7 June 2000
    Italy – Data Protection Act – in force 8 May 1997
    Netherlands – Law on Protection of PD – in force 1 Sep 2001
    United States (includes) – CPP Act 1984; VPP Act 1988; COPP Act 1998; HIPA Act – in force 14 April 2001; GLB Act – in force 1 July 2001
    Hong Kong – Personal Data (Privacy) – in force 20 Dec 1996
    Australia – Privacy Act – in force 21 Dec 2001
    Spain – Data Protection Act – in force 13 January 2000
    France – (not listed) – in force 21 April 2000
    Taiwan – Computer Processed DP Protection – in force 11 August 1995
    New Zealand – Privacy Act – in force 1 July 1993
    Portugal – Personal DP Act – in force 27 October 1998
    Greece – Processing of PD – in force 10 April 1997
    Switzerland – ‘General’ Act – under consideration
    South Korea – Data Protection Act – in force 1 June 1999; eCommerce Act – in force January 1999
    Eastern Europe – Estonia (96), Poland (98), Slovak (98), Slovenia (99), Hungary (99), Czech (00), Latvia (00), Lithuania (00)
20. Data Protection in Europe

21. • Directive 95/46/EC of the European Commission
    • Now implemented in almost all Member States
      e.g. UK: previously - UK Data Protection Act 1984; now - UK Data Protection Act 1998 (in force March 2000) (“DPA”)

22. 1. Personal data must be processed fairly and lawfully.
    2. Personal data must be collected and used only for notified purposes.
    3. Personal data must be adequate, relevant and not excessive.
    4. Personal data must be accurate and, where necessary, kept up-to-date.
    5. Personal data must only be retained for as long as is necessary to carry out the purposes for which it is collected.
    6. Personal data must be processed in accordance with the rights of data subjects as set out under the 1998 Act.

23. 7. Appropriate technical and organisational measures must be in place to protect against unauthorised access, amendment or loss of personal data. There must be a contractual obligation, in writing, upon any data processor to comply with the relevant legislation and to ensure that such measures have been put in place.
    8. Personal information must not be transferred out of the European Economic Area (“EEA”) unless the receiving country ensures “an adequate level of protection” for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.

24. The Eighth Principle
    Personal information must not be transferred out of the European Economic Area (“EEA”) unless the receiving country ensures “an adequate level of protection” for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.

25. Notwithstanding lack of country adequacy status, a Data Controller can nevertheless conclude there is adequate protection in respect of a particular transfer if there is sufficient protection for individual data subjects, having regard to:
    - nature of data being transferred;
    - purposes for processing;
    - security measures in place;
    - individual rights to redress if things go wrong.
    Note - all of these could be covered in a Seventh-Principle type contract.
26. Data Protection in the USA

27. United States (Federal)
    Fair Credit Reporting Act                                1970
    Privacy Act                                              1974
    Family Educational Rights and Privacy Act                1974
    Cable TV Privacy Act                                     1974
    Right to Financial Privacy Act                           1978
    Privacy Protection Act                                   1980
    Cable Communications Policy Act                          1984
    Electronic Communications Privacy Act                    1986
    Video Privacy Protection Act                             1988
    Employee Polygraph Protection Act                        1988
    Telephone Consumer Protection Act                        1991
    Driver’s Privacy Protection Act                          1994
    Communications Assistance to Law Enforcement Act         1994
    Health Insurance Portability and Accountability Act      1996
    Children's Online Privacy Protection Act                 1998
    Deceptive Mail Prevention and Enforcement Act            1999
    Financial Services Modernization Act                     1999
    Safe Harbor - In effect 2001
    • Self certified compliance with ‘adequate’ principles
    • Regulatory enforcement of trade practices legislation
    ‘General’ Act - Under consideration?

28. • However, only 356 companies in the whole of the United States have current Safe Harbor registrations
    • This raises questions as to the credibility of the safe harbor regime
    • Safe Harbor also only addresses transfers of data from abroad, and does not offer comprehensive protection for US citizens

29. Antiterrorism Acts:
    • USA <the Patriot Act> - 26 October 2001
    • Canada - 16 October 2001
    • India <Prevention of Terrorism Act>
    • easier to use electronic surveillance
    • continue and clarify the mandate of law enforcement to collect foreign communications
    • requires individuals who have information related to terrorist groups to appear before a judge to provide that information
    • extending DNA data bank to include terrorist crimes
    Issues:
    • enhanced investigative powers
    • will governments enforce privacy laws?
    • US, Canada, UK, EU, Australia
    Thoughts:
    • data protection enforcement is generally complaint based
    • public continually stress privacy concerns
    • good privacy is good business
    • erosion of privacy is a win for terrorism
30. The Best Solution?

31. • Comprehensive Laws governing collection, use and dissemination of personal data
    • Sectoral laws - piecemeal rules for particular industries, types of information or technologies - piecemeal protection
    • Self-regulation - e.g. Safe Harbor - mostly disappointing to date
    • Technological solutions - physical and logical security, encryption, etc. - must be combined with legislative protections

32. • To remedy past injustices (e.g. C. Europe, S. America, S. Africa)
    • To create confidence and promote e-commerce, m-commerce, ITES and bioinformatics sectors
    • To remove barriers to data transfers from Europe, by ensuring India is granted “adequate” status
    • To ensure enforceability, through a central oversight agency
    • Because the effectiveness of self-regulation is limited
    • Because State governments are already recognising the need and considering their own data protection legislation

33. Technology, Media and Communications