In a digitised world, data security has started becoming the most relevant topic affecting our day-to-day lives. This will become more pertinent in the years to come. While India has started its process of coming out with laws to protect the personal data of its citizens, the government’s controversial ‘snooping order’ at the fag end of 2018 stirred up a hornet’s nest. Governments around the world are still not clear about where to draw the line between privacy and monitoring.
The Union ministry of home affairs wants to enable 10 agencies to intercept, monitor and decrypt any information generated from any computer. "In exercise of the powers conferred by sub-section (1) of section 69 of the Information Technology Act, 2000 (21 of 2000) read with rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, the Competent Authority hereby authorises the following Security and Intelligence Agencies for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the said Act," the recent order by the ministry said.
These agencies are Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Cabinet Secretariat (R&AW), Directorate of Signal Intelligence (for service areas of Jammu and Kashmir, North-East and Assam only) and Commissioner of Police, Delhi.
Intelligence Bureau officials maintain that the government will not intercept information on computers en masse, but will keep a check on terror activities through the internet. A separate authorisation by the Home Secretary will be needed in each case. Those in favour of the new order argue that there were provisions for agencies to tap phones of suspicious people under the Telegraph Act. But similar provisions are not there under the IT Act. Hence the order corrects this anomaly.
The order also binds service providers or any person in charge of the computer resource to extend all facilities and technical assistance to the agencies, failure of which will invite penal action against the provider.
There is a huge uproar against the “snooping order” as it goes against data privacy and efforts to secure data from cyber breaches. The Supreme Court too has taken cognizance of the issue and is examining various aspects of the order.
Two different voices have emerged in this context: one considering the privacy of an individual’s data as sacrosanct and the other being concerned about law enforcement in times of data proliferation.
“It is a continuous debate as to how much privacy one should have and how much monitoring is justified. While government should not be interested in knowing what I am doing on a day-to-day basis, it is also true that all cyber attacks ultimately affect the end user. It is a two-sided coin. Yes, privacy is of utmost importance but national security and financial security too are important,” said Pradipto Chakrabarty, regional director, CompTIA India.
Farrhad Acidwalla, founder of Cybernetiv Digital, Forward Thinking Cyber Security and Research, said privacy across the globe has been under stress due to the nature of the internet and its usage in frauds and attacks against states and enterprises.
“Governments need to set policies that protect citizens as well as their fundamental right to privacy. While the government of India may have the competency and legislation on its side to snoop on citizens, privacy is sustained by those who value it. The prime matter of concern is the Supreme Court upholding the right to privacy - many privacy advocates maintain that the recent empowerment of the named agencies seems too far-flung and requires judicial oversight to safeguard the privacy of citizens,” said Acidwalla.
Divakar Chittora, CEO and founder of Intellipaat, however, said it is important for the government to have information to ensure security of the country. “Such information can save a lot of time of the security agencies and help them provide a robust security,” he said.
Governments across the globe are worried about encrypted data. “In the past few years, the adoption of technology and encrypted application across the globe has been very rapid. This has posed a challenge to law enforcement agencies. Many countries are looking at ways to have a lawful interception. But we will have to wait to see what could be the effect of this,” said Sean Duca, Vice President and Chief Security Officer, Asia Pacific at Palo Alto Networks.
Data is a double-edged sword and all depends upon who uses it. “It is all about who gets the data and how he uses it. Individuals can be targeted once important data about them is breached. Political parties, organisations expressing displeasure against the ruling government and companies too face the threat of data being used to settle scores by the government. In my opinion, if at all government has to intercept data, an independent body constituted by the parliament should be authorized to give sanction in each case and not Home ministry which is part of the government,” said Chittora.
While the ‘snooping order’ is creating a stir on one side, the country is also in the process of having a Personal Data Protection law which sees privacy as a fundamental right of the citizen. The proposed bill drafted by the Justice Srikrishna Committee makes the consent of the individual the most important part of data sharing. Personal data should be processed only for the purposes for which it was intended. The bill also proposes penal measures for failing to meet the norms. A company may end up paying up to Rs. 15 crore or four per cent of its global turnover as penalty.
The draft is being given shape along the lines of the General Data Protection Regulation (GDPR) enacted by the European Union last year. The GDPR too intends to regulate the way companies protect citizens' personal data. It has already set a benchmark for other countries in data privacy protection. The regulation will be applicable to all companies, including Indian entities, operating in the region. The regulation insists on getting the consent of subjects for data processing, anonymizing collected data to protect privacy, providing data breach notifications, safely handling the transfer of data across borders and appointing a data protection officer to oversee GDPR compliance. Once European subsidiaries of Indian companies start complying with the GDPR, it will be easy for them to adhere to the Personal Data Protection law in India.
2018: looking back at data and security
In 2018, we saw several breaches rocking the cyber space, the biggest being those involving Facebook and Google, which affected the privacy of millions globally. India too did not remain unaffected as the reported Aadhaar data breach created a hue and cry.
In September last year, an attack on Facebook’s computer network exposed the personal information of nearly 50 million users. The breach was the largest in the company’s 14-year history. The attackers used a feature in Facebook’s code to gain access to user accounts and potentially take control of them. In 2017 too, Facebook had become part of a scandal when Cambridge Analytica, a British analytics firm, came out with revelations about gaining access to the private information of millions of users and using it to influence election outcomes.
Google shut down Google+ after data of around five lakh users was breached. A bug had allowed third-party software developers to access data from Google accounts, including information marked as private on Google+ profiles, which included email addresses, age, gender, occupation and location.
Facebook, Twitter and Google were asked to testify before the US Congress on their use of data. Singapore also summoned Facebook and later it decided to come out with a law banning fake news.
Back home, UIDAI’s database was compromised by a software patch that disabled critical security features of the software used to enrol new Aadhaar users. The software patch, which can change or update a computer programme, was available for a mere Rs. 2,500 and it allowed unauthorised persons, based anywhere in the world, to generate Aadhaar numbers. The patch allowed users to bypass critical security features such as biometric authentication of enrolment operators to generate unauthorised Aadhaar numbers. It also disabled the enrolment software's GPS security feature, which is used to identify the location of the enrolment centre.
Data to grab greater attention in 2019:
In the Indian context, data would be all the more important in 2019. In the election year, securing data and analyzing it will be a major strategy for all the political parties. The US and the UK saw data breaches happening around election time and such a situation cannot be ruled out in case of the largest democracy.
A recent report on the use of data in elections in India showed the rising trend of using data-driven techniques and how they are eclipsing the traditional methods of electioneering. In India, the 2014 election was one of the first to use data, technology, and digital platforms in a massive manner. It played a central role in the way the campaigns were designed, targeted, implemented and communicated. Over the years, data and technology have played a key role in strategically navigating the complexities of demographics, religion, politics and caste in India, the report said.
Further, using data for spreading fake news too will gain currency during election times. However, increased adoption of artificial intelligence and machine learning will come to help. “Use of AI and machine learning will help detect fake news better. However, there is also a threat of hackers using AI and machine learning,” said Chittora.
Avast, a global player in digital security products, foresees the emergence of a class of attacks known as ‘DeepAttacks’, which use AI-generated content to evade AI security controls. In 2018, the team observed many examples where researchers used adversarial AI algorithms to fool humans. “Examples include the fake Obama video created by Buzzfeed where President Obama is seen delivering fake sentences, in a convincing fashion. We have also seen examples of adversarial AI deliberately confounding the smartest object detection algorithms. In 2019, we expect to see DeepAttacks deployed more commonly in an attempt to evade both human detection and smart defences,” predicts Avast.
“Applications of AI and Machine Learning in the field of cybersecurity are endless and they will enhance the functionality of current generation tools used by both the attackers and cybersecurity organisations alike. The year 2019 will witness a rise in Artificial Intelligence-based exploitation techniques; attackers want to make their attacks difficult to detect and prevent. On the other side, cybersecurity organisations will realise this threat and will take defensive measures capable of detecting and preventing such threats,” said Lohitya Pushkar, cyber security analyst and researcher.
However, Chakrabarty begs to differ. “It is far-fetched to think that AI and ML will help fraudsters. In my opinion, these technologies will make systems more resilient. As in blockchain, human intervention will be limited and in a more automated environment, detection of anomalies will be more efficient,” he said.
Cloud shrouds safety:
Most organizations are storing their data, even critical data, on the cloud. In the era of apps, the cloud has become even more important. According to Duca, cloud computing helps simplify a few areas of security, but it also presents newfound challenges.
“Implementing a cloud computing strategy often means that mission-critical data and systems will sit with third parties. These assets will need to be securely stored and transmitted and only accessible to authorised personnel. The security of the cloud is not the sole responsibility of the cloud service provider; but is shared with enterprises that also take care of security of data, applications, operating systems, network configurations and more. This intertwined ecosystem has made security a much more complex undertaking,” he said.
According to Chittora, companies in countries with under-developed security systems are at a higher risk of attacks on cloud data.
Businesses will implement multi-factor authentication:
Instead of simple passwords, businesses are likely to use multi-factor authentication and biometrics to secure data in 2019.
“Businesses will need to assess their internal flow of information and implement more comprehensive checks and approval processes, especially with regard to the movement of resources. As we have seen, passwords remain amongst the weakest links in computer security – easy to steal, difficult to secure and offering little proof of a user’s identity. In response to this, 2019 will see measures such as two-factor or multi-factor authentication and biometrics become increasingly commonplace,” said Duca.
Businesses, especially smaller and medium-sized ones with weaker security systems, are falling prey to cyber criminals. As per reports, more than $12 billion was stolen from such businesses globally in the past five years through fraudulent emails. However, the attackers are now using diverse and more sophisticated ways. Mimicking corporate websites is one such method commonly used by fraudsters.
Fake apps have become a threat for both individuals and companies. Fake apps had affected FMCG company Patanjali’s sales last year. According to Avast, fake apps are the zombies in mobile security, becoming so ubiquitous that new ones pop up to take the place of the ones already flagged for removal. They will continue to persist as a trend in 2019, exacerbated by fake versions of popular app brands doing the rounds on the Google Play Store.
Supply chain links become more vulnerable:
In an interconnected world, businesses are linked to suppliers and outsourced services from around the globe. While these links have led to increased efficiencies, they are also a boon to opportunistic attackers preying on weaknesses in existing security.
Pinpointing and avoiding cybersecurity risks will soon be nearly impossible as the global supply chain becomes increasingly complex. Organisations will not just have to be cognizant of which suppliers, vendors or third-party service providers they are connected with; they should also know what systems and services those vendors are using.
“As multiple unsecured devices connect to corporate networks, the internet of things, or IoT, can quickly become an ‘internet of cyberthreats’. Sensitive information has to be kept separate and secure, away from external devices and systems used by third party service providers,” said Duca. In 2019, companies will not limit their security checks to their own systems, but will start taking care of the entire network.
Avast research also has shown that security is often an afterthought in the manufacturing of IoT devices. While the big-name smart devices often do come with embedded security options, some producers skimp on security either to keep costs low for consumers or because they are not experts in security. So one can expect to see IoT malware evolve and become more sophisticated and dangerous, similar to how PC and mobile malware developed.
Data Protection Legislation to get enacted in many countries:
The European Union’s General Data Protection Regulation has served as a clarion call for organisations in the APAC region to pay attention to the data they collect and store. Businesses in this region can use the GDPR as a baseline to assess current gaps in compliance and help determine their overall prevention posture.
Asia-Pacific countries are also pledging greater cooperation with cybersecurity initiatives. Countries like Australia and Singapore have taken the first plunge, and others in the region will soon follow as they wake up to the urgency of national security and data protection for their citizens. As digital maturity varies across the region, the framework for these countries to roll out their own version of GDPR could take some time to develop. However, 2019 could be the year many countries take the first steps towards protecting their citizens’ data. India expects to have its Personal Data Protection Act in 2019.
Increased spend and awareness on cyber security
Most of the companies in India are confident that they are better prepared for cyber security threats than their competitors. But a survey by FICO found that almost one in three organizations have limited tools that can just provide a point-in-time assessment of their cyber security risk. They do not currently have a robust assessment programme.
However, 62 per cent of Indian firms say cyber security investment will increase in 2019. This is higher at 67 per cent amongst Indian financial services firms and 80 per cent for utilities.
“IT leaders have greater funding than ever to protect organizations from the continuously evolving threat landscape and meet complex compliance demands,” said Maxine Holt, research director at Ovum. “These same IT leaders are undoubtedly keen to believe that the money being spent provides their organization with a better security posture than any other – but the rapid pace of investment, often in point solutions, rarely takes an organization-wide view of security,” she added.