“Nine judges of this Court assembled to determine whether privacy is a constitutionally protected value. The issue reaches out to the foundation of a constitutional culture based on the protection of human rights and enables this Court to revisit the basic principles on which our Constitution has been founded and their consequences for a way of life it seeks to protect. This case presents challenges for constitutional interpretation. If privacy is to be construed as a protected constitutional value, it would redefine in significant ways our concepts of liberty and the entitlements that flow out of its protection.”
The Centre for Communication Governance at the National Law University Delhi (CCG) invites applications for various research positions across its teams on a full time basis.
About the Centre
The Centre for Communication Governance is the only academic research centre dedicated to working on information law and policy in India and in a short span of five years has become a leading centre on information policy in Asia. It seeks to embed human rights and good governance within communication policy and protect digital rights in India through rigorous academic research and capacity building.
The Centre routinely works with a range of international academic institutions and policy organizations. These include the Berkman Klein Center at Harvard University, the Programme in Comparative Media Law and Policy at the University of Oxford, the Center for Internet and Society at Stanford Law School, Hans Bredow Institute at the University of Hamburg and the Global Network of Interdisciplinary Internet & Society Research Centers. We engage regularly with government institutions and ministries such as the Law Commission of India, Ministry of Electronics & IT, Ministry of External Affairs, the Ministry of Law & Justice and the International Telecommunications Union. We work actively to provide the executive and judiciary with useful research in the course of their decision making on issues relating to civil liberties and technology.
CCG has also constituted two advisory boards, a faculty board within the University and one consisting of academic members of our international networks. These boards will oversee the functioning of the Centre and provide high level inputs on the work undertaken by CCG from time to time.
About Our Work
The work at CCG is designed to build competence and raise the quality of discourse in research and policy around issues concerning civil liberties and the Internet, cybersecurity and global Internet governance. The research and policy output is intended to catalyze effective, research-led policy making and informed public debate around issues in technology and Internet governance.
More details about the different teams at CCG can be found here.
CCG is a young and continuously evolving organization and the members of the centre are expected to be active participants in building a collaborative, merit led institution and a lasting community of highly motivated young researchers.
Selected applicants will ordinarily be expected to design and produce units of publishable research with Director(s)/ Senior Staff members. They will also be recommending and assisting with designing and executing policy positions and external actions on a broad range of information policy issues.
Equally, they will also be expected to participate in other work, including writing opinion pieces, blog posts, press releases, memoranda, and help with outreach. The selected applicants will also represent CCG in the media and at other events, roundtables, and conferences and before relevant governmental, and other bodies. In addition, they will have organizational responsibilities such as providing inputs for grant applications, networking and designing and executing Centre events.
- The Centre welcomes applications from candidates with advanced degrees in law, public policy and international relations.
- All candidates must preferably be able to provide evidence of an interest in human rights / technology law and / or policy / Internet governance/ national security law as well. In addition, they must have a demonstrable capacity for high-quality, independent work.
- From programme officer upwards, a Master’s degree from a highly regarded programme may count towards work experience.
- In addition to written work, a project/ programme manager within CCG will be expected to play a significant leadership role. This ranges from proactive agenda-setting to administrative and team-building responsibilities.
- Successful candidates for the Project / Programme Manager position should show great initiative in managing both their own and their team’s workloads. They will also be expected to lead and motivate their team through high stress periods and in responding to pressing policy questions.
However, the length of your resume is less important than the other qualities we are looking for. As a young, rapidly-expanding organization, CCG anticipates that all members of the Centre will have to manage large burdens of substantive as well as administrative work in addition to research. We are looking for highly motivated candidates with a deep commitment to building information policy that supports and enables human rights and democracy.
At CCG, we aim very high and we demand a lot of each other in the workplace. We take great pride in high-quality outputs and value individuality and perfectionism. We like to maintain the highest ethical standards in our work and workplace, and love people who manage all of this while being as kind and generous as possible to colleagues, collaborators and everyone else within our networks. A sense of humour will be most welcome. Even if you do not necessarily fit requirements mentioned in the two bulleted points but bring to us the other qualities we look for, we will love to hear from you.
[The Centre reserves the right to not fill the position(s) if it does not find suitable candidates among the applicants.]
Based on experience and qualifications, successful applicants will be placed in the following positions. Please note that our interview panel has the discretion to determine which profile would be most suitable for each applicant.
- Programme Officer (2-4 years’ work experience)
- Project Manager (4-6 years’ work experience)
- Programme Manager (6-8 years’ work experience)
- Associate Director (8+ years’ work experience)
A Master’s degree from a highly regarded programme might count towards work experience.
CCG staff work at the Centre’s offices at National Law University Delhi’s campus. The positions on offer are for duration of one year and we expect a commitment for two years.
The salaries will be competitive, and will usually range from ₹50,000 to ₹1,20,000 per month, depending on multiple factors including relevant experience, the position and the larger research project under which the candidate can be accommodated.
Where candidates demonstrate exceptional competence in the opinion of the interview panel, there is a possibility for greater remuneration.
Procedure for Application
Interested applicants are required to send the following information and materials by July 30, 2017 to firstname.lastname@example.org.
- Curriculum Vitae (maximum 2 double spaced pages)
- Expression of Interest in joining CCG (maximum 500 words).
- Contact details for two referees (at least one academic). Referees must be informed that they might be contacted for an oral reference or a brief written reference.
- One academic writing sample of between 1000 and 1200 words (essay or extract, published or unpublished).
Shortlisted applicants may be called for an interview.
Cyber crime has been rising across India. This post reviews advancements in policing technologically advanced crimes and considers potential next steps.
With rising instances of cybercrime being noted across the country, the need for vigilance in the cyber sphere has been highlighted by a number of commentators. These crimes have gained attention subsequent to the notification of demonetization, with rising online banking transactions and a governmental push towards a digital economy.
Several new issues stemming from the distrust in digital payment systems have been reported. For example, the cybercrime cell of the Mumbai Police has received several reports of a scam characterized by persons receiving fraudulent calls allegedly from banks, discussing a new RBI policy. These calls informed consumers that credit and debit cards were soon to be deactivated, but if they released their card details, they would be permitted to continue usage. Once released, these details were misused. While issues such as these do not require extensive cyber expertise to resolve, their incidence is on the rise. Countering them requires banks as well as law enforcement agencies to increase their efforts towards educating new adopters.
More concern may be caused by technology-intensive hacking attacks, both from within the country and outside. Recent instances include the hostilities faced by several Telangana-area software companies by alleged Pakistani attackers, as well as attacks by the group known as Legion. Their actions allegedly include the hacking of the twitter and email accounts of Rahul Gandhi, Vijay Mallya and Barkha Dutt, among others. There has also been an upswing in ransomware attacks recently, with over 11,000 attacks being reported in just three months. Reports of India’s first online Ponzi scheme are also now coming to light. This is despite the fact that that 80% of cybercrimes remain unreported according to recent news reports. This post will review some initiatives taken towards the more efficient investigation of cybercrime by law enforcement across the country.
Cyber Policing in India
Crime and Criminal Tracking Network and Systems (CCTNS)
Approved by the Cabinet Committee on Economic Affairs in 2009, with an allocation of INR 2 billion, the CCTNS is a project under the National e-Governance Plan. It aims at creating a nationwide networking infrastructure for an IT-enabled criminal tracking and crime detection system. The integration of about 15,000 police stations, district and state police headquarters and automated services was originally scheduled to be completed by 2012. However, this still remains incomplete.
Apart from the slow pace of implementation and budgetary problems, on-the-ground hurdles to fully operationalizing CCTNS include unreliable Internet connectivity and under-trained personnel at police stations. Other issues include unavailability of facilities for cyber forensic analysis in most locations, and lack of awareness regarding online citizens’ services such as verification of tenants and employees and clearance for processions and events.
The Central Government, in response to queries by the Supreme Court regarding measures taken to tackle cybercrime, recently announced that they would be setting up a ‘Centre Citizen Portal’. This portal will allow citizens to file complaints online with respect to cybercrimes, including cyber stalking, online financial fraud and others, suffered or observed by them.
The governmental response also details the proposed process, stating that any such complaint on the portal will trigger an alert at the relevant police station and allow the police department to track and update its status, while the complainant too would be able to view updates and escalate the complaint to higher officials.
Cyber Police Stations
Cyber police stations generally include trained personnel as well as the appropriate equipment to analyse and track digital crimes. Maharashtra, where cybercrime has risen over 140% in recent times, and which had the dismal distinction of only recording a single conviction related to cybercrime last year, is converting its existing cybercrime labs into cyber police stations. This will mean there is a cyber police station in each district of the state. The initiative in Maharashtra is useful especially because of the rise in online transactions in Tier II and Tier III cities and the rising cybercrime related thereto. However, despite the rise in cybercrime, complaints remain of low reportage and low success rates in solving crime. Police officers point to problems processing evidence, with complex procedures being required to retrieve data on servers stored abroad.
Further, there have been complaints in Bengaluru of the limited jurisdiction of cyber police stations. Pursuant to a standing order of the DG & IGP of Bengaluru City Police issued in June 2016, only cases with damages of over INR 5 lakh can be registered at cyber police stations in case of bank card fraud. In cases of online cheating, only those instances where damages exceed INR 50 lakh are amenable to the jurisdiction of cyber police stations. All other cases are to be registered with the local police station which, unlike cyber police stations, do not generally include trained personnel or the appropriate equipment to analyse and track digital crimes.
While the order is undoubtedly creating problems for cybercrime victims, it was made taking into account the woefully under-resourced cybercrime police station in Bengaluru which, at the time, consisted of a 15-member staff with two vehicles at its disposal.
Predictive policing involves the usage of data mining, statistical modeling and machine learning on datasets relating to crimes to make predictions about likely locations for police intervention. Examples of predictive policing include hot-spot mapping to identify temporal and spatial hotspots of criminal activity and regression models based on correlations between earlier, relatively minor, crimes and later, violent offences.
In 2013, the Jharkhand Police, in collaboration with the National Informatics Centre, began developing a data mining software for scanning online records to study crime trends. The Jharkhand Police has also been exploring business analytics skills and resources at IIM-Ranchi, in order to tackle crime in Jharkhand.
The Delhi Police has tapped into the expertise at the Indian Space Research Organisation in order to develop a predictive policing tool called CMAPS – Crime Mapping, Analytics and Predictive System. The system identifies crime hotspots by combining Delhi Police’s Dial 100 helpline calls data with ISRO’s satellite imagery and visualizing it as cluster maps. Using CMAPS, Delhi Police has slashed its analysis time from the 15 days it took with its erstwhile mechanical crime mapping to the three minutes it takes for the system to refresh its database.
The Hyderabad City Police is in the process of building a database, called the ‘Integrated People Information Hub’ which, according to the City Police Commissioner, would offer the police a “360-degree view” of citizens, including names, aliases, family details, addresses and information on various documents including passports, Aadhaar cards and driving licenses.
The data is combed from a wide-ranging variety of sources, including information on arrested persons, offenders’ list, FIRs, phone and electricity connections, tax returns, RTA registrations and e-challans. It is further indexed with unique identifiers, and is used to establish the true identity of a person, and present results to relevant authorities within minutes. While the system is aimed at curbing criminal activity and detecting fraud, a lack of clearly identified cyber security and privacy protocols is a worrying sign.
We recently reviewed the National Crime Records Bureau’s statistics relating to cybercrime, as set out in their Crime in India Report 2015. Some concerns that stemmed from the figures set out in the report were the low conviction rates and high pendency of cases. Experts have linked these issues, amongst other things, with the limited mechanisms available for cyber policing and the effectively-defunct status of the cyber tribunals. A recent report by the Bureau for Police Research and Development also highlighted resource constraints affecting police stations, with several stations lacking basic necessities such as a vehicle or a phone connection. Over five lakh posts sanctioned posts also remain vacant.
Given resource limitations, both in fiscal terms and relating to trained personnel, it is heartening to see the steps that have been taken towards efficient cyber-policing. While this post highlights some steps that have been taken in major jurisdictions, there are several initiatives even in non-metro cities towards tackling cybercrime. A National Cybersecurity Co-ordination Centre is also due to be launched around June this year. In a recent response to the Supreme Court, additional solicitor general Maninder Singh also informed the Court of substantial investments being made by the Central Government towards police and judicial training and towards the creation of cybercrime prevention cells. It is hoped that these measures will help to stem the growing tide of cybercrime in India.
In the Union Budget for 2017-18, Finance Minister Mr. Arun Jaitley announced the setting up of a dedicated Computer Emergency Response Team for the Financial Sector (Cert-Fin). The proposed emergency response team is slated to work in co-ordination with financial sector regulators and other stakeholders.
This announcement comes on the heels of the Government’s demonetisation initiative. Demonetisation led to a substantial rise in the volume of digital payments and the use of instruments such as mobile wallets. The cumulative growth of electronic transactions has been reported to range between 95 per cent and 4,025 per cent from November 8 till December 27, 2016. This transition towards digital payments in the financial sector is slated to continue, with one report predicting that by 2020, the digital payments industry will grow to over $500 billion and contribute 15% to the national GDP.
In a previous post, we had examined the legal and policy regime relating to digital payments in the country. In this post, we examine technological vulnerabilities in the financial sector, as well as measures taken towards strengthening cybersecurity.
Cyber Security Vulnerabilities in the Financial Sector
The exponential growth in digital payments in India and the push towards a cashless economy has renewed focus on the need to strengthen financial cybersecurity. Banks and financial institutions are extremely vulnerable to various forms of cyberattacks and online frauds. India has steadily moved up the ranking for countries with the highest number of financial Trojan infections over the past three years. At least forty percent of Banking, Financial Services and Insurance (‘BSFI’) businesses have been attacked at least once. A six-fold increase in credit and debit card fraud cases has been reported over the past three years. In addition to core banking, additional services like e-banking, ATM and retail banking are also increasingly vulnerable to cybercrime. Mobile frauds are also expected to grow to 60-65% in 2017, which is especially alarming because 40-45 % of financial transactions are being conducted on mobile devices today.
The Indian banking landscape has seen several large-scale cyberattacks over the past year. Since June 2016, the SWIFT systems of four Indian banks have been targeted. In October 2016, in what was the largest data breach in the country ever, 32 lakh debit cards of various banks were subject to a cyber malware attack. Earlier this year, it was reported that hackers had infiltrated the systems of three government-owned banks to generate false trade documents. The increased focus on cybersecurity in banks follows not only domestic incidents but global developments as well. In its bulletin on security measures, for instance, the Reserve Bank of India makes reference to the Carbanak Gang which targeted bank’s internal systems across Russia and Ukraine to conduct a robbery of around $ 1 billion. Closer home, in February 2016, there was an attempted heist of around $951 million from the Bangladesh Bank.
Cyber Security Framework for Banks
In October 2016, the Reserve Bank of India directed banks to implement a security policy containing detailing their strategy to for dealing with cyber threats and including tangible “cyber-hygiene” measures. This was following a renewed emphasis on the early implementation of the RBI’s Cyber Security Framework in banks. The RBI had first notified the Cyber Security Framework (‘Framework’) in Banks in June 2016. The Framework was a successor to broad guidelines on information security and cyber frauds which had been issued in line with the recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds in 2011.
The Framework is geared towards minimising data breaches and implementing immediate containment measures in the event of such breaches. It emphasises the urgent need to put in place a robust cyber security and resilience framework and to ensure continuous cybersecurity preparedness among banks. The Framework also mandates the adoption by banks of a distinct cybersecurity policy to combat threats in accordance with “complexity of business and acceptable levels of risk” within a set deadline. Further, the Framework requires the earliest setting up of Security Operations Centres within banks for continuous surveillance; disallowing unauthorised access to networks and databases; protection of customer information; and the evolution of a cyber crisis management plan.
Other Measures by the RBI and the Government
The RBI has also identified the need to evolve a framework for co-ordination and information sharing between financial institutions and public authorities in the event of cyber attacks. To this end, the RBI recently appointed its first information security officer and has formalised a sectoral sharing interface called the Indian Banks- Centre for Analysis of Risks and Threats (IB-CART). Further, the RBI also issued an ultimatum to banks, requiring them to report any breach of security immediately. Banks have been given until March 31, 2017 to put in place appropriate mechanisms.
Previously, there was limited reporting by banks as they were reluctant to report cyberattacks fearing devaluation of brand equity. Even in the event of large-scale cyberattacks, such as the above-mentioned malware infection which affected 32 lakh cards, it took six weeks to detect the fraudulent transactions. To counter this, and to enhance cyber resilience, the Institute for Development and Research in Banking Technology (‘IDBRT’) has been attacking vulnerabilities in banks’ security networks. This will enable them to share feedback with banks to improve their resilience. Further, the Chief Information Security Officers of banks have also set up a forum to discuss cyberattacks and to share information, manage and plan for issues related to information security. The Ministry for Electronics and Information Technology has also formally urged banks to co-operate with the CERT-In for carrying out audits and other measures to strengthen their cybersecurity systems.
While these proactive steps being taken by the RBI and the Government are timely and much-needed, the resilience of our banking infrastructure against cyber attacks will depend on co-ordinated action from all stakeholders. The Cyber Security Framework must be strictly implemented in a timely manner, with regular audits to ensure comprehensive compliance. Cybersecurity at banks and financial institutions needs to be prioritised as part of the design architecture and must not remain restricted to reactive fire fighting during crises. Cyber security solutions must be deliberately designed to enable stemming of cyber attacks in real time. Experts also suggest that the most effective ways to move forward with digitisation in order to ensure banks remain completely secure include the embracing of crypto-currencies and blockchain technology. Further, the Information Technology Act, 2000 is also ripe for a complete overhaul to counter the increased security risks in a cashless economy. These measures, of course, must also be accompanied by attempts to ensure widespread consumer education and awareness.
In a previous post, we critically examined the legislative and institutional framework for the protection of critical information infrastructures (“CIIs”) in India. The National Critical Information Infrastructure Protection Centre (“NCIIPC”) has since revamped its website. This is a heartening move towards transparency and increased public engagement. According to “data shared by a broad range of NCIIPC constituencies”, a total of around 7.5 million incidents, threat feeds and vulnerabilities were reported from CIIs in 2016. This was reported in the first NCIIPC newsletter. The newsletter further indicated the number of incidents on a monthly basis, the most impacted cities in terms of the volume of cyber attack incidents, the major forms of attacks and the country-wise share of the origins of cyber attacks on CIIs.
Sector-specific guidelines for CII
As recommended in our post, the NCIIPC has been increasing its efforts towards the protection of sectoral critical information infrastructures. There has been particular emphasis on designing sector-specific cyber security practices. For instance, the Ministry of Power has taken steps to sensitize critical organisations in the power sector, following instructions received from the NCIIPC. This includes the auditing of underlying information infrastructures by CERT-In accredited agencies and the setting up of a dedicated computer emergency response team for the transmission sector. This is especially significant as the deployment of smart grid technologies on a large scale poses unique cybersecurity risks. Similarly, it has been reported that the NCIIPC has conducted workshops on cyber security and critical information infrastructure protection for the oil and gas industry. Further, the NCIIPC has engaged with the Chief Information Security Officers in strategic and public enterprises (which includes heavy industry and public sector units) for the identification, protection and notification of their CII.
However, the NCIIPC’s attempts to address the claim that there is “an urgent need to evolve sector specific guidelines for handling cyber crises” remain piecemeal and reactive. The transportation sector, for instance, is particularly vulnerable to cyber threats on account of growing dependencies on network based systems for navigation, tracking and positioning, amongst others. There have been reports of Pakistani hackers who have been tapping into air traffic control systems in Jammu as well as gaining access to the GPS data of police vehicles in Madhya Pradesh. These instances represent only the tip of the iceberg when it comes to the capacity of malicious actors to disrupt CIIs in the transportation sector. However, despite these incidents, there have been no reports about the development of sector specific cybersecurity guidelines for the transportation sector. The Long Range Identification and Tracking (LRIT) system under the Ministry of Shipping remains the only transportation to be declared as a “protected system” under the Information Technology Act, 2000.
Information Sharing and Analysis
While the development of sector specific guidelines for cyber-security should continue, it is also necessary to focus on mechanisms for information sharing and analysis across sectors. Information sharing about vulnerabilities, threats and attacks is essential as security solutions cannot be built without shared threat intelligence or co-ordinated responses. In recognition of this, the National Cybersecurity Policy of 2013 (“the Policy”) noted the necessity of establishing a mechanism for sharing information on cyber-security incidents (Paragraph IV(A)(7)). The creation of such a mechanism, according to the Policy, will generate the necessary understanding of existing and potential threats to enable timely information sharing (Paragraph IV(E)(1)). Prior to the policy, the creation of Information Sharing & Analysis Centres (ISACs) had also been recommended by the Joint Working Group on Engagement with Private Sector on Cyber Security (“JWG”). The JWG conceived of ISACs within various industry verticals with the private sector to co-ordinate with sectoral CERTs as well as CERT-IN.
However, currently, institutional mechanisms for streamlined and prompt sharing of information are not in place for most sectors. An ISAC has been set up at the Institute for Development and Research in Banking Technology (IDRBT), but it remains restricted to financial services. While the Central Government stated that action was initiated in 2014 for the setting up of similar ISACs in the power and petroleum sector, there is no confirmation of the same in the public domain. There is also no clarity on whether ISACs will be instituted for other sectors. There have also been no reports dealing with steps that are being taken for cross-sectoral information sharing and analysis. In a move forward, the NCIIPC has now made available forms for reporting vulnerabilities as well as cyber attacks on critical information infrastructures on its website. However, this is a poor substitute for a mandatory and systematic mechanism for collating information on threats, vulnerabilities and attacks. To this end, it is essential to urgently initiate the setting up of sectoral ISACs, under the guidance of the NCIIPC. A cross-sectoral ISAC, modelled along the along the lines of the National Council of ISACs in the US, could grow to function as an effective platform. It may also prove to be useful to pursue collaborations with existing global information sharing networks (such as the Financial Services Information Sharing and Analysis Centre (FS-ISAC). Similarly, the merging of sectoral platforms to create a collaborative intelligence sharing platform under the National Cybersecurity Co-ordination Centre is recommended.
To conclude, it is heartening to observe the progressive changes the NCIIPC has made as well as the creation of sector specific guidelines in certain sectors. However, this must progress across various critical sectors in addition to being placed within broader information sharing mechanisms. It is hoped that the NCIIPC will continue on the path of transparency and information sharing in this regard.