
Cyber Era
Securing the future
11th India Knowledge Summit 2013
14-15 October 2013
New Delhi
Message from Ministry

“…Instability in cyber space means economic instability no nation can afford, therefore it is essential not just to have a policy but to operationalise it.”

With an aim to protect information and build capabilities to prevent cyber attacks, the Government in July 2013 released the National Cyber Security Policy 2013 to safeguard both physical and business assets of the country. India has stressed upon the need for greater global cooperation and exchange of information among nations to enhance cyber security and to address issues related to the management of the Internet.

“In the ultimate analysis, we have to develop global standards because there is no way that we can have a policy within the context of India which is not connected with the rest of the world, because information knows no territorial boundaries.”

As ASSOCHAM, India’s Apex Chamber for Commerce & Industry, is organizing the 11th India Knowledge Summit 2013 with the theme “Cyber Era: Securing the Future”, I believe this Summit is very timely and will certainly help in creating more awareness on the subject amongst the stakeholders.

I convey my good wishes for the success of the 11th India Knowledge Summit 2013.

Kapil Sibal
Minister
Communications and IT & Law and Justice,
Government of India

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Message from President, ASSOCHAM

The internet has revolutionized the way people communicate and access information. The convenience and speed afforded by the Internet has closely integrated businesses and extended value chains across dispersed geographies. It has also enabled an unprecedented exchange of ideas, information and culture across the world. Its virtues notwithstanding, the rising penetration of the internet has also resulted in the propagation of risks and security threats.

Exponential growth and dependence on technology has also exposed the vulnerability of our institutions to imminent threats like cyber attacks, which can severely cripple vital systems and can bring entire Nations to a grinding halt, thereby severely compromising National Security. Institutions focused on addressing National Security, including communication networks, hospitals, energy and defense installations, are increasingly prone to such cyber threats. It is therefore critical to provide a robust security apparatus to ensure their smooth functioning. Cyber security is a serious concern and merits in-depth discussion amongst thought leaders, domain experts, Government and policy makers, and also cooperation across various agencies.

India has the world’s third largest community of internet users, with a vast majority now accessing the internet through their mobile phones. Mobile phone security, due to increased adoption, presents a different set of challenges. However, cyber regulation and supervision must accord due consideration to the “Right to individual privacy and freedom of speech” without compromising National Security. As the Knowledge Chamber of India, ASSOCHAM endeavours to mobilize industry opinion to further strengthen the legal and regulatory regime so that citizens’ rights are safeguarded along with the security of vital National systems.

The Chamber has adopted the theme of ‘Cyber Security’ for the 11th India Knowledge Summit. I am confident that the Summit will address several key issues related to Cyber Security and present key policy recommendations to the Government and other stakeholders. I compliment KPMG and ASSOCHAM for presenting a background paper on the theme.

I convey my best wishes for the success of the India Knowledge Summit and look forward to the Summit outcomes and recommendations to further strengthen our Nation’s cyber infrastructure for National Security.

Rana Kapoor
President
ASSOCHAM

Message from Chairman, ASSOCHAM

As we increasingly become a hyper-connected cyber society where massive amounts of information are moved across people, locations, time, devices and networks at super-fast speeds, the importance of information technology as one of the top drivers of global progress is becoming visible to all. From narrowband to broadband, from kilobits to gigabits, from devices like laptops, tablets and smart-phones to mobile services, our networked world is changing forever – the way we communicate, the way we socialise and the way we conduct business. Indeed, we have become increasingly dependent on the cyber world as the backbone of all our interactions, both personal and business.

This dependence comes with a double-edged sword. The very power which can help a farmer find better yields, enable banking in the rural sectors, or spread positive social messages in mere seconds, can disrupt critical communications and services, or spread mis-information and malware at the same velocity. We, as an industry and as a nation, stand to lose against these malicious forces that know no physical boundaries. Our progress in protecting our cyber space must therefore stay a step ahead of these disruptive forces. This poses a steep challenge, requiring unprecedented, collective and innovative action.

Cyber security is one domain where competitive advantage will come from collaboration. At ASSOCHAM, we recognize that this collaboration is multi-dimensional - social, academic, commercial, industrial and most of all technological. Citizens, government, military networks and industry must be equipped and educated with the incisive intelligence, tools and technologies to cope with and to counter cyber threats, so that we may continue to derive the advantage that has propelled us into the 21st century.

During this 11th India Knowledge Summit we, as a group, hope to share expertise on the critical subject of cyber security and surveillance, and establish the foundation for such future discourses. I am sure you will also find the paper prepared by ASSOCHAM and KPMG very useful.

Pratyush Kumar
Chairman
ASSOCHAM National Council on Cyber Security and Law

Message from Co-Chairman, ASSOCHAM

We are breathing in times where miles have been converted into bytes, kilobytes, megabytes and gigabytes. Our Information Communication Technology journey from hefty computers to sleek smart phones has been phenomenal. Today, getting connected to the large pool of data flowing on the world wide web is just a touch away. Consequently, the vulnerability in the cyberspace has also increased considerably; it is very easy to attack someone’s privacy and data in the virtual world.

Hence, in this 21st century, when the internet has become an integral part of our life, it is wise to access the same with due precautions and preparedness. Keeping pace with the international acceptability and the status that India has got in the IT sector globally, we need to have a consciousness about a legal framework to check the violations on the web, as well as a vision document for the implementation and updation of the same, matching the speed at which things change in the cyber world.

Evidently, the need of the hour is to create awareness in the society, which in turn will urge the development of such a framework. Simultaneously, to create a delivery mechanism we need to develop a pool of professionals and train them to meet the day to day challenges of the ever evolving cyber world and its associated threats. These activities have to go hand in hand by creating an understanding about its importance and, unlike common perception, the change has to start from every individual and every organization, be it private or Government, handling sensitive information, to make them cyber secured. By making small changes we can create a more cyber secured society.

The 11th Knowledge Summit on “Cyber Era - Securing the Future” by ASSOCHAM will set the stage for development of perspectives, designing of mechanisms and promotion of implementation actions towards a more cyber aware and secured India.

I look forward to it as the first step in taking India closer to being a cyber aware and secured nation.

S. K. Agarwal
Co-Chairman
ASSOCHAM National Council on Cyber Security and Law

Message from Secretary General, ASSOCHAM

The growing use of ICT for administration and in other spheres of our daily life cannot be ignored. Further, we also cannot ignore the need to secure the ICT infrastructure used for meeting the social functions.

In the era of E-Governance and E-Commerce, a lack of common security standards can create havoc for the global trade in goods and services.

The threat from cyber attacks and malware is not only apparent but also very worrisome. There cannot be a single solution to counter such threats. We need a techno-legal “Harmonized Law” to address these challenges. A good combination of law and technology must be established and then an effort be made to harmonize the laws of various countries, keeping in mind common security standards. In this respect ASSOCHAM lauds the efforts made by the Ministry of Communications and IT, Government of India, in recently releasing the National Cyber Security Policy 2013 to ensure a secure and resilient cyber space for citizens, businesses and the Government.

We at ASSOCHAM have been discussing and deliberating with the concerned authorities and stakeholders about the need for security compliance and a legal system for effective dealing with internal and external cyber security threats.

ASSOCHAM has been a member of the National Security Council Joint Working Group (JWG) on Public Private Partnership on Cyber Security, and we deeply appreciate the efforts made by the JWG in inviting private industries’ views and suggestions on Cyber Security related issues.

We are confident that the deliberations at the India Knowledge Summit – 2013, with the theme ‘Cyber Era, Securing the Future’, will provide more insight into emerging cyber related challenges and their appropriate solutions for further securing the cyber space.

ASSOCHAM is committed to creating more awareness about Cyber related issues, and this Background Paper jointly prepared by KPMG and ASSOCHAM is a step in that direction; we congratulate the team for their efforts.

We convey our very best for the success of the India Knowledge Summit, 2013.

D. S. Rawat
Secretary General
ASSOCHAM

Message from KPMG

We are living in a connected era where governments and organisations are making their services available online to citizens like never before. Governments have taken strides in delivering citizen services online. Organisations continue to earn revenues only out of their online presence. These have brought in efficiency and convenience in our daily lives. The entire smart phone market growth has been one of the catalysts for the dawn of the connected era. As the country’s infrastructure and the citizens keep getting online, the opportunities for cyber criminals to conduct their attacks also increase. This has tested the security measures of governments and organizations.

The mindset of a ‘compliance-based’ approach towards security needs to be unlearned to deal with the sophistication of cyber attacks. Relying on tools and scripts may not help tackle security issues unless there is some intelligence built into them. Of course, all of these steps will fail if there is not enough skilled manpower to manage cyber security. This requires an assessment of the overall maturity of the cyber security program of organizations and governments.

Many cyber attacks are part of online protests or cross-border retaliations against countries. There has to be a mechanism for real-time intelligence to handle security threats. In order to be better prepared to handle such cyber attacks, it is important to understand their modus operandi.

The laws around cyber crime in India are also being tested for their ability to deter and tackle such crimes. While the government has taken a couple of steps at the policy level in recent times, these may become dated unless they are reviewed on a regular basis. The government alone cannot tackle the issue of cyber crimes. An ecosystem for regular consultation workshops with industry and experts, and a mechanism to develop threat intelligence, needs to be developed. More than ever, industry and the government now need to come together on the issues of dealing with cyber security.

Navin Agrawal
Partner and Head
Government and Public Sector
KPMG in India

Contents

1. Cyber Security in India: Setting the context 1
2. Improving the security of nation’s Critical Infrastructure 3
   • Ten things you should know about National Cyber Security Policy 4
   • NTRO’s guidelines for protection of Critical Information Infrastructure 5
3. IT Amendment Act 2008 7
4. India’s cyber monitoring setup: Few legal aspects 9
5. Privacy and civil liberty protection 11
6. Inculcating robust cyber security practices through PPP 13
7. Cyber security practices in few other countries 15
8. Epilogue 17

1 KPMG-ASSOCHAM – Cyber Era: Securing the future

Cyber Security in India
Setting the Context

It is now widely accepted and acknowledged that cyber crime has been affecting individuals as well as organizations in the country and the world over. There have been several instances of systems getting hacked in both the public and the private sector.

India is third in the world in terms of internet users, and it is forecast that its IP traffic will grow 6-fold from 2012 to 2017, a compound annual growth rate of 44%. In July 2013, the government published its National Cyber Security Policy. This was followed by news of progress in the implementation of a framework for lawful electronic interception, referred to as the Central Monitoring System (CMS). Cyber security is already a component of the US-India Homeland Security Dialogue. It is also important to note that both India and the U.S. are leading sources of spam emails. There are several reports of a shortage of trained manpower for cyber security in India.

Source: India Has 15M Broadband Connections; 712.5M Active Mobile Connections – Medianama, Feb 2013

There has been a huge increase in online card payments, which are set to overtake physical card transactions in some years.

Source: Trend Labs 2Q 2013 Security Roundup; Govt to chart road map to safeguard India’s cyber security architecture – DNA, August 2013


At present, one in four card transactions takes place online and the number has been growing at 50 percent year on year, as against the 35 percent growth in ‘card present’ transactions [1]. Recently, SEBI has also approved an e-IPO procedure for electronic bidding in public offers.

While internet-facing transactions are growing every day, there is a dire need to secure the underlying infrastructure from cyber attacks.

Electronic Delivery of Services Bill, 2011

The Bill requires public authorities to deliver all public services electronically within a maximum period of eight years. There are two exceptions to this requirement: (a) services that cannot be delivered electronically; and (b) services that public authorities, in consultation with the Commissions, decide not to deliver electronically. The Bill establishes Central and State Electronic Service Delivery Commissions to monitor compliance of government departments and hear representations. Public authorities have to establish a mechanism to redress complaints.

The Bill requires all government departments to provide services electronically. This may involve the storage and communication of information in an electronic form. While the right to privacy is a fundamental right, India does not have a law on privacy.

In the absence of such a law, data that is stored electronically may be misused. The IT Act was enacted to facilitate e-commerce by providing legal recognition to electronic transactions. It only penalizes wrongful disclosure of information collected under that Act. It does not penalize disclosure of information collected by the government under other laws, such as under this Bill.

The Bill empowers the government to prescribe ‘e-governance standards’. However, these standards may not include safeguards for privacy. The Standing Committee that examined the Bill recommended that suitable amendments be made either to this Bill or to the IT Act to address this issue.

Cyber crime cases in the country registered under the IT Act last year

Cyber crime cases in the country registered under the IT Act last year rose by about 61 percent to 2,876, with Maharashtra recording the most number of cases. The country had witnessed 1,791 cases registered under the Information Technology (IT) Act in 2011, Minister of State for Communication and IT Shri Milind Deora said in a written reply to Rajya Sabha.

“As per the cyber crime data maintained by National Crime Records Bureau (NCRB), a total of 288, 420, 966, 1,791 and 2,876 cyber crime cases were registered under IT Act during 2008, 2009, 2010, 2011 and 2012, respectively,” he added.

Maharashtra registered a total of 471 cases in 2012 followed by Andhra Pradesh (429), Karnataka (412), Kerala (269) and Uttar Pradesh (205) under the IT Act, Deora said.

A total of 176, 276, 356, 422 and 601 cases were registered under cyber crime related sections of the Indian Penal Code (IPC) during 2008, 2009, 2010, 2011 and 2012, respectively, the Minister added.

Source: zeenews.india.com

[1] 25% credit card payments take place online – Economic Times, September 2013


Improving the Security of Nation’s Critical Information Infrastructure

The month of July 2013 saw a couple of initiatives by the Government of India towards securing the cyber space of India. The month began with the release of the National Cyber Security Policy (NCSP) of India, followed by the release of guidelines by the National Critical Information Infrastructure Protection Centre of the National Technical Research Organization (NTRO), the country’s elite technical intelligence agency.


National Cyber Security Policy of India

In July 2013, Minister of Communications and IT, Mr. Kapil Sibal, released the much-awaited National Cyber Security Policy of India 2013. In the wake of increasing attacks from state and non-state actors on public as well as private infrastructure, this policy was essential to prevent and reduce such attacks. This policy also intends to circumvent any resultant economic instability arising due to cyber attacks. While the authority has acknowledged that the real challenge will be in operationalising this policy, the Cyber Security Policy still provides a strong vision to secure the critical infrastructure of the country.

Here are ten things you should know about India’s National Cyber Security Policy 2013:

1. Set up a 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC) for protecting critical infrastructure of the country
2. Create a taskforce of 5,00,000 cyber security professionals in the next five years
3. Provide fiscal schemes and benefits to businesses for adoption of standard security practices
4. Designate CERT-In as the national nodal agency to co-ordinate cyber security related matters and have the local (state) CERT bodies co-ordinate at the respective levels
5. All organizations to designate a CISO and allot a security budget
6. Use of Open Standards for Cyber Security
7. Develop a dynamic legal framework to address cyber security challenges (Note: The National Cyber Security Policy 2013 does not have any mention of the IT Act 2000)
8. Encourage wider use of Public Key Infrastructure (PKI) for government services
9. Engage infosec professionals / organizations to assist e-Governance initiatives, establish Centers of Excellence, cyber security concept labs for awareness and skill development through PPP - a common theme across all initiatives mentioned in this policy
10. Apart from the common theme of PPP across the cyber security initiatives, the policy frequently mentions developing an infrastructure for evaluating and certifying trustworthy ICT security products.

Key points from the draft version missing in the final policy:
• Initiative to establish a countrywide secure intranet for connecting strategic installations with CERT for emergency response and coordination
• The draft policy had objectively set out actions for ensuring security by Service Providers, Corporate and SOHO
• Of the 12 stakeholders identified in the draft, only four are mentioned in the policy.


Guidelines for the protection of National Critical Information Infrastructure

Government of India has designated the ‘National Critical Information Infrastructure Protection Centre’ (NCIIPC) of the National Technical Research Organisation (NTRO) as the nodal agency under Section 70A(1) of the Information Technology (Amendment) Act 2008 for taking all measures, including associated Research and Development, for the protection of CIIs in India.

The guidelines have been drawn up by the NTRO’s National Critical Information Infrastructure Protection Centre to protect the country’s digitized information networks — in public and private sectors — from cyber attacks. Among these Critical Information Infrastructures (CIIs), which are intricately interrelated and interdependent, are defence, finance, power, transport, communications, water supply etc. The NTRO will also monitor if they are following the guidelines.

At present, the guideline has forty controls and respective guiding principles for the protection of CIIs. These controls and guiding principles will help Critical Sectors to draw a CIIP roadmap to achieve safe, secure and resilient CII of the nation. These guidelines have been framed through public private partnership. India will also create a Cyber Crisis Management Plan to respond to major breaches of cyber security.

Controls of the NTRO’s Guidelines (Governance Controls)

1. Identification of Critical Information Infrastructure
2. Vertical and Horizontal Interdependencies
3. Information Security Department
4. Information Security Policy
5. Training and Skill up-gradation
6. Data Loss Prevention
7. Risk Assessment Management
8. Maintenance Plans
9. Feedback Mechanism for threat reporting to Govt. Agencies
10. Contingency Planning
11. Predictable Failure Prevention
12. Information/Data Leakage Protection
13. Checks and Balances for Negligence
14. Outsourcing and Vendor Security
15. Critical Information Disposal and Transfer
16. Disaster Recovery Site
17. DOS/DDOS Protection
18. Wi-Fi Security
19. Data Back-up Plan
20. Testing and Evaluation of Hardware and Software
21. Hardening of Hardware and Software
22. Secure Architecture Deployment
23. Web Application Security
24. Periodic Audit and Vulnerability Assessment
25. Compliance of Security Recommendation
26. APT Protection
27. Network Device Protection
28. Cloud Protection
29. Intranet Security
30. Access Control Policies
31. Limiting Admin Privileges
32. Perimeter Protection
33. Incident Response
34. Physical Security
35. Identification and Authentication
36. Maintaining, Monitoring and Analysing Logs
37. Penetration Testing
38. Data Storage: Hashing and Encryption
39. Security Certifications
40. Asset and Inventory Management


IT Amendment Act 2008

The Government of India has brought major amendments to ITA-2000 in the form of the Information Technology Amendment Act, 2008. It has added several new sections on offences, including Cyber Terrorism and Data Protection. A set of Rules relating to Sensitive Personal Information and Reasonable Security Practices (mentioned in section 43A of the ITAA, 2008) was released in April 2011. The ITAA 2008 adds eight offences, five of which are added to the ITA 2000 and three to the IPC.

Many cybercrimes for which no express provisions existed in the IT Act, 2000 now stand included by the IT (Amendment) Act, 2008: sending of offensive or false messages (66A), receiving stolen computer resource (66B), identity theft (66C), cheating by personation (66D) and violation of privacy (66E). A new offence of Cyber Terrorism is added in Section 66F, which prescribes punishment that may extend to imprisonment for life. Section 66F covers any act committed with intent to threaten the unity, integrity, security or sovereignty of India, or to cause terror, by causing DoS attacks, introduction of computer contaminant, etc.

The Information Technology Amendment Act 2008 also defines the term ‘intermediary’, which includes telecom service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes. Under the amended section 79 of the IT Act, the requirement of ‘knowledge’ has now been expressly changed to ‘receipt of actual knowledge’. A limit of 36 hours is specified to respond to such a request. If an intermediary refuses to do so, it can be dragged to the court as a co-accused [1].

The amended Act also enables setting up of a nodal agency for critical infrastructure protection, and strengthens the role of CERT-In. This Act creates provision for the central government to define an encryption policy for strengthening the security of electronic communications. Presently, encryption of up to 40 bits is allowed under the telecom policy.

The cyber security and data protection provisions in the IT (Amendment) Act, 2008 are also supported by various other enactments, namely:

• The Indian Telegraph Act, 1885
• The Indian Contract Act, 1872
• The Specific Relief Act, 1963
• The Public Financial Institutions Act, 1983
• The Consumer Protection Act, 1986
• The Credit Information Companies (Regulations) Act, 2005.

[1] IT Act 2000 vs 2008 - Karnika Seth, May 2010


Highlights of the IT Act and present need

• The IT (Amendment) Act 2008 reduced the quantum of punishment for a majority of cyber crimes. The majority of cyber crimes have been made bailable offences, with punishment of three years and fine. This needs to be appropriately reviewed.
• The IT Act does not cover a majority of crimes committed through mobiles.
• Cyber war as an offence needs to be covered under the IT Act.
• A comprehensive data protection mechanism needs to be incorporated in the law to make it more effective.
• A detailed privacy act needs to be enacted to protect the privacy of individuals and institutions.
• Reflecting on recent news, Section 66A of the IT Act has been part of many controversies and has invited criticism from many sections of the society. Terms like ‘causes inconvenience, annoyance’ are deemed open-ended by certain sections of the society. The government has introduced guidelines that, in metropolitan areas, the approval of police officers ranked inspector general of police or higher will be required to register complaints under Section 66A. They will also have to justify in writing why the case is being registered. In non-metropolitan areas, the approval of officials ranked deputy commissioner of police or higher is required. But it’s unclear whether the new guidelines are legally binding without an Amendment in the Act.


India’s Cyber monitoring setup
Few legal aspects

In April 2013, the Union government began rolling out a central monitoring system, or CMS, which will enable it to monitor all phone and internet communication in the country.

Section 69 of the IT Act, which deals with the power of the Controller to intercept information being transmitted through a computer resource when necessary in the national interest, is amended by Section 69 of the IT Amendment Act 2008. In fact the power now vests with the Central Government or State Government, which are empowered to appoint, for reasons in writing, any agency to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource.

This power is to be exercised with great caution and only when it is satisfied that it is necessary or expedient to do so in the interests of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign states or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, or for investigation of any offence.

The procedure and safeguards to exercise this power are laid out by the Information Technology Rules, 2009 (procedure and safeguards for interception, monitoring and decryption of Information). A subscriber or intermediary that fails to extend cooperation in this respect commits a punishable offence with a term which may extend to seven years and imposition of fine. The element of fine did not exist in the erstwhile Section 69 [1].

[1] IT Act 2000 vs 2008 - Karnika Seth, May 2010

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
KPMG-ASSOCHAM – Cyber Era: Securing the future 10

Section 79 of the IT (Amendment) It places responsibility to maintain


Act 2008 thus deals with immunity of confidentiality on intermediaries,
intermediaries. It is purported to be a provides for prohibition of monitoring or
safe harbour provision modelled on EU collection of data without authorization.
Directive 2000/31. The Safe Harbour This prescribes stringent permissions
provisions found in the IT Act are similar required to exercise the powers under
to that found in the US Laws which this Section which are fully justified
essentially say that the intermediaries as abuse of this power can infringe
who merely provide a forum weren’t the right to privacy of netizens. It also
liable for what users did. The only provides for review of its decisions and
condition being that they respond destruction of records.
promptly to a notice telling them about a
The intermediary that fails to extend
violation. If the website took that file off
cooperation in this respect is punishable
then they were in the clear.1
offence with a term which may extend
Section 69B added to confer Power to to 3 yrs and imposition of fine.
collect, monitor traffic data.
SEBI has long sought the right to
As a result of the amendments in monitor phone call data without a
2008, Section 69B confers on the court’s intervention to investigate claims
Central government power to appoint of insider trading and manipulation in the
any agency to monitor and collect country’s capital markets. The cabinet
traffic data or information generated, has decided to extend the powers
transmitted, received, or stored in any of the country’s market regulator
computer resource in order to enhance Securities and Exchange Board of India
its cyber security and for identification, (SEBI), allowing it to monitor investors’
analysis, and prevention of intrusion or call records and conduct searches at
spread of computer contaminant in the companies suspected of wrongdoing.
country. The Information Technology Under an executive order approved for
Rules, 2009 (procedure and safeguard issue by the cabinet, SEBI would also
for monitoring and collecting traffic data be authorised to carry out searches
or information) have been laid down to at company premises it suspects of 1 Intermediaries under the Information Technology
monitor and collect the traffic data or wrongdoing2. (Amendment) Act 2008, Mondaq, March 2013
2 SEBI gets more powers to weed out suspect investors –
information for cyber security purposes Reuters, July 2013
under Section 69B.

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
11 KPMG-ASSOCHAM – Cyber Era: Securing the future

Privacy and Civil Liberty Protection

The Privacy Act should put into place a regulatory framework for both public and private sector organisations. The ambit of the privacy legislation will extend to data being processed within India, and to data that originated in India even when it is transferred internationally. To do this, the Act should establish the office of the Privacy Commissioner. Additionally, the Act should enable a system of co-regulation through self-regulating organizations and their member organizations. These bodies should each play a distinct role in implementing the provisions of the Act. The Privacy Act should establish offences and penalties, and list exceptions to the right of privacy. Any exception should be necessary in a democratic society, proportional, and in accordance with the laws in force.

The framework should enable quick redress by allowing individuals to resolve their complaints through alternative dispute mechanisms, the Privacy Commissioner, or the Courts. Once the Privacy Act is approved by Parliament, the regulatory bodies created under the Act should be accountable to Parliament.

Different geographies across the globe have defined their privacy requirements, articulating the requirements for the protection of personal data and for preventing harm to an individual whose data is at stake. The table on the following page represents the derivation of privacy requirements as articulated by the OECD Privacy Guidelines, the EU Data Protection Directive, the APEC Privacy Framework, Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act), and Australia’s ANPP (Australian National Privacy Principles).

The privacy principles represent the foundation for any regime to protect privacy. With regard to the principles in force the world over, there is a high degree of agreement among the various approaches, most specifically the principles followed by the US, OECD, EU and APEC, where transparency, enforcement and accountability are considered the cornerstones of privacy protection.

While there are minor variations between these formulations, it would not be inaccurate to suggest that there is a set of globally accepted privacy principles on which India’s Privacy Law should be based.

Privacy principles and the frameworks that articulate them (✓ = principle addressed).
Columns: OECD Guidelines; EU Data Protection Directive; APEC Privacy Framework; Canada PIPEDA; Australia ANPP.

Principle                 Meaning                                                       OECD    EU      APEC    PIPEDA  ANPP

Privacy Requirements
  Accountability          Organization's accountability towards personal information      ✓       ✓       ✓       ✓       ✓
  Notice                  Notice in clear language for collection, policy notification    ✓       ✓       ✓       ✓       ✓
  Consent                 For collection and use                                          ✓       ✓       ✓       ✓       ✓
  Collection Limitation   Restricting the collection to the identified purpose only       ✓       ✓       ✓       ✓       ✓
  Use Limitation          Restricting the use for the stated purpose only                 ✓       ✓       ✓       ✓       ✓
  Disclosures             Terms of disclosure to third parties & any other reason         ✓       ✓       ✓       ✓       ✓
  Access and Corrections  Individual's access to his info and update/correct his info     ✓       ✓       ✓       ✓       ✓
  Security / Safeguards   To prevent loss, misuse, unauthorized access                    ✓       ✓       ✓       ✓       ✓
  Data Quality            To ensure info is accurate, complete & up-to-date               ✓       ✓       ✓       ✓       ✓
  Enforcement             Assurance over adherence to policies & complaint resolution     ✓       ✓       ✓       ✓       ✓
  Openness                Policies clearly published & available                          ✓       ✓       ✓       ✓       ✓
  Anonymity               De-identification of personal information                       ✓       ✓       ✓       ✓       ✓

Additional Requirements
  Trans-border Data Flow  Personal data transfer across geographies                       ✓       ✓       ✓       ✓       ✓
  Sensitivity             Specified info that requires specific controls                  ✓       ✓       ✓       ✓       ✓

Inculcating Robust Cyber Security Practices through PPP

The Joint Working Group (JWG) Report on Engagement with Private Sector on Cyber Security highlights the need for a pivotal body that will co-ordinate cyber security measures between the private and public sectors. This will not only help in sharing cyber security intelligence but also help align the maturity of cyber security across the country. The industry should also coordinate with CERT-In or the sectoral CERTs that the NCSP outlines. The critical shortage of cyber security professionals needs to be tackled in mission mode with innovative recruitment and placement procedures, along with specialized training of existing manpower. This programme can be implemented in PPP mode.¹ The private sector may be associated with the establishment of training facilities, apart from the regular security exercises that are conducted.

Given the role of security standards and audit in enhancing the level of preparedness and assurance in cyber security, the private sector can be an active partner in defining baseline security standards and practices/guidelines for the critical sectors, in both the public and private sectors. There should also be security standards and guidelines for the acquisition of IT products and services. In this regard, the Joint Working Group on Cyber Security also recommends making cyber security audit mandatory by appropriate amendment of the listing requirements under the Companies Act.

Areas for public-private collaboration (from the accompanying graphic):
• Conduct consultation workshops
• Share cyber intelligence
• Fund research programs
• Develop capacity building and training centers
• Collaborate during cyber-attacks

1 Recommendations of Joint Working Group on Cyber Security – Justice Shah

Cyber Security Practices in a few other countries

Leading Cyber Security Practices

Legal Frameworks

• The proposed Cyber Intelligence Sharing and Protection Act (CISPA) in the United States would establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and utilities, and to encourage the sharing of such intelligence. Separately, acting on an Executive Order of the President of the U.S., the National Institute of Standards and Technology (NIST) released a preliminary draft cyber security framework outlining standards, best practices and guidance for cyber security. The draft Cyber Security Act of the USA intends, on an ongoing basis, to facilitate and support the development of a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures and processes to reduce cyber risks to America’s critical infrastructure.

• The National Security Strategy of the UK has categorized cyber attacks as a Tier One threat to national security, alongside international terrorism.

Sectoral Developments

• The U.K. has allocated £650 million over four years to establish a new National Cyber Security Programme to strengthen the UK’s cyber capacity, setting up a National Cyber Crime Unit¹ and also intending to form a UK National Computer Emergency Response Team (CERT-UK).² The UK is behind India in terms of setting up a CERT but intends to do so in the near future.¹

1 Launch of national cybercrime unit a significant moment - The Guardian, March 2013
2 Keeping the UK safe in cyber space – Government of UK

Capacity Development

• Similar to India’s Cyber Security Policy, the Cyber Security Act³ of the U.S. sets forth the need to develop a cyber security research and development program, to offer cyber security scholarships, and to test and verify that software and hardware are free of significant known security flaws.

• In line with the U.K.’s Cyber Security Challenge, the Cyber Security Act of the U.S. provides for supporting competitions and challenges to identify, develop and recruit talented individuals to perform duties relating to the security of information infrastructure in Federal, State and local government agencies, and the private sector.

• The Act has clearly defined the roles and expectations of the various government agencies involved in national security, and has defined timelines for reporting and reviewing the activities directed to such agencies.

• The Government of the U.K. envisages setting up a ‘Global Centre for Cyber Security Capacity Building’ and developing a ‘cyber reserve’ of computer experts.

Public Private Partnerships

• By relying on practices developed, managed and updated by industry, NIST’s Cyber Security Framework will evolve with technological advances and will align with business needs. This includes industry-driven standards, best practices and implementation measures to manage cyber security risks to information technology and operational technology.³

• The Framework is therefore not designed to replace an organization’s existing processes; where an organization does not have an existing risk management process for cyber security, the Framework provides the tools to build one.

• The Government of the U.K. intends to build a ‘Cyber Information Sharing Partnership’ with businesses to allow the government and industry to exchange information on cyber threats in a trusted environment.

• The Welsh model, e-Crime Wales, is one example of a public-private sector initiative, led by a designated unit within the Welsh government, that harnesses the insight of businesses, academia and industry experts. E-Crime Wales has brought together the four Welsh police forces, and holds an annual e-crime summit at which leading experts, including ex-FBI employees, share their knowledge. The unit also hosts a full suite of practical, downloadable tools that businesses can use, everything from an acceptable internet-user policy for staff to a “preventing e-crime for dummies” handbook. More than half of the businesses that have interacted with the e-Crime Wales initiative report putting e-security higher on their business priorities as a result. This work has proved such a success that Scotland followed suit with its own version, e-Crime Scotland.⁴

International Relationships

• Through their various acts and policies, both the U.S. and the U.K. acknowledge the need for international information sharing to build stronger cyber intelligence.

3 S. 1353: Cybersecurity Act of 2013
4 U.K. for less government role in cyber security - The Hindu, September 2013

Epilogue

While India has taken tangible measures to secure cyber space in recent months, there is always a lingering question over the Return on Investment (RoI) of security measures. While security issues such as data theft can be quantified, say, in terms of monetary losses, issues such as the defacement of websites by so-called ‘hobbyists’ are a bit subjective. There are instances where hacker groups only deface content in a bid to boast of their presence, or to retaliate or voice their opinions. The monetary loss in these cases is not much, but it results in reputational losses. Depending on the organization that is attacked, the ‘value’ of a defacement may differ. While ISO 27001 has been comprehensive enough to meet the need for a ‘reasonable’ security standard across different sectors, there is a need for sector-specific standards which address the intricacies and levels of technology of the specific sectors.

This requires an independent ‘Cyber Maturity Assessment’ in industry and governments which will evaluate the overall governance and response mechanisms along with the people aspect of cyber security. In order to thwart cyber crime, the previously adopted ‘compliance-based’ approach has now to give way, gradually, to a more systematic and pragmatic approach to tackling cyber security.

It is an utmost need for enterprises, SMEs and government bodies not only to adopt the various guidelines and advisories issued by the security agencies but also to regularly review their implementation. There needs to be a timely review of the IT Act to keep pace with the developments and sophistication in cyber crime. At the policy level, India needs to conduct consultation workshops with the private sector and cyber security equipment manufacturers to regularly track developments in the cyber security space.

Apart from striving to augment its own capabilities, India also needs to counter cyber attacks through international cooperation rather than doing it alone. Public Private Partnerships and robust policy frameworks from the Centre are both key in this endeavour.

About ASSOCHAM
The Knowledge Architect of Corporate India

Evolution of Value Creator

ASSOCHAM initiated its endeavour of value creation for Indian industry in 1920, and today has in its fold more than 400 Chambers and Trade Associations, serving more than 4,00,000 members from all over India. It has witnessed upswings as well as upheavals of the Indian economy, and has contributed significantly by playing a catalytic role in shaping the trade, commerce and industrial environment of the country.

Today, ASSOCHAM has emerged as the fountainhead of knowledge for Indian industry, which is all set to redefine the dynamics of growth and development in the technology-driven cyber age of the ‘Knowledge Based Economy’. ASSOCHAM is seen as a forceful, proactive, forward-looking institution equipping itself to meet the aspirations of corporate India in the new world of business. ASSOCHAM is working towards creating a conducive environment for Indian business to compete globally.

ASSOCHAM derives its strength from its Promoter Chambers and other Industry/Regional Chambers/Associations spread all over the country.

Vision

Empower Indian enterprise by inculcating knowledge that will be the catalyst of growth in the barrierless, technology-driven global market, and help them upscale, align and emerge as formidable players in their respective business segments.

Mission

As a representative organ of Corporate India, ASSOCHAM articulates the genuine, legitimate needs and interests of its members. Its mission is to impact the policy and legislative environment so as to foster balanced economic, industrial and social development. We believe education, IT, BT, health, corporate social responsibility and environment to be the critical success factors.

Members – Our Strength

ASSOCHAM represents the interests of more than 4,00,000 direct and indirect members across the country. Through its heterogeneous membership, ASSOCHAM combines the entrepreneurial spirit and business acumen of owners with the management skills and expertise of professionals to set itself apart as a Chamber with a difference.

Currently, ASSOCHAM has more than 100 National Councils covering the entire gamut of economic activities in India. It has been especially acknowledged as a significant voice of Indian industry in the fields of Corporate Social Responsibility, Environment & Safety, HR & Labour Affairs, Corporate Governance, Information Technology, Biotechnology, Telecom, Banking & Finance, Company Law, Corporate Finance, Economic and International Affairs, Mergers & Acquisitions, Tourism, Civil Aviation, Infrastructure, Energy & Power, Education, Legal Reforms, Real Estate and Rural Development, and Competency Building & Skill Development, to mention a few.

Insight into ‘New Business Models’

ASSOCHAM has been a significant contributory factor in the emergence of new-age Indian corporates, characterized by a new mindset and a global ambition to dominate international business. The Chamber has addressed itself to key areas like India as an Investment Destination, Achieving International Competitiveness, Promoting International Trade, Corporate Strategies for Enhancing Stakeholder Value, Government Policies in Sustaining India’s Development, Infrastructure Development for Enhancing India’s Competitiveness, Building Indian MNCs, and the Role of the Financial Sector as the Catalyst for India’s Transformation.

ASSOCHAM derives its strengths from the following Promoter Chambers: Bombay Chamber of Commerce & Industry, Mumbai; Cochin Chambers of Commerce & Industry, Cochin; Indian Merchant’s Chamber, Mumbai; The Madras Chamber of Commerce and Industry, Chennai; and PHD Chamber of Commerce and Industry, New Delhi; and has over 4 Lakh direct/indirect members. Together, we can make a significant difference to the burden that our nation carries and bring in a bright, new tomorrow for our nation.

D. S. Rawat
Secretary General
email : d.s.rawat@assocham.com

The Associated Chambers of Commerce & Industry of India
ASSOCHAM Corporate Office:
5, Sardar Patel Marg, Chanakyapuri,
New Delhi-110 021
Tel: 011-46550555 (Hunting Line)
Fax: 011-23017008, 23017009

About KPMG in India

KPMG in India, a professional services firm, is the Indian member firm of KPMG International and was established in September 1993. Our professionals leverage the global network of firms, providing detailed knowledge of local laws, regulations, markets and competition. KPMG in India provides services to over 4,500 international and national clients in India. KPMG has offices across India in Delhi, Chandigarh, Ahmedabad, Mumbai, Pune, Chennai, Bangalore, Kochi, Hyderabad and Kolkata. The Indian firm has access to more than 7,000 Indian and expatriate professionals, many of whom are internationally trained. We strive to provide rapid, performance-based, industry-focused and technology-enabled services, which reflect a shared knowledge of global and local industries and our experience of the Indian business environment.

KPMG is a global network of professional firms providing Audit, Tax and Advisory services. We operate in 156 countries and have 152,000 people working in member firms around the world.

Our Audit practice endeavors to provide robust and risk-based audit services that address our firms' clients' strategic priorities and business processes.

KPMG's Tax services are designed to reflect the unique needs and objectives of each client, whether we are dealing with the tax aspects of a cross-border acquisition or developing and helping to implement a global transfer pricing strategy. In practical terms that means KPMG firms work with their clients to assist them in achieving effective tax compliance and managing tax risks, while helping to control costs.

KPMG Advisory professionals provide advice and assistance to enable companies, intermediaries and public sector bodies to mitigate risk, improve performance, and create value. KPMG firms provide a wide range of Risk Consulting, Management Consulting and Transactions & Restructuring services that can help clients respond to immediate needs as well as put in place the strategies for the longer term.

KPMG Contacts

Pradeep Udhas
Partner and Head
Markets
T: +91 22 3090 2040
E: pudhas@kpmg.com

Navin Agrawal
Partner and Head
Government and Public Sector
T: + 91 22 3090 1720
E: navinagrawal@kpmg.com

Follow us on:
Twitter - @KPMGIndia

kpmg.com/in


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual
or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information
is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information
without appropriate professional advice after a thorough examination of the particular situation.

© 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated
with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

Printed in India.
