Structuring a National Strategy to secure Cyberspace:
Solutions for India
Netsecure Technology, http://ww.netsecure.in
Part 1 – The need for a national strategy
• Examining national objectives
• Structuring a policy
• Current law in India
Part 2 – Case Study: Data Privacy and National Compliance [Challenges and Strategies]
• Data Protection legislation around the world
• European Commission Directive and the UK Act
• Data Protection model: the United States
• Balancing Privacy and Security
Opportunities for India
• Speed and convenience
• Mobile access
• Personalised and tailored
• Data mining sophistication
• Loss of control
• Insecurity
• Lack of confidence
• Increased scepticism
• Low uptake of eCommerce
• Technological advances in data storage and transmission
• Globalisation of communications - the internet
• Convergence and standardisation of technologies
• Increasing importance of data processing
Cyberspace, as introduced by William Gibson [a place governed by its own laws] – “a consensual hallucination” [William Gibson, Neuromancer]
A contradiction? Greek ‘kybernetes’ means ‘steersman’ of a ship
“Law and Borders”: the ‘independent’ theory of cyberspace law [David Post and David Johnson, Stanford Law Review]
Benkler’s layers – the physical, the code and content [in communications theory]
Lessig, Code and Other Laws of Cyberspace
Securing “Indian” Cyberspace [regulations and the history of trade – towards pax mercatur]
The basic premise: the machine or the medium
Adaptability and enforcement of Indian law – lessons from the American experience [Adobe Systems v. Dmitry Sklyarov]
Systematic collaboration between vendors and customers to secure interoperable government and industry enterprise information systems
Enhance collaboration between law enforcement and industry to prevent and prosecute cyber crimes
Understanding the role of the medium – incidental [blackmail, stalking]; content [obscene or sensitive material]; integrity [unauthorised access and/or modification]
The criminal act – discovery [detection] and analysis
The Cybercrime Manual – fostering preparedness
• Focussing on ‘relevant’ issues and appropriate classification of offences
• Cyber forensics and the collection of evidence
• Crisis management [internal and external]
The Team [Member of the Board, Human Resources Manager, Chief Information Officer, Legal Counsel, E-Risk Management Consultant, Internet Security Expert, Cyberinsurance broker]
Utilising and factoring security tools – Digital signatures are a ‘sign of our times’
Understanding and evaluating risks [internal and external]
Allocating roles and responsibilities
Structuring the audit process [examining use and abuse]
Ten Tips:
[i] Firewalls with secure passwords
[ii] Correct installation and maintenance [the human angle]
[iii] Encryption
[iv] Assign network administrators a security role
[v] External consultants and auditors
[vi] Periodic security audits
[vii] Do not ignore ‘small company’ security needs
[viii] Limit access to the computer room
[ix] Educate employees about the dangers of social engineering
[x] Educate employees on potential threats
A training process for law enforcement
The Basics: the “machine” and the “medium” – What is a Cybercrime?
Develop programs that promote a culture of security within and across enterprises, including corporate governance, integration of physical and cyber security, and cyber ethics from school to the office
Engage with industry, academia and government in both countries to foster research and development and collaborative education efforts in information security
Stake your territory: the applicable law
Have the final say: the invitation to treat
On your own terms
Is it secure?
The customer is always right!
Privacy policy and data protection
Protecting your brand: domain names and trademarks in general
The copyright ‘catch’
Chat online [Bulletin Board/Service Provider Liability]
Data Privacy and Indian Law
A fundamental human right: the right of the individual to be let alone
• Information Privacy (data protection) - personal data
• Bodily privacy - invasive procedures - search, drug testing; genetic testing; etc
• Communications Privacy - mail, telephone, e-mail etc
• Territorial privacy - domestic privacy; CCTV; ID checks etc
“Public” aspects - surveillance, police powers and national security
“Private” aspects - commercial use of data
Overview - major International and US regulations
1948 UN Universal Declaration of Human Rights
1970 US Fair Credit Reporting Act
1974 US Privacy Act
1976 International Covenant on Civil and Political Rights
1980 OECD Guidelines on Protection of Privacy
1980 US Privacy Protection Act
1995 European Commission Directive on Data Protection
1994 US Communications Assistance to Law Enforcement Act
1996 US Health Insurance Portability and Accountability Act
1998 US Children's Online Privacy Protection Act
1998 European Member States implement Directive
1999 US Financial Services Modernization Act
BUSINESS ISSUES
HUMAN RIGHTS
There is no general privacy or data protection law in India:
• Constitution Article 21
Right to life and liberty, interpreted by Supreme Court as including the “right to be let alone”
• International Covenant on Civil and Political Rights 1966 Article 17:
No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
• Law of privacy (Tort Law) – Action for unlawful invasion of privacy
Information Technology Act 2000
• Section 43 (a)
Penalty for unauthorised access to a computer system
• Section 43 (b)
Penalty for unauthorised downloading or copying of data without permission
• Section 72
Offence of accessing any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, disclosing such information to another person
• Public Financial Institutions Act of 1993 codifies confidentiality of bank transactions
• ISPs prohibited from violating privacy rights of subscribers by virtue of the licence to operate granted by the Department of Telecommunications
• A general data protection law in India?
The National Task Force on IT and Software Development (1998) submitted an “IT Action Plan” calling for a “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data”, but no Act has been introduced to date.
Data Protection Worldwide
Country – Legislation – In force
South Korea – eCommerce Act – In force January 1999
New Zealand – Privacy Act – In force 1 July 1993
United States (includes) – CPP Act 1984; VPP Act 1988; COPP Act 1998, in force 21 April 2000; HIPA Act, in force 14 April 2001; GLB Act, in force 1 July 2001; ‘General’ Act under consideration
Finland – Personal DP Act – In force 1 June 1999
Denmark – Act on Processing of PD – In force 1 July 2000
Luxembourg –
Netherlands – Law on Protection PD Act – In force 1 Sep 2001
Greece – Protection Processing – In force 10 April 1997
Ireland –
Eastern Europe – Estonia (96), Poland (98), Slovak (98), Slovenia (99), Hungary (99), Czech (00), Latvia (00), Lithuania (00)
Portugal – Personal DP Act – In force 27 October 1998
Spain – Data Protection Act – In force 13 January 2000
Canada – PIP&ED Act – Commenced 1 Jan 2001
United Kingdom – Data Protection Act – In force 1 March 2000
France –
Australia – Privacy Act – In force 21 Dec 2001
Sweden – Personal Data Act – In force 24 October 1998
Belgium – Data Protection Act – In force 1 Sep 2001
Norway – Personal D Reg Act – In force 14 April 2000
Italy – Data Protection Act – In force 8 May 1997
Austria – Data Protection Act – In force 1 January 2000
Germany – Data Protection Act – In force 23 May 2001
Switzerland – Data Protection Act – In force 1 June 1999
Taiwan – Computer Processed DP – In force 11 August 1995
Hong Kong – Personal Data (Privacy) – In force 20 Dec 1996
Mexico – eCommerce Act – In force 7 June 2000
Data Protection in Europe
• Directive 95/46/EC of the European Commission
• Now implemented in almost all Member States
e.g. UK
previously - UK Data Protection Act 1984
now - UK Data Protection Act 1998 (in force March 2000) (“DPA”)
1. Personal data must be processed fairly and lawfully
2. Personal data must be collected and used only for notified purposes.
3. Personal data must be adequate, relevant and not excessive.
4. Personal data must be accurate and, where necessary, kept up-to-date.
5. Personal data must only be retained for as long as is necessary to carry out the purposes for which it is collected.
6. Personal data must be processed in accordance with the rights of data subjects as set out under the 1998 Act.
7. Appropriate technical and organisational measures must be in place to protect against unauthorised access, amendment or loss of personal data. There must be a contractual obligation, in writing, upon any data processor to comply with the relevant legislation and to ensure that such measures have been put in place.
8. Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.
The Eighth Principle
Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.
Notwithstanding the receiving country's lack of adequacy status, a data controller can nevertheless conclude that there is adequate protection in respect of a particular transfer if there is sufficient protection for individual data subjects, having regard to:
- nature of data being transferred;
- purposes for processing;
- security measures in place;
- individual rights to redress if things go wrong.
Note – all of these could be covered in a Seventh-Principle type contract
Data Protection in the USA
United States (Federal):
Fair Credit Reporting Act 1970
Privacy Act 1974
Family Educational Rights and Privacy Act 1974
Cable TV Privacy Act 1974
Right to Financial Privacy Act 1978
Privacy Protection Act 1980
Cable Communications Policy Act 1984
Electronic Communications Privacy Act 1986
Video Privacy Protection Act 1988
Employee Polygraph Protection Act 1988
Telephone Consumer Protection Act 1991
Driver’s Privacy Protection Act 1994
Communications Assistance to Law Enforcement Act 1994
Health Insurance Portability and Accountability Act 1996
Children's Online Privacy Protection Act 1998
Deceptive Mail Prevention and Enforcement Act 1999
Financial Services Modernization Act 1999
‘General’ Act – under consideration?
Safe Harbor In effect 2001
• Self certified compliance with ‘adequate’ principles
• Regulatory enforcement of trade practices legislation
However, only 356 companies in the whole of the United States have current Safe Harbor registrations
This raises questions as to the credibility of the safe harbor regime
Safe Harbor also only addresses transfers of data from abroad, and does not offer comprehensive protection for US citizens
Antiterrorism Acts
• USA: the Patriot Act, 26 October 2001
• Canada: 16 October 2001
• India: Prevention of Terrorism Act
• Easier to use electronic surveillance
• Continue and clarify the mandate of law enforcement to collect foreign communications
• Requires individuals who have information related to a terrorist group to appear before a judge to provide that information
• Extending the DNA data bank to include terrorist crimes
Issues: enhanced investigative powers; will governments enforce privacy laws? US, Canada, UK, EU, Australia
Thoughts: data protection enforcement is generally complaint based; the public continually stress privacy concerns; good privacy is good business; erosion of privacy is a win for terrorism
The Best Solution?
• Comprehensive Laws governing collection, use and dissemination of personal data
• Sectoral laws - piecemeal rules for particular industries, types of information or technologies - piecemeal protection
• Self-regulation - e.g. Safe Harbor - mostly disappointing to date
• Technological solutions - physical and logical security, encryption, etc - must be combined with legislative protections
• To remedy past injustices (e.g. C.Europe, S.America, S.Africa)
• To create confidence and promote e-commerce, m-commerce, ITES and bioinformatics sectors
• To remove barriers to data transfers from Europe, by ensuring India is granted “adequate” status
• To ensure enforceability, through a central oversight agency
• Because effectiveness of self-regulation is limited
• Because State governments are already recognising need and considering own data protection legislation
Technology, Media and Communications